Sk, We have the same problem here.
The problem with clients typing a proxy server in manually is that if that proxy goes offline, all browsing stops. It's much better to use the WPAD standard (draft-ietf-wrec-wpad-01.txt) to push a proxy.pac script (http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html) to clients, so you can specify a list of proxies to try, and even allow them to go direct if none are working. Most of our clients have autoconfigure set, and I force any remaining traffic to WCCP. It is quite easy to build a Squid server which handles direct and WCCP simultaneously: proxy-aware traffic goes to port 3128 and the rest is picked up and redirected by the WCCP router as destined for port 80 on non-internal IPs.

So the other half of my solution is as follows:

We use Group Policy to try to force all IE clients to have "Automatically detect settings" ticked. This makes IE look for http://wpad.<defaultdomain>/wpad.dat.

In DNS I have:

    wpad IN CNAME <intranetserver>

In the root of our Intranet server, I have a wpad.dat file (which on our network is actually an ASP file that examines the client IP before returning the autoproxy script to IE. I took this more complicated approach because on some Win2K boxes the MyIPAddress() javascript function is broken, and I want to split our traffic across multiple squids and multiple Internet feeds based on subnet. To make it execute, I configure the IIS server to map GETs for *.dat files to asp.dll.)

Be aware that IE sometimes issues the GET for wpad and sometimes for the IP - I use host headers for each. Also check out the various issues to do with proxy caching in the Microsoft world.
Your wpad.dat will deliver something like the following; the first three lines of the function just stop internal servers being accessed through squid:

    function FindProxyForURL(url, host) {
        if (isPlainHostName(host) ||
            dnsDomainIs(host, ".ourinternaldomain.co.uk") ||
            dnsDomainIs(host, ".anotherinternaldomain.co.uk"))
            return "DIRECT";
        else
            return "PROXY webproxy1:3128; PROXY webproxy2:3128; DIRECT";
    }

Hope that helps

Phil

-----Original Message-----
From: sk [mailto:[EMAIL PROTECTED]
Sent: 13 December 2004 11:31
To: Damian-Grint Philip
Subject: Re: [squid-users] wccp and MTU

Thanks a lot for this idea! Here the situation has been complicated. Some clients are asked to put the proxy in their IE. Some are not asked. And more. Some are bypassed from WCCP. Really confused what to do. Pls help.

SK

----- Original Message -----
From: "Damian-Grint Philip" <[EMAIL PROTECTED]>
To: "Squid Users" <[EMAIL PROTECTED]>
Sent: Monday, December 13, 2004 5:45 PM
Subject: RE: [squid-users] wccp and MTU

If you can't get around the MTU/DF problem, you can always force the DF bit off in a particular direction using route maps (we have ieclient->privaterouter->greovermpls->privaterouter->squidwccp->thirdpartyrouter->mpls->ourfirewall->internet):

    access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
    ! don't touch internal traffic
    access-list 100 permit ip 10.0.0.0 0.255.255.255 any
    ! mark internet-bound traffic only for WCCP
    access-list 100 deny ip any any
    access-list 102 deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
    ! don't touch internal traffic
    access-list 102 permit tcp any 10.0.0.0 0.255.255.255
    ! but do match traffic returning from the internet
    access-list 102 deny tcp any any
    ip wccp version 1
    ip wccp web-cache redirect-list 100
    route-map clear-df permit 10
     match ip address 102
     set ip df 0
    interface Ethernet0/0
     ip address 10.64.0.254 255.255.0.0
     no ip redirects
     ip wccp web-cache redirect out
     ip route-cache same-interface
     ip policy route-map clear-df
     ipx network 64 encapsulation SAP

Where our squid boxes are on the E0/0 network and so is the next hop to the internet - here, the DF is switched off on returning traffic before it is pushed into GRE tunnels back to clients.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 10 December 2004 13:38
To: sk
Cc: Squid Users
Subject: Re: [squid-users] wccp and MTU

You can try the patch in Bug #1154

Regards
Henrik

On Fri, 10 Dec 2004, sk wrote:

> Thanks for the reply.
>
> Could you throw some more light on how to set the path mtu.
>
> TIA
> Sk
>
> ----- Original Message -----
> From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
> To: "sk" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, December 10, 2004 8:04 PM
> Subject: Re: [squid-users] wccp and MTU
>
>
>> On Fri, 10 Dec 2004, sk wrote:
>>
>>> Could somebody tell how to set mtu for wccp redirection
>>>
>>> a lot of clients using pppoe have problem with wccp redirection. They can
>>> work if they point their browsers directly to the squid.
>>
>> I guess these PPPoE users are using a smaller MTU than the default? Such a
>> situation is a common source of problems with most WCCP routers, as they do
>> not track connections and fail to send the ICMP "must fragment" messages
>> to the Squid server.
>>
>> The MTU is set by the MTU of the interface or route on the Squid server.
>>
>> Another viable option is to disable Path-MTU discovery towards the
>> clients.
>>
>> Regards
>> Henrik
>>
>

________________________________________________________________________
This e-mail has been scanned for all viruses by Star.
The service is powered by MessageLabs. For more information on a proactive anti-virus service working around the clock, around the globe, visit: http://www.star.net.uk
________________________________________________________________________
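Added example, not code from Phil, Henrik or SK and not the ASP file Phil describes: a subnet-aware version of the wpad.dat logic from Phil's message, written in JavaScript so the PAC decisions can be exercised in Node. The proxy names webproxy1/webproxy2 and the two internal domains come from Phil's script; the client subnets 10.64.0.0/16 and 10.65.0.0/16, the sample client addresses, and the factory that binds the script to a client address are assumptions standing in for Phil's server-side check (his ASP examines the connecting IP because myIpAddress() is unreliable on some Win2K boxes). The helper functions isPlainHostName, dnsDomainIs and isInNet are re-implemented here because a browser normally supplies them.

```javascript
// Added example (not the thread's own code): a subnet-aware wpad.dat in the
// spirit of Phil's PAC script, with Node stand-ins for the helper functions a
// browser normally provides, so the proxy decisions can be tested offline.
// Assumed/constructed: the subnets 10.64.0.0/16 and 10.65.0.0/16, the sample
// client addresses, and the factory pattern standing in for Phil's ASP, which
// picks the proxy order from the connecting client's IP before serving the file.

// --- Stand-ins for the standard PAC helper functions -------------------------
function isPlainHostName(host) {
  // "intranet" is plain; "intranet.example.co.uk" is not
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // suffix match, case-insensitive, as browsers implement it
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h.length >= d.length && h.endsWith(d);
}

function ipToInt(ip) {
  // dotted quad -> unsigned 32-bit integer
  return ip.split(".").reduce((acc, octet) => (acc << 8) | Number(octet), 0) >>> 0;
}

function isInNet(ip, pattern, mask) {
  // true when ip and pattern agree on every bit set in mask
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

const DOTTED_QUAD = /^\d{1,3}(\.\d{1,3}){3}$/;

// Names that must never be fetched through Squid (from Phil's script).
const INTERNAL_DOMAINS = [".ourinternaldomain.co.uk", ".anotherinternaldomain.co.uk"];

// Proxy lists per client subnet (constructed). Each ends with the other Squid
// as failover and then DIRECT, which keeps browsing alive if both are down.
const SUBNET_PROXIES = [
  { net: "10.64.0.0", mask: "255.255.0.0", proxies: "PROXY webproxy1:3128; PROXY webproxy2:3128; DIRECT" },
  { net: "10.65.0.0", mask: "255.255.0.0", proxies: "PROXY webproxy2:3128; PROXY webproxy1:3128; DIRECT" },
];
const DEFAULT_PROXIES = "PROXY webproxy1:3128; PROXY webproxy2:3128; DIRECT";

// The server-side part: instead of trusting myIpAddress() in the browser, the
// server selects the proxy order from the address the request came from and
// hands back a FindProxyForURL bound to that choice.
function makeFindProxyForURL(clientIp) {
  const entry = SUBNET_PROXIES.find((s) => isInNet(clientIp, s.net, s.mask));
  const externalProxies = entry ? entry.proxies : DEFAULT_PROXIES;

  return function FindProxyForURL(url, host) {
    // 1. Internal names stay off the proxy (the first lines of Phil's PAC).
    if (isPlainHostName(host)) return "DIRECT";
    if (INTERNAL_DOMAINS.some((d) => dnsDomainIs(host, d))) return "DIRECT";
    // 2. Internal addresses typed as IP literals are kept off it too.
    if (DOTTED_QUAD.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
    // 3. Everything else goes to the Squids chosen for this client's subnet.
    return externalProxies;
  };
}

// Stand-alone demo with constructed client addresses.
if (typeof require !== "undefined" && require.main === module) {
  for (const ip of ["10.64.3.7", "10.65.1.2", "192.168.9.9"]) {
    const fp = makeFindProxyForURL(ip);
    console.log(ip, "intranet ->", fp("http://intranet/", "intranet"));
    console.log(ip, "www.example.com ->", fp("http://www.example.com/", "www.example.com"));
  }
}
```

In the served file the factory call would carry the real client address and the browser would only ever see the resulting FindProxyForURL(url, host). The internal-name checks run first so intranet hosts never traverse Squid, matching the first lines of Phil's script; the trailing DIRECT in each list is what makes a proxy outage survivable, at the price that egress then bypasses the proxy entirely, so whether to keep it is a deliberate availability-versus-enforcement decision for the network in question.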
