I hear a lot of complaints about ISA firewall performance on the ISAserver.org Web boards and mailing lists. It's not that performance is a big issue with the ISA firewall, but since our charter is to solve ISA firewall problems, people are going to bring up things that are wrong with the firewall, rather than spending a lot of time on how everything is working without any issues.
The common complaint is that "Web pages are slow to open". Slow is a relative term. For example, I have a 20Mbps FiOS Internet connection and two users in my office, so my perception of slow is going to be different from an office that has 50 users sharing a 1.54Mbps T1 line.
Most of the time the complainant characterizes slow as a relative measurement of subjective performance, comparing the subjective end-user experience when the client is behind the ISA firewall, and when the client is not behind the ISA firewall. Of course, many times the network infrastructure is so horked that you can't be sure that the clients are behind, in parallel or in front of the ISA firewall. For this reason it's always a good idea to get a network diagram to confirm request/response paths.
By the time I work out the kinks in the network infrastructure and ISA firewall client types, the two most common issues regarding ISA firewall performance are related to DNS and authentication. I've found that DNS issues are by far the most common reasons for performance complaints and the ISA firewall. By troubleshooting your DNS infrastructure and tying that information to your ISA firewall client types, you'll be able to reliably solve these DNS related problems.
The other common category of ISA firewall performance problem has to do with authentication. A properly deployed ISA firewall will force authentication for almost all connections made through the firewall (there will always be some types of connections that aren't/can't be authenticated, such as server requests from machines that do not have logged on users). If you have a large number of authentication requests, this can bog down the ISA firewall and the authentication mechanisms used to authenticate and authorize your clients.
To this end, I'd like to recommend a great article that describes the firewall's Web proxy authentication process and methods you can use to improve Web proxy client authentication performance. The article is Improving Web Proxy Client Authentication Performance on ISA Server 2006 and you can find it at http://technet.microsoft.com/en-us/library/bb984870.aspx
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)