Level 7
Message 1 of 9

Proxy HA 8.2

Hello friends,

Can anyone help me understand the new HA proxy settings? I need to configure 6 appliances in HA Proxy. Traffic must be balanced equally for all elements. The appliances are at version 8.2.

I will put some screens.

  • All appliances were added on the SAC2963 node.

web1.PNG

The appliances have two networks (eth0 and eth1).

The cluster must be on the eth1 interface.

  • In Central Management, the IP address of the eth1 interfaces (for each appliance).

10.0.199.63:12346

10.0.199.64:12346

10.0.199.65:12346

10.0.199.66:12346

10.0.199.67:12346

10.0.199.68:12346

  •  In Proxies, I configured it as follows:

SAC2963 (peer/director) / The others scan nodes

web2.PNG

web3.PNG

SAC2964 (peer/director) / The others scan nodes

web4.PNG

web5.PNG

SAC2965 (peer/director) / The others scan nodes

web6.PNG

web7.PNG

SAC2966 (peer/director) / The others scan nodes

web8.PNG

web9.PNG

SAC2967 (peer/director) / The others scan nodes

web10.PNG

web11.PNG

SAC2968 (peer/director) / The others scan nodes

web12.PNG

web13.PNG

Is this configuration correct?

I tried to access the VIP's IP and I couldn't.

Can someone help me?

Thank You!

 

Accepted Solutions
McAfee Employee
Message 8 of 9

Re: Proxy HA 8.2

Hi,

Hope you are doing well.

If you want all 6 nodes to be scanning traffic and any of the MWGs to become active director as per the director priority set:

Firstly, all nodes should have a director priority greater than 0. The MWG which you want to be the active director should have the higher director priority; after that, the next MWG you want to become director in case the original one fails should have the second-highest director priority, and so on.

Secondly, on all nodes you can configure themselves as scanner in the scanning table and the other MWGs as peer/director in the scanner table.

Note: If you want to configure a scanning-only machine, set the director priority to 0 and most options will automatically grey out.

Regards

Alok Sarda
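
A small plan checker for the layout this reply describes, added here as an example (it is not McAfee's code or an MWG configuration format): the dictionary layout, field names and priority values are constructed, and flagging equal priorities is an assumption. It also builds the layout from the question, where each appliance lists itself as peer/director, to show where the two differ.

```python
# Added example: a model of the rules in the reply above, not an MWG config format.
# Dict layout, field names and priority values are constructed for illustration.
NODES = ["SAC2963", "SAC2964", "SAC2965", "SAC2966", "SAC2967", "SAC2968"]


def build_plan(priorities, as_in_question=False):
    """Reply layout: self = scanner, other MWGs = peer/director.
    as_in_question=True builds the inverse layout described in the question."""
    own, other = "scanner", "peer/director"
    if as_in_question:
        own, other = other, own
    return {name: {"director_priority": prio,
                   "scanner_table": {p: own if p == name else other for p in priorities}}
            for name, prio in priorities.items()}


def check_plan(plan):
    """Return (failover_order, findings) for a planned Proxy HA group."""
    findings = []
    prio = {n: c["director_priority"] for n, c in plan.items()}
    for name in sorted(plan):
        if prio[name] == 0:  # the reply's note: priority 0 means scanning-only
            findings.append(f"{name}: priority 0, scanning-only, never director")
            continue  # the reply does not describe this node's table, so skip it
        table = plan[name]["scanner_table"]
        for peer in sorted(plan):
            if peer not in table:
                findings.append(f"{name}: no scanner table entry for {peer}")
            elif peer != name and prio[peer] == 0:
                continue  # entry type for a scanning-only peer is not covered
            else:
                want = "scanner" if peer == name else "peer/director"
                if table[peer] != want:
                    findings.append(f"{name}: {peer} is {table[peer]!r}, reply says {want!r}")
    directors = sorted((n for n in plan if prio[n] > 0), key=lambda n: (-prio[n], n))
    # Assumption: equal priorities leave the takeover order unclear, so flag them.
    for a, b in zip(directors, directors[1:]):
        if prio[a] == prio[b]:
            findings.append(f"{a} and {b} share priority {prio[a]}: order ambiguous")
    return directors, findings


if __name__ == "__main__":
    prios = dict(zip(NODES, [99, 90, 80, 70, 60, 50]))  # constructed values
    for label, flag in (("reply layout", False), ("question layout", True)):
        order, findings = check_plan(build_plan(prios, as_in_question=flag))
        print(label, "| failover order:", " > ".join(order), "|", len(findings), "findings")
```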

8 Replies
McAfee Employee
Message 2 of 9

Re: Proxy HA 8.2

Hi,

Hope you are doing well.

Please refer to the link below for more information:

https://community.mcafee.com/t5/Enterprise-Documents/Example-Proxy-HA-configuration-using-HAProxy-mf...

Regards

Alok Sarda

Level 7
Message 3 of 9

Re: Proxy HA 8.2

Hello, I followed this link. But it's still not working.

I can't ping the VIP's IP or access the WEB interface with the VIP.

Is my understanding of the scanner table correct?

McAfee Employee
Message 4 of 9

Re: Proxy HA 8.2

Hi,

I suggest opening a service request with support and pinging me the case number, so I can reach out to you to assist with this.

Regards

Alok Sarda

Level 7
Message 5 of 9

Re: Proxy HA 8.2

Hello friends,

After a boot on the virtual machines, I am able to access the VIP's IP.

I still have some doubts:

1. Is my understanding of the scanner table correct?

2. I would like to maintain a symmetry of connections between the 6 appliances. What is the best way to configure this way? Is the form I set up correct?

3. I can still access the WEB interface through the eth0 interface (192). I would like to access only through the eth1 (10) interface. Is it possible?

4. Any suggestions?

In Troubleshooting:

web14.PNG

Status DOWN. 

Is it correct?

Thank You.

McAfee Employee
Message 6 of 9

Re: Proxy HA 8.2

Hi,

This is not correct.

The Status should be showing as UP.

On all MWGs, make sure to bind the HTTP listener to each of their interface IP addresses.

Also, on each MWG, they themselves will be added as type: scanner in the scanner table entry.

Also, to restrict MWG GUI access to a specific interface IP address, you can do this by navigating to Configuration -> Appliance -> User Interface -> HTTP/HTTPS connector.

The link below discusses a sample example:

https://docs.mcafee.com/bundle/web-gateway-7.8.2-interface-reference-guide/page/GUID-291F7C10-CC12-4...

Regards

Alok Sarda

Level 7
Message 7 of 9

Re: Proxy HA 8.2

Hi Alok Sarda,

Thanks for your answer. Helped me a lot. Good to have your support.

After your information, the nodes are UP.

web15.PNG

The idea is that the traffic is evenly distributed among the appliances.

I configured the table of scanners as follows.

The device itself is configured as Director and the rest as scanners. For example, the SAC2963 device is as a Peer/Director and the rest as a scanner. The SAC2964 device is as a Peer/Director and the rest as a scanner. This same logic applies to the other appliances. Is this configuration correct?

Or should the SAC2963 appliance have two inputs? One as a Peer/Director and the other as a scanner?

Finally, if the goal is to distribute traffic equally to all appliances, how would the Director priority configuration look?

Thank You!

 

Level 7
Message 9 of 9

Re: Proxy HA 8.2

Hi Alok Sarda

Sorry for the delay in responding. Thank you very much.

 
