Configure the IBM Security Web Gateway Appliance as a front-end load balancer and a web reverse proxy

One of the main features of the IBM® Security Web Gateway Appliance is its front-end load balancing function, which lets the appliance automatically direct web requests from clients to an appropriate reverse proxy based on a specified scheduling algorithm. This article explains the steps needed to configure an appliance as both the front-end load balancer (FELB) and as a web reverse proxy.


Bhavan Kasivajjula, Advisory Software Engineer, IBM

Bhavan Kasivajjula is an advisory software engineer working for the IBM Security Systems division at the Australia Development Laboratory on the Gold Coast. He is part of the Solutions team supporting the adoption of Web Gateway Appliance by customers.

Philip Nye, IBM Security Solution Architect, IBM

Philip Nye is an IBM security solution architect with the Australia Development Laboratory on the Gold Coast. He is a member of the IBM Security Center of Excellence, which is part of the world-wide SWAT mission. The IBM Security Center of Excellence works primarily with pre-sales and enablement teams around the world, striving to make IBM customers successful using IBM Security Systems products.

26 November 2013


The IBM Security Web Gateway Appliance is a network appliance–based security solution that provides both access control and protection from web-based threats. It is available as both a hardware appliance and as a virtual appliance.

The main features of the Web Gateway Appliance include front-end load balancing capabilities and centralized management of web reverse proxy servers. A front-end load balancer is a server that uses a virtual IP address to accept requests from a client, determines which reverse proxy server is most suitable based on a scheduling algorithm, and forwards the requests to that reverse proxy server. Figure 1 shows a typical setup.

Figure 1. Configuration with two front-end load balancers and multiple reverse proxy servers
A chart showing a typical configuration

A typical case in a customer environment would be to leverage this front-end load balancing capability to achieve high availability. Given the Web Gateway Appliance's capability both to provide load balancing and to act as a reverse proxy server, a single appliance can be used for both.

This article describes the step-by-step details necessary to configure a single Web Gateway Appliance to act as both a front-end load balancer and as a reverse proxy server.


The steps described in this article are applicable only to Web Gateway Appliances running version 7.0 with at least fix pack 1.


There are two typical scenarios related to the front-end load balancer configuration on a Web Gateway Appliance. A customer can configure the appliance to act as:

  • Both a front-end load balancer and a reverse proxy server
  • Purely a load balancer by having all reverse proxy instances outside the appliance

Scenario 1

Figure 2 shows a configuration with both a front-end load balancer and a reverse proxy server.

Figure 2. Scenario 1 configuration
A chart showing a Scenario 1 configuration

The objective is to load balance HTTP requests to the external address across two WebSEAL instances, where WebSEAL-1 is co-located on the appliance and WebSEAL2 is separate.

Network overview

The front-end load balancer on the appliance performs load balancing through network routing. Therefore, it is important to separate the front-facing and rear-facing interfaces across different network subnets. In this sample configuration, those two networks are 172.20.0.x and 10.150.26.x.

Table 1. Sample scan job allocation

Front-facing interfaces
  • Load balancer — virtual IP: 172.20.0.213
  • WebSEAL 1 secondary interface
  • Application physical interface (P.1)

Rear-facing interfaces
  • Application physical interface (P.2)
  • WebSEAL 1 primary interface
  • Load balancer — gateway IP: 10.150.26.126
  • WebSEAL 2 Host default gateway
  • WebSEAL 2 Host IP address: 10.150.26.144

Management interface
  • Management interface IP (M.1)

In a production deployment, the management interface should be on a (third) network subnet separate from all of the application interfaces.

The management interface (M.1) allows administration of the appliance through the local management interface (LMI). The application interface (P.1 or P.2) enables you to configure any applications like the web reverse proxy to run on the appliance.


The following steps guide you through configuring the IP addresses and WebSEAL reverse proxy instances to achieve the configuration described above.

  1. Virtual IPs are used to enable load balancer replication. Note that the management interface maps to the ap-wga71 host name in the DNS in this configuration. Ensure that there are at least two application interfaces enabled on the Web Gateway Appliance.
    Figure 3. Virtual IP mapping
    Screenshot showing virtual IP mapping
  2. Log on to the LMI. From Manage System Settings > Network Settings > Application Interfaces, ensure that the two application interfaces are enabled. The interface P.1 is the external-facing IP of the appliance, and P.2 is the internal-facing IP.
    Figure 4. Application interfaces
    Screenshot showing application interfaces
  3. Configure a web reverse proxy instance to listen on the internal-facing interface (P.2). In the sample configuration, the web reverse proxy instance ws1 is configured to listen on the interface. Select Secure Reverse Proxy Settings > Reverse Proxy. Click New.
    Figure 5. New reverse proxy interface
    Screenshot showing new reverse proxy interface
  4. Configure the FELB:
    1. Select Manage System Settings > Network Settings > Front end load balancer.
    2. On the General tab, specify the following settings:
      1. Load Balancer : Enabled
      2. Gateway address :
      3. Mask :
      4. Interface : P.2
        Figure 6. Settings under General tab
        Screenshot showing new reverse proxy interface
    3. On the Servers tab, create a new virtual server and specify the details. A virtual server is the load balancing Virtual IP.
      1. Enabled : checked
      2. Name : public-server
      3. Virtual address :
      4. Port : 80
      5. Mask :
      6. Interface: P.1
        Figure 7. Virtual server interface
        Screenshot showing adding of virtual server interface
    4. Specify the servers that need to be load balanced. Initially, we show how to load balance only to the single reverse proxy instance located on the load balancer appliance (WebSEAL 1). After this configuration has been tested, you can add other instances, such as WebSEAL 2. Select the newly created public-server and click Real Servers. Create a new entry and specify the following details:
      1. Enabled : checked
      2. Address :
      3. Weight : 1
        Figure 8. Real server IP address
        Screenshot showing real server IP address
    5. Click Save and subsequently deploy the changes.
  5. Update the web reverse proxy instance ws1 created in step 3 and add a secondary interface for ws1 to listen on the virtual server address created under FELB configuration step 4c.
    1. Select Secure Reverse Proxy Settings > Reverse Proxy.
    2. Select the web reverse proxy created in Step 3 and click Edit.
    3. Go to the last tab, Interfaces, and click New. Specify the following settings:
      1. Application Interface IP Address :
      2. HTTP Port : 80
      3. HTTPS Port : 443
      4. Web HTTP Port : 80
        Figure 9. Reverse proxy configuration
        Screenshot showing reverse proxy configuration
  6. Click Save and deploy the settings.
  7. Make sure you restart the web reverse proxy after you make this update for the changes to take effect. You can do this by selecting each WebSEAL instance under Secure Reverse Proxy Settings > Reverse Proxy and clicking Restart.
  8. The load balancer is now configured to load balance as follows: Traffic received on will be forwarded to the WebSEAL 1 real server listening on
  9. To test this configuration, access the public server using and authenticate to log in. Upon successful authentication, you should see a page similar to Figure 10.
    Figure 10. IBM Security Access Manager WebSEAL
    Screenshot IBM Security Access Manager WebSEAL
  10. Add a second WebSEAL instance to the load balancer configuration: repeat step 4d to add details of the WebSEAL 2 instance as a Real Server to the public-server virtual server.
    • Enabled : Checked
    • Address :
    • Weight : 1
  11. Make sure that on the server running the WebSEAL 2 instance, the default gateway is set to the FELB's gateway virtual IP. For example, if the WebSEAL 2 instance is running on Windows®, you can edit the TCP/IPv4 properties of the Local Area Connection Properties under Network and Sharing Center.
    Figure 11. IPv4 properties
    Screenshot showing IPV4 properties
  12. Configure the FELB for HTTPS traffic on port 443: repeat step 4c by specifying the port as 443 instead of 80 and add the Real Servers as in step 4d.
    Figure 12. Port 443
    Screenshot showing port 443
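
The address rules stated in the network overview (separate front-facing and rear-facing subnets, management on a third subnet) and in step 11 (the default gateway of an external WebSEAL host) can be checked before the settings are deployed. The following Python check is an added example, not part of the original article or of the appliance; the plan dictionary, the check_felb_plan function, the /24 prefix and the addresses marked as constructed are assumptions.

```python
import ipaddress

# Addresses marked "page" appear in the article; the rest are constructed
# placeholders. The /24 prefix is an assumption based on the article's
# 172.20.0.x and 10.150.26.x notation.
SAMPLE_PLAN = {
    "virtual_ip": "172.20.0.213",      # page: load balancer virtual IP
    "gateway_ip": "10.150.26.126",     # page: load balancer gateway IP
    "p1": "172.20.0.10",               # constructed: front-facing interface
    "p2": "10.150.26.10",              # constructed: rear-facing interface
    "management_ip": "192.0.2.10",     # constructed: M.1 on a third subnet
    "real_servers": {
        # WebSEAL 1 is co-located and listens on P.2, so it has no gateway entry
        "WebSEAL 1": {"address": "10.150.26.10", "default_gateway": None},
        "WebSEAL 2": {"address": "10.150.26.144",            # page
                      "default_gateway": "10.150.26.126"},
    },
}


def check_felb_plan(plan, prefix=24):
    """Return a list of problems in the address plan; an empty list means OK."""
    def net(ip):
        return ipaddress.ip_interface(f"{ip}/{prefix}").network

    problems = []
    front, rear = net(plan["virtual_ip"]), net(plan["gateway_ip"])
    gateway = ipaddress.ip_address(plan["gateway_ip"])

    # The FELB balances by routing, so the two sides need distinct subnets.
    if front == rear:
        problems.append("front-facing and rear-facing subnets are the same")
    if net(plan["p1"]) != front:
        problems.append("P.1 is not on the virtual IP's subnet")
    if net(plan["p2"]) != rear:
        problems.append("P.2 is not on the gateway IP's subnet")
    # The management interface belongs on a third subnet.
    if net(plan["management_ip"]) in (front, rear):
        problems.append("management interface shares an application subnet")

    for name, server in plan["real_servers"].items():
        if ipaddress.ip_address(server["address"]) not in rear:
            problems.append(f"{name}: address is not on the rear-facing subnet")
        # Step 11: an external real server's default gateway is the FELB gateway IP.
        gw = server["default_gateway"]
        if gw is not None and ipaddress.ip_address(gw) != gateway:
            problems.append(f"{name}: default gateway is not the FELB gateway IP")
    return problems
```

Calling check_felb_plan(SAMPLE_PLAN) returns an empty list; each violated rule adds one message naming the interface or server at fault.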

Scenario 2

Figure 13 illustrates the configuration corresponding to scenario 2 described above.

Figure 13. Configuration where appliance is load balancer only; all reverse proxy instances are outside (Scenario 2)
Screenshot showing scenario 2

The steps required to configure the front-end load balancer are identical to steps 4a to 4c under Configuration. Repeat step 9 for each of the WebSEAL reverse proxy instances before adding them to the front-end load balancer configuration as described in steps 4d and 4e.


The IBM Security Web Gateway Appliance provides load balancing capabilities along with the ability to create and manage reverse proxy server instances. Customers can leverage this combination to achieve high availability of their web resources.


