Way 1 - Short Lived DNS Round Robin Proxy Nodes

In this case we will deploy as many proxy nodes as needed and add IP address of each node to one short lived DNS A record. The browsers will access the proxy by this FQDN and because of round robin IP resolve scheme load will be more or less evenly distributed among all nodes.

Please note, this is not a real high availability solution as DNS server cannot track if a node in the cluster went down. Client browsers may still try connecting to a non-available cluster node for a short period of time.

  1. Create new type A record for proxy.example.lan and set the TTL to 15 seconds with IP address 192.168.178.10 for example.

    ../../../_images/node17.png
  2. Create new type A record for the same proxy.example.lan and set the TTL to 15 seconds with IP address 192.168.178.11 for example.

    ../../../_images/node27.png
  3. From another workstation check that nslookup is able to correctly resolve proxy.example.lan record into two IP addresses configured.

    ../../../_images/nslookup7.png
  4. Deploy two virtual appliances of Web Safety and assign IP address of 192.168.178.10 for the first node and 192.168.178.11 for the second node. For the instructions on how to assign static IP for a virtual appliance see article How to Set Static IP Address in VA.

  5. Follow the usual Active Directory configuration steps described in previous articles for each virtual appliance, but when configuring Kerberos authenticator provide the SPN based on proxy.example.lan and check the Use GSS_C_NO_NAME checkbox. This will let the node process requests for Kerberos authentication from browsers based on credentials contained in the request and not based on SPN (SPN still needs to be configured though).

    ../../../_images/gcc_c_no_name7.png