Skyhigh Security

Example Proxy HA configuration Using HAProxy (MWG >= 8.2)

Overview

Starting with SWG version 8.2, Skyhigh Security introduced a new HAProxy feature. This makes manual changes mandatory if you update from an older version that is using mfend. This article shows a simple example configuration for Proxy HA mode.

HAProxy support for ICAP Proxy was introduced with the following SWG versions: 8.2.12, 9.2.3, 10.0. The configuration for ICAP is the same as for HTTP.

Action plan

  • Upgrade to or install the latest main version
  • Perform the configuration changes as indicated below
  • In case of any failures, create a Service Request and provide:
    • the feedback file
    • a short description of the interfaces in use and their purpose (in-/outbound, IP addresses)

Example Proxy HA configuration

This is a configuration example for creating a Proxy HA cluster with two SWGs.

Interfaces:

  • SWG1 eth0: 10.116.40.3
  • SWG2 eth0: 10.116.40.4

SWG1 Configuration:

  • Scanners table: 10.116.40.4 (type: Peer Director), 10.116.40.3 (type: Scanner)
  • Director priority: 90
  • VIP: 10.116.40.5/32
  • VRRP: eth0
  • HTTP: 10.116.40.3:9090 (in general, bind the management IP address to every port you want to configure)
  • FTP (if enabled): 10.116.40.3:2121

SWG2 Configuration:

  • Scanners table: 10.116.40.3 (type: Peer Director), 10.116.40.4 (type: Scanner)
  • Director priority: 50
  • VIP: 10.116.40.5/32
  • VRRP: eth0
  • HTTP: 10.116.40.4:9090 (in general, bind the management IP address to every port you want to configure)
  • FTP (if enabled): 10.116.40.4:2121

Test HA feature from GUI on the active director:

"Troubleshooting" > "Network tools" > type in parameter "all" > choose "hastats".

Output on active director:

hastats all :
Mode: Active Director
HTTP - IPv4
+-------------+------+-------------------+-------------------+
| Server      |Status|Sessions per Second|Cumulative Sessions|
+-------------+------+-------------------+-------------------+
|10.116.40.4  | UP   |         0         |         0         |
+-------------+------+-------------------+-------------------+
|10.116.40.3  | UP   |         0         |         0         |
+-------------+------+-------------------+-------------------+

FTP not configured

If you run the test on the redundant director, it only tells you to run this command on the active director.

NOTES:

  • We highly recommend using a /32 subnet mask for any VIP address
  • You can configure multiple VIPs. At least one needs to be on the same interface as the VRRP.
  • Director priority = 0: scanning-only node
  • Director priority > 0: possible director node
  • If you want to configure a scanning-only machine, set the director priority to 0; most options will then automatically grey out.
  • In this case you MUST change the HTTP listener from 10.116.40.3:9090 back to 0.0.0.0:9090 (the same applies to any other active listener)
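The rules above (a /32 VIP, a VIP on the VRRP interface, listeners bound to the management IP on director nodes but to 0.0.0.0 on a priority-0 scanning-only node, mutual Peer Director entries, and the highest priority becoming the active director) are easy to get wrong when editing two nodes by hand. The following added check script is not part of this article or the SWG product; the dict layout used to describe each node is an assumption for this example, not the SWG's own export format.

```python
import ipaddress

# Constructed configs mirroring the two-node example above; the dict layout is
# an assumption for this example, not the SWG's own export format.
SWG1 = {"name": "SWG1", "mgmt_ip": "10.116.40.3", "vrrp_if": "eth0", "priority": 90,
        "vips": [("10.116.40.5/32", "eth0")],
        "scanners": {"10.116.40.4": "Peer Director", "10.116.40.3": "Scanner"},
        "listeners": {"HTTP": "10.116.40.3:9090", "FTP": "10.116.40.3:2121"}}
SWG2 = {"name": "SWG2", "mgmt_ip": "10.116.40.4", "vrrp_if": "eth0", "priority": 50,
        "vips": [("10.116.40.5/32", "eth0")],
        "scanners": {"10.116.40.3": "Peer Director", "10.116.40.4": "Scanner"},
        "listeners": {"HTTP": "10.116.40.4:9090", "FTP": "10.116.40.4:2121"}}

def check_node(n):
    """Per-node rules from the notes; an empty list means the node passes."""
    out = []
    for vip, iface in n["vips"]:
        if ipaddress.ip_network(vip, strict=False).prefixlen != 32:
            out.append(f'{n["name"]}: VIP {vip} should use a /32 mask')
    if not any(iface == n["vrrp_if"] for _, iface in n["vips"]):
        out.append(f'{n["name"]}: no VIP on VRRP interface {n["vrrp_if"]}')
    # Director nodes bind listeners to the management IP; a scanning-only node
    # (priority 0) must have them back on 0.0.0.0.
    expected = n["mgmt_ip"] if n["priority"] > 0 else "0.0.0.0"
    for proto, bind in n["listeners"].items():
        if bind.rsplit(":", 1)[0] != expected:
            out.append(f'{n["name"]}: {proto} listener {bind} should bind {expected}')
    if n["scanners"].get(n["mgmt_ip"]) != "Scanner":
        out.append(f'{n["name"]}: own IP {n["mgmt_ip"]} must be listed as Scanner')
    return out

def check_cluster(nodes):
    """Cross-node rules; returns (expected active director, findings)."""
    out = [f for n in nodes for f in check_node(n)]
    if len(nodes) > 1 and not set.intersection(*[{v for v, _ in n["vips"]} for n in nodes]):
        out.append("cluster: nodes share no common VIP")
    for n in nodes:
        for peer in nodes:
            if peer is not n and peer["priority"] > 0 and \
                    n["scanners"].get(peer["mgmt_ip"]) != "Peer Director":
                out.append(f'{n["name"]}: {peer["mgmt_ip"]} should be a Peer Director')
    directors = [n for n in nodes if n["priority"] > 0]
    if not directors:
        out.append("cluster: no node with director priority > 0")
        return None, out
    # Highest director priority becomes the active director (90 beats 50 above).
    return max(directors, key=lambda n: n["priority"])["name"], out
```

Run check_cluster([SWG1, SWG2]) before applying a change; a non-empty findings list points at the rule that was missed, for example a node set to priority 0 whose listeners are still bound to its management IP.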