
Skyhigh Security

Configure the Proxy HA Mode

Configure the Proxy High Availability (Proxy HA) mode for a group of Secure Web Gateway appliances to perform load balancing and failover without using external load balancers.

A group of appliances that is configured in this way is also referred to as Proxy HA configuration or High Availability (HA) cluster.

Configure the appliances in this cluster one after another. Set up one of them as the director node, which provides the load balancing functions, and the others as backup nodes or as scanning nodes only. Select different values for the various settings options depending on the particular role of a node.

If no information regarding the different roles is provided in the following for a configuration step, complete it in the same way for each appliance.

  1. On the user interface, select Configuration > Appliances.

  2. On the appliances tree, select an appliance that you want to include in the cluster, then click Proxies.

  3. Under Network Setup, select Proxy HA.

    The Proxy HA settings appear immediately below the Network Setup settings.

  4. Configure these settings as follows.

    1. Begin with Director priority, which is located below the scanner table — Move the slider on the scale that is provided here to a numerical value for the appliance to configure its role in the cluster.

      • For a director node — Highest priority, for example, 99

        A load balancer runs on this node to provide load balancing functions in the cluster.

      • For a backup node — Lower priority, but higher than 0, for example, 89

        A backup node, also known as peer node, performs a failover to replace the director node when the director fails and no other node with a higher priority is active. Otherwise the backup node works as a scanning node.

      • For a node that runs as a scanning node only — 0

      Moving the slider also makes the remaining Proxy HA settings accessible. Continue with configuring these settings.

    2. Scanners table — In this table, fill in IP addresses and roles of the nodes in the cluster that participate in the scanning. Roles are referred to as types in this table.

      Entries are filled in this table when setting up a director or a backup node. When setting up a scanning-only node, you need not deal with this table.

      When filling in an entry for the node that you are currently working on, always specify Scanner as its role, even if that node is a director or backup node.

      To add an entry, click the Add icon, and proceed as follows:

      • For a director node — If this node is to participate in the scanning, fill in its own IP address and select Scanner as type. Otherwise do not fill in an entry for this node.

        Add the IP addresses of all other nodes that run as scanning nodes. Select Scanner as role (type) if a node is a scanning-only node, and Peer/Director if it's a backup node.

        For example, you have a cluster with a director node (appliance 1) and a backup node (appliance 2) that both participate in the scanning along with two nodes that only run as scanning nodes (appliances 3 and 4).

        Then the table should include these entries:

        • IP address of the director node (appliance 1) — Type: Scanner

        • IP address of the backup node (appliance 2) — Type: Peer/Director

        • IP address of one scanning only node (appliance 3) — Type: Scanner

        • IP address of the other scanning only node (appliance 4) — Type: Scanner

      • For a backup node — Fill in its own IP address and select Scanner as role (type).

        Add the IP addresses of all other nodes that run as scanning nodes. Select Scanner as role if a node is a scanning-only node, and Peer/Director otherwise.

        For example, you have the same cluster as above. Then the table should include these entries:

        • IP address of the director node (appliance 1) — Type: Peer/Director

        • IP address of the backup node (appliance 2) — Type: Scanner

        • IP address of one scanning only node (appliance 3) — Type: Scanner

        • IP address of the other scanning only node (appliance 4) — Type: Scanner

    3. Relay port — For a director or backup node, configure a TCP port as relay port. This is a port that the scanning nodes in the cluster will use when forwarding web traffic to external destinations.

    4. Probe interval — For a director or backup node, set this interval as the time (in milliseconds) to elapse before the director node sends the next probe packet. Probe packets are sent to scanning nodes to verify they are still alive.

      If you specify 0, no probe packets are sent.

    5. Inactivity timeout — Set a timeout (in seconds) for inactivity on the connections between the clients and the internal load balancer.

    6. Load balancing algorithm — Select a load balancing algorithm for the load balancer.
      Select one of the following:

      • Round robin — Traffic is forwarded to the scanning nodes one after another.

      • Leastconn (Least connections) — Traffic is forwarded to the scanning node with the lowest number of currently active connections.

    7. Stickiness — Enable sticky sessions between the clients and the scanning nodes, keyed on the client source IP address, so that connections from the same client are sent to the same scanning node.

      If you want to run an FTP proxy under the Proxy HA network mode, this option must be enabled.

    8. Virtual IPs — For a director or backup node, specify a Virtual IP address (VIP address) that is to serve as the cluster address.

      Select a network interface, for example, eth0, to assign this VIP address to it.

      You can assign more than one VIP address to a network interface. You can also select more than one network interface.

      The cluster address is used by the node that is currently the active director. Using this address, the director node connects to the scanning nodes as well as to the clients that have their requests for web access redirected to Secure Web Gateway.

      Any network interface that you select here, or leave selected by default, must be one of those that you configured under the Network Interfaces settings, which are part of the system settings on a Secure Web Gateway appliance.

      We recommend selecting network interfaces here that you have configured with a /32 subnet mask.

    9. Configure the settings for health checks under the Virtual Router Redundancy Protocol (VRRP).

      • Virtual router ID — ID used for the health checks

        This ID must be the same on all nodes.

        Default: 51

        You can leave the default ID unless you are already using VRRP elsewhere in your network with ID 51. Then change it here to make it unique for the High Availability cluster.

      • VRRP interface — Interface used for the health checks

        Default: eth0

        You can leave this default unless you are not using the eth0 interface on your appliances.

        The network interface that you select or leave here as selected by default is one of those that you have configured under the Network Interfaces settings, which are part of the system settings on a Web Gateway appliance.

        The VIP address of the network interface that is selected here is used when this node connects as active director to a scanning node in passive FTP mode. If more than one VIP address is configured for this interface, the address that was configured last is used.

        If no network interface is selected as the VRRP interface, no connections can be run under FTP in Proxy HA mode.

    10. List of egress IPs for load distribution — Configure egress IP addresses in this list to be able to use more connections when forwarding incoming web traffic to the scanning nodes.

      Configuring egress IP addresses is optional. Configure them if more than 50,000 active connections are needed on one scanning node at the same time.

      As egress IP addresses, enter addresses that you added as IP aliases for network interfaces when you configured them under the Network Interfaces settings, which are part of the system settings on a Web Gateway appliance.

      In addition, these IP aliases must be configured as IP addresses of the network interface that you selected as the VRRP interface in substep 9.

      The load balancer on the active director node distributes incoming web traffic among the scanning nodes. The number of ports that can be used by this load balancer when connecting to these nodes is limited. By configuring egress IP addresses you can overcome this limit and increase performance.

  5. If you want to run the appliances in the cluster nodes as proxies under HTTP, configure the HTTP Proxy settings.

    • For a director or backup node — Under Listener Address in the HTTP port definition list, fill in the IP address of this node.

      Use the default entry that is provided in first position on the list, and replace the 0.0.0.0 with this IP address, keeping port 9090, for example, 192.168.2.100:9090.

      Leave the values in the remaining fields as they are unless you have a particular reason for changing them.

    • For a node that runs as scanning node only — Configure an unbound listener under Listener Address in the HTTP port definition list, for example, 0.0.0.0:9090.

      To configure an unbound listener, you can leave the default entry that is provided in first position on the list.

  6. If you want to run the appliances in the cluster as proxies under FTP, configure the FTP proxy settings.

    • For a director or backup node — Under Listener Address in the FTP port definition list, fill in the IP address of this node.

      Use the default entry that is provided in first position on the list, and replace the 0.0.0.0 with this IP address, keeping port 2121, for example, 192.168.2.100:2121.

      Leave the values in the remaining fields as they are unless you have a particular reason for changing them.

    • For a node that runs as scanning node only — Configure an unbound listener under Listener Address in the FTP port definition list, for example, 0.0.0.0:9090.

      To configure an unbound listener, you can leave the default entry that is provided in first position on the list.

  7. If you want to run the appliances in the cluster together with one or more ICAP servers, configure ports for them in the ICAP port definition list of the ICAP Server settings.

    Configure entries for director and backup nodes as well as for scanning only nodes in the same way as shown for HTTP in step 5.

  8. Click Save Changes.
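As an added example (not Skyhigh Security code), the following Python model encodes the rules from this procedure: what the Scanners table should contain from each node's perspective in the four-appliance example above, which node becomes the active director based on the Director priority values and which takes over on failure, and how the director's balancer hands connections to scanning nodes under Round robin, Leastconn and Stickiness while skipping nodes whose probes have failed. The IP addresses, node names and all class and function names are constructed for illustration; the assumption that the Scanners table lists only nodes that actually scan is marked in the code.

```python
"""Model of the Proxy HA roles described in this procedure (added example)."""
from __future__ import annotations
from dataclasses import dataclass

SCANNER = "Scanner"
PEER = "Peer/Director"


@dataclass
class Node:
    name: str
    ip: str
    priority: int        # Director priority slider: highest = director, 0 = scanning only
    scans: bool = True   # does this node also participate in scanning?
    alive: bool = True   # answered the director's last probe packet
    active_conns: int = 0


def example_cluster() -> list[Node]:
    """The four-appliance cluster from the procedure's example (constructed IPs)."""
    return [
        Node("appliance 1", "192.168.2.101", priority=99),  # director
        Node("appliance 2", "192.168.2.102", priority=89),  # backup
        Node("appliance 3", "192.168.2.103", priority=0),   # scanning only
        Node("appliance 4", "192.168.2.104", priority=0),   # scanning only
    ]


def expected_scanner_table(me: Node, cluster: list[Node]) -> list[tuple[str, str]]:
    """Rows (IP, type) the Scanners table should hold when configuring `me`.

    A scanning-only node leaves the table empty. The node being configured is
    always entered as Scanner; other scanning nodes are Peer/Director when they
    are director/backup nodes and Scanner otherwise. Assumption: a node that does
    not scan gets no row at all.
    """
    if me.priority == 0:
        return []
    rows = []
    for n in cluster:
        if not n.scans:
            continue
        if n is me or n.priority == 0:
            rows.append((n.ip, SCANNER))
        else:
            rows.append((n.ip, PEER))
    return rows


def active_director(cluster: list[Node]) -> Node | None:
    """Highest-priority live node with priority > 0 owns the VIP and runs the balancer."""
    candidates = [n for n in cluster if n.alive and n.priority > 0]
    return max(candidates, key=lambda n: n.priority) if candidates else None


class Balancer:
    """Director-side distribution of client connections to scanning nodes."""

    def __init__(self, cluster: list[Node], algorithm: str = "roundrobin", sticky: bool = False):
        self.scanners = [n for n in cluster if n.scans]
        self.algorithm = algorithm
        self.sticky = sticky
        self._rr = 0
        self._stick: dict[str, Node] = {}   # client source IP -> scanning node

    def pick(self, client_ip: str) -> Node:
        pool = [n for n in self.scanners if n.alive]   # nodes that failed probes are skipped
        if not pool:
            raise RuntimeError("no live scanning node")
        if self.sticky:
            node = self._stick.get(client_ip)
            if node is not None and node.alive:        # a dead sticky target is re-assigned
                node.active_conns += 1
                return node
        if self.algorithm == "roundrobin":
            node = pool[self._rr % len(pool)]
            self._rr += 1
        elif self.algorithm == "leastconn":
            node = min(pool, key=lambda n: n.active_conns)
        else:
            raise ValueError(f"unknown algorithm {self.algorithm!r}")
        node.active_conns += 1
        if self.sticky:
            self._stick[client_ip] = node
        return node


if __name__ == "__main__":
    cluster = example_cluster()
    for node in cluster:
        print(node.name, "Scanners table:", expected_scanner_table(node, cluster))
    print("active director:", active_director(cluster).name)
    cluster[0].alive = False
    print("after director failure:", active_director(cluster).name)
    lb = Balancer(example_cluster(), "roundrobin", sticky=True)
    print("sticky picks:", [lb.pick("10.0.0.9").name for _ in range(3)])
```

Running the script prints the two Scanners tables from the example (appliance 1 sees appliance 2 as Peer/Director and vice versa), shows appliance 2 taking over when appliance 1 stops answering probes, and shows a sticky client landing on the same scanning node for each new connection.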
