I have 7.1.5 MWG and I am planning to test the ICAP connection via Web Washer.
At this moment I need any documentation that describes how web proxies multiplex different clients' payloads onto single ICAP connections.
I'm trying to get my arms around several issues when sizing web proxy/Prevent environments:
1.) How to determine if a web proxy can multiplex client requests? Are there specific configuration settings in the web proxy to do this, or is it automatic?
2.) How does Prevent know how to reassemble complete client requests from a multiplexed ICAP connection?
Multiple web requests ride on a single TCP session to the ICAP server (DLP). Just like multiple HTTP/1.1 requests ride on a single port 80 TCP connection to a web server or a proxy. It's not really multiplexing.
You do not have to be concerned with which user's web request goes to which ICAP session. There is no correlation between them.
Prevent, or any ICAP server, takes each encapsulated request and handles them individually. The request includes the X-Client-IP and the X-Authenticated-User (if available) to determine who the original web request belongs to.
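An added Python example of the point above (not part of the original thread and not McAfee's code): it separates back-to-back REQMOD requests that arrive on one reused TCP connection, using the Encapsulated offsets and chunked body framing defined in RFC 3507, and attributes each request to its client through X-Client-IP and X-Authenticated-User. The host names, IP addresses, user values and payloads are constructed, and the parser assumes well-formed messages with no chunk trailers.

```python
# Added example; every host name, IP, user value and payload here is constructed.

def read_chunked(buf, pos):
    """Decode a chunked body starting at pos; return (body, next_pos)."""
    body = b""
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return body, pos + 2  # skip the final CRLF (assumes no trailers)
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF

def split_icap_requests(stream):
    """Return one record per ICAP request found in a reused connection's bytes."""
    records, pos = [], 0
    while pos < len(stream):
        head_end = stream.index(b"\r\n\r\n", pos) + 4  # end of the ICAP header
        lines = stream[pos:head_end].decode("ascii").split("\r\n")
        headers = {}
        for line in filter(None, lines[1:]):  # lines[0] is the request line
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
        # Encapsulated gives byte offsets of each section after the ICAP header.
        enc = {k.strip(): int(v) for k, v in
               (part.split("=") for part in headers["encapsulated"].split(","))}
        body, pos = b"", head_end + enc.get("req-body", enc.get("null-body", 0))
        if "req-body" in enc:
            body, pos = read_chunked(stream, pos)  # pos now at the next request
        records.append({"client_ip": headers.get("x-client-ip"),
                        "user": headers.get("x-authenticated-user"), "body": body})
    return records

def build_reqmod(client_ip, user, payload):
    """Construct a sample REQMOD message wrapping an HTTP POST."""
    http_hdr = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    icap = ("REQMOD icap://dlp.example/reqmod ICAP/1.0\r\n"
            "Host: dlp.example\r\n"
            f"X-Client-IP: {client_ip}\r\n"
            f"X-Authenticated-User: {user}\r\n"
            f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n\r\n").encode()
    return icap + http_hdr + b"%x\r\n%s\r\n0\r\n\r\n" % (len(payload), payload)

# Two different clients' POSTs sent one after another on the same connection.
STREAM = (build_reqmod("192.0.2.10", "constructed-user-a", b"field=alpha") +
          build_reqmod("192.0.2.77", "constructed-user-b", b"field=bravo-longer"))

if __name__ == "__main__":
    print(split_icap_requests(STREAM))
```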
Multiple web requests ride on a single TCP session to the ICAP server (DLP).
-> Is there any setting that we have to configure in order to allow multiple web requests on a single connection? Or is it automatic?
I have one scenario: ICAP Prevent can handle a maximum of 4096 connections, but if the web proxy has 8000 clients connected, then how will the web proxy behave:
Will it refuse the rest of the connections?
Or will it queue up?
Or will it try to handle multiple web requests in a single TCP connection?
There is no configuration setting that determines which request goes to which TCP session. It's automatic.
MWG honors the Max-Connections that Prevent tells it:
[root@reconnex ~]# telnet localhost 1344
Connected to localhost.
Escape character is '^]'.
ICAP/1.0 200 OK
Date: Tue, 08 Mar 2011 08:04:07 GMT
Service: Reconnex iGuard ICAP Server 1.0
X-Include: X-Client-IP, X-Server-IP, X-Authenticated-User
If you have multiple Prevent servers, it will rotate amongst them. If no ICAP server is available, you can choose to fail open if desired, otherwise it will block the connection.
OK, agreed, but if I have more than 4096 clients connected to the web proxy,
-> How do I determine whether Web Washer can handle multiple client requests?
-> Will it try to put multiple clients' requests in a single TCP connection, or will it drop the connections beyond 4096?
-> If not, will it close the old connection/session and re-establish a new connection for the next clients in the list?
It manages the concurrent connections to ICAP itself. If there is no connection, it will create one. If there is an existing connection in use, it will create a new one; if there is an existing connection that is finished but still connected, it will reuse the connection.
Just how many users do you actually have? 4000 users does not create 4000 connections. The only traffic that goes to DLP will be POST data that has content. Normal web requests do not usually get sent to DLP.
All users would have to POST data with content at the exact same moment to even get close to that 4096 number.
If we compare it to a proxy connection from all your browsers to port 9090, 4000 intensive users generally will only generate peak traffic of about 400 requests/second. Of that, only about 40 requests (10%) would be POST data. Even when MWG is the ICAP server for a different brand of proxy, it would typically only use about 100 connections maximum for REQMOD.