On-premises installations

On-premises installations are usually based upon an Airlock Gateway ISO image or a virtual machine disk image.

With a multi-NIC setup, a physical separation between service and public network can be established. For high availability requirements, Airlock Gateway can be set-up in a failover cluster.

Multi-NIC (recommended)

Multi-NIC setups offer the best combination of security advantages and high availability options.

  • Best practice:
  • Set-up a dedicated management NIC to separate back-end and management connections from the public interface.
  • Use dedicated IP addresses for public access (virtual hosts) and back-end access.
  • Set-up an Airlock Gateway failover cluster. To harden your failover setup:
    • -
      Use the public interface for Failover cluster checks.
    • -
      Use separated IP spaces for PIP/PPIP and virtual hosts.
    • -
      Make the PIPs only reachable by the partner nodes' PPIPs.

Single NIC

Single NIC setups prevent bypassing by design because there is only a single connection between the Gateway and back-ends. Single NIC setups also support Airlock Gateway failover cluster.

  • Best practice:
  • Use dedicated IP addresses for public access (virtual hosts) and back-end access.
  • Set-up an Airlock Gateway failover cluster. To harden your failover setup:
    • -
      Use separated IP spaces for PIP/PPIP and virtual hosts.
    • -
      Make the PIPs only reachable by the partner nodes' PPIPs.

Further information and links