Firewall Wizards mailing list archives

RE: NT Authentication


From: Amirmadhi Foorood <Foorood.Amirmadhi () Columbia net>
Date: Fri, 9 Oct 1998 10:46:28 -0500

I do not know if there are any scalable, NT-Domain aware, Proxy products out
there other than MSProxy or not.  I have worked with both Netscape and
Microsoft Proxies.  If you need performance, stick with Netscape Proxy.  If you
need NT domain feature functionality you better stay with MSProxy.  There
are interesting features in MS Proxy, aside from NT domain features, such as
"Intelligent Dynamic Caching" which is great.  Also there are the other usual NT
application "memory leakage" problems as well.

Speaking of performance of the MSProxy, from NT side, it depends on the NT
domain complexity (number of Domains, WINS, and proxy-user Groups Domain
Accounts) and basically your LAN performance under NT.

Scalability in MSProxy 2.0 is based on the Array configuration (more than
one MSProxy). But in this type of design, MSProxy would not work with other
add-on products that provide internet site control and filtering.  This
feature seems to have become very attractive in upper management's eyes in
large corporations.  In the case that you need more than one proxy and are
setting up the proxies independently, you will lose some of the advantages
of intelligent caching features and also you will need to rely on how good
your internal DNS is for round-robining your MSProxies.

Assuming good NT Domain, LAN performance, and average Internet access per
proxy-user (I can not find any definition for numerical normalization), at
least excluding the video streaming, the rule of thumb for scalability
figure that I can suggest to you per a typical NT system (NT 4.0, Pentium
Pro 200 MHz, 128 MB Memory, SCSI Disk) running MSProxy 2.0 is the
following. 

2500 proxy user NT domain accounts in eight different domains for which
there are 250 concurrent proxy user connections.
This provides good connectivity (assuming T1).
Above 300 concurrent user connections, I have not tested but there is
semi-evidence that indicates it will start to degrade.

Existing problems with MSProxy 2.0 (Microsoft is working on it) are:
Inetinfo's process moderate memory leakage and very high CPU utilization.
Drop me an email if you need more specific information on MSProxy.



Foorood Amirmadhi
Infrastructure
mailto:foorood.amirmadhi () columbia net


-----Original Message-----
From: Steve () po i-way co uk [SMTP:Steve () po i-way co uk]
Sent: Wednesday, October 07, 1998 6:31 AM
To:   firewall-wizards () nfr net
Subject:      NT Authentication

Hi,

I have been asked a few times recently to specify a proxy which can get
Authentication from an NT domain.  This seems to be sites which are
using DHCP.

I often like to specify a FW which has an internal proxy where the
site admin team can control the inside clients' Internet access.  This
means they can make all the changes for individual users and don't have
to go near the FW.  In the past I have used Wingate and IP's but more
and more sites seem to want this authentication to come from an NT
domain ala M$ Proxy server I guess.

Being no genius on NT I wondered if anyone has any other product
suggestions, alternative ways of doing this etc.  Any actual
experiences with Microsoft's proxy would be good too - I think we all
know how dubious the security is, the management possibilities seem
useful though.

TIA

S

