Understanding ISA Firewall, H.323 and packet filter Performance counter.

The main types of performance counters categories are listed below the others are pretty general. In this tutorial I will cover the counters in bold.

  1. Web Proxy service performance counters

  2. Bandwidth control performance counters

  3. Cache performance counters

  4. Firewall service performance counters

  5. H.323 filter performance counters

  6. Packet filter performance counters

  7. Default counters

Firewall Service (FWSRV.EXE)

  1. The Firewall service is a circuit-level proxy for Winsock applications.

  2. The ISA Firewall service gives Winsock client applications the ability to perform as if they were directly connected to the Internet.

  3. If the HTTP redirector is set to (“default” no one has configured it) then the HTTP requests are sent to the Web proxy service and caching can be used.

  4. The Firewall service runs as a stand-alone service on W2k if installed as firewall mode. Note: if you installed ISA in firewall mode ISA Server does not maintain a cache.

  5. It establishes gateway connections between the Winsock applications on the client and the Internet host. The LAN remains secure, because communication is channeled through ISA.

  6. The Firewall service can be enhanced by using application filters.

  7. The Firewall client captures API calls from the Winsock applications and redirects it to the Firewall service, which makes the actual call.

  8. The control channel manages remote Winsock messages and delivers the LAT to the firewall client. It also establishes TCP connections from the client to ISA and this channel is used to build the virtual connections while connecting with a remote applications.

  9. This service uses a control channel to communicate service management, connection and authentication information on UDP port 1745.

  10. This service uses the LAT do determine what clients are on the trusted network.

To see how the Firewall service interacts with other ISA services checkout my Understanding ISA services tutorial. Click on the link below. http://www.isaserver.org/authors/magalhaes/tutorials/Understanding ISA services.htm

You can also look at an article by Curt Simmons Click on the link below. http://www.isaserver.org/pages/tutorials/isa_server_performance.htm

How to tell if your firewall service is not running properly?

It is always a good idea to check that all of your ISA services are running after a server restart or when the peak hours are in progress. Make sure that you can access local sites and web based applications quickly using the Firewall client without any errors. If this is so then you will not need to go any further because everything is working. If you have complaints from users check that the settings are correct then close all applications including Internet explorer and the try again. Then ask if the application has worked before. If not then maybe the application will not work. Try the application from another machine to isolate if the problem is general. If you still can’t connect check the settings within the application and make sure that those settings are correct. Check that the appropriate ISA filters are created or active. Look at your event logs to see what types or errors you are receiving when you are not able to connect.

Here is a summary of the Firewall service, H.323 and packet filter performance counters for easy reading and quick perusal. This table is a summarized version of the counters descriptions found in the ISA help files, I have gone through them and taken out only the relevant information.

Firewall service performance counters

Performance Counter


Accepting TCP Connections

Displays objects waiting a TCP connection from Firewall clients.

Active Sessions

Displays active sessions for the Firewall service.

Active TCP Connections

Displays all active TCP connections currently passing data. Excludes pending connections.

Active UDP Connections

Displays all active UDP connections.

Available Worker Threads

Displays Firewall worker threads available or waiting in the completion port queue.

Back-connecting TCP Connections

Displays all TCP connections awaiting an inbound connect call to complete. This is the call on behalf of the Internet machine placed by the firewall to the client from a listening socks port.

Bytes Read/sec

Displays bytes read by the data-pump /sec.

Bytes Written/sec

Displays bytes written by the data-pump /sec.

Connecting TCP Connections

Displays all TCP connections pending between the Firewall service and remote computers.

DNS Cache Entries

Displays current DNS entries cached as a result of Firewall service activity.

DNS Cache Flushes

Displays number of times DNS cache has been flushed or cleared by the Firewall service.

DNS Cache Hits

Displays all DNS names found within the DNS cache by the Firewall service. A high figure means that DNS cache is optimal.

DNS Cache Hits %

Displays % of DNS names serviced by DNS cache, from all the DNS entries retrieved by the Firewall service.

DNS Retrievals

Displays all DNS names retrieved by the Firewall service.

Failed DNS Resolutions

Displays failed gethostbyname and gethostbyaddr API calls.

Kernel Mode Data Pumps

Displays kernel mode data pumps created by the Firewall service.

Listening TCP Connections

Represents number of connection objects that wait for TCP connections from remote Internet computers.

Memory Allocation Failures

Displays memory allocation errors. Cause could be due to miss configuration.

Non-connected UDP mappings

Displays mappings available for UDP connections.

Pending DNS Resolutions

Displays gethostbyname and gethostbyaddr API calls pending resolution, used to resolve host DNS names and IP addresses for Firewall service connections.

SecureNAT Mappings

Displays mappings created by Secure NAT.

Successful DNS Resolutions

Displays gethostbyname and gethostbyaddr API calls successfully returned. These calls are used to resolve host DNS names and IP addresses for Firewall service connections. For more info read my tutorial on how ISA clients use DNS.

TCP Bytes Transferred/sec by Kernel Mode Data Pump

Displays TCP bytes transferred by the kernel mode data-pump /sec.

UDP Bytes Transferred/sec by Kernel mode Data Pump

Displays UDP bytes transferred by the kernel mode data-pump/sec.

Worker Threads

Displays Firewall worker threads currently active.


The H.323 protocol filter allows multimedia enriched applications like net meeting to place calls through the H.323Gatekeeper filter. Net meeting allows you to video conference use an electronic white board, exchange files, text chat and have voice conversations with two or more parties. If the firewall is H.323 compliant then you will be able to place these calls through it. Most new video conference systems comply with this standard and have had huge success over Microsoft networks. H.323 protocol filter does not directly allow clients to communicate directly with their peers and acts as a true proxy. This method protects the integrity of your network making it more secure and avoiding personal attacks on unsuspecting users.

H.323 filter performance counters

Performance Counter


Active H.323 Calls

Displays H.323 calls currently active.

Total H.323 Calls

Displays all H.323 calls handled by the H.323 filter since the ISA Server computer was started

Packet filtering

If packet filtering is enabled (disabled by default) ISA server lets administrators control IP traffic to and from ISA Server. All packets on the external Network interface card are dropped unless rules allow them to be transmitted, either statically by IP packet filters or dynamically by access policy or publishing rules.

Packet filter performance counters

Performance counter


Packets Dropped Due to Filter Denial

Displays packets dropped because dynamic packet filtering rejected the data. Default ‘deny-all’ policy in ISA Server and other explicit deny rules impact directly on this counter.

Packets Dropped Due to Protocol Violations

Displays all packets dropped resulting from a protocol anomaly other than the default filtering rules. If you enable intrusion detection, this should have direct impact on this counter.

Total Dropped Packets

Displays sum of dropped or filtered packets.

Total Lost Logging Packets

Displays all dropped packets that cannot be logged.

Summary: This tutorial will help you isolate issues that are related to the Firewall service performance counter, H.323 filter performance counters and Packet filter performance counters. I have outlined these counters. The remaining counters will appear in the next tutorial. To understand how to access the built in ISA performance monitor and how to add counters please refer to my previous tutorial on the web proxy service counters as it is briefly detailed in that tutorial.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top