McAfee Enterprise MVISION Cloud

Configure Proxy Settings for a Director Node in Transparent Router Mode

To configure proxy settings for a director node in Transparent Router mode, configure the director role for this node as well as port redirects and proxy ports.

  1. Select Configuration | Appliances.
  2. On the appliances tree, select the appliance that runs as director node, then click Proxies.
  3. Under Network Setup, select Transparent Router.
    Specific Transparent Router settings appear below the Network Setup settings.
  4. Configure one or more port redirects that let requests sent from Web Gateway clients be redirected to a particular port.
    1. Under Port redirects, click Add.
      The Add Port Redirects window opens.
    2. Configure the following for a new port redirect that applies to connections under HTTP or HTTPS:
      • Protocol name — http
        http covers connections under both HTTP and HTTPS.
      • Original destination ports — 80, 443
        These are the default destination ports. They cover connections under both HTTP and HTTPS.
        If you also want to filter HTTPS traffic, enable the SSL Scanner rule set, which is by default provided on the rule sets tree, but not enabled.
      • Destination proxy port — 9090
        9090 is the default proxy port on an appliance.
        If you need to use other ports due to the requirements of your network, change these settings as needed.
        To configure a port redirect for connections under FTP, select this protocol. Default ports are then preconfigured, which you can change as needed.
  5. Continue with Director priority, which is located below the Scanners table.
    Move the slider on the scale that is provided here to a high value, for example, 99.
    Moving the slider also makes the remaining Transparent Router settings accessible. Continue with configuring these settings.
  6. Scanners table — In this table, fill in the IP addresses of the outbound network interfaces for the nodes in a cluster that run as scanning nodes as well as their roles. Roles are referred to as types in this table.
    Click the Add icon and proceed as follows:
    1. Fill in an entry for the director node itself if this node participates in the scanning. Otherwise do not fill in an entry for this node.
      If the director node participates in the scanning, select Scanner as role, regardless of the fact that it is a director node.
    2. Fill in entries for all other scanning nodes in the cluster, including scanning-only nodes, as well as backup nodes that participate in the scanning.
      Select Scanner as role if a node is a scanning-only node and Peer/Director if it is a backup node.

      For example, you have a cluster with a director node (appliance 1) and a backup node (appliance 2) that both participate in the scanning as well as two nodes that only run as scanning nodes (appliances 3 and 4).

      Then four entries are required in this table, one for the director node and three more for the other appliances:
      • Outbound IP address of the director node (appliance 1) — Type: Scanner
      • Outbound IP address of the backup node (appliance 2) — Type: Peer/Director
      • Outbound IP address of one scanning only node (appliance 3) — Type: Scanner
      • Outbound IP address of the other scanning only node (appliance 4) — Type: Scanner
         
  7. Relay port — Configure a TCP port as relay port. This is a port that the scanning nodes in the cluster will use to forward web traffic to external destinations.
  8. Probe interval — Set this interval as the time (in milliseconds) to elapse before the director node sends the next probe packet to the scanning nodes. Probe packets are sent to verify that the scanning nodes are still alive.
    If you specify 0, no probe packets are sent.
  9. Inactivity timeout — Set a timeout (in seconds) for inactivity on the connections between the clients and the internal load balancer.
  10. Load balancing algorithm — Select a load balancing algorithm for the load balancer.
    Select one of the following:
    • Round robin — Traffic is forwarded to the scanning nodes one after another.
    • Leastconn (Least connection) — Traffic is forwarded to the scanning node with the lowest number of currently active connections.
  11. Stickiness — Enable sticky sessions between clients and the scanning nodes using the client IP addresses as sources.
    If you want to run an FTP proxy under the Transparent Router network mode, this option must be enabled.
  12. Virtual IPs — Specify a virtual IP address (VIP address) that is to serve as the cluster address when multiple Web Gateway appliances are running in a cluster.
    Select a network interface, for example, eth0, to assign this VIP address to it.
    You can assign more than one VIP address to a network interface. You can also select more than one network interface.
    Any network interface that you select or leave here as selected by default is one of those that you have configured under the Network Interfaces settings, which are part of the system settings on a Web Gateway appliance.
    The cluster address is used by the node that is currently the active director. Using this address, the director node connects to the scanning nodes as well as to the clients that have their requests for web access redirected to Web Gateway.
  13. Configure the settings for health checks under the Virtual Router Redundancy Protocol (VRRP).
    • Virtual router ID — ID used for the health checks
      This ID must be the same on all cluster nodes.
      Default: 51
      You can leave the default ID unless you are already using VRRP elsewhere in your network with ID 51.
      Then change it here to make it unique for a cluster.
    • VRRP interface — Interface used for the health checks
      Default: eth0
      You can leave this default unless you are not using the eth0 interface on your appliances.
      The network interface that you select or leave here as selected by default is one of those that you have configured under the Network Interfaces settings, which are part of the system settings on a Web Gateway appliance.
      The VIP address of the network interface that is selected here is used when this node connects as active director to a scanning node in passive FTP mode. If more than one VIP address is configured for this interface, the address that was configured last is used.
      NOTE: If no network interface is selected as the VRRP interface, no connections can be run under FTP in Transparent Router mode.
  14. List of egress IPs for load distribution — Configure egress IP addresses in this list to be able to use more connections when forwarding incoming web traffic to the scanning nodes.
    Configuring egress IP addresses is optional. Configure them if more than 50,000 active connections are needed on one scanning node at the same time.
    As egress IP addresses, enter addresses that you added as IP aliases for network interfaces when you configured them under the Network Interfaces settings, which are part of the system settings on a Web Gateway appliance.
    These IP aliases must additionally be configured as IP addresses for the network interface that you selected as the VRRP interface in step 13.
    The load balancer on the active director node distributes incoming web traffic among the scanning nodes. The number of ports that can be used by this load balancer when connecting to these nodes is limited. By configuring egress IP addresses you can overcome this limit and increase performance.
  15. Configure IP spoofing as needed.
  16. If you want to run this director node as a proxy under HTTP, configure the HTTP Proxy settings as follows.
    1. Under HTTP proxy port, make sure Enable HTTP proxy is selected.
      This setting is selected by default. An entry for port 9090 is also configured by default.
    2. Fill in the IP address of the outbound network interface for the director node under Listener Address in the HTTP port definition list.
      Use the default entry that is provided in first position on the list, and replace the 0.0.0.0 with the outbound IP address, keeping port 9090.
      Leave the values in the remaining fields as they are unless you have a particular reason for changing them.
      Clicking Add opens the Add HTTP Proxy Port window, which allows you to add more HTTP proxy ports. Configure the outbound IP address of the director node for each of them.
  17. If you want to run this director node as a proxy under FTP, configure a listener address for it in the FTP Proxy settings.
    1. Under FTP proxy port, select Enable FTP proxy.
      An entry with FTP control port 2121 and FTP data port 2020 is configured by default.
    2. Fill in the IP address of the outbound network interface for the director node under Listener Address in the FTP port definition list.
      Use the default entry that is provided in first position on the list, and replace the 0.0.0.0 with the outbound IP address, keeping port 2121.
      Leave the values in the remaining fields as they are unless you have a particular reason for changing them.
      Clicking Add opens the Add FTP Proxy Port window, which allows you to add more FTP proxy ports.
  18. Click Save Changes.
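The steps above state a number of cross-field constraints (default redirect ports 80/443 to 9090, a probe interval of 0 disabling liveness probes, Stickiness and a VRRP interface being required for FTP, egress IPs having to be aliases on the VRRP interface, listener addresses replacing 0.0.0.0 with the outbound IP) that are easy to get wrong across 18 GUI steps. The following is an added example, not McAfee code or a Web Gateway API: a small pre-deployment checker that models the planned configuration and reports inconsistencies before you click Save Changes. All IP addresses, the probe interval and the `DirectorConfig`/`validate` names are constructed for the example; the four-appliance cluster mirrors the worked example in step 6.

```python
# Added example (not McAfee's code): encodes the constraints this procedure
# states for a Transparent Router director node as a pre-deployment check.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_ROLES = {"Scanner", "Peer/Director"}          # step 6
VALID_ALGORITHMS = {"Round robin", "Leastconn"}      # step 10


@dataclass
class PortRedirect:
    protocol: str              # "http" covers HTTP and HTTPS; "ftp" for FTP
    original_ports: List[int]
    proxy_port: int


@dataclass
class ScannerEntry:
    outbound_ip: str
    role: str                  # "Scanner" or "Peer/Director"


@dataclass
class DirectorConfig:
    outbound_ip: str
    port_redirects: List[PortRedirect]
    scanners: List[ScannerEntry]
    probe_interval_ms: int
    load_balancing: str
    stickiness: bool
    vrrp_id: int
    vrrp_interface: Optional[str]
    interface_aliases: Dict[str, List[str]]   # interface -> IP aliases on it
    egress_ips: List[str]
    http_listener: Optional[str]              # None when the HTTP proxy is disabled
    ftp_listener: Optional[str]               # None when the FTP proxy is disabled
    vrrp_ids_in_use_elsewhere: List[int] = field(default_factory=list)


def validate(cfg: DirectorConfig) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []

    # Step 4: the http redirect(s) must cover the default ports 80 and 443.
    covered = {p for r in cfg.port_redirects if r.protocol == "http"
               for p in r.original_ports}
    missing = {80, 443} - covered
    if missing:
        findings.append(f"http redirect does not cover default port(s) {sorted(missing)}")

    # Step 6: every scanner entry needs a known role; no address may be listed twice.
    seen = set()
    for s in cfg.scanners:
        if s.role not in VALID_ROLES:
            findings.append(f"scanner {s.outbound_ip}: unknown role {s.role!r}")
        if s.outbound_ip in seen:
            findings.append(f"scanner {s.outbound_ip}: listed twice")
        seen.add(s.outbound_ip)
    if not cfg.scanners:
        findings.append("scanners table is empty; no node will scan traffic")

    # Step 8: a probe interval of 0 means no liveness probes are sent.
    if cfg.probe_interval_ms == 0:
        findings.append("probe interval is 0: dead scanning nodes will not be detected")

    # Step 10: only the two listed algorithms exist.
    if cfg.load_balancing not in VALID_ALGORITHMS:
        findings.append(f"unknown load balancing algorithm {cfg.load_balancing!r}")

    # Steps 11 and 13: FTP under Transparent Router needs Stickiness and a VRRP interface.
    if cfg.ftp_listener is not None:
        if not cfg.stickiness:
            findings.append("FTP proxy enabled but Stickiness is off")
        if cfg.vrrp_interface is None:
            findings.append("FTP proxy enabled but no VRRP interface selected")

    # Step 13: the virtual router ID must be unique among VRRP users on the network.
    if cfg.vrrp_id in cfg.vrrp_ids_in_use_elsewhere:
        findings.append(f"VRRP ID {cfg.vrrp_id} is already used elsewhere on the network")

    # Step 14: egress IPs must be IP aliases configured on the VRRP interface.
    vrrp_aliases = set(cfg.interface_aliases.get(cfg.vrrp_interface or "", []))
    for ip in cfg.egress_ips:
        if ip not in vrrp_aliases:
            findings.append(f"egress IP {ip} is not an alias on VRRP interface {cfg.vrrp_interface}")

    # Steps 16 and 17: listeners must be the director's outbound IP, not 0.0.0.0.
    for name, listener in (("HTTP", cfg.http_listener), ("FTP", cfg.ftp_listener)):
        if listener is not None and listener != cfg.outbound_ip:
            findings.append(f"{name} listener is {listener}; expected outbound IP {cfg.outbound_ip}")

    return findings


# Constructed sample: the four-appliance cluster from step 6 (addresses are made up).
SAMPLE = DirectorConfig(
    outbound_ip="10.0.0.1",
    port_redirects=[PortRedirect("http", [80, 443], 9090)],
    scanners=[ScannerEntry("10.0.0.1", "Scanner"),        # director, also scans
              ScannerEntry("10.0.0.2", "Peer/Director"),  # backup node
              ScannerEntry("10.0.0.3", "Scanner"),
              ScannerEntry("10.0.0.4", "Scanner")],
    probe_interval_ms=1000,
    load_balancing="Leastconn",
    stickiness=True,
    vrrp_id=51,
    vrrp_interface="eth0",
    interface_aliases={"eth0": ["10.0.0.11", "10.0.0.12"]},
    egress_ips=["10.0.0.11", "10.0.0.12"],
    http_listener="10.0.0.1",
    ftp_listener="10.0.0.1",
)

if __name__ == "__main__":
    for line in validate(SAMPLE) or ["configuration is consistent"]:
        print(line)
```

Run it against your own planned values before entering them in the appliance UI; each finding names the step whose rule it reflects, so the fix is a matter of returning to that step. The checker cannot see the real interface configuration of the appliance, so the `interface_aliases` map must be filled in from what you configured under Network Interfaces.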