Poor client web browsing performance
- From: aaron.johnson@xxxxxxxxx
- Date: 14 Dec 2005 17:12:54 -0800
I've switched all our users from an old proxy 2.0 server to ISA 2004,
and they've noticed that performance is quite poor compared to the
proxy server. I haven't been able to nail down a specific cause,
although I suspect a DNS or network table configuration issue. Here are
some specs to start off with:
The Proxy 2.0 server ran on a WinNT 4.0 SP6 P3-500MHz box with 256MB of
RAM, dual NICs. It was starting to crash frequently so I decided to
upgrade.
The ISA 2004 (SP1) server is running on a Win2003 server with dual Xeon
2.66GHz CPUs, 2GB RAM, dual NICs.
Caching is enabled with a 60GB size limit.
We do run an internal DNS server because our AD domain is not "legal".
That DNS server is configured with the ISA server's internal NIC
address as a forwarder, 1 second timeout. All workstations are
configured via dhcp with this server as the primary DNS and the ISA as
the secondary.
The ISA server also runs DNS and is in fact our master DNS for our
external "legal" domain names. We run our own web and mail servers.
The ISA server has IIS installed, running on port 81. There's some
minor web pages there, one of which is a re-director to our "real" web
site. A web publishing rule takes traffic from "anywhere" destined for
the ISA server and bridges it from 80 to 81.
Those 3 functions (Proxy/ISA, DNS, and IIS) all ran fine on the proxy
server it replaced.
The first firewall policy rule is called "unrestricted internet
access", allowing all outbound protocols, from Internal networks and
vpn clients, to external networks, for a user set called "authorized
internet users". That user set has an AD group in it called "Internet
Users". Basically I add a user to that group and they get internet
access.
A side note: I started a log looking for "denied connections" and I've
seen some DHCP, netbios, and other protocols get denied that should
just stay inside our network. This troubles me but I'm not sure it's a
problem.
The "internal" network set contains all the standard private ip ranges,
plus an extra one of 161.1.0.0 - 161.1.255.255. We have some old
printers that I haven't switched over to a private 172 address yet.
We've tried the following configurations on the clients:
1) no firewall client installed, proxy enabled in internet settings &
manually entered. HTTP 1.1 through proxy enabled.
2) firewall client installed, proxy disabled. We have a 3rd party app
that won't work with proxy enabled for some reason (authentication, I
think).
3) firewall client installed, proxy enabled in internet settings &
manually entered. HTTP 1.1 through proxy enabled.
I suppose I could try setting up auto-configuration if that would
really make a difference. I don't think it would work for the people
that need the 3rd party app (option #2) though.
I have an entire department that wants their own internet connection.
They think they are slow because everyone uses the same connection. I
really can't allow that but they might have enough authority to go
around me, which would pose a serious security risk.
Anyone see anything or have suggestions?