Note: This topic applies to the Kenilworth Release.
After configuring upstream proxy settings, see Configuring an Upstream Proxy, you can use a single upstream proxy for all web requests.
|1.||Go to the Web proxy > Upstream proxy > Manage policies page.|
|2.||In the Global options panel, configure the following:|
|•||Default upstream proxy — This setting determines the default proxy which is used when upstream proxies are not available, not configured or not allowed by policies.|
From the drop-down list, select an upstream proxy.
|•||Allow direct connections — Select this option to allow direct connections to origin servers.|
If allowed, direct connections will be made as a final fall-back if the default proxy is unavailable or not configured.
For more information, see Enforcing Upstream Proxy Usage.
|•||Leak client IP with X-forwarded-For header — Select this option to send the originating IP addresses of client requests upstream.|
|3.||Click Save. Guardian starts using the single upstream proxy.|
There are three potential destinations for a web request forwarded to an upstream proxy. These are as follows, in order of precedence:
|1.||A pool of one or more proxies which are allowed by the upstream proxy policies, to service the request.|
|2.||The default proxy, if configured.|
|3.||Direct forwarding of requests to their origin servers, if allowed. An origin server is defined as the target destination of web request, i.e. the server from which a requested resource originates.|
Upstream proxy policies are additive. Guardian checks requests against all the policies, in order. Any proxy which is allowed to service a particular request is added to the proxy pool in step 1. If the final pool for a request contains two or more proxies, load-balancing and fail-over rules decide which one will be sent the request.
Note: The rules above only apply to requests serviced by Guardian. If a client behind Guardian is able to obtain direct, unfiltered web access, the client’s requests will be treated no differently from other Internet traffic.
By configuring multiple upstream proxy policies, you can balance the web request load across two or more upstream proxies.
To load balance using upstream proxy policies:
|1.||On the Web proxy > Upstream proxy > Proxies page, configure the upstream proxies you will be using. See Configuring an Upstream Proxy and Configuring Source and Destination Filters for more information.|
|2.||Go to the Web proxy > Upstream proxy > Manage policies page and click Advanced.|
|3.||From the Load balancing panel, choose the required Load balancing method:|
|•||Source IP — Based on the client’s IP address, Guardian selects one proxy from the set of allowed proxies and uses it as long as that proxy is available.|
For example: three requests for example.com from one machine might all go via proxy A; three requests from the machine next to it might all go via proxy B.
|•||Username — Based on the client’s username, Guardian selects one proxy from the set of allowed proxies and uses it as long as that proxy is available.|
For example: three requests for example.com while logged in as Alice might all go via proxy A; three requests while logged in as Bob might go via proxy B, even if Bob has the same IP as Alice.
|•||Round-robin — Guardian cycles through the proxies one by one. Three requests for example.com, with three proxies allowed to serve the request, would send one request via each.|
|4.||From the Manage upstream proxy policy panel, configure the following:|
|•||Upstream proxy — From the drop-down list, select the proxy for which you are configuring the policy.|
|•||Source filter — From the drop-down list, select Everything.|
|•||Destination filter — From the drop-down list, select Everything.|
|•||Action — Select Allow.|
|•||Comment — Optionally, enter a comment describing the proxy.|
|•||Enabled — New policies are enabled by default. Clear the check box to create a disabled policy.|
|5.||Click Save. Guardian creates the policy and lists it in the Upstream proxy policies table.|
|6.||Configure policies for other upstream proxies by repeating steps 2, 3, and 4 above.|
Once you have configured policies for the upstream proxies you require, Guardian will check any web requests against the policy table and each of the proxies will be allowed to service the request, so load balancing and failover rules will be used to pick the most suitable proxy. Guardian monitors availability of upstream proxies automatically and avoid forwarding requests to unavailable proxies.
If none of the proxies permitted to service a request are available, Guardian will use the default proxy. If the default proxy is not available, or if no default proxy is configured, the request will be forwarded directly to its origin server.
If you want to prevent web requests from being forwarded directly to their origin servers when other permissible upstream proxies are unavailable, disable the Allow direct connections option.
Note: As the Allow direct connections option eliminates the last option for forwarding requests in failure scenarios, only use it to implement strict requirements that all traffic go through an upstream proxy.
For finer-grained control of direct connection behavior, you can configure policies using the dummy upstream proxy option None. For example, to prevent only YouTube traffic from being sent directly, enable the Allow direct connections option, then create a policy with upstream proxy None, action Block, and a destination filter corresponding to the youtube.com domain.
Conversely, to allow direct access only for requests to certain sites, disable Allow direct connections and create None, Allow policies matching those requests for which direct access is permissible. This may be useful for bandwidth conservation, if direct access is routed over a slower link than access to the upstream proxies.