We have settled on a finalized design for the transparent proxy setup. The figure below shows the network diagram.
This is the finalized design. I will go through the logical flow of traffic, since it might not be clear at first look. Traffic reaches the core network and is routed from there to the PBR. The PBR process sends traffic on ports 80 and 443 to the load balancers, while the rest of the traffic is routed by the default policy. The load balancers distribute the load across the proxies using two or three virtual IPs.
The proxy will be installed in a one-leg setup, with the feature to reflect the client source IP. This is important for a fully transparent setup, so that private IPs can be NATed to a pool of public IPs (instead of the single one we use right now).
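As an added example that is not part of the original design write-up, here is the PBR step from the traffic flow above (80/443 to the load balancers, everything else to the default policy) written in Cisco IOS-style syntax. The vendor, interface names, subnets and next-hop addresses are all assumptions; the second route-map covers the return path that a source-IP-reflecting proxy needs, since replies from the Internet are addressed to the client IP, not to the proxy.

```cisco
! Assumed addressing (placeholders, not from the design document):
!   10.0.0.0/8     client networks behind the core
!   10.10.20.0/24  proxy farm (its own egress must never be re-steered, or traffic loops)
!   10.10.10.1/.2  load-balancer virtual IPs used as PBR next hops
!   10.10.20.1     proxy next hop for returning web traffic
ip access-list extended PROXY-REDIRECT
 remark Skip the proxies' own outbound connections, then match client web traffic
 deny   ip  10.10.20.0 0.0.0.255 any
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
!
route-map TRANSPARENT-PROXY permit 10
 match ip address PROXY-REDIRECT
 ! IOS uses the listed next hops in order; the first reachable one is taken
 set ip next-hop 10.10.10.1 10.10.10.2
!
! Sequence 20 has no match or set clause, so all other traffic falls
! through to the normal routing table (the "default policy" in the text)
route-map TRANSPARENT-PROXY permit 20
!
interface GigabitEthernet0/1
 description Inside interface facing the core
 ip policy route-map TRANSPARENT-PROXY
!
! Return path: because the proxy reflects the client source IP, the reply
! from the Internet (source port 80/443, destination = client IP) must be
! steered back to the proxy instead of going straight to the client
ip access-list extended PROXY-RETURN
 permit tcp any eq 80  10.0.0.0 0.255.255.255
 permit tcp any eq 443 10.0.0.0 0.255.255.255
!
route-map TRANSPARENT-PROXY-RETURN permit 10
 match ip address PROXY-RETURN
 set ip next-hop 10.10.20.1
!
interface GigabitEthernet0/2
 description Outside interface (after firewall NAT has restored the client IP)
 ip policy route-map TRANSPARENT-PROXY-RETURN
```

If the firewalls NAT the private addresses to the public pool, the return route-map must sit on the inside of that NAT, where the destination has already been translated back to the client IP.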
Once that is done, the packet shaper will ensure a fair share of bandwidth by dividing the big pipe into two or three main segments that are shared based on source IPs (group-based shaping), plus another dynamic partition that gives individual IPs a fair share of bandwidth (user-based shaping).
We have multiple firewalls and a VPN concentrator to provide the required security.