Firewall Wizards mailing list archives
RE: Question on web proxy architecture
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 20 Feb 2006 17:06:57 -0500
-----Original Message-----
Subject: [fw-wiz] Question on web proxy architecture

issue: we have a new web proxy and a shiny new AV server looking for a home in our network of 500 users. it will be handling the usual HTTP, IM and streaming

the current proxy architecture is 'proxy on a stick' with a single interface handling all in/out connections. it seems to do ok performance wise

I'm not really concerned about performance but I would like to know what others have experienced.
If performance doesn't matter, then your architecture probably won't matter. If the AV server and the web proxy are different systems and the AV server is supposed to perform AV scanning of web traffic (which will be via proxy I'm sure), that will likely dictate your architecture. For instance, can the AV proxy forward to an upstream proxy? Does it support ICP for caching proxies? Are sessions on the AV proxy tied to client IP address? For more than a few AV proxies I've looked at, the answer to these questions is no. In the lamest of AV proxies, in order to get the reporting and authentication to work and have it work with another proxy, I've seen configurations in which the client requests to the AV proxy via browser settings and then the connection is handled by a second transparent proxy in order to provide caching and content filtering. Not pretty or performance-friendly, but it works.
so the question is where best to place the proxy? what are the security implications of having a proxy on a stick? it's still proxying, is it not?
The main issue with proxy-on-a-stick is that it requires that something else force traffic through the proxy. This is usually as simple as configuring your firewall to deny all outbound web traffic unless it comes from the proxy server.

PaulM
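The firewall rule described in the reply above, as an added example that is not part of the original message: a shell function that prints the commands for review before they are applied. It assumes the firewall is a Linux gateway using iptables, that "web traffic" means TCP 80 and 443, and uses a constructed proxy address (192.0.2.10) and LAN interface (eth1); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print iptables commands for a Linux gateway so that only the
# proxy may open outbound web connections. All values below are assumptions.

WEB_PORTS="80,443"   # assumed definition of "web traffic"

# Succeeds only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: proxy_only_rules PROXY_IPV4 LAN_INTERFACE
# Order matters: the proxy ACCEPT must come before the catch-all LOG/REJECT.
proxy_only_rules() {
    proxy_ip=$1
    lan_if=$2
    # Refuse interface names that could smuggle extra shell words into output.
    case "$lan_if" in ''|*[!A-Za-z0-9._-]*) lan_if= ;; esac
    if ! valid_ipv4 "$proxy_ip" || [ -z "$lan_if" ]; then
        echo "usage: proxy_only_rules PROXY_IPV4 LAN_INTERFACE" >&2
        return 2
    fi
    match="-i $lan_if -p tcp -m multiport --dports $WEB_PORTS"
    cat <<EOF
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD $match -s $proxy_ip -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD $match -j LOG --log-prefix "web-bypass: "
iptables -A FORWARD $match -j REJECT --reject-with tcp-reset
EOF
}

# Constructed sample values: proxy at 192.0.2.10, clients behind eth1.
proxy_only_rules 192.0.2.10 eth1
```

The LOG rule records every client that still tries to reach the web directly, which shows which hosts have not yet been pointed at the proxy.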
Current thread:
- Question on web proxy architecture david_harris (Feb 20)
- RE: Question on web proxy architecture Paul Melson (Feb 23)