CacheGuard-OS
User's Guide - Version UF-2.2.2
WAN Optimisation
The CacheGuard appliance uses several technologies to optimise WAN (and LAN) bandwidth usage and to offer availability and QoS (Quality of Service). Technologies such as HTTP compression and Web caching save network bandwidth when browsing the Web, while traffic shaping reserves the required bandwidth for your most critical applications. All these features can be activated at the same time on the same CacheGuard appliance.
Web Caching
Web caching is one of the main and historical features of the CacheGuard appliance. Web caching consists of storing browsed Web contents (or served Web contents in reverse mode) on disk before sending them to Web clients. In this way, cached Web contents can be retrieved from local disks instead of being requested again from the Web, which saves network bandwidth. You can use the mode cache on command to activate Web caching.
Cached Object Size
For performance reasons, the CacheGuard appliance caches only objects within a size range. The cache command can be used to modify the lower and upper size limits for Web caching. Note that these limits should be modified with caution: caching all objects (even very small ones) may decrease performance, because disk I/O can slow down the traffic while network I/O may be faster (even on a low bandwidth network). Similarly, caching very big objects may rapidly saturate the Web cache with objects fetched by only a few people. To configure Web caching to cache only Web objects between 20 KB and 51200 KB, you can use the following commands:
- cache object 20 51200
- apply
Caching Big Objects
In some cases it can be useful to cache very big objects that are used by many people, such as PC (or smartphone) OS updates. To cache big objects (larger than 256 MB, which is the upper size limit for caching regular Web objects) you must activate big object caching and set its limits. Activating big object caching reserves a limited area of your Web cache for big objects, so that your whole cache cannot be saturated by very big objects. The size of this area varies and depends on the size of your hard disk(s) and other parameters given during installation. To activate the caching of big objects with a size from 131073 KB (128 MB) to 2097152 KB (2 GB), you can use the following commands:
- cache bigobject on 131073 2097152
- apply
Peer Caches
Two or more CacheGuard appliances can be paired so that they share their respective Web caches. You can use the peer command to pair a CacheGuard appliance with other CacheGuard appliances. A paired CacheGuard appliance is called a peer CacheGuard. CacheGuard peers can be implemented in parallel or be chained. In a parallel implementation, when a CacheGuard peer receives a request for a Web object from a Web client, it first tries to find it in its own Web cache. If the requested object is not found, it tries to obtain it from its peers before requesting it from the internet. In this way, several peers can share their Web caches to optimise the bandwidth saving.
In a chained implementation, when a CacheGuard peer receives a request for a Web object from a Web client, it first tries to find it in its own Web cache. If the requested object is not found, it systematically requests the object from its chained (remote) peers and never sends the request directly to the internet. In a chained configuration, a local CacheGuard is paired with one or more remote peers (called next peers), while the remote peers must be configured to allow other peers (called previous peers) to send them Web requests. If more than one next peer is configured on a CacheGuard appliance, requests are distributed among them in a load balancing and sharing manner.
HTTP Compression
The CacheGuard appliance can compress Web traffic to reduce its size and save network bandwidth. HTTP compression is especially helpful for optimising low bandwidth networks with many packet collisions, such as WiFi or satellite based networks. When HTTP compression is activated, the appliance compresses all textual files (HTML, JavaScript, XML...) received from the Web before sending them to Web clients. All modern Web browsers recognise compressed contents and automatically decompress them before displaying them. You can use the mode compress on command to activate HTTP compression.
Traffic Shaping
The CacheGuard appliance embeds a bandwidth manager that allows you to shape and schedule network traffic according to your requirements. The appliance distinguishes between two types of network traffic: traffic exchanged with the appliance itself, and traffic that is only routed via the appliance (for which neither the source nor the destination is the appliance itself). You can use the mode qos on command to activate traffic shaping. Then the qos command can be used to configure traffic shaping for both types of traffic. The traffic types exchanged with or via the appliance are the following:
- antivirus: requests/responses exchanged between the embedded antivirus and external services/clients.
- file: exchanged files between CacheGuard appliance and file servers.
- peer: requests/responses between CacheGuard appliance and other CacheGuard appliances.
- rweb: Web requests/responses between the embedded reverse Web proxy and real Web servers.
- tweb: Web requests/responses between the embedded transparent Web proxy and Web clients.
- web: Web requests/responses between the embedded Web proxy and Web clients.
- vpnipsec: encrypted network traffic exchanged via the embedded IPsec VPN server.
- default: any other network traffic exchanged with or via the CacheGuard appliance that is not matched by the traffic types above.
Configuring traffic shaping on a CacheGuard appliance is straightforward: you must first define the total available (incoming and outgoing) bandwidth in kbps (kilobits per second) for all network interfaces (external, internal and auxiliary). Then you can assign a percentage of those total bandwidths (or simply a bandwidth value in kbps) to every type of network traffic listed above. The ingress and egress keywords used by the qos command refer respectively to incoming and outgoing traffic on a network interface. The following commands activate traffic shaping and set the total available bandwidth for the external interface to 10 000 kbps (10 Mbps) and the total available bandwidth for the other interfaces to 1 000 000 kbps (1 Gbps):
- mode qos on
- qos bandwidth external ingress 10000
- qos bandwidth external egress 10000
- qos bandwidth internal ingress 1000000
- qos bandwidth internal egress 1000000
- qos bandwidth auxiliary ingress 1000000
- qos bandwidth auxiliary egress 1000000
- apply
To reserve 40% of the external available bandwidth for Web browsing (via the Web proxy) and 60% for Web traffic exchanged between the CacheGuard appliance and (cloaked) real Web servers connected to the internal network interface, you can use the following commands:
- qos shape web external ingress 40%
- qos shape web external egress 40%
- qos shape rweb external ingress 60%
- qos shape rweb external egress 60%
- apply
Bandwidth Borrowing
The traffic shaping configuration can be strict or flexible. In a flexible configuration, bandwidth reserved for one traffic type but not used can be borrowed by other traffic types. In the example above, we reserved 6 Mbps (60% of 10000 kbps) on the external network interface for reverse Web traffic; if the actual bandwidth consumption of the reverse Web traffic is only 4 Mbps, the remaining unused bandwidth (2 Mbps) can be borrowed by the Web traffic type.
Borrowing can be activated or deactivated for ingress or egress traffic on every network interface. For instance, if you want to strictly allocate 4 Mbps to Web traffic and never allow it to exceed that limit, you must deactivate borrowing on the external network interface with the following commands:
- qos borrow external ingress off
- qos borrow external egress off
- apply
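The following model, added here as an example and not part of CacheGuard-OS, reproduces the shaping and borrowing behaviour the two sections above describe: it parses the guide's own qos command lines, rejects reservations that exceed an interface's total, and computes what each traffic type actually gets under a constructed demand profile, with borrowing on (ingress) and off (egress). The demand figures and the borrowing order (largest reservation first) are assumptions for the walkthrough.

```python
# Added example, not CacheGuard's own code: a model of the hierarchical shaping the
# guide describes (interface total -> per-traffic-type share, with optional borrowing).

# Command lines taken from the guide; the 'borrow ... off' line makes egress strict.
QOS_CONFIG = """
qos bandwidth external ingress 10000
qos bandwidth external egress 10000
qos shape web external ingress 40%
qos shape web external egress 40%
qos shape rweb external ingress 60%
qos shape rweb external egress 60%
qos borrow external egress off
"""

def parse_qos(text):
    """Return {(iface, direction): {"total": kbps, "shares": {type: kbps}, "borrow": bool}}."""
    cfg = {}
    for parts in (line.split() for line in text.strip().splitlines()):
        key = (parts[3], parts[4]) if parts[1] == "shape" else (parts[2], parts[3])
        ent = cfg.setdefault(key, {"total": 0, "shares": {}, "borrow": True})
        if parts[1] == "bandwidth":
            ent["total"] = int(parts[4])
        elif parts[1] == "shape":  # share is a percentage of the total or an absolute kbps value
            val = parts[5]
            ent["shares"][parts[2]] = ent["total"] * int(val[:-1]) // 100 if val.endswith("%") else int(val)
            if sum(ent["shares"].values()) > ent["total"]:  # sanity check a practitioner wants
                raise ValueError(f"reservations exceed total bandwidth on {key}")
        elif parts[1] == "borrow":
            ent["borrow"] = parts[4] == "on"
    return cfg

def allocate(entry, demand):
    """kbps each traffic type gets: its reservation first; then, if borrowing is on, unused
    reservations are lent to types whose demand exceeds their own share."""
    alloc = {t: min(demand.get(t, 0), share) for t, share in entry["shares"].items()}
    if entry["borrow"]:
        spare = sum(entry["shares"].values()) - sum(alloc.values())
        for t in sorted(alloc, key=lambda t: entry["shares"][t], reverse=True):  # assumed order
            give = min(demand.get(t, 0) - alloc[t], spare)
            alloc[t] += give
            spare -= give
    return alloc

# Constructed demand: reverse Web traffic uses only 4 Mbps of its 6 Mbps, Web browsing wants 8 Mbps.
DEMAND = {"web": 8000, "rweb": 4000}
CFG = parse_qos(QOS_CONFIG)

if __name__ == "__main__":
    for key in (("external", "ingress"), ("external", "egress")):
        print(key, "borrow" if CFG[key]["borrow"] else "strict", allocate(CFG[key], DEMAND))
```

With borrowing on, Web browsing ends up with 6000 kbps (its 4 Mbps plus the 2 Mbps the reverse Web traffic leaves unused); with borrowing off it is capped at 4000 kbps.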
QoS Fine-Tuning
Traffic shaping can be fine-tuned for some types of traffic to allocate more or less bandwidth to a given network. For instance, you can reserve 90% of the Web browsing bandwidth for one network and limit another network to 10%. QoS fine-tuning is a contextual setting that you configure within certain commands. For instance, when you allow a network to have Web access with the access web command, you can specify a QoS percentage value to fine-tune the Web browsing bandwidth for that network. As an example, the following commands reserve 90% of the bandwidth allocated to Web browsing on the internal network interface for the 10.26.0.0 255.255.0.0 network and leave only 10% for the 172.18.2.0 255.255.255.0 network. As only 30% of the total available bandwidth on the internal network interface can be used for Web browsing, the bandwidth allocated to the 10.26.0.0 255.255.0.0 and 172.18.2.0 255.255.255.0 networks would respectively be 270 Mbps (90% of 30% of 1000000 kbps) and 30 Mbps (10% of 30% of 1000000 kbps).
- qos shape web internal ingress 30%
- qos shape web internal egress 30%
- access web add internal 10.26.0.0 255.255.0.0 90%
- access web add internal 172.18.2.0 255.255.255.0 10%
- apply
It is worth noting that you can combine Web caching, parallel and chained peering, HTTP compression and traffic shaping for an even greater bandwidth saving.