vonden85
New Member
October 25, 2019
Question

Migration of Forti-Authenticator


Hi Guys,

I have a FortiAuthenticator (FAC) that's currently hosted in a datacentre which my organisation is moving out of.

Now I have built a vanilla FAC in the new datacentre, with an eval license currently running on it.

An engineer who is assisting me with the project has put our production FAC and the new FAC into HA mode.

Production FAC = Standalone Master

New Vanilla FAC = Load Balancing Slave (different IP address, serial number)

Now we currently have 1500 users and tokens active, so the goal is to ensure we don't break them and force 1500 users to enrol again, which would be a pain.

Couple of questions:

1. Has the engineer who is assisting me put the two FACs in the right HA mode? Should they be in Cluster Member mode instead of Master/Slave HA mode?

2. I have pointed a test server at the slave FAC and attempted to authenticate with 2FA, and it's not working. The Gen_Fac Host value has changed in the registry key for the server. Is this sufficient for the server to authenticate successfully, or are we going about this the wrong way?

If there's anyone with high-level steps on how we can successfully migrate the FAC into the new datacentre without disruption, I would really appreciate it, because we're not making any headway at this point in time.

Thanks,


    emnoc
    New Member
    October 25, 2019

    1: It depends on your goal, but the cluster is act/stdby, btw.

    2: Did you make the standby ACTIVE when you did your test?

    I would promote the standby to active and do my test. I believe the eval license is going to be an issue if it does not match the current production unit.

     

    Ken Felix

    vonden85 (Author)
    New Member
    October 25, 2019

    Hi Ken, thanks for your reply. The main goal is to not break the tokens currently active for the 1500 staff members. The current production one will need to be blown away because we're vacating that data centre for good. My questions:

    1. Are we in the right HA mode? Should the two FACs be in cluster mode instead, so that when the prod one is turned off, the other node kicks in? Or is there more to it than that, hence the engineer has chosen master/slave? If I switch the slave to be active, how quick is it to roll back? I have VPN, untrusted remote access and 2FA authentication happening for IT admins across all our servers.

    2. I'm going under the assumption that someone has conducted this task before (surely), but I heard the tokens are tied to the UUID of the VM of the FAC.

    3. Is the Gen_FAC value on the server the only thing that needs to be changed for successful 2FA to happen for a server on the slave FAC? Kindly correct me if I'm wrong.

    Cheers, Den.
    abelio
    SuperUser
    October 25, 2019

    Hello Den

    A few comments:

    - As emnoc pointed out, an eval license won't work because of its user limit (10 users, I guess). So, before migration, try to fix this to avoid headaches.

    - HA active-passive is the only clustering mode which ensures full synchronization.
    If your networking scenario does not allow you this and you're forced to adopt active-active (master and load-balancing slave), you have to re-check your configuration, because this mode cannot synchronize FSSO, certificates, etc.

    As the manual states, only the auth features below are synchronized in this mode:

    - Token and seeds
    - Local user database
    - Remote user database
    - Group mappings
    - Token and user mappings

    Because of that, in our very particular scenario, we had to deal with this using active-passive and play with the network interfaces.
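Both replies above come down to the same advice: promote the standby, then test authentication against it before the production unit is switched off. The following is an added example, not code from the thread or from Fortinet, of a minimal RADIUS PAP client that sends one Access-Request to a FortiAuthenticator and checks the reply, using only the Python standard library. It assumes the test host is configured as a RADIUS client on the FAC with the shared secret shown, and that the FAC policy expects the FortiToken code appended to the password (if the FAC is set up for challenge-response you will get an Access-Challenge instead). Host name, secret, user and password are placeholders.

```python
"""Pre-cutover check: send one RADIUS PAP Access-Request to a FortiAuthenticator
and classify the reply.  Added example using only the Python standard library;
host, secret and credentials are placeholders, not values from the thread."""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password (what the server does); lets you self-check the encoder."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")  # strips the padding; passwords never contain NUL


def attribute(attr_type, value):
    """One RADIUS TLV: type, length (including the 2 header bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, authenticator, username, password, nas_id):
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data):
    """Return {type: [value, ...]}; rejects truncated or zero-length TLVs."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(data[i], []).append(data[i + 2:i + data[i + 1]])
        i += data[i + 1]
    return attrs


def build_response(secret, request_authenticator, code, ident, attrs=b""):
    """Server side, included so the verifier can be checked offline:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(secret, request_authenticator, packet):
    """Return (code, identifier, authentic).  A reply whose authenticator does not
    check out was not produced by anyone holding the shared secret."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]  # octets beyond Length are padding (RFC 2865 section 3)
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return code, ident, hmac.compare_digest(expected, packet[4:20])


def check_fac(host, secret, username, password, port=1812, nas_id="cutover-check", timeout=5.0):
    """Send one request; returns 'accept', 'reject', 'challenge', 'forged', 'timeout' or 'code-N'."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(secret, ident, req_auth, username, password, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # standby not active, or this host is not a known RADIUS client
    code, rid, authentic = verify_response(secret, req_auth, reply)
    if not authentic or rid != ident:
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
            ACCESS_CHALLENGE: "challenge"}.get(code, f"code-{code}")


if __name__ == "__main__":
    # usage: python fac_check.py <fac-host> <shared-secret> <user> <password+OTP>  (all placeholders)
    print(check_fac(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4]))
```

A "timeout" is the result you should expect from a load-balancing slave that has not been promoted, or from a test host the FAC does not list as a RADIUS client, because RFC 2865 requires a server to silently discard requests from unknown clients rather than reject them; a "reject" at least proves the promoted node is answering with the shared secret, and a "forged" means the reply's Response Authenticator did not verify under that secret.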