Before deploying ISA Server, estimate your Internet connectivity requirements. Use the following sections as guidelines for planning the size and type of your servers, and whether to deploy them as an array. Figure 5.8 shows the process for designing for high availability.
Figure 5.8: Designing for High Availability
The flowchart in Figure 5.9 outlines the capacity planning process for ISA Server.
Figure 5.9: ISA Server Capacity Planning Process
Use the following guidelines for capacity planning:
- Ensure that the minimum hardware requirements for deploying ISA Server are met.
- Decide whether to install ISA Server as a firewall. If yes, ensure that the minimum firewall requirements are met.
- Decide whether to install ISA Server as a Web cache server. If yes, ensure that the minimum hardware requirements are met.
The following list describes the minimum hardware requirements for installing ISA Server:
- A computer with a 300 megahertz (MHz) or higher Pentium II-compatible CPU.
- The computer must be running either a member of the Windows 2000 Server family, or a member of the Windows Server 2003 family. If you are installing ISA Server on a computer running Windows Server 2003, you must also install ISA Server SP1.

  Note: Using the latest service pack is always recommended.
- 256 megabytes (MB) of memory.
- 20 MB of available hard disk space.
- A network adapter to communicate with the internal network.
- One local hard disk partition that is formatted with the NTFS file system.
To implement the array and enterprise-level policy configuration, you must also run Active Directory.
If you are using ISA Server in firewall or integrated mode, two network adapters are required.
If your ISA Server is also supporting other services, such as e-mail or Web services, additional resources might be required.
Use Table 5.3 to determine the type of computers to use and whether you require an array.
Hits per Second | Minimum Hardware Required | RAM |
---|---|---|
Less than 500 | One computer, Pentium II, 300 MHz processor | 256 MB |
500 to 900 | One computer, Pentium III, 550 MHz processor | 256 MB |
More than 900 | One computer, Pentium III, 550 MHz processor, for each 800 hits per second increment | 256 MB per server |
Note: You can also use Performance Monitor to identify bottlenecks and determine whether to add more servers.
If multiple computers are required to handle the network load, consider setting up an array of ISA Server-based computers. Arrays allow Web cache routing across a group of ISA Server-based computers. For more information, see "Configuring ISA Server in an Array" later in this chapter.
Table 5.4 lists hardware requirements and network connections based on expected throughput for firewall clients accessing content on the Internet.
Throughput Requirements | Minimum Hardware Required | Internet Connection Type |
---|---|---|
36 kilobits per second (Kbps) to 1 megabit per second (Mbps) | One computer, Pentium II, 300 MHz processor | POTS modem, cable modem, or xDSL |
384 Kbps to 1.5 Mbps | One computer, Pentium II, 300 MHz processor | T1 |
3 Mbps to 44 Mbps | One computer, Pentium III, 550 MHz processor | T3 or faster |
More than 44 Mbps | One computer, Pentium III, 550 MHz, for each 50 MB/second required | OC3 or faster |
You can deploy ISA Server as a forward-caching server, which maintains a centralized cache of frequently requested Internet content. In this case, consider how many users might access the Internet.
Table 5.5 lists the hardware requirements for using ISA Server in forward cache mode.
Internet Users | Minimum Hardware Required | RAM | Disk Space for Caching |
---|---|---|---|
Up to 500 | One computer, Pentium II, 300 MHz processor | 256 MB | 2-4 Gigabytes (GB) |
500-1,000 | One computer, two Pentium III, 550 MHz processors | 256 MB | 10 GB |
More than 1,000 | Two computers, Pentium III, 550 MHz processors | 256 MB for each server | 10 GB for each server |
If your user base exceeds 1,000 users, you can use hardware with faster processors and more memory, or you can add more ISA Server installations.
You can deploy ISA Server as a reverse-caching server to fulfill Web requests from the Internet to your network. For example, you might place an ISA Server computer between the Internet and an organization's Web server that is hosting a commercial Web business or providing access to business partners. In that case, you need to consider how often external clients might request content from the publishing servers.
Table 5.6 lists hardware requirements for ISA Server in reverse cache mode, based on the number of hits per second from Internet users.
Hits Per Second | Minimum Hardware Required |
---|---|
Fewer than 100 | One computer, Pentium II, 300 MHz processor |
101 to 250 | One computer, Pentium III, 450 MHz processor |
More than 250 | One computer, Pentium III, 550 MHz processor for each 250 hits per second. You can use Performance Monitor to determine bottlenecks, and then add more servers or more powerful hardware, as necessary. |
Memory requirements depend on the size of the cacheable content that you are publishing, and the working set of the content. Ideally, all cacheable content should fit into the available memory. By default, the ISA Web Proxy service uses half of the available server memory for RAM caching. For example, if the Web site you are publishing has 250 MB of cacheable content, then your ISA Server computer should have at least twice this much available RAM before the Web Proxy service starts.
In some cases, you need to decide whether to add an additional ISA Server-based computer or to improve the performance of the existing computer by adding an additional processor. Each option has different advantages.
When you add a new computer and create an array of ISA Server-based computers, you set up a fault-tolerant system. If one computer fails, the other continues to function. On the other hand, adding a computer means that you have to purchase and manage additional hardware and any software that is installed on the computer.
When designing for scalability, consider differences between Microsoft Internet Security and Acceleration (ISA) Server Standard Edition and Microsoft Internet Security and Acceleration (ISA) Server Enterprise Edition, such as:
- ISA Server Standard Edition supports only a single computer configuration, and therefore, cannot be used in an array.
- ISA Server Enterprise Edition can be configured either in a single computer configuration or in an array.
Computers running ISA Server Enterprise Edition can be grouped together in arrays. An array is a group of ISA Server-based computers used to perform Web cache routing. Arrays allow a group of ISA Server-based computers to be treated and managed as a single, logical entity. An array installation also provides increased performance and bandwidth savings. Grouping your ISA Server-based computers in an array allows your client requests to be distributed among multiple servers, thereby improving response time for clients.
All the servers in an array share a common configuration. This saves management time because the array is configured once and the configuration is applied to all the servers in the array. Furthermore, you can apply an enterprise policy to an array. This allows centralized management for all the arrays in the enterprise. A unique array policy can be applied to each array in the enterprise.
It is recommended that you consider installing ISA Server as an array even if there is only one server. The advantages to this include the ability to easily add an additional server to the array in the future and the ability to use the advanced array management features.
Note: All array members must be in the same domain and in the same site.
Table 5.7 compares ISA Server features as a stand-alone server and in an array configuration.
ISA Server Stand-Alone Server | ISA Server Array |
---|---|
Can be installed in a Windows NT 4.0 domain. | Requires Active Directory. |
Cannot use array or enterprise policies. | Uses both enterprise- and array-level policies. |
Installs from either ISA Server Standard or ISA Server Enterprise Edition. | Installs from ISA Server Enterprise Edition only. |
Firewall and Web proxy clients can achieve fault tolerance when two or more computers running ISA Server are used together with a Domain Name System (DNS) server.
You can use DNS to assign the same name to all the ISA Server-based computers in a cluster. With this configuration, when a client requests an object from the ISA Server-based computer specifying the DNS name, the DNS server resolves the name to one of the computers running ISA Server in the array in a round robin fashion. This increases fault tolerance through redundancy and improves performance through the use of multiple computers answering client requests.
Note: For DNS round robin to work for an ISA array, the duplicated resource records must all use the array name.
Figure 5.10 shows the DNS server receiving a request from the clients and forwarding the request to the computers running ISA Server in a round-robin configuration.
Figure 5.10: DNS Round Robin
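The following added example (not part of the original guide) checks the round-robin requirement described above: every array member needs an A record under the array name, and at least two members must be in rotation for fault tolerance. The zone text, the name `isa-array`, the host names, and the addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample zone data (not from the original guide); names and
# addresses are placeholders from the RFC 5737 documentation range.
SAMPLE_ZONE = """\
isa-array   IN A 192.0.2.11
isa-array   IN A 192.0.2.12
isa03       IN A 192.0.2.13   ; member published under its host name only
www         IN A 192.0.2.80
"""

def parse_a_records(zone_text):
    """Return {owner_name: [ip, ...]} for the A records in zone_text."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # strip comments
        if len(fields) < 3 or fields[-2].upper() != "A":
            continue
        addr = str(ipaddress.IPv4Address(fields[-1]))  # raises on bad data
        records.setdefault(fields[0].lower(), []).append(addr)
    return records

def check_round_robin(zone_text, array_name, members):
    """Compare the A records for array_name with the expected member IPs."""
    array_name = array_name.lower()
    records = parse_a_records(zone_text)
    published = set(records.get(array_name, []))
    expected = {str(ipaddress.IPv4Address(m)) for m in members}
    # A member that only has a record under another owner name is never
    # returned when clients resolve the array name.
    elsewhere = {}
    for ip in expected - published:
        names = sorted(n for n, ips in records.items() if ip in ips)
        if names:
            elsewhere[ip] = names
    return {
        "in_rotation": sorted(expected & published),
        "missing": sorted(expected - published),
        "missing_found_under": elsewhere,
        "unexpected": sorted(published - expected),
        "fault_tolerant": len(expected & published) >= 2,
    }

if __name__ == "__main__":
    members = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
    print(check_round_robin(SAMPLE_ZONE, "isa-array", members))
```

In the sample data, the third member is reported as missing from rotation because its only record uses its host name rather than the array name.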