On Wed, 10 Mar 2004, Ted Kaczmarek wrote:

> Transparent is fool proof (assuming you do your homework)

Fact: Only about 1% of the people deploying transparent proxying do the homework on what this actually involves at the protocol level, and at least 95% do so in an environment where it cannot be done correctly.

> but implicit is definitely more robust. In Fail over situation
> transparent really starts to shine. It is very simple to originate a
> default route through a L4 redirect, with implicit the only good option
> is dns timeout.

It is not complex to add a load balancer in front of a farm of proxies. In addition PAC scripts provide very easy paths.

> If you are really a crackpot you can redirect both for fail over. Service
> and health checks are a sweet thing.

These are orthogonal to the transparent vs configured proxy question.

> I opted for transparent because the administration is fool proof and
> auth is not required.
> Just works.......

Transparent mode does not "just work". Transparent mode does most often work for the majority, but there is a big can of worms which will bite sooner or later. Some of the most noticeable include:

- Path MTU discovery issues, seen if any client has a Path MTU smaller than normal, such as a dialup tuned for interactive use or a VPN client.
- Authentication not possible, as you already mentioned.
- Browsers not expecting a proxy and therefore not sending the same information as when using a proxy (Reload button not working etc.)

But when it works it "feels great".

Regards
Henrik
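
The PAC-based failover mentioned in the reply above, sketched as an added example that is not part of the original thread. The proxy host names, port and the example.net domain are hypothetical placeholders.

```javascript
// Added example: a PAC file that gives configured-proxy clients failover
// across a proxy farm. All names below are hypothetical placeholders.
var PROXIES = [
  "proxy1.example.net:3128",
  "proxy2.example.net:3128",
  "proxy3.example.net:3128"
];
var LOCAL_DOMAIN = ".example.net"; // assumed internal domain, fetched directly

// Stable 32-bit string hash: the same host always prefers the same proxy,
// which keeps each cache warm for "its" share of sites.
function hostHash(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Plain host names and the internal domain bypass the proxy.
function isLocal(host) {
  if (host.indexOf(".") === -1) return true;
  var tail = host.slice(-LOCAL_DOMAIN.length);
  return tail === LOCAL_DOMAIN;
}

// Entry point the browser calls for every request. The browser tries the
// returned proxies left to right and moves on when one does not answer.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocal(host)) return "DIRECT";
  var start = hostHash(host) % PROXIES.length;
  var order = [];
  for (var i = 0; i < PROXIES.length; i++) {
    order.push("PROXY " + PROXIES[(start + i) % PROXIES.length]);
  }
  // No trailing "DIRECT": if every proxy is down, clients fail closed
  // instead of silently bypassing filtering and authentication.
  return order.join("; ");
}
```

Because the browser knows it is talking to a proxy, this setup keeps proxy authentication available, which interception cannot offer.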