Rule Placement Concepts

By Scott Jones

Posted: 12 Apr 2002

Consider whether the WAN site proxy servers are dedicated function boxes or already loaded down with other services. Also consider whether the customer wants to use CyberPatrol and whether they are willing to buy a separate license for each server (CP rules must be on the server objects, so they can only apply to a single server; multiple licenses are required for multiple servers).

Generally, rule execution should happen as close to the users as possible, to a) avoid unneeded WAN traffic (for example, for a request that will be denied anyway) and b) distribute the rule execution load across multiple servers rather than pummel the parent(s) with authentication and ACL activity on top of the proxy/cache load.

DS issues are pretty minimal, as long as the tree is healthy by normal standards: ACLCheck only walks the tree for rules when the server is first booted, once every 24 hours thereafter, when a rule is created or modified, and when you click the "Refresh Server" button in NWAdmin.

