
ISAserver.org Newsletter of December 19th 2001


Sponsored by: GFI Software Ltd. & WebTrends


In this issue:

Welcome to the Isaserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org


1. Feature: Working with ISA Server Bandwidth Rules

By Thomas W Shinder, M.D., MCSE, etc.

  1. What are ISA Server Bandwidth Rules?
  2. What the Help File Says About Bandwidth Rules
  3. What Bandwidth Rules Actually Do (from what I can tell)
  4. Creating Bandwidth Rules
  5. Testing and Troubleshooting Bandwidth Rules
  6. Summary

1. What are ISA Server Bandwidth Rules?

Bandwidth Priorities and Bandwidth Rules are some of the least understood features of ISA Server. ‘Shaping’ inbound and outbound traffic can be done by using Bandwidth Rules. Bandwidth Rules allow you to control the amount of available bandwidth assigned to a type of connection. The ‘type’ of connection is defined by the Bandwidth Rule, and the Bandwidth Priority determines the amount of bandwidth assigned to the connection type.

It’s important to know that Bandwidth Rules do not allow you to assign an absolute amount of bandwidth to a particular connection. A lot of people ask if they can control the amount of bandwidth used for downloading MP3s. For example, they want to limit the amount of bandwidth for MP3 downloaders to about 3K. While this would be nice, at this time it’s not possible to exert this kind of fine-tuned bandwidth control using ISA Server Bandwidth Rules.

Even though you cannot exert absolute control over bandwidth in this way, we’ve found Bandwidth Rules to be very helpful in reducing the amount of bandwidth assigned to spurious applications while at the same time guaranteeing that bandwidth is reserved for business critical applications.

2. What the Help File Says About Bandwidth Rules

What do Bandwidth Rules actually do? I think there might be a lot of confusion on this issue because of how they’re explained in the Help File:

“Bandwidth rules determine what connection gets priority over another. Microsoft Internet Security and Acceleration (ISA) Server bandwidth control does not limit how much bandwidth can be used. Rather, it informs the Windows 2000 quality of service (QoS) packet scheduling service how to prioritize network connections. Any connection that does not have an associated bandwidth rule will get a default scheduling priority. On the other hand, any connection with an associated bandwidth rule will be scheduled ahead of default scheduled connections.”

From reading this description, you get the impression that QoS is a major player in determining how Bandwidth Rules work. However, one of the fixes for broken Bandwidth Rules is to disable QoS on the network interfaces! I’d like to say I had an explanation for this, but at this time, it remains an Unresolved ISA Server Mystery.

Let’s add a bit more confusion to the mix. Examine this excerpt from the Help File:

“For example, imagine that you create a bandwidth rule called VIP that uses a bandwidth priority called Maximum, which sets outbound and inbound bandwidth to the maximum rate of 200. The bandwidth rule might allow a client set that includes all senior executives and specifies all protocols, any content, and at any time.

In the scenario, it is assumed that the network is fairly congested and only a limited amount of bandwidth remains. When two requests arrive, one from two senior executives and one from any other employee, the VIP bandwidth will be split between the two requests from the senior executives and the remaining bandwidth will be allocated to the other employee.”

This makes it sound like Bandwidth Rules are able to look at the type of connection requests (as defined by Bandwidth Rules and Bandwidth Priorities) and then dynamically assign bandwidth to the higher priority connection. For example, if you have a 100K connection to the Internet and only 10K remains unused, you might think that the remaining 10K will be dynamically allocated to the VIP group. The problem with this (from my experience) is that this is not true! Instead, it depends on the amount of bandwidth already assigned to the VIP group.

3. What Bandwidth Rules Actually Do (from what I can tell)

Bandwidth Rules depend on Bandwidth Priorities. You can configure Bandwidth Priorities in the Policy Elements sections of the ISA Management Console. Bandwidth Priorities are configured for:

  • Direction: inbound and outbound
  • Value between 0-200

Inbound and outbound bandwidth for a particular priority is assigned a value between 0 and 200 (inclusive). For example, you might create the following Bandwidth Priorities:

High – Inbound 200 Outbound 100
Medium – Inbound 100 Outbound 50
Low – Inbound 50 Outbound 25

These Bandwidth Priorities can be assigned to protocols, users/groups, destinations, content types or time of day.

Imagine that we have three groups of users: VIPs, Full Timers and Part Timers. We might configure Bandwidth Rules for these groups in the following way (all examples take into account inbound bandwidth only, to make things a bit simpler):

VIPs – High
Full Timers – Medium
Part Timers – Low

Now, imagine that we have a mythical 100K connection to the Internet. What would happen if just VIPs had active connections to the Internet?

VIPs (High) – Active – 100K
Full Timers (Medium) – Inactive – 0K
Part Timers (Low) – Inactive – 0K

Since only VIPs are connected to the Internet, all the available bandwidth is assigned to members of the VIPs group. So far, so good. Now, what would happen if a member of the Full Timers group established a connection to the Internet through the ISA Server?

VIPs – Active – 67K
Full Timers – Active – 33K
Part Timers – Inactive – 0K

The amount of bandwidth assigned to the VIPs has dropped from 100K to 67K. The reason for this is that bandwidth is apportioned based on the relative values of the Bandwidth Priorities that are active at the time.

In this case, when the VIPs Rule and the Full Timers Rule are invoked, they activate the High and Medium Bandwidth Priorities. The bandwidth assigned to each group is based on the relative values of their Bandwidth Priorities.

So, we can determine how much bandwidth each group is assigned by adding the values of the active Bandwidth Priorities together, and then dividing each Bandwidth Priority by the total. Then, multiply the result by the total amount of bandwidth available to the connection.

The process is shown below:

VIPs (High) 200 + Full Timers (Medium) 100 = 300
VIPs (High) 200/300 = 0.67
Full Timers (Medium) 100/300 = 0.33

Assigned bandwidth:
VIPs (High) = (0.67)(100K) = 67K
Full Timers (Medium) = (0.33)(100K) = 33K

What would happen if all three groups had active connections to the Internet via the ISA Server? Let’s go through the calculations again:

VIPs (High) 200 + Full Timers (Medium) 100 + Part Timers (Low) 50 = 350
VIPs (High) 200/350 = 0.57
Full Timers (Medium) 100/350 = 0.29
Part Timers (Low) 50/350 = 0.14

The assigned bandwidth to each priority is:

VIPs (High) – Active – (0.57)(100K) = 57K
Full Timers (Medium) – Active – (0.29)(100K) = 29K
Part Timers (Low) – Active – (0.14)(100K) = 14K

You can see how the amount of bandwidth assigned to EACH PRIORITY changes depending on which priorities are active. Note that bandwidth is apportioned based on Bandwidth Priorities. You might have several rules that are assigned to the High Bandwidth Priority. All the connections assigned the High Bandwidth Priority will share the same *pool of bandwidth* currently assigned to the High Bandwidth Priority.

And as you can see, the amount of bandwidth assigned to a particular priority varies based on which priorities have active connections at the moment. It is impossible to predict in advance how much bandwidth will be assigned for a certain type of connection at any point in time because you cannot predict which bandwidth priorities will be activated.

How much bandwidth would be assigned to the Part Timers group if no connections were active from users in the VIPs or Full Timers groups?

VIPs (High) – Inactive – (0)(100K) = 0K
Full Timers (Medium) – Inactive – (0)(100K) = 0K
Part Timers (Low) – Active – (1.0)(100K) = 100K

Since both the VIPs (High) and Full Timers (Medium) groups do not have active connections, their associated Bandwidth Priorities will not be activated. In this case, all the available bandwidth on the external interface of the ISA Server is assigned to the Part Timers group and its associated Low Bandwidth Priority.

Now that you understand how ISA Server dynamically allocates bandwidth based on which priorities are active, let’s get to the kicker! Look at the following example where all three bandwidth priorities are active:

VIPs (High) – Active – (0.57)(100K) = 57K
Full Timers (Medium) – Active – (0.29)(100K) = 29K
Part Timers (Low) – Active – (0.14)(100K) = 14K

Imagine the following utilization pattern:

VIPs (High) – using 55K of their allocated 57K
Full Timers (Medium) – using 8K of their allocated 29K
Part Timers (Low) – using 6K of their allocated 14K

What do you think will happen if another member of the VIPs group establishes a connection to the Internet via the ISA Server and needs about 16K for a streaming media presentation?

What will happen is that he will be able to use the remaining 2K allocated to the High Bandwidth Priority, and then he’ll have to fight it out with the other connections assigned to the pool of bandwidth assigned to the High Bandwidth Priority.

You might think, from reading the Help File, that the new VIP connection would be able to commandeer the unused bandwidth from the other Bandwidth Priorities, but it is not true, from what I can tell. In fact, if there were idle connections on the Medium and Low Priority bandwidth pools, the VIP guys would all still have to compete for the 57K that is allocated to them!
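The allocation behaviour described in this section can be modelled in a few lines. This is an added example, not code from the article or from ISA Server; it assumes the article's priority values, 100K link and observed "no borrowing between pools" behaviour, and the function names are hypothetical.

```python
# Added illustration of the article's arithmetic; not ISA Server code.
# Priority values (inbound) and the 100K link come from the article's example.
PRIORITIES = {"High": 200, "Medium": 100, "Low": 50}
LINK_K = 100


def allocate(active, priorities=PRIORITIES, link_k=LINK_K):
    """Split the link across the ACTIVE priorities in proportion to their values.

    Inactive priorities contribute nothing to the total and receive 0.
    Results are rounded to whole K, as in the article's tables.
    """
    active = set(active)
    total = sum(v for name, v in priorities.items() if name in active)
    return {
        name: round(link_k * value / total) if name in active else 0
        for name, value in priorities.items()
    }


def headroom(pools, usage):
    """Unused bandwidth remaining inside each priority's pool."""
    return {name: pools[name] - usage.get(name, 0) for name in pools}


def admit(priority, demand_k, pools, usage):
    """What a new connection of `demand_k` gets in the given priority pool.

    Follows the article's observation that idle bandwidth in other pools
    is NOT borrowed. Returns (uncontended_k, contended_k, stranded_k):
    bandwidth available without competition, bandwidth the connection must
    compete for inside its own pool, and idle bandwidth left in other pools.
    """
    free = headroom(pools, usage)
    uncontended = min(demand_k, max(free[priority], 0))
    contended = demand_k - uncontended
    stranded = sum(v for name, v in free.items() if name != priority)
    return uncontended, contended, stranded


if __name__ == "__main__":
    pools = allocate(["High", "Medium", "Low"])
    usage = {"High": 55, "Medium": 8, "Low": 6}   # utilization from the article
    print("pools:", pools)
    print("new 16K VIP stream:", admit("High", 16, pools, usage))
```

With the article's utilization figures, the new 16K VIP stream gets 2K uncontended and must compete for the other 14K, while 29K sits idle in the Medium and Low pools.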

4. Creating Bandwidth Rules

Creating Bandwidth Rules is a lot easier than understanding them. To create a Bandwidth Rule, you need to do two things:

  • Create a Bandwidth Priority
  • Create a Bandwidth Rule using a Bandwidth Priority

Perform the following steps to create a Bandwidth Priority:

  1. Open the ISA Management console and expand your server or array name, then expand the Policy Elements node.
  2. Right click the Bandwidth Priorities node, point to New and then click Bandwidth Priority.
  3. Type in a Name, a Description, and an Outbound and Inbound value between 1 and 200 for the priority. Click OK.

Perform the following steps to create a Bandwidth Rule:

  1. Open the ISA Management console, expand your server or array and right click on the Bandwidth Rules node. Point to New and click on Rule.
  2. On the Welcome page, type in a name for the rule and click Next.
  3. On the Protocols page, select which protocol you want the rule to apply to, and then click Next.
  4. On the Schedule page, select when you want the Rule to apply, and then click Next.
  5. On the Client Type page, decide who you want this rule to apply to. If you select Specific Computers or Specific users and groups, then the next page will allow you to select the Client Address Set or a User or Group. Click Next.
  6. On the Destination Sets page, select a destination that the rule should apply to, and then click Next.
  7. On the Contents page, select which content this rule should apply to, then click Next.
  8. On the Bandwidth Priority page, select the Custom option, then select the Bandwidth Priority that should apply to the rule. Click Next.
  9. On the last page of the Wizard, review your selections and click Finish.

The rule appears in the right pane of the Wizard. Note that the rules are prioritized, with the rules higher on the list applied first. For example, if a user has multiple rules that apply to a particular connection, the rule higher on the list will be applied. So carefully consider how you order your Bandwidth Rules.

5. Testing and Troubleshooting Bandwidth Rules

How do you know if your Bandwidth Rules are working? There’s nothing in the ISA Management console that will tell you if a Bandwidth Priority is active or inactive. What you need to do is create a Performance console that has the Bandwidth Priority performance objects.

When you open the Performance console, click the Add Counters button. In the Add Counters dialog box, select the ISA Server Bandwidth Control Performance Object. You’ll see the following counters:

  • Actual inbound bandwidth
  • Actual outbound bandwidth
  • Assigned Connections
  • Assigned outbound bandwidth
  • Assigned inbound bandwidth

Select all the counters and select all instances of the counters. After adding the counters, click the Close button in the Add Counters dialog box. In the Performance console, change the view to report view. Now you can view all the bandwidth priorities, their connection status, how much bandwidth is assigned to each priority, and how