Designing and Planning Proxy Services

This section contains examples of how you can design various applications of the Novell BorderManager 3.7 Proxy Services. This section contains the following information:


Web Client, Server, and Network Acceleration

This section describes the three primary ways to use proxy caching:

This section also provides several examples of how you can use caching. In these examples, Acme Company is implementing several proxy cache solutions to enhance its enterprise network: client acceleration, server acceleration, and network acceleration. For each type of caching, examples are given for both intranet and Internet use.


Web Client Acceleration (Standard Proxy Cache)

In Web client acceleration, the proxy server is located between clients and the Internet, as shown in the following figure. The proxy server intercepts requests from clients for Web pages and supplies the requested pages to the client, if cached, at LAN speed. This eliminates the delay that occurs when the origin Web site is accessed and minimizes the traffic between the corporate network and the Internet.

The proxy server makes requests to Web servers for the intranet clients, using appropriate protocols such as HTTP, FTP, and Gopher. The proxy server caches URLs, HTML pages, and FTP files to accelerate subsequent requests to the same objects.

Figure 9
Client Accelerator Configuration


Identifying Cache Sites

When planning the implementation of proxy servers and caching on your network, you must identify which sites would benefit from caching. Look for the following when identifying client acceleration sites:


Internet Client Acceleration Example

In this example, Acme Company wants to give its employees access to the wealth of information available on the Internet. However, the company also wants to restrict access only to those Internet Web sites that contribute to the workplace. This results in two requirements:

To meet both requirements, Acme Company implemented proxy servers as client accelerators in all of its facilities, using access control list rules established in NDS or eDirectory by the network administrator. All employee Web browsers are configured to operate through proxy servers. The proxy cache servers greatly accelerate Web page loading and permit control over Internet access. This configuration is shown in the following figure.

Figure 10
Internet Client Acceleration Configuration Example


Intranet Client Acceleration Example

Various groups within Acme Company have published extensively on internal Web sites. Some of the published information is company public, or accessible by all employees. Other information is privileged, or accessible only by employees who have a need to know. For example, some advanced development information is available only to certain engineering or management groups. The published information is spread across a large number of internal Web sites.

Acme Company has two requirements for intranet Web site access by employees:

Because of the flexibility of Proxy Services, the same proxy servers used to restrict Internet Web access in the first example, Web Client Acceleration (Standard Proxy Cache), can also be used to restrict access to intranet Web sites. In addition to storing the Internet access restrictions in eDirectory, the administrator stores intranet Web access rules. This approach gives the administrator centralized and global control of both Internet and intranet access from a single point, greatly simplifying access management.


Web Server Acceleration (HTTP Acceleration)

With Web server, or HTTP, acceleration, the proxy server acts as a front end to one or more Web servers and caches all information that belongs to the Web server, as shown in the following figure. When a client requests information from a Web server, the request is diverted to the proxy server. The proxy server supplies the cached pages to the client at high speed. This method accelerates access and takes the request load off the publishing Web servers, allowing them to handle publishing and dynamic content more efficiently.

Proxy Services can provide acceleration for all popular Web servers in any combination.

Figure 11
Web Server Accelerator Configuration


Identifying Cache Sites

When planning the implementation of proxy servers and caching on your network, you must identify which sites would benefit from caching. Look for the following when identifying server acceleration sites:


Internet Server Acceleration Example

Acme Company's public Web site, http://www.AcmeCo.com, receives millions of hits daily from a worldwide audience. The site was previously serviced by multiple Web servers. Recently, the company set up several proxy servers to serve as front ends to the Web servers, as shown in the following figure. This approach provides three important benefits:

Figure 12
Internet Server Accelerator Configuration Example


Intranet Server Acceleration Example

Many of the groups in Acme Company publish information on internal Web servers on the company's intranet. These servers are scattered around the world and are accessed by employees who are also located around the world. Unlike the information on the Acme public Internet Web site, much of the information published internally is sensitive and access to it must be restricted. Complicating this situation is that the information resides on a variety of Web server platforms, including NetWare, UNIX Apache, Netscape, and NCSA, making access management complex and difficult.

Acme Company solved the problem by creating front ends to its intranet Web servers with proxy servers at each site. For example, at its headquarters, the company installed 10 proxy servers as front ends to the 50 intranet Web servers at that site, as shown in the following figure. Access control was transferred from the Web servers to the proxy servers. This approach results in the following benefits:

Figure 13
Intranet Server Accelerator Configuration Example


Network Acceleration (ICP Hierarchical Caching)

With network acceleration, or ICP hierarchical caching, multiple proxy servers are configured in a hierarchical, or mesh, topology, as shown in the following figure. The proxy servers are connected in a parent, child, or peer relationship. When a miss occurs, the proxy contacts the other servers in the mesh to find the requested cached information. The nearest proxy cache that has the requested information forwards it to the requesting proxy server, which in turn forwards it to the requesting client.

ICP hierarchical caching reduces the WAN traffic load and frees valuable bandwidth. In addition, because the requested information is sent from the nearest proxy server, network delays are minimized. This reduces user wait times and increases user productivity.

Figure 14
Network Accelerator Configuration


Identifying Cache Sites

When planning the implementation of proxy servers and caching on your network, you must identify which sites would benefit from caching. Look for the following when identifying network acceleration sites:


Intranet Network Acceleration Example

Acme Company is a large organization with worldwide facilities. As a result, employees and Web servers are widely scattered. Employees must have easy and fast access to internal Web information, regardless of their location or the location of the target Web server. In addition, because of the high cost of network equipment and the even higher cost of managing it, the company must obtain the highest utilization possible from its network resources.

Acme Company implemented a hierarchical mesh of proxy servers, as shown in the following figure. Hierarchical caching reduces the load on Web servers and reduces WAN traffic by allowing clients to access cached intranet Web information from the closest proxy server.

For example, a Los Angeles-based employee might be in Paris and need to access information from a Web site in Los Angeles. Although no one at the Paris office has recently accessed that information, an employee in the London office has, and the information is cached on the proxy server in London. Instead of routing the client's request all the way to Los Angeles, the proxy server in Paris can access the information from the proxy server in London. This reduces network delay and eliminates slower, more expensive transatlantic traffic on the network.

Figure 15
Intranet Network Accelerator Configuration Example
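The miss handling described under Network Acceleration, applied to the Paris and London scenario above, is sketched below as an added example; it is not BorderManager code. It assumes the ICP version 2 message layout from RFC 2186, and the peer addresses, URL, and function names are constructed for illustration.

```python
import struct

# ICP version 2 header (RFC 2186): opcode, version, message length,
# request number, options, option data, sender host address = 20 bytes.
HEADER = struct.Struct("!BBHIII4s")
ICP_VERSION = 2
ICP_OP_QUERY, ICP_OP_HIT, ICP_OP_MISS = 1, 2, 3

def build_message(opcode, reqnum, url):
    """Build an ICP datagram; a query carries a 4-byte requester address before the URL."""
    payload = url.encode("ascii") + b"\x00"
    if opcode == ICP_OP_QUERY:
        payload = b"\x00" * 4 + payload
    length = HEADER.size + len(payload)
    return HEADER.pack(opcode, ICP_VERSION, length, reqnum, 0, 0, b"\x00" * 4) + payload

def parse_reply(data):
    """Return (opcode, reqnum, url), or None when the datagram is malformed."""
    if len(data) <= HEADER.size or data[-1] != 0:
        return None
    opcode, version, length, reqnum, _, _, _ = HEADER.unpack_from(data)
    if version != ICP_VERSION or length != len(data):
        return None
    try:
        return opcode, reqnum, data[HEADER.size:-1].decode("ascii")
    except UnicodeDecodeError:
        return None

def choose_peer(replies, mesh_peers, reqnum, url):
    """Return the first configured peer that reports a HIT for this exact query.
    replies: (source_ip, datagram) pairs in arrival order, standing in for "nearest"."""
    for source_ip, data in replies:
        parsed = parse_reply(data)
        # ICP is unauthenticated UDP: drop off-mesh senders and malformed datagrams.
        if source_ip not in mesh_peers or parsed is None:
            continue
        if parsed == (ICP_OP_HIT, reqnum, url):
            return source_ip
    return None  # every peer missed: fetch from the origin Web server

# Constructed sample: the Paris proxy queries its mesh for a Los Angeles page.
URL = "http://intranet.example/la/report.html"
PEERS = {"192.0.2.10": "london", "192.0.2.20": "new-york"}
REPLIES = [
    ("203.0.113.9", build_message(ICP_OP_HIT, 7, URL)),   # not a mesh member
    ("192.0.2.20", build_message(ICP_OP_MISS, 7, URL)),   # peer without a copy
    ("192.0.2.10", build_message(ICP_OP_HIT, 6, URL)),    # stale request number
    ("192.0.2.10", build_message(ICP_OP_HIT, 7, URL)),    # valid HIT from London
]
```

Because an accepted HIT decides where the proxy fetches the object, the checks on sender, request number, and URL are what keep a host outside the mesh from steering that fetch.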


Internet Network Acceleration

Just as a hierarchical mesh of proxy servers can be used to accelerate intranet performance, it can be used on a much larger scale to accelerate Internet performance. The National Laboratory for Applied Network Research (NLANR) is working on such a project.

According to a recent NLANR report, the Internet's sustained explosive growth calls for an architected solution to the problem of scalable wide area information dissemination. While increasing network bandwidths helps, the rapidly growing populace will continue to outstrip network and server capacity as they attempt to access widely popular pools of data throughout the network. The need for more efficient bandwidth and server utilization transcends any single protocol such as FTP, HTTP, or whatever next becomes popular.

The basic Internet client-server model (in which clients connect directly to servers) is wasteful of resources, especially for highly popular information. A 1993 study of FTP traffic on the NSFNET backbone concluded that several well-placed caches could reduce FTP traffic by 44%. There are endless examples in which server systems have not been able to cope with the demands placed upon them for popular information.


Proxy Application Examples

This section contains examples of FTP, FTP reverse proxy, Mail (SMTP), News (NNTP), DNS proxy applications, and an example of SOCKS.

The following figure shows an example of FTP acceleration using a Novell BorderManager 3.7 proxy server on the firewall. The browser client can access the FTP server through the proxy server.

Figure 16
FTP Acceleration

The following figure shows an example of FTP reverse acceleration. In this example, the client accesses the two FTP servers on the intranet through the Novell BorderManager 3.7 proxy server on the firewall.

Figure 17
FTP Reverse Acceleration

The following two figures show two examples of using the Novell BorderManager 3.7 News proxy to connect to an external news server. The first figure shows an example of a small company without private news servers. The Novell BorderManager 3.7 proxy server acts as a news server, handling all browser requests from the intranet and the corresponding responses from the public news servers on the Internet. The second figure shows a larger company with its own internal news server. The internal news server uses the Novell BorderManager 3.7 proxy server to exchange articles with outside or public news servers.

Figure 18
News Proxy without an Internal News Server

Figure 19
News Proxy without an Internal News Server

The following two figures show two examples of using the Novell BorderManager 3.7 Mail proxy to connect to an external mail server. The first figure shows an example of a small company without an internal mail server. The Novell BorderManager 3.7 proxy server acts as a mail server, handling all SMTP and POP3 requests from the intranet and the corresponding mail from the external mail server on the Internet. The second figure shows a larger company with its own internal mail server. The internal mail server uses the Novell BorderManager 3.7 proxy server to exchange mail with outside or public mail servers.

Figure 20
Mail Proxy without an Internal Mail Server

Figure 21
Mail

The following figure shows an example of using DNS proxy. The Novell BorderManager 3.7 proxy server configured for DNS proxy handles traffic between the internal DNS name server and the DNS name server on the Internet.

Figure 22
DNS Proxy

The following figure shows an example of using a Novell BorderManager 3.7 server behind an existing SOCKS firewall.

Figure 23
Novell BorderManager 3.7 Server behind a SOCKS Firewall


