Are you running a transparent proxy for your BYOD?
Untick inspect https traffic. Does it make a difference?
After removing all of our BYOD from our Smoothwall box over half term, today with less than 400 users logged into Smoothwall, our load averages are still crazy high. Roughly 650% CPU for dansguardian and 100% for datastore.
Can you confirm this is normal CPU load usage for the amount of users vs. hardware spec?
We had this on one site. Turned out to be a bad (everything, everywhere for everyone) choice of HTTPS inspect rule. Once I was a bit more sensible (by selecting the groups in who rather than everyone), things got much better.
OMG, I can't believe this. After months of problems, 4 tickets, countless technicians, phone calls and remote sessions, I think I have found the fix. Was reading the latest newsletter, November 2013, from Smoothwall and in there it had a section entitled "Force NoSSL on Google!"
It mentions users who have been using Smoothwall HTTPS filtering, which we do, won't have seen any issue, but you can use the Beta Google NoSSLSearch to prevent inappropriate content if you don't use HTTPS interception.
Now this got me thinking: if Google is our highest usage domain and all traffic is going through HTTPS and being decrypted and inspected for students (excluding updates, banks etc.), this is going to cause a huge load, as @brougham mentioned earlier. So I made a new content modification policy with the new Beta Google NoSSLSearch for everyone, and all I can say is WOW, the load averages have come down from 12-13 to 3-4. This is amazing; we were considering spending £5k to solve this problem, as everyone suggested it was a hardware issue. I am both annoyed and relieved that this is now sorted. I just hope support read this and can add this to their knowledgebase so other customers don't have to spend the amount of time I have fixing this for themselves.
Although I've come into this thread late, it is worth explaining a bit about that Sophos thing. Essentially, every time the client machine makes a request, Sophos intercepts the request and sends a request of its own upstream to Sophos to check that the request is 'safe' before it is passed along to the Default Gateway or Proxy. This effectively doubles or triples the number of requests made which can have a serious impact on box performance. Annoyingly Sophos won't actually TELL you what it's doing either. I had a case recently where a web page wouldn't load properly and we tried everything we could think of until I noticed the Sophos application on the client machine. We turned it off and immediately the site worked like a charm. Sophos is probably one of our biggest headaches simply because it doesn't pop up a little 'Sophos is protecting you from the big bad' so there is no way of knowing whether it is your web filter or Sophos that is interfering with a site. Additionally, Sophos will not support authentication requests so if you are running NTLM, requests will fail unless you add the Software Updates category to your auth exceptions.
Out of curiosity, if you were to look in our knowledgebase for an article about this issue, how would you search for it? What search terms would you use?
Last edited by AMLightfoot; 5th November 2013 at 02:29 PM.
I believe that change has also made a significant difference to us as well. The other interesting thing I found was that if I put just that rule into a category group, it then doesn't show up on any policy wizards - if I add in another rule as well (or add it to an already used category group) it does and applies. May just be something odd with our Smoothy, but wondered if anyone else saw the same thing (or whether there's a setting somewhere related to [beta] categories).