Chapter 16 PERFORMANCE ANALYSIS AND OPTIMIZATION 453
After reporting is enabled, the data from all the SQL logs is
combined into one log database on the ISA Server. This occurs once
each day regardless of whether any reports are scheduled. The monthly
report summary process combines all daily databases into a single,
monthly summary.
To view the reports, open the
Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring\Reports
node and open the report type you want to view. In the Details pane,
double-click the report. It will be displayed in Internet Explorer.
The following reports are predefined on ISA Server:
• Summary reports
• Web Usage reports
• Application usage reports
• Traffic and utilization reports
• Security reports
It’s important to realize that each report is made up of several
subreports in the form of graphs and charts. Table 16.1 lists the
charts and graphs available in each report.
TABLE 16.1
REPORTS WITHIN REPORTS

Report                     Subreports
Summary                    Protocols used in descending order
                           Traffic by protocol
                           Top users
                           Traffic by user
                           Top Web sites
                           Traffic by Web sites
                           Cache performance
                           Cache usage breakdown
                           Traffic
                           Traffic by date
                           Daily traffic
                           Traffic by time of day
NOTE
Who Can Generate Reports? In order
to generate reports you must be in the local
Administrators group on the ISA Server. If the
ISA Server is in an array then you must be in
the local Administrators group on every ISA
Server computer in the array and able to
access and launch DCOM objects on every
server in the array.
EXAM TIP
When Did That Occur? It’s important to note that data in the
reports is not compiled in real-time. In fact, data in the
reports is from at least the day before.
Reports and their timeframes are
• Daily—Show previous day’s activity
• Weekly—Show previous week’s activity
• Monthly—Show previous month’s activity
• Yearly—Show previous year’s activity
• Specified period—Custom
22 mcse CH16 6/5/01 12:17 PM Page 453
454 Part V MONITORING, ANALYZING, AND OPTIMIZING ISA SERVER
TABLE 16.1 (continued)
REPORTS WITHIN REPORTS

Report                     Subreports
Web Usage Report           Top Web users
                           Web traffic by users
                           Top Web sites
                           Traffic by Web sites
                           Protocols
                           Web traffic by protocols
                           HTTP responses
                           HTTP response breakdown
                           Object types
                           Web traffic by object types
                           Top browsers
                           Web traffic by browser
                           Operating system
                           Web traffic by operating system
                           Browser vs operating system
Application Usage Report   Protocols
                           Application traffic by protocols
                           Top application users
                           Application traffic by users
                           Top applications
                           Traffic by application
                           Operating systems
                           Web traffic by operating system
                           Top destination
                           Traffic by destination
Traffic and Utilization    Protocols
                           Traffic by protocols
                           Traffic
                           Traffic by date
                           Cache performance
                           Cache usage breakdown
                           Connections
                           Peak simultaneous connections by date
                           Processing time
                           Processing time by date
                           Daily traffic
                           Traffic by time of day
                           Errors
                           Error breakdown
Security                   Authorization failures
                           Authorization failures by user
                           Dropped packets
                           Dropped packets by users
Summary Reports
Summary reports combine data from the Web proxy service log and
the firewall service log. They illustrate network traffic usage and are
sorted by application. Many of the items in this report are displayed
in more detail in the other reports. This information is valuable to
network administrators to help them determine trends and traffic
patterns, as well as the types of applications used to access Web data.
Knowing the application use allows decisions to be made on making
sure the ISA Server allows the traffic that is necessary, but does not
allow unnecessary traffic. Being able to see traffic patterns helps
them identify peak usage and trends in usage. A portion of a
summary report can be found in Figure 16.2.
Web Usage
Web usage reports display such items as top Web users, common
responses, and browsers in use. In other words, they are pictures of
how the Web is being used in the company. The information used
comes from the Web Proxy Service logs. Knowing how the Web is
being used helps to identify whether there are adequate controls on
Web usage as well as who the major users are. When attempting to
analyze needs for greater bandwidth, it is useful to know something
about the actual usage of the Web. A portion of a Web usage report
is displayed in Figure 16.3.
FIGURE 16.2
The summary report.
Application Usage
The application usage report focuses on incoming and outgoing
traffic and shows the following:
• Top users
• Amount of incoming and outgoing traffic
• Client applications
• Destinations
Because it focuses on incoming and outgoing traffic, the application
usage report can also provide valuable information about the usage
of published servers on the internal network. A sample report is in
Figure 16.4.
FIGURE 16.3
The Web usage report.
Traffic and Utilization
The traffic and utilization report can determine trends in usage. This
helps in planning network capacity and determining bandwidth
policies. By tracking the cache hit ratio, you can determine potential
areas for improvement, either by enlarging the size of the cache, or
scaling out and adding another ISA Server to the array. A sample
traffic and utilization report is in Figure 16.5. The Web proxy and
firewall service logs are used to provide:
• Usage by application protocol and direction
• Average peaks
• Cache hit ratio
• Errors
• Statistics
FIGURE 16.4
The application usage report.
Security
The security report combines data from all three logs. The
information in this report can help you identify attacks or security
violations after they have occurred. A sample report is in Figure 16.6.
FIGURE 16.5
Traffic and utilization report.
FIGURE 16.6
The security report.
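The "Authorization failures by user" chart listed for the security report can also be tallied directly from a log file when you want to review a single log outside the console. The script below is an added example, not code from this book or from ISA Server. It assumes the log was saved in W3C extended format with a #Fields header; the field names (cs-username, sc-status), the status codes counted as failures, the threshold and the sample lines are all constructed for illustration.

```python
from collections import Counter

# Assumption: 401, 403 and 407 responses count as authorization failures.
AUTH_FAILURE_STATUSES = {"401", "403", "407"}

# Constructed sample in W3C extended log format; field names are assumed.
SAMPLE_LOG = """\
#Software: constructed sample, not real traffic
#Fields: c-ip cs-username date time cs-uri sc-status
10.0.0.5 CORP\\alice 2001-06-05 09:01:12 http://example.com/ 200
10.0.0.9 CORP\\bob 2001-06-05 09:01:40 http://example.com/hr 407
10.0.0.9 CORP\\bob 2001-06-05 09:01:41 http://example.com/hr 407
10.0.0.9 CORP\\bob 2001-06-05 09:01:43 http://example.com/hr 403
10.0.0.7 CORP\\carol 2001-06-05 09:02:10 http://example.com/pay 403
10.0.0.7 CORP\\carol 2001-06-05 09:02:11 truncated-row
"""

def parse_w3c(lines):
    """Yield (record, None) per valid row or (None, raw_line) per bad row."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directives: only #Fields changes how rows are interpreted.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            yield None, line  # cannot be mapped to the declared fields
        else:
            yield dict(zip(fields, values)), None

def auth_failures_by_user(lines, threshold=3):
    """Return (ranked counts, users at or above threshold, unparsed rows)."""
    counts, unparsed = Counter(), []
    for record, bad in parse_w3c(lines):
        if record is None:
            unparsed.append(bad)  # keep bad rows visible instead of dropping
        elif record.get("sc-status") in AUTH_FAILURE_STATUSES:
            counts[record.get("cs-username", "-")] += 1
    ranked = counts.most_common()
    flagged = [user for user, n in ranked if n >= threshold]
    return ranked, flagged, unparsed

if __name__ == "__main__":
    ranked, flagged, unparsed = auth_failures_by_user(SAMPLE_LOG.splitlines())
    for user, n in ranked:
        print(f"{user:15} {n}")
    print("review:", flagged, "| unparsed rows:", len(unparsed))
```

Rows that do not match the declared fields are returned rather than silently skipped, so a truncated or tampered log shows up in the result.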
OPTIMIZING PERFORMANCE
Optimize the performance of the ISA Server computer.
Considerations include capacity planning, allocation
priorities, and trend analysis.
In addition to diagnosing problems, reports, logs, and tools can be
used to analyze ISA Server performance and determine what might
need to be done to optimize its performance. There are four areas to
look at:
• Using the Registry to optimize performance
• Analyzing performance using Performance Monitor
• Analyzing performance using reporting and logging
• Controlling RAM used by caching
Using the Registry to Optimize Performance
ISA Server can be managed by the ISA Server Management Console,
by using Administration COM objects, and by Registry entries. The
majority of this book focuses on using the Management Console.
Using Administration COM objects is a little beyond our scope
(you will find them described in the SDK if you are interested).
However, there are Registry settings that you should take note of.
Obviously, before making any changes to the Registry, you will use
the normal precautions and find out more of the implications of
making these changes. Registry keys that can affect cache
performance (located at
HKLM\System\CurrentControlSet\Services\W2cache\Parameters)
are described in Table 16.2.
NOTE
Cache Off Results In this chapter we are talking about analyzing
and optimizing ISA Server in situ—that is, in its native
environment, your network. It is interesting to note ISA Server’s
performance against other caching products in an independent test
(see the Web Polygraph site,
http://www.measurement-factory.com/results/public/cacheoff/N03/report.by-alph.html
). In the test an ISA Server with a single processor managed
750 requests per second. An ISA Server with four processors
managed 2,000 requests/sec. These rates are about 10 times the
rate produced by Proxy Server. Two types of measurements were
made: “overall throughput” (how many requests users generate) and
hit throughput (rate at which the requests are served from
cache). ISA Server was the top scorer here for both. The
difference between the two, or “response time improvement,” is
even more important as it says what the caching server is doing
for you. ISA Server response time improvement was 50 percent.
TABLE 16.2
DEFAULT SECURITY GROUP FILE PERMISSIONS

Parameter:   TZ Persistent Interval Threshold
Description: Maximum time interval in minutes that recovery data
             will be inconsistent.
Usage:       If set to one minute and the w3proxy service stops
             unexpectedly, at most one minute will be lost while
             the cache is recovered.

Parameter:   Recovery MRU Size Threshold
Description: Time interval in minutes. What data will be recovered
             first? How much of it?
Usage:       Content cached in the last X minutes prior to failure
             of Web proxy service will be recovered first.

Parameter:   MaxClientSession
Description: Size of pool for client sessions objects.
Usage:       An object is freed and memory returned to system
             memory if the pool has more than X objects. Set to a
             high value and objects are freed less frequently (but
             more memory is used).

Parameter:   OutstandAccept
Description: Number of listeners waiting for a connection to be
             established; versus number of accepts pending for a
             connection to be established before rejecting the new
             connection.
Usage:       Set high to minimize the number of rejected
             connection requests.

Analyzing Performance Using Performance Monitor
Analyze the performance of the ISA Server computer by
using Performance Monitor.
When ISA Server installs, it makes two consoles available for use in
its management: the ISA Server Management console and the ISA
Server Performance Monitor. Although the ISA Server Management
Console is used to administer the ISA Server, the ISA Server
Performance Monitor is used to analyze the functioning of the ISA
Server itself. When opened, it displays the Windows 2000
Performance Monitor and System Monitor preconfigured with ISA
Server specific objects and counters (see Figure 16.7). It is important
to understand what these counters mean; a section later in this
chapter introduces you to some of the more common counters. The ISA
Server online help can be used to find the meaning of others.
It is important to note that the design of this console is open; that
is, you can add counters for measurement, extract data to text files
for analysis, and create logs which gather these statistics in the
background at scheduled times.
To use the charts, graphs, and logs produced by Performance
Monitor you should be knowledgeable about:
• Configuring performance monitoring
• Analyzing and optimizing ISA Server using Performance Monitor
• Using traditional server objects in ISA Server analysis
Configuring Performance Monitoring
The first decision to make in performance monitoring is in choosing
the monitoring method. Two possibilities exist: graphs and logs.
Although graphs are real-time and allow you to observe an event
while it’s happening, they are usually only valuable for short periods.
Graphs can be used to grab a snapshot of ISA Server health at any
time of the day. They are good diagnostic tools that may be used
when systems seem to be running slow or experiencing other
problems. The ISA Server Performance Monitor opens in graph view,
already collecting statistics and displaying them graphically.
To analyze performance you might need to add additional
counters. To do so, follow Step by Step 16.3.
FIGURE 16.7
ISA Server Performance Monitor.
NOTE
Objects and Counters A performance object can be thought of as a
logical group of counters that are associated with a resource
or service (such as memory or processor). A performance counter
then is the data item associated with an object. It represents some
value which can be interpreted as relative performance of that
object, or some concrete measurement.
STEP BY STEP
16.3 Add Performance Counters
1. Open ISA Server Performance Monitor (Start, Programs,
ISA Server Performance Monitor).
2. Right-click System Monitor node. In the Details pane,
click Add Counters.
3. In the Performance Object box, select the object to
monitor.
4. To monitor all the counters for this object, click All
Counters.
5. Or to select the counter to monitor, click Select Counter
from list and select those you want to monitor.
6. To monitor all instances of the object, click All Instances.
7. Or, to select a specific instance, check Select Instances
From List, and select the instance you want to monitor.
8. Click Add.
9. Click Close.
Although graphs give you an immediate visual feel for your system,
logs can be saved and keep extensive records for monitoring,
analyzing, and researching trends over time. To capture performance
data in a log, follow Step by Step 16.4. To view it, follow Step by
Step 16.5.
NOTE
What Is an Instance? As used in
Performance Monitor, an instance identifies
which object to monitor if there is more
than one of the same type. For example, a
multiprocessor computer would show several
processor instances.
[...]

... necessary to ISA Server configuration, addition of more powerful hardware, ISA Server added to the array, or a change in policy which reduces the availability of Web services to users and thus the need to expand the size of the array or purchase more hardware.

Controlling RAM Used by Caching
Control the total RAM used by ISA Server for caching.
If the ISA Server computer is only used as a caching server, it...

Optimizing ISA Server Using Performance Monitor
Making graphs and logs is all fine and well, but the purpose behind doing so is to analyze the performance of the ISA Server system and use that information to optimize it, to determine when...

... tests to

What goes in the baseline test? You will want to measure common functions of ISA Server and add typical keys that will help you understand the system functions. A good place to start is with those keys selected to appear in the ISA Server Performance Monitor.
Estimated Time: 1 hour 20 minutes
1. Open the ISA Server Performance Monitor and record the objects and counters that are being measured...

... has the authority to create reports for all ISA Servers in the array when
C. Too much RAM is allocated
D. Not enough RAM is allocated
6. Analysis determines that the demand on the ISA Server cache is far greater than the size of the cache can effectively handle. You cannot purchase another drive to enlarge the size of your cache, nor can you set up another ISA Server in the array. Which of the following...

“Optimizing ISA Server Using Performance Monitor.”
Answers to Exam Questions
1. D. A, B, and C are incorrect. The time that the report is generated is at 12:30 A.M. None of the other times are before this time. See the section, “Analyzing ISA Server Performance Using Reports.”
2. A, D. B is incorrect. Reports are viewed in Monitoring. C and E are incorrect, there is no Configuring node. See the section, “Analyzing ISA Server...

... Reduce the size of the maximum URL cached in memory
• Use scheduled downloads instead of active caching

STEP BY STEP
16.6 Managing RAM Usage
1. Right-click Internet Security and Acceleration Server\Servers and Arrays\name\Cache Configuration and select Properties.
2. Click the Advanced tab.
3. Enter the amount...

... being underutilized

Counter (Object): Memory usage ratio percent
Description: Ratio between amount of fetches from memory cache and from disk cache
Usage: Because ISA Server tends to favor usage of RAM over drive, if more is being used from cache then perhaps not enough memory is available for ISA Server to use
Requests/sec...

... installation, it is a good idea to disable several common unnecessary services:
• Computer browser

Minimum System Requirements
Use the following minimum system requirements as the starting point in determining the actual hardware specifications for your ISA Servers. Table 3 provides estimates of disk space to reserve for cache as well as the number of recommended ISA Servers per hundreds of users. Table...

... in ISA Server is based on licensed technology from Internet Security Systems, Inc (www.iss.net)
• System hardening templates An ISA Server Security Configuration Wizard can be used to apply system security settings to all servers in an array
• Virtual Private Networking ISA Server can function as the endpoint for a Virtual Private Network (VPN). A VPN extends a private network by creating a secure link...

... computer is only used as a caching server, it will use RAM as primary cache storage for more efficient service. However, if the ISA Server computer is used for other services, this characteristic is not beneficial. You can, however, throttle down the amount of RAM used by ISA Server for caching; to do so, follow Step by Step 16.6.