12 Replies. Latest reply on Oct 15, 2012 2:12 AM by asabban

    McAfee Web Gateway In Proxy HA Mode Config?

      I have been using McAfee Web Gateway for about a month now, live in a production environment as a PoC. Now my management wants to have the proxy in HA mode. I can't figure it out, as I am running my Web Gateway on a VMware Workstation on a single leg right now. If my physical machine goes down, my VM goes down as well.

      Now if I make another physical machine and set up another VM of McAfee Web Gateway, how will I move my users to this machine transparently, so that users don't know that the first machine has gone down?

       

      Need Help.

       

      Regards,

      Adnan.

        • 1. Re: McAfee Web Gateway In Proxy HA Mode Config?

          Basic steps are:

          • Set up another VM gateway on another machine using a second IP address.
          • Make sure its NIC is in the same subnet as the first gateway. You cannot do this across 2 different subnets.
          • Go to the first gateway's Configuration, and add the IP address of the second gateway to it in the cluster.
          • Set both gateways to use Proxy HA.
          • Add a port redirect rule to both. If you are using port 9090 as the proxy port, just add and save the defaults.
          • Slide the director priority of the first one to a number like 20.
          • Slide the director priority of the second one to 10.
          • Set the management IP address of each gateway to the real IP of each gateway, not the virtual IP.
          • Assign a third IP address as a virtual address on both.

           

          Point your browser to use the virtual IP address.

           

           

          I think that is all there is to it.

          I'm not logged onto one right now so I can't look it up exactly. But those are the general steps.

           

          Message was edited by: eelsasser on 2/24/12 12:49:01 AM EST
          • 2. Re: McAfee Web Gateway In Proxy HA Mode Config?
            smalldog

            I cannot add second appliances (see attach). And also, how to config reporter in HA proxy mode? Thanks!

             

            Message was edited by: smalldog on 6/4/12 11:15:57 PM CDT
            • 3. Re: McAfee Web Gateway In Proxy HA Mode Config?

              You have probably changed the IP address on one of the appliances after it was installed.

              When you do that, the listening IP address for Central Management does not change in the configuration when you change the IP address of the NIC.

               

              Make sure the listening IP is set to the address of the proxy's NIC:

              Capture.jpg

               

              I hope you are using version 7.2 with Web Reporter.

              You configure each proxy as a log source on WR with the host name as the logon ID.

               

              On the proxies, set up the Access Log to push files to Web Reporter.

              Use the %h as the username. This is substituted by the Hostname of the proxy.

              Capture2.jpg

               

               

              On Web Reporter, create a log source for each proxy.

              The host names on my proxies are mwg-1 and mwg-2. Use the same password for both log sources.

              Capture3.jpg

              Capture5.jpg

               

              When the proxies push the log files, they will go to their respective log sources as specified by the host name of the proxy.

              • 4. Re: McAfee Web Gateway In Proxy HA Mode Config?
                smalldog

                When I add an appliance into the cluster, does it synchronize settings and policies with the other one, or must I configure every appliance? Thanks Eelsasser!

                • 5. Re: McAfee Web Gateway In Proxy HA Mode Config?
                  smalldog

                  It is working now. I have one question: how to check that the appliances are running active/active (not active/standby)? Thanks so much Eelsasser!

                  • 6. Re: McAfee Web Gateway In Proxy HA Mode Config?

                    Hi Erik

                     

                    One Question to port redirects.

                    On https://community.mcafee.com/message/159102#159102 Michael wrote that redirects should be set up for normal web-traffic ports like 80 and 443! I do not understand that...

                     

                    I understand that these redirect ports have to be the ones that will build up on the virtual IP and will be load-balanced as well between the nodes.

                    So usually I will enter 8080 (or whatever the http proxy-port is running at) another example would be 2121 for ftp-proxy usage shared on the virtual IP... and so on...

                    But I really do not understand why I should redirect 80 and 443, especially redirecting them to 8080?!

                     

                    Can you clarify this, please?

                     

                    (Or is this for the use-case if people forgot the dedicated proxy port and entered the wrong proxyport like 80 and then being redirected to 8080?)

                     

                    TIA.

                     

                    regards,

                    Stephan Kaiser

                     

                    Message was edited by: Stephan.Kaiser on 18.06.12 23:42:00 CEST

                     

                    Message was edited by: Stephan.Kaiser on 18.06.12 23:55:32 CEST
                    • 7. Re: McAfee Web Gateway In Proxy HA Mode Config?

                      The redirection is primarily for people who want one listening port and multiple ways to get it to that port.

                       

                      You only truly need the one redirection for the listening port itself (8080). If you want people to also access the proxy via 80, then set up a second redirection.

                      • 8. Re: McAfee Web Gateway In Proxy HA Mode Config?
                        asabban

                        Hello,

                         

                        I think the redirects for port 80 and 443 are especially important when running in transparent router/transparent bridge modes. It is a little confusing that explicit proxy and transparent proxy deployments look very similar configuration-wise in the MWG UI.

                         

                        Basically I would expect this to make sense:

                         

                        1.) Explicit Proxy

                         

                        - All browsers are configured to talk to 9090

                        - The redirect 9090->9090 is entered to tell the MFEND driver to pick those packets and apply load sharing/etc.

                         

                        2.) Transparent Proxy

                         

                        - Browsers do not know there is a proxy

                        - Client PCs will talk to servers on port 80/443 while trying to directly access them

                        - MWG will look for packets passing by on port 80 and 443, since these are the packets we would like to intercept

                        - MFEND will fetch those packets and handle them

                        - Therefore you configure the redirects 80->9090 and 443->9090

                         

                        Hope that makes sense.

                         

                        Best,

                        Andre
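The setup steps from the first reply and the explicit/transparent redirect cases above can be checked on paper before touching the appliances. This is an added example, not code from the thread or from McAfee; it does not talk to MWG, and the plan layout and all field names are hypothetical. The priority check only mirrors the thread's 20/10 example and is an assumption, not a product rule.

```python
import ipaddress

def expected_redirects(mode, proxy_port):
    """Port redirects each node needs, per the thread's two deployment cases."""
    if mode == "explicit":       # browsers talk to the proxy port on the virtual IP
        return {(proxy_port, proxy_port)}
    if mode == "transparent":    # clients address web servers on 80/443 directly
        return {(80, proxy_port), (443, proxy_port)}
    raise ValueError(f"unknown mode: {mode}")

def check_proxy_ha_plan(plan):
    """Return a list of problems in a planned Proxy HA setup (empty list = OK)."""
    problems = []
    net = ipaddress.ip_network(plan["subnet"])
    vip = ipaddress.ip_address(plan["virtual_ip"])
    nodes = plan["nodes"]
    reals = [ipaddress.ip_address(n["real_ip"]) for n in nodes]
    # Both gateways and the shared virtual IP must be in one subnet.
    for name, ip in [("virtual_ip", vip)] + [(n["name"], r) for n, r in zip(nodes, reals)]:
        if ip not in net:
            problems.append(f"{name} {ip} is outside {net}")
    # The virtual IP is a third address, distinct from every real IP.
    if len({vip, *reals}) != len(reals) + 1:
        problems.append("virtual IP and real IPs must all be distinct")
    wanted = expected_redirects(plan["mode"], plan["proxy_port"])
    for n in nodes:
        # Management (Central Management listener) stays on the real IP.
        if n["management_ip"] != n["real_ip"]:
            problems.append(f"{n['name']}: management IP must be its real IP")
        for src, dst in sorted(wanted - {tuple(r) for r in n["redirects"]}):
            problems.append(f"{n['name']}: missing port redirect {src}->{dst}")
    # Assumption: equal priorities are flagged only because the thread uses 20 and 10.
    if len({n["director_priority"] for n in nodes}) != len(nodes):
        problems.append("director priorities are equal (thread uses 20 and 10)")
    return problems

# Constructed sample plan (documentation address range, hypothetical field names).
GOOD_PLAN = {
    "subnet": "192.0.2.0/24", "virtual_ip": "192.0.2.10",
    "mode": "explicit", "proxy_port": 9090,
    "nodes": [
        {"name": "mwg-1", "real_ip": "192.0.2.11", "management_ip": "192.0.2.11",
         "director_priority": 20, "redirects": [(9090, 9090)]},
        {"name": "mwg-2", "real_ip": "192.0.2.12", "management_ip": "192.0.2.12",
         "director_priority": 10, "redirects": [(9090, 9090)]},
    ],
}

if __name__ == "__main__":
    for problem in check_proxy_ha_plan(GOOD_PLAN):
        print(problem)
```

Switching the same plan to `"mode": "transparent"` without adding the 80 and 443 redirects makes the check report them as missing on both nodes.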

                        • 9. Re: McAfee Web Gateway In Proxy HA Mode Config?

                          Thank you both

                           

                          Okay, I already thought of those usage examples too. But this thread and the other mentioned in my former post were regarding Proxy HA and not about Transparent/Bridge setups.

                          So seeing something like 443 redirected to 8080 in just a ProxyHA was... very "confusing"... 

                           

                          We should not forget to also forward 2121 to 2121 for the ftp-proxy.

                          1863, 1865 and the other IM Ports wouldn't work in a Proxy-HA Setup, because they only work in a transparent setup.

                          So we must not put them on the HA-Interface. They could be left alone or, let's say, they can be disabled because we cannot use them...

                           

                          gracefully,

                          Stephan

                           

                          Message was edited by: Stephan.Kaiser on 19.06.12 19:25:36 CEST

                           

                          Message was edited by: Stephan.Kaiser on 19.06.12 19:27:40 CEST

                           

                          Message was edited by: Stephan.Kaiser on 19.06.12 19:35:45 CEST