Why Web Proxy Clients Perform Better than SecureNAT Clients

In forward Web proxy scenarios, Web browsers are configured to use the ISA Firewall as their Web proxy. In Internet Explorer, for example, this is done by setting "Use a proxy server" or "Automatically detect settings" in Internet Options.

When Web clients are configured to use the ISA Firewall as their Web proxy device, they open connections directly to the ISA Firewall’s Web proxy listener and send it their proxy requests for locations on the Internet. (For example, Internet Explorer will open two connections to the Web proxy component when sending HTTP 1.1 requests.) When the ISA Firewall receives a request for a server, it opens a connection to that server and reuses it for requests coming from other clients to the same server. This produces a star connection topology, which lowers resource utilization on the ISA Firewall and improves performance.

The performance advantage of this scenario is that it allows for high reuse of connections, which minimizes the number of open connections as well as the connection rate.

In transparent proxy scenarios, client Web browsers are unaware of the ISA Firewall’s presence and are configured as SecureNAT clients. From their point of view, they are routed directly to servers on the Internet, with no device between the SecureNAT client and the Internet Web server other than routers.

Specifically, SecureNAT clients access Internet servers directly by opening connections with the target Web sites. This leads to a considerable increase in connection rate, because after a user asks for a page on a new server, the Web browser shuts down its connections with the current Web server and opens new connections with the new Web server. This is typical of transparent proxy and has a negative effect on ISA Firewall performance. Typically, the client-side connection rate in transparent proxy is approximately three times higher than in forward proxy, which consumes approximately twice as many processor cycles per request.

Transparent proxy is a popular scenario because it is easy to deploy, especially for Internet service providers (ISPs) that have a heterogeneous client base. Unfortunately, there is a significant performance price to pay for this convenience.

In general, ISA Server requires twice the amount of CPU resources for transparent proxy as compared to forward proxy.
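
The connection behaviour described above can be counted with a small model. This is an added example, not code from the original article or from ISA Server: the browsing paths are constructed, the function names are hypothetical, and the upstream pool is idealized to one never-expiring connection per server. It illustrates the mechanism only and does not reproduce the measured ratios quoted above.

```python
"""Toy model of connection opens seen by the firewall (constructed example)."""

# From the article: Internet Explorer opens two connections for HTTP 1.1.
CONNS_PER_CLIENT = 2

# Constructed sample: one list per client, each entry is the server ID
# that served the next page the user asked for.
SAMPLE_PATHS = [
    [0, 0, 1, 2, 2, 0],
    [3, 3, 3],
    [1, 0, 1, 0],
]


def transparent_client_opens(paths):
    """SecureNAT client: the browser connects to the target site itself, so
    each move to a different server tears down and reopens its connections."""
    opens = 0
    for path in paths:
        current = None
        for server in path:
            if server != current:
                opens += CONNS_PER_CLIENT
                current = server
    return opens


def forward_client_opens(paths):
    """Web proxy client: the browser keeps its connections to the Web proxy
    listener open, whichever server a request is for."""
    return CONNS_PER_CLIENT * sum(1 for path in paths if path)


def forward_upstream_opens(paths):
    """Forward proxy upstream side (idealized assumption): one connection per
    distinct server, shared by all clients. This is the star topology."""
    return len({server for path in paths for server in path})


if __name__ == "__main__":
    print("transparent, client-side opens:", transparent_client_opens(SAMPLE_PATHS))
    print("forward, client-side opens:    ", forward_client_opens(SAMPLE_PATHS))
    print("forward, upstream opens:       ", forward_upstream_opens(SAMPLE_PATHS))
```

In the model, client-side opens in the transparent case grow with every server switch, while in the forward case they depend only on the number of clients.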

Adapted from http://www.microsoft.com/technet/isa/2006/perf_bp.mspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

MVP — Microsoft Firewalls (ISA)
