
Topic: Optimizing ISA performance - Nine Basic Steps

  
  1. #1
    Real name: 1234

    Retired moderator
    Join date
    Jul 2009
    Location
    5678
    Posts
    5,634
    Thanked
    2513
    Thanks given
    272

    Optimizing ISA performance - Nine Basic Steps

    Code:
    http://www.isaserver.org/tutorials/Optimizing-ISA-performance-Part1.html
    PART-1


    The meaning of performance

    System performance is usually measured by the time a system takes to respond to specific user requests, or to accomplish a specific task. Two main ideas should be measured when trying to understand performance. The first concept which should be considered is the design of the high-performance applications, and the second is the testing of the performance of existing systems and code; this is attributable to the applications developed for ISA Server 2004 as well as to the ISA 2004 code itself.
    Independent of the type of system, there are general guidelines that help you to attain high performance within your system. Many of these guidelines may appear targeted at a specific language, product version, or even type of application, but all of them contain information that helps increase your awareness of key performance issues and possible solutions (this applies to all ISA versions).
    ISA Server capacity depends on CPU, memory, network, and disk hardware resources and throughout the article series you will be reminded of this where appropriate.
    9 basic steps to improve ISA performance

    1. Use the Microsoft Firewall Client program instead of Secure Network Address Translation
    The Microsoft Firewall client performs better than secure network address translation (NAT) when ISA is required to support secondary connections. The Secure NAT client is typically used for non-Microsoft installations or for legacy environments, as well as some server installations. The Microsoft Firewall client has many benefits over the typical Web and Secure NAT client. Because this agent was designed to speak directly to ISA, it leverages some key performance enhancers.
    2. (For multiprocessing server computers) Set the processor affinity for each network adapter to a single CPU and ensure a CPU-maximized system with adequate capacity
    The processor affinity for each network adapter can be set to a single CPU on a multiprocessor computer. Doing this can improve processor efficiency and enhance the throughput of ISA Server.
    It is most cost effective to have a system bound to a set CPU resource, making sure that this capacity utilization is never exceeded due to the expense incurred to upgrade or increase the capacity of the CPU. It is much easier to keep the CPU capacity usage constant and adapt other resources such as the memory, network and disk hardware as required. This tactic is often overlooked and can result in excessive spending on CPUs, as the CPU is typically the more expensive option in the hardware stack right now.
    3. Adjust the parameters of specific network adapters and continuously monitor network capacity
    The parameters of specific network adapters can be adjusted to improve their performance.
    As with the CPU capacity, it must be ensured that the network capacity is not exceeded to obtain the best performance. Every network device (network adapters, routers, hubs, switches) has a capacity limit; the usage should remain below this limit to maintain acceptable performance levels. This is done through continuous monitoring of the network activity. For this reason the network performance on the infrastructure fabric should be isolated for critical servers like ISA Server.
    ISA is heavily reliant on networking components and this is a critical part of building a high-performance ISA Server computer. As bandwidth becomes more readily available throughout the world, the usage and capacity increase. This is attributed to new usage patterns such as VoIP and other such bandwidth-hungry protocols. These protocols will start to consume more of the capacity and also push the limits of the bandwidth.
    Very soon the STD internet bandwidth convergence trend will become 100 Mbps internet links that facilitate such services, and therefore planning needs to be performed now to ensure that, in the future, bandwidth will not contend with other hungry protocols that facilitate logging and remote management etc.
    It is recommended that an extra network card/s be used for logging to remote SQL servers and for remote management of the ISA Server so that the traffic is not under contention with other critical protocols like the ones used for communication.

    Diagram 1.1: The above diagram depicts the design that will improve the ISA performance by removing the impedance that remote logging and remote management may introduce to the main network service link
    4. Determining Memory Capacity
    ISA Server memory has various functions; they include storing network sockets for internal data structures and for pending request objects amongst others.
    It must be ensured that the memory capacity usage is not exceeded to obtain good ISA performance and functioning, as with the CPU and network capacity components discussed previously. The memory capacity can be easily increased if it is found to be problematic and causing a decrease in performance due to limitations being exceeded. Monitoring is a key factor when dealing with capacity issues such as memory.
    5. Use IP routing where possible in ISA Server
    By using IP routing in ISA Server, performance is increased.
    6. Logging in ISA Server
    ISA encourages three methods of logging: MSDE logging, SQL remote database logging and file logging. MSDE logging is when records are written directly to the MSDE database, and file logging refers to the writing of the records to a text file. MSDE has more features than file logging but it uses more system resources, thus decreasing ISA performance. ISA performance can be enhanced by changing from the default MSDE logging to file logging; however, capacity and scalability are then compromised. For this reason SQL logging is introduced, but it must be noted that this type of remote logging needs to be monitored to ensure that the SQL server is available.
    If logging is not required, it can easily be disabled to increase ISA performance. This is especially true for some CARP and high caching environments.
    7. Increase the TCP/IP buffer sizes in the registry
    You can use Registry Editor to increase the TCP/IP buffer sizes in the registry. This should be undertaken with caution. If this is done incorrectly, problems may occur which will result in the re-installation of the operating system. Before this is attempted, a backup of the registry should be made and the ISA professional should have a clear understanding of the procedure involved in restoring the registry if problems should occur.
    8. Enable the FTP Kernel Mode Data Pump
    To optimize ISA performance, Registry Editor can be used to enable the FTP kernel mode data pump. Kernel mode does not require the data to be passed through the entire operating system, thus less processing is required and performance is enhanced.
    Again it must be noted that care should be taken when utilizing this option to prevent problems from occurring and re-installation of the operating system. Whenever Registry Editor is used, a backup of the registry should be made and the ISA professional should have a clear understanding of the procedure involved in restoring the registry if problems should occur.
    9. Application and Web Filters
    An Application filter registers to a specific protocol port and packets sent to this port pass through the application filter. The filter determines the packets' destination according to predetermined policy. TCP filtering is used when no application filter is being utilized. TCP filters require only a small amount of the resources that application level filtering requires.
    Application filtering requires more processing than TCP filtering for the following reasons:

    • Application filters consider the data’s payload, whereas TCP filtering looks only at the TCP/IP header information, thus enhancing performance.
    • Application filters work in user mode and TCP filtering works in kernel mode. Kernel mode does not require the data to be passed through the entire system, so less processing is required than when application filters are utilized, thus increasing system performance.

    Summary

    In part one of this article we covered some of the interesting changes that could be made to ISA and its components when increasing the performance of Microsoft's flagship firewall products. In the second article we take a look at other methods that can be used to further make the ISA experience faster. Look out for part two of this article series.






  2. #2
    Code:
    http://www.isaserver.org/tutorials/Optimizing-ISA-performance-Part2.html

    PART-2


    In this part 2 of the two-part series on ISA performance, we will cover performance tweaks that improve ISA Server 2004; these guidelines specifically take into account the services that ISA Server serves. Because of ISA’s multi-layered architectural approach and sophisticated policy engine, it is extremely important that resources are carefully controlled and that only unnecessary resource consumers are disabled. It is strongly advised that, before making changes to your ISA Server, a backup is made and the restore is tested.
    ISA 2004 provides clients and networks with Security, Caching and filtering services. As vendors start to exploit the potential of the ISA 2004 exposed APIs, new advanced applications for ISA 2004 are found.
    Each resource has a capacity limit, and as long as all resources are consumed below their limit, the best possible system performance is achieved. When one of these limits is exceeded a decrease in performance occurs. This can be resolved by increasing the available capacity to the resource which is lacking in capacity. Once this is done, performance should take a positive turn once again.
    For ISA to perform at its optimal capacity, ISA needs to be continuously monitored and run within a comfortable range. The steps to monitoring ISA were covered in the two part article about hardening ISA 2004 (Hardening ISA Server 2004 (Part 1) & Hardening ISA Server 2004 (Part 2)). Once ISA monitoring is working, you are well on your way to obtaining an optimal ISA Server.
    To ensure that ISA is running within a comfortable range, the ISA Server capacity should be well planned. This involves considering the available and actual bandwidths on every network that is linked to an ISA Server computer, the number of users and various application metrics, with the availability of bandwidth on networks being the most important aspect. The number of users is less indicative of the needed capacity as they are not all following the same usage patterns simultaneously. Initially, planning for maximum network capacity may be conservative, because capacity requirements often increase over time. To accommodate future growth, you should also plan for processing power upgrades. For this reason it is often recommended to plan for 1.5 times the number of users, at the very least, that your ISA Server environment will cater for.
    Recently a network with ISA 2004 as its gateway was built for over 30,000 users. To ensure that the servers would handle the load, the specification was carefully considered. Microsoft has released sizing tools for most products including ISA 2004 and ISA 2006 and these tools can be used to size your ISA installation. This tool is used as a guideline and it must be noted that there are still other tweaks discussed in this document that will improve ISA’s performance.
    It is recommended that a thorough assessment of the ISA Server performance be done using the sizing tools supplied by Microsoft. After the assessment, the respective hardware that will satisfy the requirements resulting from the assessment should be procured. The ISA Server should then be installed and afterwards tested using performance measuring tools. These tools can be used to establish baselines that can be recorded and then later used to compare reported data. Before establishing these baselines it is pertinent that all third-party software that is not linked to ISA or the respective Windows installation is removed. Third-party software that is installed on ISA can have counter effects on performance, especially if the installation is untested. A staged approach is recommended as the next step in moving some of the more tolerant users onto the system. These pilot users will help identify glitches and performance issues if any arise.
    In terms of hardware, my tips before procuring the hardware are to ensure that the server’s disks, RAM and CPU are optimally specified to work with each other. If budget allows, I would advise using 15000 RPM disks for an environment with a high caching requirement. Note that CARP (Cache Array Routing Protocol) is used to enhance the availability and performance of a scaled ISA solution; this in turn improves performance. The faster the FSB (front side bus), the quicker ISA can handle the transfer of data and the processing of data.
    The three factors of performance, namely RAM, CPU, and Disk, have limits for which they perform to and when these limits are reached the performance is degraded. Using monitoring applications like MOM and/or performance monitor with thresholds that alert the security professional, will ensure that the upgrade or tweak can be applied in a timely fashion.
    Packet Filtering

    Using transport layer stateful filtering instead of Web Proxy filtering reduces ISA’s CPU utilization for the same traffic patterns by a factor of 10. Together, stateful filtering and application filtering can be used in parallel to provide granular control over performance.
    Bandwidth and traffic

    If the enterprise’s bandwidth totals up to more than 25 Mbps (T1), then a dual CPU of Xeon 2.4 GHz is recommended; in many cases the bottleneck is not the CPU but actually the bandwidth.
    Caching

    If ISA cache is not used, turn it off. Note caching uses drive I/O. ISA also uses RAM when caching and for this reason, when tweaking ISA, both the RAM and Disk should be monitored.
    Application and Web Filters

    ISA 2004 Server makes use of application filters when inspecting security at the application level. Typically this is a dynamic-link library (DLL) that registers with a specific protocol port. Scanning happens when traffic is passed through the port. Application filters pass traffic through the user-mode OS stack.
    Because application filters are ISA firewall processing extenders, they will have an impact on the ISA Server’s performance. If possible, use an ISA firewall rule instead of a filter.
    When no application filter is assigned to a port, the traffic undergoes standard TCP stateful filtering of the TCP/IP header information. To increase the performance of your ISA Server, the application-level scanning can be turned off. Because of the feature richness of the application filters that ISA offers, a small overhead is experienced. If your hardware is under-specced, then it is recommended that the hardware resources be increased to a more adequate level or that the application filtering be turned off.
    Third-party application and web filters can be a reason for performance degradation, so it is recommended that, before either option is installed, the solution be tested thoroughly before implementing live.
    Logging

    Note SQL logging will use up more CPU cycles, especially for instances that have verbose logging enabled. Monitor the CPU usage and ensure that your CPU is correctly balanced for the load. It must also be noted that logging will consume bandwidth. Consistently hosting live reports reflecting the logged information will also consume resources and for this reason it is recommended that an alternate hosting server and network card is used for this sole purpose especially in large environments.

    Internet link bandwidth     | 1 Mbps                        | 5 T1 (7.5 Mbps) | 25 Mbps  | T3 (45 Mbps)
    SQL transactions per second | 25                            | 188             | 625      | 1,125
    SQL transaction bandwidth   | 92 kilobits per second (Kbps) | 700 Kbps        | 2.3 Mbps | 4.2 Mbps

    Table 1.1: The table above is a Microsoft extract that depicts suggested usage for bandwidth consideration
    Networks

    When using networks, always try to use the highest network link available. If there is a 1 GB link to the switch, then use it, especially if high LAN access is required for intranets, internal browsing, caching and LAN access.
    Tuning


    • The /3GB Boot.ini Switch should be used for large systems with over 2 GB of memory and Windows Server 2003 (see article Q171793).
    • In terms of mass authentication, RADIUS is a less taxing authentication system than Kerberos and NTLMv2. These are strong systems and are recommended over older, less secure systems.
    • Use SSL only where it is needed. This is a great PKI solution and must be used where needed, remembering that the cycle is taxing on the system.
    • Use OWA over RPC if possible as OWA is 100kb per connection and RPC is 500kb per connection.
    • Reduce the usage of SSL bridging if it is not needed. Double CPU cycles can be reduced.
    • Use load balancing to reduce the load on one ISA system.

    Microsoft has made an effort in helping customers when sizing and improving the performance of their ISA server. A significant amount of information is available on the internet specifically addressing performance improvements for ISA server and for the supported operating systems. If you are planning on installing ISA for the first time, an appliance may be the right solution for your organization as these pieces of equipment have been specifically designed to remove the guesswork from the capacity planning and performance measurement and management of ISA server.
    For more detailed information refer to the link that follows: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx
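
The baseline-and-compare step described in Part 2 above, as an added example that is not part of the original article or post. It assumes the performance counters were captured to CSV with typeperf; the host name ISA01, the counters chosen, the drift limits and every sample value are constructed for illustration.

```python
import csv
import io
from statistics import mean

# Constructed typeperf-style captures (PDH-CSV layout); all values are made up.
HEADER = (r'"(PDH-CSV 4.0)","\\ISA01\Processor(_Total)\% Processor Time",'
          r'"\\ISA01\Memory\Available MBytes",'
          r'"\\ISA01\PhysicalDisk(_Total)\Avg. Disk Queue Length"' + "\n")
BASELINE = HEADER + '''"03/01/2007 10:00:00.000","22.0","1410","0.4"
"03/01/2007 10:00:15.000","26.0","1395"," "
"03/01/2007 10:00:30.000","24.0","1395","0.6"
'''
CURRENT = HEADER + '''"04/01/2007 10:00:00.000","71.0","1380","0.5"
"04/01/2007 10:00:15.000","79.0","1400","0.6"
"04/01/2007 10:00:30.000","75.0","1390","0.4"
'''

# Assumed policy: which direction is bad for each counter, and how far the
# current mean may move relative to the baseline mean before it is reported.
WATCH = {
    r"Processor(_Total)\% Processor Time": ("high", 1.5),
    r"Memory\Available MBytes": ("low", 0.75),
    r"PhysicalDisk(_Total)\Avg. Disk Queue Length": ("high", 2.0),
}

def counter_means(text):
    """Return {counter path with the host prefix removed: mean of numeric samples}."""
    rows = list(csv.reader(io.StringIO(text)))
    header, samples = rows[0], rows[1:]
    means = {}
    for col in range(1, len(header)):            # column 0 is the timestamp
        name = header[col].lstrip("\\").split("\\", 1)[1]
        values = []
        for row in samples:
            try:
                values.append(float(row[col]))
            except (ValueError, IndexError):     # blank cell or short row: skip sample
                continue
        if values:
            means[name] = mean(values)
    return means

def drift(baseline_text, current_text, watch=WATCH):
    """List (counter, baseline mean, current mean) for counters past their limit."""
    base, cur = counter_means(baseline_text), counter_means(current_text)
    flagged = []
    for name, (bad_direction, limit) in watch.items():
        if name not in base or name not in cur or base[name] == 0:
            continue
        change = cur[name] / base[name]
        if (bad_direction == "high" and change > limit) or \
           (bad_direction == "low" and change < limit):
            flagged.append((name, round(base[name], 2), round(cur[name], 2)))
    return flagged

if __name__ == "__main__":
    for name, before, after in drift(BASELINE, CURRENT):
        print(f"{name}: baseline {before} -> now {after}")
```
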





