Re: Speed of OWA connectivity?

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: al (ask~me_at_nowhere.com)
Date: 03/10/04 

Date: Wed, 10 Mar 2004 19:30:57 -0000

"Tim Hackbart [MSFT]" <Timhack@online.microsoft.com> wrote in message
news:uM76G%23sBEHA.2308@tk2msftngp13.phx.gbl...
> al
>
> The thing that jumps out to me is the SSL overhead. The encryptions and
> decryption definitely has a cost associated with it, as far as processor
> time etc.

Well me too - which I why I thought the CPU usage would reveal if that were
the case. However the CPU is steady around 3%!

>
> I would try to take SSL out of the picture.
> Where do you terminate your SSL connection?

SSL terminates both at the ISA and the FE server. I say both, as the ISA
will always decrypt the SSL to examine the packets and then re-package it to
send via SSL to the FE server (maintaining the SSL namespace by using a
manual hosts entry).

> If you do it on the ISA box and then bridge HTTP to the FE server, then I
> would test hitting the FE server with HTTP and then compare with going
> through the ISA box.

Non-SSL to the FE server is fast internally. I can't enable normal HTTP
through the firewalls - too many configuration changes to live systems that
would need change controls raising!!

> If you terminate SSL on the ISA box and then bridge HTTPS to the FE server
> then your SSL cost is doubled.
>
Oh, that sounds like what I said before I think, so yes, but isn't the SSL
cost down to CPU time?

> I am not sure that the SSL process is the issue, but it would be something
> to look at.

It certainly was my first guess - just don't know how to establish it given
my CPU results. I believe you can buy SSL-offloading network cards these
days? I've used IPSEC-offloading ones before and not noticed any
difference, but then it was a low-capacity server.

Anyone else used one of these cards and have an opinion?

a

Relevant Pages

  • Most users cant connect to our SSL-- help!
    ... I've included all relevant SSL settings from our ... Subject: Large percentage of customers cannot connect to https: ... server, which then grinds indefinitely. ... "2) Your secure order form is not working. ...
    (comp.security.misc)
  • Most users cant connect to our SSL-- help!
    ... I've included all relevant SSL settings from our ... Subject: Large percentage of customers cannot connect to https: ... server, which then grinds indefinitely. ... "2) Your secure order form is not working. ...
    (comp.security.ssh)
  • Most users cant connect to our SSL-- help!
    ... I've included all relevant SSL settings from our ... Subject: Large percentage of customers cannot connect to https: ... server, which then grinds indefinitely. ... "2) Your secure order form is not working. ...
    (comp.security.unix)
  • Re: Antw: Re: LDAP Authentication Problem
    ... TLSv1 und wird auf einen SSL Client Hello Request mit TLSv1 nicht ... antworten anstatt ein SSLv3 Server Hello. ... the LDAP PAM module and the shadow package. ...
    (de.comp.sys.novell)
  • Re: Dealing with SSL processing via hardware
    ... If the "hardware" is basically just a single CPU computer with Linux and OpenSSL installed on ROM wrapped in a sealed box, then I would suppose you could emulate the exact same performance characteristics by adding another CPU to your main server computer and only using that CPU for running the same SSL and socket software you would have inside the sealed box. ...
    (borland.public.delphi.non-technical)