Best Practices - High Availability Configuration Size Limits
When configuring the Proxy HA (High Availability) network mode, you need to consider the number of Web Gateway appliances to include in the configuration.
In most cases, multiple appliances are run in a network and configured as nodes that are administered using Central Management functions.
Usually, one of these nodes is configured as the director node that directs incoming web traffic to the other nodes, which are termed scanning nodes since their job is to scan this traffic.
On a particular appliance, network interfaces are usually configured in a two-leg solution, which uses separate interfaces for incoming and outgoing web traffic, or in a three-leg solution, which uses an additional interface for Central Management communication.
When working with a network that is configured in this way, the following should be taken into account:
- The added maximum throughput of the scanning nodes must not exhaust or exceed the maximum throughput that can be achieved by the director node.
- Under the Proxy HA network mode, only a scaling of up to 1 gigabit per second is possible due to internal restrictions.
- We recommend that you leave a clear safety margin regarding the number of scanning nodes that could theoretically be configured under these conditions.
- For example, with a throughput of 100 megabits per second for a scanning node and a director node that uses a 1 GbE network interface, ten nodes would be possible, but we recommend five.
- With a throughput of 300 megabits per second on a scanning nodes and the same director node, three nodes would be possible, but we recommend two.
The maximum throughput on a scanning node varies with the appliance model that is used as a node and how a node is configured, for example, whether anti-malware filtering or the web cache are enabled or not. To find this value for a node, you can use a sizing calculator.
Calculations look different when a director node uses a 10GbE network interface, rather than a 1GbE network interface, or when IP spoofing is enabled in a configuration. This is explained in the following.
10GbE network interfaces
When a 10GbE network interface is installed on the director node, the maximum throughput for this node increases accordingly. However, the internal scaling limit for a Proxy HA configuration must still not be exhausted or exceeded.
- For example, with a throughput of 100 megabits per second for a scanning node, more than five nodes are possible, but we still recommend to keep the number of nodes below ten.
- With a throughput of 300 megabits per second, three nodes are possible, and we recommend not to use more.
IP spoofing
When IP spoofing is configured, data packets pass through the director node twice, once when the director node directs them to the scanning nodes and a second time when they are returned from the scanning nodes to the director node, as this node forwards the data packets to their original IP addresses.
This means the maximum throughput is only 500 megabits per second on the director node if a 1GbE network interface is used while the internal scaling limit for a Proxy HA configuration remains the same.
The number of scanning nodes must be adapted accordingly.
- For example, with a throughput of 100 megabits per second for a scanning node and a director node that uses a 1GbE network interface, the number of scanning nodes must be less than five.
If a 10GbE network interface is used, the number of scanning nodes can be higher, but we still recommend five. - With a throughput of 300 megabits per second for a scanning node and a director node that uses a 1GbE network interface, there should be only one scanning node.
If a 10GbE network interface is used, we recommend not to configure more than three scanning nodes.