http://www.carbonwind.net/ISA/BwdSplit/BwdSplit.htm
PART-1
- 1. Overview
- 2. Let's create a shaping rule
- 3. Another shaping rule
- 4. Let's create a quota rule
- 5. Testing the created Shaping and Quota rules
- 6. Client-side monitoring utility
- 7. Modifying the Traffic Counters on the fly from the Quota Counters Panel
- 8. The Download Managers cannot exhaust the bandwidth anymore
- 9. Conclusion
1. Overview
ISA 2006 Firewall comes with a lot of nice features by default. But, like everything and everybody, it's not perfect. Unfortunately it does not come with an integrated bandwidth manager.
As we have seen in a previous article, not having a bandwidth manager installed on ISA can easily lead to an improper Internet bandwidth distribution among the users. Wasteful traffic can exhaust the Internet bandwidth and work related traffic will suffer. Unauthorized installations of download managers, for example, can seriously affect work related traffic (long delays, timeouts...).
That's why you should always allow only needed traffic to needed destinations.
A nice feature of ISA is the ability to authenticate users based on their Active Directory accounts.
So it would be nice to have a bandwidth manager that integrates with ISA and is able to control/limit bandwidth using Active Directory Groups and Users in addition to machine based control (using IP addresses). In this way the shaping and quota rules will "follow" the users (the users can use any domain computer on the network). Whatever machine the users use, they will be able to benefit from the bandwidth allocated to them and ISA will be able to control/limit it accordingly. The bandwidth allocated per user/group for work related traffic will be constant, thus increasing work productivity. Non-work related (non-priority) traffic is limited, thus Internet connection costs are reduced.
Let's imagine the situation below (reduced and simplified).
User X is working with an application that connects him/her to a remote server. Another user Y is killing his/her time and surfs on the Internet, starts a couple of downloads and so on. Due to the "activity" of user Y, user X will not have a fixed, constant bandwidth allocated, although he/she is working on an important project. User X may experience spikes, delays and timeouts when using the needed application. These lead to frustration and thus to poor work productivity.
The solution is to provide user X with a constant channel for his/her duties while limiting the bandwidth for non-work related activity (like that of user Y). The shaping of the channel should be made per destination and per protocol.
In addition, it is very important to have a live picture of all users and their connections through ISA, including a chart of the bandwidth utilization, and the ability to immediately disconnect offending users.
A powerful bandwidth manager should be able to do all these. Obviously a powerful bandwidth manager with plenty of options can help in many other situations.
In this article we will take a look at the current version of Bandwidth Splitter. At the time of writing the version is 1.21.
Bandwidth Splitter allows free-of-charge use with up to 10 clients. So you have the chance to see it in action yourself before placing an order. I've said it before and I can't stress enough how important it is to have access to a trial version of a software product in order to be able to see if it's actually good enough for you and if it does what its vendor promises. The difference with Bandwidth Splitter is the fact that if you have only a few clients (up to 10) you can use it for free. See Figure1.
Figure1: Bandwidth Splitter License
Bandwidth Splitter impresses from the start because it's nicely integrated with ISA and with ISA's management console. See Figure2.
Figure2: Bandwidth Splitter Integrated with ISA's Management Console
Also, for remote administration, you can install only the administrative component of Bandwidth Splitter on remote computers that have the ISA Server management console installed.
An amazing fact about Bandwidth Splitter is how easy it is to use. I was able to start managing the bandwidth in a second.
With Bandwidth Splitter you can manage the traffic of HTTP, HTTPS and FTP connections (for web proxy clients) and TCP/UDP connections (for SecureNAT clients, Firewall Clients and DMZ servers). Also you can manage the traffic of published servers.
With Bandwidth Splitter you create shaping and quota rules.
Shaping rules can be described as speed limitation rules. You can restrict the maximum speed for connections for individual users, user groups or IP addresses (per Networks, Subnets, individual computers, Computer Sets, URL Sets or Domain Name Sets).
Quota rules restrict the amount of traffic that a specific user, a group of users, a host or a group of hosts may transfer within a period of time. Note that the quota rules will apply only when the source IP address is not in External Network and the destination IP address belongs to the External Network. If you have a server on an ISA DMZ and you are connecting say from the Internal network you cannot have a quota rule for these connections.
If you have an ISA DMZ, the routing relationship between this DMZ and the External network is set to "route", and you are using access rules for example, you can apply shaping and quota rules to machines from this DMZ (controlling connections coming from the External Network) by checking "Treat connections from External network as accepted/inbound". This option is a little confusing until you start making some quick tests. See Figure3.
Figure3: "Treat connections from External network as accepted/inbound"
Bandwidth Splitter uses entities of ISA Server for both shaping and quota rules. This is quite handy because it eliminates the administrative overhead of creating separate entities within Bandwidth Splitter's administration interface.
For shaping rules you can use ISA entities within the following fields:
- the "Destinations" field can contain: Networks, Subnets, Address Ranges, individual computers, Computer Sets, URL Sets or Domain Name Sets, see Figure4.
Figure4: Bandwidth Splitter Shaping Rule "Destinations" Field
- the "Applies to IP addresses" field can contain: Networks, Subnets, Address Ranges, individual computers or Computer Sets, see Figure5.
Figure5: Bandwidth Splitter Shaping Rule "Applies to IP addresses" Field
- the "Applies to User Sets" field can contain the User Sets defined on ISA, see Figure6. The option to control the speed limit per User Sets provides more power and more flexibility. It represents a big plus for Bandwidth Splitter.
Figure6: Bandwidth Splitter Shaping Rule "Applies to User Sets" Field
- the "Schedule" field can contain the Schedules defined on ISA, see Figure7. However, ISA Schedules are not very flexible: you cannot define a schedule from, say, 14:30-14:45, only from 14:00-15:00.
Figure7: Bandwidth Splitter Shaping Rule "Schedule" Field
For quota rules you can use ISA entities within the following fields:
- the "Applies to IP addresses" field can contain: Networks, Subnets, Address Ranges, individual computers, Computer Sets, URL Sets or Domain Name Sets, with the observation that the quota rules will apply only when the source IP address is not in the External Network and the destination IP address belongs to the External Network. See Figure8.
Figure8: Bandwidth Splitter Quota Rule "Applies to IP addresses" Field
- the "Applies to User Sets" field can contain the User Sets defined on ISA. See Figure9. The ability to assign a traffic quota per User Sets provides more power and more flexibility. It represents another big plus for Bandwidth Splitter.
Figure9: Bandwidth Splitter Quota Rule "Applies to User Sets" Field
Bandwidth Splitter comes with a real-time monitoring feature. You can view the activity of all clients accessing the Internet through ISA Server (the IP address of each client, the user name, the number of connections and so on). See Figure10.
Figure10: Bandwidth Splitter Live Monitoring
If you are using quota rules you can visualize the traffic counter and the amount of remaining traffic. See Figure11.
Figure11: Bandwidth Splitter Quota Counters
However, you can only look; you do not have an option to disconnect a user.
Another minus for Bandwidth Splitter is the fact you cannot apply shaping rules based on protocols. By default all TCP and UDP protocols are shaped.
An interesting and very useful feature of Bandwidth Splitter is the fact that you can specify what happens when a connection does not match any shaping and/or quota rule. By default, "Do not filter connections" is selected, thus these connections are excluded from processing. As said before, exclusion occurs only when neither type of rule is found. If you select "Deny connections" instead of "Do not filter connections" then such connections will be denied. Therefore you have to carefully define your shaping and quota rules if you want to use this setting. See Figure12 (the Advanced tab of the general options of Bandwidth Splitter).
Figure12: Action to Take When No Rules Found
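To make the matching logic described above concrete, here is an added example (my own model, not Bandwidth Splitter's code) of how a connection is evaluated against shaping and quota rules built from ISA-style entities (User Sets, Computer Sets, Domain Name Sets, whole-hour schedules, the "External Network" destination) and how the "Do not filter connections" / "Deny connections" setting applies only when neither kind of rule matches. The Internal network range, the rule names, user names, IP addresses and host names are all constructed, and first-match ordering within each rule kind is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed topology: ISA's Internal network is 10.0.0.0/8; anything else counts as External.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


@dataclass
class Connection:
    user: Optional[str]       # None when the client did not authenticate (e.g. a SecureNAT client)
    src_ip: str
    dst_ip: str
    dst_host: Optional[str]   # host name for web proxy requests, None for plain TCP/UDP
    when: datetime


def host_in_domain_set(host: Optional[str], domain_set: List[str]) -> bool:
    """ISA-style Domain Name Set: 'example.com' matches exactly, '*.example.com' covers sub-domains."""
    if host is None:
        return False
    host = host.lower()
    for entry in domain_set:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


@dataclass
class Rule:
    name: str
    quota: bool = False                               # False = shaping rule, True = quota rule
    user_set: set = field(default_factory=set)        # empty = applies to every user
    dest_nets: list = field(default_factory=list)     # Computer Sets / Subnets as ip_network objects
    dest_domains: list = field(default_factory=list)  # Domain Name Set entries
    dest_external: bool = False                       # destination is "External Network"
    hours: tuple = (0, 24)                            # whole-hour schedule, like ISA's
    exempt_from_quota: bool = False                   # "Don't count traffic on account of traffic quota"

    def matches(self, c: Connection) -> bool:
        if self.user_set and c.user not in self.user_set:
            return False
        if not self.hours[0] <= c.when.hour < self.hours[1]:
            return False
        if self.quota and (is_external(c.src_ip) or not is_external(c.dst_ip)):
            return False  # quota rules only apply to Internal -> External connections
        if self.dest_external and is_external(c.dst_ip):
            return True
        addr = ipaddress.ip_address(c.dst_ip)
        return any(addr in net for net in self.dest_nets) or host_in_domain_set(c.dst_host, self.dest_domains)


def decide(c: Connection, rules: List[Rule], deny_unmatched: bool = False) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (action, matched shaping rule, matched quota rule); first match of each kind wins (assumed)."""
    shaping = next((r for r in rules if not r.quota and r.matches(c)), None)
    quota = next((r for r in rules if r.quota and r.matches(c)), None)
    if shaping is None and quota is None:
        # Neither kind of rule matched: "Do not filter connections" passes it through, "Deny connections" blocks it.
        return ("deny" if deny_unmatched else "not filtered", None, None)
    if shaping is not None and shaping.exempt_from_quota:
        quota = None  # work traffic shaped by an exempt rule is not charged to the quota counter
    return ("filtered", shaping.name if shaping else None, quota.name if quota else None)


# Constructed rule set mirroring the article: a work rule exempt from quota, a catch-all
# non-work rule to the External Network, and a quota rule for the same User Set.
REGULAR_USERS = {"alice", "bob"}
RULES = [
    Rule("Work", user_set=REGULAR_USERS, dest_nets=[ipaddress.ip_network("192.0.2.0/24")],
         dest_domains=["*.docs.example.com"], exempt_from_quota=True),
    Rule("Non-work", user_set=REGULAR_USERS, dest_external=True),
    Rule("Daily quota", quota=True, user_set=REGULAR_USERS, dest_external=True),
]
NOW = datetime(2024, 3, 1, 10, 30)


def sample_decisions(deny_unmatched: bool = False):
    conns = [
        Connection("alice", "10.0.0.5", "192.0.2.10", None, NOW),                 # remote work server
        Connection("alice", "10.0.0.5", "198.51.100.7", "www.example.org", NOW),  # casual browsing
        Connection(None, "10.0.0.9", "198.51.100.7", "www.example.org", NOW),     # unauthenticated client
    ]
    return [decide(c, RULES, deny_unmatched) for c in conns]


if __name__ == "__main__":
    for d in sample_decisions(deny_unmatched=True):
        print(d)
```

The third connection shows why the "Deny connections" setting needs care: an unauthenticated client matches no User Set based rule at all, so with that setting it is blocked rather than passed through unshaped.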
2. Let's create a shaping rule
Let's create a shaping rule. I have created a test access rule on ISA allowing FTP, HTTP and HTTPS from Internal to External for All Authenticated Users. Thus this rule requires authentication. See Figure13.
Figure13: ISA Internet Access Rule
Actually, to apply a Bandwidth Splitter rule to users or user groups you need authentication on ISA's rule (only Web Proxy Clients and/or Firewall Clients can authenticate).
What I want to accomplish: to allocate a constant bandwidth to a group of users for their work duties, with each individual user belonging to this group having a fixed and constant bandwidth allocated. The group of users is called "RegularUsers".
To accomplish all these I will create a shaping rule for work required destinations. Work required destinations include Computer Sets, URL Sets and Domain Name sets. They have been already created because you cannot create new destinations(ISA's entities) on the fly from Bandwidth Splitter's wizard.
Start the wizard for creating a new shaping rule. See Figure14.
Figure14: New Bandwidth Splitter Shaping Rule
Enter a name for this rule. See Figure15.
Figure15: Bandwidth Splitter Shaping Rule Name
Click Next.
Apply this rule to the "RegularUsers" User Set. See Figure16.
Figure16: Bandwidth Splitter Shaping Rule "Applies to Regular Users" Users Set
Click Next.
As said before, the "Destinations" field will contain a Computer Set (populated with remote servers' IP addresses), a URL Set and a Domain Name Set. The last two include, for example, links to various online documentation and support sites. See Figure17.
Figure17: Bandwidth Splitter Shaping Rule "Work-Related Destinations"
Click Next.
The Schedule for this shaping rule is set to Always. I want the working users to benefit from this bandwidth all the time (working hours, extra hours...). See Figure18.
Figure18: Bandwidth Splitter Shaping Rule "Schedule"
You can create an ISA schedule for your company's work hours, for example, if you want to. See Figure19.
Figure19: ISA New Work Schedule
Click Next.
Now you need to specify bandwidth limits for this shaping rule. I have chosen as the shaping mode the sum of incoming and outgoing traffic and set a limit of 160 kbps. You can also shape incoming and outgoing traffic separately, shape incoming traffic only or shape outgoing traffic only. See Figure20.
Figure20: Bandwidth Splitter Shaping Rule Specify the Bandwidth Limits
Here you can also decide whether to shape cached web content and whether to enable HTTP Boost.
So what does HTTP Boost do?
According to the manual, HTTP Boost mode lets you accelerate web surfing. It will make surfing much more comfortable due to these accelerations. You can select a content type set for which the HTTP Boost mode will be used on the Advanced tab of the general options of Bandwidth Splitter, in the HTTP Boost content type set list. See Figure21.
Figure21: Bandwidth Splitter "HTTP Boost"
When enabling HTTP Boost, you are allowing a new speed limit for a certain amount of time for a certain content type. So, temporarily, a user who has been inactive for a certain minimum period of time will be able to access the specified content type at a speed higher than the main speed limit value. By default, the content types for which HTTP Boost applies (only if you check the "Enable HTTP Boost" checkbox on your shaping rule) are text and HTML content, images, JavaScript and Flash animation. As can be seen from Figure21, you can specify other content types if you want. If you do not check the "Enable HTTP Boost" checkbox on your shaping rule, HTTP Boost is disabled. Enabling HTTP Boost for work-related destinations can be very useful.
Next you have the chance to limit the number of concurrent connections. See Figure22.
Figure22: Bandwidth Splitter Shaping Rule Limit No. of Concurrent Connections
This setting is kinda confusing. What type of concurrent connections?
Some quick tests show that this limit applies to both TCP and UDP connections sent to all destinations. It's not a limit that applies to connections made per destination; it applies globally. When a user is browsing and he/she exceeds the number of concurrent connections allowed, an error page will appear. See Figure23.
Figure23: Bandwidth Splitter Default "Too many connections" Error Page
This error page(along with other error pages like "Access not allowed" or "Traffic quota limit reached") can be customised.
Click Next.
A very important and useful setting appears. You can assign the specified 160 kbps bandwidth individually to each user or distribute this bandwidth between users. See Figure24.
Figure24: Bandwidth Splitter Shaping Rule "Shaping Type"
As intended, I assigned the specified 160 kbps bandwidth individually to each user.
The other option to distribute the bandwidth between users lets you do this distribution statically or dynamically.
For example, if the RegularUsers group contains 4 active users and Static bandwidth distribution is checked, then their individual speed limit will be 160 / 4 = 40 kbits/s. This can lead to wasted bandwidth, because at a given moment two of the users may need only 20 kbits/s and 30 kbits/s respectively. However, Static bandwidth distribution may guarantee, when there is no free/unused bandwidth available, an equal distribution (40 kbits/s per user) of the total allocated bandwidth (160 kbits/s per group) among the active users.
If Static bandwidth distribution is unchecked, then this unused bandwidth can be distributed between the other two users, which at that moment may need more bandwidth. The downside of this, according to the manual, is that when there is no free/unused bandwidth, the users who have more connections or better links to the servers could have precedence over the remaining users.
Click Next.
We can configure Extra Parameters for our work shaping rule. See Figure25.
Figure25: Bandwidth Splitter Shaping Rule "Extra Parameters"
I will check the "Don't count traffic on account of traffic quota" checkbox because I will also define a quota rule for these users later and I do not want to impose a limit on allowed work related traffic. I only want to impose a limit on non-work related traffic. If users exceed this limit, they can continue their work, only non-work related traffic being blocked.
Click Next.
Review your shaping rule settings and click Finish. See Figure26.
Figure26: Bandwidth Splitter Shaping Rule Click Finish
Apply the changes.
3. Another shaping rule
Next I will create another shaping rule for this group of users. This rule is intended to limit the speed to non-work related destinations. Users are allowed to browse certain web sites. To keep it simple, for this test the "Destinations" field will contain the "External Network". See Figure27.
Figure27: Bandwidth Splitter Shaping Rule "External Destinations"
I have chosen as the shaping mode the sum of incoming and outgoing traffic and set a limit of 400 kbps. It's a higher speed limit because I want to dynamically distribute this bandwidth between active users. See Figure28 and Figure29.
Figure28: Bandwidth Splitter Shape Total Traffic
Figure29: Bandwidth Splitter Dynamically Distribute Bandwidth Between Active Users
This time the "Don't count traffic on account of traffic quota" checkbox will be unchecked because there will be a quota rule for this kind of traffic for these users. See Figure30.
Figure30: Bandwidth Splitter Shaping Rule "Extra Parameters"
Review your settings and click Finish. See Figure31.
Figure31: Bandwidth Splitter Shaping Rule Click Finish
Apply the changes.
And by now we have two shaping rules. See Figure32.
Figure32: Bandwidth Splitter Two Shaping Rules
4. Let's create a quota rule
As I mentioned before, I want to create a quota rule to limit per day the amount of non-work related traffic. Please remember that I have checked "Don't count traffic on account of traffic quota" on the work-related shaping rule, thus work traffic will be unaffected by this quota rule. You may also create a shaping rule for destinations needed for various updates, a rule to which the traffic counter will not apply either. So let's create a quota rule. See Figure33.
Figure33: Bandwidth New Quota Rule
Enter a name for this quota rule. See Figure34.
Figure34: Bandwidth New Quota Rule Name
Click Next.
As said before, this quota rule will apply to the "RegularUsers" User Set. See Figure35.
Figure35: Bandwidth New Quota Rule "Applies To"
Click Next.
Now you can specify the traffic quota for this rule.
I have selected to limit the sum of incoming and outgoing traffic. You can also limit separately incoming and outgoing traffic, limit incoming traffic only or limit outgoing traffic only.
The traffic amount allowed by this rule was set to 50 MB.
This quota rule will not apply to cached web content.
I want to start a 50 MB traffic counter for each active user of the "RegularUsers" group. This counter will be reset daily. You can also reset this counter weekly, monthly or never. If the user does not consume the entire amount of traffic allowed, the remainder can be transferred to the next period. See Figure36.
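To show how such a per-user counter behaves across a period boundary, including the carry-over of an unused remainder and the exemption of traffic shaped by a rule with "Don't count traffic on account of traffic quota", here is an added model of a quota rule. It is my own illustration, not Bandwidth Splitter's implementation: the 50 MB limit and daily reset come from the text, while the user names, the transfer log and the assumption that the counter is checked when a transfer starts (so the last counted transfer may overshoot the limit) are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Hashable, List, Tuple

MB = 1024 * 1024


@dataclass
class UserCounter:
    period: Hashable   # key of the current accounting period (a date for a daily reset)
    allowance: int     # bytes allowed this period: the rule's limit plus any carried-over remainder
    used: int = 0


def daily(when: datetime) -> Hashable:
    return when.date()


def weekly(when: datetime) -> Hashable:
    return when.isocalendar()[:2]   # (ISO year, ISO week)


class QuotaRule:
    """Per-user traffic counter with periodic reset and optional carry-over (added model)."""

    def __init__(self, limit_bytes: int,
                 period_of: Callable[[datetime], Hashable] = daily,
                 carry_over: bool = True):
        self.limit = limit_bytes
        self.period_of = period_of
        self.carry_over = carry_over
        self.counters: Dict[str, UserCounter] = {}

    def _counter(self, user: str, when: datetime) -> UserCounter:
        key = self.period_of(when)
        c = self.counters.get(user)
        if c is None:
            c = self.counters[user] = UserCounter(key, self.limit)
        elif c.period != key:
            # New period: reset the counter, carrying the unused remainder forward if configured.
            remainder = max(c.allowance - c.used, 0) if self.carry_over else 0
            c.period, c.allowance, c.used = key, self.limit + remainder, 0
        return c

    def account(self, user: str, when: datetime, nbytes: int, counts_toward_quota: bool = True) -> bool:
        """Decide a transfer and record it; False means the user's counter is already exhausted.

        Traffic matched by a shaping rule that has "Don't count traffic on account of traffic quota"
        (counts_toward_quota=False) is always allowed and never added to the counter.
        """
        c = self._counter(user, when)
        if not counts_toward_quota:
            return True
        if c.used >= c.allowance:
            return False
        c.used += nbytes   # checked at the start of the transfer, so the last one may overshoot
        return True

    def remaining(self, user: str, when: datetime) -> int:
        c = self._counter(user, when)
        return max(c.allowance - c.used, 0)


# Constructed transfer log: (user, time, bytes, counts toward quota?)
SAMPLE_LOG: List[Tuple[str, datetime, int, bool]] = [
    ("alice", datetime(2024, 3, 1, 9, 0), 30 * MB, True),     # casual download
    ("alice", datetime(2024, 3, 1, 10, 0), 100 * MB, False),  # work-related, exempt from the counter
    ("alice", datetime(2024, 3, 1, 11, 0), 25 * MB, True),    # allowed: only 30 MB used when it starts
    ("alice", datetime(2024, 3, 1, 12, 0), 1 * MB, True),     # denied: counter exhausted (55 MB used)
    ("bob", datetime(2024, 3, 1, 9, 30), 20 * MB, True),
    ("alice", datetime(2024, 3, 2, 9, 0), 1 * MB, True),      # new day: fresh 50 MB, nothing to carry
    ("bob", datetime(2024, 3, 2, 9, 0), 1 * MB, True),        # new day: 50 MB plus 30 MB carried over
]


def replay(carry_over: bool = True) -> Tuple[List[bool], Dict[str, int]]:
    """Run the sample log through a 50 MB daily rule; return decisions and remaining MB per user."""
    rule = QuotaRule(50 * MB, daily, carry_over)
    decisions = [rule.account(u, t, n, counted) for u, t, n, counted in SAMPLE_LOG]
    end_of_day_two = datetime(2024, 3, 2, 23, 59)
    return decisions, {u: rule.remaining(u, end_of_day_two) // MB for u in ("alice", "bob")}


if __name__ == "__main__":
    print(replay())
    print(replay(carry_over=False))
```

Replaying the log shows the fourth transfer denied while the 100 MB work transfer never touches the counter, and on the second day bob starts with 80 MB when carry-over is on but only 50 MB when it is off.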