Client Accelerator Tab

Path: Cache > Client Accelerator

Figure 96

The Client Accelerator tab lets you configure the appliance as a forward proxy server. It lets you specify which IP addresses receive forward proxy requests from browsers and the ports that the appliance listens on for forward requests.

Enable Client Acceleration (Forward Proxy): Enables the appliance to handle forward proxy services. Browsers using this service must be configured with the appliance as a proxy server or must be enabled to obtain the proxy address automatically using WPAD. To activate the service, you must check one or more IP addresses for this service in the Proxy IP Addresses list.

Proxy IP Addresses: Displays all appliance IP addresses. You must check all addresses that you want to have forward proxy services on.

Proxy Port: Identifies the port from which the appliance will receive forward proxy requests and send requested data back to the requesting browsers.

Enable Automatic Proxy Configuration (WPAD): Enables WPAD listening on all IP addresses configured for client acceleration.

IMPORTANT:  These IP addresses must not be used by any other appliance service that uses port 80. For example, a single IP address cannot provide both WPAD and Web server acceleration services that are configured to use port 80. The latter will always override WPAD. The same is true for any other service configured to use port 80.

The WPAD standard provides automatic configuration of browsers to use proxy services on a network. It requires browsers on the network to be configured to request and use WPAD information. Configuration procedures vary for each browser.

For more information on configuring your network for WPAD, see Setting Up Forward Proxy with WPAD.

For information on customizing the WPAD implementation on your appliance, see Customizing Web Proxy Auto-Discovery.

Enable Logging for Client Acceleration: Enables logging of forward activity.

Log Options: Lets you specify how often new log files are started and how long log files are retained. See Using Appliance Logging Services and Log Options Dialog Box.

Enable Authentication: Causes the appliance to require authentication of users wanting to use its client accelerator services. Clicking Authentication displays the Add Authentication Profiles dialog box. For more information, see Add Authentication Profiles Dialog Box.

IMPORTANT:   Excelerator requires that each service (including authentication) uses a unique IP address and port combination. The default authentication port is 443. Attempts to enable authentication for more than one service on the same IP address and port will result in a TCP bind error.

DNS Name: If the authentication profiles selected for this service are not Basic or NTLM profiles, the initial information exchanges between the requesting browsers and the cache device are SSL-encrypted.

If the Subject Name in the SSL certificate on the cache device is not the IP address of the cache device, the value of this field must match both the DNS name returned from the browser's DNS lookup and the Subject Name in the cache device's certificate. Otherwise, browsers will issue security alerts to users.

SSL Listening Port: The port on which the appliance listens for authentication requests.

Certificate: This drop-down list displays any certificates you have stored on your appliance. System-generated certificates do not appear in the list.

Use this field to select the certificate you created specifically for the appliance's client accelerator services. This will prevent browsers from receiving certificate confirmation messages each time they access the appliance. For more information, see Managing Appliance Certificates.

Enable X-Forwarded-For: X-Forwarded-For headers pass browser ID information along with browser request packets. If the headers are included, Web servers can determine the origin of browser requests they receive. If the headers are not included, browser requests have anonymity.

Checking the X-Forwarded-For option causes the appliance either to add information to an existing X-Forwarded-For or Forwarded-For header, or to create a header if one doesn't already exist.

Leaving the option unchecked causes the appliance to remove X-Forwarded-For headers from any forward proxy requests passing through the appliance.

You must weigh the desires of browser users to remain anonymous against the desire of Web server owners (e-commerce sites, for example) to collect data about who is accessing their sites.
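The two settings described above can be modeled as follows. This is an added example, not Excelerator code; it handles only the X-Forwarded-For header name, and the addresses, header list, and function names are constructed for illustration. The second function shows how an origin Web server can read the header safely: because the appliance appends to whatever the browser sent, only the entry added by a known proxy is reliable.

```python
import ipaddress

XFF = "x-forwarded-for"

def forward_headers(headers, client_ip, xff_enabled):
    """Return the request headers the proxy passes on for one request.

    headers: list of (name, value) pairs as received from the browser.
    """
    existing = [v for n, v in headers if n.lower() == XFF]
    out = [(n, v) for n, v in headers if n.lower() != XFF]
    if xff_enabled:
        # Checked: extend an existing header, or create one if none exists.
        out.append(("X-Forwarded-For", ", ".join(existing + [client_ip])))
    # Unchecked: any X-Forwarded-For header is removed and none is added.
    return out

def origin_client_ip(xff_value, peer_ip, trusted_proxies):
    """Origin-server side: pick the address to log for a request.

    Entries to the left of the one a trusted proxy appended were supplied
    by the browser and can hold anything, so read the list right to left
    and stop at the first hop that is not a trusted proxy.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip  # not relayed by a known proxy: ignore the header
    for hop in reversed([h.strip() for h in xff_value.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: fall back to the TCP peer
        if hop not in trusted_proxies:
            return hop
    return peer_ip

# Constructed sample: a browser at 10.1.2.3 sends its own header value.
BROWSER_HEADERS = [("Host", "www.example.com"), ("X-Forwarded-For", "203.0.113.9")]
PROXY_IP = "192.0.2.10"  # assumed appliance address

if __name__ == "__main__":
    sent = dict(forward_headers(BROWSER_HEADERS, "10.1.2.3", xff_enabled=True))
    print(sent["X-Forwarded-For"])
    print(origin_client_ip(sent["X-Forwarded-For"], PROXY_IP, {PROXY_IP}))
    print(forward_headers(BROWSER_HEADERS, "10.1.2.3", xff_enabled=False))
```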

Enable Custom Cache Control Header: Lets you enable the caching of objects on the appliance while preventing caching by requesting browsers.

Custom cache control headers are designed primarily to be used in Web server accelerators. However, very large hosting sites sometimes prefer to place forward or transparent accelerators in front of their server farms rather than creating hundreds or even thousands of Web server accelerator services.

For details on how the headers work, see Custom Cache Control Header Dialog Box.

Allow HTTP CONNECT Method: Lets you enable the forward proxy service to use the HTTP CONNECT method. For details, see Managing HTTP CONNECT Method Support.

Allow Only SSL CONNECT Traffic: Lets you have Excelerator check to ensure that HTTP CONNECT requests to the forward service contain SSL-related traffic. For details, see Managing HTTP CONNECT Method Support.
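One way a proxy can verify that a CONNECT tunnel carries SSL-related traffic is to inspect the first bytes the browser sends through it. This is an added example, not Excelerator's implementation, which this page does not describe; the function names and the sample byte strings are constructed for illustration.

```python
def looks_like_ssl_hello(data: bytes) -> bool:
    """True if the first client bytes of a tunnel start an SSL/TLS handshake."""
    # SSLv3/TLS record header: type 0x16 (handshake), version 3.x,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        record_len = int.from_bytes(data[3:5], "big")
        return data[2] <= 0x04 and 0 < record_len <= 16384 and data[5] == 0x01
    # SSLv2-format ClientHello: 2-byte length with the high bit set,
    # message type 0x01, then the offered version (0x0002 or 0x03xx).
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return data[3:5] == b"\x00\x02" or data[3] == 0x03
    return False

def connect_verdict(request_line: str, first_bytes: bytes, ssl_only: bool) -> str:
    """Decide what to do with one CONNECT tunnel: 'allow' or 'deny'."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT" or ":" not in parts[1]:
        return "deny"  # not a well-formed CONNECT host:port request
    if ssl_only and not looks_like_ssl_hello(first_bytes):
        return "deny"  # tunnel payload is not an SSL/TLS handshake
    return "allow"

# Constructed samples (truncated to the bytes the check reads).
TLS_HELLO = bytes.fromhex("16 03 01 00 2f 01 00 00 2b 03 03")
SSLV2_HELLO = bytes.fromhex("80 2e 01 03 01")
PLAIN_HTTP = b"GET / HTTP/1.1\r\n"
REQUEST = "CONNECT www.example.com:443 HTTP/1.1"

if __name__ == "__main__":
    for name, payload in [("tls", TLS_HELLO), ("sslv2", SSLV2_HELLO), ("http", PLAIN_HTTP)]:
        print(name, connect_verdict(REQUEST, payload, ssl_only=True))
```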

Enable Access Control: <>. For details, see Access Control Options Dialog Box.

Advanced Options: Lets you control the TCP receive window size for cache device fills from origin Web servers, the caching of objects on the cache device that would not normally be cached, and the filling and vending of browser no-cache requests by the cache device. For details, see Advanced Options (Tuning) Dialog Box.


Log Options Dialog Box

Path: Cache > Client Accelerator > Enable logging for Client Acceleration > Log Options

Figure 97

The Log Options dialog box lets you set logging format and other options for a proxy service.

Common: For information, see the Common Log File Format Web site.

Extended: For information, see the Extended Log File Format Web site. For information on the appliance-specific extended log format, see About Extended Log Field Headers.

The list of possible fields to log includes User Name, Site Name, Fill Proxy, and Origin Server. These fields are not part of the extended log file format definition.

Rollover Options: Lets you specify how often new log files are started or rolled over. You can use either periods of time or log file size to trigger the start of a new file.

NOTE:  If you specify file size as the trigger to start a new file and the appliance is shut down before and restarted after midnight, Excelerator will start a new log file automatically.

Old File Options: Lets you specify the disposition of old log files. The Do Not Delete option does not prevent the manual deletion of files nor the deletion of files specified in the FTP Log Push Configuration dialog box.


FTP Log Push Configuration Dialog Box

Path: Any Log Options dialog box > Log Push

Figure 98

The FTP Log Push Configuration dialog box lets you schedule regular downloading and deleting of appliance log files to an FTP server, thus preventing a disk full condition and the loss of logging data.

IMPORTANT:  Although this dialog box is accessed through the service-specific Log Options dialog boxes, FTP log push is a global feature that affects all log files on the appliance.

For more information on log file management, see Using Appliance Logging Services.

FTP Log Push Enable: Checking this box enables FTP Log Push for the appliance. All log files for the services checked under Log Types are affected.

Host Server: The DNS name or IP address of the FTP server to which log files are to be downloaded.

Login Name: A valid FTP login name.

Password: The password of the FTP login name.

Default Directory: A subdirectory located in the default directory of the FTP login name. If this directory doesn't exist, FTP Log Push will create it. All log files are downloaded in a subdirectory structure that mirrors the ETC/PROXY/DATA/LOGS directory on the appliance. For log file locations, see Getting Log Filenames.

IP Address: An appliance IP address through which FTP Log Push will send the log files.

FTP Log Push does not require that the appliance's mini FTP server be activated.

Delete Log Files from Excelerator Server after Successful Push: When selected, this option causes log files to be deleted immediately after they have been downloaded to the FTP server. This option overrides rollover and old file settings in the Log Options dialog box.

Log Push Result: A non-editable status box indicating if push operations were successful.

Push Logs When the Logs Roll Over: When this option is selected, log files are immediately downloaded and deleted when they are closed by a rollover operation.

Days to Push the Logs: Allows you to specify how often to push logs. You can push logs monthly, weekly, only on specific days, or every day. You can specify frequent pushing through the Push Logs When the Logs Roll Over option.

Time to Push the Logs: Specifies the hour at which the push will occur.

Log Types: Identifies the services whose logs are to be pushed. The Cluster option pushes all logs for any clustered services running on the appliance.


Add Authentication Profiles Dialog Box

Path: Cache > Client Accelerator or Transparent Handling or Web Server Accelerator > Enable Authentication > Authentication Options

Figure 99

The Add Authentication Profiles dialog box lets you select one authentication profile, which you can use to authenticate the users of the proxy service from which you accessed this dialog box.

Maximum Idle Time Before Requiring a New Login: The period of browser inactivity allowed before the appliance requests a new login.

Authenticate Only When User Attempts to Access a Restricted Page: This option is used in conjunction with access control policies created for the proxy service you are configuring. For information on access control, see Access Control.

If this option is checked, users are prompted to authenticate only when accessing pages that are covered by an access control policy. If this is not checked, users must authenticate whenever they attempt to use the proxy service being configured.

Cookie Domain: This optional field lets you explicitly specify the domain for which the authentication cookie will be set.

Excelerator's default authentication cookie generation works for domains of the form www.companyname.com.

For other domains such as international domain names wherein the right two fields are often top-level domains, the default generation can result in invalid cookie domain names, such as co.uk.
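The failure described above can be reproduced with a short check. This is an added example, not Excelerator code: it assumes the default generation keeps the rightmost two labels of the host name, and it uses a small constructed set of suffixes in place of the full Public Suffix List. It flags host names for which the Cookie Domain field needs to be set explicitly.

```python
# Constructed, partial set of two-label public suffixes (assumption: a real
# check would consult the full Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

def default_cookie_domain(host: str) -> str:
    """Assumed default generation: keep the rightmost two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_usable_cookie_domain(domain: str) -> bool:
    """A cookie domain must not be a bare label or a public suffix."""
    d = domain.lower().strip(".")
    return "." in d and d not in TWO_LABEL_SUFFIXES

def cookie_domain_for(host: str):
    """Return (cookie_domain, must_set_explicitly) for a service host name."""
    guess = default_cookie_domain(host)
    if is_usable_cookie_domain(guess):
        return guess, False
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        raise ValueError(f"{host!r} has no registrable domain to scope a cookie to")
    # Keep one more label so the cookie is scoped to the organization,
    # not to the shared suffix.
    return ".".join(labels[-3:]), True

if __name__ == "__main__":
    for h in ("www.companyname.com", "www.companyname.co.uk"):
        print(h, "->", default_cookie_domain(h), "->", cookie_domain_for(h))
```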

If you need to specify an authentication cookie domain, the following rules apply:

Existing Profiles: A list of the authentication profiles you have created in Cache > Authentication. For more information, see Authentication Tab.

Service Profiles: The authentication profiles that are active for the proxy service you are configuring. You add a profile to the list by clicking a profile in the Existing Profiles list and then clicking Add. You can remove the profile from this list using the Delete button.

The list can contain one or two profiles as follows:

AND Profiles: If this option is selected, users must pass both the mutual authentication and the username/password authentication criteria to access the service.

OR Profiles: If this option is selected, users can use the service after passing either the mutual or the username/password profile's criteria.

Require Authentication Options: Clicking this button displays the Require Authentication on Request Header dialog box. This dialog box contains the following options.


Custom Cache Control Header Dialog Box

Path: Cache > Web Server Accelerator > Enable Custom Cache Control Header > Header Options

Figure 100

This dialog box lets you specify object headers that the appliance recognizes as overriding standard HTTP cache directives. The dialog box has two options that let you specify how the appliance refills objects with custom cache control headers when the objects expire in cache.

For more information on how objects expire and what happens when they do, see Overview and Managing Cache Freshness.

For more information on custom cache control headers, see Using Custom Cache Control Headers.

Use Get If-Modified-Since Request to See If Cached Copy Is Still Correct: When objects expire in cache and are subsequently requested by a browser, they are refilled in cache only if they have changed on the origin Web server. Otherwise, they are retained in cache and their expiration timer is set to the custom cache control header value.

Always Get a New Copy of Object: When objects expire in cache and are subsequently requested by a browser, they are refilled in cache and their expiration timer is set to the custom cache control header value. Excelerator doesn't check to see whether objects have changed on the origin Web server.


Access Control Options Dialog Box

Path: Cache > Client Accelerator or Transparent Handling or Web Server Accelerator > Enable Access Control > Access Control Options

Figure 101

The Access Control Options dialog box lets you assign access control policies to the proxy service through which you accessed the box. You assign policies to the service by selecting a profile in the Existing Access Control Policies list and clicking Add. The policy then moves to the Active Access Control Policies list. Use the Delete button to remove policies from the active list.

For more information on how access control policies function and how to create them, see Access Control.


Advanced Options (Tuning) Dialog Box

Path: Cache > Client Accelerator or Transparent Handling or Web Server Accelerator > Advanced Options

Figure 102

The Tuning dialog box lets you control the initial and subsequent TCP receive window size for cache device fills from origin Web servers, the caching of objects on the cache device that would not normally be cached, and the filling and vending of browser no-cache requests by the cache device.

Limit the Fill Bandwidth: This enables limits on the TCP receive window size for browser requests using the service.

Fill Bandwidth Limit: This sets the TCP receive window size for cache fills that occur after the initial fill request.

Initial TCP Receive Window Size: This sets the TCP receive window size for initial cache fill requests.

Cache Objects That Have No Validator or Expiration Date: This enables caching of objects that would not normally be cached because they have no validator or expiration date set.

For Browser No-Cache Requests: This controls the handling of browser requests that specify the request should not be filled from cache. Requests can be ignored (vended from cache without checking content freshness), refilled (automatically refilled from the origin Web server before vending), or revalidated (checked against the object on the origin Web server and refilled prior to vending if that object is fresher).