Firewall Wizards mailing list archives

RE: Question on web proxy architecture


From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 20 Feb 2006 17:06:57 -0500


-----Original Message-----
Subject: [fw-wiz] Question on web proxy architecture

issue: we have a new web proxy and a shiny new AV server looking for a home in our network of 500 users.

it will be handling the usual HTTP, IM and streaming

the current proxy architecture is 'proxy on a stick' with a single interface handling all in/out connections. it seems to do ok performance-wise

I'm not really concerned about performance but I would like to know what others have experienced.

If performance doesn't matter, then your architecture probably won't matter.
If the AV server and the web proxy are different systems and the AV server
is supposed to perform AV scanning of web traffic (which will be via proxy
I'm sure), that will likely dictate your architecture.

For instance, can the AV proxy forward to an upstream proxy?  Does it
support ICP for caching proxies?  Are sessions on the AV proxy tied to
client IP address?  For more than a few AV proxies I've looked at, the
answer to these questions is no.

In the lamest of AV proxies, in order to get the reporting and
authentication to work and have it work with another proxy, I've seen
configurations in which the client requests to the AV proxy via browser
settings and then the connection is handled by a second transparent proxy in
order to provide caching and content filtering.  Not pretty or
performance-friendly, but it works.


so the question is where best to place the proxy? what are the security implications of having a proxy on a stick? it's still proxying, is it not?

The main issue with proxy-on-a-stick is that it requires that something else
force traffic through the proxy.  This is usually as simple as configuring
your firewall to deny all outbound web traffic unless it comes from the
proxy server.

PaulM
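
The egress rule PaulM describes, modelled as an added example (not code from the thread or from any product): a first-match policy evaluator that shows why a proxy on a stick needs the firewall to deny outbound web traffic from everything except the proxy. The 10.0.0.0/24 user network, the 10.0.0.10 proxy address and proxy port 3128 are assumed values for the example.

```python
"""Model of the firewall policy that forces clients through a
proxy-on-a-stick.  All addresses and ports below are constructed
assumptions for illustration, not values from the thread."""
import ipaddress
from typing import List, NamedTuple


class Rule(NamedTuple):
    action: str         # "allow" or "deny"
    src: str            # source CIDR
    dst: str            # destination CIDR
    dports: frozenset   # destination TCP ports the rule covers


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


LAN = "10.0.0.0/24"          # assumed user network
PROXY = "10.0.0.10/32"       # assumed single-interface proxy
PROXY_PORT = 3128            # assumed proxy listening port
WEB = frozenset({80, 443})
INTERNET = "0.0.0.0/0"

# Weak policy: nothing forces traffic through the proxy, so any host that
# drops its browser proxy setting (or never used it) reaches the web directly.
WEAK: List[Rule] = [Rule("allow", LAN, INTERNET, WEB)]

# Corrected policy: clients may only reach the proxy's listening port, and
# only the proxy may make outbound HTTP/HTTPS connections.  First match wins.
ENFORCED: List[Rule] = [
    Rule("allow", LAN, PROXY, frozenset({PROXY_PORT})),
    Rule("allow", PROXY, INTERNET, WEB),
    Rule("deny", LAN, INTERNET, WEB),
]


def match(rule: Rule, flow: Flow) -> bool:
    """True when the flow's source, destination and port fall inside the rule."""
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and flow.dport in rule.dports)


def decide(policy: List[Rule], flow: Flow, default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default."""
    return next((r.action for r in policy if match(r, flow)), default)
```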


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards