I have 3 Web Gateways, 2 at HDQ and 1 at DR. I would like to configure the one at DR to only respond when traffic is sent to it by a device at DR but still be available to take over should something happen to the 2 at HDQ. In other words I want the one at DR to not be involved in HDQ load balancing but be in HA mode with HDQ and be able to accept traffic from DR. I read a knowledgebase about 2 devices in HA - 1 at HDQ and 1 at DR and you remove any port redirects which negates load balancing but maintains HA. Not sure how to do that with 3 gateways. Also read a knowledgebase that talked about a Passive Director which looks kind of like what I want: https://community.mcafee.com/message/358550 - but I want it to accept traffic from any device at DR, just not any traffic from HDQ, so I'm concerned about the "passive" Director mode. Is this possible?
This seems possible.
Two things are important to understand for this situation:
1. Load sharing is handled by MFEND (McAfee Network Driver)
2. Failover (the virtual IP) is handled by VRRP
If we have HQ and DR share the same VRRP ID (set in the UI), then we allow them to share a virtual IP (so failover will work).
To prevent the DR node from participating in load sharing you could either set up firewall rules to block "protocol 253 traffic" or configure the DR node to use a different "mfend" identifier (see ).