The IBM Security Web Gateway Appliance is a network appliance–based security solution that provides both access control and protection from web-based threats. It is available as both a hardware appliance and as a virtual appliance.
The main features of the Web Gateway Appliance include front-end load balancing capabilities and centralized management of web reverse proxy servers. A front-end load balancer is a server that uses a virtual IP address to accept requests from a client, determines which reverse proxy server is most suitable based on a scheduling algorithm, and forwards the requests to that reverse proxy server. Figure 1 shows a typical setup.
Figure 1. Configuration with two front-end load balancers and multiple reverse proxy servers
A typical case in a customer environment would be to leverage this front-end load balancing capability to achieve high availability. Given the Web Gateway Appliance's capability both to provide load balancing and to act as a reverse proxy server, a single appliance can be used for both.
This article describes the step-by-step details necessary to configure a single Web Gateway Appliance to act as both a front-end load balancer and as a reverse proxy server.
The steps described in this article are applicable only to Web Gateway Appliances running version 7.0 with at least fix pack 1.
There are two typical scenarios related to the front-end load balancer configuration on a Web Gateway Appliance. A customer can configure the appliance to act as:
- Both a front-end load balancer and a reverse proxy server
- Purely a load balancer by having all reverse proxy instances outside the appliance
Figure 2 shows a configuration with both a front-end load balancer and a reverse proxy server.
Figure 2. Scenario 1 configuration
The objective is to load balance an HTTP request to the external address http://172.20.0.213 across two WebSEAL instances, where WebSEAL 1 is co-located on the appliance and WebSEAL 2 is separate.
The front-end load balancer on the appliance performs load balancing through network routing. Therefore, it is important to separate the front-facing and rear-facing interfaces across different network subnets. In this sample configuration, those two networks are 172.20.0.x and 10.150.26.x.
Table 1. Sample scan job allocation

| Front-facing interfaces | Address | Rear-facing interfaces | Address |
|---|---|---|---|
| Load balancer — virtual IP (WebSEAL 1 secondary interface) | 172.20.0.213 | Application physical interface (P.2) (WebSEAL 1 primary interface) | 10.150.26.125 |
| Application physical interface (P.1) | 172.20.0.212 | Load balancer — gateway IP (WebSEAL 2 host default gateway) | 10.150.26.126 |
| Management interface IP (M.1) | 172.20.0.211 | WebSEAL 2 host IP address | 10.150.26.144 |

Note: In a production deployment, the management interface should be on a (third) network subnet separate from all of the application interfaces.
The management interface (M.1) allows administration of the appliance through the local management interface (LMI). The application interface (P.1 or P.2) enables you to configure any applications like the web reverse proxy to run on the appliance.
The following steps guide you through configuring the IP addresses and WebSEAL reverse proxy instances to achieve the configuration described above.
1. Virtual IPs are used to enable load balancer replication. Note that the management interface, 172.20.0.211, maps to the ap-wga71 host name in the DNS in this configuration. Ensure that there are at least two application interfaces enabled on the Web Gateway Appliance.
Figure 3. Virtual IP mapping
2. Log on to the LMI. From Manage System Settings > Network Settings > Application Interfaces, ensure that the two application interfaces are enabled. The interface P.1 is the external-facing IP of the appliance, and P.2 is the internal-facing IP.
Figure 4. Application interfaces
3. Configure a web reverse proxy instance to listen on the internal-facing interface (P.2). In the sample configuration, the web reverse proxy instance ws1 is configured to listen on the 10.150.26.125 interface. Select Secure Reverse Proxy Settings > Reverse Proxy and click New.
Figure 5. New reverse proxy interface
4. Configure the FELB:
   a. Select Manage System Settings > Network Settings > Front end load balancer.
   b. On the General tab, specify the following settings:
      - Load Balancer: Enabled
      - Gateway address: 10.150.26.126
      - Mask: 255.255.255.0
      - Interface: P.2

   Figure 6. Settings under General tab

   c. On the Servers tab, create a new virtual server and specify the details. A virtual server is the load balancing virtual IP.
      - Enabled: checked
      - Name: public-server
      - Virtual address: 172.20.0.213
      - Port: 80
      - Mask: 255.255.255.0
      - Interface: P.1

   Figure 7. Virtual server interface

   d. Specify the servers that need to be load balanced. Initially, we show how to load balance only to the single reverse proxy instance located on the load balancer appliance (WebSEAL 1). After this configuration has been tested, you can add other instances, such as WebSEAL 2. Select the newly created public-server and click Real Servers. Create a new entry and specify the following details:
      - Enabled: checked
      - Address: 10.150.26.125
      - Weight: 1

   Figure 8. Real server IP address

   e. Click Save and subsequently deploy the changes.
5. Update the web reverse proxy instance ws1 created in step 3 and add a secondary interface for ws1 to listen on the virtual server address created under FELB configuration step 4c.
   a. Select Secure Reverse Proxy Settings > Reverse Proxy.
   b. Select the web reverse proxy created in step 3 and click Edit.
   c. Go to the last tab, Interfaces, and click New. Specify the following settings:
      - Application Interface IP Address: 172.20.0.213
      - HTTP Port: 80
      - HTTPS Port: 443
      - Web HTTP Port: 80

   Figure 9. Reverse proxy configuration

   d. Click Save and deploy the settings.
6. Make sure you restart the web reverse proxy after you make this update for the changes to take effect. You can do this by selecting each WebSEAL instance under Secure Reverse Proxy Settings > Reverse Proxy and clicking Restart.
The load balancer is now configured to load balance as follows: traffic received on 172.20.0.213:80 is forwarded to the WebSEAL 1 real server listening on 10.150.26.125:80.
7. To test this configuration, access the public server using http://172.20.0.213 and authenticate to log in. Upon successful authentication, you should see a page similar to Figure 10.
Figure 10. IBM Security Access Manager WebSEAL
8. Add a second WebSEAL instance to the load balancer configuration: repeat step 4d to add the details of the WebSEAL 2 instance as a Real Server to the public-server virtual server.
   - Enabled: checked
   - Address: 10.150.26.144
   - Weight: 1
9. Make sure that on the server running the WebSEAL 2 instance, the default gateway is set to the FELB's gateway virtual IP (10.150.26.126 in the sample configuration). For example, if the WebSEAL 2 instance is running on Windows®, you can edit the TCP/IPv4 properties of the Local Area Connection under Network and Sharing Center.
Figure 11. IPV4 properties
10. Configure the FELB for HTTPS traffic on port 443: repeat step 4c, specifying the port as 443 instead of 80, and add the Real Servers as in step 4d.
Figure 12. Port 443
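The FELB balances by routing, so the procedure above only works if the front-facing side (P.1 and the virtual address), the rear-facing side (P.2, the gateway IP and every real server) and, in production, the management interface each sit on their own subnet. The following Python check, added here as an example and not part of the article or of IBM's tooling, validates those rules against the Table 1 addresses; the dictionary keys and function names are assumptions made for this example.

```python
import ipaddress

# Addressing from Table 1 of the article, with the 255.255.255.0 mask used on
# the FELB General and Servers tabs. The dictionary and its key names are
# constructed for this example; they are not appliance settings.
SAMPLE = {
    "p1_address": "172.20.0.212",          # application interface P.1 (front-facing)
    "virtual_address": "172.20.0.213",     # FELB virtual server address (VIP)
    "p2_address": "10.150.26.125",         # application interface P.2 (rear-facing)
    "gateway_address": "10.150.26.126",    # FELB gateway IP
    "real_servers": ["10.150.26.125", "10.150.26.144"],  # WebSEAL 1, WebSEAL 2
    "management_address": "172.20.0.211",  # M.1, which shares P.1's subnet in the sample
    "mask": "255.255.255.0",
}


def subnet(address, mask):
    """Network containing `address` for a dotted-decimal mask."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def check_felb_addressing(cfg):
    """Validate the routing-based FELB layout; returns {'errors': [...], 'warnings': [...]}.

    Errors break the design: the front-facing subnet must differ from the
    rear-facing one, the VIP must sit with P.1, and the gateway IP and each
    real server must sit with P.2 so the real servers can use the gateway IP
    as their default gateway. Warnings cover the management-subnet note.
    """
    mask = cfg["mask"]
    front = subnet(cfg["p1_address"], mask)
    rear = subnet(cfg["p2_address"], mask)
    errors, warnings = [], []
    if front == rear:
        errors.append("P.1 and P.2 share a subnet; FELB routing needs them separated")
    if subnet(cfg["virtual_address"], mask) != front:
        errors.append("virtual address is not on the front-facing (P.1) subnet")
    if subnet(cfg["gateway_address"], mask) != rear:
        errors.append("gateway address is not on the rear-facing (P.2) subnet")
    for server in cfg["real_servers"]:
        if subnet(server, mask) != rear:
            errors.append(f"real server {server} is not on the gateway subnet {rear}")
    if subnet(cfg["management_address"], mask) in (front, rear):
        warnings.append("management interface shares an application subnet; use a third subnet in production")
    return {"errors": errors, "warnings": warnings}
```

Run against the sample, the check reports no errors and one warning (the management interface on the 172.20.0.x subnet, which the article itself flags for production); moving WebSEAL 2 off the 10.150.26.x subnet produces an error because it could no longer use 10.150.26.126 as its default gateway.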
Figure 13 illustrates the configuration corresponding to scenario 2 described above.
Figure 13. Configuration where appliance is load balancer only; all reverse proxy instances are outside (Scenario 2)
The steps required to configure the front-end load balancer are identical to steps 4a to 4c under Configuration. Repeat step 9 for each of the WebSEAL reverse proxy instances before adding them to the front-end load balancer configuration as described in steps 4d and 4e.
The IBM Security Web Gateway Appliance provides load balancing capabilities along with the ability to create and manage reverse proxy server instances. This combination can be leveraged to achieve high availability of web resources.
- Check out the Web Gateway Hardware Appliance Quick Start Guide and the Web Gateway Virtual Appliance Quick Start Guide.
- Learn about administering Web Gateway Appliance.
- Find out about configuring the front-end load balancer.
- Learn about managing reverse proxy server instances.