FortiMail
FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
Article Id 190550

Description

A common FortiMail HA configuration involves selecting "Add virtual IP/netmask" to add a virtual IP address to a primary unit interface. You can then configure your network to send email traffic to the virtual IP address, and this traffic is received by the primary unit. If a failover occurs, the backup unit inherits the same virtual IP address and then receives the email traffic sent to it.

For additional information, see the "Configuring high availability" chapter of the FortiMail Administration Guide.

Components
  • FortiMail 3.0 GA, 3.0 MR1, and 3.0 MR2
  • Active-passive high availability (HA)

Note: In FortiMail 3.0 MR3 and newer releases, all outgoing sessions that originate from an interface configured with a virtual IP address use the virtual IP address of the interface as the source address, not the actual IP address.

Steps or Commands

Configuring virtual IP addresses for an active-passive HA group gives a network interface two IP addresses: the virtual IP address and the actual IP address. The interface can receive traffic sent to either of these IP addresses.

Virtual IP addresses are commonly configured so that, when a failover occurs, the backup unit inherits the virtual IP address and all traffic to the virtual IP is automatically received and processed by the backup unit. This enables the new primary unit to assume its duties without the network being reconfigured to connect to a new IP address. In addition, because in this configuration only the virtual IP address is transferred to the new primary unit and the actual IP address is not, an administrator can continue to connect to either unit using its actual IP address.

As a result, you would normally configure your network (MX records, firewall policies, routing, and so on) for connections with the virtual IP address.

However, for FortiMail 3.0 GA, 3.0 MR1, and 3.0 MR2, all sessions that originate from this interface (including outgoing email) use the actual IP address of the interface, not the virtual IP address. Because of this, if the HA group will process outgoing mail, alerts, and so on, you should configure network devices such as firewalls to accept traffic from both the actual IP addresses and the virtual IP address.

(For FortiMail 3.0 MR3 and newer releases, this behavior has changed: the virtual IP address is the source address for all traffic, both originating and reply.)

Additional Notes

Traffic connecting to the virtual IP address can only reach the FortiMail unit that is currently operating as the primary unit.

For outgoing traffic on FortiMail 3.0 GA, 3.0 MR1, and 3.0 MR2, if the HA group is configured with public IP addresses and you are using a virtual IP configuration, three public IP addresses are required: one virtual IP address, one actual IP address for the primary unit interface, and one actual IP address for the backup unit interface (either unit may become primary and originate mail from its own actual address).

All of these IP addresses, both actual and virtual, must be resolvable in public DNS, because any of them can be the source IP address of traffic sent to external Mail Transfer Agents (MTAs).

However, if the HA group is installed behind a NAT device such as a router or firewall, all FortiMail IP addresses can be private network addresses: configure the NAT device so that outgoing traffic from any FortiMail internal IP address is mapped to the public external IP address of the NAT device. In this case, only the external IP address must be resolvable.

For outgoing traffic on FortiMail 3.0 MR3 and newer releases, if the HA group is configured with public IP addresses and you are using a virtual IP configuration, only one public IP address is required: the virtual IP address. Similarly, if the HA group is installed behind a NAT firewall, you only need to map one IP address (the virtual IP address) to an external IP address.
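The following Python script is an added worked example, not part of the Fortinet article or of FortiMail itself. It applies the release rule described above (actual IP as source before 3.0 MR3, virtual IP as source from 3.0 MR3 onward) to a constructed HA group, computes which source addresses external devices may see, and then checks them against a constructed firewall allow-list and constructed DNS records (forward-confirmed reverse DNS) in place of live lookups. The release-string format, the 203.0.113.0/24 addresses, the allow-list and the DNS records are all assumptions made for illustration.

```python
"""Added example (not from the Fortinet article): derive the source addresses a
FortiMail active-passive HA group presents for the sessions it originates, then
audit a firewall allow-list and DNS data against them.  The release-string
format, addresses, rules and records below are constructed for illustration."""
import ipaddress
import re

# Assumed release-string shape: "3.0 GA", "3.0 MR1", "3.0 MR3", "4.0 GA", ...
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\s+(GA|MR(\d+))$")


def parse_release(release):
    """'3.0 GA' -> (3, 0, 0); '3.0 MR3' -> (3, 0, 3)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised release string: %r" % release)
    patch = int(m.group(4)) if m.group(4) is not None else 0
    return (int(m.group(1)), int(m.group(2)), patch)


def uses_actual_ip_as_source(release):
    """3.0 GA, 3.0 MR1 and 3.0 MR2 source originated sessions from the
    interface's actual IP; 3.0 MR3 and later use the virtual IP."""
    return parse_release(release) < (3, 0, 3)


def expected_source_addresses(release, virtual_ip, actual_ips):
    """Addresses peers may see as the source of traffic from the HA group.

    The virtual IP is always present (replies to connections made to it).
    On releases before 3.0 MR3 the actual IP of every unit is added, since
    either unit may become primary and originate mail from its own address."""
    sources = {ipaddress.ip_address(virtual_ip)}
    if uses_actual_ip_as_source(release):
        sources.update(ipaddress.ip_address(ip) for ip in actual_ips)
    return sources


def not_allowed_by_firewall(sources, allow_cidrs):
    """Sources that no allow-list entry (a list of CIDR strings) covers."""
    nets = [ipaddress.ip_network(c) for c in allow_cidrs]
    return [str(ip) for ip in sorted(sources) if not any(ip in n for n in nets)]


def not_resolvable(sources, ptr_records, a_records):
    """Sources failing forward-confirmed reverse DNS: no PTR record, or a PTR
    name whose A record does not point back to the same address.  Offline
    dicts stand in for live lookups."""
    bad = []
    for ip in sorted(sources):
        name = ptr_records.get(str(ip))
        if name is None or a_records.get(name) != str(ip):
            bad.append(str(ip))
    return bad


def audit(release, virtual_ip, actual_ips, allow_cidrs, ptr_records, a_records):
    """Combine the checks above into one report for a given release."""
    sources = expected_source_addresses(release, virtual_ip, actual_ips)
    return {
        "release": release,
        "sources": [str(ip) for ip in sorted(sources)],
        "not_allowed_by_firewall": not_allowed_by_firewall(sources, allow_cidrs),
        "not_resolvable": not_resolvable(sources, ptr_records, a_records),
    }


# --- constructed sample data (documentation range 203.0.113.0/24) ---------
VIP = "203.0.113.10"                           # virtual IP on the HA group's mail interface
ACTUAL_IPS = ["203.0.113.11", "203.0.113.12"]  # primary and backup actual IPs
ALLOW_CIDRS = ["203.0.113.10/32"]              # firewall permits only the VIP outbound
PTR_RECORDS = {"203.0.113.10": "mail.example.com", "203.0.113.11": "fml1.example.com"}
A_RECORDS = {"mail.example.com": "203.0.113.10", "fml1.example.com": "203.0.113.11"}

if __name__ == "__main__":
    for rel in ("3.0 MR2", "3.0 MR3"):
        print(audit(rel, VIP, ACTUAL_IPS, ALLOW_CIDRS, PTR_RECORDS, A_RECORDS))
```

With the constructed data, a 3.0 MR2 group is flagged twice: both actual addresses are blocked by an allow-list that permits only the virtual IP, and the backup unit's actual address has no PTR record. The same data passes cleanly for 3.0 MR3, where only the virtual IP needs to be permitted and resolvable.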
