Sizing Guide for ProxySG Deployments Forward Proxy SGOS Version 6.

2 16 May 2011 Deployment Mode

Model Forward Proxy Client Manager for ProxyClient
Recommended Max ProxyClients Managed

Licensing
Licensed Client IPs Storage CPU Memory Cores

Hardware Spec
Preinstalled Cards and Available Slots On-board Network Ports Power Supply

Max Internet Bandwidth

Employee Count

Suggested ProxyAV *

Drives

Total Storage (GB)

Bypass
1 1 1 1 1 1 2 2 4 4 2 4 8 12 2GB 2GB 4GB 4GB 4GB 4GB 6GB 8GB 12GB 16GB 8GB 16GB 40GB 64GB 1 open slot 1 open slot 1 open slot 2 open slots 2 open slots 2 open slots 2 open slots SSL, 3 open slots SSL, 3 open slots SSL, 3 open slots
SSL, Compression, 2 open slots
Note: Hardware SSL support is included on all models

Other
1 x 1000BT 1 x 1000BT 1 x 1000BT 1 x 1000BT 1 x 1000BT 1 x 1000BT 2 x 1000BT 2 x 1000BT 2 x 1000BT 2 x 1000BT Single Single Single Single Single Single Single Single Redundant Redundant Redundant Redundant Redundant Redundant
Redundancy

300-5 300-10 300-25 600-10 600-20 600-35 900-10 900-20 900-30 900-45 9000-10 9000-20 9000-30 9000-40

6Mbps 6Mbps 10Mbps 12Mbps 20Mbps 30Mbps 60Mbps 90Mbps 155Mbps 200Mbps 155Mpbs 250Mbps 400Mbps 622Mbps

30 150 300 500 1000 1800 3500 6000 10,000 13,000

AV510-A AV510-A AV510-A AV1200-A AV1200-A AV1200-A AV1200-A AV1400-A AV1400-A AV2400-A

800 800 2000 2000 3000 4000 8000 10,000

30 150 No limit 500 1000 No limit 3500 6000 No limit No limit No limit No limit No limit No limit

1 1 1 1 2 2 2 2 3 4 8 10 10 15

250 250 250 250 500 500 1000 2000 3000 4000 4000 5000 10,000 15,000

2 x 1000BT 2 x 1000BT 2 x 1000BT 2 x 1000BT 2 x 1000BT 2 x 1000BT 2 x 1000BT 2 x 1000BT 2 x 1000BT 2 x 1000BT 4 x 1000BT 4 x 1000BT 4 x 1000BT 4 x 1000BT

AV1400-A 10,500 16,000 AV2400-A 26,000 2 x AV2400-A 40,000 3 x AV2400-A

* Security Mode; Performance Mode often can use less powerful ProxyAV hardware

optional

These guidelines show the relative power of SG appliances. Appropriate configurations can vary significantly from these guidelines and will depend on technical requirements.

moment, though up to 80% are used for background tasks. Adjust this number if per user Internet use is known to differ. For limits on the number of desktops that can use the appliance concurrently, refer to Licensed Client IPs.. Recommended Max ProxyClients Managed Maximum number of ProxyClient instances connecting to a Client Manager, regardless of the features enabled on the ProxyClient (filtering, acceleration or both).

Forward Proxy
Assumes 70% peak CPU load with complex policies, 15% SSL, ICAP, content filtering, access logging and limited streaming content. SGOS Proxy Edition is required for forward proxy deployments. Special rules apply for mixed use configurations, which run both forward proxy and WAN optimization in a single appliance. For suggestions on how to handle this situation, please refer to the Sizing Guide for WAN Optimization Deployments. Max Internet Bandwidth Maximum client-side throughput for ProxySG. If you do not have a proxy deployed, use your available internet connectivity as a guide. If a proxy is in place, this number represents the client (internal) bandwidth number. Server (Internet) utilization will typically be lower. Employee Count The total number of employees that use the system. Employees might have multiple desktops. This number assumes that 100% of desktops have web connections open at any

Licensing
ProxySGs are licensed based on concurrent client IP addresses only. Other parameters such as Max Internet Bandwidth and Employee Count are suggested values based on the physical capacity of the system. Licensed Client IPs Licensed users are measured by the number of unique client IP addresses with open inbound TCP connections to the ProxySG. The measurement is instantaneous and concurrent. It is not based on the average over any time interval. The administrator can configure the ProxySG to either bypass connections from new users when the license limit is exceeded, to delay them until another client drops all of its connections or to attempt to accept them. The default is to accept them.

Copyright 2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, ProxyClient and BlueSource are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. Page 1 of 2

Hardware Spec
Hardware-based SSL acceleration is included on all models. A separate license is not required to activate SSL termination. Ports on bypass-capable network interfaces can be configured to be bridged pairwise or to act independently.

Although the organization has 1700 employees, the fact that the customer requires room for growth means that the SG600-35-PR is not appropriate; the customer should purchase an SG900-10. To meet the redundancy requirement, the quote should include two of each appliance: 2 x SG900-10-PR and 2 x AV1200-A. The appropriate AV license and service options should be included in the quote. For further protection from failure, purchase and installation of a second power supply will provide continuous operation should one of the power supplies fail. NOTE: If web filtering is required, the appropriate web filtering licenses should also be included along with the desired service option. There is no need to purchase software SSL licenses; they are now available at no charge on all 300, 600, 900 and 9000 models, no matter when they were purchased.

EXAMPLE 1: Secure Web Gateway Project Organization has 1700 employees, all with Internet access One Internet gateway with 30Mbps connectivity Requires N+1 redundancy and room for growth (+30%)

EXAMPLE 2: Forward Proxy Cluster

Example Forward Proxy Deployment

Model

Forward Proxy

Deployment Mode
Model Forward Proxy Client Manager for ProxyClient
Recommended Max ProxyClients Managed

Max Internet Bandwidth

Employee Count

Suggested ProxyAV *

300-5 300-10 300-25 600-10 600-20 600-35 900-10 900-20 900-30 900-45 9000-10 9000-20 9000-30 9000-40

6Mbps 6Mbps 10Mbps 12Mbps 20Mbps 30Mbps 60Mbps 90Mbps 155Mbps 200Mbps 155Mpbs 250Mbps 400Mbps 622Mbps

30 150 300 500 1000 1800 3500 6000 10,000 13,000

AV510-A AV510-A AV510-A AV1200-A AV1200-A AV1200-A AV1200-A AV1400-A AV1400-A AV2400-A

800 800 2000 2000 3000 4000 8000 10,000

A large customer has reached the capacity limit of a redundant pair of SG9000-20 appliances with redundant AV2400-A units. The customer will redeploy the existing configuration to a different site. The replacement configuration must allow for 40% growth over the existing configuration. The customer values rack space at $2500 per rack unit per year.

Max Internet Bandwidth

Employee Count

Suggested ProxyAV *

300-5 300-10 300-25 600-10 600-20 600-35 900-10 900-20 900-30 900-45 9000-10 9000-20 9000-30 9000-40

6Mbps 6Mbps 10Mbps 12Mbps 20Mbps 30Mbps 60Mbps 90Mbps 155Mbps 200Mbps 155Mpbs 250Mbps 400Mbps 622Mbps

30 150 300 500 1000 1800 3500 6000 10,000 13,000

AV510-A AV510-A AV510-A AV1200-A AV1200-A AV1200-A AV1200-A AV1400-A AV1400-A AV2400-A

The most obvious solution is to install a pair of SG9000-30 appliances each with two AV2400-A appliances. This solution allows 40% growth both in throughput and user capacity.

However, in this case, a less obvious solution might be better: a cluster of three SG900-45-PR appliances, each with one AV2400-A appliance. This cluster provides several benefits:

AV1400-A 10,500 16,000 AV2400-A 26,000 2 x AV2400-A 40,000 3 x AV2400-A

AV1400-A 10,500 16,000 AV2400-A 26,000 2 x AV2400-A 40,000 3 x AV2400-A

* Security Mode; Performance Mode often can use less powerful ProxyAV hardware

Headroom: In the unlikely event of failure of an SG900-45, the two remaining SG90045 units can together handle 26,000 users at 400Mbps, the same as the SG9000-30. Cost: the list price of the hardware for the SG900-45-PR cluster is about 15% less than the comparable SG9000-30-PR cluster. One fewer AV appliance is required. Less rack space: a total of six rack units are required for the SG900-based cluster versus twelve for the SG9000-based cluster, after including ProxyAV units. Operational cost savings: at $2500 per rack unit per year, six fewer rack units would translate to a $75,000 reduction in operating costs over five years. Factor the load balancing mechanism into this analysis, if appropriate.

Copyright 2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, ProxyClient and BlueSource are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. Page 2 of 2