multiple branches, multiple proxies?

lockmac

Hi there.
Currently, we have 5 branches across Australia. We have our datacenter which receives our internet connection and pushes it through a proxy, in which all branches connect to through our WAN.

We are thinking of getting a dedicated internet connection at each branch.

How would we go about this in terms of proxy? Would we have to have a separate proxy for each branch? Is there a way where each proxy server can get its list of allow/deny (most likely use squid or similar) from a central place, or have them keep up to date so we don't have to change each proxy?

Cheers
 

Crusty

I'm not too familiar with squid, but assuming it stores the acls in flat files it is trivial to use a cron job to rsync the files from a central server and reload the lists into squid.
 

jlazzaro

what is your current WAN solution...FR, MPLS, etc? what is your current proxy solution? you would need a separate proxy at each site if you wish to filter ALL internet traffic. I've only used BlueCoat proxies, but I don't think squid has replication built in. I'm sure you could script something to sync the proxy ACLs...

the real question is do you really want to support this type of decentralized infrastructure? multiple proxies, firewalls, rule sets, and entry points into your network. what exactly are you trying to solve? redundancy, throughput, functionality, etc?

this of course depends on a lot of factors, but I would stand up your second largest site as a redundant / load balanced Internet exit point. you would only have 2 proxies/firewalls to manage, added availability, and lightened load on the DC. again, this is assuming A LOT.
 

lockmac

The reason we want to do this is really for a few reasons:
- added redundancy for when our WAN goes out: we could just create a VPN tunnel over the internet
- speed: our WAN is only capable of 512kb/s, so we have 3 of them. We want an internet connection so we can free up one of our WAN links

I think the idea of just having a proxy at each site would be the best, and just set up cron jobs to replicate the squid.allowlist and squid.denylist to each site, perhaps hourly.
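
The hourly pull discussed in this thread, as an added example that is not part of any poster's message: each branch proxy fetches the two list files over SSH, refuses empty or malformed lists, swaps in only changed files, and reloads Squid. The host name, account, paths and the one-domain-per-line list format are assumptions.

```shell
#!/bin/sh
# Added example: pull Squid allow/deny lists from a central host via cron.
# Assumed names (not from the thread): master host, aclsync account, paths.
# Assumed crontab entry: 0 * * * * /usr/local/sbin/squid-acl-sync.sh --run
ACL_SRC="${ACL_SRC:-aclsync@acl-master.example.internal:/srv/squid-acl/}"
ACL_DIR="${ACL_DIR:-/etc/squid/acl}"
ACL_FILES="squid.allowlist squid.denylist"

# Copy the central lists into a staging directory (rsync over SSH).
fetch_acls() {
    rsync -a --timeout=30 -e ssh "$ACL_SRC" "$1/"
}

# Reject a staged set if a file is missing/empty (truncated transfer) or
# holds anything other than comments, blank lines or domain entries.
validate_acls() {
    for f in $ACL_FILES; do
        [ -s "$1/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        if grep -Evq '^(#.*|[[:space:]]*|\.?[A-Za-z0-9.-]+)$' "$1/$f"; then
            echo "unexpected entry in $f" >&2
            return 1
        fi
    done
}

# Replace only files that differ, via rename so Squid never reads a
# half-written list. Returns 0 if changed, 1 if unchanged, 2 on error.
install_acls() {
    changed=1
    for f in $ACL_FILES; do
        cmp -s "$1/$f" "$ACL_DIR/$f" 2>/dev/null && continue
        cp "$1/$f" "$ACL_DIR/$f.new" && mv "$ACL_DIR/$f.new" "$ACL_DIR/$f" || return 2
        changed=0
    done
    return $changed
}

sync_acls() {
    stage=$(mktemp -d) || return 1
    if fetch_acls "$stage" && validate_acls "$stage" && install_acls "$stage"; then
        # Lists changed: let Squid check its config, then reload it.
        squid -k parse >/dev/null 2>&1 && squid -k reconfigure
    fi
    rm -rf "$stage"
}

if [ "${1:-}" = "--run" ]; then sync_acls; fi
```

Anything written to stderr is mailed by cron, so a branch that rejects a list is visible centrally; the SSH key used for the pull only needs read access to the list directory on the master.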