Kaspersky Web Traffic Security scans user HTTP, HTTPS and FTP traffic that passes through the proxy server.
The same Kaspersky Web Traffic Security suite is installed on all servers. It includes both traffic processing functionality and the ability to manage application settings. Traffic is transmitted from users' computers through a proxy server to the Kaspersky Web Traffic Security node for scanning. If the scan result allows access to the requested web resource and the traffic does not contain viruses or other threats, the request is transmitted through the proxy server to the web server. The response of the web server is processed in a similar way. The traffic processing scheme is presented in the figure below.
How traffic is processed by Kaspersky Web Traffic Security
When processing traffic, the application can use information about user accounts and their membership in domain groups. To do so, you need to configure integration of Kaspersky Web Traffic Security with Active Directory. Integration with Active Directory allows you to use automatic account authentication when working with user roles in the application, and to recognize user accounts when creating workspaces and traffic processing rules. Primary user authentication will be performed on the proxy server. The proxy server passes the information received from Active Directory to the application along with the user's initial request. In this case, the proxy server and application nodes will interact with the Active Directory server independently of each other. The operating scheme of the application when configured for Active Directory integration is presented in the figure below.
Operating scheme of the application when integrated with Active Directory
If traffic processing requires two or more servers with the application installed, all servers are combined into a cluster. One of the servers in the cluster should be assigned the Control role. The other servers in the cluster will be assigned the Secondary role. You can configure traffic processing on all nodes, including on the node with role Control. The difference between a node with role Control and nodes with role Secondary is that application settings can be modified only on the node with role Control. The settings are distributed from the node with role Control to all nodes with role Secondary in the cluster. Each cluster node exchanges data with the Active Directory server independently of the node with role Control and other nodes with role Secondary. The interactions of components are presented in the figure below.
Scheme of interaction of application components
If the node with role Control fails, the application goes into emergency mode. In this case, the administrator must assign the Control node role to one of the nodes with role Secondary. Traffic processing will not be interrupted during this procedure. All nodes continue to process network traffic using the latest settings received from the node with role Control before the application switched to emergency mode. Subsequent configuration of settings is done on the new node with role Control. The role change scheme when the application goes into emergency mode is shown in the figure below.
Role changes when the application goes into emergency mode
If the volume of processed traffic involves a large number of cluster nodes, it is recommended to use load balancing.
The interaction between the application and the proxy server depends on the distribution kit. When Kaspersky Web Traffic Security (Standalone) is installed from an RPM or DEB package, you need to configure integration with an external proxy server. When the Kaspersky Web Traffic Security (Appliance) ISO image is deployed, a built-in proxy server is used.