
Overview:

Starting with MWG version 8.2, McAfee introduced a new HAProxy feature. This makes manual changes mandatory if you update from an older version that is using mfend. This article shows a simple example configuration for Proxy HA mode.

HAProxy support for ICAP Proxy was introduced with the following MWG versions: 8.2.12, 9.2.3, 10.0. The configuration for ICAP is the same as for HTTP.

 

Action plan:

  • Upgrade to or install the latest main version
  • Perform the configuration changes as indicated below
  • In case of any failures, create a Service Request and provide:
      • the feedback file
      • a short description of the interfaces used and their purpose (in-/outbound, IP addresses)

 

Example Proxy HA configuration

This is an example configuration for a proxy HA cluster with two MWGs.

Interfaces:

  • MWG1 eth0: 10.116.40.3
  • MWG2 eth0: 10.116.40.4

MWG1 Configuration:

  • Scanners table: 10.116.40.4 (type: Peer Director), 10.116.40.3 (type: Scanner)
  • Director priority: 90
  • VIP: 10.116.40.5/32
  • VRRP: eth0
  • HTTP: 10.116.40.3:9090 (in general, bind the management IP address to every port you want to configure)
  • FTP (if enabled): 10.116.40.3:2121

MWG2 Configuration:

  • Scanners table: 10.116.40.3 (type: Peer Director), 10.116.40.4 (type: Scanner)
  • Director priority: 50
  • VIP: 10.116.40.5/32
  • VRRP: eth0
  • HTTP: 10.116.40.4:9090 (in general, bind the management IP address to every port you want to configure)
  • FTP (if enabled): 10.116.40.4:2121

Test HA feature from GUI on the active director:

“Troubleshooting” > “Network tools” > type in parameter “all” > choose “hastats”.

Output on active director:

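hastats all :
Mode:  Active Director
HTTP - IPv4
+-------------+------+-------------------+-------------------+
|   Server    |Status|Sessions per Second|Cumulative Sessions|
+-------------+------+-------------------+-------------------+
|10.116.40.4  |  UP  |         0         |         0         |
+-------------+------+-------------------+-------------------+
|10.116.40.3  |  UP  |         0         |         0         |
+-------------+------+-------------------+-------------------+
FTP not configured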

If you run the test on the redundant director, it will only tell you to run this command on the active director.
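For routine monitoring, the hastats output above can be checked by script instead of by eye. The following is an added example, not McAfee code: the function names are hypothetical, the DOWN value in the sample is constructed (the article only shows UP, so any other status is treated as a problem), and the redundant-director case is detected from the Mode line alone because the exact message is not shown here.

```python
import re

# Constructed sample: the output shown above with one scanner changed to DOWN.
SAMPLE = """\
Mode:  Active Director
HTTP - IPv4
+-------------+------+-------------------+-------------------+
|   Server    |Status|Sessions per Second|Cumulative Sessions|
+-------------+------+-------------------+-------------------+
|10.116.40.4  | DOWN |         0         |         0         |
+-------------+------+-------------------+-------------------+
|10.116.40.3  |  UP  |         0         |         0         |
+-------------+------+-------------------+-------------------+
FTP not configured
"""

ROW = re.compile(r"^\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|$")


def parse_hastats(text):
    """Return (mode, rows); each row describes one server in one section."""
    mode, section, rows = None, None, []
    for raw in text.splitlines():
        # Output pasted through a web page may carry typographic dashes.
        line = raw.strip().replace("\u2013", "-").replace("\u2014", "-")
        if line.startswith("Mode:"):
            mode = line.split(":", 1)[1].strip()
        elif line and line[0] not in "+|" and " - " in line:
            section = line  # section title such as "HTTP - IPv4"
        elif (m := ROW.match(line)) and m.group(1).strip() != "Server":
            server, status, rate, total = (c.strip() for c in m.groups())
            rows.append({"section": section, "server": server, "status": status,
                         "rate": int(rate), "total": int(total)})
    return mode, rows


def check_cluster(text, expected_servers):
    """List problems: wrong mode, servers not UP, expected servers missing."""
    mode, rows = parse_hastats(text)
    if mode != "Active Director":
        return [f"not the active director (mode={mode!r}); rerun on the active node"]
    problems = [f"{r['section']}: {r['server']} is {r['status']}"
                for r in rows if r["status"] != "UP"]
    seen = {r["server"] for r in rows}
    problems += [f"{s} missing from hastats" for s in sorted(set(expected_servers) - seen)]
    return problems


if __name__ == "__main__":
    print(check_cluster(SAMPLE, ["10.116.40.3", "10.116.40.4"]))
```

Pass the addresses from the Scanners table as expected_servers so that a node which has dropped out of the cluster entirely is reported as well as one that is listed but not UP.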

NOTES:

  • We highly recommend using a /32 subnet mask for any VIP address
  • You can configure multiple VIPs. At least one needs to be on the same interface as the VRRP.
  • Director priority = 0: scanning-only node
  • Director priority > 0: possible director node
  • If you want to configure a scanning-only machine, set the director priority to 0; most options will then be greyed out automatically.
  • In this case you MUST change the HTTP listener from 10.116.40.3:9090 back to 0.0.0.0:9090 (same for any other active listener)
