2.3 Understanding Installation Scenarios

When planning a WebMarshal installation, you can use a single server for all functions, or an array of servers. You can install the WebMarshal Proxy Server in several scenarios.

2.3.1 Single Server or Array

You should consider an Array installation of WebMarshal if the following requirements apply:

High or growing Web request volume: An Array allows you to add WebMarshal Processing Servers to provide additional capacity.

Multiple Web gateways at separate locations with the same access policies and centralized reporting: A WebMarshal Array Manager can manage policy for multiple gateways over WAN connections, with a single TCP port required for connectivity in many cases.

Redundancy: Each WebMarshal Processing Server can continue to process requests independently if other servers fail.

Note: To maintain session logging correctly, each client must use a single processing server for an entire browsing session. One way to achieve this requirement is to set up Microsoft Windows Network Load Balancing using the NLB Client “Single Affinity” setting.

2.3.2 WebMarshal Proxy Server

The WebMarshal Proxy Server can be installed in any of three scenarios.

Note: In each case you can configure a single WebMarshal server or an array of servers.

1. As a standalone proxy server. In this scenario, all Web requests are passed to the WebMarshal server, and all responses are returned from the Web (or WebMarshal proxy cache) through the WebMarshal server. Firewall rules should be configured to restrict Web traffic so that users cannot bypass WebMarshal.

Figure 2: WebMarshal proxy installation

2. Chained to another proxy server running on another physical server. In this scenario, all Web requests are passed to the WebMarshal server. WebMarshal delivers the requests to the other server, and all responses are returned from the Web through the other server to WebMarshal and then to the clients. Firewall rules should be configured to restrict Web traffic so that users cannot bypass WebMarshal. Access rules on the other proxy server should be configured to allow traffic only from WebMarshal.

Note: In any chained installation, WebMarshal usually must be the first server in the chain (the client browsers must connect to WebMarshal directly). If WebMarshal is not the first server in the chain, the WebMarshal access policy will not be applied correctly because the client cannot be determined.

A proxy server or load balancer can be inserted before WebMarshal if it can forward the client credentials, or if it inserts an X-Forwarded-For header and you use IP based authentication (see Trustwave Knowledge Base article Q21183).

Figure 3: Separate server chained installation

3. Chained to another proxy server running on the same physical server.

Figure 4: Same server chained installation

If WebMarshal is installed on the same server as another proxy server, each must use a different port. Configure WebMarshal using the WebMarshal Configuration Wizard or the Proxy Settings pages in WebMarshal Global Settings. Be sure the other proxy software is configured appropriately.

For example, WebMarshal could be configured to accept requests at the address 10.3.1.1:8080. The other proxy software might use 127.0.0.1:3128. The other proxy should only accept requests from WebMarshal.
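The note under scenario 2 allows a load balancer in front of WebMarshal when it inserts an X-Forwarded-For header and IP based authentication is used. The sketch below is an added illustration, not WebMarshal code or configuration, of the check that arrangement depends on: the header is honored only when the connection comes from a known upstream. The function names and all addresses are constructed for the example.

```python
import ipaddress

# Constructed sample: the one load balancer allowed to sit in front of the proxy.
TRUSTED_UPSTREAMS = [ipaddress.ip_network("10.3.1.10/32")]


def is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def effective_client_ip(peer_ip, xff_header, trusted=TRUSTED_UPSTREAMS):
    """Return the address IP-based policy should use, or None if unknown.

    peer_ip    -- source address of the TCP connection (not settable by a header)
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer, trusted):
        # Direct client connection: any X-Forwarded-For it sent is
        # client-controlled, so ignore it and use the socket address.
        return str(peer)
    if not xff_header:
        return None  # trusted hop forwarded nothing: client cannot be determined
    # Each hop appends the address it saw, so walk right to left and stop at
    # the first address that is not one of our own upstreams.
    candidate = peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not guess
        candidate = addr
        if not is_trusted(addr, trusted):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header)
    for peer, xff in [("10.3.1.10", "10.3.5.20"),
                      ("10.3.5.99", "10.3.5.20"),
                      ("10.3.1.10", "10.3.5.20, 10.3.5.99")]:
        print(peer, repr(xff), "->", effective_client_ip(peer, xff))
```

A `None` result corresponds to the case the note describes, where the client cannot be determined and policy cannot be applied correctly.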

WebMarshal User Guide October 2023
Full document: see WebMarshal Documentation.