ByteHaven
Explorer III
February 9, 2025
Solved

Fortimail HA across different sites

  • February 9, 2025
  • 1 reply
  • 1334 views

Hello everyone,

 

I am exploring better options for configuring FortiMail HA across two different sites—one FortiMail device in Site A and another in Site B. My initial idea is to connect the two devices via an MPLS VPN. However, this approach can be costly for geographically distant sites and requires extremely low latency to function effectively. As an alternative, I am considering using DNS failover...

 

Does anyone have a better suggestion?

 

Best regards,

Best answer by AEK

1 reply

AEK
SuperUser
February 9, 2025

Hi CL1

No need for DNS failover. Also, an Active-Passive config will put your second FML in an idle state for the whole year. So I think one good idea is to configure Active-Active mode (config sync), and configure 2 different MX entries in your public DNS.

Depending on your case, you can configure one primary MX (1st priority) and one secondary MX, or you can configure them with the same priority so the remote senders will load balance between your 2 MXs.

[Image: FML_HA2.png]

The failover is native to SMTP servers: when a remote server tries to send to your first MX and finds it down, it will automatically send to the second MX.

 

ByteHaven (Author)
Explorer III
February 11, 2025

Hello AEK,

 

Apologies if I'm mistaken, but what you described sounds like DNS failover, correct? Perhaps I don't fully understand the concept of DNS failover and should do more research on it. My main concern is ensuring connectivity between the two FortiMails, especially if they're separated by a significant distance, say 500km or more. The only solution I'm familiar with is MPLS VPN, which I understand is highly effective but can be quite costly. Do you have any alternative solutions to recommend?

 

I really appreciate your support

 

Best regards,


AEK (Answer)
SuperUser
February 11, 2025

Hi CL1

 

The failover here is native to mail servers, and it is not a DNS failover. It means a remote mail server will send to the first MX, and in case it is down it will send immediately to the second MX.

 

Your second concern is the synchronization between the two FML, right? For Active-Active there is no concern regarding the latency because it is just config sync, not data sync. See here:

https://docs.fortinet.com/document/fortimail/7.6.1/administration-guide/846008/using-high-availability-ha#About_HA_modes

Config sync doesn't need low latency and it uses very low bandwidth. So your MPLS VPN is perfect for that in all cases.

 

Feel free to ask more questions in case it is not clear enough.

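The MX behaviour AEK describes in both replies above (two MX entries, either primary/secondary or equal priority, with the sending server itself trying the next MX when the first is down) can be seen in a small simulation. This is an added example, not code from the thread, from Fortinet or from FortiMail: the zone-file excerpts, the host names mail-a/mail-b.example.com and the `fake_connect` stand-in for a TCP connection to port 25 are all constructed for illustration. The ordering rule follows RFC 5321 section 5.1 (lowest preference value first, equal preferences tried in random order); the simulation does not model the FortiMail config sync, only the sender-side failover.

```python
"""Added example: how a sending MTA orders MX records and fails over.

Everything here is constructed for illustration: the zone snippets, the
host names, and the fake "connect" that stands in for a real TCP connect
and SMTP greeting on port 25. No DNS or network access is performed.
"""
import random
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone-file excerpt: one primary (10) and one secondary (20) MX,
# the "1st priority / secondary" layout from the reply.
ZONE_PRIMARY_SECONDARY = """
example.com.  3600  IN  MX  10  mail-a.example.com.
example.com.  3600  IN  MX  20  mail-b.example.com.
"""

# Constructed zone-file excerpt: both MX with the same preference, so remote
# senders spread load across the two sites.
ZONE_EQUAL_PRIORITY = """
example.com.  3600  IN  MX  10  mail-a.example.com.
example.com.  3600  IN  MX  10  mail-b.example.com.
"""


def parse_mx(zone_text: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs from the MX lines of a zone snippet."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        # owner  ttl  class  type  preference  exchange
        if len(fields) >= 6 and fields[3].upper() == "MX":
            records.append((int(fields[4]), fields[5].rstrip(".")))
    return records


def order_mx(records: List[Tuple[int, str]], seed: Optional[int] = None) -> List[str]:
    """Order hosts as RFC 5321 5.1 requires: ascending preference value,
    with hosts of equal preference shuffled so load is spread among them.
    `seed` only exists to make the shuffle reproducible in tests."""
    rng = random.Random(seed)
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def deliver(records: List[Tuple[int, str]],
            connect: Callable[[str], bool],
            seed: Optional[int] = None) -> Tuple[Optional[str], List[str]]:
    """Try each MX host in order and stop at the first that accepts a
    connection. Returns (host_used, hosts_tried); host_used is None when
    every MX was unreachable, in which case a real MTA queues the message
    and retries later instead of bouncing it."""
    tried: List[str] = []
    for host in order_mx(records, seed):
        tried.append(host)
        if connect(host):
            return host, tried
    return None, tried


def fake_connect(reachable: set) -> Callable[[str], bool]:
    """Stand-in for the TCP connect + SMTP banner check (constructed):
    a host "answers" only if it is in the reachable set."""
    def connect(host: str) -> bool:
        return host in reachable
    return connect


if __name__ == "__main__":
    recs = parse_mx(ZONE_PRIMARY_SECONDARY)
    both_up = fake_connect({"mail-a.example.com", "mail-b.example.com"})
    site_a_down = fake_connect({"mail-b.example.com"})
    print("both sites up:   ", deliver(recs, both_up))
    print("site A down:     ", deliver(recs, site_a_down))
    print("both sites down: ", deliver(recs, fake_connect(set())))
    eq = parse_mx(ZONE_EQUAL_PRIORITY)
    print("equal priority, first MX tried over a few runs:",
          [order_mx(eq, seed=s)[0] for s in range(6)])
```

With the primary/secondary zone, every sender connects to mail-a first and only moves to mail-b when mail-a refuses the connection; with the equal-priority zone, the first host tried varies from sender to sender. In neither case does anything in DNS change when a site goes down, which is why AEK calls this native SMTP failover rather than DNS failover; the operational caveat is that the secondary site must be able to accept and deliver mail on its own, since senders will use it without warning.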