
[Repost] Optimizing ISA performance (Part One) Nine Basic Steps


Original link: http://www.isaserver.org/tutoria ... formance-Part1.html

If you would like to be notified of when Ricky Magalhaes releases Optimizing ISA performance (Part Two) please sign up to our ISAserver.org Real-Time Article Update newsletter.

The meaning of performance

System performance is usually measured by the time a system takes to respond to specific user requests or to accomplish a specific task. Two main ideas should be considered when trying to understand performance: first, the design of high-performance applications, and second, the testing of the performance of existing systems and code. This applies to the applications developed for ISA Server 2004 as well as to the ISA 2004 code itself.

Independent of the type of system, there are general guidelines that help you attain high performance. Many of these guidelines may appear targeted at a specific language, product version, or even type of application, but all of them contain information that helps increase your awareness of key performance issues and possible solutions (this applies to all ISA versions).

ISA Server capacity depends on CPU, memory, network, and disk hardware resources and throughout the article series you will be reminded of this where appropriate.

9 basic steps to improve ISA performance

1. Use the Microsoft Firewall Client program instead of Secure Network Address Translation

The Microsoft Firewall client performs better than Secure Network Address Translation (NAT) when ISA is required to support secondary connections. The Secure NAT client is typically used for non-Microsoft installations or for legacy environments, as well as some server installations. The Microsoft Firewall client has many benefits over the typical Web and Secure NAT clients. Because this agent was designed to speak directly to ISA, it leverages some key performance enhancers.

2. (For multi processing Server computers) Set the processor affinity for each network adapter to a single CPU and ensure a CPU-maximized system with adequate capacity

The processor affinity for each network adapter can be set to a single CPU on a multiprocessor computer. Doing this can improve processor efficiency and enhance the throughput of ISA Server.

It is most cost effective to have a system bound to a set CPU resource, making sure that this capacity utilization is never exceeded due to the expense incurred to upgrade or increase the capacity of the CPU. It is much easier to keep the CPU capacity usage constant and adapt other resources such as the memory, network and disk hardware as required. This tactic is often overlooked and can result in excessive spending on CPUs, as the CPU is typically the more expensive option in the hardware stack right now.

3. Adjust the parameters of specific network adapters and continuously monitor network capacity

The parameters of specific network adapters can be adjusted to improve their performance.

As with CPU capacity, it must be ensured that the network capacity is not exceeded in order to obtain the best performance. Every network device (network adapters, routers, hubs, switches) has a capacity limit; the usage should remain below this limit to maintain acceptable performance levels. This is done through continuous monitoring of the network activity. For this reason the network performance on the infrastructure fabric should be isolated for critical servers like ISA Server.

ISA is heavily reliant on networking components, and this is a critical part of building a high-performance ISA Server computer. As bandwidth becomes more readily available throughout the world, usage and capacity increase. This is attributed to new usage patterns such as VoIP and other bandwidth-hungry protocols. These protocols will start to consume more of the capacity and also push the limits of the bandwidth.

Very soon the STD internet bandwidth convergence trend will become 100 Mbps internet links that facilitate such services, and therefore planning needs to be performed now to ensure that, in the future, bandwidth will not contend with other hungry protocols that facilitate logging, remote management, etc.

It is recommended that an extra network card/s be used for logging to remote SQL servers and for remote management of the ISA server so that the traffic is not under contention with other critical protocols like the ones used for communication.


Diagram 1.1: The above diagram depicts the design that will improve the ISA performance by removing the impedance that remote logging and remote management may introduce to the main network service link
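An added example (not from the original article) for the continuous monitoring that step 3 calls for: it reads performance-counter samples in the CSV layout written by Windows `typeperf -f CSV` and reports each adapter's utilisation against its link speed. The host and adapter names, the sample values, and the 70% / two-sample alert threshold are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample in the typeperf CSV layout (host/adapter names are made up).
SAMPLE_CSV = r'''"(PDH-CSV 4.0)","\\ISA01\Network Interface(External)\Bytes Total/sec","\\ISA01\Network Interface(External)\Current Bandwidth","\\ISA01\Network Interface(Logging)\Bytes Total/sec","\\ISA01\Network Interface(Logging)\Current Bandwidth"
"03/01/2006 10:00:00.000","9500000","100000000","1200000","100000000"
"03/01/2006 10:00:15.000","10200000","100000000"," ","100000000"
"03/01/2006 10:00:30.000","9900000","100000000","1500000","100000000"
'''

COUNTER_RE = re.compile(r"\\Network Interface\((?P<nic>.+)\)\\(?P<name>[^\\]+)$")

def adapter_utilisation(csv_text):
    """Return {adapter: [percent utilisation per sample]}."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header, samples = rows[0], rows[1:]
    cols = {}                         # adapter -> {counter name: column index}
    for idx, path in enumerate(header[1:], start=1):
        m = COUNTER_RE.search(path)
        if m:
            cols.setdefault(m["nic"], {})[m["name"]] = idx
    result = {}
    for nic, c in cols.items():
        if "Bytes Total/sec" not in c or "Current Bandwidth" not in c:
            continue                  # need both counters to compute a ratio
        series = []
        for row in samples:
            try:
                bytes_per_sec = float(row[c["Bytes Total/sec"]])
                link_bps = float(row[c["Current Bandwidth"]])
            except (ValueError, IndexError):
                continue              # typeperf writes a blank for a missed sample
            if link_bps > 0:
                # Current Bandwidth is in bits/sec, Bytes Total/sec in bytes/sec
                series.append(round(bytes_per_sec * 8 / link_bps * 100, 1))
        result[nic] = series
    return result

def saturated(util, limit_pct=70.0, sustained=2):
    """Adapters at or over limit_pct for `sustained` samples in a row (assumed defaults)."""
    flagged = []
    for nic, series in util.items():
        run = 0
        for pct in series:
            run = run + 1 if pct >= limit_pct else 0
            if run >= sustained and nic not in flagged:
                flagged.append(nic)
    return flagged
```

Requiring several consecutive samples over the limit keeps a single burst from raising an alert, and the same report shows whether a dedicated logging/management adapter is actually carrying its share of the traffic.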

4. Determining Memory Capacity

ISA Server memory has various functions; they include storing network sockets for internal data structures and for pending request objects amongst others.

It must be ensured that the memory capacity usage is not exceeded to obtain good ISA performance and functioning, as with the CPU and network capacity components discussed previously. The memory capacity can be easily increased if it is found to be problematic and causing a decrease in performance due to limitations being exceeded. Monitoring is a key factor when dealing with capacity issues such as memory.

5. Use IP routing where possible in ISA Server

Using IP routing in ISA Server increases performance.

6. Logging in ISA Server

ISA encourages three methods of logging: MSDE logging, SQL remote database logging and file logging. With MSDE logging, records are written directly to the MSDE database; with file logging, records are written to a text file. MSDE has more features than file logging but uses more system resources, thus decreasing ISA performance. ISA performance can be enhanced by changing from the default MSDE logging to file logging; however, capacity and scalability are then compromised. For this reason SQL logging is introduced, but it must be noted that this type of remote logging needs to be monitored to ensure that the SQL server is available.

If logging is not required, it can easily be disabled to increase ISA performance. This is especially true for some CARP and high caching environments.

7. Increase the TCP/IP buffer sizes in the registry

You can use Registry Editor to increase the TCP/IP buffer sizes in the registry. This should be undertaken with caution. If this is done incorrectly, problems may occur which will result in the re-installation of the operating system. Before this is attempted, a backup of the registry should be made and the ISA professional should have a clear understanding of the procedure involved in restoring the registry if problems should occur.

8. Enable the FTP Kernel Mode Data Pump

To optimize ISA performance, Registry Editor can be used to enable the FTP kernel mode data pump. Kernel mode does not require the data to be passed through the entire operating system, so less processing is required and performance is enhanced.

Again, it must be noted that care should be taken when utilizing this option to prevent problems from occurring and re-installation of the operating system. Whenever Registry Editor is used, a backup of the registry should be made and the ISA professional should have a clear understanding of the procedure involved in restoring the registry if problems should occur.

9. Application and Web Filters

An Application filter registers to a specific protocol port and packets sent to this port pass through the application filter. The filter determines the packets' destination according to predetermined policy. TCP filtering is used when no application filter is being utilized. TCP filters require only a small amount of the resources that application level filtering requires.

Application filtering requires more processing than TCP filtering for the following reasons:

Application filters consider the data's payload, whereas TCP filtering looks only at the TCP/IP header information, thus enhancing performance.

Application filters work in user mode and TCP filtering works in kernel mode. Kernel mode does not require the data to be passed through the entire system, so less processing is required than when application filters are utilized, thus increasing system performance.

Summary

In part one of this article we covered some of the interesting changes that could be made to ISA and its components when increasing the performance of Microsoft's flagship firewall products. In the second article we take a look at other methods that can be used to further make the ISA experience faster. Look out for part two of this article series.


About Ricky M. Magalhaes

Ricky M. Magalhaes is a security specialist who has worked as a consultant and IT technical specialist for the past 8 years. He has been primarily responsible for implementation and design of security, network architecture, communications, network infrastructure and security R&D for many South African organizations that he works with. He is a Windows 9x product specialist and has been working with the Windows product since version Win 3.11. He has also written articles on security for www.windowsecurity.com; www.ISAserver.org; www.governmentsecurity.com and many other well-known security and technology websites.