Forum Discussion
Andi_102219
Nimbostratus
Apr 14, 2011
Kerberos for web proxy clients
Hi folks,
I want to authenticate my web proxy clients with Kerberos as they are using primarily NTLM and that's producing too much overhead in my network and on the DCs.
All the clients are ...
Joel_Moses
Nimbostratus
Apr 19, 2011
Andi: The iRule would go on the VS for the proxyconf at the LTMs; essentially, instead of feeding out a PAC file from the servers, you'd have the LTM generate one for you for each user based on that user's location.
If you want to enable a failover capability, then it's possible to do that with individual proxies via the PAC file. When returning the proxy servers, you can return several PROXY statements in the return statement of a PAC file's JS method, and the browser's behavior is to attempt a connection to each proxy in sequence. If a proxy becomes unavailable, the browser client will simply move to the next one in the list. For IE, for example, it will try the first proxy and move on to the next after not getting a response in just over a second. Here's an example:
return "PROXY proxy1.domain.com:8080; PROXY proxy2.domain.com:8080; PROXY proxy3.domain.com:8080"
This would require modifying the iRule a bit to hand out a list of regional proxies rather than a single name, but it's doable. You could then force down a proxy anytime you like and your browser clients on that proxy would migrate to the next in the list. You would ensure proper load distribution by dividing the user population up by network -- then set their primary proxy to be the closest regional one, failing over to the next closest, and the next. It's an approach that would require a little forethought and planning, but in the end analysis, I'd be willing to bet it'd be more precise than GTM for this purpose.
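The per-network failover list described in the reply above, as an added example that is not part of the original post or any F5 code. It makes the choice inside the PAC file from the client's address rather than in an iRule; the client networks, region names and failover order are constructed assumptions, and only the proxy hostnames come from the reply.

```javascript
// Added example. Region names, client networks and failover order are
// constructed; proxy hostnames are the ones used in the reply.
var PROXIES = { emea: "proxy1.domain.com:8080",
                amer: "proxy2.domain.com:8080",
                apac: "proxy3.domain.com:8080" };
var NETS = [["10.10.0.0", 16, "emea"], ["10.20.0.0", 16, "amer"],
            ["10.30.0.0", 16, "apac"]];
// Closest proxy first, then the next closest (assumed topology).
var FAILOVER = { emea: ["emea", "amer", "apac"],
                 amer: ["amer", "emea", "apac"],
                 apac: ["apac", "amer", "emea"] };
var DEFAULT_ORDER = ["emea", "amer", "apac"];

// Dotted quad to number; null for anything that is not valid IPv4.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when ip falls inside base/bits (arithmetic, so no signed 32-bit issues).
function inNet(ip, base, bits) {
  var a = ipToInt(ip), b = ipToInt(base);
  if (a === null || b === null) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Build the ordered "PROXY a; PROXY b; ..." string for one client address.
// No DIRECT entry is appended, so the list never tells a client to bypass the proxies.
function proxyListFor(ip) {
  var order = DEFAULT_ORDER;
  for (var i = 0; i < NETS.length; i++) {
    if (inNet(ip, NETS[i][0], NETS[i][1])) { order = FAILOVER[NETS[i][2]]; break; }
  }
  var out = [];
  for (var j = 0; j < order.length; j++) out.push("PROXY " + PROXIES[order[j]]);
  return out.join("; ");
}

// PAC entry point; myIpAddress() is provided by the browser's PAC runtime.
function FindProxyForURL(url, host) {
  return proxyListFor(myIpAddress());
}
```

Clients on unlisted networks, or whose address cannot be parsed, get the default order instead of an empty result.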