Configure and Activate Multitenant RAC/RAS Devices with HA
For supported software information, click here.
This article provides step-by-step procedures for configuring and activating a multitenant high availability (HA) device. A managed service provider (MSP) can configure and activate a remote access client (RAC) or remote access service (RAS) HA device on supported Versa Networks hardware appliances.
Note that only an operator can add a private (SASE) gateway, multitenant, or multitenant RAC/RAS gateway for a provider organization. An MSP must contact Versa Customer Support to add a SASE or multitenant device. For more information, see Add Devices Using Titan Portal.
To configure and activate a multitenant HA device, you do the following:
- Create a site using two identical software licenses.
- Create a device configuration for the site. When you save the device configuration, it is stored in the Titan cloud portal. You should configure WAN interfaces, and add or change any required LAN and WAN ports, before deployment; you cannot do so after you activate the SASE gateway, multitenant, or multitenant RAC/RAS gateway.
- Deploy the device configuration to the Versa Controller node, to inform the Controller node that the configuration exists.
- Activate the appliance.
Create a Site for the Multitenant HA Device
To create a multitenant HA site for the CSG700 series, CSG1000 series, CSG2500 model, CSG5000 model, and other supported Versa Networks hardware appliances:
- Log in to Titan Portal as an MSP.
- Enter your username and password, and then click Login.
- In the Organizations dashboard, click the MSP organization in the grid.
- Click Configure in the left menu bar to display the Configure dashboard.
- Click one of the license package icons to display the available license packages.
- CSG700 Series
- CSG1000 Series
- CSG2000 Series
- CSG5000 Series
- cCSG Series
- vCSG Series
- To add the site to the honeycomb, select a license package from the list and drag it onto the dashboard, or click on Map View, and drag and drop the license package to automatically fill in the information.
- In the New Site: Configuration window, select a region and then click Continue.
- Enter information for the following fields, and then click Save.
Field: Description
  Site Name: Enter a name for the site.
  Address: Enter the street address, zip code, city, state, and country.
  Latitude and Longitude:
    - Autogenerate—Click the Autogenerate toggle to enable the determination of latitude and longitude coordinates automatically.
    - Manual—Click the Manual toggle to enable the determination of latitude and longitude coordinates manually. This is the default.
  Topology: Click to configure the site role:
    - Configure as Hub—Configure the device as a hub in a hub-and-spoke topology.
    - Configure as Hub Controller—Configure the device as a hub controller in a hub-and-spoke topology. This device takes up a dual role of a hub and a Controller node. This function is typically required when branches are connected to a private MPLS network that has no direct access to the Versa Networks–hosted Controller node in the public internet. Note that Hub Controller is not available in HA mode.
  HA Mode: Click to configure two appliances in a high availability (HA) pair. For more information, see Configure and Activate a High Availability Site.
  Service (Group of Fields): Enter the information for Site A and Site B.
    - Service Type: Displays the type of the device.
    - Device Name: Enter a name for the device. A user cannot change the device name after creating the device.
    - Device Model: Enter the device model.
    - Serial Number: Enter the serial number of the device, which is printed on the bottom of the CSG appliance.
    - Image Version: (Optional.) Select the Versa Operating System™ (VOS™) software version of the device. The user must select the software version before deploying the device. For a SASE gateway or multitenant gateway, and remote access VPN deployments, the VOS software version must be 21.3.x or higher. Contact Versa Networks Customer Support before you upgrade a SASE gateway, multitenant gateway, or remote access VPN devices. If a SASE gateway, multitenant gateway, or remote access VPN devices are up and running with the latest Release 21.3.x version, and if you undeploy and reactivate the same devices, you must perform a software upgrade for these devices because the devices come up running the latest Release 21.2.x version. If the devices are up and running older versions of Release 21.2.x, you must upgrade the devices to the latest Release 21.3.x version.
    - Service Add-ons: Select the services to add to the site.
- Install the HA wiring on each router, with wires for the WAN1, cross-connect interface, and Virtual Router Redundancy Protocol (VRRP). For more information, see Install High Availability Wiring.
- Create and save the configuration (step 11 through step 17) for each device separately.
- In the Network > LAN > Ethernet and WiFi Ports screen, select a LAN port in the menu to the right of Quick Picks.
- Click the HA Cross-Connect Port toggle to enable the HA cross-connect port.
- Click the WAN box to display the Network > WAN screen.
- Select a WAN interface and enter information for the following fields.
Field: Description
  Remote Access VPN Interface: Click the toggle switch to enable remote access VPN.
  FQDN: Enter the fully qualified domain name (FQDN) of the device. The FQDN cannot be changed after activation of the device. You must deactivate or undeploy the device and start over again to change the FQDN. If any tenants are attached to the device, delete the tenants before deactivating or undeploying the device.
  Network Address: For remote access VPN, you must configure at least one WAN port on the device with a static IP address, which is used to terminate the remote clients.
    - Address: Enter a static IP address to use to terminate the remote clients.
    - Gateway: Enter the IP address of the gateway.
- Click Save.
- Click Save, and then click the down arrow next to Save to display the Deploy popup window.
- Click Deploy, and then choose an activation method. Note that you can deploy a multitenant device the same way you deploy a normal device, and you can activate it using the global ZTP, WiFi, and Versable methods. To deploy and activate a device, see Deploy a Device Configuration and Activate an Appliance.
- Activate each device using the method selected in the previous step. You must activate each device separately.
Note: In a cloud gateway service, locking and unlocking devices are not supported, and you cannot reassign, add, or delete a LAN or WAN interface after the port is activated. Also, you cannot undeploy and redeploy the cloud gateway service after it is activated. To redeploy a cloud gateway service, you must first deactivate the gateway.
Install Certificates for Remote Access
A certificate authority (CA) is an entity that issues digital certificates that are used to verify the ownership of a public key. The digital certificates allow a party to trust the signature that is made by a private key that corresponds to the certified public key.
After a Titan device requests a certificate from a CA server, the CA server issues the certificate. You then need to upload the certificate to the CA database so that it can be used for verification.
Note: You do not need to install certificates if you are deploying a multitenant device without RAC/RAS.
Before you upload a CA certificate, you must upload a key file with the extension .key.
The key file, certificate file, and CA chain file that you import to the private SASE gateway or multitenant RAC/RAS must have the same name as the FQDN of the SASE gateway, multitenant RAC/RAS gateway, or remote access VPN device. For example, if the gateway FQDN is SASEQA1test.com, the filenames must be as follows:
- Key filename—SASEQA1test.com.key
- Certificate filename—SASEQA1test.com.crt
- CA chain filename—ca.SASEQA1test.com.crt (The CA chain filename is a combination of root CA and intermediate CA.)
To upload a key file:
- Locate the device in the grid, and then click the 3-dot icon in the Action column to display the available actions.
- Click Upload/Download CA Certificates and then click Upload Key.
- In the Add Key popup window, enter the following information.
- Enter a key name and password.
- Click Browse File to select the key file to upload. The file must be in .key format.
- Click System Key to store the key file at system level for the cloud gateway service and remote access VPN. Selecting this option is mandatory. Note that you must select System Key after you upload the key file.
- Click Add.
- Click Upload CA Certificates, and then click Upload Certificate.
- In the Add CA Certificate popup window, enter the following information.
- Enter a certificate name.
- Select the key file name.
- Click Browse File to select the CA certificate file to upload. The file must be in .crt, .cer, or .pem format.
- Click System Certificate to store the certificate file at system level for the gateway and remote access VPN. Selecting this option is mandatory. Note that you must select System Certificate after you upload the certificate file.
- Click Add. The certificate filename displays.
- Click the icon to download the file.
- Click Upload CA Certificates and then click Upload CA Chain.
- In the Add CA Chain popup window, enter the following information.
- Enter a CA chain name.
- Click Browse File to select the CA chain file to upload. The file must be in .crt format.
- Click System CA Chain to store the CA chain file at system level for the SASE or multitenant (RAC/RAS) gateway and remote access VPN. Selecting this option is mandatory. Note that you must select System CA Chain after you upload the CA chain file.
- Click Add.
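A pre-upload check for the file naming rule and upload steps above, added here as an example and not part of the Versa documentation or tooling: it confirms that the three files are named after the gateway FQDN, that the key and certificate belong together, and that the certificate verifies against the CA chain file. The function names, PEM encoding of the files, and the KEY_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload check for a gateway key/certificate/CA chain bundle.
# Assumes PEM files and OpenSSL 1.1.0 or later; function names are hypothetical.
# For a password-protected key, export KEY_PASS before running.

# The three files must exist under the names derived from the gateway FQDN.
check_names() {   # usage: check_names <dir> <fqdn>
    missing=0
    for f in "$2.key" "$2.crt" "ca.$2.crt"; do
        if [ ! -f "$1/$f" ]; then
            echo "missing: $1/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# The certificate must carry the public key derived from the private key.
key_matches_cert() {   # usage: key_matches_cert <dir> <fqdn>
    k=$(openssl pkey -in "$1/$2.key" -pubout \
        ${KEY_PASS:+-passin env:KEY_PASS} 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/$2.crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The certificate must verify against the uploaded chain (root plus
# intermediate) alone; -no-CApath keeps the system trust store out of it.
chain_verifies() {   # usage: chain_verifies <dir> <fqdn>
    openssl verify -no-CApath -CAfile "$1/ca.$2.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Returns 0 if all checks pass, 1 for naming, 2 for key, 3 for chain.
preflight() {   # usage: preflight <dir> <fqdn>
    check_names "$1" "$2" || return 1
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 2; }
    chain_verifies "$1" "$2" || { echo "certificate does not verify against CA chain" >&2; return 3; }
    echo "ok: $2 bundle is consistent"
}

# Run only when called as: sh preflight.sh <dir> <fqdn>
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```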
Manage Captive Portal Ports
To configure captive portal ports:
- Click Configure in the left menu bar to open the Configure dashboard.
- Hover over the device in the honeycomb, and click Configure to open the site information window.
- Select the Miscellaneous tab, and then click the Manage Captive Portal link.
- In the Captive Portal Port Number popup window, enter information for the following fields and then click Continue. You must configure all WAN ports with a WAN port captive portal configuration.
Field: Description
  Network Name (Required): Click Please Select. In the Network Name popup window, click a WAN network.
  HTTP: Enter the HTTP port number to use to redirect captive portal pages over HTTP. The default port is 44990. For WAN ports used for remote access VPN, use port 80.
  HTTPS: Enter the HTTPS port number to use to redirect captive portal pages over HTTPS. The default port is 44991. For WAN ports used for remote access VPN, use port 443.
- Click Continue. For more information, see Configure Miscellaneous Parameters.
Manage Multitenant License for a Tenant
An MSP can onboard a SASE gateway, multitenant, or multitenant RAC/RAS gateway to a tenant using the cloud gateway option. For more information, see Add a Cloud Gateway and Add a Multitenant or Multitenant RAC/RAS Gateway to a Device.
To manage multitenant gateway licenses and devices in the Titan Inventory:
- Log in to Titan Portal as an MSP.
- Enter your username and password, and then click Login.
- In the Organizations dashboard, click the MSP organization in the grid.
- Click the Inventory icon in the left menu bar to open the Inventory dashboard.
- Select Multitenant Gateway in the Device Type field.
Upgrade or Renew Multitenant Gateway Licenses
You must upgrade a multitenant gateway license before the license expires. If a license has expired, the Configure and Inventory dashboards display the site with license expired status and the network configuration window displays in purple and has read access only. You must renew the license to make any changes to the device configuration.
To upgrade or renew a multitenant gateway license in the Titan Inventory:
- Log in as an MSP and select the tenant organization.
- Click the Inventory icon in the left menu bar to open the Inventory dashboard.
- Select Multitenant Gateway in the Device Type field.
- Click Upgrade.
- In the Upgrade popup window, enter the following information.
- Select the Available Gateway. Click Advanced option to enter the VLAN ID and port details for the multitenant gateway services. If you do not select any VLAN ID and port, the organization ID is taken as the VLAN ID and the first LAN port is taken as the port by default. If you are adding a new gateway to a tenant, you must enter the same tenant VLAN ID for the gateway.
- For an upgrade, enter information for the following fields:
- Additional Gateway Users for Versa Secure Internet Access (VSIA) service.
- Additional Client Users for Versa Secure Private Access (VSPA) or multitenant RAC/RAS service.
- Enter the additional number of days to renew the license.
- Click Submit.
- Click Renewal.
- In the Renewal popup window, enter the number of days to renew the license.
- Click Submit.
Supported Software Information
Releases 10.3.4 and later support all content described in this article.