Hi,
At 22:52 11/03/2008, Peter Weichenberger wrote:
> Dear All,
> I'm pretty new to Squid and have troubles running it in the
> following environment:
> * LAN with 250 users
> * Windows Active Directory Service (ADS)
> Web Security Solution consisting of
> * IBM Proventia Web Filter performing URL filtering
> * Trend Micro InterScan Web Security Suite (IWSS) performing
> Antivirus scanning
> Both products (Webfilter and AV scanner) are installed on virtual
> machines running under VMware ESX 3.02.
> Both of them have an integrated, non-caching proxy server.
> Starting from the user PC, we have the following proxy chain:
> User PC => Web Filter proxy => IWSS proxy => Internet
> I want to use ADS objects like usernames in the Web Filter
> configuration - e.g. to create rules based on usernames instead of
> IP addresses.
> Problem: The proxy server included in Proventia Web Filter has no
> ADS/NTLM auth support, but can act as an ICAP server.
> In order to use ADS objects in the Web Filter config you need an
> additional, NTLM auth-capable proxy server.
> Since there is no such proxy server in our LAN yet, we obtained a
> preconfigured Squid for Windows package containing
> * SquidNT 2.5 Stable12 binaries
> * NTLM auth support
First, you should upgrade to Squid 2.6 and add also Negotiate authentication.
> I installed the Squid package on the same virtual machine where the
> Web Filter is installed.
> SquidNT acts as an ICAP client, authenticating proxy users against our AD.
> The Proventia Web Filter acts as an ICAP server, telling SquidNT if
> the authenticated user is allowed to access the requested site.
> So the proxy chain now looks like this:
> User PC => Squid proxy (ICAP client) => Web Filter (ICAP server) =>
> IWSS proxy => Internet
> Unfortunately we have the following problems with SquidNT:
> 1. Excessive RAM consumption
> After starting the SquidNT service, Windows Task manager shows that
> squid.exe uses about 9,000 KB of RAM.
This is a known and fixed old bug for Squid STABLE 12:
http://www.squid-cache.org/bugs/show_bug.cgi?id=1522
> A working day and many user requests later, squid.exe uses about
> 700,000 KB (!!) of RAM!
> Although the virtual machine has 1 GB of RAM assigned, Windows XP
> SP2 started to expand its paging file in order to satisfy the
> ever-increasing RAM demand of squid.exe.
Please: use a Server OS ......
> Monitoring Windows Task Manager, you can watch squid.exe's memory
> consumption counting up every 5 seconds.
> This means I have to restart the SquidNT service at least once a day
> - otherwise the paging file would fill up the harddisk completely.
> After restarting SquidNT, it returns back to its initial RAM
> footprint of about 9,000 KB, but starts to count up its memory
> consumption immediately.
> I already set memory_pools to off in squid.conf, but this freed up
> 1,600 KB, which is nothing compared to 700,000 KB.
> Since we had repeated Squid fatal errors due to insufficient
> ntlm_auth processes in the beginning, I have set the number of these
> processes to 35 (auth_param ntlm children 35).
If you are using IE7, Negotiate here could help you.
> Q: Although these are separate processes, can they be the cause for
> Squid sucking RAM like a black hole?
> Is there anything else I can do against it - besides restarting the
> Squid service?
Upgrade Squid to latest 2.6.
> 2. Service instabilities
> Occasionally, users get a message in their browser telling them that
> the proxy has rejected the connection.
> I checked the Squid server immediately after having received this
> message myself, but squid.exe was running as always.
> Obviously there are situations where Squid ceases its service for a
> short time, being unable to service user requests during this period.
Expected, because you are running on a Workstation OS:
http://smallvoid.com/article/winnt-tcpip-max-limit.html
> Q: What can be done to enhance reliability/stability of SquidNT?
Run Squid on Windows 2003 Server.
> 3. Problems accessing certain websites with Internet Explorer (IE)
> through Squid
> Our users have problems accessing the following sites:
> a) Bank website hosting a Java-based Internet banking application
> (website complains about missing Java support/invalid browser configuration)
Latest Java VM is NTLM aware.
> b) Website running a Citrix portal delivering applications over the Web
Not sure if there is something to do here, but there are many
changes/improvements in 2.6.
> Both applications use HTTPS and work when
> * using the IWSS proxy, bypassing Squid; independent of browser
> * using the Squid proxy, but Firefox instead of IE
> Problem: IE is our standard browser and is installed everywhere.
> Q: Is there any IE setting, which has to be changed in order to make
> "special" Web applications work over Squid?
> Ideas and hints regarding any of these issues are appreciated.
Again, first upgrade to latest 2.6 STABLE 18.
Regards
Guido
-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/
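As an added illustration (not part of this thread, and not Peter's or Guido's configuration): a minimal squid.conf fragment for Squid 2.6 on Windows that follows the advice above, offering Negotiate first with NTLM as the fallback, passing the authenticated AD username to the Web Filter's ICAP server on the same VM, and forwarding every request to the Web Filter's own proxy (which then chains to IWSS). The helper paths, the ICAP and parent ports, and the `icap_send_client_username` directive name are assumptions to verify against the squid.conf.default shipped with the installed release.

```conf
# Added example squid.conf fragment for Squid 2.6 on Windows.
# Lines marked ASSUMED are placeholders, not values from the thread.

# Offer Negotiate first (IE7 and recent Java VMs prefer it), which
# keeps most authentication off the NTLM helper pool.
# ASSUMED helper path:
auth_param negotiate program c:/squid/libexec/mswin_negotiate_auth.exe
auth_param negotiate children 10
auth_param negotiate keep_alive on

# NTLM stays as fallback for clients that cannot do Negotiate.
# ASSUMED helper path:
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 35
auth_param ntlm keep_alive on

# Only authenticated AD users get through; everything else is denied.
acl AuthUsers proxy_auth REQUIRED
http_access allow AuthUsers
http_access deny all

# Send each request (REQMOD) to the Web Filter's ICAP server on the
# same VM, including the username so it can apply per-user rules.
icap_enable on
# ASSUMED directive name for 2.6; check squid.conf.default:
icap_send_client_username on
# ASSUMED ICAP port and service path:
icap_service webfilter reqmod_precache 0 icap://127.0.0.1:1344/reqmod
icap_class webfilter_class webfilter
icap_access webfilter_class allow AuthUsers

# Never go direct: forward everything to the Web Filter's proxy,
# which chains on to IWSS. ASSUMED parent port:
cache_peer 127.0.0.1 parent 8080 0 no-query default
never_direct allow all
```

Run `squid -k parse` after editing to confirm every directive is accepted by the installed build before restarting the service.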