| Object | Counter | Trigger | Meaning | General Recommendation |
|---|---|---|---|---|
| Memory | Pages/sec | 0 | Normal | |
| PhysicalDisk(*) | Disk Transfers/sec | average > 100 | Bad | Logging creates too much I/O for a single disk to handle. This may happen in extreme cases of high load when using Microsoft SQL Server (or MSDE) logging. |
| PhysicalDisk(*) | Disk Reads/sec | Between 20%-40% | Normal | There is a process other than Wspsrv.exe writing to the disk. If Disk Transfers/sec exceeds its maximum, identify this process (either by monitoring \Process(*)\I/O Write Operations/sec or by using another I/O tracing tool) and eliminate it. |
| PhysicalDisk(*) | Disk Read Bytes/sec | > 20 KB | Suspicious | Verify whether there is another process reading from the disk. |
| PhysicalDisk(*) | Avg. Disk Bytes/Read | > 20 KB | Suspicious | Same as above |
| PhysicalDisk(*) | Disk Transfers/sec | See note [1] | See note | Same as above |
| PhysicalDisk(*) | Avg. Disk Queue Length | > 2 x number of spindles | Bad | Potential disk bottleneck |
| ISA Server Firewall Packet Engine | ReInject Available IRPs [2] | 0 [3] | Bad | Expect this value to always be 5; 0 for a long time means that ISA Server is running out of reinjection threads. |
| ISA Server Firewall Packet Engine | Active Connections | Depends on the scenario [4] | See note | An increasing slope may indicate a network misconfiguration (RST packets are dropped by some router) or a DoS attack (TCP connections that are never closed with RST or FIN). |
| ISA Server Web Proxy | Average Milliseconds/request | > 30,000 | Bad | Check filters and filter configurations for performance-intensive options that may be disabled or relaxed. For example, a Web filter performing virus scanning could be configured not to scan some content types, such as images or text files, that are not harmful from a security point of view. Replace MSDE logging with text logging. Review policy and check whether it is possible to use stateful filtering instead of application filtering for traffic that is considered harmless. |
| ISA Server Firewall Packet Engine | Bytes/sec | < 100 bytes | Suspicious | May indicate an attack. Trace network activity and look for irregular traffic patterns. If not an attack, check the network for possible misconfigurations. |
| ISA Server Firewall Packet Engine | Dropped Packets/sec | > 100 | Suspicious | Indicates either a network misconfiguration or an attack. Use the ISA Server log to identify the actual condition. |
| ISA Server Firewall Packet Engine | TCP Established Connections/sec | < 75% of Connections/sec | Suspicious | The difference between TCP Established Connections/sec and Connections/sec accounts for other protocols (UDP, ICMP, GRE or other raw IP protocols) and unfinished TCP SYN handshakes, indicating the possibility of a TCP SYN attack. |
| ISA Server Firewall Service | Accepting TCP Connections | > 10 | Bad | May indicate an attack from Firewall clients or congestion on the Internal network. |
| ISA Server Firewall Packet Engine | Backlogged Packets | > 10 | Bad | Verify connectivity with the DC and make sure name resolution is working. |
| ISA Server Firewall Service | Worker Threads | > 400 | Bad | A large number of worker threads means that something is wrong with external services (DNS or Active Directory) or an attack is occurring. The number does not go down after it has risen. |
| ISA Server Firewall Service | Pending DNS Resolutions | 0 | Ideal | |
| ISA Server Firewall Service | Pending TCP connections | 0 | Ideal | |
| ISA Server Web Proxy | Memory pool for HTTP requests (%) | < 30% | Bad | Below 30% for an extended period is a trigger for problems or a possible scale-out. |
| Process(wspsrv) | Pool Nonpaged Bytes | > 175 MB | Suspicious | Potential need to scale out. |
| Process(wspsrv) | Private Bytes | > 1.8 GB | Suspicious | This should not remain above 1.8 GB for any extended period. If it does, this is a potential scale trigger. If all other ISA Server performance aspects are within normal or heavy-use ranges, then this may be normal. |
| ISA Server Web Proxy | Cache Hit Ratio for Last 10K Requests (%) | < 5% | Suspicious | Consider disabling the cache, since it appears not to be used. |
| ISA Server Web Proxy | Current Direct Fetches Average Milliseconds/request | > 10,000 (10 seconds) | Suspicious | May indicate WAN connectivity problems or misconfiguration. |
| ISA Server Web Proxy | Current Cache Fetches Average Milliseconds/request | > 300 | Suspicious | May indicate that disk transfers are higher than capacity. For more information, see \PhysicalDisk(*)\Disk Transfers/sec. |
| ISA Server Web Proxy | Requests/sec | See note [5] | Suspicious | |
| ISA Server Cache | Memory Cache Allocated Space (KB) | See note [6] | - | |
| ISA Server Cache | Memory Usage Ratio Percent (%) | See note [7] | - | |
| ISA Server Cache | Disk URL Retrieve Rate (URL/sec) | See note [8] | - | |
| Processor(*) | % Processor Time | > 80 | Bad | |
| Processor(*) | % DPC Time | > 40% | Bad | |
| Processor(*) | % User Time | > 70% | Bad | High % User Time may indicate an ISA Server misconfiguration. |
| Network Interface(*) | Packets/sec | < 100 bytes | Suspicious | May indicate an attack. Trace network activity and look for irregular traffic patterns. If not an attack, check the network for possible misconfiguration. |
| Network Interface(*) | Bytes Received/sec | > 80% | Bad | Verify the network card driver and capture Network Monitor (netmon) traces to look for potentially suspicious packets. |
| Network Interface(*) | Bytes Sent/sec | > 90% | Bad | Same as above |
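The table above gives triggers of two different kinds: most are evaluated on the average over the sampling window (Disk Transfers/sec, Avg. Disk Queue Length, the memory pool percentage), while ReInject Available IRPs must be tested on every single sample, because one interval at 0 already means ISA Server stopped answering for that interval (footnote [3]). The following Python script is an added example, not code from the original table and not part of the PAL tool; it assumes the counter log was exported with `relog -f CSV` (a header row of counter paths, one row per sample interval), the host name ISA1, and the number of spindles behind the volume, and the sample rows are constructed, not a real capture.

```python
"""Threshold checks for ISA Server perfmon counters over a CSV counter log.

Added example; it is not part of the original guidance table or of PAL.
Assumptions: the log was exported with `relog -f CSV` (header row of
counter paths, one row per sample interval); the rows below are constructed.
"""
import csv
import io
import statistics
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample: six one-second intervals from a host named ISA1.
# Column names follow perfmon's \\Machine\Object(Instance)\Counter form.
SAMPLE_CSV = r'''"(PDH-CSV 4.0)","\\ISA1\PhysicalDisk(0 C:)\Disk Transfers/sec","\\ISA1\PhysicalDisk(0 C:)\Avg. Disk Queue Length","\\ISA1\ISA Server Firewall Packet Engine\ReInject Available IRPs","\\ISA1\ISA Server Web Proxy\Memory pool for HTTP requests (%)"
"01/01/2024 10:00:00.000","60","1.2","5","55"
"01/01/2024 10:00:01.000","70","1.5","5","52"
"01/01/2024 10:00:02.000","250","4.1","0","48"
"01/01/2024 10:00:03.000","240","4.4","0","44"
"01/01/2024 10:00:04.000","65","1.1","5","41"
"01/01/2024 10:00:05.000","55","0.9","5","39"
'''

Series = Dict[Tuple[str, str], List[float]]


def counter_key(path: str) -> Tuple[str, str]:
    # r"\\ISA1\PhysicalDisk(0 C:)\Disk Transfers/sec" -> ("PhysicalDisk", "Disk Transfers/sec")
    # The instance in parentheses is dropped so one rule covers every instance ("(*)" in the table).
    parts = path.strip("\\").split("\\")
    obj_instance, counter = parts[-2], parts[-1]
    return obj_instance.split("(")[0], counter


def load_samples(text: str) -> Series:
    """Parse the relog CSV into per-counter value lists (blank cells are skipped)."""
    rows = list(csv.reader(io.StringIO(text)))
    header, data = rows[0], rows[1:]
    series: Series = {}
    for col, path in enumerate(header[1:], start=1):
        series[counter_key(path)] = [float(r[col]) for r in data if r[col].strip()]
    return series


@dataclass(frozen=True)
class Rule:
    obj: str
    counter: str
    meaning: str                            # the table's "Meaning" column
    fires: Callable[[List[float]], bool]    # trigger test over the sample window
    why: str


def build_rules(spindles: int) -> List[Rule]:
    """A subset of the table's triggers; `spindles` is the disk count behind the volume (assumed known)."""
    return [
        Rule("PhysicalDisk", "Disk Transfers/sec", "Bad",
             lambda v: statistics.mean(v) > 100,
             "average > 100: logging I/O exceeds what a single disk can handle"),
        Rule("PhysicalDisk", "Avg. Disk Queue Length", "Bad",
             lambda v: statistics.mean(v) > 2 * spindles,
             f"> 2 x {spindles} spindles: potential disk bottleneck"),
        # Footnote [3]: never average this counter; a single low sample means ISA
        # stopped answering for that interval, so every sample is tested.
        Rule("ISA Server Firewall Packet Engine", "ReInject Available IRPs", "Bad",
             lambda v: min(v) <= 2,
             "any sample <= 2: running out of reinjection threads"),
        Rule("ISA Server Web Proxy", "Memory pool for HTTP requests (%)", "Bad",
             lambda v: statistics.mean(v) < 30,
             "< 30% for an extended period: problems or a scale-out trigger"),
    ]


def evaluate(series: Series, rules: List[Rule]) -> Dict[str, str]:
    """Map counter name -> the table's meaning when its trigger fires, else 'OK'."""
    findings: Dict[str, str] = {}
    for rule in rules:
        values = series.get((rule.obj, rule.counter))
        if not values:
            continue  # counter absent from this log (ReInject IRPs needs the registry setting in footnote [2])
        findings[rule.counter] = rule.meaning if rule.fires(values) else "OK"
    return findings


if __name__ == "__main__":
    series = load_samples(SAMPLE_CSV)
    for counter, verdict in evaluate(series, build_rules(spindles=1)).items():
        print(f"{verdict:10} {counter}")
```

In the constructed window the ReInject Available IRPs column averages 3.33, so an average-based rule would stay silent, while the per-sample rule flags the two intervals at 0; Avg. Disk Queue Length averages 2.2, which is a bottleneck for a single spindle but not for two.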

 

Note 1: For authentication scenarios we recommend installing the hotfix from http://support.microsoft.com/kb/928576 so that the new set of authentication counters is available. We cannot trigger alerts on those counters, but the report should have a section that exposes those numbers in order to give an overview of authentication.

Note 2: Feel free to inherit counters from the OS perspective based on the PAL templates, mainly in the following areas: physical disk, memory, network and processor.

Note 3: If any OS-side counter raises the alert that the /3GB switch is in use, raise a red flag. We do not recommend /3GB on ISA Server at all.

Note 4: To analyze TMG performance, use the TMG PAL template.


[1] A 10,000 RPM disk can do 100 transfers/sec at most, and a 15,000 RPM disk 150 at most. If a disk is used only for ISA Server Web caching and this counter is greater than that maximum, expect slow responses from ISA Server Web Proxy.

[2] Needs to be added manually via the registry; see http://technet.microsoft.com/en-us/library/ff432667.aspx for more information.

[3] Although 0 is the worst case, any value less than or equal to 2 should be flagged as a warning. The trick with this counter is that you cannot rely on the average: if the value is 0 for 5 seconds, ISA Server stopped answering requests for 5 seconds. So the final PAL report should always raise an alert when this value is below 2, even if only for 2 seconds.

[4] For application filtering scenarios, expect up to 30,000; suspect if more. For stateful filtering with IP routing enabled, expect up to 100,000; suspect if more.

[5] Client Bytes Sent/sec divided by Requests/sec gives the average response size, which should be no more than 20 KB.

[6] When the cache is full, it should be between 50% and 100% of the total memory cache size.

[7] In reverse caching, this can be made high (above 50%); try to increase the size of the memory cache if it is less than 50%. In forward caching (the Forward Web Proxy scenario), it is generally less than 50%.

[8] Depends on the hit ratio: high (as compared to the disk retrieve rate) in forward caching, low in reverse caching. (Bytes Retrieved Rate) / (URL Retrieve Rate) = Bytes/URL, which should be up to 20 KB under normal conditions; suspect otherwise.
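Several of the verdicts above are not single-counter thresholds but ratios or trends: TCP Established Connections/sec as a share of Connections/sec (the SYN-flood indicator in the table), the average response size of footnote [5], the Bytes/URL figure of footnote [8], and the "increasing slope" of Active Connections. The Python below is an added example and is not part of the original table or of PAL; it sums each series over the window before dividing, uses a least-squares slope for the trend, and the 1% per-interval growth cut-off for "increasing slope" is an assumption, since the table does not quantify it. All counter values are constructed per-second samples.

```python
"""Derived-metric checks from the table's notes: ratios and trends no single counter shows.

Added example; not part of the original table or of PAL. All inputs are
constructed per-interval samples (one value per second), not real captures.
"""
import statistics
from typing import Dict, List, Optional

KB = 1024


def ratio_of_sums(numer: List[float], denom: List[float]) -> Optional[float]:
    """Sum both series over the window before dividing, so quiet intervals do
    not dominate; None when the denominator is zero (nothing to measure)."""
    total = sum(denom)
    return sum(numer) / total if total else None


def tcp_established_ratio(established_per_sec: List[float], connections_per_sec: List[float]) -> Optional[float]:
    """TCP Established Connections/sec as a share of Connections/sec. The gap is
    other protocols (UDP, ICMP, GRE, raw IP) plus unfinished SYN handshakes; the
    table calls < 75% suspicious (possible TCP SYN attack)."""
    return ratio_of_sums(established_per_sec, connections_per_sec)


def average_response_bytes(client_bytes_sent_per_sec: List[float], requests_per_sec: List[float]) -> Optional[float]:
    """Footnote [5]: Client Bytes Sent/sec / Requests/sec, expected to be <= 20 KB."""
    return ratio_of_sums(client_bytes_sent_per_sec, requests_per_sec)


def bytes_per_url(bytes_retrieved_rate: List[float], url_retrieve_rate: List[float]) -> Optional[float]:
    """Footnote [8]: Bytes Retrieved Rate / URL Retrieve Rate, up to 20 KB normally."""
    return ratio_of_sums(bytes_retrieved_rate, url_retrieve_rate)


def slope(values: List[float]) -> float:
    """Least-squares slope (units per interval) of a counter over the window."""
    n = len(values)
    if n < 2:
        return 0.0
    xbar = (n - 1) / 2
    ybar = statistics.mean(values)
    num = sum((x - xbar) * (y - ybar) for x, y in enumerate(values))
    den = sum((x - xbar) ** 2 for x in range(n))
    return num / den


def classify(sample: Dict[str, List[float]], growth_per_interval: float = 0.01) -> Dict[str, str]:
    """Apply the table's verdicts. `growth_per_interval` (slope relative to the
    window mean of Active Connections) is an assumed cut-off for "increasing
    slope", which the table leaves unquantified."""
    out: Dict[str, str] = {}
    r = tcp_established_ratio(sample["tcp_established"], sample["connections"])
    out["tcp_established_ratio"] = "Suspicious" if r is not None and r < 0.75 else "OK"
    b = average_response_bytes(sample["client_bytes_sent"], sample["requests"])
    out["avg_response_bytes"] = "Suspicious" if b is not None and b > 20 * KB else "OK"
    u = bytes_per_url(sample["bytes_retrieved"], sample["urls_retrieved"])
    out["bytes_per_url"] = "Suspicious" if u is not None and u > 20 * KB else "OK"
    active = sample["active_connections"]
    mean_active = statistics.mean(active)
    rel = slope(active) / mean_active if mean_active else 0.0
    out["active_connections_trend"] = "Suspicious" if rel > growth_per_interval else "OK"
    return out


# Constructed windows of four one-second samples.
HEALTHY = {
    "tcp_established": [80, 80, 80, 80], "connections": [100, 100, 100, 100],
    "client_bytes_sent": [500_000] * 4, "requests": [50] * 4,
    "bytes_retrieved": [300_000] * 4, "urls_retrieved": [30] * 4,
    "active_connections": [1000, 1010, 990, 1005],
}
# Most handshakes never complete, and the connection table only grows.
SYN_PRESSURE = {
    **HEALTHY,
    "tcp_established": [20, 25, 15, 20], "connections": [200, 200, 200, 200],
    "active_connections": [1000, 1100, 1200, 1300],
}

if __name__ == "__main__":
    for name, window in (("healthy", HEALTHY), ("syn pressure", SYN_PRESSURE)):
        print(name, classify(window))
```

In the healthy window 80% of new connections complete a handshake and Active Connections only jitters, so everything reads OK; in the constructed SYN-pressure window only 10% complete and the connection table climbs by about 9% of its mean every interval, which are the two signals the table associates with a SYN attack or with RST packets being dropped along the path.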