CR-BR
Level 7
Message 1 of 4

Cluster - Transparent router


Hello Friends, how are you?

I hope you are well!

I am preparing a LAB to replicate in the production environment.

My goal is to configure Transparent router with cluster. I need to allow users to surf the internet with the explicit proxy and also without the proxy configured in the browser.

I tried to set up this environment using vmware.

My settings:

eth0: NAT/vmware (Internet access);

eth1: LAN segment

mwgA eth1 (input): 10.0.0.1, eth0 (output): 192.168.239.128
mwgB eth1 (input): 10.0.0.2, eth0 (output): 192.168.239.135

VIP (input): 10.0.0.10/32
VIP (output): 192.168.239.140/32

Scanner table:

mwgA (using the output interfaces):
192.168.239.128 (Director)
192.168.239.135 (Scanner)
Director's priority: 90
VIP (input): 10.0.0.10/32
VIP (output): 192.168.239.140/32
VRRP : eth1
HTTP: 0.0.0.0:9090

mwgB (using the output interfaces):
192.168.239.128 (Scanner)
192.168.239.135 (Director)
Director's priority: 80
VIP (input): 10.0.0.10/32
VIP (output): 192.168.239.140/32
VRRP : eth1
HTTP: 0.0.0.0:9090

ClientWIN7:

IP: 10.0.0.3
Gateway: 10.0.0.10
DNS: 10.0.0.10

  • Web Gateway: Internet ping test OK!
  • ClientWIN7: When configuring the proxy explicitly, Internet access is OK! When I disable the proxy, Internet access FAILS! I ran a tcpdump when I logged in without the proxy configured and I get the following information:

lab-transparente1.png

lab-transparente3.png

I only see SYN packets when the browser has the proxy disabled.

On the Web Gateway where the traffic does not arrive (the other element of the cluster), I only receive these packets:

lab-transparente2.png

  • All VIPs ping successfully.

Can anyone help me with these settings?

Thank You!

1 Solution

Accepted Solutions
aloksard
McAfee Employee
Message 2 of 4

Re: Cluster - Transparent router

Hi,

Hope you are doing well.

As a quick start, please refer to the link below for the HAProxy configuration in transparent router mode.

https://community.mcafee.com/t5/Enterprise-Documents/Example-Transparent-Proxy-configuration-using-H...

Was my reply helpful? If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Regards
Alok Sarda

3 Replies
aloksard
McAfee Employee
Message 3 of 4

Re: Cluster - Transparent router

Hi,

Hope you are doing well.

We conducted a remote session and got the HA Proxy transparent router working.

The issue was that the SYN packet from the client was reaching MWG on port 443 and MWG was replying with a SYN/ACK, but that SYN/ACK was not reaching the client; it was being dropped by the firewall due to an address spoofing issue.

Regards
Alok Sarda
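
The diagnosis above (SYN arrives at MWG, the SYN/ACK is sent but never reaches the client) can be confirmed by comparing two captures of the same handshake. The following is an added example, not part of the original posts and not McAfee code; it assumes `tcpdump -nn` text output taken on the client and on the gateway's LAN interface with no NAT in between, and the sample lines, the server address 203.0.113.10 and the explicit proxy at 10.0.0.10:9090 are constructed.

```python
import re

# tcpdump -nn text line: "... IP src.sport > dst.dport: Flags [S], ..."
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")

def handshake_state(capture):
    """Map each client->server flow to the handshake packets seen in one capture."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst = (m[1], int(m[2])), (m[3], int(m[4]))
        if m[5] == "S":        # initial SYN, client -> server
            flows.setdefault((src, dst), set()).add("SYN")
        elif m[5] == "S.":     # SYN/ACK, stored under the original direction
            flows.setdefault((dst, src), set()).add("SYN/ACK")
    return flows

def classify(client_capture, gateway_capture):
    """Compare both vantage points and report where each handshake stalls."""
    client, gateway = handshake_state(client_capture), handshake_state(gateway_capture)
    verdicts = {}
    for flow, at_client in client.items():
        if "SYN" not in at_client:
            continue
        at_gateway = gateway.get(flow, set())
        if "SYN/ACK" in at_client:
            verdicts[flow] = "handshake ok"
        elif "SYN" not in at_gateway:
            verdicts[flow] = "SYN never reached gateway"
        elif "SYN/ACK" in at_gateway:
            verdicts[flow] = "SYN/ACK sent by gateway but dropped before client"
        else:
            verdicts[flow] = "gateway saw SYN but did not answer"
    return verdicts

# Constructed sample captures (not taken from the thread's screenshots).
CLIENT_CAPTURE = """\
10:00:01.000100 IP 10.0.0.3.49200 > 10.0.0.10.9090: Flags [S], seq 100, win 8192, length 0
10:00:01.000400 IP 10.0.0.10.9090 > 10.0.0.3.49200: Flags [S.], seq 500, ack 101, win 29200, length 0
10:00:05.000100 IP 10.0.0.3.49201 > 203.0.113.10.443: Flags [S], seq 200, win 8192, length 0
10:00:08.000100 IP 10.0.0.3.49201 > 203.0.113.10.443: Flags [S], seq 200, win 8192, length 0
"""
GATEWAY_CAPTURE = """\
10:00:01.000200 IP 10.0.0.3.49200 > 10.0.0.10.9090: Flags [S], seq 100, win 8192, length 0
10:00:01.000300 IP 10.0.0.10.9090 > 10.0.0.3.49200: Flags [S.], seq 500, ack 101, win 29200, length 0
10:00:05.000200 IP 10.0.0.3.49201 > 203.0.113.10.443: Flags [S], seq 200, win 8192, length 0
10:00:05.000300 IP 203.0.113.10.443 > 10.0.0.3.49201: Flags [S.], seq 900, ack 201, win 29200, length 0
"""
```

A verdict of "SYN/ACK sent by gateway but dropped before client" points at a device on the return path, which is where the anti-spoofing drop described above was found.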

Re: Cluster - Transparent router


Do not use the internal connection port for the VRRP interface.

For example:

eth0: NAT/vmware (Internet access);

eth1: LAN segment

mwgA eth1 (input): 10.0.0.1, eth0 (output): 192.168.239.128
mwgB eth1 (input): 10.0.0.2, eth0 (output): 192.168.239.135

VIP (input): 10.0.0.10/32
VIP (output): 192.168.239.140/32

 

Scanner table:

mwgA (using the output interfaces):
192.168.239.128 (Director)
192.168.239.135 (Scanner)
Director's priority: 90
VIP (input): 10.0.0.10/32
VIP (output): 192.168.239.140/32
VRRP : eth0
HTTP: 0.0.0.0:9090

mwgB (using the output interfaces):
192.168.239.128 (Scanner)
192.168.239.135 (Director)
Director's priority: 80
VIP (input): 10.0.0.10/32
VIP (output): 192.168.239.140/32
VRRP : eth0
HTTP: 0.0.0.0:9090

Passed the test on version 10.2.2.
