Re: [squid-users] Troubles with SquidNT in complex environment

From: Guido Serassio <guido.serassio@dont-contact.us>
Date: Tue, 11 Mar 2008 23:46:31 +0100

Hi,

At 22:52 11/03/2008, Peter Weichenberger wrote:
>Dear All,
>
>I'm pretty new to Squid and have troubles running it in the
>following environment:
>
>* LAN with 250 users
>* Windows Active Directory Service (ADS)
>
>Web Security Solution consisting of
>* IBM Proventia Web Filter performing URL filtering
>* Trend Micro InterScan Web Security Suite (IWSS) performing
>Antivirus scanning
>
>Both products (Webfilter and AV scanner) are installed on virtual
>machines running under VMware ESX 3.02.
>Both of them have an integrated, non-caching proxy server.
>
>Starting from the user PC, we have the following proxy chain:
>
>User PC => Web Filter proxy => IWSS proxy => Internet
>
>I want to use ADS objects like usernames in the Web Filter
>configuration - e.g. to create rules based on usernames instead of
>IP addresses.
>Problem: The proxy server included in Proventia Web Filter has no
>ADS/NTLM auth support, but can act as an ICAP server.
>In order to use ADS objects in the Web Filter config you need an
>additional, NTLM auth-capable proxy server.
>Since there is no such proxy server in our LAN yet, we obtained a
>preconfigured Squid for Windows package containing
>
>* SquidNT 2.5 Stable12 binaries
>* NTLM auth support

First, you should upgrade to Squid 2.6 and add also Negotiate authentication.

>I installed the Squid package on the same virtual machine where the
>Web Filter is installed.
>SquidNT acts as an ICAP client, authenticating proxy users against our AD.
>The Proventia Web Filter acts as an ICAP server, telling SquidNT if
>the authenticated user is allowed to access the requested site.
>
>So the proxy chain now looks like this:
>
>User PC => Squid proxy (ICAP client) => Web Filter (ICAP server) =>
>IWSS proxy => Internet
>
>Unfortunately we have the following problems with SquidNT:
>
>1. Excessive RAM consumption
>After starting the SquidNT service, Windows Task manager shows that
>squid.exe uses about 9,000 KB of RAM.

This is a known and fixed old bug for Squid STABLE 12:
http://www.squid-cache.org/bugs/show_bug.cgi?id=1522

>A working day and many user requests later, squid.exe uses about
>700,000 KB (!!) of RAM!
>Although the virtual machine has 1 GB of RAM assigned, Windows XP
>SP2 started to expand its paging file in order to satisfy the
>ever-increasing RAM demand of squid.exe.

Please: use a Server OS ......

>Monitoring Windows Task Manager, you can watch squid.exe's memory
>consumption counting up every 5 seconds.
>This means I have to restart the SquidNT service at least once a day
>- otherwise the paging file would fill up the harddisk completely.
>After restarting SquidNT, it returns back to its initial RAM
>footprint of about 9,000 KB, but starts to count up its memory
>consumption immediately.
>
>I already set memory_pools to off in squid.conf, but this freed up
>1,600 KB, which is nothing compared to 700,000 KB.
>
>Since we had repeated Squid fatal errors due to insufficient
>ntlm_auth processes in the beginning, I have set the number of these
>processes to 35
>(auth_param ntlm children 35).

If you are using IE7, Negotiate here could help you.

>Q: Although these are separate processes, can they be the cause for
>Squid sucking RAM like a black hole?
>Is there anything else I can do against it - besides restarting the
>Squid service?

Upgrade Squid to latest 2.6.

>2. Service instabilities
>Occasionally, users get a message in their browser telling them that
>the proxy has rejected the connection.
>I checked the Squid server immediately after having received this
>message myself, but squid.exe was running as always.
>Obviously there are situations where Squid ceases its service for a
>short time, being unable to service user requests during this period.

Expected, because you are running on a Workstation OS:
http://smallvoid.com/article/winnt-tcpip-max-limit.html

>Q: What can be done to enhance reliability/stability of SquidNT?
>

Run Squid on Windows 2003 Server.

>3. Problems accessing certain websites with Internet Explorer (IE)
>through Squid
>Our users have problems accessing the following sites:
>a) Bank website hosting a Java-based Internet banking application
>(website complains about missing Java support/invalid browser configuration)

Latest Java VM is NTLM aware.

>b) Website running a Citrix portal delivering applications over the Web

Not sure if there is something to do here, but there are many
changes/improvements in 2.6.

>Both applications use HTTPS and work when
>* using the IWSS proxy, bypassing Squid; independent of browser
>* using the Squid proxy, but Firefox instead of IE
>
>Problem: IE is our standard browser and is installed everywhere.
>
>Q: Is there any IE setting, which has to be changed in order to make
>"special" Web applications work over Squid?
>
>
>Ideas and hints regarding any of these issues are appreciated.

Again, first upgrade to latest 2.6 STABLE 18.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Tue Mar 11 2008 - 16:48:39 MDT
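As an added illustration (not part of the original thread and not Acme's or the Squid project's own configuration), here is a squid.conf fragment for a Squid 2.6 SquidNT install that follows the advice above: Negotiate authentication ahead of NTLM with the NTLM helper count from the post, the web filter reached as an ICAP REQMOD server with the authenticated username passed along, and the IWSS proxy as the only parent. The helper paths, host names, ports, the LAN range and the ICAP URL path are assumptions or placeholders, not values taken from the thread.

```conf
# Added example squid.conf fragment for Squid 2.6 on Windows (SquidNT).
# Helper paths, hosts, ports, LAN range and ICAP URL path are assumed.

# Negotiate first so domain-joined IE7 clients use it; NTLM is the
# fallback for older clients. The helper names are SquidNT's mswin_*
# helpers (assumed to live under c:/squid/libexec).
auth_param negotiate program c:/squid/libexec/mswin_negotiate_auth.exe
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 35
auth_param ntlm keep_alive on

# Only authenticated users from the LAN may use the proxy.
# 192.168.0.0/24 is a constructed example range.
acl AuthUsers proxy_auth REQUIRED
acl localnet src 192.168.0.0/24
http_access allow localnet AuthUsers
http_access deny all

# Send every request to the web filter's ICAP server before lookup
# (REQMOD, bypass disabled) and include the authenticated username so
# filter rules can be written per AD user instead of per IP address.
# The ICAP host is the local VM here; "/reqmod" is a placeholder path.
icap_enable on
icap_send_client_username on
icap_service webfilter_req reqmod_precache 0 icap://127.0.0.1:1344/reqmod
icap_class webfilter_class webfilter_req
icap_access webfilter_class allow all

# Forward all traffic through the IWSS antivirus proxy; never go direct.
# iwss.example.local:8080 is an assumed address.
cache_peer iwss.example.local parent 8080 0 no-query default
never_direct allow all

# Setting the poster already tried; harmless to keep after the upgrade.
memory_pools off
```

After editing, `squid -k parse` reports syntax errors before the service is restarted; `squid -k reconfigure` then applies the file to the running instance. The `http_access deny all` line is what makes the proxy_auth ACL bite: without it, a request that fails authentication could still match a later allow rule.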
