Thomas Shinder Blog


ISA Firewall Quick Tip : How To Identify a Trial Version of ISA Server 2006

Ever wonder if you’re running a trial or full version of the ISA Firewall? If so, then check out this quick tip from ISA Firewall MVP, Tarek Majdalani at http://elmajdal.net/isaserver/How_To_Identify_a_Tr...6.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

Why Web Proxy Clients Perform Better than SecureNAT Clients

In forward Web proxy scenarios, Web browsers are configured to use the ISA Firewall as their Web proxy. In Internet Explorer, for example, this is done by setting Use a proxy server or Automatically detect settings in Internet Options.

When Web clients are configured to use the ISA Firewall as their Web proxy device, they open connections directly to the ISA Firewall’s Web proxy listener and send it proxy requests for locations on the Internet. (For example, Internet Explorer opens two connections to the Web proxy component when sending HTTP 1.1 requests.) When the ISA Firewall receives a request for a server, it opens a connection to that server and reuses it for subsequent requests from other clients to the same server. The result is a star connection topology (many clients to one proxy, one pooled connection per origin server), which lowers resource utilization on the ISA Firewall and improves performance.

The performance advantage of this scenario is that it allows for high reuse of connections, which minimizes the number of open connections as well as the connection rate.

In transparent proxy scenarios, client Web browsers are unaware of the ISA Firewall’s presence and are configured as SecureNAT clients. As far as the browser is concerned, it is connected directly to servers on the Internet, with nothing between the SecureNAT client and the Internet Web server except routers.

Specifically, SecureNAT clients access Internet servers directly by opening connections to the target Web sites. This leads to a considerable increase in connection rate, because when a user asks for a page on a new server, the Web browser closes its connections to the current Web server and opens new connections to the new one. This is typical of transparent proxy and has a negative effect on ISA Firewall performance. Typically, the client-side connection rate in transparent proxy is approximately three times higher than in forward proxy, and each request consumes approximately twice as many processor cycles.

Transparent proxy is a popular scenario because it is easy to deploy, especially for Internet service providers (ISPs) that have a heterogeneous client base. Unfortunately, there is a significant performance price to pay for this convenience.

In general, ISA Server requires twice the amount of CPU resources for transparent proxy as compared to forward proxy.
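As an added example (not from the original post or the Microsoft document it adapts), the following Python script models the two connection patterns described above on a constructed request sequence: in the SecureNAT model every browser opens fresh connections to each origin it moves to, while in the Web proxy model each browser keeps persistent connections to the listener and the proxy keeps one pooled upstream connection per origin. The per-browser connection counts (two, as the post states for Internet Explorer with HTTP 1.1), the client names and the host names are assumptions. The last function shows how to tell the two client types apart from the HTTP request line in a packet capture.

```python
from collections import defaultdict

# Constructed sample workload: (client, origin host) in the order the requests
# reach the ISA Firewall. Invented for the example, not captured traffic.
SAMPLE_REQUESTS = [
    ("pc1", "www.example.com"), ("pc2", "www.example.com"),
    ("pc1", "www.example.com"), ("pc3", "news.example.net"),
    ("pc1", "news.example.net"), ("pc2", "news.example.net"),
    ("pc3", "www.example.com"), ("pc1", "www.example.com"),
    ("pc2", "cdn.example.org"), ("pc3", "cdn.example.org"),
]


def securenat_sessions(requests, conns_per_host=2):
    """Transparent proxy / SecureNAT model: the browser opens `conns_per_host`
    TCP connections straight to each origin and drops them when it moves to a
    new host. Each one is a fresh firewall session ISA must set up and tear down.
    Returns (sessions_created, origin_connections_by_host)."""
    current = {}                      # client -> host it is currently talking to
    per_host = defaultdict(int)
    created = 0
    for client, host in requests:
        if current.get(client) != host:   # host switch: old conns closed, new ones opened
            current[client] = host
            created += conns_per_host
            per_host[host] += conns_per_host
    return created, dict(per_host)


def webproxy_sessions(requests, conns_per_client=2):
    """Forward (Web proxy client) model: each browser keeps `conns_per_client`
    persistent connections to the proxy listener whatever the destination, and
    the proxy keeps one pooled upstream connection per origin that it reuses for
    every client (star topology). Returns (sessions_created, origin_connections_by_host)."""
    clients, pool = set(), {}
    created = 0
    for client, host in requests:
        if client not in clients:
            clients.add(client)
            created += conns_per_client   # listener-side connections, opened once
        if host not in pool:
            pool[host] = 1                # one upstream connection, then reused
            created += 1
    return created, pool


def classify_request_line(line):
    """Tell the two client types apart from the HTTP request line alone.
    A Web proxy client sends the absolute URI ("GET http://host/path HTTP/1.1")
    or a CONNECT tunnel request; a SecureNAT client sends only the path
    ("GET /path HTTP/1.1") because it believes it is talking to the origin."""
    method, target, _version = line.split(" ", 2)
    if method == "CONNECT" or target.startswith(("http://", "https://")):
        return "webproxy"
    if target.startswith("/"):
        return "securenat"
    raise ValueError("unrecognised request target: %r" % target)


if __name__ == "__main__":
    nat_total, nat_by_host = securenat_sessions(SAMPLE_REQUESTS)
    proxy_total, proxy_by_host = webproxy_sessions(SAMPLE_REQUESTS)
    print("SecureNAT : %d sessions created, upstream %s" % (nat_total, nat_by_host))
    print("Web proxy : %d sessions created, upstream %s" % (proxy_total, proxy_by_host))
    for req in ("GET http://www.example.com/ HTTP/1.1",
                "CONNECT www.example.com:443 HTTP/1.1",
                "GET / HTTP/1.1"):
        print("%-40s -> %s" % (req, classify_request_line(req)))
```

On the sample the SecureNAT model creates 18 sessions for 10 requests and opens up to eight connections to the busiest origin, while the Web proxy model creates 9 sessions in total and holds exactly one upstream connection per origin; as the workload grows, the SecureNAT count keeps rising with every host switch and the proxy count stays flat, which is the connection-rate difference the post describes.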

Adapted from http://www.microsoft.com/technet/isa/2006/perf_bp.mspx

HTH,

Tom


ISA 2006 Firewalls Supported on Virtual Server R2

Installing ISA 2006 on Microsoft Virtual Server 2005 R2 is supported.

Because the Windows operating system that hosts Virtual Server cannot be protected by an ISA Firewall running inside one of its own guests, the ISA Firewall in a Virtual Server environment should not be used in an edge firewall scenario, and that configuration is not supported. You can use this configuration securely in other scenarios, such as:

  • A production deployment in which the ISA Firewall on Virtual Server provides Web proxy services such as forward proxy, publishing, and caching, and is protected by an edge firewall, such as an additional ISA Firewall or array of ISA Firewalls
  • A laboratory deployment

If you see high values for the \Process(wspsrv)\Virtual Bytes performance counter (values around 1,800,000,000, or 1.8 GB, indicate a problem is approaching: the Firewall service, wspsrv.exe, is a 32-bit process and is nearing its 2 GB user-mode address space), you can consider running the ISA Firewall on Virtual Server 2005 R2 as an alternative to buying another ISA Server computer. Consider the following:

  • Decide how many guest operating systems the host will run. Each time Virtual Bytes on an existing ISA Firewall exceeds 1.8 GB, plan to add another guest, and add 2 GB of RAM to the host for it.
  • Add RAM to the host computer (2 GB for each guest operating system).
  • Install Microsoft Virtual Server 2005 R2 on your server
  • Install guest operating systems.
  • Install and configure the ISA Firewall on each guest operating system.
  • Use an external load-balancing mechanism, for example DNS round robin, a hardware load balancer, or Windows Network Load Balancing (NLB), to spread traffic among the ISA Firewalls.
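As an added example (not part of the original post), this Python script turns the counter check and the sizing rule above into something you can run against exported data: it parses the wspsrv Virtual Bytes counter as typeperf writes it, flags samples over the 1.8 GB threshold, reports the headroom against the 2 GB user-mode limit of the 32-bit Firewall service process, and applies the 2 GB-per-guest rule to size the host. The CSV sample is constructed in typeperf's PDH-CSV layout, and the host name ISA1 and the 2 GB reserved for the host operating system are assumptions.

```python
import csv
import io

VIRTUAL_BYTES_WARN = 1_800_000_000       # 1.8 GB threshold quoted in the post
USER_ADDRESS_SPACE = 2 * 1024 ** 3       # 2 GB user-mode limit of a 32-bit process
RAM_PER_GUEST_GB = 2                     # the post's rule of thumb per ISA guest

# Constructed sample in the PDH-CSV layout typeperf produces, as you would get from
#   typeperf "\Process(wspsrv)\Virtual Bytes" -si 60 -sc 4 -o wspsrv.csv
# Host name and values are invented for the example.
SAMPLE_CSV = '''"(PDH-CSV 4.0)","\\\\ISA1\\Process(wspsrv)\\Virtual Bytes"
"12/05/2007 09:00:00.000","1650000000.000000"
"12/05/2007 09:01:00.000","1790000000.000000"
"12/05/2007 09:02:00.000","1850000000.000000"
"12/05/2007 09:03:00.000","1910000000.000000"
'''


def parse_typeperf(text):
    """Return [(timestamp, value)] from typeperf CSV output, skipping the header row."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or not rows[0][0].startswith("(PDH-CSV"):
        raise ValueError("not typeperf PDH-CSV output")
    return [(row[0], float(row[1])) for row in rows[1:] if len(row) >= 2 and row[1]]


def over_threshold(samples, threshold=VIRTUAL_BYTES_WARN):
    """Timestamps at which wspsrv Virtual Bytes exceeded the warning threshold."""
    return [ts for ts, val in samples if val > threshold]


def headroom_bytes(samples):
    """Distance between the worst sample and the 2 GB address-space ceiling."""
    return int(USER_ADDRESS_SPACE - max(val for _, val in samples))


def guests_supported(host_ram_gb, host_reserve_gb=2):
    """Number of ISA guests the host can carry at RAM_PER_GUEST_GB each after
    reserving host_reserve_gb for the host OS (the reserve is an assumption;
    the post only gives the per-guest figure)."""
    return max(0, (host_ram_gb - host_reserve_gb) // RAM_PER_GUEST_GB)


if __name__ == "__main__":
    samples = parse_typeperf(SAMPLE_CSV)
    hits = over_threshold(samples)
    print("samples over 1.8 GB:", hits)
    print("headroom to 2 GB ceiling: %d MB" % (headroom_bytes(samples) // 1024 ** 2))
    if hits:
        print("consider scaling out; an 8 GB host carries %d guests"
              % guests_supported(8))
```

On the constructed data the last two samples cross the threshold and the process is within about 226 MB of its address-space ceiling, so the script recommends scaling out; with 8 GB of host RAM and 2 GB reserved for the host, it sizes three guests, which matches the three-guest test configuration quoted below.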

Measurements of a remote procedure call (RPC) over Secure HTTP (HTTPS) publishing scenario on a dual-core, dual-processor 2.2 GHz server with 8 GB of RAM showed the following:

  • A single installation of the ISA Firewall on a host computer handled 40,000 concurrent connections with approximately 2 GB of virtual memory.
  • Three ISA Firewalls installed on three virtual operating systems handled 60,000 concurrent connections with only 1.3 GB of virtual memory used by each virtual computer. This model could be scaled out to more virtual computers (for example, four or eight) depending on the RAM and processing power of the host. The tests were run with three virtual computers.
  • CPU utilization in both cases was almost the same.

Adapted from: http://www.microsoft.com/technet/isa/2006/perf_bp.mspx

As you can see, MS Virtual Server 2005 R2 lets you scale out your ISA Firewalls significantly, adding support for tens of thousands of additional connections. Keep in mind that an ISA Firewall in a virtual environment cannot protect the host operating system, so you need an ISA Firewall or ISA Firewall array in front of your virtual ISA Firewall environment to protect the host that runs the guest ISA Firewalls.

HTH,

Tom


Scaling Processors and Bandwidth with the 2006 ISA Firewall

In most situations, a single computer has enough processing power to secure traffic going through standard Internet links. According to market research reports on Internet usage, most corporate Internet link bandwidths are between 2 and 20 Mbps. This indicates that an entry-level computer with a single or dual processor will suffice for most ISA Server deployments.

According to outbound firewall test results, ISA Server running on a single Pentium 4 2.4-GHz processor can provide a throughput of approximately 25 Mbps at 75 percent CPU utilization. This means that for each T1 Internet link (1.5 Mbps), the Microsoft Firewall service will utilize only 4.5 percent of the CPU resources. Dual Xeon 2.4-GHz processors can provide a throughput of approximately 45 Mbps (T3) at 75 percent utilization of the CPU, or 2.5 percent utilization of the CPU for every T1.

This is important information for those who are considering using the ISA Firewall as an internal firewall to segregate internal security zones. While 45 Mbps is fine for Internet connectivity, it is a chokepoint for internal networks that run at 100 Mbps and above. If you have higher bandwidth requirements on your internal segments, consider a quad-core processor and test with your own traffic mix before deploying.

From: http://www.microsoft.com/technet/isa/2006/perf_bp.mspx

HTH,

Tom

