
Skyhigh Security

Configure Proxy Settings for a Director Node in Transparent Router Mode

To configure proxy settings for a director node in Transparent Router mode, configure the director role for this node as well as port redirects and proxy ports.

This is part of the procedure for configuring the Transparent Router mode. For an overview of the complete procedure, see Configure the Transparent Router Mode.

  1. Select Configuration | Appliances.

  2. On the appliance tree, select the appliance that runs as director node, then click Proxies.

  3. Under Network Setup, select Transparent Router.

    Specific Transparent Router settings appear below the Network Setup settings.

  4. Configure one or more port redirects that let requests sent from clients of Secure Web Gateway be redirected to a particular port.

    1. Under Port redirects, click Add.

      The Add Port Redirects window opens.

    2. Configure the following for a new port redirect that applies to connections under HTTP or HTTPS:

      • Protocol name — http

        http covers connections under both HTTP and HTTPS.

      • Original destination ports — 80, 443

        These are the default destination ports. They cover connections under both HTTP and HTTPS.

        If you also want to filter HTTPS traffic, enable the HTTPS Scanning rule set, which is by default provided on the rule set tree, but not enabled.

      • Destination proxy port — 9090

        9090 is the default proxy port on an appliance.

        If you need to use other ports due to the requirements of your network, change these settings as needed.

        To configure a port redirect for connections under FTP, select FTP as the protocol. Default ports are preconfigured, which you can change as needed.

  5. Continue with Director priority, which is located below the Scanners table.

    Move the slider on the scale that is provided here to a high value, for example, 99.

    Moving the slider also makes the remaining Transparent Router settings accessible. Continue with configuring these settings.

  6. Scanners table — In this table, fill in the IP addresses of the outbound network interfaces for the nodes in a cluster that run as scanning nodes as well as their roles. Roles are referred to as types in this table.

    Click the Add icon and proceed as follows:

    1. Fill in an entry for the director node itself if this node participates in the scanning. Otherwise do not fill in an entry for this node.
      If the director node participates in the scanning, select Scanner as role, regardless of the fact that it is a director node.

    2. Fill in entries for all other scanning nodes in the cluster, including scanning-only nodes, as well as backup nodes that participate in the scanning.
      Select Scanner as role if a node is a scanning-only node and Peer/Director if it is a backup node.

      For example, you have a cluster with a director node (appliance 1) and a backup node (appliance 2) that both participate in the scanning as well as two nodes that only run as scanning nodes (appliances 3 and 4).

      Then four entries are required in this table, one for the director node and three more for the other appliances:

      • Outbound IP address of the director node (appliance 1) — Type: Scanner

      • Outbound IP address of the backup node (appliance 2) — Type: Peer/Director

      • Outbound IP address of one scanning only node (appliance 3) — Type: Scanner

      • Outbound IP address of the other scanning only node (appliance 4) — Type: Scanner

  7. Relay port — Configure a TCP port as relay port. This is a port that the scanning nodes in the cluster will use to forward web traffic to external destinations.

  8. Probe interval — Set this interval as the time (in milliseconds) to elapse before the director node sends the next probe packet to the scanning nodes.

    Probe packets are sent to verify that the scanning nodes are still alive.

    If you specify 0, no probe packets are sent.

  9. Inactivity timeout — Set a timeout (in seconds) for inactivity on the connections between the clients and the internal load balancer.

  10. Load balancing algorithm — Select a load balancing algorithm for the load balancer.
    Select one of the following:

    • Round robin — Traffic is forwarded to the scanning nodes one after another.

    • Leastconn (Least connections) — Traffic is forwarded to the scanning node with the lowest number of currently active connections.

  11. Stickiness — Enable sticky sessions between clients and the scanning nodes using the client IP addresses as sources.

    If you want to run an FTP proxy under the Transparent Router mode, this option must be enabled.
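The two load balancing algorithms in step 10 and the Stickiness option in step 11 behave differently once connections have unequal lifetimes. The following is an added example (not part of this article and not Secure Web Gateway code) that models all three as simple selection functions over a constructed workload; the scanner IP addresses, client IP addresses and connection durations are made up for the illustration, and the tie-breaking rule for Leastconn (table order) is an assumption.

```python
"""Toy models of the Round robin and Leastconn algorithms (step 10) and of
Stickiness (step 11). Constructed example; not the appliance's own code."""
from collections import defaultdict


class RoundRobin:
    """Round robin: traffic goes to the scanning nodes one after another."""

    def __init__(self, scanners):
        self.scanners = list(scanners)
        self.next = 0

    def pick(self, client_ip, active):
        scanner = self.scanners[self.next % len(self.scanners)]
        self.next += 1
        return scanner


class LeastConn:
    """Leastconn: the scanner with the fewest active connections wins.
    Ties go to table order (an assumption made for this example)."""

    def __init__(self, scanners):
        self.scanners = list(scanners)

    def pick(self, client_ip, active):
        return min(self.scanners, key=lambda s: (active[s], self.scanners.index(s)))


class Sticky:
    """Stickiness: a client IP is pinned to the scanner that received its
    first connection; later connections from that IP reuse the same scanner."""

    def __init__(self, inner):
        self.inner = inner
        self.pinned = {}

    def pick(self, client_ip, active):
        if client_ip not in self.pinned:
            self.pinned[client_ip] = self.inner.pick(client_ip, active)
        return self.pinned[client_ip]


def simulate(balancer, connections):
    """connections: list of (client_ip, duration). Connection k opens at tick k
    and is gone before tick k + duration. Returns the scanner chosen per connection."""
    active = defaultdict(int)        # scanner -> currently open connections
    open_until = []                  # (tick at which the connection is gone, scanner)
    placement = []
    for tick, (client_ip, duration) in enumerate(connections):
        still_open = []
        for end, scanner in open_until:
            if end <= tick:
                active[scanner] -= 1  # connection finished, release the slot
            else:
                still_open.append((end, scanner))
        open_until = still_open
        scanner = balancer.pick(client_ip, active)
        active[scanner] += 1
        open_until.append((tick + duration, scanner))
        placement.append(scanner)
    return placement


# Constructed outbound IP addresses of two scanning nodes
SCANNERS = ["10.1.1.3", "10.1.1.4"]
# Constructed workload: one long-lived connection, then three short ones
WORKLOAD = [("192.0.2.10", 5), ("192.0.2.11", 1), ("192.0.2.12", 1), ("192.0.2.13", 1)]


def compare_algorithms():
    """Round robin ignores the long-lived connection on the first scanner;
    Leastconn keeps sending the short ones to the less loaded scanner."""
    return {
        "round_robin": simulate(RoundRobin(SCANNERS), WORKLOAD),
        "leastconn": simulate(LeastConn(SCANNERS), WORKLOAD),
    }


def compare_stickiness():
    """With three scanners and a client that returns, only the sticky
    balancer brings the returning client back to its first scanner."""
    three = ["10.1.1.3", "10.1.1.4", "10.1.1.5"]
    returning = [("192.0.2.10", 1), ("192.0.2.11", 1), ("192.0.2.10", 1)]
    return {
        "plain": simulate(RoundRobin(three), returning),
        "sticky": simulate(Sticky(RoundRobin(three)), returning),
    }


if __name__ == "__main__":
    for name, result in {**compare_algorithms(), **compare_stickiness()}.items():
        print(f"{name:12} {result}")
```

The sticky case is why step 11 is mandatory for FTP: an FTP session consists of several TCP connections from the same client, and they only make sense if they all land on the same scanning node.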

  12. Virtual IPs — Configure a virtual IP address (VIP address) that is to serve as the cluster address when multiple Secure Web Gateway appliances are running as nodes in a cluster.

    a. Click the Add symbol and in the Add Virtual IP window that opens, enter a VIP address in CIDR notation under Virtual IP.

        This VIP address is used as the cluster address by the node that is currently the active director. Using this address, the director node connects to the scanning nodes as well as to the clients that have their requests for web access redirected to Secure Web Gateway.

    b. Under Network interface, select an interface from the drop-down menu to assign this VIP address to it.

    You can repeat substeps a and b to assign more than one VIP address to a network interface. You can also select more than one network interface. If more than one VIP address is configured for the same interface, the address that was configured last is used as the current address.

    Any network interface that you select here is one of those that you have configured under the Network Interfaces settings, which are part of the system settings on a Secure Web Gateway appliance.

    If you are not configuring the Transparent Router mode on multiple appliances, but only on a single appliance, you still need to configure a VIP address here. This is required because this address is needed to enable redirection of web traffic from the clients to the proxy port that you have configured on this appliance to listen to this traffic.

  13. Configure the settings for health checks under the Virtual Router Redundancy Protocol (VRRP).

    • Virtual router ID — ID used for the health checks

      This ID must be the same on all cluster nodes. Default: 51

      You can leave the default ID unless you are already using VRRP elsewhere in your network with ID 51. Then change it here to make it unique for a cluster.

    • VRRP interface — Network interface used for the health checks

      Default: eth0

      The network interface that you select here must be the one you selected in substep 12b to assign the VIP address to it. If you have configured more than one VIP address and assigned them to more than one network interface, you can also select more than one network interface here.

      The VIP address of the network interface that is selected here is used when this node connects as active director to a scanning node in passive FTP mode. If more than one VIP address is configured for a network interface, the node uses the address that was configured last.

      If no network interface is selected as the VRRP interface, no connections can be run under FTP in Transparent Router mode.

  14. List of egress IPs for load distribution — Configure egress IP addresses in this list to be able to use more connections when forwarding incoming web traffic to the scanning nodes.

    Configuring egress IP addresses is optional. Configure them if more than 50,000 active connections are needed on one scanning node at the same time.

    As egress IP addresses, enter addresses that you added as IP aliases for network interfaces when you configured them under the Network Interfaces settings, which are part of the system settings on a Secure Web Gateway appliance.

    The IP aliases that you add as egress IP addresses must also be configured as IP addresses for the network interface that you selected as the VRRP interface in step 13.

    The load balancer on the active director node distributes incoming web traffic among the scanning nodes. The number of ports that can be used by this load balancer when connecting to these nodes is limited. By configuring egress IP addresses you can overcome this limit and increase performance.
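Steps 4 and 12 to 17 state several dependencies between settings (the redirect must target a proxy port the node listens on, a VIP is needed even on a single appliance, the VRRP interface must carry a VIP, egress IPs must be aliases on that interface, FTP needs Stickiness and a VRRP interface, the 0.0.0.0 listener should be replaced). The following added example (not part of this article and not Secure Web Gateway code) expresses those rules as a pre-deployment lint over a constructed configuration dictionary; the dictionary layout, the interface names, IP addresses and the FTP original port are assumptions made for the example, and the VRRP router ID range 1 to 255 comes from the VRRP specification rather than from this article.

```python
"""Pre-deployment lint for the Transparent Router director settings.
The config dict is a constructed model for this example, not the appliance's own format."""
import copy
import ipaddress


def validate(cfg):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; an empty list means consistent."""
    findings = []
    http_ports = set()
    if cfg["http_proxy"]["enabled"]:
        http_ports = {lst["port"] for lst in cfg["http_proxy"]["listeners"]}
    ftp = cfg["ftp_proxy"]

    # Step 4: a port redirect must point at a proxy port this node actually listens on
    for r in cfg["port_redirects"]:
        if r["protocol"] == "http" and r["proxy_port"] not in http_ports:
            findings.append(f"ERROR: http redirect {r['original_ports']} -> {r['proxy_port']} "
                            "but no enabled HTTP listener on that port")
        if r["protocol"] == "ftp" and not (ftp["enabled"] and r["proxy_port"] == ftp["control_port"]):
            findings.append(f"ERROR: ftp redirect -> {r['proxy_port']} but the FTP proxy "
                            "is disabled or uses another control port")

    # Step 8: a probe interval of 0 means scanning nodes are never checked for liveness
    if cfg["probe_interval_ms"] == 0:
        findings.append("WARN: probe interval is 0, scanning nodes are never probed for liveness")

    # Steps 11 and 17: FTP through the Transparent Router requires sticky sessions
    if ftp["enabled"] and not cfg["stickiness"]:
        findings.append("ERROR: FTP proxy is enabled but Stickiness is off")

    # Step 12: at least one VIP in CIDR notation, even on a single appliance
    vip_ifaces = set()
    if not cfg["virtual_ips"]:
        findings.append("ERROR: no virtual IP; client traffic cannot be redirected to the proxy port")
    for vip in cfg["virtual_ips"]:
        try:
            if "/" not in vip["cidr"]:
                raise ValueError
            ipaddress.ip_interface(vip["cidr"])
        except ValueError:
            findings.append(f"ERROR: virtual IP {vip['cidr']!r} is not in CIDR notation")
        if vip["interface"] not in cfg["interfaces"]:
            findings.append(f"ERROR: VIP interface {vip['interface']} is not a configured network interface")
        vip_ifaces.add(vip["interface"])

    # Step 13: the VRRP interface must carry a VIP; without one, FTP cannot run at all
    vrrp = cfg["vrrp"]
    if not 1 <= vrrp["router_id"] <= 255:
        findings.append(f"ERROR: VRRP router ID {vrrp['router_id']} outside 1..255")
    if vrrp["interface"] is None:
        if ftp["enabled"]:
            findings.append("ERROR: no VRRP interface selected, FTP connections cannot be handled")
    elif vrrp["interface"] not in vip_ifaces:
        findings.append(f"ERROR: VRRP interface {vrrp['interface']} has no virtual IP assigned")

    # Step 14: egress IPs must be aliases on the VRRP interface; advised above 50,000 connections per scanner
    aliases = set(cfg["interfaces"].get(vrrp["interface"], []))
    for ip in cfg["egress_ips"]:
        if ip not in aliases:
            findings.append(f"ERROR: egress IP {ip} is not an alias on VRRP interface {vrrp['interface']}")
    if cfg["expected_connections_per_scanner"] > 50000 and not cfg["egress_ips"]:
        findings.append("WARN: more than 50,000 connections per scanner expected but no egress IPs configured")

    # Step 16: the default 0.0.0.0 listener should be replaced with the outbound IP
    for lst in cfg["http_proxy"]["listeners"]:
        if lst["address"] == "0.0.0.0":
            findings.append(f"WARN: HTTP listener on port {lst['port']} still binds 0.0.0.0")
    return findings


# Constructed, consistent director configuration (all values are made up for the example)
GOOD = {
    "port_redirects": [{"protocol": "http", "original_ports": [80, 443], "proxy_port": 9090},
                       {"protocol": "ftp", "original_ports": [21], "proxy_port": 2121}],
    "probe_interval_ms": 1000,
    "stickiness": True,
    "interfaces": {"eth0": ["10.1.1.1", "10.1.1.21", "10.1.1.22"]},   # address plus IP aliases
    "virtual_ips": [{"cidr": "10.1.1.100/24", "interface": "eth0"}],
    "vrrp": {"router_id": 51, "interface": "eth0"},
    "egress_ips": ["10.1.1.21", "10.1.1.22"],
    "expected_connections_per_scanner": 80000,
    "http_proxy": {"enabled": True, "listeners": [{"address": "10.1.1.1", "port": 9090}]},
    "ftp_proxy": {"enabled": True, "control_port": 2121, "listener": "10.1.1.1"},
}

# Constructed variant that breaks several of the rules at once
BAD = copy.deepcopy(GOOD)
BAD["probe_interval_ms"] = 0
BAD["stickiness"] = False
BAD["virtual_ips"] = [{"cidr": "10.1.1.100", "interface": "eth0"}]   # no prefix length
BAD["vrrp"]["interface"] = "eth1"                                     # carries no VIP, no aliases
BAD["egress_ips"] = ["10.1.1.21", "10.1.1.99"]
BAD["http_proxy"]["listeners"] = [{"address": "0.0.0.0", "port": 9090}]

if __name__ == "__main__":
    print("good:", validate(GOOD))
    for finding in validate(BAD):
        print("bad: ", finding)
```

Running the lint before Save Changes (step 18) catches the cross-step dependencies that the form itself does not enforce, for example a VIP assigned to one interface while VRRP is bound to another.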

  15. Configure IP spoofing as needed.

  16. If you want to run this director node as a proxy under HTTP, configure the HTTP Proxy settings as follows.

    1. Under HTTP proxy port, make sure Enable HTTP proxy is selected.

      This setting is selected by default. An entry for port 9090 is also configured by default.

    2. Fill in the IP address of the outbound network interface for the director node under Listener Address in the HTTP port definition list.

      Use the default entry that is provided in first position on the list, and replace the 0.0.0.0 with the outbound IP address, keeping port 9090. Leave the values in the remaining fields as they are unless you have a particular reason for changing them.

      Clicking Add opens the Add HTTP Proxy Port window, which allows you to add more HTTP proxy ports. Configure the outbound IP address of the director node for each of them.

  17. If you want to run this director node as a proxy under FTP, configure a listener address for it in the FTP Proxy settings.

    1. Under FTP proxy port, select Enable FTP proxy.

      An entry with FTP control port 2121 and FTP data port 2020 is configured by default.

    2. Fill in the IP address of the outbound network interface for the director node under Listener Address in the FTP port definition list.

      Use the default entry that is provided in first position on the list, and replace the 0.0.0.0 with the outbound IP address, keeping port 2121. Leave the values in the remaining fields as they are unless you have a particular reason for changing them.

      Clicking Add opens the Add FTP Proxy Port window, which allows you to add more FTP proxy ports.

  18. Click Save Changes.

You have now configured proxy settings for a director node in Transparent Router mode.

Continue with configuring settings for an appliance you want to include as a scanning node in the cluster. For information about how to configure these settings, see Configure a Scanning Node in Transparent Router Mode.
