RE: NT Authentication

[Amirmadhi Foorood <Foorood.Amirmadhi () Columbia net>]

Hi,

I do not know if there is any scalable, NT-Domain aware, Proxy product out
there other than MSProxy or not.  I have worked with both Netscape and
Microsoft Proxy.  If you need performance, stick Netscape Proxy.  If you
need NT domain feature functionality you better stay with MSProxy.  There
are interesting futures in MS Proxy such as "Intelligent Dynamic Caching"
which is great,  and also other usual NT applications "memory leakage"
problem.

Scalability in MSProxy 2.0 is bases on the Array configuration . But in this
type of design, MSProxy would not work with other add-on product that
provide internet site control and filtering.  This feature seems to have
become very attractive in upper management's eyes in large corporations.

Assuming average Internet access per proxy-user (I can not find any
numerical normalization for it), at least excluding the video streaming, The
rule of thumb for scalability figure that I can suggest to you per a typical
NT system ( NT 4.0, Pentium Pro 200 MHz, 128 MB Memory, SCSI Disk ) running
MSProxy 2.0 is the following. 

2000 proxy user for which there are 50-70 concurrent user proxy connections.
This provide good connectivity (assuming T1).
Above 70 concurrent user connections, performance will be degrading and you
need to baby-sit the MSProxy.  Let me know if you need more specific
information on this.




Foorood Amirmadhi
Columbia Information Systems
mailto:foorood.amirmadhi () columbia net
                            

> -----Original Message-----
> From: Steve () po i-way co uk [SMTP:Steve () po i-way co uk]
> Sent: Wednesday, October 07, 1998 6:31 AM
> To:   firewall-wizards () nfr net
> Subject:      NT Authentication
>
> Hi,
>
> I have been asked a few times recently to specify a proxy which can get
> Authentication from an NT domain.  This seems to be sites which are
> using DHCP.
>
> I often like to specify a FW which has an internal proxy where the
> site admin team can control the insides clients Internet access.  This
> means they can make all the changes for individual users and don't have
> to go near the FW.  In the past I have used Wingate and IP's but more
> and more sites seem to want this authentication to come from an NT
> domain ala M$ Proxy server I guess.
>
> Being no genius on NT I wondered if anyone has any other product
> suggestions, alternative ways of doing this etc.  Any actual
> experiences with Microsofts proxy would be good too - I think we all
> know how dubious the security is, the management possibilities seem
> useful though.
>
> TIA
>
> S
>
>
> --