Managing Policy Manager Zones

Policy Manager shares a distributed cache of run-time states across all nodes in a cluster. These run-time states include:

Roles and postures of connected entities

Connection status of all endpoints running OnGuard

Endpoint details gathered by OnGuard Agent

Policy Manager uses this run-time state information to make policy decisions across multiple transactions. In a deployment where a cluster spans WAN (Wide Area Network) boundaries and multiple geographic zones, it is not necessary to share all of this run-time state across all nodes in the cluster. For example, when endpoints present in one geographical area are not likely to authenticate or be present in another area, it is more efficient, in terms of both network bandwidth and processing, to restrict the sharing of such run-time state to that geographical area. You can configure zones in Policy Manager to match the geographical areas in your deployment. There can be multiple zones per cluster, and each zone contains a number of Policy Manager nodes that share their run-time state.


OnGuard Agent does not work when Policy Manager is deployed on an Azure instance that is configured with an Azure public IP address. As a workaround, enter the Policy Manager server's public IP address (rather than its private IP address) in the Administration > Agents and Software Updates > OnGuard Settings > Policy Manager Zones > Override Server IPs field, so that the agent is directed to an address it can reach.

Adding Policy Manager Zones

To add a Policy Manager Zone:

1. Navigate to the Administration > Server Manager > Server Configuration page.

2. Click the Manage Policy Manager Zones link.

The Policy Manager Zones dialog opens:

Figure 1  Policy Manager Zones Dialog

3. To add a new Policy Manager Zone, click Click to add... and enter the name of the Policy Manager Zone to be added.

4. Click the Save icon for the new entry, and then click Save.

5. To delete a zone, click the trash can icon.

Mapping Policy Manager Zones to OnGuard Clients

Use the following procedure to map the Policy Manager Zone you created to the OnGuard clients that belong to it.

1. Navigate to Administration > Agents and Software Updates > OnGuard Settings. The OnGuard Settings page opens.

2. Click the Policy Manager Zones link. The Mappings for Policy Manager Zones to OnGuard Clients page opens.

Figure 2  Mappings for Policy Manager Zones to OnGuard Clients Page

3. Specify the Mappings for Policy Manager Zones to OnGuard Clients parameters as described in the following table:

Table 1: OnGuard Settings > Policy Manager Zones Parameters

Parameter

Action/Description

Policy Manager Zone

Select the Policy Manager Zone from the drop-down list.

If no Policy Manager zone is configured, the default Policy Manager zone is displayed in this field.

Client Subnets/Prefixes

Specify the client subnets or prefixes that belong to the selected Policy Manager zone. OnGuard clients whose addresses fall within these subnets are associated with the zone.

Default ClearPass IPv4 Server IPs

This field displays the default ClearPass server IPv4 address specific to the selected Policy Manager zone.

Default ClearPass IPv6 Server IPs

This field displays the default ClearPass server IPv6 address specific to the selected Policy Manager zone.

Override Server IPs (Optional)

Optionally, specify the IP addresses or Fully Qualified Domain Names (FQDNs) to which you want the OnGuard agent to send requests, in sequence. You can specify the data port or a load balancer IP address in this field.

The addresses configured here override the addresses in the Default ClearPass Server IPs field. For example, if you configure the IP addresses 10.17.XXX.1, 10.17.XXX.2, and 10.17.XXX.3, the OnGuard agent sends its requests to them in that sequence.

Zone Network Details

Policy Manager Zone

Select the Policy Manager zone from the drop-down list that is created from the Administration > Server Manager > Server Configuration > Manage Policy Manager Zones page.

Client Subnets

Specify the client subnets that are configured for the selected zone. When you add a new subnet to a Policy Manager zone, the zone currently being edited is excluded from the duplicate-subnet database query, so a further subnet can be added to a zone that already has subnets without triggering an error. Earlier releases displayed the error "The configured client subnet is already present in the MDC-onguard zone. Please use a different client subnet." in this case.

Default Policy Manager Server IPs

Specify the IP address of the default Policy Manager server.

Override Server IPs

Optionally, specify the IP addresses or Fully Qualified Domain Names (FQDNs) to which you want the OnGuard agent to send requests, in sequence. You can specify the data port or a load balancer IP address in this field.

The addresses configured here override the addresses in the Default ClearPass Server IPs field. For example, if you configure the IP addresses 10.17.XXX.1, 10.17.XXX.2, and 10.17.XXX.3, the OnGuard agent sends its requests to them in that sequence.

4. Click Save. The new Policy Manager Zone configuration settings are displayed.
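As an added example, not part of the ClearPass documentation or product code, the following Python models how the fields in Table 1 fit together: a client's IP address is matched against the Client Subnets of each zone, the agent then uses the Override Server IPs in the configured sequence when any are set and the Default Server IPs otherwise, and the duplicate-subnet check described under Client Subnets skips the zone being edited. The zone names, subnets, addresses and the ZONES structure are constructed for the example; longest-prefix matching and the fall-back to the default zone when no subnet matches are assumptions about agent behaviour, not statements from the page.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample configuration, modelled on the fields of the
# OnGuard Settings > Policy Manager Zones page. Zone names, subnets and
# addresses are invented for this example; "default" stands in for the
# built-in default zone.
ZONES: Dict[str, dict] = {
    "default": {
        "client_subnets": [],
        "default_server_ips": ["10.0.0.10"],
        "override_server_ips": [],
    },
    "EMEA": {
        "client_subnets": ["10.17.0.0/16", "2001:db8:17::/48"],
        "default_server_ips": ["10.17.1.10", "10.17.1.11"],
        # Order matters: the agent contacts these in sequence.
        "override_server_ips": ["lb-emea.example.internal", "10.17.1.10"],
    },
    "APAC": {
        "client_subnets": ["10.18.0.0/16", "10.17.200.0/24"],
        "default_server_ips": ["10.18.1.10"],
        "override_server_ips": [],
    },
}


def find_zone(client_ip: str, zones=ZONES) -> str:
    """Return the name of the zone whose client subnet contains client_ip.

    Assumption (not stated on the page): when several subnets match,
    the most specific prefix wins; when none matches, the default zone
    is used.
    """
    ip = ipaddress.ip_address(client_ip)
    best_zone, best_len = "default", -1
    for name, cfg in zones.items():
        for cidr in cfg["client_subnets"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip.version == net.version and ip in net and net.prefixlen > best_len:
                best_zone, best_len = name, net.prefixlen
    return best_zone


def server_sequence(client_ip: str, zones=ZONES) -> List[str]:
    """Ordered list of servers the OnGuard agent should try for this client.

    Override Server IPs, when configured, replace the Default Server IPs
    entirely and are used in the order in which they were entered.
    """
    cfg = zones[find_zone(client_ip, zones)]
    return list(cfg["override_server_ips"] or cfg["default_server_ips"])


def check_new_subnet(zone: str, cidr: str, zones=ZONES) -> Optional[str]:
    """Duplicate-subnet check run before a new Client Subnet is saved.

    Returns an error message if the same subnet is already present in
    another zone, or None if it can be saved. The zone being edited is
    excluded from the comparison, so adding a further subnet to a zone
    that already has subnets is not reported as a conflict. Only identical
    entries are rejected; overlapping prefixes are allowed (assumption).
    """
    new_net = ipaddress.ip_network(cidr, strict=False)
    for name, cfg in zones.items():
        if name == zone:
            continue
        for existing in cfg["client_subnets"]:
            if ipaddress.ip_network(existing, strict=False) == new_net:
                return (f"The configured client subnet is already present in the "
                        f"{name} zone. Please use a different client subnet.")
    return None


if __name__ == "__main__":
    for client in ("10.17.5.4", "10.17.200.9", "2001:db8:17::1", "192.0.2.1"):
        print(client, "->", find_zone(client), server_sequence(client))
    print(check_new_subnet("EMEA", "10.17.200.0/24"))
    print(check_new_subnet("APAC", "10.17.200.0/24"))
```

Running the block shows an EMEA client being sent to the load balancer FQDN first and the data-port address second, a client in 10.17.200.0/24 landing in APAC despite also falling inside EMEA's /16, and an attempt to add APAC's subnet to EMEA being rejected while re-saving it in APAC itself passes.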