I have been using McAfee Web Gateway for about a month now live in production environment as PoC,,,,Now my management wants to have Proxy in HA mode,,,,i cant figure it out as i am running my Webgateway on a VMWare workstation on single leg rit now. If my physical machine goes down my VM goes down as well.
Now if i make another physical machine and setup another VM of McAfee Webgateway , how will i move my users to this machine transparently so that users doesn't know that first machine has gone down.
Basic steps are:
Point your browser to use the virtual IP address.
I think that is all there is to it.
I'm not logged onto one right now so I can't look it up exactly. But those are the general steps.Message was edited by: eelsasser on 2/24/12 12:49:01 AM EST
You have probably changed the IP address on one of the appliances after it was installed.
When you do that, the listening IP address for Central Management does not change in the configuration when you change the IP address of the NIC.
Make sure the listening IP is set to the address of the proxy's NIC:
I am hope you are using version 7.2 with Web Reporter.
You configure each proxy as a log source on WR with the host name as the logon ID.
On the proxies, setup the Access Log to push files to web reporter.
Use the %h as the username. This is substituted by the Hostname of the proxy.
One Web Reporter, create a log source for each proxy.
The host names on my prxies are mwg-1 and mwg-2. Use the same password for both log sources.
When the proxies push the log files, they will go to their respective log sources as specified by the host name of the proxy.
One Question to port redirects.
On https://community.mcafee.com/message/159102#159102 Michael wrote that redirects should be setup for normal web-traffic ports like 80 and 443 ! I do not understand that...
I understand that these redirect ports have to be the ones that will build up on the virtual IP and will be load-balanced aswell between the nodes.
So usually I will enter 8080 (or whatever the http proxy-port is running at) another example would be 2121 for ftp-proxy usage shared on the virtual IP... and so on...
But I really do not understand why I should redirect 80 and 443 espacially redirecting them to 8080 ?!!!
Can you clarify this, please?
(Or is this for the use-case if people forgot the dedicated proxy port and entered the wrong proxyport like 80 and then being redirected to 8080?)
Nachricht geändert durch Stephan.Kaiser on 18.06.12 23:42:00 MESZNachricht geändert durch Stephan.Kaiser on 18.06.12 23:55:32 MESZ
The redirection is primarily for people who want one listening port and multiple ways to get it to that port.
You only truly need the one redirection for the listening port itself (8080). If you want people to also access the proxy via 80, then set up a second redirection..
I think the redirects for port 80 and 443 are especially important when running in transparent router/transparent bridge modes. It is a little confusing that explicit proxy and transparent proxy deplyoments look very similar configuration wise in the MWG UI.
Basically I would expect this to make sense:
1.) Explicit Proxy
- All browsers are configured to talk to 9090
- The redirect 9090->9090 is entered to tell the MFEND driver to pick those packets and apply load sharing/etc.
2.) Transparent Proxy
- Browsers do not know there is a proxy
- Client PCs will talk to servers on port 80/443 while trying to directly access them
- MWG will look for packets passing by on port 80 and 443, since these are the packets we would like to intercept
- MFEND will fetch those packets and handle them
- Therefore you configure the redirects 80->9090 and 443->9090
Hope that makes sense.
Thank you both
Okay I already thought of that usage examples too. But this thread and the other mentioned in my former post were ragarding Proxy HA and not about Transparent/Bridge setups.
So seeing something like 443 redirected to 8080 in just a ProxyHA was... very "confusing"...
We should not forget to also forward 2121 to 2121 for the ftp-proxy.
1863, 1865 and the other IM Ports wouldn't work in a Proxy-HA Setup, because they only work in a transparent setup.
So we must not put them on the HA-Interface. They could be left alone or lets say they can be disabled because we cannot use them...
Nachricht geändert durch Stephan.Kaiser on 19.06.12 19:25:36 MESZ
Nachricht geändert durch Stephan.Kaiser on 19.06.12 19:27:40 MESZNachricht geändert durch Stephan.Kaiser on 19.06.12 19:35:45 MESZ