I am using 2 McAfee Web Gateway appliances and have configured a proxy.pac file to return both addresses in case of a failure. During testing I noticed that I have a browser delay after shutting down the primary proxy. I'm wondering if there are better ways to set up a Web Gateway environment for failover. Any suggestions or feedback would be appreciated. Thanks.
I think the delay you notice is the time until the browser recognizes that the proxy is not reachable. This probably depends on the way in which the proxy is not reachable. If the IP is reachable but the application is down there should be a very small delay, as the OS will directly refuse the connection. If the IP is not reachable as well, it may be that the time used for establishing the TCP connection to the proxy is pretty long until it actually fails. I think this depends on the OS and TCP settings.
MWG on Appliance actually contains an HA module, which is mainly used for load sharing but also provides basic fail-over functionality. You may try it to see if this matches your needs, but the fail-over may take some time as well. The upcoming major releases may well contain better software HA support.
My personal favorite is absolutely to have a load balancer between the clients and MWG, which provides a virtual IP address and spreads the load across the boxes, taking care of fail-over as well. They usually have a lot of configurable options to detect a downtime quickly and are in my opinion the best solution.
Let me know if you are interested in any additional details.
The problem with this solution is that the load balancer needs to have a way to know whether the proxy is up or down. If it is not responding at all, it will switch you immediately to the other proxy (a bit faster than the proxy.pac file). If the proxy still responds to ping and SNMP (I had that problem with the previous build), how can the load balancer detect the problem? I suppose you could check for an external web site, but you have to assume that this web site will always respond, and you need 2 LBs in failover mode, and they in turn have to be monitored (we do that with those we have).
Load Balancer can be an answer but be sure of the question first.
The best way to check if the proxy is up or down would be if your load balancer supports layer 7 health checks (also known as HTTP or application layer health checks).
If this is available, you can have your load balancer connect to the proxy and attempt to retrieve a file called blank.html (the URL would be in the format http://<MWG IP>:<proxy port>/blank.html, for example http://192.168.0.222:9090/blank.html).
Then your load balancer can check for the correct HTTP response code and valid response body. If the response code is 200, the proxy should be up; if it is something else, then it can mark it as down.
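The layer 7 probe described above, written out as an added example (not McAfee's or any load balancer vendor's code): it requests blank.html from the proxy's own listener and treats anything other than a clean HTTP 200 within the timeout as DOWN, which also covers the earlier concern about a box that still answers ping and SNMP while its HTTP engine hangs. The stand-in gateway server, its /hang path and the loopback address and port are constructed for the demo.

```python
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def check_proxy_health(host, port, path="/blank.html", timeout=2.0, max_body=4096):
    """Layer 7 probe as a load balancer would run it: GET blank.html on the
    proxy's own listener and return (healthy, reason). Anything but a clean
    HTTP 200 inside `timeout` counts as DOWN, so a box that still answers
    ping/SNMP but whose HTTP engine refuses or hangs leaves the rotation."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(max_body + 1)   # cap the read; blank.html is tiny
        conn.close()
    except (OSError, http.client.HTTPException) as exc:  # refused, timeout, junk
        return False, f"request failed: {type(exc).__name__}"
    if resp.status != 200:
        return False, f"unexpected status {resp.status}"
    if len(body) > max_body:             # an error/block page, not blank.html
        return False, "body too large for blank.html"
    return True, "ok"

# Constructed stand-in for the gateway's HTTP listener, for offline demo only.
class _FakeGateway(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/blank.html":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html></html>")
        elif self.path == "/hang":
            time.sleep(3)                # wedged engine: never answers
        else:
            self.send_error(404)
    log_message = lambda self, *a: None  # keep the demo quiet

def start_fake_gateway():
    """Serve _FakeGateway on 127.0.0.1 at an OS-chosen port; return the port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeGateway)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def closed_port():
    # A local port nothing listens on, to exercise the connection-refused path.
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against a real gateway, call check_proxy_health with the appliance's IP and proxy port (for example 192.168.0.222 and 9090 from the post above) and feed the result to whatever marks the member up or down.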
I know this post is from a few years ago, but this is exactly the problem I am facing right now. The MCP (McAfee Client Proxy) detects a proxy which is up and tries to get an answer from this URL on the Internet: http://mcp.webmaster.com/test/MCP.txt. If it does not receive any answer (which is what is going to happen when the Internet is down), it only remains in standby state waiting, and traffic is not redirected to any other proxy. In this case, the MCP does NOTHING. Any insight on what to do in a situation like this?