Load balance web proxy across specified PAT address group

Hello, I am trying to reconfigure our UTM for a scenario that accomplishes some goals that we do not have today:

  • I would like to convert our masquerade rules to all SNAT rules if possible, because they use less processing power and they are easier to read in my opinion;
  • I would like to separate web proxy traffic so that it will egress on different assigned PAT addressing, based on the source network if possible;
  • In one of the PAT groups, I would like to configure port load balancing for the associated web proxy traffic per this technote from Sophos;

I have done a fair amount of research on how to accomplish all these objectives, or where the limitations of the UTM may be. I am getting conflicting information between the forum and Sophos support.

Sophos support published How to change the outgoing interface for Web Filtering almost immediately after I submitted questions about this. That's nifty, but I've also found other solutions to change the web proxy egress address here, here and here. After speaking with them today, I believe they have also confirmed that it may be impossible to have web proxy traffic exit on different external addresses based on the source (also confirmed for SNAT here and here).

So I guess my questions for the experts here are:

  • please confirm whether or not web proxy must egress on a single external IP (or group) and cannot change based on the traffic source;
  • please confirm HOW you make this port load balancing feature work - is there more than one way to accomplish this?
  • is there some reason that I should use masquerade rules? why not use SNAT for all my PAT needs?

One other thing I should mention: I have multiple additional addresses linked to my external interface. These are mostly used for specific-case DNATs. I do not wish to use this addressing as part of the PAT port load balancing scheme. I would like to designate 3 specific external IP addresses for the PAT port load balancing group if possible.

Thank you

  • Kevin, thanks for finding How to change the outgoing interface for Web Filtering which was published last Friday - we've waited a long time for this capability! Rather than use the suggested method of enabling this capability, do the following as root:

    cc set http enable_out_interface 1

    We now have the ability to assign a different Interface and/or Additional Address as the public IP for Web Filtering traffic based on the traffic source. Create a different Web Filtering Profile for different internal IPs and subnets and assign an address per Profile.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob.

    Sounds like you are saying that you can change the proxy external IP address based on the traffic source (using the Web Filtering Profile feature) - that's great because it's what I would like to do.

    Can you please comment on the other important piece regarding this Office365 technote? The technote is specifically related to web proxy traffic and allowing multiple load-balanced external IPs. However, I cannot figure out how to configure this?

    For example, if I were to use the GUI feature and Web Filtering Profiles ... how can I implement the proxy load balancing to use more than one address?

    Thanks

  • There is no "load balancing" per se. I would do something like create a Profile for each /21 subnet in use and then assign a different Additional Address to each Profile. That limits each public IP to serving less than 2K internal IPs. Is that what you were looking for?

    Cheers - Bob

  • I had thought of that idea as well, and it is certainly a possibility given that we can identify the source of the traffic.

    However, why does the technote state "To resolve this issue add multiple (e.g. three) external IP addresses to a single UTM interface or multiple separate external interfaces. The UTM may then load balance traffic across those interfaces in order to create 3 x 40,959 ports per IP address or interface, thus creating 122,877 available ports."?

    For that matter... we currently have the web proxy using the default external interface, an interface which has 10+ additional addresses attached to it. The proxy never sends traffic to any of the additional addresses. So that makes me question what this technote is actually about?

    Thanks

  • That statement in the KB article is incorrect. Uplink Balancing can't be done among Additional Addresses on a single interface.

    Only a single "(Address)" object is accepted in the 'Interface for outgoing traffic' field. What I suggested is the only possibility unless you put the three addresses on three separate Interfaces that all feed into a switch between the UTM and the ISP. You can then use Uplink Balancing, and you wouldn't need multiple Profiles.

    Cheers - Bob

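A planning check for the per-subnet Profile approach Bob describes above (one Web Filtering Profile per internal subnet, each bound to its own Additional Address), measured against the 40,959 ports-per-IP figure quoted from the technote earlier in the thread. This is an added example, not code from the thread or from Sophos UTM; the profile names, networks, egress addresses and the connections-per-host estimate are constructed.

```python
"""Capacity check for a per-subnet Web Filtering Profile plan.

Added illustration, not code from the thread or from Sophos UTM. One Profile per
internal subnet, each bound to its own Additional Address, is checked against a
per-IP source-port budget. 40,959 is the per-address figure quoted from the
technote in the thread; plan rows and connections-per-host are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

USABLE_PORTS_PER_IP = 40_959  # per-address figure quoted from the technote

# Constructed plan rows: (profile name, allowed source network, egress Additional Address)
PLAN = [
    ("Proxy-Users-A", "10.10.0.0/21", "203.0.113.10"),
    ("Proxy-Users-B", "10.10.8.0/21", "203.0.113.11"),
    ("Proxy-Servers", "10.20.0.0/24", "203.0.113.12"),
]

def validate_plan(plan):
    """Return problems: overlapping source networks (egress becomes ambiguous)
    or one egress address shared by several Profiles (its ports are contended)."""
    problems = []
    nets = [(name, ip_network(src)) for name, src, _ in plan]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} and {name_b} overlap: {net_a} / {net_b}")
    users = defaultdict(list)
    for name, _, egress in plan:
        users[egress].append(name)
    problems += [f"egress {ip} shared by {', '.join(n)}" for ip, n in users.items() if len(n) > 1]
    return problems

def egress_for(plan, client_ip):
    """Egress address a client would leave on under the plan; None if no Profile matches."""
    addr = ip_address(client_ip)
    return next((egress for _, src, egress in plan if addr in ip_network(src)), None)

def port_budget(plan, conns_per_host):
    """Worst-case source-port demand per egress IP and whether it fits the budget.
    Assumes every usable host in each network holds conns_per_host proxy connections."""
    demand = defaultdict(int)
    for _, src, egress in plan:
        hosts = ip_network(src).num_addresses - 2  # exclude network and broadcast
        demand[egress] += hosts * conns_per_host
    return {ip: (d, d <= USABLE_PORTS_PER_IP) for ip, d in demand.items()}
```

At 20 proxy connections per host a /21 (2,046 usable hosts) lands just under the quoted per-IP budget, which is roughly the "less than 2K internal IPs" per address that Bob describes; at 21 it no longer fits.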