System reference
1. Clustering
Clustering in Web Security Manager is based on VRRP. It allows for configuring high availability WSM pairs running Active/Passive with automatic fail-over within 3 seconds.
When deployed in combination with a load balancer in a separate load balancing pool, many WSM nodes can be run Active/Active, with the policy synchronized across all nodes by the master.
1.1. Cluster virtual IP configuration
The Cluster virtual IP configuration section allows for adding new virtual interfaces with virtual IP addresses.
It is important that exactly the same number of interfaces is configured on the master and the slave, and that the interfaces are configured in the same order.
Virtual IP
    Virtual IP address of the cluster. This is the IP address the nodes in the cluster are sharing.

Netmask
    The netmask defining the virtual IP's subnet. The netmask should be the same as the netmask assigned to the IP address of the physical interface to which Inbound Traffic is bound.

Type
    The type of the virtual IP.
    Drop down list. Options: FAILOVER MASTER and FAILOVER BACKUP. Default: FAILOVER MASTER.
    To configure a failover IP address, on the master select FAILOVER MASTER and on the slave select FAILOVER BACKUP. See the examples below for more information.

Interface
    Which interface to bind the cluster interface to.
    Drop down list. Options: system interfaces. Default: first interface in the list.
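The rules in this section are easy to get wrong by hand, so here is a pre-flight check that applies them to both nodes' configuration. It is an added example, not code from Web Security Manager or its manual: the data classes, field names, interface names and addresses are constructed for the illustration. It verifies that each virtual IP's netmask equals the netmask of the physical interface it is bound to and lies in that interface's subnet, that master and slave list the same virtual IPs in the same order, and that the master uses FAILOVER MASTER where the slave uses FAILOVER BACKUP.

```python
"""Consistency checks for a cluster virtual IP configuration.

Added example, not code from Web Security Manager or its manual. The data
classes, field names and sample addresses are constructed for this example.
"""
from dataclasses import dataclass
import ipaddress

VALID_TYPES = {"FAILOVER MASTER", "FAILOVER BACKUP"}


@dataclass(frozen=True)
class PhysicalInterface:
    name: str      # system interface name, e.g. "eth0"
    address: str   # address with prefix length, e.g. "192.0.2.10/24"


@dataclass(frozen=True)
class VirtualIP:
    address: str    # the virtual IP shared by the cluster
    netmask: str    # dotted netmask as entered in the Netmask field
    vip_type: str   # value of the Type field
    interface: str  # value of the Interface field


def check_node(vips, interfaces):
    """Return the problems found in one node's list of virtual interfaces."""
    problems = []
    by_name = {i.name: ipaddress.ip_interface(i.address) for i in interfaces}
    for idx, vip in enumerate(vips):
        phys = by_name.get(vip.interface)
        if phys is None:
            problems.append(f"vip[{idx}] {vip.address}: unknown interface {vip.interface!r}")
            continue
        if vip.vip_type not in VALID_TYPES:
            problems.append(f"vip[{idx}] {vip.address}: unknown type {vip.vip_type!r}")
        # The netmask must match the physical interface to which traffic is bound.
        if ipaddress.ip_address(vip.netmask) != phys.netmask:
            problems.append(f"vip[{idx}] {vip.address}: netmask {vip.netmask} "
                            f"differs from interface {phys.with_netmask}")
        # The virtual IP also has to sit inside that interface's subnet to be
        # reachable through it.
        if ipaddress.ip_address(vip.address) not in phys.network:
            problems.append(f"vip[{idx}] {vip.address}: not in subnet {phys.network}")
    return problems


def check_pair(master_vips, slave_vips):
    """Cross-check the two nodes: same count, same order, complementary types."""
    problems = []
    if len(master_vips) != len(slave_vips):
        problems.append(f"master has {len(master_vips)} virtual interfaces, "
                        f"slave has {len(slave_vips)}")
    for idx, (m, s) in enumerate(zip(master_vips, slave_vips)):
        if m.address != s.address or m.netmask != s.netmask:
            problems.append(f"vip[{idx}]: master {m.address}/{m.netmask} vs "
                            f"slave {s.address}/{s.netmask} (order differs?)")
        if m.vip_type != "FAILOVER MASTER":
            problems.append(f"vip[{idx}]: master must be FAILOVER MASTER, got {m.vip_type!r}")
        if s.vip_type != "FAILOVER BACKUP":
            problems.append(f"vip[{idx}]: slave must be FAILOVER BACKUP, got {s.vip_type!r}")
    return problems


# Constructed sample configuration for a two-node pair.
MASTER_IFACES = [PhysicalInterface("eth0", "192.0.2.10/24")]
SLAVE_IFACES = [PhysicalInterface("eth0", "192.0.2.11/24")]
MASTER_VIPS = [VirtualIP("192.0.2.100", "255.255.255.0", "FAILOVER MASTER", "eth0")]
SLAVE_VIPS = [VirtualIP("192.0.2.100", "255.255.255.0", "FAILOVER BACKUP", "eth0")]
# Two deliberate mistakes: wrong netmask, and MASTER selected on the slave.
BAD_SLAVE_VIPS = [VirtualIP("192.0.2.100", "255.255.0.0", "FAILOVER MASTER", "eth0")]

if __name__ == "__main__":
    for problem in (check_node(MASTER_VIPS, MASTER_IFACES)
                    + check_node(BAD_SLAVE_VIPS, SLAVE_IFACES)
                    + check_pair(MASTER_VIPS, BAD_SLAVE_VIPS)):
        print(problem)
```

Run the two per-node checks first and the pair check second: a netmask typo shows up on the node that has it, while an ordering mistake only shows up when the two lists are compared side by side.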
1.2. Synchronization configuration
When Web Security Manager nodes are running as a cluster, one of the nodes can be designated the TEACH role and the slave the LEARN role. To keep load balancing and backup nodes up to date with the current configuration, the TEACHER keeps the LEARNER updated with changes to configured websites.
To keep the synchronization packages private within the cluster, the messages are encrypted using a password as key. Synchronization messages can be sent using either MULTICAST or UNICAST.
Enable proxy settings synchronization
    Check box. Enable or disable proxy settings synchronization. If enabled, Web Security Manager will synchronize the current ACL database and other parameters with other Web Security Manager nodes.

Mode
    Synchronization role.
    Drop down list. If set to Teach, this Web Security Manager will multicast the ACL database to other Web Security Manager installations. If set to Learn, this Web Security Manager will update its ACL database according to synchronization messages from other Web Security Manager installations.
    Synchronization settings affect the operation of the Learner. When synchronization is enabled and the node synchronization mode is set to Learn, the node will not sample learn data but wait for the master node to dispatch a policy.
    Note
    You need to configure an interface that will be used for synchronization before the ACL database synchronization will be activated.

Password
    Password used for synchronization message authentication.
    Input field. Valid input: any string. A long password is recommended, as it does not have to be memorable by humans.
    Input example: 98974953Q38512432324CU4859229842784
    Default value: none.
Protocol
    Synchronization network protocol.
    Drop down list. Options: MULTICAST, UNICAST. Default: MULTICAST.
    The MULTICAST method is selected by default. This method is the easiest to configure, but as the name suggests the messages are sent to all nodes within the network and may not always work in complex networks. To keep network traffic at a minimum and to make things work in complex networks, UNICAST should be preferred. This method requires the LEARN node to be specified on the TEACH node. When sending synchronization messages using UNICAST, the TEACHER sends the messages directly to the LEARNER's IP address using UDP.
Sync type
    How websites are synchronized in a cluster.
    Drop down list. Options: FULL SYNC, TEMPLATE. Default: FULL SYNC.
    This option applies to learning nodes and controls how websites are synchronized.

    FULL SYNC
        Everything, including "Listen IP", backend servers and health checking configuration, is synchronized.
        For HTTPS websites and HTTP websites configured to listen on a specific IP address, the same IP addresses must be configured on the learn node, typically in the form of a Cluster IP address configured for high availability or load balancing. Otherwise configuring the proxy core will fail.

    TEMPLATE
        When a new website configuration is received by the slave node, all information, including the listen IP, is included, but the website is created with disabled status, meaning it will not be served by the learning node until the website is enabled in ADC : Virtual Host (Section 1, “Virtual host”).
        When synchronizing changes, the Listen IP, backend server configuration, load balancing settings and health checking configuration will not be synchronized. This allows for synchronizing across datacenters or for synchronizing a cluster that is used in combination with a network load balancer.
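The difference between FULL SYNC and TEMPLATE is what a learning node keeps of its own configuration and what it takes from the teacher. The following added example models that decision for one website; it is not Web Security Manager code. The website dictionary keys (listen_ip, backends, load_balancing, health_check, enabled, policy), the function names and the sample sites and addresses are assumptions constructed for the illustration; which fields a TEMPLATE update leaves untouched follows the list in the text above.

```python
"""How a learning node applies a synchronized website under FULL SYNC and
TEMPLATE. Added example, not Web Security Manager code; field names and sample
data are assumptions."""

ANY_IP = "0.0.0.0"   # stands for "listen on all addresses" (assumption)
# Fields the text says a TEMPLATE update does not synchronize.
LOCAL_FIELDS = ("listen_ip", "backends", "load_balancing", "health_check")


class SyncError(Exception):
    """Raised when the learner could not configure its proxy core for a site."""


def apply_website(sync_type, received, existing, learner_ips):
    """Return the configuration the learning node ends up with for one website.

    received     website configuration dispatched by the TEACHER
    existing     the learner's current copy of that website, or None if new
    learner_ips  addresses configured on the learner, cluster IPs included
    """
    if sync_type == "FULL SYNC":
        # Everything is taken from the teacher. A site bound to a specific IP
        # (HTTPS sites, and HTTP sites with a fixed Listen IP) needs that IP on
        # the learner, typically as a cluster IP, or the proxy core fails.
        listen_ip = received["listen_ip"]
        if listen_ip != ANY_IP and listen_ip not in learner_ips:
            raise SyncError(f"{received['name']}: listen IP {listen_ip} "
                            "is not configured on this node")
        return dict(received)

    if sync_type == "TEMPLATE":
        if existing is None:
            # New site: copied in full, listen IP included, but created disabled
            # so it is not served until enabled in ADC : Virtual Host.
            site = dict(received)
            site["enabled"] = False
            return site
        # Change to a known site: policy comes from the teacher, while listen IP,
        # backends, load balancing and health checking stay as configured here.
        # Keeping the local enabled flag as well is this example's assumption.
        site = dict(received)
        for field in LOCAL_FIELDS + ("enabled",):
            site[field] = existing[field]
        return site

    raise ValueError(f"unknown sync type {sync_type!r}")


def preflight(sync_type, websites, existing_by_name, learner_ips):
    """Dry-run a batch of websites; return the names that would fail to apply."""
    failed = []
    for site in websites:
        try:
            apply_website(sync_type, site, existing_by_name.get(site["name"]), learner_ips)
        except SyncError:
            failed.append(site["name"])
    return failed


# Constructed sample data: the learner's own address plus a cluster virtual IP.
LEARNER_IPS = {"192.0.2.11", "192.0.2.100"}

SHOP = {"name": "shop", "listen_ip": "192.0.2.100",
        "backends": ["10.0.0.5:8443"], "load_balancing": "round-robin",
        "health_check": "/health", "enabled": True, "policy": {"mode": "protect"}}

# Listens on an address that only exists in the teacher's datacenter.
INTRANET = {"name": "intranet", "listen_ip": "203.0.113.7",
            "backends": ["10.0.0.9:8080"], "load_balancing": "round-robin",
            "health_check": "/", "enabled": True, "policy": {"mode": "detect"}}

# The learner's existing copy of "intranet", adapted to its own network.
LOCAL_INTRANET = dict(INTRANET, listen_ip="192.0.2.100",
                      backends=["10.1.0.9:8080"], health_check="/ping",
                      policy={"mode": "learn"})

if __name__ == "__main__":
    print("FULL SYNC would fail for:", preflight("FULL SYNC", [SHOP, INTRANET], {}, LEARNER_IPS))
    print("TEMPLATE would fail for:", preflight("TEMPLATE", [SHOP, INTRANET], {}, LEARNER_IPS))
```

Running the dry run before switching a cross-datacenter learner to FULL SYNC shows exactly which websites would break the proxy core because their listen address does not exist locally, which is the situation TEMPLATE is meant for.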
Peer(s)
    The IP address(es) of the other node(s) in the cluster.
    Input field. This input field is disabled if MULTICAST is selected; in this case it displays the multicast address, which cannot be changed.
    Valid input: the IP address(es) of the corresponding node(s) in the cluster, i.e. on the TEACHER it should be the LEARNER(s) and vice versa. Note that the IP address should be the IP address assigned to the network interface to which synchronization is bound on the corresponding node.
    To synchronize to more than one LEARNER node using UNICAST, add a list of LEARNER IP addresses separated by comma or space.
    Default value: none.
1.3. Cluster configuration examples
Below are examples of configuring a high availability cluster running in active/passive mode and a "self load balancing" cluster running in active/active mode.
1.3.1. Configuring a fail-over cluster
To configure a fail-over (active/passive) cluster of two Web Security Manager nodes do the following: Create a FAILOVER-MASTER interface by doing the following: