5 Replies Latest reply on Aug 24, 2011 6:06 PM by eelsasser

    Need help in connection sizing for prevent appliance



      I have 7.1.5 MWG and I am planning to test the ICAP connection via Web Washer.


      At this moment I need any documentation that describes how web proxies multiplex different clients' payloads onto single ICAP connections.


      I'm trying to get my arms around several issues when sizing web proxy/Prevent environments:


      1.) How to determine if a web proxy can multiplex client requests? Are there specific configuration settings in the web proxy to do this, or is it automatic?

      2.) How does Prevent know how to reassemble complete client requests from a multiplexed ICAP connection?


      Help appreciated.

        • 1. Re: Need help in connection sizing for prevent appliance

          Multiple web requests ride on a single TCP session to the ICAP server (DLP). Just like multiple HTTP/1.1 requests ride on a single port 80 TCP connection to a web server or a proxy.  It's not really multiplexing.


          You do not have to be concerned with which user's web request goes to which ICAP sessions. There is no correlation between them.


          Prevent, or any ICAP server, takes each encapsulated request and handles it individually. The request includes the X-Client-IP and the X-Authenticated-User (if available) to determine who the original web request belongs to.

          • 2. Re: Need help in connection sizing for prevent appliance

            Multiple web requests ride on a single TCP session to the ICAP server (DLP).

            -> Is there any setting that we have to configure in order to allow multiple web requests on a single connection? Or is it automatic?


            I have one scenario: ICAP Prevent can handle a maximum of 4096 connections, but if the web proxy has 8000 clients connected, then how will the web proxy behave:

            Will it refuse the rest of the connections?

            Or will it queue up?

            Or will it try to handle multiple web requests in single TCP connections?

            • 3. Re: Need help in connection sizing for prevent appliance

              There is no configuration setting that determines which request goes to which TCP session. It's automatic.


              MWG honors the Max-Connections that Prevent tells it:


              [root@reconnex ~]# telnet localhost 1344
              Connected to localhost.
              Escape character is '^]'.
              OPTIONS icap://

              ICAP/1.0 200 OK
              Date: Tue, 08 Mar 2011 08:04:07 GMT
              ISTag: "McAfee-052501-2011-82698"
              Methods: REQMOD
              Service: Reconnex iGuard ICAP Server 1.0
              Options-TTL: 3600
              Max-Connections: 4096
              Preview: 4096
              Allow: 204
              Transfer-Preview: *
              Encapsulated: null-body=0
              X-Include: X-Client-IP, X-Server-IP, X-Authenticated-User


              If you have multiple Prevent servers, it will rotate amongst them. If no ICAP server is available, you can choose to fail open if desired, otherwise it will block the connection.
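As an added example (not code from the thread, McAfee or the Prevent product), here is a small Python client that performs the same OPTIONS exchange as the telnet session above and pulls out the headers that matter for sizing (Max-Connections, Options-TTL, Preview, Allow, X-Include). The embedded sample is the response quoted in the reply above so the parser runs offline; the host, port and service path used by the live request are assumptions.

```python
import socket

# OPTIONS response quoted from the reply above, embedded so the parser runs offline
SAMPLE_OPTIONS_RESPONSE = "\r\n".join([
    "ICAP/1.0 200 OK", "Date: Tue, 08 Mar 2011 08:04:07 GMT",
    'ISTag: "McAfee-052501-2011-82698"', "Methods: REQMOD",
    "Service: Reconnex iGuard ICAP Server 1.0", "Options-TTL: 3600",
    "Max-Connections: 4096", "Preview: 4096", "Allow: 204",
    "Transfer-Preview: *", "Encapsulated: null-body=0",
    "X-Include: X-Client-IP, X-Server-IP, X-Authenticated-User", "", "",
])

def parse_icap_options(raw):
    """Parse an ICAP/1.0 OPTIONS response into the fields that matter for sizing."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("ICAP/"):
        raise ValueError("not an ICAP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    def num(name):
        return int(headers[name]) if name in headers else None

    def csv(name):
        return [v.strip() for v in headers.get(name, "").split(",") if v.strip()]

    return {
        "status": int(status[1]),
        "methods": csv("methods"),
        "max_connections": num("max-connections"),  # concurrent ICAP sessions the server accepts
        "options_ttl": num("options-ttl"),          # seconds before the proxy should re-query OPTIONS
        "preview": num("preview"),                  # bytes the proxy may send before waiting for 204/100
        "allow_204": "204" in csv("allow"),         # server may reply "no modification needed"
        "x_include": csv("x-include"),              # headers the proxy must add so DLP can attribute the request
    }

def fetch_icap_options(host, port=1344, service=""):
    """Same exchange as the telnet session above, over a socket (host/port/service are assumptions)."""
    req = "OPTIONS icap://%s:%d/%s ICAP/1.0\r\nHost: %s\r\nEncapsulated: null-body=0\r\n\r\n" % (
        host, port, service, host)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(req.encode("ascii"))
        buf = b""
        while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
            buf += chunk
    return parse_icap_options(buf.decode("latin-1"))
```

The X-Include list is what the proxy must add to each REQMOD request so that the DLP server can attribute a request to its original client, which is why no correlation between users and ICAP sessions is needed.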

              • 4. Re: Need help in connection sizing for prevent appliance

                OK, agreed, but if I have more than 4096 clients connected to the web proxy,


                -> How do I determine whether Web Washer can handle multiple client requests?

                -> Will it try to put multiple clients' requests in single TCP connections, or will it drop the connections beyond 4096?

                -> If not, then will it close the old connection/session and re-establish a new connection for the next clients in the list?


                Message was edited by: anurag on 8/24/11 4:40:47 PM CDT

                • 5. Re: Need help in connection sizing for prevent appliance

                  It manages the concurrent connections to ICAP itself. If there is no connection, it will create one. If there is an existing connection in use, it will create a new one. If there is an existing connection that is finished but still connected, it will reuse the connection.


                  Just how many users do you actually have? 4000 users does not create 4000 connections. The only traffic that goes to DLP will be POST data that has content. Normal web requests do not usually get sent to DLP.


                  All users would have to POST data with content at the exact same moment to even get close to that 4096 number.


                  If we compare it to a proxy connection from all your browsers to port 9090, 4000 intensive users will generally only generate peak traffic of about 400 requests/second. Of that, only about 40 requests (10%) would be POST data. Even when MWG is the ICAP server for a different brand of proxy, it would typically only use about 100 connections maximum for REQMOD.