S series appliance sales

Apr 29th, 2007

Hey, folks. I am a partner in sunny Dubai. We have numerous discussions here back and forth with Ironport teams who are reluctant for us to sell the S series: many excuses, like not a good cache, no good URL filtering yet, and everything is coming. End users, on the other hand, are bugging me, since NetCache and Blue Coat are not that good.
Any experiences on selling the S series? Anybody installed it? How hard is it to install versus the ordinary cache systems out there?
Your views and shared information will be much appreciated.

smohan_ironport Tue, 05/01/2007 - 20:13


My name is Shalabh Mohan and I am the Product Manager for the Web Security product line. I would be happy to have detailed discussions with you on our relative strengths vs. the competition, as well as the features we plan to add through the rest of this year, which will help us position our product better.

We can also share real-life experiences, installs and what customers are saying. Let's schedule a specific call for this. Please let me know what are some good days/times for you. My email address is [email protected].


jwjorgensen Thu, 05/03/2007 - 03:57

Hello Everyone,

I work for a partner out of Oklahoma City, and have worked with the Web appliance. The setup of the box is VERY straightforward; I had no trouble setting up the box the first time. I had to go through local channel support to get the AsyncOS 5.1 code and license keys. The 5.1 code is much improved over 5.0. The policies in 5.1 are more modular and can be applied to specific LDAP groups or subnet addresses. One feature I would like to see, as would many customers, is support for Google safe search. Someone in the forum said that safe search is on the roadmap for a future release, so that's good. It appears as if you might be able to enforce safe search by using regular expressions and custom URL categories. My overall opinion of the box is good.


P.S. - Shalabh, I also would like to get with you sometime to discuss the box in detail.
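The regex-plus-custom-category approach to safe search mentioned above, worked through as an added illustration in Python (not the appliance's own category syntax or anyone's posted code): the hostname pattern, the `/search` path check and the `safe=active` parameter are the classifier's assumptions, and the category names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hostname pattern for Google web search front-ends (constructed example:
# matches google.com, www.google.co.uk, google.com.au; anchored so that
# look-alike hosts such as notgoogle.com or google.com.evil.io do not match).
GOOGLE_SEARCH_HOST = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$")


def is_unsafe_google_search(url: str) -> bool:
    """True when `url` is a Google web search request that does not carry
    safe=active. Such a request is the one to place in a blocking custom
    category; searches that already carry safe=active, and non-search Google
    paths, fall through to normal handling."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not GOOGLE_SEARCH_HOST.match(host):
        return False
    if parts.path.rstrip("/") != "/search":
        return False
    values = parse_qs(parts.query).get("safe", [])
    # Treat the request as safe only when every `safe` value is "active";
    # a missing parameter or a duplicated key with another value is unsafe.
    return not (values and all(v.lower() == "active" for v in values))


def categorize(url: str) -> str:
    """Map a URL to a custom category name (constructed names)."""
    if is_unsafe_google_search(url):
        return "google-search-unsafe"
    return "uncategorized"
```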

denisp_ironport Thu, 05/03/2007 - 08:34

Thanks for your reply. Is it mandatory for us to install the L4-L7 monitor, or is it complimentary? Did you do it, and if yes, did you push all the traffic from a span port on the firewall, or how did you deploy it? What about reporting, is it nice?

jwjorgensen Thu, 05/03/2007 - 14:25

Hello Denis,

The L4 traffic monitor does not have to be run in order for the other features to work. When setting up an eval, I would DEFINITELY set it up though. In my opinion, the traffic monitor is one of the defining features of the box. Traffic monitor allows you to see suspect traffic that is leaving your network (e.g. p2p or phone-home traffic). When I set up an eval, I definitely want the customer to see the full features of the box.

The reporting, in my opinion, could use a little work. It's pretty good, but it could be a little more granular. (maybe I just haven't dug in enough to see the full capabilities)


denisp_ironport Thu, 05/03/2007 - 18:45

Jesse, thanks a lot for the help. I am digging into this at the moment. The S650 has 6 ports in total; one can be used for proxy and management, however for the L4-L7 monitor two ports are reserved. Talking to some folks at Ironport, they are telling me that for the L4-L7 monitor only one port is available and it can be used only in span port mode. My questions are the following:

- what should we do with the L4-L7 monitor, use one port or two ports in bridge mode on the box?

- what is the throughput of the L4-L7 monitor if I mirror a port of the firewall, where we have 5,000+ users and gig speed; will it handle it?

Did you try NTLM, does it work as well? Did you try cache control, i.e. can a wrongly cached object be ejected or not?

I wish Ironport folks would respond to me ... :)

Appreciate your response.

jwjorgensen Thu, 05/03/2007 - 18:54

It really depends on the capabilities of the network it is being installed on. If your switches support span, then you could create a span port for transmit and receive and run the port in duplex mode. You could also create two span ports, one for transmit and one for receive, and run in simplex mode. If span is not supported, you would need to install network taps and connect them to the monitor ports on the appliance. As far as throughput on the interface, I do not know for sure, but I assume they are running wire speed on the interface (1 Gbps). If you feel that running in duplex mode would oversubscribe the port, then I would run simplex mode to divide tx and rx traffic.

denisp_ironport Thu, 05/03/2007 - 18:58

Any idea on NTLM ... did you try it?? We have many folks here in love with Microsoft ...

jwjorgensen Thu, 05/03/2007 - 19:01

NTLM authentication works well. You can enforce that only network users are able to access the net. Also, you can create policies based on Groups or Users in Active Directory.

smohan_ironport Thu, 05/03/2007 - 19:48


I responded to your specific queries separately over email. As far as NTLM is concerned, one of our advantages is that we support it natively out of the box - you do not need to install any binaries or agents on AD servers/Domain controllers.

We support several flavors of NTLM and you can also do transparent/single sign-on Authentication that allows for pop-less Auth (end users don't need to get prompted). Happy to share more technical details with you. I have also asked Patrice Roberts, your local SE, to get in touch with you and walk you through all the features.


jowolfer Fri, 05/04/2007 - 17:22

Hi Denis,

I believe Shalabh has answered your questions via email, but I wanted to elaborate on one thing in this thread:

- what should we do with the L4-L7 monitor, use one port or two ports in bridge mode on the box?

The L4TM is not required, you 'can' run with just web proxy, but for maximum protection / detection, it's recommended you run the L4TM as well.

The 2 NIC ports for L4TM (T1 / T2) can be configured in 2 ways:

- T1 only: use a spanned port to send copies of packets
- T1 and T2: use a physical tap that copies incoming and outgoing traffic and puts this traffic into T1 and T2 respectively (one interface receives incoming, the other receives the outgoing)

There is no 'bridge' mode for the L4TM. The L4TM solely works on sniffing copied packets from a physical tap, a spanned port, or a hub (all packets duplicated on each port - NOT recommended for performance / accuracy reasons).

I hope this helps!

denisp_ironport Fri, 05/04/2007 - 18:18

Josh, thanks a lot. Do you advise deploying L4-L7 between the core switch and a default routed firewall?? I assume it is on the gw firewall IP, so we can see non-NATed IPs?? What about traffic coming in non-HTTP and going out, will we just pass it on?

Appreciate your reply.

jowolfer Mon, 05/14/2007 - 16:55


You should deploy the L4TM in a location "pre-NAT". The reasons for this are twofold:

1. Reporting will be accurate in identifying which of your clients is attempting to access a malware destination

2. The 'bad' traffic will be sent a TCP RST packet from the M1 or P1 interface (depending on which is used for proxy data). If the L4TM is unable to see the pre-NAT'd traffic, this RST will not reach the client, thus making the L4TM only report on the traffic without blocking.

Hope this helps!
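The two consequences of monitor placement described in this reply, modelled as an added Python example (not IronPort code; a toy packet model with constructed addresses): a passive monitor reports whatever source address it observes and addresses its RST to that source, so behind NAT it reports the firewall and its RST never reaches the client.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str = "SYN"


# Constructed sample values: one internal client, the firewall's public
# address, and one destination the monitor's list flags as malware.
CLIENT_IP = "10.0.0.25"
FIREWALL_PUBLIC_IP = "198.51.100.1"
MALWARE_DESTS = {"203.0.113.10"}


def nat_outbound(pkt: Packet) -> Packet:
    """Firewall source NAT: internal sources leave with the public address."""
    if pkt.src.startswith("10."):
        return Packet(FIREWALL_PUBLIC_IP, pkt.dst, pkt.flags)
    return pkt


def l4tm_inspect(observed: Packet):
    """Passive monitor step: for a flagged destination, return the source it
    would report and a RST addressed to that observed source; otherwise
    (None, None)."""
    if observed.dst not in MALWARE_DESTS:
        return None, None
    rst = Packet(src=observed.dst, dst=observed.src, flags="RST")
    return observed.src, rst


def simulate(placement: str) -> dict:
    """placement is 'pre-nat' (monitor sees internal addresses) or
    'post-nat' (monitor sees the firewall's public address)."""
    outbound = Packet(CLIENT_IP, "203.0.113.10")
    on_wire = outbound if placement == "pre-nat" else nat_outbound(outbound)
    reported, rst = l4tm_inspect(on_wire)
    # The RST is injected from the appliance's M1/P1 interface inside the
    # network; it reaches the client only if addressed to the client's real
    # address. A RST aimed at the firewall's public IP does not.
    blocked = rst is not None and rst.dst == CLIENT_IP
    return {"reported_client": reported, "blocked": blocked}
```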

denisp_ironport Mon, 05/28/2007 - 22:51

I can tell all of you now, I am a lot disappointed after evaluation of the system. The system doesn't do 80% of what we expect it to do; it is a nice product and an expensive one for antimalware and antispyware, and nothing more than that at the moment. Ironport has a very long way to go to get level with the other vendors ... basic NTLM features with an upstream parent proxy are not supported, and we are not even mentioning such things as ICP, IP spoofing in HTTP headers and many more things ...

jowolfer Tue, 05/29/2007 - 17:07


I think it would help if you clarified what functionality you are disappointed with.

The WSA supports NTLM with an upstream proxy. You cannot do double proxy NTLM authentication, due to the requirement for persistent connections. So you either have to perform NTLM on the WSA or on the upstream proxy, but cannot do both.

I will let Shalabh comment on ICP.

What exactly do you mean by "IP spoofing in http headers"? You want to write your own x-forwarded-for header, instead of having it pertain to the client proxying? If so, what would be the purpose for this?

smohan_ironport Wed, 05/30/2007 - 03:13

Denis, can you clarify what version of the OS you have tried out? From your comments, it seems like you may have been looking at the older OS versions.
