Understanding Communications Between Junos OS Enforcer and a Cluster of Infranet Controllers

You can configure a Junos OS Enforcer to work with more than one Infranet Controller in a high availability configuration known as an Infranet Controller cluster. The Junos OS Enforcer communicates with only one Infranet Controller at a time; the other Infranet Controllers are used for failover. If the Junos OS Enforcer cannot connect to the first Infranet Controller you added to a cluster, it tries to connect to that failed Infranet Controller again and then fails over to the other Infranet Controllers in the cluster. It continues trying to connect to Infranet Controllers in the cluster until a connection is established.

When the Junos OS Enforcer cannot establish a connection to an Infranet Enforcer, it preserves all its existing authentication table entries and Unified Access Control (UAC) policies and takes the timeout action that you specify. Timeout actions include:

Once the Junos OS Enforcer can reestablish a connection to an Infranet Controller, the Infranet Controller compares the authentication table entries and UAC policies stored on the Junos OS Enforcer with the authentication table entries and policies stored on the Infranet Controller and reconciles the two as required.

Note: The Infranet Controllers configured on a Junos OS Enforcer should all be members of the same Infranet Controller cluster.
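
The following configuration is an added example, not part of the original topic. It shows how two members of one Infranet Controller cluster and a timeout action might be defined on the Junos OS Enforcer. The controller names, addresses, interface, password, and timer values are constructed placeholders; the statements are those of the Junos OS services unified-access-control hierarchy.

```junos
# Constructed example: names, addresses, interface and secret are placeholders.
# Both entries must be members of the same Infranet Controller cluster.
# The Enforcer talks to one controller at a time, starting with the first one added.
set services unified-access-control infranet-controller ic-node1 address 192.0.2.11
set services unified-access-control infranet-controller ic-node1 interface ge-0/0/0.0
set services unified-access-control infranet-controller ic-node1 password "<shared-secret>"

# Second cluster member, used only for failover.
set services unified-access-control infranet-controller ic-node2 address 192.0.2.12
set services unified-access-control infranet-controller ic-node2 interface ge-0/0/0.0
set services unified-access-control infranet-controller ic-node2 password "<shared-secret>"

# Heartbeat interval and the time (in seconds) without contact after which
# the timeout action is applied.
set services unified-access-control interval 30
set services unified-access-control timeout 60

# Timeout action taken when no controller in the cluster can be reached.
# "close" is the fail-closed choice; existing authentication table entries
# and UAC policies are still preserved for later reconciliation.
set services unified-access-control timeout-action close
```

After committing, show services unified-access-control status reports which Infranet Controller the Enforcer is currently connected to.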
