2.3 Understanding Installation Scenarios
When planning a WebMarshal installation, you can use a single server for all functions, or an array of servers. You can install the WebMarshal Proxy Server in several scenarios.
You should consider an Array installation of WebMarshal if the following requirements apply:
• High or growing Web request volume: An Array allows you to add WebMarshal Processing Servers to provide additional capacity.
• Multiple Web gateways at separate locations, with the same access policies and centralized reporting: A WebMarshal Array Manager can manage policy for multiple gateways over WAN connections, with a single TCP port required for connectivity in many cases.
• Redundancy: Each WebMarshal Processing Server can continue to process requests independently if other servers fail.
The WebMarshal Proxy Server can be installed in any of three scenarios.
Note: In each case you can configure a single WebMarshal server or an array of servers.
1. As a standalone proxy server. In this scenario, all Web requests are passed to the WebMarshal server, and all responses are returned from the Web (or WebMarshal proxy cache) through the WebMarshal server. Firewall rules should be configured to restrict Web traffic so that users cannot bypass WebMarshal.
Figure 2: WebMarshal proxy installation
2. Chained to another proxy server running on another physical server. In this scenario, all Web requests are passed to the WebMarshal server. WebMarshal delivers the requests to the other server, and all responses are returned from the Web through the other server to WebMarshal and then to the clients. Firewall rules should be configured to restrict Web traffic so that users cannot bypass WebMarshal. Access rules on the other proxy server should be configured to allow traffic only from WebMarshal.
Note: In any chained installation, WebMarshal usually must be the first server in the chain (the client browsers must connect to WebMarshal directly). If WebMarshal is not the first server in the chain, the WebMarshal access policy will not be applied correctly because the client cannot be determined.
• A proxy server or load balancer can be inserted before WebMarshal if it can forward the client credentials, or if it inserts an X-Forwarded-For header and you use IP based authentication (see Trustwave Knowledge Base article Q21183).
Figure 3: Separate server chained installation
3. Chained to another proxy server running on the same physical server.
Figure 4: Same server chained installation
If WebMarshal is installed on the same server as another proxy server, each must use a different port. Configure WebMarshal using the WebMarshal Configuration Wizard or the Proxy Settings pages in WebMarshal Global Settings. Be sure the other proxy software is configured appropriately.
For example, WebMarshal could be configured to accept requests at the address 10.3.1.1:8080. The other proxy software might use 127.0.0.1:3128. The other proxy should only accept requests from WebMarshal.
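To confirm the same-server layout above, you can check which addresses each port is bound to. The following is an added example, not part of the WebMarshal documentation or product: it parses `netstat -an` style output and reports when the other proxy's port is bound to anything but loopback. The function names and sample lines are constructed for illustration, and the check covers socket binding only, not access rules inside the other proxy.

```python
import ipaddress

# Constructed `netstat -an` excerpts using the page's example addresses.
SAMPLE_OK = """\
  TCP    10.3.1.1:8080          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3128         0.0.0.0:0              LISTENING
  TCP    10.3.1.1:49722         10.3.1.50:445          ESTABLISHED
"""
SAMPLE_EXPOSED = (SAMPLE_OK.replace("127.0.0.1:3128", "0.0.0.0:3128")
                  + "  TCP    [::]:3128              [::]:0                 LISTENING\n")


def listeners(netstat_text):
    """Yield (ip, port) for every TCP socket in the LISTENING state."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() != "TCP" or f[3].upper() != "LISTENING":
            continue
        host, _, port = f[1].rpartition(":")
        try:
            # Drop IPv6 brackets and any zone id before parsing.
            yield ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)
        except ValueError:
            continue  # not an address:port pair


def audit_chain(netstat_text, front=("10.3.1.1", 8080), other_port=3128):
    """Return findings for the same-server chain; an empty list means no issue found."""
    socks = list(listeners(netstat_text))
    front_ip = ipaddress.ip_address(front[0])
    findings = []
    # WebMarshal must be reachable by clients on its configured address.
    if not any(p == front[1] and (ip == front_ip or ip.is_unspecified)
               for ip, p in socks):
        findings.append(f"WebMarshal is not listening on {front[0]}:{front[1]}")
    other = [ip for ip, p in socks if p == other_port]
    if not other:
        findings.append(f"no listener on port {other_port}")
    # Any non-loopback bind lets clients reach the other proxy directly.
    for ip in other:
        if not ip.is_loopback:
            findings.append(f"port {other_port} bound to {ip}: reachable without WebMarshal")
    return findings


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("exposed", SAMPLE_EXPOSED)):
        print(name, audit_chain(text) or "no findings")
```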