
How to send traffic to preferred WSS data center using explicit proxy forwarding method


Article ID: 252669


Products

ProxySG Software - SGOS, ISG Proxy, Web Security Service - WSS

Issue/Introduction

1. When an on-prem ProxySG uses explicit proxy forwarding to WSS and the data center auto-selected via proxy.threatpulse.net is not the nearest or desired WSS data center location, you can use the on-prem ProxySG configuration to selectively send traffic to your preferred location.

2. This is also helpful when the location auto-selected by proxy.threatpulse.net does not provide the desired performance: from the on-prem ProxySG you can control failover to a different WSS data center location.

Environment

This is only applicable when an on-prem ProxySG is used to explicitly forward traffic to WSS.

Resolution

The general guidance for setting up on-prem explicit proxy forwarding to WSS can be found in this article. Along with the complete setup guide, it provides the steps for setting up forwarding hosts on the on-prem ProxySG and the CPL policies for forwarding traffic to WSS. You can use the same guidance, but instead of creating one set of forwarding hosts you create 3 sets of forwarding hosts for 3 different data center locations. The location names and forwarding host VIP names of all data centers can be found under KB 208150.

For example, if your on-prem ProxySGs are located in Toronto, you can use the nearest data center VIP, gcato2-vip1.threatpulse.net, as the primary location. As a secondary location you can use the Montreal data center VIP, gcamo1-vip1.threatpulse.net. As a tertiary location you can rely on the default WSS host name, proxy.threatpulse.net. With these three sets of forwarding hosts, the on-prem ProxySG's forwarding host configuration should look like below

 
Using these 3 sets of forwarding hosts, create or update the failover sequence CPL for each group (primary, secondary and tertiary) on the on-prem ProxySG as shown below. This goes under the forwarding layer.
 
; Unintercepted SSL
url.scheme=(ssl, tcp) forward(PrimaryWSSHTTP8080, SecondaryWSSHTTP8080, TertiaryWSSHTTP8080)
; Intercepted SSL
url.scheme=https forward(PrimaryWSSInterceptedHTTPS8084, SecondaryWSSInterceptedHTTPS8084, TertiaryWSSInterceptedHTTPS8084)
; Plaintext HTTP
url.scheme=http forward(PrimaryWSSSecure8443, SecondaryWSSSecure8443, TertiaryWSSSecure8443)

 

Having the 3 failover hosts in a sequence provides the following advantages:

1. By default the on-prem ProxySG performs a TCP-based health check. If the on-prem proxy observes that the Primary forwarding hosts are failing, it automatically switches over to the secondary and tertiary groups. It also automatically goes back to the Primary group when the health check recovers.

2. This gives customers better control on their side in situations where the customer's data center IP is not connecting to the closest WSS data center location using proxy.threatpulse.net.

3. This also gives the customer a way to manually fail over to a different data center if degraded performance is observed at the primary data center location. The proxy admin can execute the following commands, or script them from Management Center, to fail over to the secondary data center:

conf t
health-check
disable sick fwd.PrimaryWSSSecure8443
disable sick fwd.PrimaryWSSHTTP8080
disable sick fwd.PrimaryWSSInterceptedHTTPS8084
exit

This makes the on-prem ProxySG consider the primary forwarding host group no longer healthy, and it automatically starts sending traffic to the secondary group based on the configured CPL policy. This does not drop (or interrupt users' live sessions on) the existing connections that were already established with the primary group. Only new connections made on the on-prem ProxySG are forwarded to the secondary group.

This change can also be made from the web UI of the on-prem ProxySG. From configuration --> health check --> edit all the Primary forwarding hosts and disable the health check as unhealthy, like below

 

To revert to the primary group, the proxy admin can enable the health check on the primary group using the CLI commands below. This can also be scripted via Management Center.

conf t
health-check
enable fwd.PrimaryWSSSecure8443
enable fwd.PrimaryWSSHTTP8080
enable fwd.PrimaryWSSInterceptedHTTPS8084
exit

For a manual failover to the tertiary group, both the primary and secondary groups have to be marked as "unhealthy / sick". Tertiary failover always goes back to the default global Geo load balancing logic provided by Broadcom to select the most optimized WSS data center location.
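The manual failover and revert steps above can be generated from the forward() rules themselves, so the command batch always matches the policy that is installed. The script below is an added example, not Broadcom's own tooling: it reads the CPL shown earlier, checks that every rule lists its hosts in Primary, Secondary, Tertiary order, and builds the CLI batch for the requested tier. Its function names are hypothetical, and it assumes the secondary health checks follow the same fwd.<alias> naming as the primary ones and that issuing "enable" on a check that is already enabled is harmless.

```python
import re

# CPL forward rules as given in the article (copied verbatim).
CPL = """\
; Unintercepted SSL
url.scheme=(ssl, tcp) forward(PrimaryWSSHTTP8080, SecondaryWSSHTTP8080, TertiaryWSSHTTP8080)
; Intercepted SSL
url.scheme=https forward(PrimaryWSSInterceptedHTTPS8084, SecondaryWSSInterceptedHTTPS8084, TertiaryWSSInterceptedHTTPS8084)
; Plaintext HTTP
url.scheme=http forward(PrimaryWSSSecure8443, SecondaryWSSSecure8443, TertiaryWSSSecure8443)
"""
TIERS = ("primary", "secondary", "tertiary")  # expected order inside forward()


def failover_sequences(cpl):
    """Return the alias list of every forward() rule, in failover order."""
    seqs = []
    for line in cpl.splitlines():
        rule = line.split(";", 1)[0]  # drop CPL comments
        m = re.search(r"\bforward\(([^)]*)\)", rule)
        if m:
            seqs.append([a.strip() for a in m.group(1).split(",") if a.strip()])
    return seqs


def failover_commands(cpl, target):
    """Build the CLI batch that makes `target` the first usable tier."""
    idx = TIERS.index(target)  # raises ValueError for an unknown tier
    sick, normal = [], []
    for seq in failover_sequences(cpl):
        if len(seq) != len(TIERS):
            raise ValueError(f"expected {len(TIERS)} hosts in rule, got {seq}")
        for pos, alias in enumerate(seq):
            if not alias.lower().startswith(TIERS[pos]):
                raise ValueError(f"{alias} is out of failover order")
            if pos < idx:
                sick.append(alias)      # tiers ahead of the target: force sick
            elif pos < len(TIERS) - 1:
                normal.append(alias)    # target and later: normal health checks
            # the last tier is never overridden, so it needs no command
    cmds = ["conf t", "health-check"]
    cmds += [f"disable sick fwd.{a}" for a in sick]
    cmds += [f"enable fwd.{a}" for a in normal]
    return cmds + ["exit"]


if __name__ == "__main__":
    print("\n".join(failover_commands(CPL, "tertiary")))
```

A rule whose hosts are out of order raises an error instead of producing commands, which catches a policy where forcing the Primary group sick would not send traffic to the intended data center.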
