Multiple, Load-Balanced Servers
Xpress Password supports multiple, load-balanced servers. Each server can host multiple Xpress Password instances, each with its own users, target systems, features and policies. Xpress Password instances can and normally do span multiple servers. Every server hosting a given instance is functionally identical. User traffic is load balanced between servers supporting the instance. Load balancing may be accomplished using DNS (round-robin is built into most DNS servers) or at the IP level with a device from Cisco, F5, etc.
High availability is accomplished by combining load balancing with server health monitoring and automatic fail-out. Xpress Password includes server monitoring tools that can be configured on each server to monitor its peers. When a failure is detected, the tools trigger an alarm (e.g., by e-mail) and automatically update DDNS records to remove the failed server from circulation.
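The fail-out step described above can be sketched as follows. This is an added example, not ILANTUS code or the product's monitoring tool: it turns peer probe results into `nsupdate` commands for a round-robin name. The DNS name, addresses, TTL and the three-probe threshold are assumptions.

```python
from dataclasses import dataclass

FAIL_THRESHOLD = 3   # consecutive failed probes before fail-out (assumed)
TTL = 60             # short TTL so clients notice the change quickly (assumed)

@dataclass
class Peer:
    name: str                 # round-robin DNS name shared by all servers
    ip: str                   # this server's A record
    failures: int = 0         # consecutive failed health probes
    in_rotation: bool = True

def record_probe(peer, healthy):
    """Reset the counter on success, increment it on failure."""
    peer.failures = 0 if healthy else peer.failures + 1

def plan_updates(peers, threshold=FAIL_THRESHOLD):
    """Return nsupdate lines removing failed peers and restoring recovered ones."""
    lines = []
    for p in peers:
        if p.in_rotation and p.failures >= threshold:
            others = [q for q in peers if q.in_rotation and q is not p]
            if not others:
                continue      # never delete the last record: alarm instead
            p.in_rotation = False
            lines.append(f"update delete {p.name} A {p.ip}")
        elif not p.in_rotation and p.failures == 0:
            p.in_rotation = True
            lines.append(f"update add {p.name} {TTL} A {p.ip}")
    if lines:
        lines.append("send")
    return lines

def demo():
    """Constructed scenario: server B fails three probes, then recovers."""
    a = Peer("pw.example.com", "192.0.2.10")
    b = Peer("pw.example.com", "192.0.2.11")
    out = []
    for b_healthy in (False, False, False, True):
        record_probe(a, True)
        record_probe(b, b_healthy)
        out.append(plan_updates([a, b]))
    return out

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The generated lines should only be sent over an authenticated dynamic-update channel (for example `nsupdate -k` with a TSIG key), since anyone able to update these records can redirect password-reset traffic.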
There is no coded limit to the number of concurrent, replicated servers. With more than 10 servers, replication may become slow. Since the three largest customers of ILANTUS run with just two production servers each, this is only a theoretical problem.
Xpress Password must be installed on a Windows 2012 or Windows 2012/R2 server. Installing on a Windows server allows Xpress Password to leverage client software for most types of target systems, which is available primarily on the “Wintel” platform. In turn, this makes it possible for Xpress Password to manage passwords and accounts on target systems without installing a server-side agent.
Each Xpress Password application server requires a web server. IIS is used as it comes with the Windows 2012 Server OS. Xpress Password is a security application and should be locked down accordingly. Please refer to the ILANTUS document about hardening Xpress Password servers to learn how to do this.
Each Xpress Password server requires a database instance. Microsoft SQL database is the recommended choice.
Production Xpress Password application servers are normally configured as follows:
Hardware requirements or equivalent VM capacity:
- An Intel Xeon or similar CPU. Multi-core CPUs are supported and leveraged.
- At least 8GB RAM – 16GB or more is typical for a server.
- At least 500GB disk, preferably configured as RAID for reliability. More disk is always better, to increase retention of historical and log data.
- At least one Gigabit Ethernet NIC.
- Windows 2012R2 Server Standard Edition, with current service packs.
- The server should not normally be a domain controller and in most deployments is not a domain member.
Installed and tested software on the server:
- TCP/IP networking, with a static IP address and DNS name.
- IIS web server with an SSL certificate.
- At least one web browser and PDF viewer.