01-29-2013
#3 is easy on the firewall, as it is just a filtering router, but all hosts require real IP addresses. Some firewall software can do packet inspection for viruses, I hear. That would up the ante for firewall CPU and RAM usage. For 100 users, all are probably OK. You need to consider how many are on the net, how many are doing web with lots of little GETs, especially if they do not use HTTP/1.1 persistent connections. With proxy, that has higher overhead. And how many are doing high bandwidth, heavy data transfer -- web backup or movie download, for instance. Web proxy gives you a lot of monitoring and control options.
Last edited by DGPickett; 01-29-2013 at 10:42 AM..
negotiate_kerberos_auth(8) System Manager's Manual negotiate_kerberos_auth(8)
NAME
negotiate_kerberos_auth - Squid kerberos based authentication helper
Version 3.0.4sq
SYNOPSIS
negotiate_kerberos_auth [-h] [-d] [-i] [-r] [-s Service-Principal-Name]
DESCRIPTION
negotiate_kerberos_auth is an installed binary and allows Squid to authenticate users via the Negotiate protocol and Kerberos.
OPTIONS
-h Display the binary help and command line syntax info using stderr.
-d Write debug messages to stderr.
-i Write informational messages to stderr.
-r Remove realm from username before returning the username to squid.
-s Service-Principal-Name
Provide Service Principal Name.
CONFIGURATION
This helper is intended to be used as an authentication helper in squid.conf.
auth_param negotiate program /path/to/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
NOTE: The following squid startup file modification may be required:
Add the following lines to the squid startup script to point squid to a keytab file which contains the HTTP/fqdn service principal for the
default Kerberos domain. The fqdn must be the proxy name set in IE or Firefox. You cannot use an IP address.
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
If you use a different Kerberos domain than the one the machine itself is in, you can point squid to a separate Kerberos config file by setting
the following environment variable in the startup script.
KRB5_CONFIG=/etc/krb5-squid.conf
export KRB5_CONFIG
Kerberos can keep a replay cache to detect the reuse of Kerberos tickets (usually only possible in a 5 minute window). If squid is under
high load with Negotiate (Kerberos) proxy authentication requests, the replay cache checks can create high CPU load. If the environment does
not require high security, the replay cache check can be disabled for MIT based Kerberos implementations by adding the following to the
startup script. With the check disabled, a reused ticket is no longer detected.
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
If negotiate_kerberos_auth does not determine the right service principal for some reason, you can provide it with -s HTTP/fqdn.
If you serve multiple Kerberos realms, add a HTTP/fqdn@REALM service principal per realm to the HTTP.keytab file and use the -s
GSS_C_NO_NAME option with negotiate_kerberos_auth.
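A lint for the settings described in this section, as an added example that is not part of the man page or the Squid project. The helper names check_spn, env_value and audit_krb_env are hypothetical, and the startup fragment and proxy.example.com are constructed samples.

```shell
#!/bin/sh
# Added example: lint the Kerberos settings this man page describes.

# check_spn ARG: validate a value for the helper's -s option; returns 0 if usable.
check_spn() {
    case $1 in
        GSS_C_NO_NAME) echo "ok: GSS_C_NO_NAME (multi-realm keytab)"; return 0 ;;
        HTTP/*) host=${1#HTTP/}; host=${host%%@*} ;;  # drop an @REALM suffix
        *) echo "bad: principal must start with HTTP/"; return 1 ;;
    esac
    # An IP address cannot be used; the proxy FQDN is required.
    if printf '%s\n' "$host" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        echo "bad: $host is an IP address, use the proxy FQDN"; return 1
    fi
    case $host in
        *.*) echo "ok: $host"; return 0 ;;
        *) echo "bad: '$host' is not fully qualified"; return 1 ;;
    esac
}

# env_value VAR FILE: last value assigned to VAR in a startup-script fragment,
# accepting both "VAR=value" and "export VAR=value".
env_value() {
    sed -n "s/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}$1=\([^[:space:];]*\).*/\2/p" "$2" |
        tail -n 1
}

# audit_krb_env FILE: print one finding per Kerberos variable.
audit_krb_env() {
    keytab=$(env_value KRB5_KTNAME "$1")
    rcache=$(env_value KRB5RCACHETYPE "$1")
    if [ -n "$keytab" ]; then echo "keytab: $keytab"
    else echo "keytab: KRB5_KTNAME not set"; fi
    if [ "$rcache" = none ]; then echo "rcache: DISABLED, ticket replay is not detected"
    else echo "rcache: enabled"; fi
}

# Constructed sample startup fragment (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
EOF
audit_krb_env "$sample"
check_spn HTTP/proxy.example.com
check_spn HTTP/192.0.2.10 || true
rm -f "$sample"
```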
AUTHOR
This program was written by Markus Moeller <markus_moeller@compuserve.com>
This manual was written by Markus Moeller <markus_moeller@compuserve.com>
COPYRIGHT
This program and documentation is copyright to the authors named above.
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
QUESTIONS
Questions on the usage of this program can be sent to the Squid Users mailing list <squid-users@squid-cache.org>
REPORTING BUGS
Bug reports need to be made in English. See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with
your bug report.
Report bugs or bug fixes using http://bugs.squid-cache.org/
Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>
Report ideas for new improvements to the Squid Developers mailing list <squid-dev@squid-cache.org>
SEE ALSO
squid(8), ext_kerberos_ldap_group_acl(8)
RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows,
RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos