SunScreen 3.2 Administration Guide

Configuring Policies for an HA Cluster

You configure the HA cluster just as you configure a single Screen. Policy rules for passive HA Screens are configured when they connect to the primary HA Screen. You should write a rule for connecting to the unique address of each host in the HA service group.

Updates to the primary HA Screen are automatically relayed to all the other HA Screens. This synchronization takes place during activation: when a configuration is activated, the primary HA Screen transfers the configuration (including certificates, local keys, addresses, and policy rules) to every secondary HA Screen.

When an HA host is in passive mode, you cannot connect to that host directly, except through remote administration on the HA interface. The same restriction applies to connections from one HA host to another on the HA interface.

You can allow services beyond the standard HA service, remote administration, and heartbeat; these additional services are permitted only between the HA hosts. To add them to the HA service group, select Service in the Type list on the Edit Policy page and add the services you want to include.