Forward Proxy Sizing Guide

These guidelines show the relative power of SG appliances.Appropriate configurations can vary significantly from these guidelines and will depend on technical requirements. Forward Proxy Assumes 70% peak CPU load with complex policies, 15% SSL, ICAP, content filtering, access logging and limited streaming content. SGOS Proxy Edition is required for forward proxy deployments. Special rules apply for ‘mixed use’ configurations, which run both forward proxy and WAN optimization in a single appliance. For suggestions on how to handle this situation, please refer to the Sizing Guide for WAN Optimization Deployments. Max Internet Bandwidth Maximum client-side throughput for ProxySG. If you do not have a proxy deployed, use your available internet connectivity as a guide. If a proxy is in place, this number represents the client (internal) bandwidth number. Server (Internet) utilization will typically be lower. Employee Count The total number of employees that use the system. Employees might have multiple desktops. This number assumes that 100% of desktops have web connections open at any moment, though up to 80% are used for background tasks. Adjust this number if per user Internet use is known to differ. For limits on the number of desktops that can use the appliance concurrently, refer to Licensed Client IPs.. Recommended Max ProxyClients Managed Maximum number of ProxyClient instances connecting to and serviced by a Client Manager, regardless of the features enabled on the ProxyClient (filtering, acceleration or both), at 50% CPU utilization. Updates can be posted to all clients in a two-hour window. Licensing ProxySGs are licensed based on concurrent client IP addresses only. Other parameters such as Max Internet Bandwidth and Employee Count are suggested values based on the physical capacity of the system. Licensed Client IPs Licensed users are measured by the number of unique client IP addresses with open inbound TCP connections to the ProxySG. The measurement is instantaneous and concurrent. It is not based on the average over any time interval. The administrator can configure the ProxySG to either bypass connections from new users when the license limit is exceeded, to delay them until another client drops all of its connections or to attempt to accept them. The default is to accept them. Hardware Spec Hardware-based SSL acceleration is included on all models, except S500, which includes AESNI support in the CPU. A separate license is not required to activate SSL termination. Ports on bypass-capable network interfaces can be configured to be bridged pairwise or to act independently. Copyright © 2013 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, ProxyClient and BlueSource are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. Page 1 of 2 600. The customer values rack space at $2500 per rack unit per year. Inc.000 reduction in operating costs over five years. One fewer AV appliance is required. Blue Coat Systems. However. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems. the fact that the customer requires room for growth means that the SG600-35-PR is not appropriate.installation of a second power supply will provide continuous operation should one of the power supplies fail. if appropriate. • Organization has 1700 employees. in the U. they are now available at no charge on all 300. Specifications are subject to change without notice. however. The customer will redeploy the existing configuration to a different site. 9000 and S500 models. ProxyClient and BlueSource are registered trademarks of Blue Coat Systems. Inc. the quote should include two of each appliance: 2 x SG900-10B-PR and 2 x AV1200-A. in this case. To meet the redundancy requirement. the two remaining SG90045 units can together handle 26. Operational cost savings: at $2500 per rack unit per year. This solution allows 40% growth both in throughput and user capacity. 900. The most obvious solution is to install a pair of SG9000-30 appliances each with two AV2400-A appliances. no matter when they were purchased. Blue Coat. Cost: the list price of the hardware for the SG900-45-PR cluster is about 15% less than the comparable SG9000-30-PR cluster. Page 2 of 2 . assumes no responsibility for its use. and worldwide. For further protection from failure. all with Internet access • One Internet gateway with 30Mbps connectivity • Requires N+1 redundancy and room for growth (+30%) EXAMPLE 2: Forward Proxy Cluster Example Forward Proxy Deployment • • • A customer has reached the capacity limit of a redundant pair of SG9000-20 appliances with redundant AV2400-A units. ProxySG. All other trademarks mentioned in this document are the property of their respective owners.S.   Headroom: In the unlikely event of failure of an SG900-45. the customer should purchase an SG900-10B. after including ProxyAV units.000 users at 400Mbps. a less obvious solution might be better: a cluster of three SG900-45-PR appliances. Inc. purchase and Copyright © 2013 Blue Coat Systems. PacketShaper. Less rack space: a total of six rack units are required for the SG900-based cluster versus twelve for the SG9000-based cluster. All rights reserved worldwide. This cluster provides several benefits:    Although the organization has 1700 employees. Inc. The replacement configuration must allow for 40% growth over the existing configuration. six fewer rack units would translate to a $75. EXAMPLE 1: Secure Web Gateway Project NOTE: Include the appropriate additional options for all models:  Include the web filtering licenses for appliances that require web filtering  Include the Flash streaming licenses where appropriate  Include the Web Application Protections subscription where appropriate  Include the Cache Pulse subscription where appropriate There is no need to purchase software SSL licenses. The appropriate AV license and service options should be included in the quote. the same as the SG9000-30. Information contained in this document is believed to be accurate and reliable. Factor the load balancing mechanism into this analysis. each with one AV2400-A appliance.