Configure a Management Server Cluster

To create a Management Server cluster, and enable failover and high-availability (HA) for your WatchGuard Management Servers, you can configure the Failover Cluster feature for the Microsoft servers where your Management Servers are installed. You can then use the command line to add the cluster setting to the Management Server configuration.

Requirements

  • WatchGuard System Manager Installer v11.8.1 or higher
  • WatchGuard Management Server v11.8.1 or higher
  • Windows Server 2012, 2012 R2, and 2016

Set Up a Microsoft Failover Cluster

  1. Set up a Microsoft Failover Cluster with two nodes and a disk witness for a Node and Disk Majority quorum configuration.
  2. Add a shared disk as a storage resource for the Management Server data and give it a descriptive name.
    For example, name the shared disk WGdisk.
  3. Set up a Cluster Shared Volume with the disk you created and make note of the path name.
    For example, %SYSTEMDRIVE%\ClusterStorage\Volume<n>.
    <n> is the volume number.
  4. Open a command prompt and run these file system commands to change the volume name to WGVolume (this example assumes the volume is Volume1):

cd %SYSTEMDRIVE%\ClusterStorage

ren Volume1 WGVolume

Install the Primary Management Server

After the Microsoft Failover Cluster is configured, you can install the first Management Server on the primary cluster node in the Microsoft Failover Cluster. This is the primary Management Server in the cluster.

  1. To create a junction point named WatchGuard in the %SYSTEMDRIVE%\ProgramData directory that points to the Cluster Shared Volume, at a command prompt in that directory, type:

mklink /J WatchGuard %SYSTEMDRIVE%\ClusterStorage\WGVolume

  2. Run the WatchGuard System Manager Installer and select the Management Server component.
    Select an installation folder in a directory on the local Microsoft server disk that is also available on the other nodes in the cluster, so that each Management Server is installed in the same directory location on each member of the cluster.
  3. Run the WatchGuard Server Center Setup Wizard to configure the settings for your Management Server.
  4. If you specified a gateway Firebox for your Management Server in the Setup Wizard, modify the configuration file of the Firebox and edit the Management Server NAT policy to include only the IP addresses for the Management Servers that will fail over to this Management Server (go to the Configure the failover IP address step).
    If you did not specify a gateway Firebox for the Management Server, in WatchGuard Server Center, select Management Server > Certificates and edit the Distribution IP Addresses list to include only the IP addresses for the Management Servers that will fail over to this Management Server (go to the Configure the failover IP address step).
  5. Stop the Management Server.

Install the Secondary Management Server

After the primary Management Server is configured, you can install the second Management Server on the secondary cluster node in the Microsoft Failover Cluster. This is the secondary Management Server in the cluster.

  1. To create a junction point named WatchGuard in the %SYSTEMDRIVE%\ProgramData directory that points to the Cluster Shared Volume, at a command prompt in that directory, type:

mklink /J WatchGuard %SYSTEMDRIVE%\ClusterStorage\WGVolume

  2. Run the WatchGuard System Manager Installer and select the Management Server component.
    1. Select the same installation folder path on the local Microsoft server disk that you selected for the primary Management Server.
    2. On the Installation Complete page of the wizard, do not click Restart All Servers Now.
  3. Verify that the WatchGuard Management Server and WatchGuard Web Services Server are registered with SCM but stopped.
    • Select Start > Administrative Tools > Services and verify the status of the WatchGuard Management Server and WatchGuard Web Services Server services.
    • Or, at a command prompt, run these commands:
      • sc query wmserver_service
      • sc query wsserver_service
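
The node checks from the steps above (junction in place, both services registered but stopped) can be run as one script. This is an added example, not WatchGuard code; it uses the paths and service names from this page, assumes PowerShell 5.0 or later for the LinkType and Target properties, and the function names are hypothetical.

```powershell
# Added example: preflight check for a cluster node before it is used for failover.
# Paths and service names are the ones this page uses.
$junction = Join-Path $env:SystemDrive 'ProgramData\WatchGuard'
$expected = Join-Path $env:SystemDrive 'ClusterStorage\WGVolume'

function Test-WGJunction {
    param([string]$Path, [string]$ExpectedTarget)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return "FAIL: $Path does not exist" }
    # A plain directory here means the data is not on the Cluster Shared Volume.
    if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        return "FAIL: $Path is a regular directory, not a junction"
    }
    # Target is a collection in Windows PowerShell 5.1 and a string in later versions.
    $actual = [string](@($item.Target)[0])
    if ($item.LinkType -ne 'Junction' -or
        $actual.TrimEnd('\') -ne $ExpectedTarget.TrimEnd('\')) {
        return "FAIL: $Path is a $($item.LinkType) to '$actual', expected a junction to $ExpectedTarget"
    }
    return "OK: $Path -> $actual"
}

function Test-WGService {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return "FAIL: $Name is not registered with SCM" }
    if ($svc.Status -ne 'Stopped') {
        return "FAIL: $Name is $($svc.Status), expected Stopped"
    }
    return "OK: $Name is registered and stopped"
}

$results = @(
    Test-WGJunction -Path $junction -ExpectedTarget $expected
    Test-WGService -Name 'wmserver_service'
    Test-WGService -Name 'wsserver_service'
)
$results
if ($results -like 'FAIL*') {
    Write-Warning 'This node does not match the state the procedure expects.'
}
```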

Configure the Primary Management Server as a Failover Resource

Next, you configure the primary Management Server that is installed on the primary cluster node in the Microsoft Failover Cluster as a failover resource.

To add the primary Management Server as a Failover Cluster resource, you use the Failover Cluster Manager to add the WatchGuard Management Server as a Generic Service cluster resource.

  1. Select Failover Cluster Manager > <failover cluster node> > Services and applications > Configure a Service or Application.
    The High Availability Wizard appears.
  2. Complete the wizard and specify these settings:
    1. On the Select Service or Application page, select Other Server.
    2. On the Client Access Point page, specify the DNS/NetBIOS name and IP address(es) for the Management Server.
    3. On the Select Storage page, do not specify any storage. Click Next.
    4. On the remaining pages of the wizard, review the settings and click Next.

    In the Services and Applications folder, the Management Server service appears with a status of Online.

  3. Select the Management Server service and select Actions > Take this service or application offline.
  4. Select Actions > Add a resource.
    The New Resource Wizard appears.
  5. Select Generic Service and specify these settings in the wizard:
    1. On the Select Service page, select WatchGuard Management Server. Click Next.
    2. On the Confirmation page, verify that the correct service name appears. Click Next.
      Do not add any options to the Parameters list.
    3. On the Summary page, review your settings and click Finish.
      In the Other Resources list, WatchGuard Management Server appears with a status of Offline.
  6. In the Services and Applications folder, select the Management Server Service and select Actions > Bring this service or application online.
  7. Right-click WatchGuard Management Server and select Properties.
    The Properties dialog box appears.
  8. On the General tab, remove all items from the Startup parameters list. Click OK.
  9. To add the cryptographic checkpoints required by the Management Server, at the command line run this command:
    <WSM-install-directory>\wmserver\bin\wmserver.exe -cluster
    Make sure to replace <WSM-install-directory> with the location where you installed the Management Server.

Start the WatchGuard Web Services Servers

Next, you start the web services servers on the secondary cluster node in the Microsoft Failover Cluster. You can start the service from either the Windows Services tool or from the command line.

From the Windows Services tool:

  1. Select Start > Administrative Tools > Services.
  2. Right-click WatchGuard Web Services Server and click Start.

From the command line:

  1. Open a command prompt as an administrator.
  2. Run this command:
    sc start wsserver_service

Run a Failover Test

To test your failover settings, you can move the primary Management Server to a different cluster node.

  1. Open WatchGuard System Manager and connect to the primary Management Server.
  2. Move the Management Server to a different cluster node in the Microsoft server cluster.
  3. Verify that WatchGuard System Manager establishes a connection to the secondary failover Management Server.
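
The move in step 2 can also be done and checked from the cluster side with the FailoverClusters PowerShell module. This is an added example, not WatchGuard code; the group name WGMgmt is a placeholder for the name you entered on the Client Access Point page, and the 120-second timeout is an arbitrary choice.

```powershell
# Added example: move the Management Server group to another node and confirm
# that it, and the WatchGuard Management Server generic service, come back online.
Import-Module FailoverClusters

$GroupName = 'WGMgmt'   # placeholder: name from the Client Access Point page

$before = Get-ClusterGroup -Name $GroupName
$target = Get-ClusterNode |
    Where-Object { $_.State -eq 'Up' -and $_.Name -ne $before.OwnerNode.Name } |
    Select-Object -First 1
if (-not $target) { throw "No other cluster node is up; cannot test failover." }

Write-Output "Moving '$GroupName' from $($before.OwnerNode.Name) to $($target.Name)"
Move-ClusterGroup -Name $GroupName -Node $target.Name | Out-Null

# Poll until the group reports Online on the new owner, or give up.
$deadline = (Get-Date).AddSeconds(120)
do {
    Start-Sleep -Seconds 5
    $after = Get-ClusterGroup -Name $GroupName
} until ($after.State -eq 'Online' -or (Get-Date) -gt $deadline)

if ($after.State -ne 'Online' -or $after.OwnerNode.Name -ne $target.Name) {
    Write-Warning "Group is $($after.State) on $($after.OwnerNode.Name); failover did not complete."
}

# Every resource in the group, including the generic service, should be Online.
Get-ClusterGroup -Name $GroupName | Get-ClusterResource |
    Format-Table Name, ResourceType, State, OwnerNode -AutoSize
```

Step 3 still applies: the cluster reporting Online does not by itself show that WatchGuard System Manager reconnected.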
