Firewall Wizards mailing list archives
RE: NT Authentication
From: Amirmadhi Foorood <Foorood.Amirmadhi () Columbia net>
Date: Fri, 9 Oct 1998 10:46:28 -0500
I do not know if there are any scalable, NT-Domain aware, Proxy products out there other than MSProxy or not. I have worked with both Netscape and Microsoft Proxies. If you need performance, stick Netscape Proxy. If you need NT domain feature functionality you better stay with MSProxy. There are interesting futures in MS Proxy , aside from NT domain features, such as "Intelligent Dynamic Caching" which is great. Also there are other usual NT applications "memory leakage" problem as well. Speaking of performance of the MSProxy, from NT side, it depend on the NT domain complexity (number of Domains, WINS, and proxy-user Groups Domain Accounts) and basically your LAN performance under NT. Scalability in MSProxy 2.0 is bases on the Array configuration (more than one MSProxy). But in this type of design, MSProxy would not work with other add-on product that provide internet site control and filtering. This feature seems to have become very attractive in upper management's eyes in large corporations. In the case that you need more than one proxy and setting up the proxies independently, you will lose some of the advantages of intelligent caching features and also you will need to rely on how good is you Internal DNS for round-robining your MSProxies. Assuming good NT Domain, LAN performance, and average Internet access per proxy-user (I can not find any definition for numerical normalization), at least excluding the video streaming, the rule of thumb for scalability figure that I can suggest to you per a typical NT system ( NT 4.0, Pentium Pro 200 MHz, 128 MB Memory, SCSI Disk ) running MSProxy 2.0 is the following. 2500 proxy user NT domain accounts in eight different domains for which there are 250 concurrent proxy user connections. This provide good connectivity (assuming T1). Above 300 concurrent user connections, I have not tested but there are semi-evidence that indicates it will start degrade. Existing problem with MSProxy 2.0 (Microsoft is working on it) are; Inetinfo's process moderate memory leakage and very high CPU utilization. Drop me an email if you need more specific information on MSProxy. Foorood Amirmadhi Infrastructure mailto:foorood.amirmadhi () columbia net
-----Original Message----- From: Steve () po i-way co uk [SMTP:Steve () po i-way co uk] Sent: Wednesday, October 07, 1998 6:31 AM To: firewall-wizards () nfr net Subject: NT Authentication Hi, I have been asked a few times recently to specify a proxy which can get Authentication from an NT domain. This seems to be sites which are using DHCP. I often like to specify a FW which has an internal proxy where the site admin team can control the insides clients Internet access. This means they can make all the changes for individual users and don't have to go near the FW. In the past I have used Wingate and IP's but more and more sites seem to want this authentication to come from an NT domain ala M$ Proxy server I guess. Being no genius on NT I wondered if anyone has any other product suggestions, alternative ways of doing this etc. Any actual experiences with Microsofts proxy would be good too - I think we all know how dubious the security is, the management possibilities seem useful though. TIA S --
Current thread:
- NT Authentication Steve (Oct 07)
- Re: NT Authentication Joseph S. D. Yao (Oct 07)
- RE: NT Authentication Joe Ippolito (Oct 09)
- <Possible follow-ups>
- RE: NT Authentication Noller, Gregory (Oct 09)
- Re: NT Authentication Vin McLellan (Oct 09)
- RE: NT Authentication Amirmadhi Foorood (Oct 09)
- RE: NT Authentication Amirmadhi Foorood (Oct 13)
- RE: NT Authentication Stout, Bill (Oct 13)
- Re: NT Authentication Joseph S. D. Yao (Oct 07)