Hi all, We currently have a setup with proxies that use NTLM authentication (we hope to upgrade to kerberos in the future) and based on the username send the user to one of several parent proxies, to improve caching we would like to instead route all traffic through one proxy that is heavily optimized for caching (has it's own large storage etc.). I saw in the documentation that it is possible to pass the authentication to the parent, as far as I can tell I can 'tell' the parent in several ways how to route the client: - I can pass the username to the parent - I can 'NAT' the users connection as it leaves the child proxy (src ip rewrite rules) and have source IP based rules on the parent. - I could setup multiple instances of the same parent with different login details and 'route' based on username to each of said 'parents' It seems to me that the second option would result in better performance on the one hand but on the other hand it would add more obfuscation, however performance is more important to me. Am I correct in my analysis? Is passing the username to parent a lot slower, would it require another ntlm-auth binary running on the parent or can the username just pass cleartext between the proxies and therefor the whole 'authentication' is a lot faster.... Thanks for your brain-cycles, Eli
