[isalist] Re: Performance Oddity on TMG

  • From: Rob Moore <RMoore@xxxxxxxx>
  • To: "'isalist@xxxxxxxxxxxxx'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 9 Aug 2010 14:50:03 -0400

We have been using URL Filtering. I've disabled it to see if it made any 
difference. It did not.

I've just finished watch the show. That was good. I'm not sure it helps me with 
this issue, though.

I've noticed that installing the Firewall Client and/or enabling proxy speeds 
up the loading pretty much back to normal. So that's a solution, I guess. I'm 
sure I'll still have some users who don't want to use proxy.

Remember that for the last couple of months we've been using TMG for all of our 
web browsing, and it's been working just fine. Then last week I made a few 
changes to TMG. The only changes I made were:

1.       Added two IP addresses (one for SMTP, one for OWA).

2.       Enabled Exchange publishing rules.

3.       Enabled outgoing SMTP to go out over a non-default IP address.

4.       Shut down the ISA server.

Now our web browsing is really slow.

The thing I don't understand is why did the above changes, which don't seem to 
have anything to do with HTTP traffic, cause such a big performance hit with 
the HTTP traffic. I've since turned ISA back on (although it's not connected to 
the external network, because at this point that would cause IP address 
conflicts). When my Exchange admin returns from vacation tomorrow, I plan to 
try two more things: putting the Exchange traffic back over the ISA server to 
see if things go back to  normal; try routing our outbound SMTP traffic over 
the default IP address to see if that has any impact.

Thanks,
Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, August 06, 2010 4:44 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Performance Oddity on TMG

Are you using URL Filtering?
What you describe sounds like connection failures to MRS.
You might want to grab a margarita and watch the 
show<http://www.msteched.com/2010/NorthAmerica/SIA308>.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, August 06, 2010 11:36
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Performance Oddity on TMG

Here's another tidbit. I tried loading a website I've been using for testing 
purposes directly on the TMG server. It loaded up REALLY FAST. Still loads up 
rathter slowly on the client computers, though.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, August 06, 2010 2:10 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Performance Oddity on TMG


1.       There are no disabled NICs in the binding order. The order is:

a.       LAN

b.      WAN

c.       Remote Access Connections

2.       The NIC drivers are from Broadcom, dated October 2009. Windows says 
they are up to date.

3.       NICs were set to autosense. I've reset them for specific speeds.

4.       DNS is only on the LAN NIC, and is set to its own IP address.

5.       I'm not sure how to set the percent of free memory to use for caching, 
or how to check it.

6.       Ditto with logging. I'm not sure how to set it or check it.

In any case, none of these things changed (at least as far as I know) when I 
enabled our Exchange publishing rules.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Joseph King
Sent: Friday, August 06, 2010 12:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Performance Oddity on TMG

I'm sure you checked most of these, but it never hurts:

No disabled NICs above your usable NICs in the binding order?

No recent windows update to non-OEM NIC drivers?

NICs set to specific speed, not autosense?

DNS server(s) only on one of the NICs?

% of free memory to use for caching set too high?

Logging set too high?

Anyway, just some thoughts...

In Your Service,

Joseph King, MCSE
http://www.joking.net/


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, August 06, 2010 8:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Performance Oddity on TMG

Here's an odd one. At least I think it is. See what you think.

I've been very gradually migrating from ISA to TMG (just the standard, 
stand-alone version). For a couple of reasons, I did the migration manually 
rather than importing all the rules from ISA. For many weeks all of the rules 
have been migrated except the Exchange publishing rules. And all of our users 
and servers have been going through TMG, except for Exchange. Performance has 
been fine.

Two days ago we took the final plunge: I implemented all the Exchange 
publishing rules on the TMG server and shut down the ISA server. Email  flowed 
nicely. However, after a while we noticed that accessing most things on the 
Internet was quite slow. Sometimes pages wouldn't load, but a refresh would 
bring them around. Most pages loaded slowly. The only changes were the addition 
of two IP addresses and the Exchange publishing rules. (We do NOT have any 
Exchange services directly on the TMG server. TMG just passes SMTP traffic to a 
Barracuda, which then passes the non-spam to our Exchange server. The other 
Exchange rules are for publishing OWA and getting access via smart phones.)

(As an aside, when I implemented the Exchange rules on TMG, I just shifted the 
IP addresses from ISA to TMG. No restarts or anything. A Microsoft tech, when 
troubleshooting another TMG issue, told me that doing that shouldn't work, that 
a reboot should be required. But that's how I've generally been doing it for 
years with ISA and now TMG. Anyway, I ultimately did do a reboot.)

We've noticed over time another thing about the slowdown. Some pages initially 
don't load-you get an error. Then if you refresh, it loads more or less 
normally and then works more or less normally.

For some old reasons, we do not use proxy on our clients. But I've got my 
computer configured as a proxy client and it seems to be a bit speedier than 
the other computers.  Similarly, for some old reasons we don't use the firewall 
client. But on my computer, during some troubleshooting with MS on another TMG 
problem, I did install the firewall client on my computer.

The old ISA firewall had half as much memory and way less CPU. Yet it performed 
admirably with all the same traffic. When I look at Task Manager on the TMG 
server, the server is barely being taxed: CPU varies between 1% and 13%, mostly 
down around 1%; memory usage is steady at under 50%; the WAN card is running 
mainly under 5%, occasional spikes above 25%. I can't find anything interesting 
in the TMG console. In fact, when I run a report on everything for yesterday, 
it comes up empty. (Could that be because of restarting the Firewall Service, 
then later restarting the whole server?)

Any idea why things suddenly slowed down? Any idea how to approach 
troubleshooting it? The weirdest thing to me is that it happened when I put the 
Exchange publishing rules into production and turned off the ISA server. Seems 
unrelated to loading web pages.

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC



Other related posts: