DNS Related Performance Problems for the ISA Firewall
One of the more common questions that come up on the www.isaserver.org message boards and mailing list pertains to ISA firewall performance. The common complaint is that the "Internet was fast" before the ISA firewall was installed, and that after the ISA firewall was placed inline the "Internet" became "slow". While "fast" and "slow" are relative terms, the point is that, to the ISA firewall admin, performance appears to have been adversely affected by the addition of the ISA firewall.
Probably the most common reason for poor ISA firewall performance is a DNS related misconfiguration. The best DNS configuration on the ISA firewall is to configure DNS settings on a single interface, and that should be the interface closest to an internal DNS server that can resolve both internal and Internet host names (typically the internal interface, but it doesn't have to be). Then move that interface to the top of the interface list in the Advanced Settings dialog of the Network Connections window, so that the DNS client uses that interface's settings first. Note that this is a simplification, but it will work for 90%+ of ISA firewall admins who have an internal DNS server.
One thing you should never do is include the IP address of an external DNS server in the ISA firewall's DNS settings, on any interface. Because of how the Windows DNS client works, it is possible that the internal DNS server will be dropped from the list of servers the client actually uses, leaving only the external DNS server for name resolution. The ISA firewall will then be unable to resolve internal host names and will lose connectivity to the internal AD domain controllers.
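The configuration described above, as an added example that is not part of the original article: a batch file for the ISA firewall host (Windows Server 2003 era netsh syntax) that puts internal DNS servers on the internal interface only, strips any DNS server from the external interface, and then verifies that the firewall can still find its domain controllers and resolve Internet names. The interface names "Internal" and "External", the DNS server addresses 10.0.0.10 and 10.0.0.11, and the domain example.local are assumptions; replace them with your own values. The interface binding order itself is still changed in the GUI as described above, not by this script.

```batch
@echo off
REM Added example, not from the original article. Assumed interface names
REM "Internal" and "External", assumed internal DNS servers 10.0.0.10 and
REM 10.0.0.11, assumed AD domain example.local. Run from an elevated cmd.exe
REM on the ISA firewall host.

REM 1. Point the DC-facing interface at the internal DNS servers only.
REM    register=primary registers the internal address in the internal zone.
netsh interface ip set dns name="Internal" source=static addr=10.0.0.10 register=primary
netsh interface ip add dns name="Internal" addr=10.0.0.11 index=2

REM 2. The external interface gets NO DNS server at all (addr=none), and
REM    register=none keeps the public address out of the internal DNS zone.
REM    This is the step that removes the external-DNS-server mistake.
netsh interface ip set dns name="External" source=static addr=none register=none

REM 3. Show what the DNS client now sees on each adapter.
ipconfig /all | findstr /C:"Description" /C:"DNS Servers"

REM 4. Prove the internal server still answers for the DCs (SRV record the
REM    firewall uses to locate a domain controller) and for Internet names.
nslookup -type=SRV _ldap._tcp.dc._msdcs.example.local 10.0.0.10
nslookup www.microsoft.com 10.0.0.10
```

If step 4 fails for the SRV record, the internal server cannot find your domain controllers and the ISA firewall will not be able to authenticate domain users; if it fails only for the Internet name, the internal server is missing forwarders or root hints, and the fix belongs on that server, not on the firewall.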
DNS is critical for proper functioning of the ISA firewall. The ISA firewall uses DNS to find the internal domain controllers. It also uses DNS to confirm that an IP address doesn't match a FQDN listed in a URL Set or Domain Name Set that you've used in a Deny rule. In addition, ISA Enterprise Edition needs DNS to resolve its own name, and if the array members can't resolve their own names, errors will occur in the Firewall service.
Poor performance could also be due to a DNS attack, to compromised internal hosts, or to an internal DNS misconfiguration that causes an excessive number of DNS requests to be forwarded through the ISA firewall. The best way to start investigating this problem is with Network Monitor and PerfMon. Here are some things you can check:
- \ISA Server Firewall Packet Engine\Backlogged Packets > 10
- \ISA Server Firewall Service\Worker Threads > 100
- Network captures show gaps of several seconds between DNS queries and their responses.
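The PerfMon checks in the list above, as an added example that is not part of the original article: a batch file that samples the two counters the article names with typeperf (which ships with Windows Server 2003), flags every sample that exceeds the article's thresholds, and then times a lookup against the DNS server the firewall actually uses, which is the cheapest way to see the multi-second gaps the third check describes before opening a Network Monitor capture. The output file name isa_dns_perf.csv, the 5 second interval and 12 sample count, and the DNS server address 10.0.0.10 are assumptions.

```batch
@echo off
setlocal enabledelayedexpansion
REM Added example, not from the original article. Assumed output file,
REM sampling interval/count and DNS server address; change them to suit.
set CSV=isa_dns_perf.csv

REM 1. Sample the two counters named in the article: 12 samples, 5 s apart.
REM    -y overwrites an existing CSV without prompting.
typeperf "\ISA Server Firewall Packet Engine\Backlogged Packets" ^
         "\ISA Server Firewall Service\Worker Threads" ^
         -si 5 -sc 12 -f CSV -o %CSV% -y

REM 2. typeperf CSV layout: one header line starting with "(PDH-CSV 4.0)",
REM    then "timestamp","backlogged","threads" per sample. Skip the header,
REM    strip the quotes (%%~a), drop the fractional part so cmd.exe can
REM    compare numerically, and flag samples above the article's thresholds.
for /f "usebackq tokens=1-3 delims=," %%a in (`findstr /V "PDH-CSV" %CSV%`) do (
    set ts=%%~a
    set backlog=%%~b
    set threads=%%~c
    for /f "delims=." %%i in ("!backlog!") do set backlog=%%i
    for /f "delims=." %%i in ("!threads!") do set threads=%%i
    if "!backlog!"=="" set backlog=0
    if "!threads!"=="" set threads=0
    if !backlog! GTR 10  echo !ts!  Backlogged Packets=!backlog!  ^(over 10^)
    if !threads! GTR 100 echo !ts!  Worker Threads=!threads!  ^(over 100^)
)

REM 3. A slow or missing answer here reproduces the "gap of several seconds"
REM    the capture would show; if it times out, look at the DNS server and
REM    the path to it before touching firewall rules.
nslookup -timeout=2 -retry=1 www.microsoft.com 10.0.0.10
endlocal
```

Backlogged Packets staying above 10 while Worker Threads climbs past 100 is the pattern to expect when the Firewall service is stalled waiting on DNS answers; if both counters are quiet but the nslookup in step 3 is still slow, the problem is on the DNS server or the network between it and the firewall rather than in the firewall itself.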
For more information on troubleshooting ISA firewall performance issues, check out: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/isa_2004_perftroubleshooting.mspx
Thomas W Shinder, M.D.
MVP -- ISA Firewalls