
Common Ways to Address Performance Issues for Microsoft TMG, UAG and ISA 2006

Several problems have been reported regarding slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect some of the common issues here to give a brief overview of what the cause may be. Note, however, that not all of these items are directly caused by TMG / UAG / ISA.

A.) Make sure your TMG / UAG / ISA is up to date
As some of the problems are fixed with service packs or rollup packages, download the latest service pack and rollup package for your product.
This article is based on the following Updates:

TMG 2010: Service Pack 2 - Rollup Package 2 (Build 7.0.9193.540)
http://support.microsoft.com/kb/2689195

UAG 2010 Service Pack 2 (Build 4.0.2095.10000)
http://www.microsoft.com/en-us/download/details.aspx?id=30459

ISA 2006 Service Pack 1 + Security Fixes (Build 5723.514)
http://www.microsoft.com/de-de/download/details.aspx?id=17536
http://www.microsoft.com/de-de/download/details.aspx?id=3211
http://www.microsoft.com/de-de/download/details.aspx?id=12115

Read the installation instructions and preconditions for these updates! There are some special procedures, especially for load-balanced deployments, and the updates are not necessarily cumulative. As TMG is also part of UAG, both updates may be relevant.

Always save the configuration before you update.

B.) Verify correct NIC settings

NIC Settings INTERNAL:
IP, Network Mask from internal network
DNS: Internal DNS Servers
Default Gateway: Empty

The following enhanced settings should be ENABLED:
File and Printer Sharing
Client for Microsoft Networks
Register this connection’s address in DNS
NetBios over TCP/IP (or set to default)

NIC Settings EXTERNAL:
IP, Network Mask from external network
Default Gateway: IP Address from the external Router
DNS: Empty

The following enhanced settings should be DISABLED:
File and Printer Sharing
Client for Microsoft Networks
Register this connection’s address in DNS
NetBios over TCP/IP (or set to default)

If you use a Windows NLB Load Balancer, the setting should not be changed.

C.) NIC Binding Order
Go to
- Network and Sharing Center
- Network Connection
- Select Advanced – Advanced settings from the menu.

Make sure your LAN connection is the first in the list.
You can also use this dialog to enable / disable “File and Printer Sharing” and “Client for Microsoft Networks” on the NICs.

D.) NIC Drivers and Driver Settings
Depending on your operating system and the clients you use to connect to TMG, there are several settings that may influence performance. As long as the same operating system platforms (e.g. Win 2008 R2 / Win7) are communicating with each other, the settings can usually be left at their defaults. If older operating systems are connected to newer ones, some settings can be changed to get better performance.

It is recommended to change such settings via group policies so that you can revert them if the older clients leave the network.

To see the related settings, type at a command prompt:
netsh int ip show global
netsh int tcp show global

The affected settings are
Task offload
Receive-Side Scaling State
Chimney Offload
NetDMA State

To see the actual status, you can use, for example:
netsh int ip show offload
netstat -nt

Details about these settings can be found here:
http://support.microsoft.com/kb/951037/en-us
http://msdn.microsoft.com/en-us/library/ff565746.aspx

A more general article about network performance tuning:
http://msdn.microsoft.com/en-us/library/dd722838(v=bts.10).aspx

Some or all of these settings can also be enabled or disabled in the NIC driver settings.
For the settings to work, they have to be enabled in Windows and in the driver settings, on both machines that are communicating with each other.
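
Because these settings have to match on both communicating machines, it helps to compare the netsh output of the two hosts side by side. The following is an added example, not part of the original article: the setting labels follow Windows Server 2008 R2 netsh output (an assumption, they can differ by Windows version), and both sample outputs are constructed.

```python
# Added example: compare offload-related netsh settings between two hosts.
# Labels are assumed from Windows Server 2008 R2 output; adjust for other versions.
AFFECTED = (
    "Task Offload",                 # from: netsh int ip show global
    "Receive-Side Scaling State",   # from: netsh int tcp show global
    "Chimney Offload State",
    "NetDMA State",
)

def parse_netsh(text):
    """Return {label: value} for every 'Label : value' line in netsh output."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and value.strip():
            settings[label.strip()] = value.strip().lower()
    return settings

def compare_hosts(text_a, text_b, labels=AFFECTED):
    """List (label, value_a, value_b) for affected settings that differ between hosts."""
    a, b = parse_netsh(text_a), parse_netsh(text_b)
    return [(name, a.get(name, "missing"), b.get(name, "missing"))
            for name in labels
            if a.get(name, "missing") != b.get(name, "missing")]

# Constructed sample output (both netsh commands concatenated), not from a real system.
TMG_HOST = """\
Task Offload                        : enabled
TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State          : enabled
Chimney Offload State               : automatic
NetDMA State                        : enabled
Receive Window Auto-Tuning Level    : normal
"""
OLDER_PEER = """\
Task Offload                        : enabled
TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State          : disabled
Chimney Offload State               : disabled
NetDMA State                        : enabled
"""

if __name__ == "__main__":
    for label, tmg, peer in compare_hosts(TMG_HOST, OLDER_PEER):
        print(f"{label}: TMG={tmg} peer={peer}")
```

Save the output of both commands from each machine into text files and pass their contents to compare_hosts; the NIC driver settings still have to be checked separately.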

NOTE: If you use a virtual machine for your TMG, you may also want to have a look here, as some settings should be set differently on virtual machines.
http://msdn.microsoft.com/en-us/library/dd722835(BTS.10).aspx

E.) Network Speed Settings
Besides the settings above, in some cases the speed setting in the NIC driver can cause issues. Usually, the drivers try to autonegotiate the speed between the two ports, but this sometimes fails for several reasons.

Sometimes it is worth trying to set the NIC driver speed to a fixed speed that corresponds to the speed of the corresponding port (e.g. on a switch). If your switch supports 100 Mbit / full duplex, then try the same setting in the NIC driver properties.

Sometimes such issues are solved by newer drivers.

F.) TMG and High Speed Networks
Microsoft published a fix with Service Pack 1 / Rollup 2 that addresses some issues with high-speed traffic.
The fix and description can be found here:
http://support.microsoft.com/kb/2452980/en-us

According to this article, there are two possible steps:

- Raise the values for
  HKEY_LOCAL_MACHINE\system\currentControlSet\Services\W3Proxy\Parameters\
  MaxPendingSendsToClient
  MaxPendingSendsToServer
  Defaults are 4 before the Rollup, and 16 after the Rollup.
- Run the script as described in the article to raise the TCP buffer value.

G.) The Physical Aspects
Before you experiment with any settings, be aware that some physical limits apply to connection speeds.
There is a direct relationship between latency (ping / tracert), the TCP window size and the maximum transfer speed.
If you measure a latency of 20 ms, each TCP window needs this time to be transferred. 20 ms = 50 windows per second.
So if the window size is 64 KB, you can transfer 50 such windows per second (50 x 64 KB = 3.2 MB/s or 25.6 Mbit/s).
If you see lower throughput, you may have to increase the TCP window size to get the full bandwidth.
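
The calculation above, carried one step further as an added example that is not part of the original article: besides the throughput ceiling, it computes the window a given link would need at that latency and the TCP window-scale shift required once the window exceeds the 16-bit field. It assumes 1 KB = 1000 bytes to reproduce the article's 25.6 Mbit/s figure; the function names are hypothetical.

```python
import math

def max_throughput_bps(window_bytes, rtt_ms):
    """Ceiling for one TCP connection in bit/s: one full window per round trip."""
    return window_bytes * 8 * 1000 / rtt_ms

def required_window_bytes(link_bps, rtt_ms):
    """Bandwidth-delay product: bytes that must be in flight to keep the link full."""
    return math.ceil(link_bps * rtt_ms / 8000)

def window_scale_shift(window_bytes):
    """Smallest window-scale shift (RFC 7323, 0..14) whose scaled 16-bit window fits."""
    for shift in range(15):
        if (65535 << shift) >= window_bytes:
            return shift
    raise ValueError("window larger than TCP window scaling allows")

def plan(link_mbit, rtt_ms, window_bytes=64_000):
    """Compare what the current window delivers with what the link could carry."""
    link_bps = link_mbit * 1_000_000
    ceiling = max_throughput_bps(window_bytes, rtt_ms)
    needed = required_window_bytes(link_bps, rtt_ms)
    return {
        "ceiling_mbit": round(ceiling / 1_000_000, 1),
        "window_limited": ceiling < link_bps,
        "needed_window_bytes": needed,
        "scale_shift": window_scale_shift(needed),
    }

if __name__ == "__main__":
    # Link speeds in Mbit/s at the article's 20 ms latency (constructed inputs).
    for link in (10, 100, 1000):
        print(link, plan(link, 20))
```

A non-zero scale_shift means the needed window only works if window scaling is negotiated by both endpoints.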

H.) Hard Disk Performance
Keep in mind that hard disks can also affect TMG performance, as they are used for logging and caching. Especially if SAN storage is used, heavy load on the SAN can also influence the performance of TMG.

I.) Be Patient
Whenever you change something in TMG, give TMG time to apply the changes correctly.
Depending on the change, you have to either
- kill existing client sessions (Sessions tab)
- restart the firewall services

As sessions are closed when the user doesn't use them for a while, this happens by itself after some time. But other settings, such as listeners or changes to the IP configuration, need a restart of the firewall services. To see which connections are open or on which ports TMG / UAG / ISA is listening, type at a command prompt:
netstat -a -n -p tcp

So, if you don't see what you expect to see, restart the firewall service or just reboot the machine.

Author: Bembi

2 Comments

Administrative Comment

by:Keith Alabaster
Thanks for your efforts in pulling the article together which is now set to published.

Keith_Alabaster
Page Editor

Administrative Comment

by:Keith Alabaster
Experts Exchange Approved status awarded for the article Bembi.

Well done!

Cheers

Keith