We just recently deployed four Blue Coat ProxySG 510 appliances along with two Blue Coat ProxyAV 810 appliances in our enterprise. The Blue Coat ProxySG appliance is essentially a proxy server that integrates with NTLM/AD authentication and content filtering. The Blue Coat ProxyAV appliance is essentially an Anti-Virus solution, you choose which AV engine to license from Kaspersky, Sophos, McAfee or Panda, for all Internet content.
We have two Internet links located at different geographically locations. We placed two Blue Coat ProxySG 510 appliances at one location along with a single Blue Coat ProxyAV 810 appliance. We setup each ProxySG with it’s own VIP and made each box a backup to the other. We duplicated that same configuration at the second geographic location with two Blue Coat ProxySG 510s and a single Blue Coat ProxyAV 810. The folks that are familiar with the Blue Coat product line might think that the 510 model is probably somewhat undersized for the size of our environment but our design was to use all four 510s in an active/active configuration as opposed to an active/standby configuration. In the event of a appliance failure we may have some high utilization but we won’t suffer an outage.
How did we achieve the load balancing and high availability?
It’s not really that difficult, although let’s not tell the folks writing the checks that. You’ll need to use a PAC file with some special JavaScript code to help provide the poor mans load balancing. The VIPs will provide the redundancy within each geographic site and we’ll trust the browser to provide the redundancy between the two geographic sites.
// // Blue Coat Proxy Auto-Configuration File (PAC) // // This PAC file will provide a poor mans load balancing solution by // hasing the IP address of the client to help spread the load of the // client across two different ProxySG appliances. The variables at // the top of the PAC file need to be adjusted to the specific VIP // addresses of each ProxySG appliance. // function FindProxyForURL(url, host) { // Declare Variables var OLDPROXY = "PROXY 10.1.20.100"; var HECTOR = "PROXY 10.1.127.60"; var FERGAL = "PROXY 10.1.127.65"; var MEG = "PROXY 10.2.127.60"; var SEAN = "PROXY 10.2.127.65"; var SITE1VIP1 = "PROXY 10.1.127.62"; var SITE1VIP2 = "PROXY 10.1.127.63"; var SITE2VIP1 = "PROXY 10.2.127.62"; var SITE2VIP2 = "PROXY 10.2.127.63"; var ipSubs = myIpAddress().split("."); var localIP = myIpAddress(); ret = URLhash(url); // Use DIRECT if the destination is just a plain WINS name if (isPlainHostName (host) || // Use DIRECT if the host is within the michaelfmcnamara.com domain space dnsDomainIs(host, ".michaelfmcnamara.com") || // Use DIRECT if the host is within the RFC1918 ten-dot-zero address space isInNet(host, "10.0.0.0", "255.255.0.0") || return "DIRECT"; // Use DIRECT if the URL starts with 10.* if (shExpMatch(url, "http://10.*") || shExpMatch(url, "https://10.*")) return "DIRECT"; // Use the Blue Coat Proxy for an remaining URL matching "http:" if( url.substring(0, 5) == "http:" ) { if (isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0") { if ( (ipSubs[3] % 2) == 0 ) { return SITE1VIP1 + ":8080"; } else { return SITE1VIP2 + ":8080"; } } else { if ( (ipSubs[3] % 2) == 0 ) { return SITE2VIP1 + ":8080"; } else { return SITE2VIP2 + ":8080"; } } } else if( url.substring(0, 6) == "https:" ) if (isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0") { if ( (ipSubs[3] % 2) == 0 ) { return SITE1VIP1 + ":8080"; } else { return SITE1VIP2 + ":8080"; } } else { if ( (ipSubs[3] % 2) == 0 ) { return SITE2VIP1 + ":8080"; } else { return SITE2VIP2 + ":8080"; } } } else if( url.substring(0, 5) == "ftp:" ) { if (isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0") { if ( (ipSubs[3] % 2) == 0 ) { return SITE1VIP1 + ":8080"; } else { return SITE1VIP2 + ":8080"; } } else { if ( (ipSubs[3] % 2) == 0 ) { return SITE2VIP1 + ":8080"; } else { return SITE2VIP2 + ":8080"; } } } else if( url.substring(0, 5) == "mms:" ) { if (isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0") { if ( (ipSubs[3] % 2) == 0 ) { return SITE1VIP1 + ":1775"; } else { return SITE1VIP2 + ":1775"; } } else { if ( (ipSubs[3] % 2) == 0 ) { return SITE2VIP1 + ":1775"; } else { return SITE2VIP2 + ":1775"; } } } else { return "DIRECT"; } } // This line is