On Wed, 10 Mar 2004, Ted Kaczmarek wrote:
> Transparent is foolproof (assuming you do your homework)
Fact: Only about 1% of the people deploying transparent proxying do the
homework on what this actually involves at the protocol level, and at least
95% do so in an environment where it cannot be done correctly.
> but implicit is definitely more robust. In a failover situation
> transparent really starts to shine. It is very simple to originate a
> default route through an L4 redirect; with implicit the only good option
> is DNS timeout.
It is not complex to add a load balancer in front of a farm of proxies. In
addition, PAC scripts provide very easy paths.
> If you are really a crackpot you can redirect both for failover. Service
> and health checks are a sweet thing.
These are orthogonal to the transparent vs configured proxy question.
> I opted for transparent because the administration is foolproof and
> auth is not required.
> Just works.......
Transparent mode does not "just work".
Transparent mode does most often work for the majority, but there is a big
can of worms which will bite sooner or later.
Some of the most noticeable include:
- Path MTU discovery issues, seen if any client has a Path MTU smaller
than the normal, such as a dialup tuned for interactive use or a VPN
client.
- Authentication not possible as you already mentioned
- Browsers not expecting a proxy and therefore not sending the same
information as when using a proxy (Reload button not working etc.)
But when it works it "feels great".
Regards
Henrik
Received on Thu Mar 11 2004 - 01:28:19 MST
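
The PAC-based failover mentioned in the reply above, as an added example that is not part of the original message: a PAC file that gives each browser an ordered list of configured proxies, so a dead proxy is skipped without relying on DNS timeouts. The proxy hostnames, the `example.internal` domain and the helper names are hypothetical; port 3128 is Squid's default.

```javascript
// Added example: PAC file with per-host load distribution and failover.
// Hostnames below are hypothetical placeholders.
var PROXIES = [
  "proxy1.example.internal:3128",
  "proxy2.example.internal:3128",
  "proxy3.example.internal:3128"
];

// Deterministic string hash: a given destination host always maps to the
// same primary proxy, which keeps each cache's working set stable.
function hostHash(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0; // keep within unsigned 32 bits
  }
  return h;
}

// Destinations that should never go through the proxy farm.
function isLocalHost(host) {
  return host.indexOf(".") === -1 ||          // unqualified intranet names
         host === "127.0.0.1" ||
         /\.example\.internal$/.test(host);   // the (assumed) local domain
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocalHost(host)) return "DIRECT";

  // Rotate the proxy list so the hashed proxy is tried first and the
  // remaining ones act as fallbacks, in order, if it does not answer.
  var start = hostHash(host) % PROXIES.length;
  var order = [];
  for (var i = 0; i < PROXIES.length; i++) {
    order.push("PROXY " + PROXIES[(start + i) % PROXIES.length]);
  }
  // No trailing "DIRECT": if every proxy is down the request fails rather
  // than silently bypassing proxy authentication and filtering.
  return order.join("; ");
}
```

Because the browser knows it is talking to a proxy, proxy authentication and the proxy-aware reload behaviour listed above keep working with this setup.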