Example: Active-passive HA group in gateway mode
In this example, two FortiMail-400 units are configured to operate in gateway mode as an active-passive HA group.
The procedures in this example describe the HA configuration necessary to achieve this scenario. Before beginning, verify that both of the FortiMail units are already:
• physically connected according to Figure 79
• operating in gateway mode
• configured with the IP addresses for their port3 and port1 network interfaces according to Figure 79, with the exception of the HA virtual IP address that will be configured in this example (for details, see “Editing network interfaces”)
• allowing HTTPS administrative access through their port1 network interfaces according to Figure 79

Figure 79: Virtual IP address for HA failover
The active-passive HA group is located on a private network with email users and the protected email server. All are behind a FortiGate unit which separates the private network from the Internet. The DNS server, remote email users, and external SMTP servers are located on the Internet.
For both FortiMail units:
port1
• connected to a switch which is connected only to the computer that the FortiMail administrator uses to manage the HA group
• administrative access occurs through this port

port3
• connected to a switch which is connected to the private network and, indirectly, the Internet
• email connections occur through this port

port6
• connected directly to each other using a crossover cable
• heartbeat and synchronization occur through this port
The secondary unit will become the new primary unit when a failover occurs. In order for it to receive the connections formerly destined for the failed primary unit, the new primary unit must adopt the failed primary unit’s IP address. You will configure an HA virtual IP address on port3 for this purpose.
While the configured primary unit is functional, the HA virtual IP address is associated with its port3 network interface, which receives email connections. After a failover, the HA virtual IP address becomes associated with the new primary unit’s port3. As a result, the new primary unit (originally the secondary unit) receives and processes the email connections.
This example contains the following topics: