Does your ISA firewall seem pokey these days? Maybe you installed ISA 2006 three years ago when you had only 300 users accessing the Internet through the firewall. Now your company has grown and you have over 2000 users connecting to the Internet through your firewall. You figured that the slowdown was related to the bandwidth used, but your Internet pipe isn’t near full utilization and your internal network runs gigabit Ethernet and isn’t anywhere near capacity.
So what might be causing the problem? Maybe it’s authentication. Assuming that you’re using your firewall to authenticate outbound access, the ISA firewall needs to authenticate all users accessing content when going through the firewall. That authentication traffic can pile up, and could possibly lead to what appears to be a poorly performing firewall.
The good news is that you can improve your Web proxy client authentication performance. The guys on the ISA firewall team have put together a great guide on how to improve Web proxy client authentication performance. You can find the article at:
In this article, they go through:
- Evaluating your current authentication scheme
- How NTLM works on Web proxy authentication
- NTLM and heavy load authentication traffic
- Multiple domains and the impact on authentication
- Improving authentication performance with Kerberos
It’s a nicely put together article with plenty of diagrams to help you understand what’s happening on the wire.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer