Relays in DMZ - TCP Persistence

Is anyone using the new TCP persistence DMZ relay settings from 9.5.13? If so, can you share your experience?

Does the Parent relay in this new configuration need to be dedicated? Would its persistence settings adversely impact non-DMZ child relays?

We need to stand up a new DMZ relay and I’m considering whether to upgrade first so we can use the new settings.

Whether to use the DMZ Persistence is usually a matter of your network security policy. Some organizations wish to block DMZ servers from creating new inbound TCP connections to their internal core servers; DMZ Relay Persistence overcomes this by having the parent relay on the inside establish a connection to the child relay in the DMZ, effectively reversing the usual connection flow.

In this setup we would usually have dedicated parent relays, but I don’t believe that’s strictly necessary. You do need to provide the parent with the list of child/DMZ relays to which it should initiate the connections.

The performance impact on the parent relay should be similar to any other usual relay connections, so the usual tuning guidance applies, such as cache sizing, processor usage, RAM, bandwidth, etc. as well as OS tuning for the network stack if the relay is used in “High Capacity” mode (i.e. servicing more than a thousand clients on the relay).
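A generic illustration of the reversed connection flow described in the reply above, added here as an example (it is not from the original thread and does not reproduce the BigFix relay protocol or its settings): the inside "parent" opens the TCP connection to a listener standing in for the DMZ "child", and the child then sends its requests back over that already-established socket. The request payloads are constructed, and a loopback ephemeral port stands in for the relay port.

```python
"""Reverse-initiated persistent connection, generic illustration.

The parent (inside network) performs the TCP handshake towards the child
(DMZ). Once the socket is up, application-level requests travel from the
child to the parent, i.e. opposite to the handshake direction. This is
not the relay's real wire protocol; payloads are constructed samples.
"""
import socket
import threading

# Constructed sample requests a DMZ child would normally need to send
# upstream (hypothetical payloads, not real relay traffic).
SAMPLE_REQUESTS = [b"GET sitelist", b"GET actionsite", b"POST clientreport"]


def parent_handler(sock):
    """Inside parent: answer requests that arrive on the connection the
    parent itself opened. Runs until the child closes the socket.
    Returns the number of requests served."""
    served = 0
    with sock, sock.makefile("rb") as reader:
        for line in reader:                       # newline-delimited framing
            req = line.rstrip(b"\n")
            sock.sendall(b"OK " + req + b"\n")
            served += 1
    return served


def run_exchange(requests):
    """Stand up a child listener, have the parent dial out to it, then push
    the child's requests over that same socket.
    Returns (parent_initiated, responses)."""
    # Child side (DMZ): listens on a loopback ephemeral port, never dials out.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    child_port = listener.getsockname()[1]

    # Parent side (inside): the only party that creates a new TCP connection.
    parent_sock = socket.create_connection(("127.0.0.1", child_port))
    parent_addr = parent_sock.getsockname()
    parent_thread = threading.Thread(
        target=parent_handler, args=(parent_sock,), daemon=True
    )
    parent_thread.start()

    child_sock, peer = listener.accept()
    listener.close()
    # The peer the DMZ side sees is the parent's socket: the handshake came
    # from inside, which is what a stateful firewall between the zones judges.
    parent_initiated = peer == parent_addr

    # Requests now flow child -> parent over the parent-initiated connection.
    responses = []
    with child_sock, child_sock.makefile("rb") as reader:
        for req in requests:
            child_sock.sendall(req + b"\n")
            responses.append(reader.readline().rstrip(b"\n"))
    parent_thread.join(timeout=5)
    return parent_initiated, responses


if __name__ == "__main__":
    initiated, answers = run_exchange(SAMPLE_REQUESTS)
    print("parent initiated the handshake:", initiated)
    for answer in answers:
        print(answer.decode())
```

A stateful firewall between the zones only judges the direction of the handshake, so a policy that permits inside-to-DMZ new connections plus established return traffic, while denying any DMZ-initiated new connection, still carries the child's requests upstream.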

Thanks @JasonWalker for your insights. I’ll have to discuss with my security folks.

Have you implemented this? If so, how did it go? Work as advertised?