HaCluster is a Load-balancer service dedicated for Artica Proxy that allows you to build a pool of internet access resource.
Here all main features:
¶ Dedicated Load-balancing service for HTTP proxies
The HaCluster feature is designed to build a pool of clustered proxies with a load-balancing service.
The Pool of proxy can be connected to the Active Directory Service with Kerberos method and/or can using transparent method.
|
 |
¶ Mixed infrastructure
HaCluster provides the possibility to distribute the load on proxies in connected mode and/or in transparent mode.
This allows it to offer a mixed infrastructure including both Active Directory-connected workstations and nodes without having proxy settings in the browsers.
¶
¶ Getting Started
Since the infrastructure consists of a load-balancer and a proxy farm, you need to install at least 2 or 3 Artica servers, all of which have an enterprise license.
- Install the HaCluster feature
The load-balancer drive clusters parameters in order to link them in the pool.
It receives requests events in central mode for monitoring and troubleshooting.
¶ Add/remove backends inside the Proxies farm.
Adding nodes to a cluster farm has been simplified as much as possible while still maintaining a high level of secure communication between nodes. You can install an Artica node using the ISO or by cloning the virtual machine.
HaCluster then automatically links the remote server, configures it, and gets it ready for production use as quickly as possible.
Your 3 servers (the load balancer and the 2 Artica servers as proxy) must have a valid Artica server license.
- Connecting an Artica proxy to the farm from the HaCluster
To link an Artica proxy server from the load balancer, you can send a command to the remote Artica node to join the farm
- Connecting an Artica proxy to the farm from the node itself
To link an Artica proxy server from the node, you can use the Unix console to join the farm.
- How to disconnect a backend from the farm ?
There are two methods to disconnect a backend server.
From the HaCluster load-balancer or on the backend itself
- About the License
If you have a Gold license, it’s automatically shared with all nodes in the cluster farm.
This way, you don’t waste time managing a license across your farm.
¶ The Master server ( central cluster configurator )
- Define the Master Cluster.
The Master Cluster is one Artica server that holds the configuration set.
It's on this server that you need to administer the proxy settings so that the farm replicates the settings on the clones.
¶ Manage the Load-balancer the HaCluster itself
- Define the balance method
methods used to load-balance proxies : Lowest connection, Round-Robin, Strict hashed ip
- Automatic detection and load investigation.
Most balancers detect an overloaded node by connecting to a listening port and then, calculate the response time.
In many cases, especially with proxy technology, this is not enough.
Artica Agents installed on each proxy will report the real state of servers load
- Manage Health Checks
HaCluster uses the method of polling your backend servers by attempting to request a statistics report from the proxy service at a set interval.
- Microsoft Active Directory support
HaCluster is compatible with Microsoft Active Directory 2008, 2012, 2016, 2019, 2022
It uses the Kerberos method to identify with your Active Directory.
The objective is as follows: The Load-balancing service is the single point that provides the initialization of the Kerberos session.
Backend proxies use the token produced for the Load-balancer to identify credentials sent by browsers.
This means that you must also allow proxies to connect to your Active Directory.
See :
- Prerequisites for the Active Directory connection
- Kerberos connection with a standard account.
- Active Directory connexion wizard
- Adjusting Kerberos encryption types
- kinit: Preauthentication failed while getting initial credentials
¶ Centralized Proxy logs.
HaCluster has features to centralize legal records from web proxy services registered in the farm.
Proxy server logs contain the requests made by users and applications on your network.
This does not only include the most obvious part : web site request by users but also application or service requests made to the internet (for example application updates).
- Centralized logs with HaCluster
When connecting a new backend to the HaCluster, it is automatically defined to send relatime access events using syslog to the HaCluster Load-balancer service.
- Monitor haCluster and backends
You can monitor 3 types of events, the balancing service, user requests on the farm and the status of the backend servers.
- Forward relatime events to a SIEM/log sink
HaCluster is able to receive real-time request events from different backend proxies and to consolidate them.
It is also able to retransmit this consolidation to a log sink or a SIEM
¶ Incompatible NAT for the load balancer
When the Artica Load-balancer send order, the Artica Proxy client retrieve the Load-balancer IP from the SSL connection.
This IP address not be masqueraded by a firewall.
If it is the case, Artica Proxy clients will try to communicate directly with the firewall instead of the load-balancer. (If you need this feature, please contact the support to evaluate required development.)
¶ Syslog Port: UDP 514
- The access requests are sent by the clustered proxies trough Syslog.
- Ensure that the UDP 514 port is open from clustered proxies to the Artica load balancer.
¶ Artica HTTPS Port: TCP 9000
- Both clustered proxies and load balancer communicate through RESTful API using the Artica Web console (by default TCP 9000 ).
- Ensure that SSL is enabled on all Artica Web consoles and there is not firewall rules that deny communications between Artica servers.
¶
[SETUP]: Setup Failed Transparent port return failed
It is possible that during the setup, a backend return Failed caused by transparent port is not correctly opened.
In this case, click on the “setup error” icon of the proxy
