3 Replies Latest reply on Sep 13, 2013 11:28 AM by gurcanozturk

    Active/Active Load Balancing with McAfee Web Gateway


      Hello All,


      We are using web gateways through HP switches with PBR (Policy Based Routing) to redirect clients to the proxy. Our clients authenticate against Windows AD with the Cookie Authentication mechanism.


      In Proxy mode;

      Everything works perfectly with PBR.


      In Proxy HA mode;

      If the client proxy settings are blank (no proxy settings), it does not work.

      If the client proxy is entered as the proxy IP and port, it works.


      In Transparent Router mode;

      It appears to work in a test case without user settings. I still have to test with authentication/policy synchronization/log synchronization etc.




      What I want to do is Active/Active load balancing with authentication via PBR. We have 5-6 proxies, so I want active/active balancing across them without user settings. I don't want to set up WPAD/Proxy.pac or explicit proxy settings.



      What is the best practice for this scenario?


      Message was edited by: gurcanozturk on 8/27/13 5:33:53 AM CDT
        • 1. Re: Active/Active Load Balancing with McAfee Web Gateway



          I've not used the built-in MWG load balancing; however, we do use WCCP on one of our clusters. This is a transparent mechanism that natively supports load balancing and works very well for us. Would this be an option? Alternatively, on other parts of our estate we use HAProxy as a front end to spread load to a cluster of servers. This could be run under a VM, and you can use things like Linux LVM to make it highly available.



          • 2. Re: Active/Active Load Balancing with McAfee Web Gateway



            Please note that Proxy HA or Transparent Router mode are not exactly active/active. What happens is the following:


            ONE of the nodes in the cluster will become the "director". This node will be associated with the virtual IP address (e.g. on previous network devices the MAC address of the virtual IP will point to the physical NIC of the director node). This node will receive ALL traffic, but before the traffic is shifted from the NIC to the MWG process, the data is shared across ALL known nodes in the cluster.


            So only one node will accept traffic, and will then try to share the load equally across all known MWG nodes in the local subnet. However, all nodes will process the traffic.


            In your case I would probably try to go with transparent router mode. This would probably limit the efforts you have to take on your existing network devices, since MWG will automatically take care of the packets it wants to intercept etc.




            • 3. Re: Active/Active Load Balancing with McAfee Web Gateway



              I tried to set up a Linux HAProxy round robin with 5 McAfee Web Gateways which are running in Proxy mode.


              - If I enter the HAProxy IP:PORT in the browser's proxy settings, it works (explicit proxy).

              - If I remove the IP:PORT from the browser's proxy settings, it didn't work (with PBR via HP switch).


              May I ask how you set up HAProxy and the web gateways to work with active/active balancing?