Tianrongxin builds a VPN cluster application solution for the government extranet
With the growth of network technology and the steady widening of its fields of application, interconnecting the branches of government agencies and companies over a network has become inevitable. To interconnect organizations securely while avoiding the high cost of leased private lines, Virtual Private Network (VPN) technology has come into wide use. SSL VPN is one kind of VPN technology; its simple access, flexible and fine-grained permission control, and reliable security have made it a new highlight of VPN applications. However, as user traffic grows, the number of concurrent users rises, and users expect faster response and uninterrupted communication, a single VPN device serving a large business volume and many users in a complex network runs into problems users will not accept: slow response, poor user experience, bottlenecks in data forwarding, and service interruption when the device fails. Clustering has been proposed as a new solution to these problems.
Cluster technology refers to a group of independent servers that appear on the network as a single system and are managed as one; this single system provides highly available services to client workstations. The overall idea of clustering for SSL VPN is to combine multiple VPN devices into one VPN cluster that presents a single interface to the outside world. When SSL VPN users reach their services through the cluster, they neither know how many VPN devices there are nor which one is serving them. In terms of data processing, however, capacity is greatly increased because the VPN devices process data in parallel. At the same time, because every VPN device in the cluster has the same configuration and the same processing capacity, if one device fails its data processing is automatically taken over by the other devices, so a business application is not brought down by a single failed unit. This gives a strong guarantee for the stability of the user's environment.
Let us look at a specific government extranet use case to see the two deployment methods and the problems the cluster solves in actual use.
The government extranet is a ring network, and the websites of the various government agencies (for example, public security bureaus and audit bureaus) are reached through it. This ring network carries a high concentration of information, a wide range of applications, and a large amount of data. For such an application, a VPN should be used to encrypt data access and protect the back-end servers, and the VPN system must offer strong data processing capacity, stable operation with backup, and simple scalability.
In this environment, 4 VPN devices of the same model and configuration form the cluster. One device acts as the primary unit (the "main wall") and receives all incoming sessions. Several distribution policies are available; under unified distribution, a session can be handed to any one of the four VPN devices for processing. If the primary unit fails, the three standby units elect one of themselves to take over the primary role according to a fixed rule, and the sessions that were still being handled by the failed primary are redistributed to the remaining three devices, so that the loss of user access is kept to a minimum. Each device in the environment also has a port connected to the intranet server. If the intranet server has a problem, the interface linkage function on the VPN device is triggered, and the external network port returns a service-interruption response to the user. In this cluster only one access address is announced to the outside world, yet four VPN devices handle access at the same time, which greatly raises actual processing capacity. To expand the cluster, more devices are simply added to the existing one, for example to 8 units; the configuration of a newly added device must then be synchronized with the other units promptly. This implementation requires every VPN device to be connected by a heartbeat line and a load-balancing line, so that the state of each VPN device is detected in real time and configuration is synchronized accordingly.
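The failover behaviour described above (heartbeat detection, election of a new primary among the standby units, redistribution of the sessions left on the failed unit) is modelled below as an added example. It is a constructed simulation written for this page, not Tianrongxin code: the node numbering, the "lowest-numbered surviving node becomes primary" election rule, the three-missed-heartbeats failure threshold and the random session placement are all assumptions chosen to make the mechanism visible.

```python
"""Toy model of the first deployment method: identical VPN nodes, one acting as
primary ("main wall") that receives sessions and hands them to any live node.
Heartbeats detect a dead node; the lowest-numbered surviving node takes over
as primary; sessions in flight on the dead node are reassigned.

Constructed simulation for illustration, not product code. Election rule and
timeout are assumptions.
"""
import random
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 1.0      # seconds between heartbeats on the heartbeat line
MISSED_BEATS_TO_FAIL = 3      # assumption: a node is dead after 3 missed beats


@dataclass
class Node:
    node_id: int
    last_heartbeat: float
    sessions: set = field(default_factory=set)


class Cluster:
    def __init__(self, node_ids, now):
        self.nodes = {i: Node(i, now) for i in node_ids}
        self.primary = min(node_ids)          # owns the single announced address
        self.rng = random.Random(0)           # deterministic placement for the demo

    def alive(self, now):
        """Nodes whose heartbeat is fresh enough, sorted by node id."""
        limit = MISSED_BEATS_TO_FAIL * HEARTBEAT_INTERVAL
        return sorted(i for i, n in self.nodes.items()
                      if now - n.last_heartbeat < limit)

    def heartbeat(self, node_id, now):
        self.nodes[node_id].last_heartbeat = now

    def accept(self, session_id, now):
        """Primary receives a session and distributes it to any live node
        (unified distribution: itself included)."""
        live = self.alive(now)
        if not live:
            raise RuntimeError("no live node to take the session")
        target = self.rng.choice(live)
        self.nodes[target].sessions.add(session_id)
        return target

    def check(self, now):
        """Run one failure-detection pass. Returns (primary, {session: new_node})."""
        live = self.alive(now)
        if not live:
            raise RuntimeError("whole cluster unreachable")
        reassigned = {}
        for dead_id in [i for i in self.nodes if i not in live]:
            orphaned, self.nodes[dead_id].sessions = self.nodes[dead_id].sessions, set()
            for s in orphaned:
                target = self.rng.choice(live)
                self.nodes[target].sessions.add(s)
                reassigned[s] = target
        if self.primary not in live:
            self.primary = live[0]            # election rule: lowest surviving id
        return self.primary, reassigned


if __name__ == "__main__":
    c = Cluster([1, 2, 3, 4], now=0.0)
    for s in range(8):
        c.accept(f"s{s}", now=0.0)
    for t in (1.0, 2.0, 3.0, 4.0):           # node 1 stops sending heartbeats
        for i in (2, 3, 4):
            c.heartbeat(i, t)
    print(c.check(now=4.0))
```

In the simulation the primary's own sessions are what gets redistributed; the page's point that only the unfinished work of the failed unit moves, while the other units keep serving, falls out of the fact that `check` touches nothing on live nodes.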
The cluster environment meets the user's needs for high-performance data processing, timely response, and reliable stability well, but it still has shortcomings. First, all the devices must be located together; the cluster cannot be deployed in a distributed way. Second, the cluster needs a primary unit to distribute traffic, so the performance of that primary unit directly determines the processing capacity of the whole cluster. Third, apart from the basic network settings, the configuration of every unit must be identical, which means the configuration must be synchronized in real time; the configuration grows very large and complicates later maintenance. Fourth, although this clustering method can in theory be expanded to a large scale, the volume of configuration, the many physical interfaces required, and the high performance demanded of the primary distribution unit mean that in practice a cluster of fewer than 10 units is feasible, and more units make use and maintenance difficult.
In the second deployment method, multiple VPN devices are distributed as independent units across the user's ring network. Every device has the same role; there is no primary or secondary. Each device is connected to the internal network and to the external network separately, that is, each has its own external network interface. Server 1 acts as the rights distribution center: it registers each device in the cluster and distributes each device's configuration. The authentication server area acts as the authentication center and handles all user authentication. When a user accesses intranet resources for the first time, the client first obtains the access address list of all VPN devices in the cluster from server area 1 and caches it locally. Subsequent access to protected intranet resources can then go through any VPN device, chosen at random from the cached address list. These operations are automatic; the user does nothing manually. Server 1 is also responsible for distributing and maintaining the configuration of all VPN devices registered with it, which avoids the resources consumed by synchronization between devices and makes the distributed deployment of the VPN devices possible. Authentication of users accessing a VPN device is performed by a group of authentication servers in the authentication server area; these servers are in hot standby for one another, which increases the stability of the authentication function. Because authentication is separated out, the authentication handling on the VPN device is simplified and user authentication information is easier to maintain.
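The client-side part of this distributed method (fetch the address list from server 1, cache it, pick a device at random, fall back to another cached device when one is unreachable) is modelled below as an added example. It is constructed for this page and is not Tianrongxin code. The page does not say how the address list is protected between server 1 and the client, so the example assumes an HMAC-SHA256 tag over the list under a shared key; the device addresses, the simulated reachability table and the "drop the unreachable device and retry" policy are likewise assumptions. The authentication server group is not modelled.

```python
"""Toy model of the second (distributed) deployment method.

Server 1 registers VPN devices and publishes their address list; the client
caches the list and reaches intranet resources through a randomly chosen
device, trying another cached device if the first is unreachable.

Constructed example, not product code. The HMAC over the list is an assumed
integrity check: without it a tampered list could steer clients to a device
that is not part of the cluster.
"""
import hashlib
import hmac
import json
import random

REGISTRY_KEY = b"example-shared-key-not-for-production"   # assumption


class RegistrationServer:
    """Server 1: rights distribution center that registers devices and
    publishes the signed address list."""

    def __init__(self, key):
        self.key = key
        self.devices = []

    def register(self, address):
        if address not in self.devices:
            self.devices.append(address)

    def address_list(self):
        body = json.dumps(sorted(self.devices)).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class VpnClient:
    def __init__(self, key, reachable, seed=0):
        self.key = key
        self.cache = []                 # locally cached device address list
        self.reachable = reachable      # simulated network: address -> bool
        self.rng = random.Random(seed)

    def load_list(self, signed):
        """Verify the list came from server 1 before caching it."""
        expected = hmac.new(self.key, signed["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["tag"]):
            raise ValueError("address list failed integrity check; not cached")
        self.cache = json.loads(signed["body"])

    def access(self, resource):
        """Reach `resource` through a random cached device; on failure try
        the remaining devices. Returns (device_used, devices_tried)."""
        candidates = list(self.cache)
        tried = []
        while candidates:
            device = self.rng.choice(candidates)
            candidates.remove(device)
            tried.append(device)
            if self.reachable.get(device, False):
                # Real device would now authenticate the user against the
                # authentication server group (not modelled here).
                return device, tried
        raise ConnectionError(f"no VPN device reachable for {resource}; tried {tried}")


if __name__ == "__main__":
    reg = RegistrationServer(REGISTRY_KEY)
    for addr in ("vpn-a.example", "vpn-b.example", "vpn-c.example", "vpn-d.example"):
        reg.register(addr)
    net = {"vpn-a.example": True, "vpn-b.example": False,
           "vpn-c.example": True, "vpn-d.example": True}
    client = VpnClient(REGISTRY_KEY, net)
    client.load_list(reg.address_list())
    for _ in range(5):
        print(client.access("http://intranet/app"))
```

Random selection spreads load across the devices without any of them acting as distributor, which is what removes the primary-unit bottleneck of the first method; the retry loop is what keeps a single unreachable device from costing the user the session.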
Through this distributed cluster architecture the services provided by the cluster are more stable and efficient, and large-scale expansion of the cluster becomes possible, which resolves the problems that the traditional cluster described above faces in large networks.