This article applies to:
- What traffic can safely bypass WebMarshal?
- How can I reduce the scanning load on WebMarshal?
- How can I reduce the connection load on the WebMarshal Proxy?
The following are suggested best practices to minimize load on WebMarshal. Before implementing any changes, you should consider whether these practices meet your needs and requirements.
Manage what file types are scanned by particular rules
Some files can be safely excluded from some rules because they will be very unlikely to trigger those rules.
- For example, consider excluding CSS files from the 'Adult and Nudity' and 'Offensive Content' Content Analysis rules. These rules use large TextCensor scripts, and can be resource intensive to run, but CSS files will not contain this content in a way visible to the user.
Do not scan or cache internal/intranet traffic
Intranet sites will typically be entered in the proxy exclusion list of browsers.
- Scanning is designed to check or limit browsing to public sites that you do not control. Content and security of data on internal sites should be controlled at the source. For instance, all intranet servers should have resident malware scanning enabled and files from these servers can be trusted.
- Although it is possible to use the WebMarshal proxy cache to reduce load on intranet web servers, Trustwave recommends against using WebMarshal for this purpose. Cached content is unpacked and scanned each time it is requested, and performing this action for intranet content can significantly increase the processing load on WebMarshal.
- To configure internal site exclusions, use WPAD.DAT or PROXY.PAC files, or other automated configuration settings, to deliver settings to client computers. See article Q14513.
- NOTE: Simply selecting "Bypass proxy server for local addresses" may not work in all cases. You may need to enter server FQDNs and IP addresses explilcitly in the browser bypass list or WPAD.DAT. See Microsoft KB article 262981.
Manage Windows Updates
If Windows Update traffic is consuming significant resource, you can choose to allow this traffic to bypass the WebMarshal proxy. Windows Updates are generally considered to be safe, particularly when accessed by the automated processes.
Sites that have a large number of workstations should strongly consider using WSUS to manage updates.
- You can bypass the WebMarshal Proxy for Windows Update sites. See article Q10726 for a recent list of required sites, and see the section "Automatic Updates" for further details.
- For details about WSUS and WebMarshal, see article Q11582.
Manage other updates
- If you use other applications that offer an enterprise update function, you should use this function. For instance, many virus scanning products provide this ability.
- You may wish to add other trusted update sites to the WebMarshal Proxy Bypass list. For instance Flash and Java updates could be allowed to bypass WebMarshal scanning.
Manage unwanted devices and applications
- Devices or applications that connect to WebMarshal will consume proxy resource even if they cannot present login credentials or authenticate. Repeated connections from these unwanted sources can cause significant reduction in WebMarshal performance.
- Examples of sources that have caused issues for some customers are iTunes, applications running on handheld devices, and Windows Update.
- To investigate this possibility, see WebMarshal Proxy and Controller logs.
- In the Controller log you can check for repeated entries like:
PolicyCache_MatchUser: None lookup failed
- Also check in Active Sessions for applications that are connecting correctly but are always being denied access.
- To correct this situation, configure the offending devices or applications in a valid way, or remove them.
Note on Proxy Bypass
- When a site is entered in the Proxy Bypass list, requests to the site are not processed by the WebMarshal Engine. This can provide significant benefit for memory and processing usage.
- However, these requests still consume connections to the server. If you encounter "Server too busy" errors, you should review the information in Q14152.
It may be technically possible to allow trusted applications to access selected sites directly, by configuring "pinhole" rules at the firewall. Doing so would completely eliminate the connection to the WebMarshal proxy for these applications, and could further enhance performance. However it would also introduce risk and administrative overhead. You should carefully evaluate the need and risk.
Minimizing load can be particularly useful in a virtualized environment. To learn more about WebMarshal requirements for virtualization, see Trustwave Knowledge Base article 14312.