5 Replies Latest reply on Oct 10, 2013 3:39 AM by asabban

    Implement Central Management in existing setup MWG


      Dear All,


      We have in our environment two physical web gateways in the same building. The two are connected to two internet sources on eth0 and operate in Proxy (optional WCCP) mode. Both MWGs operate individually and don't know about each other. Only one NIC on the gateways is in use. For authentication we authenticate users based on their domain name credentials.


      One gateway, MWG1, is serving one building's users and the second gateway, MWG2, is serving the other building's users. Now I am willing to combine the two for central management of policies because presently I need to make any changes twice.


      Please let me know if I can do the central management when only one NIC on both gateways is in use, or whether a separate NIC should be used on the two MWGs. The IP addresses of both gateways are in the same range.


      - If central management is then done, will the Active Directory based authentication still work?

      - How about the two internet sources? Will they both be used in the central management scenario?

      - Will the users be required to enter proxy settings in their IE? If yes, which proxy name will they use, MWG1 or MWG2?



      Presently, as I explained above, MWG1 serves building 1 users, so they enter 'MWG1' as proxy in their browsers, while MWG2 serves building 2 users, so they enter 'MWG2' as proxy in their browsers.


      Kind Regards,

        • 1. Re: Implement Central Management in existing setup MWG



          You can create the Central Management via one NIC, as long as both MWGs can "reach" each other. If they are physically put into two networks that cannot route to each other you will have to use a second NIC and bring both MWGs "together".


          The Central Management is rather simple. It synchronizes the policy - that's all. Settings such as IP addresses, routing information etc. are not synchronised. So yes, authentication will still work. Every MWG will continue using its "internet source", the routing will not be touched in any way. Also for the users nothing will change, users in building 1 will still talk to MWG1, users in building 2 will still talk to MWG2, which is perfectly fine.




          • 2. Re: Implement Central Management in existing setup MWG

            Dear Andre,


            Yes, both our physical MWGs have IPs as follows:


            MWG1, 10.1.99.x

            GW, ( IP for ADSL modem1, first internet source)

            MWG2, 10.1.99.x

            GW, (IP for ADSL modem2, second internet source)


            Both MWGs are able to ping each other. I checked this using Troubleshooting > Network Tools > Ping (I entered the IP of the second MWG and there was a ping reply). So this will work in our case?


            Is there any step to be done to be on the safe side? How will the policy synchronization be done, I mean which MWG will overwrite the other one the first time? If by chance something goes wrong, how do we return to the state which we have now?


            Many thanks for the support.




            • 3. Re: Implement Central Management in existing setup MWG



              That should work fine.


              You will log in to one MWG and "add" the second one to the central management. The one you "add" will have the policy of the one you are logged on to after you joined the central management.


              In case of problems make sure you took a backup. You can remove the node from central management and restore the backups. That should work fine, however I would do this change besides regular working hours to not interfere with the users browsing through MWG.




              • 4. Re: Implement Central Management in existing setup MWG

                I understand, it is good to do the change besides regular working hours.


                So, central management does not give any kind of high availability? For example, in case the internet source of MWG2 goes down or MWG2 itself fails, are the users working through this proxy required to change the proxy in their browsers?


                What I understand is that it is just for making management easy and not to provide any load balancing or HA. Correct me if I am wrong, please.


                After implementing the central management as discussed above, what can we do in order to have automatic redirection of users in the event of failure of the internet source or the MWG itself? I read about WCCP; presently our MWGs are operating in this mode, see picture please:



                Is it possible to proceed first with central management and then with a transparent setup, so users are not required to set a proxy in their IE, Chrome or Firefox?



                • 5. Re: Implement Central Management in existing setup MWG



                  You are correct, central management is *only* central management :-) It does not add any failover capabilities or similar to MWG. Setting up load balancing/HA/failover (however you like to call it) is a completely different step.


                  There are a lot of options to achieve this:


                  - In WCCP the router performing WCCP should be able to do the job

                  - You could switch to Proxy HA, which will give you a virtual IP address which will be used by the clients. If one MWG goes down the virtual IP stays reachable for the clients

                  - You can use any kind of load balancer in front of MWG

                  - You can use Proxy.pac files


                  If you are already using WCCP and want to keep WCCP, I think the users coming in via WCCP should already have failover capabilities. Maybe this requires some additional configuration on the router... there should be some more guidance here on the community or support can help. Personally I don't know much about WCCP since this is a feature that people do not seem to use over here in Europe :-)


                  If you keep WCCP the users who directly access MWG1 or MWG2 (not coming via WCCP) won't have failover capabilities. For them a proxy.pac file may be the right choice. You can design the proxy.pac in a way that users from building 1 always use MWG1. If MWG1 is dead all users (building 1 and 2) will use MWG2. Vice versa all users from building 2 will always use MWG2. In case MWG2 dies, all users (building 1 and 2) will go through MWG1. So you keep the existing distribution of users, but have a fall-back mechanism.


                  If you want to switch to Proxy HA I think you will use WCCP. If that is suitable you can enable Proxy HA and assign a new IP address which virtually points to both MWGs. Clients will access this IP in the future to have failover capabilities. In this case you have no influence on which user goes through which proxy, so you will lose your "building 1 -> MWG1, building 2-> MWG2" association.


                  The additional load balancer should allow you to configure a virtual IP and usually should have options to keep the building <-> MWG association, because load balancers usually have more options. But those options usually have to be paid :-)
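
The proxy.pac design described in reply 5 (building 1 prefers MWG1, building 2 prefers MWG2, each falling back to the other), as an added example that is not part of the original thread. The client subnets and the proxy port 9090 are assumptions made up for illustration; only the names MWG1 and MWG2 come from the thread.

```javascript
// Assumed values (not from the thread): client subnets per building, proxy port.
var PROXY_PORT = 9090;
var BUILDINGS = [
  { net: "10.1.10.0", mask: "255.255.255.0", primary: "MWG1", backup: "MWG2" },
  { net: "10.1.20.0", mask: "255.255.255.0", primary: "MWG2", backup: "MWG1" }
];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Build the ordered proxy list for a client address. The browser tries the
// first entry and moves to the second only when the first is unreachable.
// No "DIRECT" entry is emitted: if both gateways are down, browsing stops
// instead of silently bypassing the web gateway's filtering.
function proxyChainFor(clientIp) {
  for (var i = 0; i < BUILDINGS.length; i++) {
    var b = BUILDINGS[i];
    if (inSubnet(clientIp, b.net, b.mask)) {
      return "PROXY " + b.primary + ":" + PROXY_PORT +
             "; PROXY " + b.backup + ":" + PROXY_PORT;
    }
  }
  // Unknown subnet (VPN, multi-homed host, myIpAddress() returning 127.0.0.1):
  // still send traffic through a gateway.
  return "PROXY MWG1:" + PROXY_PORT + "; PROXY MWG2:" + PROXY_PORT;
}

// PAC entry point; myIpAddress() is supplied by the browser's PAC runtime.
function FindProxyForURL(url, host) {
  return proxyChainFor(myIpAddress());
}
```
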