RE: Question on web proxy architecture
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 20 Feb 2006 17:06:57 -0500
Subject: [fw-wiz] Question on web proxy architecture

> issue: we have a new web proxy and a shiny new AV server looking for a home in our network of 500 users.
> it will be handling the usual HTTP, IM and streaming
> the current proxy architecture is 'proxy on a stick' with a single interface handling all in/out connections. it seems to do ok performance wise
> I'm not really concerned about performance but I would like to know what

If performance doesn't matter, then your architecture probably won't matter.
If the AV server and the web proxy are different systems and the AV server
is supposed to perform AV scanning of web traffic (which will be via proxy
I'm sure), that will likely dictate your architecture.
For instance, can the AV proxy forward to an upstream proxy? Does it
support ICP for caching proxies? Are sessions on the AV proxy tied to
client IP address? For more than a few AV proxies I've looked at, the
answer to these questions is no.
In the lamest of AV proxies, in order to get the reporting and
authentication to work and have it work with another proxy, I've seen
configurations in which the client requests to the AV proxy via browser
settings and then the connection is handled by a second transparent proxy in
order to provide caching and content filtering. Not pretty or
performance-friendly, but it works.

> so the question is where best to place the proxy? what are the security
> having a proxy on a stick? it's still proxying, is it not?

The main issue with proxy-on-a-stick is that it requires that something else
force traffic through the proxy. This is usually as simple as configuring
your firewall to deny all outbound web traffic unless it comes from the
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
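
The reply's point that a proxy-on-a-stick only works when the firewall forces web traffic through it can be checked against an egress rule set. The following is an added example, not part of the original post: a first-match rule evaluator that lists which clients could still reach the web directly. The addresses, ports and rule format are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the post).
PROXY = "10.0.0.10"
WEB_PORTS = (80, 443)

# First-match egress rules: (action, source CIDR, destination port or None for any).
RULES_WEAK = [
    ("allow", "10.0.0.10/32", 80),
    ("allow", "10.0.0.10/32", 443),
    ("allow", "10.0.0.0/16", None),   # blanket allow: clients can skip the proxy
    ("deny", "0.0.0.0/0", None),
]
RULES_ENFORCED = [
    ("allow", "10.0.0.10/32", 80),    # only the proxy may open web connections
    ("allow", "10.0.0.10/32", 443),
    ("deny", "10.0.0.0/16", 80),      # everyone else is denied web egress
    ("deny", "10.0.0.0/16", 443),
    ("allow", "10.0.0.0/16", 53),
    ("deny", "0.0.0.0/0", None),
]


def decide(rules, src, port):
    """Return the action of the first rule matching src/port; default deny."""
    addr = ipaddress.ip_address(src)
    for action, cidr, rule_port in rules:
        if addr in ipaddress.ip_network(cidr) and rule_port in (None, port):
            return action
    return "deny"


def bypass_paths(rules, clients, proxy=PROXY, ports=WEB_PORTS):
    """List (client, port) pairs that can reach the web without the proxy."""
    return [(c, p) for c in clients if c != proxy
            for p in ports if decide(rules, c, p) == "allow"]


def proxy_can_egress(rules, proxy=PROXY, ports=WEB_PORTS):
    """True when the proxy itself is allowed out on every web port."""
    return all(decide(rules, proxy, p) == "allow" for p in ports)


if __name__ == "__main__":
    clients = ["10.0.1.25", "10.0.2.40", PROXY]
    for name, rules in (("weak", RULES_WEAK), ("enforced", RULES_ENFORCED)):
        print(name, "proxy egress:", proxy_can_egress(rules),
              "bypass:", bypass_paths(rules, clients))
```
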