Migrating from McAfee Network Driver to HAProxy in Skyhigh Web Gateway
Technical Articles ID:
KB91848
Last Modified: 2023-06-22 10:48:52 Etc/GMT
Environment
Skyhigh Web Gateway (SWG) 8.2.0 and later
Summary
SWG 8.2.0 and later include the replacement for the McAfee Network Driver (MFEND). MFEND is the kernel module responsible for the Proxy HA, Transparent Router, and Transparent Bridge deployment modes. As part of this transition, MFEND is replaced with an equivalent technology stack that provides the same feature set in user space.
One of the prominent elements of the stack is
The data plane is shifted from kernel space to user space. After the MFEND replacement, direct migration isn't supported when you upgrade to version 8.2.0 or later from a previous supported version.
More manual configuration is needed after you upgrade from a previous version to version 8.2.0 or later.
You must reconfigure the deployment modes in your respective SWGs according to the new changes. This article helps you understand the new configuration changes needed to configure each mode.
Solution
After you upgrade, you'll find three new fields in the SWG manager:
- Scanner table: A typical deployment setup consists of SWG appliances that operate as Directors and Scanners. With MFEND, the Active Director could identify the scanners in the setup automatically. With the new change, you must explicitly configure the scanners on both directors (Active and Backup) in your deployment. A new table has been introduced in the Manager to configure the scanning nodes. How to configure the scanner table for each mode is explained individually below.
- Relay Port: TCP port opened on Director nodes for use by the scanners to relay traffic to the external servers.
- Scanner Probe interval: This setting is an interval in milliseconds and controls how often the director sends the health check probe request to the scanners. This probe checks and reports whether the scanner is up. A probe request is sent to all IPs recorded in the scanner table. If you enter the value 0, no scanner probes are sent.
New Ports Used:
HAProxy now uses UDP port 1025 on 127.0.0.1 to collect syslogs.
ProxyHA Mode:
To configure the Active Director:
- Configure the network interface to use for the Virtual IP (VIP). In this case, it's interface eth1.
NOTE: For details about how to configure the network interfaces, see the Skyhigh Web Gateway 8.2.x Interface Reference Guide.
We recommend that you use a /32 subnet mask when you configure this IP address on the cluster nodes.
- Select Proxy configuration, Network Setup.
- For Deployment mode, select Proxy HA.
- Configure the newly added Scanners table.
Specify the nodes that are part of the deployment mode as a Scanner or Peer/Director. Scanners perform traffic filtering and Directors perform load sharing.
- You can assign a node to act as a Redundant Director for redundancy. In that scenario, enter the IP of the Redundant Director (for example, 192.168.10.11) and select the Type as Peer/Director.
- If the Active Director is used as a scanner, enter the IP address of the Active Director's network interface in the Scanners table. Then, set the Type as scanner.
- Add any other appliances configured as a scanner to the Scanners list (for example, 192.168.10.12). Remember to set the director priority to 0 on those scanners.
- Increase the Active Director's priority and keep it higher than the Redundant Director.
- Keep the default values for the Relay Port and Scanner Probe Interval fields.
- Relay Port: When the default port number is used for another purpose in your setup, change this port accordingly.
NOTE: You must configure the same port value for all directors.
- Scanner Probe Interval: By default, the probe is sent every two seconds. You can change this interval if needed.
- Configure the HTTP and FTP listener ports with the interface IP address that you configured above.
NOTE: If you've modified the default port ranges for the FTP listener and server listener, you must reconfigure them manually after the upgrade so that no ports are used in that range. If the default port range was in use before the upgrade to version 8.2, it's automatically updated to the latest default values: client listener port 15000–20000 and server listener port 20001–25000.
- You can configure multiple VIPs, if needed. At least one needs to be on the same interface as that of the VRRP.
To configure the Redundant Director:
The configuration steps are identical to those of the Active Director, but configure the Redundant Director's priority to be lower than that of the Active Director.
To configure Scanners:
For scanners, configure the network interfaces in the same network as the directors. Select the mode as ProxyHA, set the director priority as 0, and configure the HTTP and FTP listener ports with 0.0.0.0:<port> (for example, 0.0.0.0:9090).
Router Mode:
To configure the Active Director:
- Configure the network interfaces for inbound (client-side) and outbound (server-side) traffic.
NOTE: In this example, eth2 is used for inbound and eth3 for outbound traffic.
- Select the Configuration tab, and click Proxies.
- Under Network Setup, select the Mode as Transparent Router.
- Configure the port redirects for the traffic to be intercepted. For example, HTTP (80 / 443) and FTP (21).
For details about port redirect, see the Skyhigh Web Gateway 8.2.x Product Guide.
- The Scanners table contains the outbound (server-side) IP addresses of the Active Director, the Redundant Director, and the Scanners.
The Redundant Director IP is listed with type Peer/Director. All scanners and the Active Director itself are listed as the type Scanner.
Enter the IP addresses in the Scanners table.
- Select Configuration, Appliances.
- On the Appliances tree, select the appliance you want to configure, and then click Proxies (HTTP(S), FTP, ICAP, and IM).
- Configure the following for each SWG appliance node in transparent router mode:
- Scanner Table:
- Add the interface IPs of the scanners.
- Select the Type as Scanner.
- On the Active Director, if you want that device to also act as a scanner, add its outbound interface IP with the Type set to Scanner.
- On the Active Director, if you want the Redundant Director to act as a scanner, add the Redundant Director's outbound interface IP with the Type set to Peer/Director.
- On the Redundant Director, if you want that device to also act as a scanner, add its outbound interface IP with the Type set to Scanner.
- On the Redundant Director, if you want the Active Director to act as a scanner, add the Active Director's outbound interface IP with the Type set to Peer/Director.
NOTE: If the Active Director isn't used as a scanner, don't enter the Active Director's interface IP in the scanner table.
- Increase the Active Director's priority to a higher value than that of the Redundant Director. Keep the default values for the Relay Port and Scanner Probe Interval.
- Relay Port: If the default port numbers are used for some other purposes in your setup, the ports can be adjusted accordingly.
- Select Configuration, Appliances.
- On the Appliances tree, select the appliance that you want to configure, and click Proxies (HTTP(S), FTP, ICAP, and IM).
- Configure the new Relay port to each SWG appliance node in transparent router mode.
- Click Save Changes.
NOTE: You must use the same port value across all directors.
- Scanner Probe Interval: By default, the probe is sent every two seconds, and can be changed if needed.
- Select Configuration, Appliances.
- On the Appliances tree, select the appliance you want to configure, and click Proxies (HTTP(S), FTP, ICAP, and IM).
- Configure the new Scanner Probe Interval for each SWG appliance node in transparent router mode.
- Click Save Changes.
NOTE: You don't need to change the VIP and VRRP-related configuration. If you enter 0, no scanner probes are sent.
- Configure the HTTP and FTP listener ports with the outbound interface IP:
- Select Configuration, Appliances.
- On the appliances tree, select the appliance you want to configure, and click Proxies (HTTP(S), FTP, ICAP, and IM).
- Add the outbound interface IP of the device.
- Append the port numbers that the proxy listens to.
NOTE: If the default port ranges for the FTP listener are different in your existing setup, reconfigure them manually after the upgrade so that no ports are used in that range. If the default port range was in use before you upgraded to version 8.2, it's automatically updated to the latest default values: client listener port 15000–20000 and server listener port 20001–25000.
To configure the Redundant Director:
Configure the Redundant Director identical to that of the Active Director, but set the Redundant Director's priority lower than that of the Active Director.
To configure Scanners:
The scanners are attached to the Director's outbound interface. Configure the network interface on these scanners in the same network as the director's outbound network interface. Then, select the mode as Transparent Router, set the director priority as 0, and configure the HTTP and FTP listener ports with 0.0.0.0:<port> (for example, 0.0.0.0:9090).
Bridge Mode:
Bridge Mode support is a work in progress. This function is available in a forthcoming release.
Recommendations:
To configure the FTP listener:
Make sure that the TCP ports configured under client/server listener port ranges are freely available (not assigned or used already). These port ranges are used by the internal load balancer and if incorrectly configured, the setup doesn't work as expected.
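A pre-flight check for this recommendation, added here as an example (it is not part of the article or the product): it scans `ss -Hltun`-style listener output for ports that fall inside the default client (15000–20000) and server (20001–25000) listener ranges. The `ss` output below is constructed; on an appliance you would feed the function the live output.

```shell
#!/bin/sh
# Added example (not from the article): check that the listener port ranges
# the internal load balancer will use are not already taken on this node.
# Default ranges after the 8.2 upgrade, as stated in the article.
CLIENT_LO=15000; CLIENT_HI=20000
SERVER_LO=20001; SERVER_HI=25000

# Constructed sample of `ss -Hltun` output (State Recv-Q Send-Q Local Peer);
# on a real appliance use: check_default_ranges "$(ss -Hltun)"
SAMPLE_SS='LISTEN 0 128 0.0.0.0:9090 0.0.0.0:*
UNCONN 0 0 127.0.0.1:1025 0.0.0.0:*
LISTEN 0 128 0.0.0.0:17500 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Print every local port in the given ss output that lies inside [lo, hi].
# The local address is field 4; the port is whatever follows the last colon,
# which also handles bracketed IPv6 addresses such as [::]:22.
conflicts_in_range() {
  printf '%s\n' "$3" | awk -v lo="$1" -v hi="$2" '
    { n = split($4, a, ":"); p = a[n] + 0; if (p >= lo && p <= hi) print p }'
}

# Check both default ranges; return 1 if any port in either range is in use.
check_default_ranges() {
  ss_out=$1; rc=0
  for spec in "client $CLIENT_LO $CLIENT_HI" "server $SERVER_LO $SERVER_HI"; do
    set -- $spec
    busy=$(conflicts_in_range "$2" "$3" "$ss_out")
    if [ -n "$busy" ]; then
      echo "$1 listener range $2-$3 has ports in use: $(echo $busy)"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run against the constructed sample: reports port 17500 as a conflict.
if check_default_ranges "$SAMPLE_SS"; then
  echo "listener port ranges are free"
fi
```

Add any non-default ranges or the Relay Port you configured as extra `conflicts_in_range` calls before running the upgrade.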
Upgrade:
- After you complete the upgrade, reboot the system according to the documentation.
To configure Deployment Modes:
Transparent modes are best configured with the following two distinct steps:
- Add Network interface changes/IPs in the Network Interface tab, and then click Save.
After the configuration is saved, you're logged out of the Manager. The appliance network settings service then restarts. This restart applies the system changes needed before you go to the next step.
- Log on to the Manager. Make the needed changes in the Proxy Configuration and click Save.