Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Appliances Configured in ProxyHA with Central Management

  1. Last updated
  2. Save as PDF

Before upgrading appliances configured in ProxyHA with Central Management, complete all prerequisites. For more details, see Prerequisites to Upgrade Web Gateway Appliance.

Upgrade to Major or Minor Versions

This section outlines the process for upgrading three appliances configured in a ProxyHA cluster. Assume a scenario where you have 3 SWG nodes configured in a proxyHA setup with a central management cluster. 

  • SWG1 | Directory priority: 90 | Active director
  • SWG2 | Directory priority: 80 | Redundant director
  • SWG3 | Directory priority: 70 | Redundant director
Upgrade SWG3 Appliance
  1. Log in to the web UI of SWG1.
  2. Take a configuration back up. For more details, see Prerequisites to Upgrade Web Gateway Appliance
  3. Remove the SWG3 appliance from the cluster.
    1. Go to Configuration.
    2. From the Appliances tree, select SWG3.
    3. Click Delete

      Delete _1.png
       

  4. Stop traffic distribution to the SWG3 node:

    1. Access the web UI of the standalone SWG3 appliance.
    2. Go to Configuration > Proxies (HTTP(S), FTP, SOCKS, ICAP...).
    3. Disable all listeners (e.g., HTTP Proxy, FTP Proxy, ICAP Server).

      disable SWG3 listener_1.png
       

NOTE: Disabling all listeners stops the active director (SWG1) from distributing traffic to SWG3. Run hastats from the active director (SWG1) to confirm that SWG3 listeners are marked as Down.

2025-07-21_20-51-30_1.png 
 

  1. Log in to the standalone appliance SWG3 via the command line as the root user to upgrade the appliance to the intended or required version. For more details, see Standalone Appliance.  

NOTE: Skyhigh recommends using the yum command to streamline and simplify the upgrade process, provided that you have root access to the command line. 

  1. Reboot the SWG3 appliance.
    SWG3 is upgraded to a new version and is working as a standalone appliance.

Once the SWG3 appliance is rebooted and running the new version, enable the listeners to allow the active director to start distributing traffic to SWG3. At this point, SWG3 is part of the ProxyHA setup and not part of the central management cluster.

SWG3 enable listener back_1.png

Upgrade SWG2 Appliance

Follow the Steps 1-7 from the Upgrade SWG3 Appliance section. 

Upgrade SWG1 Appliance (Active Director)
  1. Log in to the web UI of SWG1.
  2. Go to Configuration > Proxies (HTTP(S), FTP, SOCKS, ICAP...).
  3. In proxyHA configuration, note the Director priority and change to 60 (lower than SWG2 and SWG3 appliances).

    director priority SWG1 set to 60.png

NOTE: This action triggers a new election process, during which SWG2 becomes the active director, as it has the highest priority among the remaining nodes. At this point, the active director (SWG2) distributes traffic only to SWG3.


 after director priority change, SWG2 becomes active director_1.png
 

  1. Disable all listeners (e.g., HTTP Proxy, FTP Proxy, ICAP Server) on SWG1.
  2. Log in to the standalone appliance SWG1 via the command line as the root user to upgrade the appliance to the intended or required version. For more details, see Standalone Appliance.  

NOTE: Skyhigh recommends using the yum command to streamline and simplify the upgrade process, provided that you have root access to the command line. 

  1. Reboot the SWG1 appliance.
    SWG1 is upgraded to a new version and is working as a standalone appliance.

Log into the web UI of SWG1, set the Director Priority to 90 (as recorded earlier in Step 3), and enable the listeners. This action triggers another election process, allowing SWG1 to be re-elected as the active director since it now holds the highest priority among the remaining nodes (SWG2 and SWG3). After the election, the system distributes traffic across all SWG nodes based on the load balancing algorithm configured in ProxyHA.

director priority SWG1_1.png

2025-07-21_20-54-09.png

Rejoin all nodes to the Central Management Cluster

Once the nodes are upgraded, to rejoin a node to the Central Management from the primary node:

  1. Log in to the web UI of SWG1
  2. Select Configuration > Appliances.
  3. On the Appliances toolbar, click Add/Join.
  4. Enter the Host name or IP address of the SWG2 appliance to be added.
  5. From the Network group drop-down, select a network group for the SWG2 appliance.
  6. Select Add Appliance.
  7. Click OK.

    rejoin central management snapshot1_1.png
     

  8. Follow Steps 1-7 to add SWG3 to the central management cluster.

Upgrade to Macro Version 

When upgrading to a macro version, you do not need to break up the cluster if the version differences are within the same macro. For the upgrade process, see Standalone Appliance.

NOTE: Once the upgrade is completed, make sure to verify it against the checklist. See Upgrade Checklist

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    How-to
  2. Tags
    This page has no tags.