VIP Enterprise Gateway Failover / High Availability / Disaster Recovery

Article ID: 159640

Updated On:

Products

VIP Service

Issue/Introduction

Information regarding high availability, failover, and disaster recovery on VIP Enterprise Gateway (VIP EG).

Resolution

In an environment protected by Symantec Validation & ID Protection Service (VIP), connectivity is crucial for the communication between the enterprise applications and the VIP Authentication Service that is hosted in the cloud. Any disruption in this communication affects the ability to perform two-factor strong authentication and impacts business transactions. VIP Enterprise Gateway and the components within it are all stateless. Therefore, your enterprise can achieve failover and redundancy simply by deploying two VIP Enterprise Gateway instances.

•    Failover and redundancy for client applications
To prepare for failover and redundancy for client applications (such as VPN), configure the client(s) to connect to both VIP Enterprise Gateways in a round-robin fashion using RADIUS load balancing. For applications that use Symantec-provided integration plug-ins, consult the specific VIP Application Integration Guide for your application's load balancing and failover information.

•    Failover and redundancy for VIP Manager and Self Service Portal IDP
Since the IDPs residing on VIP Enterprise Gateway are web applications, consider placing a load-balanced URL in front of the VIP Enterprise Gateway. Other recommendations and examples for high availability are available in VIP_Enterprise_Authentication_Deployment_Guide.pdf (available at VIP Manager > Account > Download Files > General Documentation).

The Automatic Business Continuity feature in Enterprise Gateway enables Validation Servers to detect loss of connectivity to the VIP Authentication Service and switch to the Business Continuity mode automatically. In the Business Continuity mode, Validation Servers use only first-factor authentication, while users are still prompted for a security code for an uninterrupted login experience. After the connectivity is restored, Validation Servers switch back to the two-factor authentication without human intervention.

•    The following are some of the typical connectivity issues that the Business Continuity feature in the Automatic mode detects:
      -    VIP User web services host or port unreachable
      -    Enterprise HTTP proxy access issues
      -    VIP certificate has expired
•    The term connectivity in this topic stands for the connectivity between VIP Enterprise Gateway and the Symantec hosted VIP service. This does not include the connectivity between VIP Enterprise Gateway and User Store or the connectivity between an enterprise application (such as a VPN) and the VIP Enterprise Gateway.
•    Note: If the VIP Enterprise Gateway host is connected to the VIP user services through an HTTP proxy server, a delay can occur in detecting the connectivity issues. This will impact the timely switching between the normal and the Business Continuity modes.
•    Instructions on how to configure Automatic Business Continuity in the VIP Enterprise Gateway configuration are in the VIP installation and configuration guide (available at VIP Manager > Account > Download Files > Enterprise Gateway > X.X (select a version) > VIPEGXXInstallAndConfig.pdf > Configuring Automatic Business Continuity).

Supporting Load-balancing and failover

  • To achieve load-balancing, LDAP synchronization schedules of each VIP Enterprise Gateway server must be at least three hours apart. No other LDAP sync instance can run within three hours of another LDAP sync instance that is part of the same Synchronization Cluster.
  • The order of the user stores should be identical on each VIP EG. If necessary, drag and drop them into the correct order.
  • When setting up additional VIP EG servers for cluster or failover, consider exporting settings from a working VIP EG and importing them into the new VIP EG. IP/DNS values will auto-adjust during the import.
  • Never re-IP or clone an existing VIP EG server. If a re-IP is necessary, export the VIP EG settings, uninstall the VIP EG software, perform the re-IP, install the VIP EG software, then import the settings.
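
The first two rules above can be checked before a new VIP EG joins a cluster. The following Python sketch is an added example, not Symantec code: the inventory layout, the gateway and user store names, and the assumption that each LDAP sync runs daily at a fixed HH:MM start time are all hypothetical, and the values would be collected by hand from each gateway's configuration.

```python
from itertools import combinations

MIN_GAP_MIN = 3 * 60   # article rule: LDAP syncs at least three hours apart
DAY_MIN = 24 * 60

def to_minutes(hhmm):
    """Convert 'HH:MM' to minutes after midnight, rejecting bad values."""
    h, m = (int(part) for part in hhmm.split(":"))
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"bad time: {hhmm}")
    return h * 60 + m

def circular_gap(a, b):
    """Shortest distance in minutes between two daily times, across midnight."""
    d = abs(to_minutes(a) - to_minutes(b))
    return min(d, DAY_MIN - d)

def check_cluster(gateways):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # Every sync start time in the cluster, tagged with its gateway.
    runs = [(name, t) for name, gw in gateways.items() for t in gw["ldap_sync"]]
    for (n1, t1), (n2, t2) in combinations(runs, 2):
        gap = circular_gap(t1, t2)
        if gap < MIN_GAP_MIN:
            findings.append(f"sync gap {gap} min: {n1}@{t1} vs {n2}@{t2}")
    # User store order must be identical on every gateway.
    names = sorted(gateways)
    reference = gateways[names[0]]["user_stores"]
    for name in names[1:]:
        if gateways[name]["user_stores"] != reference:
            findings.append(f"user store order differs: {name} vs {names[0]}")
    return findings

# Constructed sample inventory (hypothetical names and times).
SAMPLE = {
    "eg-a": {"ldap_sync": ["23:00"], "user_stores": ["corp-ad", "partner-ldap"]},
    "eg-b": {"ldap_sync": ["01:30"], "user_stores": ["partner-ldap", "corp-ad"]},
}

if __name__ == "__main__":
    for finding in check_cluster(SAMPLE):
        print(finding)
```

The sample fails both checks: 23:00 and 01:30 are only 150 minutes apart once the gap is measured across midnight, and the two gateways list their user stores in a different order.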