How to set up a highly available on-premises SurePassID system

Setting up a highly available system with SurePassID is possible regardless of your budget.

Considerations for Highly Available Systems

To have a highly available SurePassID system, at a minimum you need to have the following items:

  • One or more virtual machines/servers. These will host the application servers and database servers. SurePassID uses Microsoft SQL Server as the application repository. To reduce the number of VMs, you can deploy SQL Server Express on each application server.
  • SurePassID installed and configured on each VM. 
  • A highly available SQL Server system that supports Windows Server Failover Clustering (WSFC) or SQL Server Publish-and-Subscribe replication. There are several alternative methods to create a highly available system that may require manual intervention. These options will be explored in the following sections.
  • Optionally a load balancer.

There are other ways you can create a highly available environment using virtualization that can be more cost effective and require very little or no setup. Talk to our support team to see if those options can meet your requirements.

SurePassID MFA Server Deployment Models

There are three primary setup models for SurePassID that you can implement.

1) The first is the primary-secondary model, where one primary system is responsible for all authentication tasks, and a secondary system acts as a fallback in case any components of the primary system fail. This model is the simplest to implement and is typically sufficient for most scenarios, especially in air-gapped environments where the number of users is typically limited, and all users are located within the same network.

2) The second model is a peer-to-peer system that involves two primary systems, each acting as the backup to the other, with application servers serving as secondary to each primary. This configuration is particularly useful in scenarios where the primary systems are located in geographically distinct locations, allowing users in one area to connect to the nearest SurePassID instance while users in another area connect to a different instance. In this setup, the databases can be configured as replicas of each other, enhancing redundancy and availability.

3) The third model is a variation of the peer-to-peer setup that incorporates a load balancer to direct traffic to the appropriate primary system. This direction is based on the load balancer's configuration settings, which can include factors such as geographic proximity, round robin distribution, or least load. This configuration is preferred for various reasons, with the primary advantage being that it ensures continuous availability. If one server becomes unavailable for any reason, such as routine maintenance or unforeseen issues, users can still authenticate without interruption through the other systems. Additionally, this approach simplifies the configuration of SQL Server.

4) A fourth option is the hot-copy model, which involves using SQL Server Express as the primary database hosted on a server separate from the application server. In this setup, you would configure a second SQL Server Express instance on an additional server. You will need to schedule regular backup tasks for the primary SQL Server and set up corresponding tasks to restore these backups to the secondary database. In the event of a primary server failure, you can simply update the DNS records to point to the secondary server, allowing the application to continue functioning. While this model is a cost-effective solution, it does require manual intervention, which may not be ideal for all scenarios.
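The backup and restore tasks of the hot-copy model can be combined into one scheduled job, sketched below as an added example (not SurePassID's own tooling). SQL Server Express has no SQL Server Agent, so the script is meant to be run from Windows Task Scheduler; the instance names, database name, share and retention period are placeholders, and it assumes both instances use the same data file paths and that nothing is connected to the standby database.

```powershell
# Added example: scheduled hot-copy job. Every name below is a placeholder
# (assumption), not a SurePassID default.
$ErrorActionPreference = 'Stop'
$Primary   = 'SQLPRIMARY\SQLEXPRESS'       # placeholder: primary instance
$Secondary = 'SQLSECONDARY\SQLEXPRESS'     # placeholder: secondary instance
$Database  = 'SUREPASSID_DB_PLACEHOLDER'   # placeholder: application database name
# Placeholder share. Both SQL Server service accounts need access to it and
# nobody else should: each .bak file is a full copy of the application repository.
$Share     = '\\SQLSECONDARY\HotCopy$'
$KeepDays  = 7                             # assumption: retention for old copies
$File      = Join-Path $Share ('{0}_{1:yyyyMMdd_HHmm}.bak' -f $Database, (Get-Date))

function Invoke-Sql {
    param([string]$Instance, [string]$Query)
    # -E = Windows authentication (no password stored in the script),
    # -b = return a non-zero exit code when the T-SQL batch fails.
    & sqlcmd -S $Instance -E -b -Q $Query | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "sqlcmd failed on $Instance (exit code $LASTEXITCODE)"
    }
}

# 1. Back up the primary. CHECKSUM validates pages while the backup is written.
Invoke-Sql $Primary "BACKUP DATABASE [$Database] TO DISK = N'$File' WITH INIT, CHECKSUM;"

# 2. Prove the file is readable before touching the secondary copy.
Invoke-Sql $Secondary "RESTORE VERIFYONLY FROM DISK = N'$File' WITH CHECKSUM;"

# 3. Overwrite the standby database. If a client is still connected, RESTORE
#    fails, sqlcmd returns non-zero and the job stops with the old copy intact.
Invoke-Sql $Secondary "RESTORE DATABASE [$Database] FROM DISK = N'$File' WITH REPLACE, CHECKSUM;"

# 4. Remove copies older than the retention period.
Get-ChildItem -Path $Share -Filter "${Database}_*.bak" |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item
```

Anything written to the primary after the last successful run is missing on the secondary, so the task interval is the data-loss window at failover.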

The selection of a deployment model should be guided by your network architecture, the distribution of your workforce, and your organization's specific goals. If you find yourself unsure about which model to adopt, we recommend starting with the primary-secondary model, as it is the most straightforward to implement.

No matter which deployment model you opt for, it is essential to have at least two MFA servers in place to ensure proper functionality and redundancy. 

Selecting a SQL Server version

Before proceeding with the installation of SurePassID, it is essential to identify the specific version of SQL Server that will be used. There are many SQL Server editions to consider, each with its own advantages, disadvantages, and associated costs. To explore the complete range of available editions, please refer to the resources here.

Below are some of the more common high availability options: 

  • SQL Server Windows Server Failover Clustering (WSFC) is a group of independent servers that work together to increase the availability of applications and services. SQL Server takes advantage of WSFC services and capabilities to support Always On availability groups and SQL Server failover cluster instances. This is a more costly option. All currently supported versions of SQL Server, including SQL Server 2016, 2017, 2019, and 2022, can use WSFC functionality to create failover cluster instances, as long as they are running on a compatible Windows Server OS such as Windows Server 2016, 2019, or 2022. SQL Express is not supported. For an overview of this technology, click here.
  • SQL Server Express is a free, limited-feature edition of Microsoft's SQL Server, primarily aimed at small-scale applications and development projects. It is an economical choice for SurePassID deployments with fewer than 250 users. This edition includes essential security features such as data encryption, user authentication, and authorization. However, it does impose certain restrictions, including limits on CPU usage, memory, and a maximum database size of 10GB. If your organization has access to a SQL Server license, we strongly recommend utilizing that option for enhanced capabilities. If a license is not available, SQL Server Express remains a viable alternative.  Click here for more info.

  • SQL Server Publish-and-Subscribe replication connects two database servers, with one server designated as the primary that sends data updates and the other as the secondary that receives the replicated data. In this setup, either server can serve as a failover option. However, it's important to note that SQL Server Express can only function as the secondary server, receiving replicated data from the primary. This solution is a practical option for organizations looking to manage costs effectively. To set up this feature, click here.

Installing SurePassID on Application Servers 

 To begin, install the SurePassID product on one of your servers. During the installation process, carefully configure the application to meet your specific requirements. Once the installation is complete, conduct a few quick tests to ensure everything is functioning as expected. After successful testing, you can install SurePassID on the other secondary servers.  

Next, execute the SurePassID installer on each of the secondary servers. Once the installation is completed on the primary server, transfer the configuration file (web.config) from the primary to each secondary server to ensure they are configured correctly and can function seamlessly within the system.

The SurePassID Installation Guide provides more detailed information on how to configure the application server.

Conclusion

There are various configurations available to tailor the system to your specific needs and budget. Our team is ready to assist you in identifying the optimal setup that aligns with your requirements. Please reach out to our support team for guidance.