Load balancing Smoothwall Secure Web Gateway (SWG)
Benefits of load balancing Smoothwall SWG
Load balancing a Smoothwall Secure Web Gateway (SWG) deployment provides High Availability, enhanced performance, and scalability:
- High Availability (HA): Load balancing ensures that the web filtering service remains continuously available even if one of the Smoothwall SWG appliances fails. By distributing traffic across multiple Smoothwall devices in a cluster, the system gains fault tolerance. If a single appliance experiences a hardware failure, software crash, or needs to be taken offline, the load balancer automatically redirects all new and existing traffic to the remaining healthy servers. This prevents a single point of failure (SPOF) and ensures that users’ internet access and security filtering are not interrupted, maintaining business continuity.
- Enhanced performance: Load balancing optimizes resource usage across the SWG cluster, leading to faster response times for users. Incoming web traffic (including complex tasks like SSL/TLS decryption and content inspection) is evenly distributed among all available Smoothwall SWG appliances. This prevents any single appliance from becoming overloaded or creating a performance bottleneck. By dividing the workload, each appliance handles a smaller volume of requests, allowing it to process and inspect web traffic more quickly, which in turn reduces latency and improves the overall user experience.
- Scalability: Load balancing allows you to easily expand your web gateway capacity as your organization’s needs grow. If your user base or internet traffic volume increases, you can simply add more Smoothwall SWG appliances to the load-balanced cluster. The load balancer will automatically begin distributing traffic to the new resources without requiring service downtime. This dynamic capability allows the security infrastructure to adapt to fluctuating demands, ensuring consistent security and performance whether you’re handling peak traffic or planning for long-term organizational growth.
About Secure Web Gateway
The Secure Web Gateway (SWG) from Smoothwall offers a proactive approach to small business content filters with real-time content analysis and mobile enterprise web filtering technology. Without being solely reliant on URL blocklists, SWG is able to analyze and categorize web content to filter inappropriate or illegal content that could otherwise threaten the security of your client’s information, or the safety and wellbeing of your employees and customers.
Smoothwall has also extended SWG coverage to include mobile devices carried by your workers while they are away from the office. It eliminates anonymous proxies, prevents malware and protects resources in real time, and that is only part of why Secure Web Gateway is the Top Ten Reviews Bronze Award winner.
Why Loadbalancer.org for Smoothwall?
Loadbalancer’s intuitive Enterprise Application Delivery Controller (ADC) is also designed to save time and money with a clever, not complex, WebUI.
Easily configure, deploy, manage, and maintain our Enterprise load balancer, reducing complexity and the risk of human error. For a difference you can see in just minutes.
And with WAF and GSLB included straight out-of-the-box, there are no hidden costs, so the prices you see on our website are fully transparent.
How to load balance Secure Web Gateway
The load balancer can be deployed in 4 fundamental ways: Layer 4 DR mode, Layer 4 NAT mode, Layer 4 SNAT mode, and Layer 7 Reverse Proxy (Layer 7 SNAT mode).
For Smoothwall Secure Web Gateway, Layer 4 DR mode is recommended. In this mode, traffic from the client to the Web Gateway passes via the load balancer, while return traffic passes directly back to the client, which maximizes performance. Direct routing works by changing the destination MAC address of the incoming packet on the fly, which is very fast. This mode is transparent by default, meaning that the Web Gateway sees the real client IP address and not the IP address of the load balancer. Due to its speed, overall simplicity and effectiveness, Direct Routing (DR) mode with source IP persistence is our recommended method and can be used in both Explicit Proxy Mode and Transparent Routed Proxy Mode.
For more on how to deploy Secure Web Gateway, see the deployment guide below.
Web Gateway deployment modes
There are two implementation methods that are typically used:
- Explicit Proxy Mode (Recommended): This mode requires the load balancer’s VIP address to be defined in users’ browsers. This means that the load balancer will receive client requests and distribute these requests across the back-end Web Gateways. Smoothwall refer to this as “Non-Transparent Mode”.
- Transparent Routed Proxy Mode: With this mode, client requests must be routed to the load balancer/Web Gateway cluster. This can be achieved by either setting the default gateway on the client PCs to be the load balancer, or by adding rules to the default gateway device. Rules would typically be configured for HTTP & HTTPS traffic on ports 80 and 443. Smoothwall refer to this as “Transparent Mode”. Please refer to the section Option 2 – Transparent Routed Proxy Mode for configuration details.
Load balancing deployment concept

About Layer 4 DR mode load balancing
One-arm direct routing (DR) mode is a very high performance solution that requires little change to your existing infrastructure.

DR mode works by changing the destination MAC address of the incoming packet to match the selected Real Server on the fly, which is very fast.
When the packet reaches the Real Server it expects the Real Server to own the Virtual Services IP address (VIP). This means that you need to ensure that the Real Server (and the load balanced application) respond to both the Real Server’s own IP address and the VIP.
The Real Servers should not respond to ARP requests for the VIP. Only the load balancer should do this. Configuring the Real Servers in this way is referred to as Solving the ARP problem.
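The ARP requirement above can be audited on a generic Linux-based Real Server. This is an added example, not from the original page and not Smoothwall or Loadbalancer.org code; it assumes the VIP is bound to the loopback interface and relies on the standard Linux `arp_ignore` and `arp_announce` settings, while the `SYSCTL_ROOT` override and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Linux Real Server's ARP settings for Layer 4 DR mode.
# Assumption: the VIP is held on lo and ARP requests arrive on the given interface.
# SYSCTL_ROOT is a hypothetical override so a copied tree can be audited offline.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print one per-interface IPv4 setting, or 0 when the file is missing.
read_conf() {  # $1 = interface name or "all", $2 = key
    f="$SYSCTL_ROOT/net/ipv4/conf/$1/$2"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo 0; fi
}

# The kernel applies the larger of conf/all and conf/<iface> for both keys.
effective() {  # $1 = interface, $2 = key
    a=$(read_conf all "$2")
    i=$(read_conf "$1" "$2")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# Print one line per setting; return 0 only when both are safe for DR mode.
dr_arp_audit() {  # $1 = interface in the load balancer's subnet
    rc=0
    ign=$(effective "$1" arp_ignore)
    ann=$(effective "$1" arp_announce)
    # 1, 2 and 8 all suppress replies for an address that lives only on lo.
    case "$ign" in
        1|2|8) echo "ok: arp_ignore=$ign, no ARP reply for a VIP held on lo" ;;
        *) echo "FAIL: arp_ignore=$ign, $1 may answer ARP requests for the VIP"
           rc=1 ;;
    esac
    # 2 stops the VIP being used as the sender address in outgoing ARP.
    if [ "$ann" -eq 2 ]; then
        echo "ok: arp_announce=2, VIP is not advertised as an ARP source"
    else
        echo "FAIL: arp_announce=$ann, $1 may advertise the VIP in ARP requests"
        rc=1
    fi
    return "$rc"
}

# Run the audit when an interface name is passed, e.g.: sh audit.sh eth0
if [ "$#" -gt 0 ]; then dr_arp_audit "$1"; fi
```

A failing result means the Real Server can compete with the load balancer for the VIP's MAC address, which would let client traffic bypass the load balancer.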
On average, DR mode is 8 times quicker than NAT for HTTP, 50 times quicker for Terminal Services and much, much faster for streaming media or FTP.
The load balancer must have an interface in the same subnet as the Real Servers to ensure the Layer 2 connectivity required for DR mode to work.
The VIP can be brought up on the same subnet as the Real Servers, or on a different subnet provided that the load balancer has an interface in that subnet.
Port translation is not possible with DR mode, e.g. VIP:80 → RIP:8080 is not supported. DR mode is transparent, i.e. the Real Server will see the source IP address of the client.

