HaCluster is a Load-balancer service dedicated for Artica Proxy that allows you to build a pool of internet access resource.
Here all main features:
¶ Dedicated Load-balancing service for HTTP proxies
The HaCluster feature is designed to build a pool of clustered proxies with a load-balancing service.
The Pool of proxy can be connected to the Active Directory Service with Kerberos method and/or can using transparent method.
|
 |
¶ Infrastructure
HaCluster provides the possibility to distribute the load on proxies in connected mode and/or in transparent mode.
This allows it to offer a mixed infrastructure including both Active Directory-connected workstations and nodes without having proxy settings in the browsers.
- HaCluster and the transparent method
haCluster supports transparent load balancing of browser traffic to a proxy farm.
It acts as a Layer 4 or Layer 7 load balancer that can distribute client HTTP/HTTPS requests across multiple proxy servers without requiring any browser configuration
- Internal Bandwidth Diagnostics Between haCluster and Proxies
HaCluster has the ability to perform bandwidth tests between the load balancer and proxy servers within the farm.
This feature allows administrators to actively measure and monitor the network performance between the load balancer and each proxy node.
¶ Getting Started
Since the infrastructure consists of a load-balancer and a proxy farm, you need to install at least 2 or 3 Artica servers, all of which have an enterprise license.
- Install the HaCluster feature
The load-balancer drive clusters parameters in order to link them in the pool.
It receives requests events in central mode for monitoring and troubleshooting.
¶ Add/remove/configure backends inside the Proxies farm.
Adding nodes to a cluster farm has been simplified as much as possible while still maintaining a high level of secure communication between nodes. You can install an Artica node using the ISO or by cloning the virtual machine.
HaCluster then automatically links the remote server, configures it, and gets it ready for production use as quickly as possible.
Your 3 servers (the load balancer and the 2 Artica servers as proxy) must have a valid Artica server license.
- Connecting an Artica proxy to the farm from the HaCluster
To link an Artica proxy server from the load balancer, you can send a command to the remote Artica node to join the farm
- Connecting an Artica proxy to the farm from the node itself
To link an Artica proxy server from the node, you can use the Unix console to join the farm.
- How to disconnect a backend from the farm ?
There are two methods to disconnect a backend server.
From the HaCluster load-balancer or on the backend itself
- DNS load-balancing backend service for proxies
Artica provides an integrated DNS load-balancing system specifically designed to optimize and accelerate DNS queries generated by local backend proxy servers
- About the License
If you have a Gold license, it’s automatically shared with all nodes in the cluster farm.
This way, you don’t waste time managing a license across your farm.
¶ The Master server ( central cluster configurator )
- Define the Master Cluster.
The Master Cluster is one Artica server that holds the configuration set.
It's on this server that you need to administer the proxy settings so that the farm replicates the settings on the clones.
¶ HaCluster as a DNS Load-Balancer
The HaCluster product can act as a powerful DNS load-balancer by leveraging its built-in proxy farm.
With this configuration, DNS requests from client workstations are intelligently distributed across multiple proxy backends, ensuring high availability, improved performance, and redundancy.
- Turn on the Hacluster DNS feature
HaCluster monitors the health of each proxy and automatically routes queries to the most responsive servers, providing a reliable and scalable DNS resolution service for your network.
- DNS Farm Monitoring with HaCluster
HaCluster provides built-in capabilities to monitor and manage your DNS proxy farm in load-balancing mode
- Centralized DNS Logging with HaCluster
The HaCluster load-balancer centrally receives all DNS requests through Syslog from its proxy backends
¶ Web-Filtering
- Central Web-filtering error page.
When your backends use web filtering, your users are redirected to an error page if a website is blocked.
By default, this error page is hosted on each backend on port 9025/9026.
With HaCluster, you can centralize the handling of these error page requests.
¶ Manage the Load-balancer the HaCluster itself
- Define the balance method
methods used to load-balance proxies : Lowest connection, Round-Robin, Strict hashed ip
- Automatic detection and load investigation.
Most balancers detect an overloaded node by connecting to a listening port and then, calculate the response time.
In many cases, especially with proxy technology, this is not enough.
Artica Agents installed on each proxy will report the real state of servers load
- Manage Health Checks
HaCluster uses the method of polling your backend servers by attempting to request a statistics report from the proxy service at a set interval.
¶ Microsoft Active Directory support
HaCluster is compatible with Microsoft Active Directory 2008, 2012, 2016, 2019, 2022
It uses the Kerberos method to identify with your Active Directory.
The objective is as follows: The Load-balancing service is the single point that provides the initialization of the Kerberos session.
Backend proxies use the token produced for the Load-balancer to identify credentials sent by browsers.
This means that you must also allow proxies to connect to your Active Directory.
See :
- Prerequisites for the Active Directory connection
- Kerberos connection with a standard account.
- Active Directory connexion wizard
- Adjusting Kerberos encryption types
- kinit: Preauthentication failed while getting initial credentials
¶ Centralized events / monitoring.
HaCluster has features to centralize legal records from web proxy services registered in the farm.
Proxy server logs contain the requests made by users and applications on your network.
This does not only include the most obvious part : web site request by users but also application or service requests made to the internet (for example application updates).
- Centralized logs with HaCluster
When connecting a new backend to the HaCluster, it is automatically defined to send relatime access events using syslog to the HaCluster Load-balancer service.
- Monitor haCluster and backends
You can monitor 3 types of events, the balancing service, user requests on the farm and the status of the backend servers.
- Forward relatime events to a SIEM/log sink
HaCluster is able to receive real-time request events from different backend proxies and to consolidate them.
It is also able to retransmit this consolidation to a log sink or a SIEM
¶ Syslog Port: UDP 514
- The access requests are sent by the clustered proxies trough Syslog.
- Ensure that the UDP 514 port is open from clustered proxies to the Artica load balancer.
¶ Artica HTTPS Port: TCP 9000
- Both clustered proxies and load balancer communicate through RESTful API using the Artica Web console (by default TCP 9000 ).
- Ensure that SSL is enabled on all Artica Web consoles and there is not firewall rules that deny communications between Artica servers.
¶
[SETUP]: Setup Failed Transparent port return failed
It is possible that during the setup, a backend return Failed caused by transparent port is not correctly opened.
In this case, click on the “setup error” icon of the proxy
¶ FAQ
- http-check only supports disable-on-404 (v4.30)
- Incompatible NAT to the load balancer
When the Artica Load-balancer send order, the Artica Proxy client retrieve the Load-balancer IP from the SSL connection.
This IP address not be masqueraded by a firewall.
If it is the case, Artica Proxy clients will try to communicate directly with the firewall instead of the load-balancer.
(If you need this feature, please contact the support to evaluate required development.)