Distributed Engine Example Architectures

If you are a current customer with support hours for IBM Security Professional Services, you can discuss any of these diagrams in detail with one of our Professional Services Solutions Architects.

This reference architecture is our best practice architecture for Verify Privilege Vault (SS) Distributed Engines (DEs). The two most common use cases are:

  • Distributing work across firewalled networks using the fewest ports possible to help ensure a better network security model
  • Separating work tasks away from the Web servers and placing the processing work on other dedicated servers within the IBM Security infrastructure to improve overall performance

Both of these use cases are covered with minimal and best high-availability solutions. The final reference architecture in this collection combines both use cases with a high-availability solution.

Minimal HA Single-Site Deployment with No Distributed Engines

Overview

Please see Verify Privilege Vault Example Architectures for additional design variations.

Requirements

General

  • SQL Server Standard Edition with basic availability group configuration.
  • SQL Server 2012 R2+.
  • Use Windows authentication for SQL Server.
  • You can use local load balancers for Web server nodes.
  • We require a file-share witness for SQL quorum voting so that SQL stays online during unplanned single-node failures.
  • Distributed Engine Ports.
  • Distributed Engine Proxy Configuration.
  • SQL Quorum Ports.

Virtual IP or Computer

  • ss.company.com: 443 (load balancer)

  • ss.company.com: 5671 or 5672 (load balancer)

  • ss-aoag.company.com: 1433 (created as part of SQL AlwaysOn configuration). Computer object or virtual IP.

  • Windows Failover Cluster Object (created as part of Windows failover clustering configuration):

    • Computer object or virtual IP
    • One additional virtual IP address may be required as part of Windows failover cluster for single-site design for the network configuration of the failover cluster.

Diagram

The reference number for this diagram is A1.

Figure: Minimal HA Single-Site Deployment with No Distributed Engines


Minimal HA Single-Site Deployment with Distributed Engines for Additional Datacenters

Overview

  • Minimum-cost HA configuration.
  • No shared storage requirement.
  • Verify Privilege RabbitMQ Helper installed on separate dedicated servers.
  • Two DEs for HA of local site, which is included with all licensing models.
  • Distributed Engine licenses required for this design:

    • Three DE site licenses added (for DMZ, secondary, and cloud locations), one DE included per site.
    • One DE per site license added, which allows for second DE in each DE site for HA.
  • All DEs require callback communication to Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5672 or 5671). This is pictured with one set of distributed engines (local site) but is not pictured for other DEs to keep the diagram easier to interpret.

Please see Verify Privilege Vault Example Architectures for additional design variations.

Requirements

General

  • SQL Server Standard Edition with basic availability group configuration.
  • SQL Server 2012 R2+.
  • Use Windows authentication for SQL Server.
  • You can use local load balancers for Web server nodes.
  • We require a file-share witness for SQL quorum voting so that SQL stays online during unplanned single-node failures.
  • Distributed Engine Ports.
  • Distributed Engine Proxy Configuration.
  • SQL Quorum Ports.

Virtual IP or Computer

  • ss.company.com: 443 (load balancer)

  • ss.company.com: 5671 or 5672 (load balancer)

  • ss-aoag.company.com: 1433 (created as part of SQL AlwaysOn configuration). Computer object or virtual IP.

  • Windows Failover Cluster Object (created as part of Windows failover clustering configuration):

    • Computer object or virtual IP
    • One additional virtual IP address may be required as part of Windows failover cluster for single-site design for the network configuration of the failover cluster.

Diagram

The reference number for this diagram is A2.

Figure: Minimal HA Single-Site Deployment with Distributed Engines for Additional Datacenters


Minimal HA Single-Site Deployment with Distributed Engines for Separate Work Tasks

Overview

  • Minimum-cost HA configuration.
  • No shared storage requirement.
  • Verify Privilege RabbitMQ Helper installed on separate dedicated servers.
  • Two DEs for HA of local site, which is included with all licensing models.
  • Local site for AD or LDAP, SMTP, SIEM, or RADIUS integration.
  • Distributed Engine licenses required for this design:

    • Two DE site licenses added (for secret and discovery tasks), one DE included per site.
    • One DE per site license added, which allows for second DE in each DE site for HA.
  • Single-site design with no native DR capacity. DR can be provided by VM replication if subnets span locations; otherwise re-IP and DNS changes may be necessary.
  • All DEs require callback communication to Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5672 or 5671). This is pictured with one set of distributed engines (local site) but is not pictured for other DEs to keep the diagram easier to interpret.

Please see Verify Privilege Vault Example Architectures for additional design variations.

Requirements

General

  • SQL Server Standard Edition with basic availability group configuration.
  • SQL Server 2012 R2+.
  • Use Windows authentication for SQL Server.
  • You can use local load balancers for Web server nodes.
  • We require a file-share witness for SQL quorum voting so that SQL stays online during unplanned single-node failures.
  • Distributed Engine Ports.
  • Distributed Engine Proxy Configuration.
  • SQL Quorum Ports.

Virtual IP or Computer

  • ss.company.com: 443 (load balancer)

  • ss.company.com: 5671 or 5672 (load balancer)

  • ss-aoag.company.com: 1433 (created as part of SQL AlwaysOn configuration). Computer object or virtual IP.

  • Windows Failover Cluster Object (created as part of Windows failover clustering configuration):

    • Computer object or virtual IP
    • One additional virtual IP address may be required as part of Windows failover cluster for single-site design for the network configuration of the failover cluster.

Diagram

The reference number for this diagram is A3.

Figure: Minimal HA Single-Site Deployment with Distributed Engines for Separate Work Tasks


Best HA Multi-Site Deployment with No Distributed Engines

Overview

  • All DEs require callback communication to Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5672 or 5671). This is pictured with one set of distributed engines (local site) but is not pictured for other DEs to keep the diagram easier to interpret.

Please see Verify Privilege Vault Example Architectures for additional design variations.

Requirements

General

Virtual IP or Computer

  • ss.company.com: 443 and rmq.company.com: 5671 or 5672 (two virtual IPs—global load balancer).
  • ss-a.company.com: 443 and ss-b.company.com: 443 (two virtual IPs—local load balancer).
  • rmq-a.company.com: 5671 or 5672 (load balancer) and rmq-b.company.com: 5671 or 5672 (two virtual IPs—local load balancer).
  • Windows Failover Cluster Object (created as part of Windows failover clustering configuration):

    • Computer object or virtual IP
    • One additional virtual IP address may be required as part of Windows failover cluster for single-site design for the network configuration of the failover cluster.

Diagram

The reference number for this diagram is B1.

Figure: Best HA Multi-Site Deployment with No Distributed Engines


Best HA Multi-Site Deployment with Distributed Engines for Additional Datacenters

Overview

  • Two DE site licenses added (for DMZ and cloud locations), one DE included per site.

  • One DE per site license added, which allows for second DE in each DE site for HA and a third one for the local site (added to the primary location).

  • All DEs require callback communication to Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5672 or 5671). This is pictured with one set of distributed engines (local site) but is not pictured for other DEs to keep the diagram easier to interpret.

Please see Verify Privilege Vault Example Architectures for additional design variations.

Requirements

General

Virtual IP or Computer

  • ss.company.com: 443 and rmq.company.com: 5671 or 5672 (two virtual IPs—global load balancer).
  • ss-a.company.com: 443 and ss-b.company.com: 443 (two virtual IPs—local load balancer).
  • rmq-a.company.com: 5671 or 5672 (load balancer) and rmq-b.company.com: 5671 or 5672 (two virtual IPs—local load balancer).
  • Windows Failover Cluster Object (created as part of Windows failover clustering configuration):

    • Computer object or virtual IP
    • Two additional virtual IP addresses may be required as part of Windows failover cluster for single-site design for the network configuration of the failover cluster, representing both networks at each site.

Diagram

The reference number for this diagram is B2.

Figure: Best HA Multi-Site Deployment with Distributed Engines for Additional Datacenters


Best HA Multi-Site Deployment with Distributed Engines for Separate Work Tasks

Overview

  • Distributed Engine licenses required for this design:

    • Two DE site licenses added (for secret and discovery tasks), one DE included per site.

    • One DE per site license added, which allows for second DE in each DE site for HA and a third one for the local site (added to the primary location).

  • All DEs require callback communication to Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5672 or 5671). This is pictured with one set of distributed engines (local site) but is not pictured for other DEs to keep the diagram easier to interpret.

Please see Verify Privilege Vault Example Architectures for additional design variations.

Requirements

General

  • SQL Server Enterprise Edition with availability group configuration.
  • SQL Server 2012 R2+.
  • Use Windows authentication for SQL Server.
  • Global and local load balancers.
  • We recommend a file-share witness for SQL quorum voting, using a cloud witness or a DFSR share for the witness configuration. This can handle the failure of both SQL Server nodes in the primary location.
  • Distributed Engine Ports.
  • Distributed Engine Proxy Configuration.
  • SQL Quorum Ports.

Virtual IP or Computer

  • ss.company.com: 443 and rmq.company.com: 5671 or 5672 (two virtual IPs—global load balancer).
  • ss-a.company.com: 443 and ss-b.company.com: 443 (two virtual IPs—local load balancer).
  • rmq-a.company.com: 5671 or 5672 (load balancer) and rmq-b.company.com: 5671 or 5672 (two virtual IPs—local load balancer).
  • Windows Failover Cluster Object (created as part of Windows failover clustering configuration):

    • Computer object or virtual IP
    • Two additional virtual IP addresses may be required as part of Windows failover cluster for single-site design for the network configuration of the failover cluster, representing both networks at each site.

Diagram

The reference number for this diagram is B3.

Figure: Best HA Multi-Site Deployment with Distributed Engines for Separate Work Tasks


Best HA Multi-Site Deployment with Distributed Engines for Additional Datacenters with Separate Work Tasks

Overview

  • Distributed Engine licenses required for this design:

    • Five DE site licenses added (for primary secret and discovery tasks, DMZ site, and cloud secret and discovery tasks), one DE included per site.
    • Two DE per site licenses added, which allows for second DE in each DE site for HA and a third one for the local site (added to the primary and DR locations).
  • All DEs require callback communication to Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5672 or 5671). This is pictured with one set of distributed engines (local site) but is not pictured for other DEs to keep the diagram easier to interpret.

Please see Verify Privilege Vault Example Architectures for additional design variations.

Requirements

General

  • SQL Server Enterprise Edition with availability group configuration.
  • SQL Server 2012 R2+.
  • Use Windows authentication for SQL Server.
  • Global and local load balancers.
  • We recommend a file-share witness for SQL quorum voting, using a cloud witness or a DFSR share for the witness configuration. This can handle the failure of both SQL Server nodes in the primary location.
  • Distributed Engine Ports.
  • Distributed Engine Proxy Configuration.
  • SQL Quorum Ports.

Virtual IP or Computer

  • ss.company.com: 443 and rmq.company.com: 5671 or 5672 (two virtual IPs—global load balancer).
  • ss-a.company.com: 443 and ss-b.company.com: 443 (two virtual IPs—local load balancer).
  • rmq-a.company.com: 5671 or 5672 (load balancer) and rmq-b.company.com: 5671 or 5672 (two virtual IPs—local load balancer).
  • ss-aoag.company.com: 1433 (created as part of SQL AlwaysOn configuration). Computer object or virtual IP. May require two virtual IP addresses.
  • Windows Failover Cluster Object (created as part of Windows failover clustering configuration):

    • Computer object or virtual IP
    • Two additional virtual IP addresses may be required as part of Windows failover cluster for single-site design for the network configuration of the failover cluster, representing both networks at each site.

Diagram

The reference number for this diagram is C1.

Figure: Best HA Multi-Site Deployment with Distributed Engines for Additional Datacenters with Separate Work Tasks
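Every design in this collection requires each Distributed Engine to call back to the Web servers on TCP 443 and to the Verify Privilege RabbitMQ Helper response bus on TCP 5671 or 5672. The following PowerShell script is an added example (not part of the original page or the product's own tooling) that verifies those paths from a candidate engine host before the engine is activated; it uses the placeholder host names from the lists above, and treats 5671 as the TLS port (IANA amqps) and 5672 as the plaintext AMQP port.

```powershell
# Added example: verify Distributed Engine callback connectivity from the engine host.
# Host names are the placeholders used on this page; replace them with your own.
param(
    [string[]]$WebEndpoints = @('ss.company.com'),   # or ss-a / ss-b for the multi-site designs
    [string[]]$BusEndpoints = @('rmq.company.com'),  # or rmq-a / rmq-b for the multi-site designs
    [switch]$RequireTls                              # fail when only plaintext 5672 answers
)

function Test-Port {
    param([string]$Target, [int]$Port)
    # -InformationLevel Quiet returns a plain $true/$false instead of a result object
    return Test-NetConnection -ComputerName $Target -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

$failures = 0

# Web server callback (TCP 443)
foreach ($web in $WebEndpoints) {
    $ok = Test-Port -Target $web -Port 443
    Write-Host ("{0}:443 (Web server callback) -> {1}" -f $web, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    if (-not $ok) { $failures++ }
}

# RabbitMQ Helper response bus (TCP 5671 TLS, or 5672 plaintext)
foreach ($bus in $BusEndpoints) {
    $tls   = Test-Port -Target $bus -Port 5671
    $plain = Test-Port -Target $bus -Port 5672
    if ($tls) {
        Write-Host ("{0}:5671 (RabbitMQ Helper, TLS) -> open" -f $bus)
    } elseif ($plain) {
        Write-Host ("{0}:5672 (RabbitMQ Helper, plaintext) -> open; 5671 blocked" -f $bus)
        if ($RequireTls) { $failures++ }
    } else {
        Write-Host ("{0}: neither 5671 nor 5672 reachable -> BLOCKED" -f $bus)
        $failures++
    }
}

if ($failures -gt 0) {
    Write-Host "$failures callback path(s) blocked; review firewall rules before activating the engine."
    exit 1
}
Write-Host "All Distributed Engine callback paths reachable."
```

Run it with `-RequireTls` in the multi-site designs where both local bus virtual IPs (rmq-a and rmq-b) are expected to terminate TLS on 5671, so that a plaintext-only path is reported as a failure rather than a pass.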
