Why using Internet Explorer 7 and specifying the FQDN in proxy settings improves internet performance for schools with local Websense Servers
From our experience in the field, when configuring proxy settings many schools have used the IP address of the filtering server (not good practice, since the IP may need to change) or have specified the NetBIOS name (e.g. inet1-1234). We have also seen that many schools are still using Internet Explorer 6 or Firefox.
Internet Explorer 6 has a known limitation: it cannot use Kerberos authentication with a proxy server. Firefox has the same limitation unless it is specifically configured to use Kerberos.
http://support.microsoft.com/kb/321728/
When Kerberos authentication is not available, NTLM will be the preferred authentication.
There are several disadvantages to this. NTLM creates a secure channel to a single Domain Controller, so the load is not distributed across multiple DCs.
There is also a built-in limitation of 5 concurrent authentication requests when using NTLM, so in a busy environment such as a school, requests will be queued, which may cause lag and affect internet performance.
Illustration: Internet Explorer 6 or Firefox using NTLM authentication and proxy
When using Internet Explorer 7 with the fully qualified domain name of the filtering server specified in proxy settings, Kerberos authentication is utilised. There are several advantages to this:
• Removes the intensive workload that the ISA Server places on a single Domain Controller;
• The client is responsible for obtaining the authorisation (Kerberos Ticket-Granting Service request) from a Domain Controller when the ISA Server requests authentication to access a web site;
• Authentication requests are distributed among all the Domain Controllers (KDCs) available in the domain.
Illustration: Internet Explorer 7 using Kerberos authentication and proxy
In summary, using Internet Explorer 7 and the FQDN of the proxy server in proxy settings means that the clients are responsible for authenticating themselves against any of a number of DCs. Once authenticated, the ticket is kept and sent with each request, as opposed to NTLM, whereby the ISA Server is responsible for authenticating users for every request sent, against a single Domain Controller.
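As an added example (not part of the original post), the following PowerShell script audits a workstation's Internet Explorer proxy setting and reports whether the proxy host is given as an IP address, a NetBIOS name or an FQDN. It assumes the per-user proxy setting is stored in the standard Internet Settings registry key, and the host-name classification is a simple pattern check of our own.

```powershell
# Added audit script (not from the original post): read the IE proxy setting
# for the current user and flag proxy hosts that are not an FQDN, since only
# an FQDN allows Internet Explorer 7 to negotiate Kerberos with the proxy.
# Assumption: the setting lives in the standard per-user Internet Settings key.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

function Get-ProxyHostKind {
    param([string]$HostName)
    # Dotted-quad IPv4 address, e.g. 10.0.0.5
    if ($HostName -match '^\d{1,3}(\.\d{1,3}){3}$') { return 'IP address' }
    # At least one dot between labels, e.g. inet1-1234.school.example
    if ($HostName -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') { return 'FQDN' }
    # Anything else is a flat name such as inet1-1234 (NetBIOS)
    return 'NetBIOS name'
}

if ($settings.ProxyEnable -ne 1 -or -not $settings.ProxyServer) {
    Write-Output 'No proxy is enabled for this user.'
    return
}

# ProxyServer is either "host:port" or "http=host:port;https=host:port;..."
foreach ($entry in ($settings.ProxyServer -split ';')) {
    $pair = $entry -split '=', 2
    if ($pair.Count -eq 2) { $scheme = $pair[0]; $target = $pair[1] }
    else                   { $scheme = 'all';     $target = $pair[0] }
    $proxyHost = ($target -split ':')[0]
    $kind = Get-ProxyHostKind $proxyHost
    $verdict = if ($kind -eq 'FQDN') { 'OK: Kerberos possible (IE7)' }
               else { 'CHANGE TO FQDN: will fall back to NTLM' }
    Write-Output ("{0,-6} {1,-32} {2,-13} {3}" -f $scheme, $proxyHost, $kind, $verdict)
}
```

The report only covers the proxy host form; the browser must also be Internet Explorer 7 (or Firefox configured for Kerberos) for Kerberos to be used, as described above.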
Regards
Marc Turner
Kent Community Network