The Proxy HA network mode that you can configure on Web Gateway is an explicit proxy mode with High Availability functions. It allows you to perform failover and load balancing without using external load balancers.
Director node and scanning nodes
When multiple appliances run in a Proxy HA configuration, this configuration is also called a High Availability cluster. One of the appliances in this cluster is configured as the director node, while the other appliances are configured as scanning nodes.
The director node performs load balancing within the cluster by distributing load to the scanning nodes. Usually, the director node also acts as a scanning node. You also configure at least one scanning node as backup node that replaces a failed director node.
Appliances take their roles according to a priority value that you configure for each of them. The director node has the highest value configured, the values for the backup nodes are below this, but greater than 0, whereas scanning nodes that have 0 as their value will not perform backup functions.
The node that has the director role at a given point in time is known as the active director. The active director uses a virtual IP address (VIP) as an alias IP address on its interface for communication with the clients that have their web traffic redirected to Web Gateway for filtering.
We recommend that you also configure the appliances that you want to include in a Proxy HA configuration as members of a Central Management cluster.
These configuration types do not depend on each other for running successfully. But if the appliances are not controlled and synchronized by Central Management, each appliance might follow different web security rules after some time.
Load balancing in a Proxy HA configuration takes into account resource usage and active number of connections. So, if one scanning node is overloaded, others get more traffic to compensate.
When load balancing is performed, requests from the same client usually go to the same scanning node.
If the director node fails, the backup node with the highest priority value takes over the director role. When the original director node returns to active status, it takes over the director role again.
To verify that nodes are available, VRRP (Virtual Router Redundancy Protocol) is used for health checks. You must configure the following for VRRP on each appliance to enable the health checks: A VRRP interface and a virtual router ID that is the same for all members of the High Availability cluster.
Each node sends a multicast packet per second to IP address 18.104.22.168. If no multicast packet from the active director is seen for 3–4 seconds, a failover is performed. The failover lets the backup node with the highest priority become the director node. This node takes on ownership of the virtual IP address of the High Availability cluster and informs the other nodes about its new director role.
Gratuitous ARP (Address Resolution Protocol) messages are used to update the ARP tables of participating clients and routers. Each time the common virtual IP address changes ownership (a failover occurs), the new director node sends a gratuitous ARP message. Subsequent TCP/IP packets can thus reach this node.
On the appliances that are to run as director and backup nodes, IP addresses must be configured as follows:
- The IP addresses of all scanning nodes must be entered in the scanner table that is filled in on the director and backup nodes. If you also configure the director node to take the role of a scanning node, you must enter its address in this table as well.
- The virtual IP address that the director and backup nodes use on their interfaces as network IP address to communicate with the Web Gateway clients must also be known.
You must add this network interface IP address to the settings that are configured on these nodes for the HTTP and FTP proxies with ports that listen to requests coming in from the clients.