Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1369
Views
0
Helpful
1
Replies

Failover proxy server configuration on ESA 11.1.0-128

Go to solution
rolelael
Level 1
Level 1

‎06-18-2019 06:46 AM

Hello

 

We are setting up redundancy in on of our other countries….  We use a single cluster setup ( with seperate groups for each country ) 

 

The proxy server config for

- Services updates

- Advanced Malware Protection

 

points to a single http(s)://fqdn.host:8080

 

But in each country we have a seperate proxy server …. In case one country goes down, we still need updates + AMP protection ( file analysis etc )

 

Is there any way for failover config with proxy servers ? ( for ldap profiles there is :-) )

 

And we cannot ( for various reasons ) split cluster configs -> so we cannot setup seperate settings machine based….

 

Tx

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ken Stieers
VIP
VIP

‎06-18-2019 11:27 AM

There isn't a facility in the ESA for more than one proxy server.

As an example, you want the ESAs in Germany to use the proxy in the UK, if the proxy in Germany fails, right?



I think your best option is "global load balancing", where something like an F5 or Netscaler manages the "fqdn.host" by watching the various proxies and serves up an active and local one via dns (you delegate the "fqdn.host" DNS look up to the load balancers and set the TTL very short so everyone gets an up-to-date lookup)



You might be able to do something similar if you have a smarter DNS server than MS.






View solution in original post

0 Helpful
1 Reply 1

Go to solution
Ken Stieers
VIP
VIP

‎06-18-2019 11:27 AM

There isn't a facility in the ESA for more than one proxy server.

As an example, you want the ESAs in Germany to use the proxy in the UK, if the proxy in Germany fails, right?



I think your best option is "global load balancing", where something like an F5 or Netscaler manages the "fqdn.host" by watching the various proxies and serves up an active and local one via dns (you delegate the "fqdn.host" DNS look up to the load balancers and set the TTL very short so everyone gets an up-to-date lookup)



You might be able to do something similar if you have a smarter DNS server than MS.






0 Helpful
Customers Also Viewed These Support Documents