You use the Throttle Server(nnn) event
Also, on 7.3.2, there will be support for DSCP marking of specific traffic so you can coarsely prioritize QoS.
Do you have any more information about this new feature you can pass on?
I'm looking at some problems we have accessing a certain site (search.cnipr.com) and would like to know if this feature would help prioritise traffic to the site - I don't think the existing throttling will achieve the desired effect.
Testing indicates that it seems to be the website that is most at issue (significantly slows down in the afternoon when I guess US internet users are accessing it) and cannot handle the traffic but I'd like to see if there's anything I can do with the MWG.
I have noticed that if I use a speedcheck tool to measure download speed, the speed is approx half going through the proxy than if I bypass it. Of course I realise that there are other factors involved here and will be consulting our network service guys to see if there's anything they can do also, e.g. VLAN QoS etc.
If you are asking about the DSCP feature, I can provide a bit of input.
7.3.2 beta adds the feature to set a DSCP flag on traffic. As with any other rule, you can set whatever criteria you want to trigger the rule and then set the DSCP flag via Events.
So, for example, you could create a rule that identifies traffic to Social Networking sites and set a DSCP flag that your routers will understand to mean to de-prioritize that traffic. Or prioritize the traffic if that's what you want.
Another angle -- if you're dealing with a website with slow response, you may want to enable Extended Timeout for that specific destination. For example, I have a rule that uses this criteria:
URL.Destination.IP is in range list Extended Timeout OR
URL.Host is in list Extended Timeout Host
If that rule is activated, Event Enable Proxy Control <Extended Timeout> is applied.
The Extended Timeout config has the checkbox for Change timeout value selected and a subsequent Connection timeout value that exceeds the default (which I think is something like 120 seconds). We had a remote system that was generating reports that took over 2 minutes to complete, so it is now part of the Extended Timeout group.
Thanks for the info re DSCP. After further testing we've discovered that it's an external problem as we bypassed the proxy and created simple packet filters for that host on the firewall but there was no change. We have a proxy in the far east so I configured my browser to use this one (same version as my normal proxy) and performance was vastly improved.
I like the tip on timeouts although I don't think in this instance it would have changed anything.
For the time being I will see if we can configure the users to use a different browser configured to the far east proxy. More long-term I would imagine that I could create a rule set that identifies a request for the site and routes it through the far east proxy without configuring an extra browser.
URL.Host is inlist [wildcardlist for *.cnipr.com]
Event: enable next hop proxy
although I don't seem to be having much success initially... tcpdump shows that tcp is being fwded to the next hop proxy but I'm getting a http 502 bad gateway error / MWG bad response "the proxy did not receive a valid response in time".
need to do some testing!
looks like it's an authentication issue.
If I'm using NTLM authentication against AD, how does the authentication pass to the next hop proxy? My redirect rule is in with the standard global whitelist rule set which is after authentication > site review template > troubleshooting > global whitelist