3 ISA Server Quick Performance Tweaks
In today’s infrastructures, every performance gain you can get you should take. In this article we will look at three performance tweaks for ISA Server 2000 so you can make sure your ISA Server is running as optimized as possible. We will look at:
· Client Browsers
· NIC connections
· Enable IP Routing
In this article, I will take a 3-tiered approach at performance tweaking by giving you a client performance fix, a network performance fix and a server performance fix. Hopefully you can use them all.
Client Browsers: Tweak the Client
Our first performance tweak we will look at is configuring your client’s web browsers for optimal performance. Any time you have a component on your network make a decision instead of you telling it what to do, latency is added. In other words, if you let your browser try to find a proxy connection, then it may take longer than if you just tell it where it needs to go.
1. First, open your Internet Explorer Browser and navigate to your Proxy settings
2. When the Browser window is open (IE 5 and above), go to Tools => Internet Options and open the Internet Options for the browser
3. Once opened, click on the connections tab and go to LAN Settings…
4. You will now have your LAN Settings open as seen in Figure 1.
Figure 1: LAN Settings Configuration
5. Once opened, you can see that the Automatic Configuration of your LAN Settings will override your Manual Settings so remove the check in the ‘Automatically detect settings’ check box.
6. Remember, when a client has to look for something on the network, it may be slower than if you tell it exactly where to go and that exactly what we are going to do now.
7. In figure 2, you can see that the browser settings are hard coded into the browser as well as the port settings at 8080.
Figure 2: Hard coding the ISA Server settings into your Browser
8. Make sure you add the IP address, DNS name or port that you have specifically configured for your ISA Server implementation.
9. If you click on the advanced tab you can specify either different addressing and ports (like 1080 for SOCKS), or other settings like your companies Intranet you want to configure for Proxy bypass.
10. Once you close out of the Browser settings, reopen your Internet Browser and test to make sure you entered the correct information.
11. If you are a Netscape Navigator user, you can do the same thing by opening up your Netscape Browser and following these steps
12. Go to Edit => Preferences and the Preferences dialog box will open as seen in figure 3.
Figure 3: Netscape Preferences Configuration
13. Once you open preferences, you can follow the path in figure 3, to get to the proxy settings. Click on the Advanced section and then proxies…
14. Once opened, you can see on the right side of the dialog box a way to hard code the proxy settings on the browser. These are the same settings, as you would have put in the Internet Explorer Browser, it’s just a different browser.
That’s it! You have just optimized your client connections for the desktop to access and use ISA Server 2000 faster. You can also find more information about auto configuration problems on TechNet:
Q315810 Browser Slow to Respond When Using Automatic Configuration Script
Q209266 Auto-Proxy Functions Supported by Internet Explorer
Lets move to the next quick and easy tweak to make sure your ISA Server is running optimized.
NIC connections: Tweak the Network Connection
On your ISA Server 2000, you have 2 or more NICs installed. This is the network interface connection for your internal network, external network and perhaps a DMZ. If this is the case (and really no matter how you have the ISA Server configured), you need to make sure you are running at optimal speed and bandwidth. Lets take a look at how to check what we have and optimize it if possible.
On any device, you have to have an interface to the network and its rated by some sort of speed. Most likely you are running at 10/100 Mbps speed and perhaps half or full duplex. How do you know? Lets take a look:
1. First, there are many ways to check the speeds of your interface connections. We will look at one way although there are multiple. Go to the Network and Dialup Connections applet within the Control Panel.
2. Go to your interface connection (probably called Local Area Connection) and right click it.
3. Select ‘Status’ form the menu and you will see figure 4
Figure 4: Local Area Connection Status
4. In figure 4, we see that your speed is running at 100 Mbps. That is good (unless you want it to be faster at Gigabit speed), but if you see the wrong thing, like 10 Mbps, then you may have a Network settings misconfiguration.
5. You can also note that you are probably not sure if you are running at Full Duplex or not. Full-duplex transmission is the 2-way communication that takes place in both directions simultaneously. This doubles the speed and eliminates the need for CSMA/CD
6. To configure full duplex transmission on your ISA Server interfaces, go to the network properties again in the control panel but this time when you right click on the interface, do not pick status, select properties instead.
