Forum Discussion
Andi_102219
Nimbostratus
Apr 14, 2011
Kerberos for web proxy clients
Hi folks,
I want to authenticate my web proxy clients with Kerberos as they are using primarily NTLM and that's producing too much overhead in my network and on the DCs.
All the clients are ...
Joel_Moses
Nimbostratus
Apr 18, 2011
I think you may still be able to do this by distributing a PAC file from your proxyconf.gtm-domain.net VS directly (using something like the iRule I posted above), but determining which proxy name to hand out based on some sort of logic within the iRule. Think about this: with GTM, you're basing your returned IP on your knowledge of things about the user's _resolver_, not where the user actually is. If you change the proxy host that a user gets when you're generating the PAC file for the user, then you've got the actual USER connecting over a TCP connection coming in -- you can localize both the user's address _and_ whatever you can get from their TCP session to select the best proxy for them.
I'd suggest combining logic like the iRule above on your proxyconf.gtm-domain.net VS with "TCP::rtt". Then you can hand out proxy hostnames that match your Kerberos SPNs for the proxies that are already working, while at the same time maintaining a "closest-to-the-user" approach. As a side benefit, you don't need any pool members attached to the proxyconf VS, as it'll all come out of an iRule. Yes, this moves you away from using GTM's "QoS" functions, but there's a lot more you can do from a load-balancing perspective if you can deal with a user directly as opposed to dealing with their LDNS.
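The per-user PAC generation described in the reply above, modelled as an added JavaScript example (not the iRule from the thread and not F5 code): it picks a proxy by client address, falls back to the measured round-trip time, and refuses to hand out any name that has no SPN. The hostnames, client ranges, port 8080, the 40 ms threshold and the SPN list are constructed assumptions.

```javascript
// Constructed data: proxy FQDNs assumed to have an HTTP/<fqdn> SPN registered.
const SPN_HOSTS = new Set(["proxy-fra.example.net", "proxy-nyc.example.net"]);
// Constructed client ranges per site; the first match wins.
const SITES = [
  { cidr: "10.10.0.0/16", proxy: "proxy-fra.example.net" },
  { cidr: "10.20.0.0/16", proxy: "proxy-nyc.example.net" },
];
// Unknown ranges fall back to the round-trip time seen on the client's connection.
const LOCAL_PROXY = "proxy-fra.example.net";
const REMOTE_PROXY = "proxy-nyc.example.net";
const RTT_LOCAL_MS = 40; // hypothetical threshold

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const size = 2 ** (32 - Number(bits));
  return Math.floor(ipToInt(ip) / size) === Math.floor(ipToInt(base) / size);
}

function pickProxy(clientIp, rttMs) {
  const site = SITES.find((s) => inCidr(clientIp, s.cidr));
  const proxy = site ? site.proxy : rttMs <= RTT_LOCAL_MS ? LOCAL_PROXY : REMOTE_PROXY;
  // A client cannot get a Kerberos service ticket for a name with no SPN.
  if (!SPN_HOSTS.has(proxy)) throw new Error("no SPN registered for " + proxy);
  return proxy;
}

function buildPac(clientIp, rttMs, port = 8080) {
  const proxy = pickProxy(clientIp, rttMs);
  return [
    "function FindProxyForURL(url, host) {",
    "  if (isPlainHostName(host)) return \"DIRECT\";",
    `  return "PROXY ${proxy}:${port}";`,
    "}",
  ].join("\n");
}
```

The PAC returns a hostname rather than an IP address because the client builds the SPN it requests from the proxy name it was given.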