[squid-users] Troubles with SquidNT in complex environment

From: Peter Weichenberger <pweichen@dont-contact.us>
Date: Tue, 11 Mar 2008 22:52:22 +0100

Dear All,

I'm pretty new to Squid and have trouble running it in the following environment:

* LAN with 250 users
* Windows Active Directory Service (ADS)

Web Security Solution consisting of
* IBM Proventia Web Filter performing URL filtering
* Trend Micro InterScan Web Security Suite (IWSS) performing Antivirus scanning

Both products (Webfilter and AV scanner) are installed on virtual machines running under VMware ESX 3.02.
Both of them have an integrated, non-caching proxy server.

Starting from the user PC, we have the following proxy chain:

User PC => Web Filter proxy => IWSS proxy => Internet

I want to use ADS objects like usernames in the Web Filter configuration - e.g. to create rules based on usernames instead of IP addresses.
Problem: The proxy server included in Proventia Web Filter has no ADS/NTLM auth support, but can act as an ICAP server.
In order to use ADS objects in the Web Filter config you need an additional, NTLM auth-capable proxy server.
Since there is no such proxy server in our LAN yet, we obtained a preconfigured Squid for Windows package containing

* SquidNT 2.5 Stable12 binaries
* NTLM auth support

I installed the Squid package on the same virtual machine where the Web Filter is installed.
SquidNT acts as an ICAP client, authenticating proxy users against our AD.
The Proventia Web Filter acts as an ICAP server, telling SquidNT if the authenticated user is allowed to access the requested site.

So the proxy chain now looks like this:

User PC => Squid proxy (ICAP client) => Web Filter (ICAP server) => IWSS proxy => Internet

Unfortunately we have the following problems with SquidNT:

1. Excessive RAM consumption
After starting the SquidNT service, Windows Task manager shows that squid.exe uses about 9,000 KB of RAM.
A working day and many user requests later, squid.exe uses about 700,000 KB (!!) of RAM!
Although the virtual machine has 1 GB of RAM assigned, Windows XP SP2 started to expand its paging file in order to satisfy the ever-increasing RAM demand of squid.exe.

Monitoring Windows Task Manager, you can watch squid.exe's memory consumption counting up every 5 seconds.
This means I have to restart the SquidNT service at least once a day - otherwise the paging file would fill up the harddisk completely.
After restarting SquidNT, it returns to its initial RAM footprint of about 9,000 KB, but starts to count up its memory consumption immediately.

I already set memory_pools to off in squid.conf, but this freed up 1,600 KB, which is nothing compared to 700,000 KB.

Since we had repeated Squid fatal errors due to insufficient ntlm_auth processes in the beginning, I have set the number of these processes to 35 (auth_param ntlm children 35).
Q: Although these are separate processes, can they be the cause for Squid sucking RAM like a black hole?
Is there anything else I can do against it - besides restarting the Squid service?

2. Service instabilities
Occasionally, users get a message in their browser telling them that the proxy has rejected the connection.
I checked the Squid server immediately after having received this message myself, but squid.exe was running as always.
Obviously there are situations where Squid ceases its service for a short time, being unable to service user requests during this period.

Q: What can be done to enhance reliability/stability of SquidNT?

3. Problems accessing certain websites with Internet Explorer (IE) through Squid
Our users have problems accessing the following sites:
a) Bank website hosting a Java-based Internet banking application (website complains about missing Java support/invalid browser configuration)
b) Website running a Citrix portal delivering applications over the Web

Both applications use HTTPS and work when
* using the IWSS proxy, bypassing Squid; independent of browser
* using the Squid proxy, but Firefox instead of IE

Problem: IE is our standard browser and is installed everywhere.

Q: Is there any IE setting that has to be changed in order to make "special" Web applications work over Squid?

Ideas and hints regarding any of these issues are appreciated.

Many thanks in advance,

Peter

Received on Tue Mar 11 2008 - 15:54:55 MDT
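Added example (not part of the original post, and not a configuration shipped with the SquidNT package Peter describes): a squid.conf fragment that expresses the chain User PC => Squid (NTLM auth, ICAP client) => Web Filter (ICAP server) => IWSS proxy => Internet, with the two settings the post mentions (auth_param ntlm children 35, memory_pools off) in context. Hostnames, ports, file paths and the helper program name are assumptions; the ICAP directive names follow the 2.5/2.6 ICAP patch and must be checked against the directives the installed SquidNT build actually accepts (squid -k parse reports unknown ones).

```conf
# squid.conf fragment - added example, not from the original post.
# All hostnames, ports and paths below are assumed values.

http_port 3128

# --- NTLM authentication against Active Directory ---
# Path to the Windows NTLM helper bundled with SquidNT (assumed path).
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
# Raised from the default because of "insufficient ntlm_auth processes"
# fatal errors; each child is a separate process outside squid.exe.
auth_param ntlm children 35
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

# Every request must carry valid proxy credentials before Squid forwards it;
# only then is there a username for the Web Filter to base rules on.
acl localnet src 192.168.0.0/16
acl ntlm_users proxy_auth REQUIRED
http_access allow localnet ntlm_users
http_access deny all

# --- Memory settings (problem 1 in the post) ---
memory_pools off
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
cache_dir ufs c:/squid/var/cache 512 16 256

# --- ICAP: hand every request (REQMOD) to the Proventia Web Filter ---
# Directive names as in the 2.5/2.6 ICAP patch; the service URL is assumed.
# icap_send_client_username passes the authenticated user to the ICAP server;
# its availability depends on the build.
icap_enable on
icap_send_client_username on
icap_service webfilter reqmod_precache 0 icap://webfilter.example.local:1344/reqmod
icap_class wf_class webfilter
icap_access wf_class allow all

# --- Force all traffic through the IWSS antivirus proxy ---
# never_direct allow all means Squid never goes to the Internet itself, so the
# AV scanner cannot be bypassed; if the parent is down, requests fail closed.
cache_peer iwss.example.local parent 8080 0 no-query no-digest default
never_direct allow all
```

The ordering of the http_access lines matters: the proxy_auth ACL has to be evaluated before any allow rule, otherwise unauthenticated requests are forwarded and the ICAP server sees no username. The cache_peer/never_direct pair is what keeps the IWSS scanner in the path for every request rather than only for those Squid chooses to route through the parent.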