Hi, the latest newsletter on www.isaserver.org explains how the bandwidth part of ISA Server works. You can subscribe to this newsletter. Here is a copy of the newsletter:

-----Original Message-----
From: ISAserver.org [mailto:isainfo@xxxxxxxxxxxxx]
Sent: Tuesday 18 December 2001 11:44
To: List Member
Subject: ISAserver.org Newsletter of December 2001

http://www.isaserver.org/index.htm
The #1 unofficial ISA Server resource site

ISAserver.org Newsletter of December 2001
Sponsored by: GFI Software Ltd. <http://www.gfisoftware.com/stats/adentry.asp?adv=40&loc=16> & WebTrends <http://www.isaserver.org/pages/WebTrends.htm>

In this issue:
* Feature: Working with ISA Server Bandwidth Rules
* ISAServer.org Learning Zone Articles of Interest
* Q Articles of the Month
* Mailing List Post of the Month
* Web Board Post of the Month
* ISA Server Link of the Month
* Ask Dr. Tom
* ISA Server Guru of the Month - Jeremy Cooke

Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@xxxxxxxxxxxxx

1. Feature: Working with ISA Server Bandwidth Rules
By Thomas W Shinder, M.D., MCSE, etc.

1. What are ISA Server Bandwidth Rules?
2. What the Help File Says About Bandwidth Rules
3. What Bandwidth Rules Actually Do (from what I can tell)
4. Creating Bandwidth Rules
5. Testing and Troubleshooting Bandwidth Rules
6. Summary

1. What are ISA Server Bandwidth Rules?

Bandwidth Priorities and Bandwidth Rules are some of the least understood features of ISA Server. 'Shaping' inbound and outbound traffic can be done by using Bandwidth Rules. Bandwidth Rules allow you to control the amount of available bandwidth assigned to a type of connection.
The 'type' of connection is defined by the Bandwidth Rule, and the Bandwidth Priority determines the amount of bandwidth assigned to the connection type. It's important to know that Bandwidth Rules do not allow you to assign an absolute amount of bandwidth to a particular connection. A lot of people ask if they can control the amount of bandwidth used for downloading MP3s. For example, they want to limit the amount of bandwidth for MP3 downloaders to about 3K. While this would be nice, at this time it's not possible to exert this kind of fine-tuned bandwidth control using ISA Server Bandwidth Rules. Even though you cannot exert absolute control over bandwidth in this way, we've found Bandwidth Rules to be very helpful in reducing the amount of bandwidth assigned to spurious applications while at the same time guaranteeing that bandwidth is reserved for business-critical applications.

2. What the Help File Says About Bandwidth Rules

What do Bandwidth Rules actually do? I think there might be a lot of confusion on this issue because of how they're explained in the Help File:

"Bandwidth rules determine what connection gets priority over another. Microsoft Internet Security and Acceleration (ISA) Server bandwidth control does not limit how much bandwidth can be used. Rather, it informs the Windows 2000 quality of service (QoS) packet scheduling service how to prioritize network connections. Any connection that does not have an associated bandwidth rule will get a default scheduling priority. On the other hand, any connection with an associated bandwidth rule will be scheduled ahead of default scheduled connections."

From reading this description, you get the impression that QoS is a major player in determining how Bandwidth Rules work. However, one of the fixes for broken Bandwidth Rules is to disable QoS on the network interfaces! I'd like to say I had an explanation for this, but at this time, it remains an Unresolved ISA Server Mystery.
Let's add a bit more confusion to the mix. Examine this excerpt from the Help File:

"For example, imagine that you create a bandwidth rule called VIP that uses a bandwidth priority called Maximum, which sets outbound and inbound bandwidth to the maximum rate of 200. The bandwidth rule might allow a client set that includes all senior executives and specifies all protocols, any content, and at any time. In the scenario, it is assumed that the network is fairly congested and only a limited amount of bandwidth remains. When two requests arrive, one from two senior executives and one from any other employee, the VIP bandwidth will be split between the two requests from the senior executives and the remaining bandwidth will be allocated to the other employee."

This makes it sound like Bandwidth Rules are able to look at the type of connection requests (as defined by Bandwidth Rules and Bandwidth Priorities) and then dynamically assign bandwidth to the higher priority connection. For example, if you have a 100K connection to the Internet and only 10K remains unused, you might think that the remaining 10K will be dynamically allocated to the VIP group. The problem with this (from my experiences) is that this is not true! Instead, it depends on the amount of bandwidth already assigned to the VIP group.

3. What Bandwidth Rules Actually Do (from what I can tell)

Bandwidth Rules depend on Bandwidth Priorities. You can configure Bandwidth Priorities in the Policy Elements section of the ISA Management Console. Bandwidth Priorities are configured for:
. Direction: inbound and outbound
. Value between 0-200

Inbound and outbound bandwidth for a particular priority is assigned a value between 0 and 200 (inclusive). For example, you might create the following Bandwidth Priorities:

High   - Inbound 200, Outbound 100
Medium - Inbound 100, Outbound 50
Low    - Inbound 50,  Outbound 25

These Bandwidth Priorities can be assigned to protocols, users/groups, destinations, content types or time of day.
Imagine that we have three groups of users: VIPs, Full Timers and Part Timers. We might configure Bandwidth Rules for these groups in the following way (all examples take into account inbound bandwidth only, to make things a bit simpler):

VIPs        - High
Full Timers - Medium
Part Timers - Low

Now, imagine that we have a mythical 100K connection to the Internet. What would happen if just VIPs had active connections to the Internet?

VIPs (High)          - Active   - 100K
Full Timers (Medium) - Inactive - 0K
Part Timers (Low)    - Inactive - 0K

Since only VIPs are connected to the Internet, all the available bandwidth is assigned to members of the VIPs group. So far, so good. Now, what would happen if a member of the Part Timers group established a connection to the Internet through the ISA Server?

VIPs        - Active   - 67K
Full Timers - Active   - 33K
Part Timers - Inactive - 0K

The amount of bandwidth assigned to the VIPs has dropped from 100K to 67K. The reason for this is that bandwidth is apportioned based on the relative values of the Bandwidth Priorities that are active at the time. In this case, when the VIPs Rule and the Full Timers Rule are invoked, they activate the High and Medium Bandwidth Priorities. The bandwidth assigned to each group is based on the relative values of their bandwidth priorities. So, we can determine how much bandwidth each group is assigned by adding the values of the active bandwidth priorities together, and then dividing each bandwidth priority by the total. Then, multiply the result by the total amount of bandwidth available to the connection. The process is shown below:

VIPs (High) 200 + Full Timers (Medium) 100 = 300
VIPs (High) 200/300 = 0.67
Full Timers (Medium) 100/300 = 0.33

Assigned bandwidth:
VIPs (High) = (0.67)(100K) = 67K
Full Timers (Medium) = (0.33)(100K) = 33K

What would happen if all three groups had active connections to the Internet via the ISA Server?
Let's go through the calculations again:

VIPs (High) 200 + Full Timers (Medium) 100 + Part Timers (Low) 50 = 350
VIPs (High) 200/350 = 0.57
Full Timers (Medium) 100/350 = 0.29
Part Timers (Low) 50/350 = 0.14

The assigned bandwidth to each priority is:
VIPs (High)          - Active - (0.57)(100K) = 57K
Full Timers (Medium) - Active - (0.29)(100K) = 29K
Part Timers (Low)    - Active - (0.14)(100K) = 14K

You can see how the amount of bandwidth assigned to EACH PRIORITY changes depending on which priorities are active. Note that bandwidth is apportioned based on Bandwidth Priorities. You might have several rules that are assigned to the High Bandwidth Priority. All the connections assigned the High Bandwidth Priority will share the same *pool of bandwidth* currently assigned to the High Bandwidth Priority. And as you can see, the amount of bandwidth assigned to a particular priority varies based on which priorities have active connections at the moment. It is impossible to predict in advance how much bandwidth will be assigned for a certain type of connection at any point in time because you cannot predict which bandwidth priorities will be activated.

How much bandwidth would be assigned to the Part Timers group if no connections were active from users in the VIPs or Full Timers groups?

VIPs (High)          - Inactive - (0)(100K) = 0K
Full Timers (Medium) - Inactive - (0)(100K) = 0K
Part Timers (Low)    - Active   - (1.0)(100K) = 100K

Since both the VIPs (High) and Full Timers (Medium) groups do not have active connections, their associated Bandwidth Priorities will not be activated. In this case, all the available bandwidth on the external interface of the ISA Server is assigned to the Part Timers group and its associated Low Bandwidth Priority. Now that you understand how ISA Server dynamically allocates bandwidth based on which priorities are active, let's get to the kicker!
Look at the following example where all three bandwidth priorities are active:

VIPs (High)          - Active - (0.57)(100K) = 57K
Full Timers (Medium) - Active - (0.29)(100K) = 29K
Part Timers (Low)    - Active - (0.14)(100K) = 14K

Imagine the following utilization pattern:

VIPs (High)          - using 55K of their allocated 57K
Full Timers (Medium) - using 8K of their allocated 29K
Part Timers (Low)    - using 6K of their allocated 14K

What do you think will happen if another member of the VIPs group establishes a connection to the Internet via the ISA Server and needs about 16K for a streaming media presentation? What will happen is that he will be able to use the remaining 2K allocated to the High Bandwidth Priority, and then he'll have to fight it out with the other connections assigned to the pool of bandwidth assigned to the High Bandwidth Priority. You might think, from reading the Help File, that the new VIP connection would be able to commandeer the unused bandwidth from the other Bandwidth Priorities, but it is not true, from what I can tell. In fact, if there were idle connections on the Medium and Low Priority bandwidth pools, the VIP guys would all still have to compete for the 57K that is allocated to them!

4. Creating Bandwidth Rules

Creating Bandwidth Rules is a lot easier than understanding them. To create a Bandwidth Rule, you need to do two things:
. Create a Bandwidth Priority
. Create a Bandwidth Rule using a Bandwidth Priority

Perform the following steps to create a Bandwidth Priority:
1. Open the ISA Management console and expand your server or array name, then expand the Policy Elements node.
2. Right click the Bandwidth Priorities node, point to New and then click Bandwidth Priority.
3. Type in a Name, a Description, and an Outbound and Inbound value between 1 and 200 for the priority. Click OK.

Perform the following steps to create a Bandwidth Rule:
1. Open the ISA Management console, expand your server or array and right click on the Bandwidth Rules node. Point to New and click on Rule.
2. On the Welcome page, type in a name for the rule and click Next.
3. On the Protocols page, select which protocol you want the rule to apply to, and then click Next.
4. On the Schedule page, select when you want the Rule to apply, and then click Next.
5. On the Client Type page, decide who you want this rule to apply to. If you select Specific Computers or Specific users and groups, then the next page will allow you to select the Client Address Set or a User or Group. Click Next.
6. On the Destination Sets page, select a destination that the rule should apply to, and then click Next.
7. On the Contents page, select which content this rule should apply to, then click Next.
8. On the Bandwidth Priority page, select the Custom option, then select the Bandwidth Priority that should apply to the rule. Click Next.
9. On the last page of the Wizard, review your selections and click Finish.

The rule appears in the right pane of the Wizard. Note that the rules are prioritized, with the rules higher on the list applied first. For example, if a user has multiple rules that apply to a particular connection, the rule higher on the list will be applied. So carefully consider how you order your Bandwidth Rules.

5. Testing and Troubleshooting Bandwidth Rules

How do you know if your Bandwidth Rules are working? There's nothing in the ISA Management console that will tell you if a Bandwidth Priority is active or inactive. What you need to do is create a Performance console that has the Bandwidth Priority performance objects. When you open the Performance console, click the Add Counters button. In the Add Counters dialog box, select the ISA Server Bandwidth Control Performance Object. You'll see the following counters:
. Actual inbound bandwidth
. Actual outbound bandwidth
. Assigned Connections
. Assigned outbound bandwidth
. Assigned inbound bandwidth

Select all the counters and select all instances of the counters.
After adding the counters, click the Close button in the Add Counters dialog box. In the Performance console, change the view to report view. Now you can view all the bandwidth priorities, their connection status, how much bandwidth is assigned to each priority, and how much bandwidth is used by each priority. While the performance monitor allows you to see information about the various Bandwidth Priorities, it does not provide any information about what rules actually triggered a particular priority. To the best of my knowledge, there is no way to determine what rules are active. Hopefully this will be fixed in the next version of ISA Server.

What if all your counters show zero? It probably means that your bandwidth rules are not doing anything. Make sure you have enabled Bandwidth Control. Right click on the Bandwidth Rules node in the left pane of the ISA Management console and click Properties. Place a checkmark in the Enable bandwidth Control checkbox, then put an Effective bandwidth value for your connection in the Effective bandwidth (Kbit/Sec) text box. You should restart the server after making these changes.

What if your counters still show all zeros after enabling bandwidth control? You may need the hotfix isahf55.exe. You can obtain this from Microsoft PSS. Tell them that your bandwidth controls don't work and they'll give it to you. You can also wait for ISA Server Service Pack 1.

A particularly disconcerting behavior of Bandwidth Rules and Priorities is that they have a bad habit of dropping off. For example, on every ISA Server I've ever enabled bandwidth control on, NNTP related bandwidth rules end up disappearing. For a variable period of time the NNTP bandwidth rules work and their associated priority shows active in the Performance console. Then, for no apparent reason, NNTP will no longer appear to activate a Bandwidth Priority. There's no way that I know to determine whether the Bandwidth Priority is active and not showing up in the Performance console, or if the Rule has just stopped working. Sometimes you can fix this problem by removing the priority and the rule, and then recreating both of them. Sometimes you have to uninstall and reinstall ISA Server to get it working again. Hopefully, this problem will be fixed in Service Pack 1.

You should be careful about user/group and client address set assignments. For example, suppose you create a bandwidth rule that applies only to Domain Admins for HTTP connections. If a user belongs to another group and tries to make an HTTP connection, he might not be able to make it! The matching rules used by ISA Server for Bandwidth Rules aren't described anywhere, so be sure to test your Rules thoroughly before putting them into production.

6. Summary

Bandwidth Rules are a powerful tool that you can use to control the relative amount of bandwidth assigned to particular types of connections. Bandwidth Rules are based on Bandwidth Priorities. Carefully consider the bandwidth requirements of your organization prior to implementing Bandwidth Rules. After you create your Bandwidth Rules, make sure you monitor them for several days using the ISA Management console. For more information on Bandwidth Rules and Bandwidth Priorities, check out our book "Configuring ISA Server 2000: Creating Firewalls with Windows 2000" at http://www.amazon.com/exec/obidos/ASIN/1928994296/ref%3Dnosim/searchbyisbn/102-4416068-7222551

ADVERTISEMENT
FIREWALL SECURITY: FREE TRIAL from WebTrends
WebTrends' Firewall Suite captures every action across your firewall. This award-winning software identifies and reports on critical security events, provides immediate alerts and more than 200 reports for IT managers and security professionals. Firewall Suite supports more than 35 leading firewall and proxy servers, including Cisco and Check Point.
Download it now: http://www.isaserver.org/pages/WebTrends.htm

2. ISAServer.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer articles:

Understanding how ISA Server Clients use DNS
http://www.isaserver.org/authors/magalhaes/tutorials/Understanding_how_isa_server_clients_use_dns.htm

Publishing Multiple Web Sites
http://www.isaserver.org/shinder/tutorials/publishing_multiple_web_sites.htm

Quick Reference Guide to Configuring ISA Server Interfaces - Part 1: Configuring the Internal Interface
http://www.isaserver.org/shinder/tutorials/quick_reference_guide_to_configuring_isa_server_interfaces_part_1.htm

How to Enable ISA Server Logging to an Oracle Server
http://www.isaserver.org/pages/tutorials/enable_isa_server_logging_to_oracle_server.htm

ISA Clients - Part 1: General ISA Server Configuration
http://www.isaserver.org/authors/harrison/tutoials/isa-clients-part1.htm

ISA Clients - Part 2: SecureNAT and Web Proxy Clients
http://www.isaserver.org/authors/harrison/tutoials/isa-clients-part2.htm

3. Q Articles of the Month

Just copy and paste the line under the title into your browser and Go!
Only the First Web Site is Returned Using Web Publishing for Multiple Sites (Q291427)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291427&id=291427&SD=MSKB

How to Set Up Yahoo Messenger to Use Only Integrated Authentication on Your ISA Server Computer (Q309347)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309347&id=309347&SD=MSKB

Windows Update May Not Work in Windows XP If an Authenticating Web Proxy is Used (Q312955)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q312955&id=312955&SD=MSKB

ISA Firewall Client Shows Connection to Server Name Instead of IP Address (Q312391)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q312391&id=312391&SD=MSKB

ADVERTISEMENT
LANguard Content Filtering & Anti-Virus for ISA Server 2000
LANguard for ISA Server provides content checking and anti-virus of HTTP and FTP downloads and browsing. LANguard will check inbound traffic for viruses, malicious scripts and objectionable material. It also permits quarantining of downloads for approval. In addition, LANguard content filtering allows you to set up rules that can stop unproductive use of the Internet at the workplace. Download your Evaluation version today!
http://www.gfisoftware.com/stats/adentry.asp?adv=40&loc=16

4. Mailing List Post of the Month

Looking for SSL certificates and you don't want to use the Microsoft Certificate Server? Mike Carlson has the answer!

"http://www.freessl.com
Free SSL certificates good for 1 year. After the first year you have to pay. I have been using one for months with OWA and SSL and it works fine. I can provide more details if you want on how to implement the certificate if you have never done so. There is nothing special with the FreeSSL certificate though. Also, do not use the Web Server publishing rules to publish SSL, use the Server Publishing Rule and select HTTPS protocol.
I could not get it to work with the Web Server Publishing"

5. Web Board Post of the Month

Having problems with the remote MMC ISA Management console? Dionh may have the answer:

"OK here's how you fix it. On the ISA server:
Start->Run> dcomcnfg.exe
Go to the "Default Security" tab. Edit "Default Access Permissions". Now you can ADD the "Administrators Group". Note this is the group and not the account. (untested)
Or, REMOVE ALL the users. (tested) Including the INTERACTIVE & SYSTEM accounts. This resets the default permissions.
Just one other thing, you NEED to reboot the ISA server. Should now work fine.
Remember you also need to add the user to the local ISA server Administrators group, as in the online help."

6. ISA Server Link of the Month

Craig Nelson has put together a fantastic white paper on how to create site to site VPN links using Windows 2000 RRAS and ISA Server. You'll find the answer to many of your questions in this paper.
http://www.microsoft.com/isaserver/techinfo/development/2000/avanadevpn.asp

7. Ask Dr. Tom

QUESTION: This question comes from Brian Hampson:
"I have installed the admin snapin for ISA on my workstation, and can view sessions etc. I can configure reports to run on my ISA server, and they work well. The only problem is that I have to view them _ON_ the server. What do I need to do to make that part work remotely in the admin snap-in. Help! Thanks"

Answer: Hi Brian - bad news for you. You can only view reports at the local ISA Management console at the ISA Server itself. There are a number of issues and limitations associated with the remote MMC ISA Management console. I *highly* recommend that you use Terminal Services to manage the ISA Server. When you use Terminal Services to manage the ISA Server, you have full access to all the ISA Server Management console features. Someone I know had many problems getting the VPN Wizards to work.
The problem didn't make any sense until he told me that he was using the remote MMC console. The problem is that there is no way to run the VPN Wizard, which depends on RRAS at the ISA Server, using the remote MMC console.

QUESTION: This question comes from Paul Paraschivescu:
"I want to send you a comment about your article: 'Publishing a web site using ISA server'. You said that it's impossible to publish a web on port 80 on ISA server. In fact it is possible. All you have to do is to set default web to listen on port 80 only on internal card and to disable Socket Pooling. You can do this by running a script. See Q238131 about how to do this. I tried this and everything works fine."

Answer: Hi Paul - You are correct! In order to publish a Web site on Port 80 of the internal interface of the ISA Server, you must first disable socket pooling. The reason for this is that if you have configured an Incoming Web Requests Listener to listen on Port 80 on the external interface, then the listener will use that port and the requests will not be forwarded to Port 80 on the internal interface. But when socket pooling is disabled, the listener will be able to accept the requests and forward them to the internal interface. One other thing to watch out for is that the ISA Server is not publishing Autodiscovery information on Port 80 of the internal interface. You can change the Autodiscovery publishing port to another port number, but you will not be able to use DNS for your wpad entries.

QUESTION: This question comes from Dave Harriger:
"I used your OWA article originally. From the DMZ using the external address of the ISA server, I can successfully access OWA. Our destination set points to the external address on the ISA server. Our ISP has setup a zone file which directs a url to a 65.x.x.x address. Within our outside firewall (PIX) we have this address redirected to an external address on the ISA server allowing both SMTP and HTTP access. We receive the 403 error from the ISA server when attempting to access OWA from the internet. Any other ideas would be appreciated. Thanks, Dave"

Answer: Hi Dave - You bring up a very common issue. If you followed the instructions in the article, things should work. But one thing you didn't do was create a Destination Set based on a Fully Qualified Domain Name (FQDN). You must use FQDNs in your Destination Sets. At this time, using IP addresses in your Destination Sets will cause some unpredictable results. This should be fixed with ISA Server Service Pack 1.

8. ISA Server Guru of the Month - Jeremy Cooke

This month's ISA Server guru is Jeremy Cooke. Jeremy, who goes by the name of Jez on the ISAserver.org mailing list and Web boards, has contributed a number of helpful posts on how to manage virtually every aspect of ISA Server. His contributions and answers have all been top notch. For these reasons, we bestow upon Jeremy the honor of ISA Server Guru of the month.

Copyright (c) isaserver.org December 2001 - All Rights Reserved
Disclaimer: We are not responsible for anything good or bad that might happen to your systems based on the advice given herein. You must test and retest the configuration options suggested in this newsletter and validate and confirm for yourself that they work as you intend. ISAserver.org is in no way affiliated with Microsoft Corp. Read our online privacy statement: http://www.isaserver.org/pages/privacy.htm

Hope this helps...
Stefaan

-----Original Message-----
From: Yoes K [mailto:yoes_isaserver@xxxxxxxxx]
Sent: Friday 4 January 2002 0:54
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: bandwith rules effectifity ??

http://www.ISAserver.org

I don't get your meaning...
please give me some explanation

--- Souko souko <ssouko@xxxxxxxxxxx> wrote:
> http://www.ISAserver.org
>
> Hi,
>
> Bandwidth rules don't slice your bandwidth into separate channels. What
> happens is that if you have a client with inbound 50 he will receive the
> full bandwidth if there are no other requests. If another request comes in
> he will share the bandwidth halfway etc.
>
> I think the rule is
>
> (client rule) 50/50 = 1 (100%)
> if another client comes
> (client rule) 50/(50+50) = 0.5 (50%)
>
> But this is just a guess.
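The apportioning the forwarded newsletter works through by hand (section 3 of the feature, and the 50/(50+50) guess in Souko's reply above) as an added Python model. This is not code from the newsletter, from ISAserver.org or from ISA Server itself; it encodes the behaviour Dr. Shinder infers from his testing, not a documented algorithm. The priority values (High 200, Medium 100, Low 50), the 100K link and the 55K/8K/6K utilisation pattern are the newsletter's own worked numbers, used here as constructed input; the function and group names are the example's own.

```python
"""Model of ISA Server 2000 bandwidth apportioning as the newsletter
describes it.  Added example; not ISA Server code.  Assumed semantics,
taken from the text of the feature article:

  * only priorities that currently have active connections take part,
  * each active priority gets value / sum(active values) of the link,
  * every connection assigned to a priority shares that priority's pool,
  * a pool cannot borrow headroom left idle in another pool (the "kicker").
"""

# Inbound priority values from the newsletter's example (constructed input).
PRIORITIES = {"High": 200, "Medium": 100, "Low": 50}

# Which bandwidth rule (here, a user group) activates which priority.
RULE_TO_PRIORITY = {"VIPs": "High", "Full Timers": "Medium", "Part Timers": "Low"}


def apportion(active_priorities, link_kbps, priorities=PRIORITIES):
    """Return {priority: kbps} for priorities that have active connections.

    Inactive priorities get no entry; the shares of the active ones always
    add up to the whole link, which is why a lone Low connection gets 100%.
    """
    wanted = set(active_priorities)
    active = [p for p in priorities if p in wanted]
    if not active:
        return {}
    total = sum(priorities[p] for p in active)
    return {p: link_kbps * priorities[p] / total for p in active}


def pool_headroom(priority, allocation, in_use):
    """kbps still free inside ONE priority's pool.

    `in_use` maps priority -> kbps its existing connections consume.
    """
    return max(0.0, allocation.get(priority, 0.0) - in_use.get(priority, 0.0))


def new_connection_fits(priority, needed_kbps, allocation, in_use):
    """The newsletter's "kicker": a new connection competes only inside its
    own pool.  Idle capacity in other pools is reported but NOT borrowed,
    so the request is compared against its own pool's headroom alone."""
    own = pool_headroom(priority, allocation, in_use)
    idle_elsewhere = sum(pool_headroom(p, allocation, in_use)
                         for p in allocation if p != priority)
    return {
        "own_headroom_kbps": own,
        "idle_in_other_pools_kbps": idle_elsewhere,
        "fits_without_contention": needed_kbps <= own,
    }


def scenario(active_groups, link_kbps=100):
    """Map the groups with active connections to priorities and apportion."""
    return apportion({RULE_TO_PRIORITY[g] for g in active_groups}, link_kbps)


if __name__ == "__main__":
    # The four group combinations the newsletter walks through.
    for groups in (["VIPs"],
                   ["VIPs", "Full Timers"],
                   ["VIPs", "Full Timers", "Part Timers"],
                   ["Part Timers"]):
        alloc = scenario(groups)
        print(sorted(groups), {p: round(k, 1) for p, k in alloc.items()})

    # The kicker: all three active, High pool nearly full, a 16K request.
    alloc = scenario(["VIPs", "Full Timers", "Part Timers"])
    usage = {"High": 55, "Medium": 8, "Low": 6}   # constructed, per the text
    print(new_connection_fits("High", 16, alloc, usage))
```

Run it as a script to print the newsletter's four tables and the kicker case: the 16K VIP request sees roughly 2K of headroom in its own pool while about 29K sits idle in the Medium and Low pools, which is exactly the situation the article says the Help File text does not prepare you for. The model deliberately has no notion of an absolute cap per connection, matching the article's point that Bandwidth Rules cannot pin a group to "about 3K".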