
Example Transparent Proxy configuration using HAProxy (mfend replacement)

Overview:

Starting with MWG version 8.2, McAfee replaced mfend with HAProxy as the load balancer for transparent proxy mode. If you update from an older version that still uses mfend, manual configuration changes are therefore mandatory. This article shows a simple example configuration for Transparent Proxy mode.

HAProxy support for ICAP Proxy was introduced with the following MWG versions: 8.2.12, 9.2.3 and 10.0. ICAP is configured the same way as HTTP.

Action plan:

  • Upgrade to, or install, the latest main version
  • Perform the configuration changes indicated below
  • In case of any failures, create a Service Request and provide:
    - the feedback file
    - a short description of the interfaces in use and their purpose (inbound/outbound, IP addresses)

Example Transparent Router Configuration

This is a configuration example for a transparent proxy HA cluster of two MWGs. Each MWG has two interfaces.

In this mode the clients use the inbound VIP as their default gateway, so their traffic on ports 80 and 443 arrives at the cluster. The haproxy process redirects these ports to the configured HTTP listener port 9090 of the mwg-core process.

Interfaces: a minimum of two interfaces is mandatory. In this example there is simply one inbound and one outbound interface.

  • MWG1 eth0 (inbound): 10.116.40.3, eth1 (outbound): 192.168.40.3
  • MWG2 eth0 (inbound): 10.116.40.4, eth1 (outbound): 192.168.40.4

MWG1 Configuration:

  • Scanners table (contains the outbound IPs): 192.168.40.4 (type: Peer Director), 192.168.40.3 (type: Scanner)
  • Director priority: 90
  • VIP (inbound): 10.116.40.5/32
  • VIP (outbound): 192.168.40.5/32
  • VRRP: eth1 (must be the outbound interface)
  • HTTP (use the outbound IP): 192.168.40.3:9090 (in general, bind the node's outbound IP address to every listener port you configure)
  • FTP (if enabled, use the outbound IP): 192.168.40.3:2121

MWG2 Configuration:

  • Scanners table (contains the outbound IPs): 192.168.40.3 (type: Peer Director), 192.168.40.4 (type: Scanner)
  • Director priority: 50
  • VIP (inbound): 10.116.40.5/32
  • VIP (outbound): 192.168.40.5/32
  • VRRP: eth1 (must be the outbound interface)
  • HTTP (use the outbound IP): 192.168.40.4:9090 (in general, bind the node's outbound IP address to every listener port you configure)
  • FTP (if enabled, use the outbound IP): 192.168.40.4:2121
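The two node configurations above follow a handful of rules that are easy to get wrong when typing them into two GUIs (matching /32 VIPs, VRRP on the outbound interface, listeners bound to each node's own outbound IP, the scanners table listing the node itself as Scanner and the other node as Peer Director, distinct director priorities). The following added example, which is not code from the article or from the MWG product, encodes those rules as a plan checker: it never talks to an appliance, it only validates a written plan. The node dictionaries are constructed from the article's values; their layout, the function names and the messages are assumptions of this example. It also covers the scanning-only case from the notes further down (priority 0 requires 0.0.0.0 listeners).

```python
"""Sanity checks for a two-node MWG transparent-proxy HA plan.

Added example, not code from the article or the MWG product: it only checks
that a written plan obeys the rules the article states. The dict layout,
function names and messages are assumptions of this example.
"""
import copy
import ipaddress

# Constructed from the article's example values.
NODES = {
    "MWG1": {
        "outbound": "192.168.40.3", "outbound_if": "eth1", "vrrp_if": "eth1",
        "priority": 90,
        "vip_in": "10.116.40.5/32", "vip_out": "192.168.40.5/32",
        "scanners": {"192.168.40.4": "Peer Director", "192.168.40.3": "Scanner"},
        "listeners": {"HTTP": "192.168.40.3:9090", "FTP": "192.168.40.3:2121"},
    },
    "MWG2": {
        "outbound": "192.168.40.4", "outbound_if": "eth1", "vrrp_if": "eth1",
        "priority": 50,
        "vip_in": "10.116.40.5/32", "vip_out": "192.168.40.5/32",
        "scanners": {"192.168.40.3": "Peer Director", "192.168.40.4": "Scanner"},
        "listeners": {"HTTP": "192.168.40.4:9090", "FTP": "192.168.40.4:2121"},
    },
}


def check_node(name, node, peers):
    """Rule violations for one node; an empty list means the node is fine."""
    problems = []
    for key in ("vip_in", "vip_out"):
        if ipaddress.ip_network(node[key], strict=False).prefixlen != 32:
            problems.append(f"{name}: {key} {node[key]} should use a /32 mask")
    if node["vrrp_if"] != node["outbound_if"]:
        problems.append(f"{name}: VRRP on {node['vrrp_if']} but it must run on "
                        f"the outbound interface {node['outbound_if']}")
    scanning_only = node["priority"] == 0
    for proto, addr in node["listeners"].items():
        host, _, port = addr.rpartition(":")
        if scanning_only and host != "0.0.0.0":
            problems.append(f"{name}: priority 0 node must bind {proto} to "
                            f"0.0.0.0:{port}, not {addr}")
        elif not scanning_only and host != node["outbound"]:
            problems.append(f"{name}: {proto} listener {addr} must bind the "
                            f"outbound IP {node['outbound']}")
    if not scanning_only:
        # Scanners table is keyed by outbound IPs: the node itself is a
        # Scanner, every peer that can become director is a Peer Director.
        if node["scanners"].get(node["outbound"]) != "Scanner":
            problems.append(f"{name}: own outbound IP {node['outbound']} "
                            f"must be listed as Scanner")
        for peer in peers:
            if peer["priority"] > 0 and \
                    node["scanners"].get(peer["outbound"]) != "Peer Director":
                problems.append(f"{name}: peer {peer['outbound']} must be "
                                f"listed as Peer Director")
    return problems


def check_cluster(nodes):
    """Cluster-wide rules followed by every node's own checks."""
    problems = []
    prios = [n["priority"] for n in nodes.values() if n["priority"] > 0]
    if not prios:
        problems.append("cluster: all priorities are 0, no node can become director")
    elif len(prios) != len(set(prios)):
        problems.append("cluster: director priorities must differ so one node wins")
    for key in ("vip_in", "vip_out"):
        if len({n[key] for n in nodes.values()}) != 1:
            problems.append(f"cluster: {key} differs between nodes")
    for name, node in nodes.items():
        peers = [p for other, p in nodes.items() if other != name]
        problems.extend(check_node(name, node, peers))
    return problems


def as_scanning_only(node, rebind_listeners):
    """Copy of node with director priority 0; with rebind_listeners=True the
    listeners are moved back to 0.0.0.0 as the article's last note requires."""
    new = copy.deepcopy(node)
    new["priority"] = 0
    if rebind_listeners:
        new["listeners"] = {proto: "0.0.0.0:" + addr.rpartition(":")[2]
                            for proto, addr in new["listeners"].items()}
    return new


if __name__ == "__main__":
    plans = {
        "article example": NODES,
        "MWG2 demoted, listeners unchanged":
            {**NODES, "MWG2": as_scanning_only(NODES["MWG2"], False)},
        "MWG2 demoted, listeners rebound":
            {**NODES, "MWG2": as_scanning_only(NODES["MWG2"], True)},
    }
    for label, plan in plans.items():
        issues = check_cluster(plan)
        print(f"{label}: {'OK' if not issues else f'{len(issues)} problem(s)'}")
        for line in issues:
            print("  -", line)
```

Run it as a script and the article's example passes; demoting MWG2 to priority 0 without rebinding its listeners is reported for HTTP and FTP, and the same plan with listeners on 0.0.0.0 passes again. Extend NODES if you add a third scanning-only node: the checks for it are the same.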

Test the HA feature from the GUI on the active director:

"Troubleshooting" > "Network tools" > enter the parameter "all" > choose "hastats".

Output on the active director:

hastats all :
Mode: Active Director
HTTP - IPv4
+-------------+------+-------------------+-------------------+
|   Server    |Status|Sessions per Second|Cumulative Sessions|
+-------------+------+-------------------+-------------------+
|192.168.40.4 |  UP  |         0         |         0         |
+-------------+------+-------------------+-------------------+
|192.168.40.3 |  UP  |         0         |         0         |
+-------------+------+-------------------+-------------------+
FTP not configured

If you run the test on the redundant director, the output only tells you to run this command on the active director.
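The hastats table is the one place where the cluster tells you whether both backends are actually UP, so it is worth checking mechanically rather than by eye. The following added example, which is not code from the article or from the MWG product, parses the table format shown above and turns it into a health verdict. The sample output is constructed from the article's table (with one copy altered to show a DOWN backend); the message a redundant director prints is only paraphrased in the article, so the standby sample and the loose matching of it are assumptions.

```python
"""Parse and evaluate `hastats all` output from an MWG director.

Added example, not code from the article or the MWG product. Samples are
constructed from the table the article prints; the standby-director text
is an assumption, the article only paraphrases it.
"""
import re

# Constructed from the article's output.
SAMPLE_ACTIVE = """\
hastats all :
Mode: Active Director
HTTP - IPv4
+-------------+------+-------------------+-------------------+
|   Server    |Status|Sessions per Second|Cumulative Sessions|
+-------------+------+-------------------+-------------------+
|192.168.40.4 |  UP  |         0         |         0         |
+-------------+------+-------------------+-------------------+
|192.168.40.3 |  UP  |         0         |         0         |
+-------------+------+-------------------+-------------------+
FTP not configured
"""

# Constructed: same table with one backend marked DOWN.
SAMPLE_DEGRADED = SAMPLE_ACTIVE.replace("|192.168.40.3 |  UP  |",
                                        "|192.168.40.3 | DOWN |")

# Assumed wording of what the redundant director prints (no table at all).
SAMPLE_STANDBY = "hastats all :\nPlease run this command on the active director\n"


def parse_hastats(text):
    """Return (mode, sections); sections maps a protocol section such as
    'HTTP - IPv4' to {server: (status, sessions_per_sec, cumulative)} and
    a 'not configured' protocol to None."""
    mode, sections, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Mode:"):
            mode = line.split(":", 1)[1].strip()
        elif line.endswith("not configured"):
            sections[line[: -len("not configured")].strip()] = None
        elif re.match(r"^[A-Z]+ - IPv[46]$", line):
            current = line
            sections.setdefault(current, {})
        elif line.startswith("|") and current is not None:
            cells = [c.strip() for c in line.strip("|").split("|")]
            if cells[0] == "Server":  # header row
                continue
            server, status, sps, total = cells
            sections[current][server] = (status, int(sps), int(total))
    return mode, sections


def evaluate(text, expected_servers):
    """List of problems for monitoring; an empty list means healthy."""
    mode, sections = parse_hastats(text)
    if mode != "Active Director":
        # The redundant director prints no table, so there is nothing to
        # judge here: the check must be repeated on the active node.
        return [f"not the active director (mode={mode!r}); re-run there"]
    problems = []
    for section, servers in sections.items():
        if servers is None:
            continue  # "FTP not configured" is a valid state, not an error
        missing = set(expected_servers) - set(servers)
        if missing:
            problems.append(f"{section}: missing backend(s) {sorted(missing)}")
        for server, (status, _, _) in servers.items():
            if status != "UP":
                problems.append(f"{section}: {server} is {status}")
    return problems


if __name__ == "__main__":
    backends = ["192.168.40.3", "192.168.40.4"]
    for label, sample in (("active", SAMPLE_ACTIVE), ("degraded", SAMPLE_DEGRADED),
                          ("standby", SAMPLE_STANDBY)):
        print(label, "->", evaluate(sample, backends) or "healthy")
```

Feed it the text copied from the GUI (or from the same command on the appliance shell) and pass the outbound IPs from the scanners table as `expected_servers`, so a backend that silently disappeared from the table is reported as well as one marked DOWN.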

NOTES:

  • We highly recommend a /32 subnet mask for any VIP address.
  • Director priority 0: scanning-only node.
  • Director priority greater than 0: possible director node.
  • To configure a scanning-only machine, set the director priority to 0; most of the other options are then greyed out automatically.
  • In this case you MUST change the HTTP listener from the node-specific address (192.168.40.3:9090 in the example above) back to 0.0.0.0:9090, and do the same for any other active listener.
