Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Configure the Proxy HA Mode for SOCKS Traffic

You can configure the Proxy High Availability (Proxy HA) mode also for web traffic that is going on under the SOCKS protocol.

This network mode provides high availability and load balancing functions to the filtering process Web Gateway uses to protect your network against threats arising from the web.

To implement this mode, set up a cluster of Web Gateway appliances as nodes in a Proxy HA cluster with one of them acting as the director node.

The director node distributes the work load that the filtering process requires to the other nodes in the cluster, which are referred to as scanning nodes. A director node can participate in the filtering process and take the role of a scanning node in parallel.

You can also configure one of the other nodes or more of them as backup nodes that take over the director role from the director node if this node becomes unavailable.

To extend the filtering process to web traffic coming in under the SOCKS protocol, you set up a SOCKS proxy on each node in the cluster.

On each of the nodes that act as scanning nodes, you also implement a rule set that provides the filtering functions for SOCKS traffic.

  1. Set up a director node for the Proxy HA cluster.
    1. Select Configuration | Appliances.
    2. On the appliances tree, navigate to the appliance you want to set up as director node. Then select Proxies and under Network Setup, select Proxy HA.
    3. Begin with Director priority, which is located below the Scanners table, and move the slider on the slider scale to a high value, for example, 97.
    4. In the Scanners table, enter an IP address for each appliance in the cluster and the role it takes.

      The role of the appliance that you have currently selected for configuration is always specified as Scanner, even if it is a director or backup node.

      Otherwise the role for director and backup nodes is Peer/Director. For a scanning-only node, the role is always Scanner.

      For example, enter the following.
      • For the director node: — Scanner
      • For a backup node: — Peer/Director
      • For a scanning-only node: — Scanner
    5. Under Virtual IPs, specify a network interface on this appliance and a virtual IP address (VIP address) for it.
      This VIP address serves as the cluster address.

      You can specify more than one network interface here and more than one VIP address for each interface.

      For example, you have configured eth2 and eth2.10 as network interfaces on this appliance and specified IP addresses for them under both IPv4 and IPv6.

      Then you can enter the following.
      • — eth2
      • fd02:169::250/64 — eth2
      • — eth2.10
      • fd02:170::250/64 — eth2.10
    6. Under VRRP interface, specify any of the network interfaces you have configured on this appliance.
      For the other options under Proxy HA, you can leave the default values.
  2. Set up a SOCKS proxy on the director node.
    1. Scroll down to the SOCKS Proxy section.
    2. Select Enable SOCKS proxy.
    3. Under Listener address in the table that is provided here, enter the IP address and the port on the director node that listens to requests for web access coming in from the clients as traffic under the SOCKS protocol.

      You can enter addresses under IPv4 and IPv6 here.

      For example, enter the following.
      • fd02:169::10:1080

        For the second entry, you can omit the address and only enter the port.
  3. Set up other appliances as nodes in the Proxy HA cluster.

    Set up at least one appliance as a scanning-only node. We recommend that you also set up an appliance as backup node.

    Repeat these substeps for every appliance you want to include in the cluster.
    1. Navigate to another appliance on the appliance tree. Then select Proxies and under Network Setup, select Proxy HA.
    2. Begin with Director priority and move the slider on the slider scale to a value as follows.
      • For a backup node: Lower than what you configured for the director node, but greater than 0, for example, 56
      • For a scanning-only node: 0
    3. Fill entries in the Scanners table only when setting up a backup node. When setting up a scanning-only node, no entries are required in this table.

      For example, enter the following when setting up a backup node.
      • For the director node: — Peer/Director
      • For the backup node: — Scanner
      • For a scanning-only node: — Scanner
    4. Configure all other options under Proxy HA for a backup or a scanning-only node as in step 1.
    5. Set up a SOCKS proxy on this appliance in the same way and with the same values as in step 2.
  4. Implement the SOCKS Proxy rule set on all scanning nodes in the cluster.
    If the director node also works as a scanning node, implement the rule set there as well.
    1. Select Policy | Rule Sets.
    2. Import the SOCKS Proxy rule set from the Common Rules group of the library.
    3. In the key elements view of this rule set, enter the protocol versions for the SOCKS traffic that is to be filtered to a whitelist.
  5. In the key elements view of this rule set, you can configure settings and add the protocol versions for the
    SOCKS traffic that is filtered to a whitelist.
    SOCKS traffic coming in under different protocol versions is blocked.

You have now set up a Proxy HA cluster with Web Gateway appliances as nodes that filter SOCKS traffic coming in from the clients.

  • Was this article helpful?