tonymontana
join:2001-11-01
Caldwell, NJ
| Sufficient Server?
i started a new job that isn't a active directory domain so i've had to do alot of backward thinking to issues that occur in a large(40 pc) windows workgroup. our main POS(point of sale) software seems to suffer from serious slowdowns despite the fact the win2k3 sql 2005 server has 3ghz xeon and 16gb of ram. alot of the time the xp pro sp2 clients are idle and not actively querying or committing to the DB. i'm in the process on tweaking all the clients to rid them of spyware,uneeded startup apps/services, and a tcpip.sys connection hack
anyway so i quickly setup samba,bind,ssh with ubuntu server. the server is an old dell collecting dust the specs are something like
p3 833
320mb ram(plan to up it to the 512 max)
40gb 7200rpm drive
10/100 intergrated lan on 100 switch
the server will only be functioning as wins master browser and dns cache. are those specs sufficient to handle 45pc's?
i setup about 20 clients to use it today as their wins and dns but today with the weather/weekend i couldn't get a good idea of usage. free/used mem was split about 160/160 with no swap being used
nbt broadcasts are way down on the clients and i didn't have any issues resolving websites
question 2 is whether this will work over our PVC. that would add another 40pc's. as it stands our remote sites RDP into another win2k3 terminal server to use the POS software and connect to the db locally. connecting to the terminal server and access to network drives(not realy needed the remotes) is done by ip. all web browsing both home office and remotes was done through the isp's dns |
|
shdesigns
Powered By Infinite Improbabilty Drive
Premium
join:2000-12-01
Stone Mountain, GA
 ·Atlantic Nexus
| A PIII is fine for WINS and DNS server. I have a dual-PIII/512meg as a file/mail/wins/web/irc/eggdrop/dnscache server and it uses no swap and is hardly worked. It serves files via a gigabit card at over 50Mbytes/sec.
If by PVC you mean VPN, then if you add the server IP as a WINS server in the clients, then they will all be able to access PC's by name. |
|
tonymontana
join:2001-11-01
Caldwell, NJ
| thanks i figured as much since keeping a wins db and dns resolver cache don't seem like resource hogs. i plan on upping the ram once i can dig up another 256 stick
by PVC i mean private virtual circuit fractional t1 frame relay links. we have 7 remote stores with much smaller workgroups from 2-8 PC's. i believe this is doable too and the traffic generated by registering with the WINS server, and dns queries should be neglible right? It's critical that this doesn't impact of the connection betweent the stores and the terminal server. Right now there is no netbios resolution since the LAN segments are contained within PVC links so all connections to the terminal server, and file server are done by their private ip's. DNS queries all goto the same isp dns server.
now question 3. SQUID cache
with the ram upped to 512 and lets say all 80-90 pc's connected what kind of performance can i expect. the harddrive is 40gb ata100 7200rpm 8mb and i should have lots of room for the cache since only base,ssh,bind,samba, and squid are installed. As it stands users have no restrictions on internet usage and from what i've seen users are actually too busy and more mature than to spend any time downloading/streaming. there is one critical java app that accesses a 3rd party website, but i believe that is just for login authentication and local download of db. what type of impact if any would this have on our PVC? i've never setup squid before how well does it handle https sessions |
|
leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
clubs: 
| said by tonymontana  :what type of impact if any would this have on our PVC? You don't describe the topology change well enough to answer that question properly.
Possibility 1.: the 7 remote locations currently make direct Internet access through their ISP connection and only traffic targeted for the main office traverses the PVC. By changing the Internet access from the remote sites to go through the main office traffic through the PVCs will increase. Whether or not squid is used at the main office is completely irrelevant in this case since even cached content will go repeatedly through the PVCs. The only way to reduce some of the traffic increase would be squid caches at all the remote locations. The effectiveness of that would depend on the type of Internet accesses made. Some Internet content is really not cacheable, much more Internet content is marked not cacheable to cause browsers to always download the latest ads!
Possibility 2: the only Internet access for the remote sites is already only by going through the main office network. In this case there will be no increase in traffic on the PVCs and by caching static content on the squid server you will reduce some Internet bandwidth for the main office Internet connection.
said by tonymontana : i've never setup squid before how well does it handle https sessions It handles them really well, but there are a few things you should be aware off:
- secure content from https sessions is not cached. The main reason to use the proxy is therefore not valid with https sessions. It is still commonly done because squid also provides logging and access controls which are still meaningful even without caching. However if you don't need logging or access controls, why bother squid with the https traffic ?
- there are two ways a browser can use a proxy server for a SSL (https) connection. The common way is to use the CONNECT request which establishes a transparent pipe between browser and destination server. In this case squid only passes the bytes back and forth and does not attempt any interpretation of their content (which would be rather difficult since they are encrypted). Encryption/decryption takes place in the browser and the web server and does not involve the proxy server. However it is also possible for squid to terminate SSL connections. This is less common and as far as I know works by the browser making normal GET/POST requests with a https url. In that scenario the traffic between browser and proxy server is unprotected (usually not an issue since it is on the local lan especially if it is switched ethernet). More importantly the task of encryption and decryption moves from the browser to the proxy server. If several users make SSL connections in that way it would result in significant cpu load on the proxy server. I'm not aware off any modern browser that does not support the CONNECT method, but perhaps some may fall back to the second method if CONNECT does not work (perhaps because you decided to block certain sites? In that case be sure to block all request methods and not just CONNECT).
P.S.: Be prepared to be amazed how quickly your squid cache grows!
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire! |
|
