CacheGuard-OS
User's Guide - Version UF-2.2.2


The Network

A freshly installed CacheGuard-OS has no IP configuration at all, and before you can connect to it as an administrator (the admin user) you must set an IP address on at least one of its network interfaces. The only way to set an IP address for the first time on a CacheGuard appliance is to use the appliance's console port. At the first login (as the admin user) via the console port, a command named setup is automatically executed and lets you set CacheGuard's internal and external IP addresses. Alternatively, you can use the ip command.

Network Interfaces

With a CacheGuard appliance, the network is divided into at least 2 zones: the internal zone and the external zone. The external zone is considered untrusted (the internet), while protected users and servers should be placed in the internal zone (considered trusted). A third, optional zone called auxiliary can be created and used as you see fit (for instance, as a DMZ or as a back-office zone). The internal zone can optionally be divided into sub-zones using tagged VLANs.

A CacheGuard appliance connects each zone via a distinct logical network interface. Hence, a CacheGuard appliance can support up to 3 logical network interfaces: the external, the internal and the auxiliary logical network interfaces. In this network topology, internal users and servers are routed via the internal interface, while the CacheGuard appliance uses its external interface to connect to the internet.

A logical network interface should be associated with at least one physical network interface. The link command allows you to associate a logical network interface with a physical network interface (eth0, eth1...). A link configuration in which more than one physical network interface is associated with a logical network interface is called link bonding. Link bonding is an active/backup link configuration that allows service continuity in case of a link connectivity failure. Refer to the Link Bonding section for further information on link bonding.

Appliance IP addresses

To support the IP protocol, a logical network interface must be associated with a main IP address. The ip command allows you to set main IP addresses. Additional IP addresses can be implicitly associated with a logical network interface by other commands. For instance, the vrrp command allows you to create floating IP addresses in HA mode, while the rweb command may create IP aliases associated with a main IP address. The example below sets the external IP address to 192.168.1.1 255.255.255.0 and the internal IP address to 10.20.0.254 255.255.0.0:

Using 802.1q VLANs

A CacheGuard appliance supports 802.1q VLAN (Virtual LAN) tagging on its internal network interface to secure and isolate predefined functional traffic (admin, web, rweb...). When using tagged VLANs, a pseudo network interface is implicitly created for each defined VLAN. To use VLANs, you have to activate the VLAN mode with the mode vlan on command and then configure VLANs with the vlan and ip commands. Note that in VLAN mode, the native IP address associated with the internal network interface is no longer active and you should configure a separate IP address for each pseudo network interface. For instance, the following commands define tagged VLANs 10, 20 and 30, respectively associated with the web, rweb and admin functional traffic, and set a distinct IP address for each created VLAN (all other functional traffic is left in the default VLAN 0).

Network Routes

To route (or forward) IP traffic, you must create routing tables. CacheGuard-OS supports static routes only. However, you can create multi-gateway routes in order to balance IP routing between multiple gateways. In a multi-gateway configuration, gateway failures can be detected and the routing configuration is dynamically modified so that traffic is no longer routed via failed gateways. Please note that gateways in a route specification should be directly connected to a CacheGuard network interface and have an IP address in the same network as that interface's IP address. As an example, the following commands allow you to create 2 default gateways via the 192.168.1.254 and 192.168.1.253 gateways and a static route to the 172.22.22.0 255.255.255.0 network via the 10.20.0.1 gateway.

Domain Name Servers

To connect to external name-based services (for instance, websites), a CacheGuard appliance needs a DNS (Domain Name Server) to translate domain names to IP addresses. The CacheGuard appliance embeds a caching-only DNS server that you can activate by adding localhost (or the 127.0.0.1 loopback IP address) to the list of DNS servers. You can also add external DNS servers to the system using the dns command. If you activate the internal DNS server, you can allow external clients to use it as a service. Please note that you can restrict DNS access to trusted networks only by using the access command. The example below activates the internal DNS and allows IP clients to use it as a service.

DHCP Server

A CacheGuard appliance integrates an easy-to-handle DHCP server that you can activate to deliver dynamic IP addresses to connected devices. The dhcp command allows you to define dynamic IP address ranges and/or fixed IP addresses for particular devices identified by their MAC addresses on an Ethernet network. Please note that dynamic IP addresses can only be delivered to devices connected to the internal network interface (or the web interface in VLAN mode). The example below activates the DHCP server, configures it to deliver dynamic IP addresses between 10.20.0.11 and 10.20.0.15, and fixes the IP address 10.20.0.10 and the hostname john for the device having the 00:01:00:02:00:03 MAC address.

High Availability

A CacheGuard appliance uses several technologies to ensure the High Availability (HA) of the services it offers. HA in a CacheGuard appliance is based on the concepts of redundancy and resiliency. If you plan to implement CacheGuard solutions to secure and/or optimise critical services in your organisation, it is highly recommended to implement the HA offered by CacheGuard-OS.

The VRRP Protocol

By associating several CacheGuard appliances in HA mode, you can ensure service continuity and HA (High Availability) in case of a (software or hardware) failure on one of them. To associate two (or more) CacheGuard appliances in HA mode, you must activate the HA mode on them using the mode ha on command. In HA mode, up-and-running appliances automatically start to handle the network traffic that was initially destined for a failed appliance. The HA mode is based on VRRP (Virtual Router Redundancy Protocol) and can be configured using the vrrp command.

When using VRRP, two (or more) CacheGuard appliances share the same virtual IP (VRRP IP) address (in addition to their real IP addresses) on the same network interface. External services/clients should then address appliances configured in HA mode using their VRRP IP addresses (and not their real IP addresses). A VRRP IP address can be master (active) or backup on a network interface. The master VRRP IP is active on a network interface until a failure occurs on that network interface. Following that failure, the backup VRRP IP becomes active (on the backup appliance). Each CacheGuard appliance embeds a service called the health checker that continuously verifies the health of the services running on it. In case of a repetitive failure of a service, the health checker deactivates the appliance's network interfaces, allowing the other appliances associated in HA mode to take over from the failed appliance.

Link Bonding

As seen before, logical network interfaces (internal, external and auxiliary) should be associated with at least one physical network interface. However, you can associate a logical network interface with more than one physical network interface. The association of a logical network interface with more than one physical network interface is called link bonding. Link bonding can be configured using the link command. In a link bonding configuration, there is always one active link while the others are backup links. In this context, a link is composed of a NIC (Network Interface Card), a cable and a port on a network switch. When a logical network interface is configured with link bonding and its active link fails, traffic is no longer exchanged via that failed link and a backup link is activated to handle the network traffic for that logical network interface.

HA Network Example

The diagram below shows a highly available network architecture based on the redundancy and resiliency of all its components. In this network architecture, the logical network interfaces of each CacheGuard appliance are connected to two distinct switches. To eliminate any SPoF (Single Point of Failure), the CacheGuard appliance as well as the internet router are doubled up. The following commands configure the two CacheGuard appliances in HA mode to offer the highest level of availability.

First Appliance Configuration

Second Appliance Configuration

In this example, the first CacheGuard appliance (cacheguard1) has its active default gateway set to 192.168.2.254 (which is the LAN IP address of the internet router on the left). This CacheGuard appliance is then configured to use the 192.168.2.253 IP address (which is the LAN IP address of the internet router on the right) as its default gateway in case of a failure on the 192.168.2.254 gateway (internet router on the left). The same VRRP IP addresses are used on both appliances but with inverted states (the master and backup VRRP IP addresses are inverted). In this way, both CacheGuard appliances can be solicited by clients in an active/active mode.

In addition, each CacheGuard appliance operates in a link bonding configuration in which its external logical network interface is associated with its eth0 and eth2 Ethernet cards, while its internal logical network interface is associated with its eth1 and eth3 Ethernet cards. Finally, Web caching is activated on both appliances and each is configured to request the other's HA Web cache using the peer ha... command for an even better bandwidth saving.

The two CacheGuard appliances configured in this way can then be used in an active/active mode with the help of a WPAD (Web Proxy Auto Discovery) script set on Web browsers. Note that a CacheGuard appliance in HA mode provides a WPAD script via the http://<cacheguard-internal-ip-address>/ha.pac URL, where <cacheguard-internal-ip-address> is an internal master VRRP IP address. The provided WPAD script supports sticky connectivity so that a given target URL requested by a given Web client is always reached via the same Web proxy (in normal circumstances, when both CacheGuard appliances are up and running).

You can also use your own WPAD script to share the total Web traffic between both CacheGuard appliances according to your needs. To use a WPAD script, save it in a file having the ".pac" extension and put it on a Web server available from your Web browsers. Be sure that the "application/x-ns-proxy-autoconfig" MIME type is set for WPAD script files on that Web server. A WPAD script can be as follows:

function FindProxyForURL(url, host)
{
  // Only HTTP and HTTPS requests are sent through a CacheGuard appliance
  if (url.substring(0, 5) == "http:" ||
      url.substring(0, 6) == "https:") {
    // Pick one of the two appliances at random; the browser falls back to a
    // direct connection if the chosen proxy is unreachable
    if ((Math.floor(Math.random() * 2)) == 0) {
      return "PROXY 172.18.2.254:8080 ; DIRECT";
    }
    else {
      return "PROXY 172.18.2.253:8080 ; DIRECT";
    }
  }
  // Everything else goes direct (the return value must be a string)
  return "DIRECT";
}
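The random script above spreads load but is not sticky: the same client can reach the same site through either appliance from one request to the next. The following script, an added example that is not the guide's ha.pac nor part of CacheGuard-OS, keeps a given target host on the same appliance by hashing the host name, and lists the other appliance as the fallback; the two proxy addresses are assumed values reusing the ones from the script above.

```javascript
// Added example, not CacheGuard-OS code: a sticky active/active PAC script.
// A target host is always assigned to the same appliance (hash of the host
// name) while both appliances are up; the other one is the fallback proxy.
// Proxy addresses are assumptions for this example.
var CG_PROXIES = ["172.18.2.254:8080", "172.18.2.253:8080"];

// Deterministic string hash (djb2), kept in unsigned 32-bit arithmetic so it
// gives the same result in every PAC engine.
function hostHash(host) {
  var h = 5381;
  for (var i = 0; i < host.length; i++) {
    h = ((h << 5) + h + host.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Build the proxy chain for a host: primary appliance chosen by hash, the
// other appliance as backup, and DIRECT as last resort.
function proxyChainFor(host) {
  var idx = hostHash(host.toLowerCase()) % CG_PROXIES.length;
  var primary = CG_PROXIES[idx];
  var backup = CG_PROXIES[(idx + 1) % CG_PROXIES.length];
  return "PROXY " + primary + "; PROXY " + backup + "; DIRECT";
}

function FindProxyForURL(url, host) {
  // Only HTTP and HTTPS go through the appliances; other schemes go direct.
  if (url.substring(0, 5) !== "http:" && url.substring(0, 6) !== "https:") {
    return "DIRECT";
  }
  // Unqualified (internal) host names are reached directly, not proxied.
  if (host.indexOf(".") === -1) {
    return "DIRECT";
  }
  return proxyChainFor(host);
}
```

Because the assignment depends only on the host name, every browser using this script sends a given site to the same appliance, which keeps that appliance's Web cache warm for it.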

The network architecture above and its associated CacheGuard appliance configurations allow you to support various failure scenarios such as, but not limited to, one or more physical network card failures, one or more cable failures, one or more switch failures, one CacheGuard appliance failure, and one internet router failure.