Example Proxy HA configuration Using HAProxy (MWG >= 8.2)
Overview
Starting with SWG version 8.2, Skyhigh Security introduced a new HAProxy-based Proxy HA feature. Manual configuration changes are therefore mandatory when you update from an older version that still uses mfend. This article shows a simple example configuration for Proxy HA mode.
HAProxy support for the ICAP proxy was introduced with the following SWG versions: 8.2.12, 9.2.3 and 10.0. The ICAP configuration is the same as for HTTP.
Action plan
- Upgrade to, or install, the latest main version
- Perform the configuration changes described below
- In case of any failure, create a Service Request and provide:
- the feedback file
- a short description of the interfaces in use and their purpose (inbound/outbound, IP addresses)
Example Proxy HA configuration
This is a configuration example for a Proxy HA cluster of two SWGs.
Interfaces:
- SWG1 eth0: 10.116.40.3
- SWG2 eth0: 10.116.40.4
SWG1 Configuration:
- Scanners table: 10.116.40.4 (type: Peer Director), 10.116.40.3 (type: Scanner)
- Director priority: 90
- VIP: 10.116.40.5/32
- VRRP: eth0
- HTTP listener: 10.116.40.3:9090 (in general, bind the management IP address to every listener port you configure)
- FTP listener (if enabled): 10.116.40.3:2121
SWG2 Configuration:
- Scanners table: 10.116.40.3 (type: Peer Director), 10.116.40.4 (type: Scanner)
- Director priority: 50
- VIP: 10.116.40.5/32
- VRRP: eth0
- HTTP listener: 10.116.40.4:9090 (in general, bind the management IP address to every listener port you configure)
- FTP listener (if enabled): 10.116.40.4:2121
Test the HA feature from the GUI on the active director:
"Troubleshooting" > "Network tools" > enter "all" as the parameter > choose "hastats".
Output on the active director:
hastats all :
Mode: Active Director
HTTP - IPv4
+-------------+------+-------------------+-------------------+
| Server      |Status|Sessions per Second|Cumulative Sessions|
+-------------+------+-------------------+-------------------+
|10.116.40.4  | UP   |                 0 |                 0 |
+-------------+------+-------------------+-------------------+
|10.116.40.3  | UP   |                 0 |                 0 |
+-------------+------+-------------------+-------------------+
FTP not configured
If you run the test on the redundant director, the output only tells you to run this command on the active director.
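If you collect the hastats output regularly (for example from a monitoring job), it helps to parse it rather than eyeball the table. The following script is an added example, not part of this article or of the SWG product: it parses the table format shown above into a structure and reports any backend that is not UP. HASTATS_OUTPUT is retyped by hand from the sample above. The exact wording printed on a redundant director is not quoted in this article, so the parser only assumes that such output contains no "Mode:" line.

```python
"""Parse 'hastats all' output and flag backends that are not UP.

Added example, not part of the article or of the SWG product. HASTATS_OUTPUT
is retyped from the sample output above (constructed input, not a capture).
"""
import re

HASTATS_OUTPUT = """\
hastats all :
Mode: Active Director
HTTP - IPv4
+-------------+------+-------------------+-------------------+
| Server      |Status|Sessions per Second|Cumulative Sessions|
+-------------+------+-------------------+-------------------+
|10.116.40.4  | UP   |                 0 |                 0 |
+-------------+------+-------------------+-------------------+
|10.116.40.3  | UP   |                 0 |                 0 |
+-------------+------+-------------------+-------------------+
FTP not configured
"""

# One table row: | server IP | status | sessions/s | cumulative sessions |
ROW_RE = re.compile(
    r"^\|\s*(\d+\.\d+\.\d+\.\d+)\s*\|\s*(\w+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|$"
)


def parse_hastats(text):
    """Return {'mode': str or None, 'services': {name: [rows] or None}}.

    A service that prints "<name> not configured" is stored as None; a
    section header such as "HTTP - IPv4" starts a list of backend rows.
    """
    result = {"mode": None, "services": {}}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("hastats"):
            continue  # blank line or the echoed command
        if line.startswith("Mode:"):
            result["mode"] = line.split(":", 1)[1].strip()
        elif line.endswith("not configured"):
            result["services"][line[: -len(" not configured")]] = None
        elif m := ROW_RE.match(line):
            result["services"].setdefault(current, []).append({
                "server": m[1],
                "status": m[2],
                "sessions_per_second": int(m[3]),
                "cumulative_sessions": int(m[4]),
            })
        elif not line.startswith(("+", "|")):
            current = line  # section header, e.g. "HTTP - IPv4"
            result["services"].setdefault(current, [])
    return result


def not_ready(stats):
    """List the reasons this output should raise an alert (empty list = healthy)."""
    issues = []
    if stats["mode"] is None:
        # Assumption: only the active director prints a "Mode:" line.
        issues.append("not the active director (no Mode line); run hastats on the active node")
        return issues
    for service, rows in stats["services"].items():
        if rows is None:
            continue  # "not configured" is not a failure
        for row in rows:
            if row["status"] != "UP":
                issues.append(f"{service}: backend {row['server']} is {row['status']}")
    return issues


if __name__ == "__main__":
    stats = parse_hastats(HASTATS_OUTPUT)
    print("mode:", stats["mode"])
    for service, rows in stats["services"].items():
        print(service, "->", "not configured" if rows is None else rows)
    print("issues:", not_ready(stats) or "none")
```

A scheduled check would feed the real output into parse_hastats and page someone when not_ready returns anything; an empty services list for a configured section (no backend rows at all) is also worth alerting on in practice.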
NOTES:
- We highly recommend using a /32 subnet mask for every VIP address.
- You can configure multiple VIPs. At least one of them must be on the same interface as the VRRP.
- Director priority = 0: scanning-only node
- Director priority > 0: possible director node
- To configure a scanning-only machine, set the director priority to 0; most options are then greyed out automatically.
- In this case you MUST change the HTTP listener from 10.116.40.3:9090 back to 0.0.0.0:9090 (and do the same for every other active listener, such as FTP).
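The rules in the example configuration and in the notes above are easy to get wrong when a node is later demoted to scanning-only (the listener binding in particular). The script below is an added example, not part of this article or of the SWG product: it encodes those rules as a checker over a hand-written plan of the two-node example. PLAN and its key names (mgmt_ip, scanners, priority, vip, vrrp_if, listeners) are this script's own notation, not an export format of the appliance. Treating a scanning-only peer as type "Scanner" in the other node's scanners table is an assumption of this script; the article only states the peer type for director-capable nodes.

```python
"""Sanity-check a Proxy HA plan against the rules given in this article.

Added example, not part of the article or of the SWG product. PLAN is
constructed by hand from the interface list above, not an appliance export.
"""
import copy
import ipaddress

PLAN = {
    "SWG1": {
        "mgmt_ip": "10.116.40.3",
        "scanners": {"10.116.40.4": "Peer Director", "10.116.40.3": "Scanner"},
        "priority": 90,
        "vip": "10.116.40.5/32",
        "vrrp_if": "eth0",
        "listeners": {"HTTP": "10.116.40.3:9090", "FTP": "10.116.40.3:2121"},
    },
    "SWG2": {
        "mgmt_ip": "10.116.40.4",
        "scanners": {"10.116.40.3": "Peer Director", "10.116.40.4": "Scanner"},
        "priority": 50,
        "vip": "10.116.40.5/32",
        "vrrp_if": "eth0",
        "listeners": {"HTTP": "10.116.40.4:9090", "FTP": "10.116.40.4:2121"},
    },
}


def check_node(name, node, plan):
    """Return the rule violations for one node (empty list means OK)."""
    problems = []
    mgmt, prio = node["mgmt_ip"], node["priority"]

    # Rule: a /32 mask on every VIP. Only director-capable nodes carry a VIP
    # (the VIP option is greyed out at priority 0), so skip scanning-only nodes.
    if prio > 0:
        vip = ipaddress.ip_network(node["vip"], strict=False)
        if vip.prefixlen != 32:
            problems.append(f"{name}: VIP {node['vip']} should use a /32 mask")

    # Rule: the node lists its own management IP with type Scanner.
    if node["scanners"].get(mgmt) != "Scanner":
        problems.append(f"{name}: own address {mgmt} must be in the scanners table as type Scanner")

    # Rule: every other node that can become director (priority > 0) is listed
    # as Peer Director. Listing a scanning-only peer as Scanner is this
    # script's assumption, not a statement from the article.
    for peer_name, peer in plan.items():
        if peer_name == name:
            continue
        expected = "Peer Director" if peer["priority"] > 0 else "Scanner"
        if node["scanners"].get(peer["mgmt_ip"]) != expected:
            problems.append(f"{name}: peer {peer['mgmt_ip']} must be listed as type {expected}")

    # Rule: director-capable nodes bind each listener to their management IP;
    # a scanning-only node (priority 0) binds back to 0.0.0.0.
    for proto, bind in node["listeners"].items():
        host, _, port = bind.rpartition(":")
        if prio > 0 and host != mgmt:
            problems.append(f"{name}: {proto} listener {bind} must bind to the management IP {mgmt}")
        if prio == 0 and host != "0.0.0.0":
            problems.append(f"{name}: scanning-only node must bind {proto} to 0.0.0.0:{port}")
    return problems


def check_plan(plan):
    """Check every node plus the cluster-wide rule that a director can exist."""
    problems = []
    for name, node in plan.items():
        problems += check_node(name, node, plan)
    if not any(node["priority"] > 0 for node in plan.values()):
        problems.append("no node has a director priority > 0, so no director can be elected")
    return problems


def demote_to_scanner(plan, name):
    """Copy the plan with one node set to priority 0 but its listeners left
    unchanged: the mistake the last note above warns about."""
    bad = copy.deepcopy(plan)
    bad[name]["priority"] = 0
    return bad


if __name__ == "__main__":
    print("example plan:", check_plan(PLAN) or "OK")
    print("SWG2 demoted, listeners unchanged:")
    for p in check_plan(demote_to_scanner(PLAN, "SWG2")):
        print("  -", p)
```

Demoting SWG2 without touching its listeners produces three findings: SWG1 still lists 10.116.40.4 as Peer Director, and both SWG2 listeners are still bound to the management IP instead of 0.0.0.0.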