I am searching for the best practice of securely deploying windows domain controller and exchange in a small-medium size network (50+ users, 20+ virtual servers). The topology is single firewall staying between wan and internal router (l3 switch) and firewall has a dmz leg. We have users, servers etc. vlans. How would you deploy them ?
Thanks.
I am trying to figure out exactly how to configure nginx and tomcat to work together correctly.
Nginx has a worker connections setting and tomcat has max threads (assuming native apr connector for tomcat). Since nginx is connecting with HTTP/1.0 to backend, keepalive is not needed for tomcat.
I set keep-alive timeout to 30s in nginx. If 100 req/s is the target and each request finishes in 1s, there can be 100 requests * 30 seconds each = 3000 concurrent connections that can be opened to nginx and there will be 100 concurrent connections to tomcat.
So if I set worker connections to 6000 in nginx (worker process is 1, and nginx consumes 2 connection per request I think. One for client and one for backend) and max threads to 100 in tomcat (which is already 200 by default), this will work.
Is there any conceptual problem in this calculation? The exact numbers do not matter.
Thanks.
When I look the mod_status page I see the following (using mod_proxy to send request to tomcat):
9.56 requests/sec - 46.4 kB/second - 4970 B/request 193 requests currently being processed, 57 idle workers
Does requests currently being processed mean currently 193 requests are waiting a response from tomcat ? If it is so, there is a problem here right ? We should expect to see a similar number for requests/sec and requests currently being processed ? So this means tomcat is responding late (comparing to requests per second) ?
Mete
I know this is yet another question on how to setup network but I hope you are not bored of such questions yet.
The site is also an office, so it includes windows dc, windows ad, exchange, sql, file sharing, development app servers and other pcs.
In addition to office (internal) things, there are both test and prod environments consisting of a web server-app server-sql stack. There is also ftp service open to public.
I consider:
dmz1 - web server - exchange edge - ftp
dmz2 - app server - sql for app server
internal - dc and ad - exchange hub and transport - internal file sharing - sql for internal use - app servers for internal use - pcs
public -> dmz1, only web, ftp and smtp public -> dmz2 not possible public -> internal not possible
dmz1 -> dmz2 is possible from web servers to app servers by using http or ajp dmz1 -> internal is only possible for exchange, otherwise not possible
dmz2 -> internal not possible
Does this sound ok ? Any other recommendations ? It will be configured using either MS ISA or Jupiter SSG. Thank you.
I am considering to buy a UTM-1 firewall. However, I didnt get exactly what concurrent users mean. There are three models for Concurrent Users 16/32 or Unlimited. What does this mean ? How is concurrent user measured ?