just for testing; you can ignore it. But, if you are having // problems where you think this PAC file isn't being loaded, then change this // to read "if (1)" and the alert box should appear when the browser loads this // file. // // This works for IE4, IE5, IE5.5, IE6 and Netscape 2.x, 3.x, and 4.x. // This does not work for Mozilla (and probably not for Netscape 6.x). // (For IE6, tested on Win2K) // if (0) { alert("DEBUG: PAC file LOADED"); } function URLhash(name) { var cnt=0; var str=name.toLowerCase(name); if ( str.length ==0) { return cnt; } for(var i=0;i < str.length ; i++) { var ch= atoi(str.substring(i,i + 1)); cnt = cnt + ch; } return cnt ; } /* URLhash2( ) for directory name hash computing version. written by SHARP Corp in Feb 1997 Objects in a same directory will be accessed via the same proxy. Use URLhash2( ) instead of URLhash( ) if you prefer to use persistent connection in HTTP 1.1 http://www.sharp.co.jp/sample/test/img/mebius.png http://www.sharp.co.jp/sample/test/img/zaurus.png http://www.sharp.co.jp/sample/test/img/wiz.png <-------------------------------------> directory name hashing here */ function URLhash2(name) { var cnt=0; var dirptr=0; var str=name.toLowerCase(name); if ( str.length ==0) { return cnt; } /* skip filename in directory */ for(var i=str.length - 1;i >=0 ; i--) { if ( str.substring(i,i +1) == '/' ) { dirptr = i+1 ; break; } } for(var i=0;i < dirptr; i++) { var ch= atoi(str.substring(i,i + 1)); cnt = cnt + ch; } return cnt ; } function atoi(charstring) { if ( charstring == "a" ) return 0x61; if ( charstring == "b" ) return 0x62; if ( charstring == "c" ) return 0x63; if ( charstring == "d" ) return 0x64; if ( charstring == "e" ) return 0x65; if ( charstring == "f" ) return 0x66; if ( charstring == "g" ) return 0x67; if ( charstring == "h" ) return 0x68; if ( charstring == "i" ) return 0x69; if ( charstring == "j" ) return 0x6a; if ( charstring == "k" ) return 0x6b; if ( charstring == "l" ) return 0x6c; if ( charstring == "m" ) return 0x6d; if ( charstring == "n" ) return 0x6e; if ( charstring == "o" ) return 0x6f; if ( charstring == "p" ) return 0x70; if ( charstring == "q" ) return 0x71; if ( charstring == "r" ) return 0x72; if ( charstring == "s" ) return 0x73; if ( charstring == "t" ) return 0x74; if ( charstring == "u" ) return 0x75; if ( charstring == "v" ) return 0x76; if ( charstring == "w" ) return 0x77; if ( charstring == "x" ) return 0x78; if ( charstring == "y" ) return 0x79; if ( charstring == "z" ) return 0x7a; if ( charstring == "0" ) return 0x30; if ( charstring == "1" ) return 0x31; if ( charstring == "2" ) return 0x32; if ( charstring == "3" ) return 0x33; if ( charstring == "4" ) return 0x34; if ( charstring == "5" ) return 0x35; if ( charstring == "6" ) return 0x36; if ( charstring == "7" ) return 0x37; if ( charstring == "8" ) return 0x38; if ( charstring == "9" ) return 0x39; if ( charstring == "." ) return 0x2e; return 0x20; }
Let me provide some explanation of the PAC file attached above. First you may notice that I have the function URLhash and URLhash2 included in the PAC file. I don’t actually use those functions although I may in the future.
There are two geographic sites (10.1.0.0/16 and 10.2.0.0/16) each with two Blue Coat ProxySG appliances and a single ProxyAV appliance. Overall there are four ProxySG appliances and two ProxyAV appliances. The PAC file will essentially route all requests “statically” to the local ProxySG appliancesĀ with the script load balancing the client requests, depending on the client’s IP address, to one of the two local ProxySG appliances. If you wanted geographic redundancy you could alter the “return” statement like so;
"PROXY 10.1.127.62:8080; 10.2.127.62:8080"
In this case the browser will attempt to contact the proxy server at 10.1.127.62:8080 and if the browser is unable to contact that proxy it will then try the proxy server at 10.2.127.62:8080. You’ll need to make sure that you include the (semicolon) “;” between each proxy server.
This solution has been working really well. The Blue Coat ProxySG appliance has a really impressive policy and rule base. You can do almost anything you want including coaching pages and warning banners. We current have our Blue Coat ProxySG appliances running Websense (onbox) for content filtering.
Cheers!