• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Lengthy Apply Of Settings

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> General >> Lengthy Apply Of Settings Page: [1]
Login
Message << Older Topic   Newer Topic >>
Lengthy Apply Of Settings - 12.Sep.2009 7:40:59 PM   
ModernAge

 

Posts: 37
Joined: 30.Jan.2008
Status: offline
Running ISA Server 2006 w/SP1 and latest updates. This runs on a Windows 2003 Standard Server with SP2 and latest updates. Hardware is Dual 3.0GHz Zeon Processors with 3GB of RAM. I have about 5 SecureNAT clients and 10 Firewall Clients.

Anytime I make a change applying my firewall policy it can take as many as 25 minutes and suck all the RAM out of the system.

I don't have many rules but I do have some URL sets I use to block the firewall clients from certain sites. I aquired the sites to block from a free location.

I'm just wondering if I'm taking the right approach to configuring the URL sets and/or if the application of policy is going to take this long under these circumstances. What can I do to streamline this or is this amount of time expected?

My setup is simply a 3-leg with a public perimeter network. Right now I have nothing on the permiter network.

Dave
Post #: 1
RE: Lengthy Apply Of Settings - 12.Sep.2009 10:32:44 PM   
DEVLAVI

 

Posts: 115
Joined: 16.Jul.2009
From: Bangalore, India
Status: offline
Hi Dave,

quote:

Hardware is Dual 3.0GHz Zeon Processors with 3GB of RAM. I have about 5 SecureNAT clients and 10 Firewall Clients.


Beefy hardware to handle request from a bunch of 15-20  clients.

Hmmm.

quote:

Anytime I make a change applying my firewall policy it can take as many as 25 minutes and suck all the RAM out of the system.


Run the ISA BPA tool and see if that points to anythimg.
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

HTH,
Dev

_____________________________

Vasu Dev,
Network Administrator

"Abnormal is so common, it's practically normal."

(in reply to ModernAge)
Post #: 2
RE: Lengthy Apply Of Settings - 13.Sep.2009 6:32:05 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: ModernAge

Running ISA Server 2006 w/SP1 and latest updates. This runs on a Windows 2003 Standard Server with SP2 and latest updates. Hardware is Dual 3.0GHz Zeon Processors with 3GB of RAM. I have about 5 SecureNAT clients and 10 Firewall Clients.

Anytime I make a change applying my firewall policy it can take as many as 25 minutes and suck all the RAM out of the system.

I don't have many rules but I do have some URL sets I use to block the firewall clients from certain sites. I aquired the sites to block from a free location.

I'm just wondering if I'm taking the right approach to configuring the URL sets and/or if the application of policy is going to take this long under these circumstances. What can I do to streamline this or is this amount of time expected?

My setup is simply a 3-leg with a public perimeter network. Right now I have nothing on the permiter network.

Dave


Large URL sets can have a big effect on apply times, especially when they contain large numbers of invidiual entries like blacklists etc.

I would move to something a little more optimised like a 3rd party solution - WebSense or similar maybe?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ModernAge)
Post #: 3
RE: Lengthy Apply Of Settings - 15.Sep.2009 7:17:43 PM   
ModernAge

 

Posts: 37
Joined: 30.Jan.2008
Status: offline
Well I know WebSense and GFI are out there but this is running at home just for me to familiarize myself so I don't mind the long time as long as it is something expected rather than completely unheard of.

The blacklist I'm using is available for so cheap I don't mind using it.

One question, is there a way to script/schedule a Firewall Policy refresh outside of the management console on the ISA server itself?

I'd like to write a script to export the firewall policy and apply policy daily if possible.

(in reply to Jason Jones)
Post #: 4
RE: Lengthy Apply Of Settings - 16.Sep.2009 5:28:57 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
This should help with the daily backup:

http://forums.isaserver.org/m_2002089114/mpage_1/key_backup/tm.htm#2002089116

I'm sure you could use a similar script for the "apply" bit...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ModernAge)
Post #: 5
RE: Lengthy Apply Of Settings - 17.Sep.2009 7:54:56 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Winfrasoft has a good backup application for ISA firewalls and firewall arrays too.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 6

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> General >> Lengthy Apply Of Settings Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts