Sun 2007-04-29 at 13:59 -0500, Fiero, Paul wrote:

> Aaahhhh, I see your point. I wasn't thinking before I spoke. To
> bypass the normal route to the outside world would be in violation of
> our security policy and would set a precedent that I don't think our
> CIO is ready to defend

Well, I can't speak for the design of your network. That's your headache. Can only give you alternatives in how to solve your question.

If you replace a WCCP capable router with one without WCCP or other load balancing capabilities, and want to still have the same functionality, then something needs to be added between the new router and Squid to distribute the load and provide fallback if the Squid is not running. This something may be running on the Squid servers (i.e. Linux LVS + heartbeat or similar running directly on one of the servers in an HA setup), or separate (i.e. load balancer, or WCCP capable router). Having it separate is usually preferred as it is a fairly isolated and fail-proof thing needing much less administration and maintenance than the Squid servers.

And I can only second what Amos said. All of this should most likely take place on the internal side of the firewall. Having servers outside the firewall, well, kind of defeats the purpose of having a firewall in the first place... but if you trust the security awareness and strictness of everyone maintaining the servers you may obviously have local firewalls on each server or strictly secured servers, which also works but requires a fair bit more discipline in server maintenance and setup.

Regards
Henrik