4 Replies Latest reply on Sep 26, 2016 1:48 AM by freddykr

    Are you using a load balancer? Care to share details?

    Jon Scholten



      I'd like to put a best practice together but would like some Community input. Usually the MWG is administered by one person/team, and the load balancer is administered by another. Having a best practice will make it easier for both sides to get the information they need.


      ProxyHA (best practice here) on MWG is an option for a lot of environments, but there's always a place for external load balancers too.


      If you have a load balancer, what mode are you using? In my experience the best experience was Direct routing or NAT mode, but there are limiting factors with network configuration.

      • Direct Routing / Server Return mode = The load balancer simply routes the packets directly to the upstream MWG. The client IP is obtained from the source IP in the packets.
      • NAT mode = The upstream MWG must be in a segmented network with the load balancer as the default gateway. The client IP is obtained from the source IP in the packets.
      • Source NAT mode = The load balancer acts as a proxy and sends the traffic to the upstream MWG, which must parse X-Forwarded-For to get the client IP. It seems that XFF can be unreliable.
      • Any modes I'm missing?


      What mode is MWG configured in?

      • Direct Proxy mode - This would work for NAT mode or Source NAT mode
      • Direct Proxy mode with L2 - Would work with Direct routing, NAT mode, and source NAT mode
      • Transparent router mode - Would work with Direct routing, NAT mode, and source NAT mode
      • Is there anything strange about the configuration? e.g. I had to configure MWG in Transparent router mode with the LB as the gateway.
      • Did you have any seemingly strange routing problems?


      What health checks do you have configured? I'm guessing the possible responses would be:

      • Ping test - Simple ping to the proxy IP; if it fails, other tests should determine the action. If the ping fails but the port test succeeds, it doesn't really matter that the ping failed.
      • Port test - Verify the proxy port is open; fail over if the port check fails.
      • Application level test - Send an actual HTTP request to the proxy and check for a certain response code or response body.
      • Example Application level test? Here is an example of what I have from F5:
      GET / HTTP/1.0\r\nHost: www.google.com\r\nUser-Agent: F5-Proxy-Pac-Check\r\nConnection: close\r\n\r\n

      How is persistence for client connections configured?

      I'm imagining that there is a 5 minute inactivity timeout, whereby the load balancer will send all traffic from a certain source IP to the same proxy until there is 5 minutes of inactivity (this is how MWG's built in ProxyHA works).


      Related Community threads:

      https://community.mcafee.com/message/356567#356567


      Call outs in case you gurus have any insight (don't feel obligated to post if you don't want to): gjunges, malware-alerts, msiemens


      Best Regards,

      Jon
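
The three health-check levels and the F5 send-string from the post above, written out as a runnable monitor. This is an added example, not code from the original post or from McAfee/F5: it reuses the exact request bytes quoted above, adds a layer-4 port test, and applies the "fail over only when every probed site fails" rule that a later reply describes, so that one unavailable origin site does not take a healthy proxy out of the pool. The proxy address `proxy.example.internal` and port 9090 in the usage stanza are assumptions.

```python
import socket
from typing import Dict, Iterable, Optional

# The F5 monitor send-string quoted in the post, as the bytes that go on the wire.
PROBE_REQUEST = (
    b"GET / HTTP/1.0\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: F5-Proxy-Pac-Check\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def build_probe(origin_host: str, user_agent: str = "F5-Proxy-Pac-Check") -> bytes:
    """Build the same request shape for another origin host.

    HTTP/1.0 plus Connection: close makes the proxy close the socket after one
    response, so the monitor never hangs waiting on a keep-alive connection.
    """
    return (
        f"GET / HTTP/1.0\r\n"
        f"Host: {origin_host}\r\n"
        f"User-Agent: {user_agent}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode("ascii")


def parse_status(raw: bytes) -> Optional[int]:
    """Status code from the first line of a raw HTTP response; None if it is not HTTP."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def port_test(proxy_host: str, proxy_port: int, timeout: float = 3.0) -> bool:
    """Layer-4 check: can we complete a TCP handshake on the proxy port?"""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout):
            return True
    except OSError:
        return False


def app_test(proxy_host: str, proxy_port: int, request: bytes,
             timeout: float = 5.0) -> Optional[int]:
    """Application-level check: send a real request through the proxy, return its status."""
    buf = b""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(request)
            while b"\r\n" not in buf:          # read only until the status line is complete
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except OSError:
        return None
    return parse_status(buf)


def proxy_is_healthy(results: Dict[str, Optional[int]],
                     accept: Iterable[int] = (200, 301, 302)) -> bool:
    """Decide from per-site results.

    One failing site proves only that the site (or the path to it) is down, not
    that the proxy is. Mark the proxy unhealthy only when every probed site fails.
    """
    ok = set(accept)
    return any(code in ok for code in results.values())


def run_checks(proxy_host: str, proxy_port: int,
               origin_hosts: Iterable[str] = ("www.google.com",)) -> bool:
    """Cheap port test first, then one application-level probe per origin host."""
    if not port_test(proxy_host, proxy_port):
        return False
    results = {h: app_test(proxy_host, proxy_port, build_probe(h)) for h in origin_hosts}
    return proxy_is_healthy(results)


if __name__ == "__main__":
    # Hypothetical proxy; 9090 is assumed to be its explicit-proxy listener port.
    sites = ("www.google.com", "www.example.com", "www.bing.com")
    print("healthy" if run_checks("proxy.example.internal", 9090, sites) else "FAILOVER")
```

The port test answers "is the proxy process listening"; the application test answers "can it fetch something"; neither answers "is google.com up", which is why the decision takes the best result across several sites rather than requiring all of them.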

        • 1. Re: Are you using a load balancer? Care to share details?
          malware-alerts

          Really happy a 'best practice' will be created for this!


          In the absence of MWG-centric 'best practice', we used the LB vendor's best practice for 'web servers' as recommended by our Intel Security Service Specialist.


          If you have a load balancer, what mode are you using?

          • Direct Routing / Server Return mode


          What mode is MWG configured in?

          • Transparent mode (we kept this mode as we transitioned from an actual 'transparent' setup to 'explicit proxy', but the MWG is now acting as the explicit proxy for our clients)


          What health checks do you have configured?

          • Application-level tests. We have HTTP 'HEAD' probes sent to 3 different websites every 15 seconds. If all 3 fail, failover occurs.


          How is persistence for client connections configured?

          • 60 minutes 'stickiness' based on source IP.
          • 2. Re: Are you using a load balancer? Care to share details?
            msiemens

            Two items, both on the LB:


            1. Configure the LB Virtual IP (VIP) as layer 4 (L4). Some LBs will drop or alter HTTP fields in client-gateway connections. In some cases, these actions will result in web sites not working correctly or not working at all. These problems are difficult and time-consuming to diagnose and remediate.
            2. Make sure that you're getting true client source IP addresses from the LB. Some LB configurations will put the source IP address in the X-Forwarded-For field instead of retaining the true source IP. While this usually works, there are some troubleshooting tools where true source IP is very important. This issue goes back to L4 vs. L7 VIPs.
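
The "true source IP vs. X-Forwarded-For" point in the reply above, as an added example that is not part of the original thread or of any vendor's code. It shows what the proxy (or anything reading its logs) has to do to recover the client address in each LB mode, and why XFF is only trustworthy for the hops you added yourself: when the TCP peer is the client (Direct Routing / NAT mode) any XFF it sends is attacker-controlled and must be ignored; when the TCP peer is the LB (Source NAT mode) you walk the header from the right, skipping your own proxies, and stop at the first address you did not append. The trusted-proxy range `10.0.0.0/8` and the sample requests are constructed for the demo.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into hops, left (oldest) to right (newest)."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def _trusted(ip: str, proxies: List[Network]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in proxies)


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the real client address, or None if it cannot be recovered safely."""
    proxies = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    if not _trusted(remote_addr, proxies):
        # Direct Routing / NAT mode: the TCP peer is the client. Anything in XFF
        # was written by the client, so it is ignored.
        return remote_addr
    # Source NAT mode: the TCP peer is the LB. Walk the chain right-to-left,
    # dropping addresses that belong to our own LB tier.
    for hop in reversed(parse_xff(xff_header)):
        if _trusted(hop, proxies):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return None          # garbage in the header: do not guess
    return None                  # LB appended nothing: the true source IP is lost


def demo() -> Dict[str, Optional[str]]:
    """Constructed requests (TCP peer, XFF value) seen by a proxy behind an LB in 10.0.0.0/8."""
    trusted = ["10.0.0.0/8"]
    cases = {
        # Source NAT: client 203.0.113.7 injected a fake first hop; LB appended the real one.
        "snat_with_spoofed_hop": ("10.0.0.5", "198.51.100.9, 203.0.113.7"),
        # Direct routing: peer is the client; its self-supplied XFF is ignored.
        "direct_spoofed_xff":    ("203.0.113.7", "198.51.100.9"),
        # Two LB hops in the chain; both are skipped.
        "snat_two_lb_hops":      ("10.0.0.5", "203.0.113.7, 10.0.0.6"),
        # LB in SNAT mode but XFF insertion disabled: the address is gone.
        "snat_no_xff":           ("10.0.0.5", None),
    }
    return {name: client_ip(peer, xff, trusted) for name, (peer, xff) in cases.items()}


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:24s} -> {ip}")
```

The last case is the "real PITA" in the follow-up reply: once the LB has rewritten the source address, nothing the proxy can parse brings it back, so a packet capture on the MWG side will only ever show the LB. That is the operational reason to prefer a layer-4 VIP that preserves the client address over a layer-7 one that substitutes a header for it.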
            • 3. Re: Are you using a load balancer? Care to share details?
              malware-alerts

              msiemens wrote:


              Two items, both on the LB:


              1. Configure the LB Virtual IP (VIP) as layer 4 (L4). Some LBs will drop or alter HTTP fields in client-gateway connections. In some cases, these actions will result in web sites not working correctly or not working at all. These problems are difficult and time-consuming to diagnose and remediate.
              2. Make sure that you're getting true client source IP addresses from the LB. Some LB configurations will put the source IP address in the X-Forwarded-For field instead of retaining the true source IP. While this usually works, there are some troubleshooting tools where true source IP is very important. This issue goes back to L4 vs. L7 VIPs.

              To your point: we changed LB technology in the past few months and the new LB is 'proxying' the connection (thus hiding the real source ip) and inserting 'X-Forwarded-For' headers. It's fine 90% of the time (for example the logs have the proper source IP), but a real PITA when it comes time to do tcpdumps to resolve issues...

              • 4. Re: Are you using a load balancer? Care to share details?
                freddykr

                If you have a load balancer, what mode are you using?

                • NAT mode for 95% of the internal networks (Default Gateway is the internet and static routes defined for internal networks)
                • SRC NAT mode for the rest (XFF is not used; the troubleshooting issue not getting the real IP-Address is accepted)


                What mode is MWG configured in?

                • Direct Proxy mode


                What health checks do you have configured?

                • Just simple port tests. We had some issues in the past, when we used application tests (i.e. Google), and these sites were not available at times.


                How is persistence for client connections configured?

                • 120 minutes 'stickiness' based on source IP.