I have 2 Proxies in an HA configuration. Couple of questions though:
1. How does the director determine which proxy will handle the request? One proxy has a priority of 99 and the other is 98. Will 99 always handle all connections?
2. Is there a way that I can determine which proxy handled the request? I tried to modify the block page and placed the Proxy.IP variable in it, but it shows the virtual IP and not the physical IP of the machine which handled it.
The priority defines which node is the director. The director with the highest priority will be the node which holds the virtual IP address. So all computers are talking to this node. The director intercepts all incoming packets on the configured ports before they reach the application (they are intercepted in the network driver). At this level the director forwards the packets across all scanning nodes (so all HA enabled nodes in the same area). They filter the traffic.
Correct me if I'm wrong, but as I understood it there was only 1 proxy in an HA cluster, which is the Director node. All other nodes are Scanning nodes whose job it is to perform the filtering logic, the AV scanning etc. They do not proxy any traffic. The access log should only be on the Director, and System.HostName should always show the Director node. In the event of the Director failing the node with the next highest priority will be promoted to Director and start to proxy traffic. If there is more than 1 node with equal priority one will be elected as Director and keep its status until either a higher priority node appears or it dies.
Yes, the System.Hostname variable worked! Thanks for the info.
Andre Sabban wrote:
At this level the director forwards the packets across all scanning nodes (so all HA enabled nodes in the same area). They filter the traffic.
How does the director determine which node to send the traffic to? Is Tris correct that the System.Hostname will always show the hostname of the director and not the node that is doing the scanning? I'm trying to determine how we will know which node we need to troubleshoot in the event that we encounter issues. Is there any type of stickiness involved between client and proxy?
Based on my testing, it seems that the node with higher priority is doing all the work.
Message was edited by: bragot on 12/12/12 9:35:34 AM CST
The director knows all scanning nodes and knows how many connections they currently serve. If a new request from an unknown source IP comes in, the director forwards this traffic to the scanning node with the smallest number of current connections. If another request comes in from this source IP it will be forwarded to the same scanning node.
If one IP is not seen for a specific time (I think 5 or 10 minutes) the director will forget about this source IP and the process starts over.
If you see only one node doing the whole traffic this can have a number of reasons:
- You have no port forwarding configured on the director. Even in Direct Proxy with HA a port redirect from 9090 to 9090 (or whatever port you like) is required. If there is no port redirect the network driver on the director will not redirect the traffic, but handle it locally.
- All your traffic is coming from the same source IP because there is a downstream proxy or a NATting device in place.
- The director does not know about other scanning nodes; you will need to review the HA configuration.
If you encounter a block page you should see the host name of the machine that blocked the request.
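
Added example, not part of the thread and not the product's own code: a simplified Python model of the dispatch behaviour described above (fewest current connections for a new source IP, same node for a known one), showing why traffic arriving from a single NAT or downstream-proxy address lands on one scanning node. The node names, the sample addresses and the 600-second expiry are assumptions; the thread only says "5 or 10 minutes".

```python
from collections import Counter

STICKY_TIMEOUT = 600  # seconds; assumed, the thread only says "5 or 10 minutes"


class Director:
    """Simplified model of the dispatch behaviour described in the thread."""

    def __init__(self, nodes, timeout=STICKY_TIMEOUT):
        self.active = {n: 0 for n in nodes}  # node -> current connection count
        self.sticky = {}                     # source IP -> (node, last seen)
        self.timeout = timeout

    def dispatch(self, src_ip, now):
        entry = self.sticky.get(src_ip)
        if entry and now - entry[1] <= self.timeout:
            node = entry[0]                  # known source IP: same node again
        else:
            node = min(self.active, key=self.active.get)  # fewest connections
        self.sticky[src_ip] = (node, now)
        self.active[node] += 1               # connections stay open in this model
        return node


def distribution(nodes, requests):
    """Count requests per node for a list of (source IP, timestamp) pairs."""
    director = Director(nodes)
    return Counter(director.dispatch(ip, ts) for ip, ts in requests)


NODES = ["node-a", "node-b"]  # hypothetical scanning nodes

# Constructed input: six different clients, then six requests behind one NAT IP.
many_clients = [(f"10.0.0.{i}", i) for i in range(1, 7)]
one_nat_ip = [("192.0.2.10", t) for t in range(6)]

if __name__ == "__main__":
    print("distinct clients:", dict(distribution(NODES, many_clients)))
    print("single NAT IP:   ", dict(distribution(NODES, one_nat_ip)))
```

When comparing this against a real cluster, count requests per source IP in the access log first: a single dominant source address explains a one-sided distribution before any HA misconfiguration does.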