Distributed mode is used when the different functions in Nexus Hybrid Access Gateway are distributed over several virtual appliances. A typical case is when you want to enforce access in one appliance (PEP, Policy Enforcement Point) and process the authorization and authentication requests in another (PDP, Policy Decision Point). In this case you will need two appliances: one that runs the Access point and another that runs the other Hybrid Access Gateway services.

Administration service limitations

There can be only one administration service in a node network. The appliance that runs the administration service can be toggled to and from distributed mode. When toggling out of distributed mode, only the services running locally on that appliance can be part of the node network. Toggling an appliance with no administration service to or from distributed mode in general doesn’t make sense, since there is no local administration service. Once a service has successfully connected to an administration service, that service cannot easily be switched to work with another appliance's administration service.

  1. Log in on all appliances and go through the basic setup. The Setup system wizard should not be run on an appliance that will not run a local administration service. Make a note of each appliance’s network IP address which the other appliances should use to communicate with it. This can be viewed in the console under “modify interfaces”.
  2. Log in to the administration interface of the appliance that will host the Administration service.
  3. Go to Manage System. Here you can add, remove and configure the services Access point, Policy service, Authentication service and Distribution service, and configure (but not add or remove) the Administration service, according to your preferred setup. As the services must be able to communicate with each other, you must set them to listen on the appliance’s network IP address, overriding the default 127.0.0.1:
    1. Set the value Internal Host to an external IP address.
    2. Make a note of the Service ID for all services.
    3. When configuring the Policy service make sure to also configure XPI:REST.
  4. Go to Manage Resource Access and select the api resource.
  5. Select Edit Resource Host…
  6. Configure the same IP address as you configured under XPI:REST.
  7. If the Administration service, Policy service(s) and/or Authentication service(s) are to be spread out over multiple appliances, then the built-in default internal database cannot be used due to it being reachable only on the loopback adapter (127.0.0.1). Consequently an external database has to be used that can be reached by the appliances running these services. Go to Manage System > Database Service to configure it, see also Database service.
  8. If multiple Authentication services are to be used, then the built-in default OATH database cannot be used for the same reason as above. Go to Manage System > OATH Configuration. Select Configure Database Connection.
  9. Click Publish.
  10. Log in to the appliance hosting the Administration service and disable the services that this appliance should not host:
    1. In the console, select 2) Detailed server setup. A list of local services is displayed.
    2. Select each service that shall be deactivated and answer the questions (the first question is "Should this service be enabled?").
  11. Select 6) Activate distributed mode to toggle to “distributed mode”.
  12. Log in on the other appliance(s) and select Detailed server setup in the console.
  13. Select and disable all services you do not want to run on this appliance. Since the Administration service is not hosted on this appliance, each remaining service must be pointed to the external Administration service (the Internal Host IP address and Service ID noted above).
  14. The Activate distributed mode option can be used as a convenience on an appliance to quickly set all IP address fields to a given value, and their port and node id to the default values:
    1. In the console, select 2) Detailed server setup.
    2. Then select 6) Activate distributed mode.
  15. To further manually configure any service on this appliance, select 2) Detailed server setup, and select the service to modify and answer the questions.
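The constraints in the procedure above (one Administration service, no service left on 127.0.0.1, no built-in database once Administration/Policy/Authentication services span appliances, no built-in OATH database with several Authentication services) can be checked before touching the consoles. The following pre-flight check is an added example and not part of Nexus Hybrid Access Gateway; the plan format, appliance names and IP addresses are constructed for illustration.

```python
# Added example: pre-flight check of a planned distributed-mode layout.
# The plan format (list of dicts) is hypothetical, not a product file format.
LOOPBACK = "127.0.0.1"
# Services that use the Database service and therefore cannot share the
# loopback-only built-in database across appliances.
DB_BOUND = {"Administration service", "Policy service", "Authentication service"}

def check_plan(services, database="internal", oath_database="internal"):
    """Return a list of problems; an empty list means the plan follows the rules."""
    problems = []
    admins = [s for s in services if s["name"] == "Administration service"]
    if len(admins) != 1:
        problems.append(f"expected exactly one Administration service, found {len(admins)}")
    for s in services:
        if s["internal_host"] == LOOPBACK:
            problems.append(f'{s["name"]} on {s["appliance"]} still listens on '
                            f'{LOOPBACK}; set Internal Host to the appliance IP')
    db_appliances = {s["appliance"] for s in services if s["name"] in DB_BOUND}
    if len(db_appliances) > 1 and database == "internal":
        problems.append("Administration/Policy/Authentication services span "
                        f"{len(db_appliances)} appliances; configure an external Database service")
    auth_count = sum(1 for s in services if s["name"] == "Authentication service")
    if auth_count > 1 and oath_database == "internal":
        problems.append(f"{auth_count} Authentication services; configure an external OATH database")
    return problems

# Constructed PEP/PDP split: all decision services on "pdp", only the Access point on "pep".
GOOD_PLAN = [
    {"name": "Administration service", "appliance": "pdp", "internal_host": "10.0.0.10"},
    {"name": "Policy service", "appliance": "pdp", "internal_host": "10.0.0.10"},
    {"name": "Authentication service", "appliance": "pdp", "internal_host": "10.0.0.10"},
    {"name": "Access point", "appliance": "pep", "internal_host": "10.0.0.11"},
]
# Constructed broken layout: Access point left on loopback, and a second
# Authentication service on another appliance while both databases stay built-in.
BAD_PLAN = GOOD_PLAN[:3] + [
    {"name": "Access point", "appliance": "pep", "internal_host": LOOPBACK},
    {"name": "Authentication service", "appliance": "pep", "internal_host": "10.0.0.11"},
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "OK")
```

Passing `database="external"` and `oath_database="external"` to `check_plan` models steps 7 and 8 having been done.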