Sophos Web Appliance: Providing Load Balancing and Failover with proxy.pac Files

  • Article ID: 38788
  • Updated: 22 Oct 2015

Using a Sophos Management Appliance to Load Balance Sophos Web Appliances

Load balancing can be done on a Sophos Management Appliance (SMA) to which Web Appliances have been joined. An SMA is required for this form of load balancing.

This link explains how to enable load balancing with a Sophos Management Appliance.

Using a proxy.pac File to Provide Load Balancing

If you have two or more Sophos Web Appliances in your organization, you can use the following script to provide simple load balancing and failover capabilities via round-robin DNS.

  1. Using a basic text editor, such as Notepad, create a file with the following content:
    function FindProxyForURL(url, host) {
        // Each test matches the client's address against one subnet (network address
        // and mask) and returns that subnet's preferred Web Appliance followed by a
        // failover appliance. Replace every <...> placeholder with your own values.
        if (isInNet(myIpAddress(), "<subnet-1>", "<netmask-1>"))
            return "PROXY <appliance-for-subnet-1>; " +
                   "PROXY <failover-appliance-for-subnet-1>";
        if (isInNet(myIpAddress(), "<subnet-2>", "<netmask-2>"))
            return "PROXY <appliance-for-subnet-2>; " +
                   "PROXY <failover-appliance-for-subnet-2>";
        if (isInNet(myIpAddress(), "<subnet-3>", "<netmask-3>"))
            return "PROXY <appliance-for-subnet-3>; " +
                   "PROXY <failover-appliance-for-subnet-3>";
        if (isInNet(myIpAddress(), "<subnet-4>", "<netmask-4>"))
            return "PROXY <appliance-for-subnet-4>; " +
                   "PROXY <failover-appliance-for-subnet-4>";
        else
            // Clients outside all listed subnets connect directly, bypassing the appliances.
            return "DIRECT";
    }
  2. Change the subnet, netmask and proxy entries in the above script to match your network and the domain name of your DNS server.
    This script checks a user's IP address and then directs them to a Web Appliance. It also incorporates failover: each returned string lists a second Web Appliance after the first (the "+" concatenates the two PROXY entries), and the browser tries the next entry when the first is unreachable.
  3. Save this file as proxy.pac.
  4. Test the file by choosing the "configuration from a file" option in the "connect to the internet using a web proxy" page, using a web browser currently configured to connect directly to the internet. To access this option:
    • In Internet Explorer, select Tools > Internet Options > Connections > LAN Settings: Use automatic configuration script
    • In Firefox, select Tools > Options > Advanced > Network > Connection Settings: Automatic proxy configuration URL
  5. Also, test whether you correctly fail over to a DIRECT connection to the internet. To do this, go to the Advanced TCP/IP Settings page, select the DNS tab, and set the DNS name for this connection to "TEST". (Do not set it to register in DNS.) Click Apply, and then try to navigate to a known blocked site. You should now be accessing the internet directly and have access to the site.
  6. Deploy the tested proxy.pac file to your users by any one of the following methods:
    1. Distribute the tested proxy.pac file either by emailing it to your users or by posting it on an internal web server.

      Note: If you post the proxy.pac file on an internal web server, the link to it will be displayed as a text file unless you set the MIME type in your web server configuration:

      • For Apache 1.x, edit your /etc/apache/httpd.conf file by adding the following line:
        AddType application/x-javascript-config pac
        Then restart the Apache web server.
      • For Apache 2.x, edit your /etc/apache2/mods-available/mime.conf file by adding the following line:
        AddType application/x-javascript-config pac
        Then restart the Apache web server.
      • For IIS:
        1. In IIS Manager, right-click the website or website directory for which you want to add a MIME type, and click Properties.
        2. Click the HTTP Headers tab.
        3. Click Mime Types.
        4. Click New.
        5. In the Extension box, enter the file name extension: pac.
        6. In the MIME type box, enter the MIME type description: application/x-javascript-config.
        7. Click OK and then restart the IIS service.

      This option (1, distributing a proxy.pac file) requires the most work for users in your network.

      Note: By default, when a connection is established through a proxy server, the host name of the site and the proxy server name are cached. On future attempts to access the host name in the same session, Internet Explorer has cached information about which proxy to use. Therefore, all subsequent connections to the host are tried through the proxy that was used previously. This means that if the proxy server name that is cached is unavailable during the same session, the automatic proxy configuration script is not re-processed, and you receive a "Page Cannot Be Displayed" error message in Internet Explorer. You may want to disable the Automatic Proxy Result Cache to provide the proxy redundancy that you require. This will result in client-side processing of every GET request that is issued by Internet Explorer. As a result, Internet Explorer performance may be impacted depending on the logic of the Automatic Proxy Configuration Script and its size. The procedure for doing this is documented in the Microsoft Knowledge Base article

    2. Distribute the configuration as a wpad.dat file, which is documented in the Publishing Proxy Information as a wpad.dat File knowledgebase article.

      This method keeps more of the control over the proxy configuration process in your hands, but it still requires that your users set the "automatic proxy configuration" option in their browsers.

    3. Enforce the proxy configuration by creating a Group Policy Object (GPO) on your Active Directory server.

      This does require that you have an Active Directory server, but it allows you to enforce your users' browser configuration to use the Web Appliance.
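As an added example, not code from the Sophos article: a small Node.js harness that reproduces the PAC built-ins isInNet() and myIpAddress(), so a FindProxyForURL() of the same shape as the script in step 1 can be unit-tested before the .pac file is published. The subnets, appliance host names and port are constructed placeholders; the unfilteredClients() helper shows which client addresses would fall through to DIRECT and so reach the internet without passing through a Web Appliance.

```javascript
// Node shims for the two PAC built-ins the article's script relies on, so the
// routing logic can be checked offline before the .pac file is published.
let simulatedClientIp = "0.0.0.0";          // set by routeFor() below
function myIpAddress() { return simulatedClientIp; }

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer.
function ip2int(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// isInNet(host, pattern, mask): true when host lies in the masked network.
function isInNet(host, pattern, mask) {
  const m = ip2int(mask);
  return (ip2int(host) & m) === (ip2int(pattern) & m);
}

// Constructed appliance names and subnets (placeholders, not real hosts).
// Each subnet gets a preferred appliance and a failover; swapping the order
// between subnets spreads the load across both boxes.
const SWA1 = "PROXY swa1.example.com:8080";
const SWA2 = "PROXY swa2.example.com:8080";

// The PAC entry point, in the same shape as the article's script. The browser
// tries the semicolon-separated entries in order and moves on if one fails.
function FindProxyForURL(url, host) {
  if (isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0"))
    return SWA1 + "; " + SWA2;
  if (isInNet(myIpAddress(), "10.2.0.0", "255.255.0.0"))
    return SWA2 + "; " + SWA1;
  // Anything outside the listed subnets bypasses the appliances entirely.
  return "DIRECT";
}

// Evaluate the PAC for a given client address and URL (test harness only).
function routeFor(clientIp, url) {
  simulatedClientIp = clientIp;
  return FindProxyForURL(url, new URL(url).hostname);
}

// Audit helper: which of these client addresses would be sent DIRECT, i.e.
// reach the internet without passing through a Web Appliance?
function unfilteredClients(ips, url = "http://example.com/") {
  return ips.filter(ip => routeFor(ip, url) === "DIRECT");
}
```

Run unfilteredClients() over an export of your DHCP scopes before deployment; any address it returns is a client the PAC will never send through an appliance.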

Support for problems with third-party products that this article discusses may be provided by the manufacturer of that product. Sophos does not support such third-party products. The third-party products that this article discusses are manufactured by companies that are independent of Sophos. Sophos makes no warranty, implied or otherwise, about the performance or reliability of these products.

If you need more information or guidance, then please contact technical support.
