Thanks for the insight.
Ted
On Thu, 2004-03-11 at 09:28 +0100, Henrik Nordstrom wrote:
> On Wed, 10 Mar 2004, Ted Kaczmarek wrote:
>
> > Transparent is fool proof(assuming you do your homework)
>
> Fact: Only about 1% of the people deploying transparent proxying do the
> homework on what this actually involve at the protocol level, and at least
> 95% does so in an environment where it can not be done correctly.
>
> > but implicit is definitely more robust. In Fail over situation
> > transparent really starts to shine. It is very simple to originate a
> > default route through a L4 redirect, with implicit the only good option
> > is dns timeout.
>
> It is not complex to add a load balancer infront of a farm of proxies. In
> addition PAC scripts provide very easy paths.
>
> > If you really a crackpot you can redirect both for fail over. Service
> > and health checks are a sweet thing.
>
> These are ortogonal to the transparent vs configured proxy question.
>
> > I opted for transparent because the administration is fool proof and
> > auth is not required.
> > Just works.......
>
> Transparent mode does not "just works".
>
> Transparent mode does most often work for the majority, but there is a big
> can of worms which will bite sooner or later.
>
> Some of the most noticeable include:
>
> - Path MTU discovery issues, seen if any client as a Path MTU smaller
> than the normal, such as a dialup tuned for interactive use or a VPN
> client.
> - Authentication not possible as you already mentioned
> - Browsers not expecting a proxy and therefore not sending the same
> information as when using a proxy (Reload button not working etc..)
>
> But when it works it "feels great".
>
> Regards
> Henrik
Received on Thu Mar 11 2004 - 07:40:03 MST
This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:02 MST