Example Transparent Proxy configuration using HAProxy (mfend replacement)
Overview:
Starting with MWG version 8.2, McAfee replaced mfend with HAProxy for high-availability (HA) load balancing. If you update from an older version that uses mfend, manual configuration changes are mandatory. This article shows a simple example configuration for Transparent Proxy mode.
HAProxy support for ICAP Proxy was introduced with the following MWG versions: 8.2.12, 9.2.3 and 10.0. The ICAP configuration is the same as for HTTP.
Action plan:
- Upgrade to or install the latest main version
- Perform the configuration changes indicated below
- In case of any failures, create a Service Request and provide:
  - the feedback file
  - a short description of the interfaces in use and their purpose (inbound/outbound, IP addresses)
Example Transparent Router Configuration
This is a configuration example for a transparent proxy HA cluster with 2 MWGs. Each MWG has 2 interfaces.
In this mode, the clients use the inbound VIP as their default gateway, and traffic to ports 80 and 443 is intercepted there. The haproxy process redirects these connections from ports 80/443 to the configured HTTP listener port 9090, which is served by the mwg-core process.
Interfaces – A minimum of 2 interfaces is mandatory; in this example we simply have an inbound and an outbound interface
- MWG1 eth0 (inbound): 10.116.40.3, eth1 (outbound): 192.168.40.3
- MWG2 eth0 (inbound): 10.116.40.4, eth1 (outbound): 192.168.40.4
MWG1 Configuration:
- Scanners table (contains outbound IPs): 192.168.40.4 (type: Peer Director), 192.168.40.3 (type: Scanner)
- Director priority: 90
- VIP (inbound): 10.116.40.5/32
- VIP (outbound): 192.168.40.5/32
- VRRP: eth1 (Must be the outbound interface)
- HTTP (use outbound IP): 192.168.40.3:9090 (in general, bind every listener port you configure to the outbound IP address)
- FTP (if enabled, use outbound IP): 192.168.40.3:2121
MWG2 Configuration:
- Scanners table (contains outbound IPs): 192.168.40.3 (type: Peer Director), 192.168.40.4 (type: Scanner)
- Director priority: 50
- VIP (inbound): 10.116.40.5/32
- VIP (outbound): 192.168.40.5/32
- VRRP: eth1 (Must be the outbound interface)
- HTTP (use outbound IP): 192.168.40.4:9090 (in general, bind every listener port you configure to the outbound IP address)
- FTP (if enabled, use outbound IP): 192.168.40.4:2121
Test the HA feature from the GUI on the active director:
“Troubleshooting” > “Network tools” > enter the parameter “all” > choose “hastats”.
Output on active director:
hastats all :
Mode: Active Director
HTTP - IPv4
+-------------+------+-------------------+-------------------+
| Server      |Status|Sessions per Second|Cumulative Sessions|
+-------------+------+-------------------+-------------------+
|192.168.40.4 |  UP  |         0         |         0         |
+-------------+------+-------------------+-------------------+
|192.168.40.3 |  UP  |         0         |         0         |
+-------------+------+-------------------+-------------------+
FTP not configured
If you run the test on the redundant director, the output only tells you to run this command on the active director.
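As an added example (not code from the original article or from the product), here is a small Python parser for the plain-text hastats output shown above. It turns the table into tuples and flags any backend the active director does not report as UP, or that is missing compared with the scanners you expect to be balanced over. The sample output is constructed from the article's table with one scanner marked DOWN, and the function and constant names are our own.

```python
import re

# Constructed sample: the article's "hastats all" table, with MWG1's scanner
# marked DOWN so the check below has something to report.
SAMPLE_HASTATS = """\
hastats all :
Mode: Active Director
HTTP - IPv4
+-------------+------+-------------------+-------------------+
| Server      |Status|Sessions per Second|Cumulative Sessions|
+-------------+------+-------------------+-------------------+
|192.168.40.4 |  UP  |         3         |       1204        |
+-------------+------+-------------------+-------------------+
|192.168.40.3 | DOWN |         0         |        988        |
+-------------+------+-------------------+-------------------+
FTP not configured
"""

# One data row: | <ip> | <status> | <sessions per second> | <cumulative sessions> |
ROW_RE = re.compile(
    r"^\|\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\|\s*([A-Za-z]+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|$"
)
SECTION_RE = re.compile(r"^([A-Z]+) - IPv[46]$")              # e.g. "HTTP - IPv4"
NOT_CONFIGURED_RE = re.compile(r"^([A-Z]+) not configured$")  # e.g. "FTP not configured"


def parse_hastats(text):
    """Return (mode, sections).

    mode is the text after "Mode:" (None if absent, as on the redundant
    director). sections maps a header such as "HTTP - IPv4" to a list of
    (server_ip, status, sessions_per_second, cumulative_sessions) tuples,
    and a service name such as "FTP" to None when it is not configured.
    """
    mode = None
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Mode:"):
            mode = line.split(":", 1)[1].strip()
            continue
        if SECTION_RE.match(line):
            current = line
            sections[current] = []
            continue
        m = NOT_CONFIGURED_RE.match(line)
        if m:
            sections[m.group(1)] = None
            current = None
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            ip, status, per_sec, total = m.groups()
            sections[current].append((ip, status.upper(), int(per_sec), int(total)))
    return mode, sections


def check_hastats(text, expected_scanners):
    """Compare hastats output with the outbound IPs of the scanners the
    director should balance over. Returns a list of problems; [] is healthy."""
    mode, sections = parse_hastats(text)
    if mode != "Active Director":
        # The redundant director prints only a hint to run the command on
        # the active director, so there is no table to evaluate.
        return ["not running on the active director (mode: %s)" % mode]
    problems = []
    for header, rows in sections.items():
        if rows is None:  # service not configured, nothing to check
            continue
        seen = {ip for ip, _, _, _ in rows}
        for ip in sorted(set(expected_scanners) - seen):
            problems.append("%s: expected scanner %s missing from backend table" % (header, ip))
        for ip, status, _, _ in rows:
            if status != "UP":
                problems.append("%s: %s is %s" % (header, ip, status))
    return problems


if __name__ == "__main__":
    for problem in check_hastats(SAMPLE_HASTATS, ["192.168.40.3", "192.168.40.4"]):
        print(problem)
```

Run against the real output by pasting the GUI text into a file and feeding it to check_hastats together with the outbound IPs from your scanners table; a non-empty result on the active director means a scanner is either out of the backend pool or not answering health checks.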
NOTES:
- We strongly recommend using a /32 subnet mask for any VIP address
- Director priority = 0: scanning-only node
- Director priority > 0: possible director node
- To configure a scanning-only machine, set the director priority to 0; most options will then automatically grey out.
- In this case you MUST change the HTTP listener from the node-specific outbound address used above (192.168.40.3:9090 on MWG1) back to 0.0.0.0:9090, and do the same for any other active listener
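The interface, scanners-table, VRRP, listener and director-priority rules from the configuration example and from the notes above can be checked mechanically before a node goes into service. The following Python script is an added example, not part of the article or the product: it models the two nodes as plain dictionaries (the builder and field names are our own) and reports every rule that is violated, including the scanning-only case where the listener must be moved back to 0.0.0.0 and the director's scanners table must list that node as a plain Scanner.

```python
import ipaddress


def node(name, inbound_ip, outbound_ip, priority, scanners, listeners,
         vrrp_if="eth1", vip_inbound="10.116.40.5/32", vip_outbound="192.168.40.5/32"):
    """Describe one MWG node as a plain dict (our own model, not MWG's data format).
    scanners maps outbound IP -> "Scanner" | "Peer Director"; listeners maps
    service -> "ip:port". eth0 is inbound and eth1 outbound, as in the article."""
    return {
        "name": name,
        "inbound_if": "eth0", "inbound_ip": inbound_ip,
        "outbound_if": "eth1", "outbound_ip": outbound_ip,
        "director_priority": priority,
        "scanners": scanners,
        "listeners": listeners,
        "vrrp_if": vrrp_if,
        "vip_inbound": vip_inbound,
        "vip_outbound": vip_outbound,
    }


# Constructed: the two nodes exactly as the article configures them.
MWG1 = node("MWG1", "10.116.40.3", "192.168.40.3", 90,
            {"192.168.40.4": "Peer Director", "192.168.40.3": "Scanner"},
            {"HTTP": "192.168.40.3:9090", "FTP": "192.168.40.3:2121"})
MWG2 = node("MWG2", "10.116.40.4", "192.168.40.4", 50,
            {"192.168.40.3": "Peer Director", "192.168.40.4": "Scanner"},
            {"HTTP": "192.168.40.4:9090", "FTP": "192.168.40.4:2121"})


def check_node(n):
    """Rules that apply to one node on its own. Returns a list of problem strings."""
    problems = []
    # VIPs are host addresses: anything other than /32 invites routing surprises.
    for key in ("vip_inbound", "vip_outbound"):
        if ipaddress.ip_network(n[key], strict=False).prefixlen != 32:
            problems.append("%s should use a /32 mask (got %s)" % (key, n[key]))
    # VRRP has to run on the outbound interface.
    if n["vrrp_if"] != n["outbound_if"]:
        problems.append("VRRP must run on the outbound interface %s, not %s"
                        % (n["outbound_if"], n["vrrp_if"]))
    # The scanners table holds outbound addresses only.
    if n["inbound_ip"] in n["scanners"]:
        problems.append("scanners table must hold outbound IPs, found inbound %s" % n["inbound_ip"])
    # A director lists its own outbound IP as a plain Scanner.
    if n["director_priority"] > 0 and n["scanners"].get(n["outbound_ip"]) != "Scanner":
        problems.append("own outbound IP %s must be listed as type Scanner" % n["outbound_ip"])
    # Listeners: bound to the outbound IP on a director, to 0.0.0.0 on a scanning-only node.
    for service, addr in n["listeners"].items():
        host = addr.rsplit(":", 1)[0]
        if n["director_priority"] == 0 and host != "0.0.0.0":
            problems.append("%s listener must be 0.0.0.0 on a scanning-only node (got %s)"
                            % (service, addr))
        elif n["director_priority"] > 0 and host != n["outbound_ip"]:
            problems.append("%s listener must bind the outbound IP %s (got %s)"
                            % (service, n["outbound_ip"], addr))
    return problems


def check_cluster(nodes):
    """Cross-node rules: shared VIPs, at least one director, directors know every peer."""
    problems = []
    for n in nodes:
        problems += ["%s: %s" % (n["name"], p) for p in check_node(n)]
    for key in ("vip_inbound", "vip_outbound"):
        if len({n[key] for n in nodes}) != 1:
            problems.append("%s differs between nodes" % key)
    directors = [n for n in nodes if n["director_priority"] > 0]
    if not directors:
        problems.append("no node has director priority > 0, so nothing can own the VIPs")
    for d in directors:
        for other in nodes:
            if other is d:
                continue
            expected = "Peer Director" if other["director_priority"] > 0 else "Scanner"
            if d["scanners"].get(other["outbound_ip"]) != expected:
                problems.append("%s: %s must be listed as type %s"
                                % (d["name"], other["outbound_ip"], expected))
    return problems


if __name__ == "__main__":
    print("article example:", check_cluster([MWG1, MWG2]) or "OK")
    # Scanning-only MWG2 with the listener left on its outbound IP: the mistake the notes warn about.
    scan_only = node("MWG2", "10.116.40.4", "192.168.40.4", 0, {}, {"HTTP": "192.168.40.4:9090"})
    print("scanning-only:", check_cluster([MWG1, scan_only]) or "OK")
```

The second run in the main block deliberately leaves MWG1's scanners table unchanged, so the checker reports two problems: the listener on the scanning-only node still bound to 192.168.40.4, and MWG1 still listing that node as a Peer Director instead of a Scanner. Both have to be fixed together when you demote a node to scanning only.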