4 Replies Latest reply on Jun 28, 2010 9:35 AM by Dmcneill

    Anyone have any experience with Web Gateway 7 in 'Proxy HA' mode?

      I'm looking at the available settings here, and it's just not adding up for me.  I'm hoping someone has some experience with this, or can help to fill in the gaps for me.


      First, my assumptions:

      1)  I can use the HA cluster as an explicit proxy...I don't need to have it in-line with the default route out to the internet.

      2)  Rather than pointing my clients to the physical IP addresses of each individual MWG appliance, I would point them to a single (shared/virtual) IP address, which would load-balance the traffic between appliances


      In addition to the Common HTTP Proxy settings that I'm familiar with, the HA Proxy also has these settings:

      Port Redirects - I'm not sure why this one exists, or what its purpose is.  If my clients are pointed at a (virtual) proxy address/port combination, why is this setting necessary/useful?  Is it mandatory?

      Director Priority - this one seems straight-forward enough.  It determines the likelihood that a given proxy will take over the cluster as a director.

      Management IP - Again, seems straight-forward enough.  This is the IP used to monitor/communicate with the cluster nodes.  Grayed out if the Director Priority is 0 because that means this node will never have need to talk to its peers.

      Virtual IPs - Here's the one that's really getting me.  My initial assumption was that this is the shared Cluster IP Address.  I assumed that my clients could connect to this address, and the active Director node would make a determination as to which node should handle that client's requests.  I'm wondering why it's asking for CIDR notation, rather than an individual IP (would a 32-bit subnet mask work here?).  Is my director node supposed to be listening "in front" of the physical appliances, and should the virtual addresses correspond with the Physical IPs of the other nodes in my cluster?  If not, where is it determined what nodes will participate in a given HA cluster?

      Virtual Router ID - last 2 hex characters in my cluster's MAC address, presumably taken over by the active Director Node.

      VRRP Interface - The interface that hosts the cluster's virtual IP(s).


      Just having trouble wrapping my head around how to load balance these things, and the documentation is pretty weak with regard to this topic.  Any experienced or otherwise informed input would be greatly appreciated.

        • 1. Re: Anyone have any experience with Web Gateway 7 in 'Proxy HA' mode?

          Hey Doug,


          just some background information.


          Port Redirect: You need to set up a port redirect. The reason is more or less "under the hood", I will give you a quick example. The director is running a virtual IP and we have to tell the director somehow that also traffic for port 9090 needs to be accepted by the network driver. Otherwise you would either talk to the MWG process running on port 9090 (if listening on the virtual IP) or you would try to talk to port 9090 with no service behind it, which would mean packets are rejected. By adding a Port Redirect (take the default one, Port 80, 443 -> 9090) the Director will have that "virtual" Port 9090 available. Of course the 80 and 443 destination port is ignored, but by adding that entry the network driver will be made aware that port 9090 is used - and only in this case it will accept traffic for Port 9090.


          I know this is definitely not straight-forward. I recommend to put in the default entry - I think this will be default in one of the future versions.

          Virtual IPs: I am a bit confused where the question is. Assigning the virtual IP address is just like assigning an IP address to a physical NIC - You always need to specify the IP Address, Subnetmask and the interface.


          Assuming your Clients have as their network, you need to configure as the IP Address. If you would use a 32-bit Netmask the Virtual IP would not be accessible. If your physical interface and the virtual IPs are in the same Subnet, then of course you have to specify the same subnet. Physical IP and virtual IP do not necessarily have to be in the same network range. You should also be able to assign a virtual IP and configure it on a physical interface which has no IP address configured itself.


          The HA Cluster (scanning nodes) will be detected by broadcasting messages. All MWG instances running within the same network (I can't remember which domain type it exactly was, but I think all nodes in the same broadcast domain) will be detected and taken into the HA by the director.


          Let me know if that helps you to get a better understanding or if there are questions left.




          • 2. Re: Anyone have any experience with Web Gateway 7 in 'Proxy HA' mode?

            Thanks Andre.  Just one last question/clarification.


            "Assuming your Clients have as their network, you need to configure as the IP Address"


            Did you mean "assuming your web gateways have as their network", or am I going to be defining Virtual IPs for every client network the gateways could ever possibly receive requests from?

            • 3. Re: Anyone have any experience with Web Gateway 7 in 'Proxy HA' mode?

              Hey Doug,


              well you need to set up an IP address that can be reached from your clients. Imagine a very rudimentary network where your Clients do have an IP within this Range (the Client PCs). MWG also has to take an IP address that is accessible from the Clients, which needs to be in the range as well. If it is not you need to configure an IP address that the default gateway is routing to.


              Configuring the virtual IP address is exactly the same as configuring a physical interface. There is no difference from a configuration perspective.
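
The virtual IP and Virtual Router ID settings discussed in this thread, as an added sanity-check sketch that is not part of any post here and is not the vendor's code. It parses a virtual IP in CIDR notation the same way a NIC address would be parsed and reports which client networks reach it on-link and which need a routed path. The addresses are constructed documentation ranges (the thread's own addresses are missing from the page), the function names are hypothetical, and the MAC derivation assumes the appliance follows the standard VRRP IPv4 virtual MAC layout from RFC 3768.

```python
import ipaddress

# Standard VRRP IPv4 virtual MAC prefix (RFC 3768); the last octet is the VRID.
# Assumption: the appliance follows this layout; the thread does not confirm it.
VRRP_IPV4_MAC_PREFIX = "00:00:5e:00:01"


def vrrp_virtual_mac(vrid):
    """Return the standard VRRP IPv4 virtual MAC for a Virtual Router ID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in the range 1..255")
    return f"{VRRP_IPV4_MAC_PREFIX}:{vrid:02x}"


def check_virtual_ip(vip_cidr, client_networks):
    """Classify client networks as on-link or routed relative to a virtual IP.

    vip_cidr is an address with prefix length, exactly as it would be
    entered for a physical interface (for example "192.0.2.10/24").
    """
    vip = ipaddress.ip_interface(vip_cidr)
    report = {
        "address": str(vip.ip),
        "network": str(vip.network),
        # A host-length prefix puts no other address in the VIP's subnet.
        "host_prefix": vip.network.prefixlen == vip.network.max_prefixlen,
        "clients": {},
    }
    for cidr in client_networks:
        net = ipaddress.ip_network(cidr)
        same_family = net.version == vip.network.version
        if same_family and net.subnet_of(vip.network):
            report["clients"][cidr] = "on-link"   # same subnet as the VIP
        else:
            report["clients"][cidr] = "routed"    # must arrive via a gateway
    return report


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation ranges).
    clients = ["192.0.2.0/24", "198.51.100.0/24"]
    print(check_virtual_ip("192.0.2.10/24", clients))
    print(check_virtual_ip("192.0.2.10/32", clients))
    print(vrrp_virtual_mac(51))
```

One virtual IP is enough for all client networks as long as the routed ones have a path to it; the report only shows which networks depend on that route.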




              • 4. Re: Anyone have any experience with Web Gateway 7 in 'Proxy HA' mode?

                Thank you - that clears it up for me.