Start Your Engines
Web Acceleration with SuperLumin on Novell Open Enterprise Server
Written by Ken Baker
Novell BorderManager has been around for well over a decade—giving NetWare users perimeter security with robust Internet access controls, firewall services, content filtering functions and proxy and cache services. But as NetWare customers have moved to take advantage of the advanced features in Novell Open Enterprise Server on Linux, they haven’t had a BorderManager equivalent. That has now changed. Novell has announced that SuperLumin Networks will be providing the preferred BorderManager replacement with its SuperLumin Nemesis Web acceleration product. In fact, Novell has entered into an agreement with SuperLumin to make SuperLumin Nemesis available on the Novell pricelist and to enable Novell to provide front-line support to its customers for the next two years.
Many customers might wonder about the rationale behind this move. In essence, it comes down to a two-fold answer. Transitioning BorderManager capabilities to a trusted partner allows Novell to put more focus on its collaboration offerings, while allowing its customers to deploy a best-in-class perimeter security and proxy cache product from an expert in that field.
SuperLumin is known as an early provider of solutions for the Linux environment and an industry leader in perimeter security. It’s interesting to note that much of the SuperLumin engineering team consists of former Novell employees who worked in the advanced development group for BorderManager, as well as on the Novell Internet Caching System, Novell iChain and Volera proxy cache solutions. Leveraging this combined expertise in Linux, perimeter security and caching, SuperLumin developed Nemesis from the ground up to provide a BorderManager replacement built on SUSE Linux Enterprise Server that delivers everything BorderManager customers want—and then some.
At Novell BrainShare 2010 in Salt Lake City, many Novell customers had an early glimpse of the SuperLumin product. At that time the SuperLumin team also took the opportunity to gather feedback from BorderManager customers as to what features and functions they would want in the SuperLumin offering. The services at the top of the list included forward proxy, transparent proxy, reverse proxy, client trust, ACL check, VPN and firewall. In response, SuperLumin has delivered all of these services in its Nemesis product and enhanced them far beyond what had been available in BorderManager.
Setting up SuperLumin Nemesis as an HTTP forward-proxy server is one of the most common methods for accelerating content delivery to your users' Web browsers. Once a browser has been configured to use SuperLumin as a forward-proxy server, all of the browser’s requests are sent to the SuperLumin proxy server, which will grab the Web objects from the origin Web server, serve them up to the user’s browser and then cache those Web objects in its local cache store. When subsequent requests for those same Web objects are received, the proxy server will then be able to deliver them from its local cache faster than if it had to access them from across the Internet. (See Figure 1.)
Making it even easier to take advantage of its caching services, SuperLumin also provides a transparent-proxy service. The transparent proxy works much the same way as the forward proxy—the main difference being that it eliminates the hassle of having to configure each of your users’ Web browsers. It automatically accelerates HTTP content delivery for all of your network users by having you simply configure your network router or switch to route all HTTP traffic to the transparent-proxy service on the SuperLumin Nemesis proxy server.
One of the nice things about transparent proxy in SuperLumin Nemesis is that it provides superior stability over what had been provided by Novell BorderManager. Some customers avoided using transparent proxy in BorderManager because of its tendency to crash unexpectedly. This is not the case with SuperLumin Nemesis. As mentioned before, even though SuperLumin delivers much of the same functionality as BorderManager, it doesn’t share the same code base. This means that it also doesn’t inherit any flaws that might have existed in BorderManager.
In addition to forward- and transparent-proxy services, SuperLumin Nemesis provides a reverse-proxy service. Its reverse-proxy capability allows you to dramatically improve the performance and response time of your organization’s Web server by offloading all redundant content requests to the proxy service. By handling these redundant Web requests, your Web server bandwidth can be preserved for unique content and service requests, as well as supplying dynamic, uncached and updated content to the proxy server for subsequent caching.
Also, while forward- and transparent-proxy services cache content from hundreds and thousands of Web sites, a reverse-proxy can be used to cache specific Web sites or domains. For example, you can configure the reverse proxy to cache the content of multiple sites based on a list of host or domain names, such as www.novell.com, support.novell.com, or *.superlumin.com.
Additionally, you can place a reverse proxy in a local network to locally cache and accelerate desired content from specific sites. This allows the SuperLumin proxy server to take advantage of LAN speeds to locally deliver the cached content of these specific Web objects rather than relying on slower WAN speeds. For example, organizations that provide educational content can bring their content closer to individual schools by placing a reverse proxy at each school's local network to locally host the content of their Web sites for fast, local access.
Authentication and Access Control
One of the features that BorderManager customers most wanted to see in SuperLumin Nemesis, and which SuperLumin delivers, is the client trust feature. Client trust essentially provides eDirectory single sign-on. If users have already authenticated to eDirectory, SuperLumin Nemesis automatically recognizes those authentications and then automatically authenticates them in the background to the proxy service so users are not bothered with authentication prompts. While this was called client trust in BorderManager, it is simply referred to as SuperLumin single sign-on in SuperLumin Nemesis.
Beyond SuperLumin single sign-on for eDirectory environments, SuperLumin Nemesis provides a variety of other authentication options that can leverage your NTLM single sign-on, LDAP or RADIUS authentication infrastructure. It also supports external authentication from third-party Web-based authentication services.
SuperLumin delivers another frequently requested BorderManager feature called ACL Check, known simply as Access Control in SuperLumin Nemesis. It provides rule-based access controls that allow you to permit or block access to specific Internet sites. Using the SuperLumin browser-based management GUI, you can customize your own access control strategy by blocking content for all users, specific groups or individual users. You can block destinations by URL, a single IP address, an IP address range or an IP subnet. You can also create broad rules using wildcards to block or grant access to certain pages on a Web site.
(See Figure 2.)
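The rule types listed above (URL with wildcards, single IP address, IP range and subnet, scoped to all users, a group or one user) can be modelled as an ordered rule list. This is an added example, not SuperLumin code or its rule format: the `Rule` fields, the first-match-wins ordering, the default-block fallback and the sample policy are all assumptions made for illustration.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str   # "allow" or "block"
    who: str      # "*", "group:<name>" or "user:<name>" (hypothetical syntax)
    kind: str     # "url", "ip", "range" or "subnet"
    target: str

def _who_matches(rule, user, groups):
    if rule.who == "*":
        return True
    scope, _, name = rule.who.partition(":")
    return (scope == "user" and name == user) or (scope == "group" and name in groups)

def _dest_matches(rule, host, path, dest_ip):
    ip = ipaddress.ip_address(dest_ip)
    if rule.kind == "url":
        # Compare lowercased host + path against the pattern; '*' is a wildcard.
        return fnmatch.fnmatchcase((host + path).lower(), rule.target.lower())
    if rule.kind == "ip":
        return ip == ipaddress.ip_address(rule.target)
    if rule.kind == "range":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.target.split("-"))
        return lo <= ip <= hi
    if rule.kind == "subnet":
        return ip in ipaddress.ip_network(rule.target, strict=False)
    raise ValueError(f"unknown rule kind: {rule.kind}")

def decide(rules, user, groups, host, path, dest_ip, default="block"):
    """First matching rule wins; a request no rule matches gets the default."""
    for rule in rules:
        if _who_matches(rule, user, groups) and _dest_matches(rule, host, path, dest_ip):
            return rule.action
    return default

# Constructed sample policy: names and addresses are illustrative only.
RULES = [
    Rule("allow", "group:staff", "url", "www.example.com/docs/*"),
    Rule("block", "*", "url", "www.example.com/*"),
    Rule("block", "user:jdoe", "ip", "203.0.113.7"),
    Rule("block", "group:students", "range", "198.51.100.10-198.51.100.20"),
    Rule("block", "*", "subnet", "192.0.2.0/24"),
    Rule("allow", "*", "url", "*"),
]
```

Because the first match wins, the narrow staff exception has to sit above the broad block on the same site; reversing those two rules would block staff as well.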
In addition to blocking specific sites at a granular level with access controls, SuperLumin Nemesis has a set of APIs that provide hooks for third-party content filtering providers. Currently, ContentKeeper has an off-box and on-box content filtering solution that integrates with SuperLumin. A number of other filtering providers have plans to take advantage of this capability as well.
Beyond single sign-on and ACL controls, BorderManager customers also wanted firewall capabilities. You can use SuperLumin Nemesis as a firewall solution in much the same way that you may have used BorderManager. As with BorderManager, SuperLumin Nemesis provides stateful packet inspection and packet filtering at the port, IP and IP Range levels, but it’s much easier to set up in SuperLumin. For example, adding static or dynamic network address translation (NAT) is as simple as clicking a button. (See Figure 3.)
Social and Video Acceleration
While SuperLumin Nemesis delivers (and enhances) the services on Linux that BorderManager customers have long wanted, it also goes beyond BorderManager by delivering functionality such as social and video cache.
If you use a proxy service other than SuperLumin, you’ll find that you typically don’t experience any Web acceleration when you re-visit pages on social media sites such as YouTube or Facebook. This lack of acceleration occurs because most social media sites distribute their workload among multiple servers in order to handle heavy traffic volumes. When you watch a video on YouTube, your proxy server will cache the video locally with the idea that if you want to watch it again you’ll be able to download and view it much faster. However, when you click to watch the video again, YouTube most likely will serve up the video from a different server—preventing your proxy server from recognizing the video as the same content and requiring a completely new download over the Web. As a result, you could end up with several copies of the same video clip eating up network bandwidth and storage space in your local cache without giving you any added performance benefit.
By contrast, the social media and video cache features in SuperLumin Nemesis can recognize that the video or other social media content that you re-visit is actually the same content even though it happens to be coming from another server. As a result, rather than downloading it again, it will serve up the social content from its local cache. Not only does this significantly enhance the user experience, but it can free up considerable bandwidth, especially in university and college settings where it’s not uncommon to find 30-50 percent of network bandwidth being consumed by students visiting social media sites. (See Figure 4.)
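The difference between the two behaviours described above comes down to the cache key. The following added example, which is not SuperLumin's implementation, replays the same requests through a URL-keyed cache and a content-aware one; the `.video.example` mirror hosts, the `id` and `quality` parameters and the profile structure are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical site profile: which hosts are interchangeable mirrors and which
# query parameters identify the content (everything else is per-request noise).
VIDEO_PROFILE = {
    "host_suffix": ".video.example",
    "identity_params": ("id", "quality"),
}

def url_key(url):
    """Conventional cache key: the full URL, host included."""
    return url

def content_key(url, profile=VIDEO_PROFILE):
    """Content-aware key: ignore which mirror served the object."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(profile["host_suffix"]):
        return url_key(url)          # unknown site: fall back to URL keying
    query = parse_qs(parts.query)
    ident = []
    for name in profile["identity_params"]:
        values = query.get(name)
        if not values or len(values) != 1:
            return url_key(url)      # identity missing or ambiguous: do not merge
        ident.append(f"{name}={values[0]}")
    return f"*{profile['host_suffix']}{parts.path}?" + "&".join(ident)

def simulate(urls, key_func):
    """Replay requests through a dict-backed cache; return (hits, stored objects)."""
    cache, hits = {}, 0
    for url in urls:
        key = key_func(url)
        if key in cache:
            hits += 1
        else:
            cache[key] = f"<body fetched via {url}>"
    return hits, len(cache)

# Constructed requests: one video replayed from three mirrors, plus another video.
REQUESTS = [
    "http://cdn1.video.example/watch?id=abc123&quality=720&session=111",
    "http://cdn7.video.example/watch?id=abc123&quality=720&session=222",
    "http://cdn3.video.example/watch?id=abc123&quality=720&session=333",
    "http://cdn1.video.example/watch?id=zzz999&quality=720&session=444",
]
```

With URL keys the four requests produce no hits and four stored copies; with content keys they produce two hits and two stored objects.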
In terms of video caching, SuperLumin also provides “hole filling,” which allows the proxy service to cache those portions of a video that a user actually watches. For example, users often skip ahead or jump back when watching long videos. Most proxy servers don’t handle this type of jumping back and forth, but SuperLumin will cache the portions of the video actually watched, allowing for better viewing performance of those video segments. This also allows for higher resolution viewing from services like Microsoft Silverlight that 1) use an adaptive protocol to determine available user bandwidth, and 2) can recognize that the video is being served up faster by the cache, resulting in a higher resolution.
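Caching only the watched portions means tracking which byte ranges of an object are present and which are still holes. This added example sketches that bookkeeping; it is not SuperLumin's implementation, and the `SparseObject` class and its byte-offset interface are assumptions.

```python
import bisect

class SparseObject:
    """Tracks which byte ranges of one video are already in the cache."""

    def __init__(self, length):
        self.length = length
        self.ranges = []          # sorted, non-overlapping, half-open [start, end)

    def store(self, start, end):
        """Record that bytes [start, end) were fetched, merging with neighbours."""
        start, end = max(0, start), min(self.length, end)
        if start >= end:
            return
        merged = []
        for s, e in self.ranges:
            if e < start or s > end:      # disjoint and not adjacent
                merged.append((s, e))
            else:                         # overlapping or touching: absorb
                start, end = min(s, start), max(e, end)
        bisect.insort(merged, (start, end))
        self.ranges = merged

    def holes(self, start, end):
        """Return the sub-ranges of [start, end) that still need an origin fetch."""
        missing, cursor = [], start
        for s, e in self.ranges:
            if e <= cursor:
                continue
            if s >= end:
                break
            if s > cursor:
                missing.append((cursor, s))
            cursor = max(cursor, e)
        if cursor < end:
            missing.append((cursor, end))
        return missing
```

A viewer who watches the opening and then jumps to the middle leaves two stored ranges; a later request spanning both is served from cache except for the gap that `holes()` reports.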
SuperLumin Nemesis also enhances the performance of live video. For example, if your organization is hosting a live Web broadcast of your CEO to all employees, instead of requiring your branch office users to fetch the live stream from your originating server, SuperLumin Nemesis can take advantage of the typical two- to five-second delay in downloading the video to fetch the data, cache it at the branch office’s local proxy server and then send it locally to all the branch office users. So, instead of having 50 to 100 downloads of the same stream come across the WAN to individual users, it can come across in a single stream to the branch office, then split into multiple streams as needed when it arrives at the local proxy server.
Wait No Longer, Look No Further
Whether you’ve been waiting for a BorderManager replacement before making the move from NetWare to Linux, or you have simply been on the lookout for a full-featured, best-in-class proxy and caching server, you need look no further than SuperLumin Nemesis. And from now until the end of March 2011, if you buy a three-year maintenance contract for SuperLumin Nemesis, the license for the product is free. For more information about SuperLumin Nemesis, the relationship between Novell and SuperLumin, and the promotion, visit www.superlumin.com/border.php.