ChrLu
Level 9
Message 1 of 3

Proxy HA, Multiple VIPs and only specific VIPs for defined Proxy Listeners

Let's imagine we have 3 VIPs assigned to deliver the services linked to each of them, and only those specific services.
VIP1 :80 - HTTP PAC file hosting
VIP2 :9090 - HTTP proxy
VIP3 :2121 - FTP proxy

In the best practices and product guide it is written that on the Director you have to specify the "interface IP", and on scanners you should have proxies configured for 0.0.0.0 and the port.

Questions:
1. Wondering if the VIP is meant here for the Director, or really the physical interface IP of the Director?
2. Is 0.0.0.0 really a requirement on the scanner, or just a simplification? We do not like scanners having an active listener on ALL IPs (0.0.0.0), but only on the designated VIP instead.
3. Let's imagine we have a 3-leg setup of the box (eth0 = mgmt, eth1 = internal, eth2 = external). 0.0.0.0 will involve ALL interface IPs having a listener, correct? In that case I need to specify only the internal IP and/or VIP according to my design above. Please confirm.
4. If I would like to have the physical IP of the internal interface as well as the VIP listening per proxy type, I would assume the listeners need to be configured as follows on Directors AND scanners???
PAC file hosting --> physical IP:80 + VIP1:80
HTTP proxy --> physical IP:9098 + VIP2:9090
FTP proxy --> physical IP:2121 + VIP2:2121

I'm not going to say that 0.0.0.0 does not work as well, but wouldn't this be the recommended and most secure setup, with limited listeners?


Thanks.

regards,
Christian

2 Replies
ChrLu
Level 9
Message 2 of 3

Re: Proxy HA, Multiple VIPs and only specific VIPs for defined Proxy Listeners

I would also like to share a comment we found in the 8.2.x Product Guide which was removed from the later product guides for 9.x and 10.x:
Chapter:
Best practices - Configuring the Proxy HA mode --> Configure Proxy HA Mode
f: For the director node as well as for a backup node, add the virtual IP address of the High Availability cluster to the settings for the HTTP and FTP proxies with ports that listen to requests coming in from the clients.

Wondering why this was removed later...
smasnizk
McAfee Employee
Message 3 of 3

Re: Proxy HA, Multiple VIPs and only specific VIPs for defined Proxy Listeners

Hi @ChrLu,

Some input on your provided description. The name "Scanner" is supposed to be the device not acting as a failover device. This isn't something our customers plan to use. Your 2nd node is most likely planned to be Peer/Director, and the Director node should be set as a scanner in the Proxy HA - Scanner Table too. The listener needs to be set on each interface you plan to use to serve the proxy service on. This simply means here the interface IP, not the VIP.

Q2: Scanners are different, and I don't think this was in mind when you planned your setup.

Q3: If you don't need reverse proxy functionality, you can simply start the listener on the internal interface only, using Interface_IP:<Proxy_Port>

Q4: Only physical IPs are required:

PAC file hosting --> physical IP:80
HTTP proxy --> physical IP:9098
FTP proxy --> physical IP:2121

If you still need to limit which IP the clients should use, you can do this in the policy using Proxy.Port, Proxy.IP or Connection.OriginalDestinationIP (whatever works best for you). Honestly, I don't see the reason for using 3 VIPs if you can use the same VIP and define other criteria to allow or block certain protocols for certain users. If you have a certain use case, let me know.


Best Regards,
Sergej
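The thread's practical point is that a listener on 0.0.0.0 is reachable on every leg of a multi-homed box (management included), whereas binding to Interface_IP:<Proxy_Port> limits exposure to the interface that is meant to serve clients. The script below is an added example, written for this page and not taken from the thread or from McAfee Web Gateway: it audits a Linux host's listening sockets (in the format printed by `ss -ltnH`) against an intended list of IP:PORT bindings and the host's interface addresses, and reports any proxy port that is wildcard-bound, bound to an unintended address, or missing. The interface names, addresses, ports and `ss` sample are all constructed for the example (IPv4 only for the intended list); the function names `audit_listeners` and `listeners_ok` are the example's own.

```shell
#!/bin/sh
# Added example, not from this thread or the McAfee Web Gateway product: audit a
# proxy host's listening sockets against the intended per-interface bindings, so
# that no proxy port is left on 0.0.0.0 (which exposes it on every leg, including
# the management interface) and nothing unexpected listens on a proxy port.
#
# Assumptions (all constructed for this example):
#   - Socket state is in the format printed by `ss -ltnH` on Linux (iproute2);
#     a header line from plain `ss -ltn` is ignored because it does not start with LISTEN.
#   - Intended listeners are a space-separated list of IPv4 "IP:PORT" pairs.
#   - Interfaces are a space-separated list of "name=IPv4" pairs
#     (eth0 = mgmt, eth1 = internal, eth2 = external, as in the thread).

# Constructed sample: PAC hosting and the FTP proxy bound to the internal IP,
# the HTTP proxy bound to the wildcard, plus an unrelated sshd socket.
SAMPLE_SS='LISTEN 0 128 10.10.1.5:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9090 0.0.0.0:*
LISTEN 0 128 10.10.1.5:2121 0.0.0.0:*
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*'
INTERFACES='eth0=192.168.0.5 eth1=10.10.1.5 eth2=203.0.113.5'
INTENDED='10.10.1.5:80 10.10.1.5:9090 10.10.1.5:2121'

# audit_listeners SS_OUTPUT INTENDED INTERFACES
# Prints one finding per line, in socket order, then any MISSING listeners:
#   OK ip:port           listener matches an intended binding
#   WILDCARD port ...    bound to 0.0.0.0/[::]; lists every interface it exposes
#   UNEXPECTED ip:port   proxy port bound to an address not in INTENDED
#   MISSING ip:port      intended binding with no listener at all
audit_listeners() {
    printf '%s\n' "$1" | awk -v intended="$2" -v ifaces="$3" '
    BEGIN {
        n = split(intended, arr, " ")
        for (i = 1; i <= n; i++) { want[arr[i]] = 1; split(arr[i], p, ":"); wantport[p[2]] = 1 }
        m = split(ifaces, iarr, " ")
        for (i = 1; i <= m; i++) { split(iarr[i], kv, "="); ifname[i] = kv[1]; ifaddr[i] = kv[2] }
    }
    $1 == "LISTEN" {
        laddr = $4
        # split on the LAST colon so "[::]:9090" and "10.10.1.5:80" both work
        k = length(laddr); while (k > 0 && substr(laddr, k, 1) != ":") k--
        ip = substr(laddr, 1, k - 1); port = substr(laddr, k + 1)
        if (!(port in wantport)) next          # not a proxy port we manage (e.g. sshd)
        if (ip == "0.0.0.0" || ip == "*" || ip == "[::]") {
            exposed = ""
            for (i = 1; i <= m; i++) exposed = exposed " " ifname[i] "=" ifaddr[i]
            print "WILDCARD " port " exposed-on:" exposed
            wildcarded[port] = 1
        } else if (laddr in want) {
            print "OK " laddr; seen[laddr] = 1
        } else {
            print "UNEXPECTED " laddr
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            split(arr[i], p, ":")
            if (!(arr[i] in seen) && !(p[2] in wildcarded)) print "MISSING " arr[i]
        }
    }'
}

# listeners_ok SS_OUTPUT INTENDED INTERFACES: returns 0 only if every finding is OK.
listeners_ok() {
    if audit_listeners "$@" | grep -qv '^OK '; then return 1; fi
    return 0
}

audit_listeners "$SAMPLE_SS" "$INTENDED" "$INTERFACES"
# On a live host, replace the sample: audit_listeners "$(ss -ltnH)" "$INTENDED" "$INTERFACES"
```

On the constructed sample this reports the two correctly bound listeners as OK and flags port 9090 as WILDCARD, listing eth0/eth1/eth2 as the interfaces it is reachable on; a wildcard listener is deliberately not also reported as MISSING, because the intended address is covered, just too broadly. Running `listeners_ok` from a cron job or a config-management check gives a non-zero exit whenever a listener drifts back to 0.0.0.0, which is the condition the question is trying to avoid.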

