OneConnect and Proxy/Squid Load Balancing

Posted By Hamish on 03/23/2010 5:38 AM

 

 

Firstly, why do you need to have all the school's connections goto the same squid server? Is this an absolute requirement? Or a nice to have?

 

 

 

 

This is only in place so that SSL connections goto the same squid box for banking and things like that. We might look at doing SSL persistence and have http traffic load balanced across the squid cluster.

 

 

 

Leaving aside questions of return traffic (Because the LTM will do all this automatically for you), you need to consider the effect of authentication that may occur between the client browser and the proxy (I've seen some scenarios where the webserver only checks the FIRST request and 'assumes' that following requests are the same user... Oops...). You need to get the mask correct for the oneconnect IP address matching too (The only time I really use it is for SSL and bypassing one of the ends that doesn't do HTTP keepalives).

 

 

 

 

This might pose a problem if we are to use OneConnect. A school could have different restrictions for teachers and students, so if a teacher was to authenticate first then from what you're saying this could potentially mean that a student might just be allowed through using the same credentials as the teacher???

 

 

 

In order to answer those questions would require a lot more information... e.g. Do you do authentication? And by what method?

 

 

H

 

 

 

Yes we do authentication. The squid box does the authentication, but I'm not 100% sure how it all works as I don't really look after the squid boxes.