7. Once you select properties, click on the ‘configure’ button up on the top of the network properties dialog box.
Figure 5: NIC properties
8. You will open a new dialog box as seen in figure 5. In the NIC properties, select the advanced tab as seen in the figure.
9. Select Media type and in the value field on the right, select the appropriate speed for your connection. I selected 100 Mbps at Full Duplex.
10. Click OK and you are finished. Do the same for all connections on your server
I would like to mention here that you need to plan out this change over of speeds with whoever does the infrastructure on your network (if it is not you) because you may have to also configure settings on the Switch you are plugged into. For instance, if you are running on a 10 Mbps hub, then you will loose communications if you do this change on your server so make sure you look at the following:
· What is the device you are connecting to and what is it configured at?
· What are the limitations on your own NIC?
Sometimes, you can purchase a NIC that will not support these settings; or you may purchase a network device like a hub or switch that will not support full duplex networking. Make sure you plan this out before making the cutover, but when you do, you will find yourself operating at speeds of over 100 times faster depending on what you choose to go with: 100 Mbps, 1000 Mbps, half or full duplex. Also, make sure you monitor your WAN connection after you make the change for bottlenecking because if you make the server too fast, it will all rush to the server only to be held up at the WAN.
Lets look at the difference from what I had the server running at (10 Mbps Half duplex), to a newer 100 Mbps Full Duplex.
Testing your new settings:
In this test, I did a Netstat command with the Switch ‘e’ and an interval setting of about 10 seconds. This way I could see the change as network activity went on.
First Setting at 10/half
D:\>netstat –e 10
Bytes 40771141 8488192
Unicast packets 73784 67213
Non-unicast packets 3754 3754
Discards 0 0
Errors 0 0
Unknown protocols 0
Second Setting at 100/full
D:\>netstat –e 10
Bytes 722343 711573
Unicast packets 24377 24375
Non-unicast packets 0 0
Discards 0 0
Errors 0 0
Unknown protocols 0
You can see the differences in the traffic from the netstat command from before the settings change to after.
Another quick setting you can check within the network properties is to go to the advanced setting menu option within the advanced menu… when you open advanced settings you can change the binding order for the NICs. Make sure ONLY TCP/IP is configured, but if you have something else in there by accident, either remove it or set the binding order for TCP/IP first and make sure its on top. This will slow down a server considerably depending on how you have it configured.
Please note: You may need to check the settings on the switch to hard code the port to 100 and full. This TechNet article will give you an idea if you have not done this before:
Q247609 Poor Performance with Catalyst 2948G LAN Switch
Enable IP Routing: Tweak the Server Software
In our last ISA Server 2000 performance tweak, we will look at enabling IP Routing on the server to increase speed performance. There is a Knowledge base article that describes the exact procedure step by step, so I will explain what it means and then you can download the Q article to follow. In this section of this article we will deploy another performance tweak for ISA Server 2000.
ISA Server 2000 while in Kernel mode will maintain secondary connections for secure network address translation (NAT) clients which is said to help improve throughput on the secondary connections. These Secondary connections will only be supported if ISA Server has an installed application filter that can process the protocol. The example used in the Q article is based on FTP. What the Q article is trying to explain is that if you use an FTP connection, you will need to use port 20, but as secondary connections are needed (as with using FTP), then you will begin making connection with ports over 1024. The article discusses that because the primary connection is enabled only if the requirements for all applicable rules are met, and the secondary connection is established only after the primary connection is established, there is no need to inspect the traffic for this connection. If you need to use this feature, then you can enable Internet Protocol routing on your ISA Server. The use of IP Routing will allow the ISA Server to send data for those secondary connections, which saves you CPU cycles and increases performance. Make sure you enable IP packet filters before you can enable IP routing so security is maintained on the ISA Server.
To enable IP forwarding:
1. Start the ISA MMC
2. Open Access Policy
3. Right click the IP Packet Filters folder => click Properties
4. On the General tab => click to select the Enable Packet filtering => select Enable IP routing check box
Q279347 Enable IP Routing on ISA Server to Increase Performance
In this article, we looked at simple to do, high speed fixes you can implement on your ISA Server 2000 to ensure optimal performance. We looked at three simple tweaks that can really make a difference on your network for performance. I tried to take a 3-tiered approach at this by giving you a client performance fix, a network performance fix and a server performance fix. Hopefully you can use them all.