| Object | Counter | Trigger | Meaning | General Recommendation |
|---|---|---|---|---|
| Memory | Pages/sec | 0 | Normal | |
| PhysicalDisk(*) | Disk Transfers/sec | Average > 100 | Bad | Logging creates too much I/O for a single disk to handle. This may happen in extreme cases of high load when using Microsoft SQL Server or MSDE logging. |
| | Disk Reads/sec | Between 20%-40% | | There is another process other than Wspsrv.exe writing to the disk. If Disk Transfers/sec exceeds its maximum, identify this process (either by monitoring \Process(*)\I/O Write Operations/sec or by using some other I/O tracing tool) and eliminate it. |
| | Disk Read Bytes/sec | > 20 KB | Suspicious | Verify whether there is another process reading from the disk. |
| | Avg. Disk Bytes/Read | > 20 KB | Same as above | See note [1]. |
| | Avg. Disk Queue Length | > 2 x number of spindles | Potential disk bottleneck | |
| ISA Server Firewall Packet Engine | ReInject Available IRPs [2] | 0 [3] | | Expect this value to always be 5; 0 for a long time means that ISA Server is running out of reinjection threads. |
| | Active Connections | Depends on the scenario [4] | | An increasing slope may indicate a network misconfiguration (RST packets are dropped by some router) or a DoS attack (TCP connections that are never closed with RST or FIN). |
| ISA Server Web Proxy | Average Milliseconds/request | > 30,000 | | Check filters and filter configurations for performance-intensive options that may be disabled or relaxed. For example, a Web filter performing virus scanning could be configured not to scan some content types, such as images or text files, that are not harmful from a security point of view. Replace MSDE logging with text logging. Review policy and check whether it is possible to use stateful filtering instead of application filtering for traffic that is considered harmless. |
| | Bytes/sec | < 100 bytes | | May indicate an attack. Trace network activity and look for irregular traffic patterns. If not an attack, check the network for possible misconfigurations. |
| | Dropped Packets/sec | > 100 | | Indicates either a network misconfiguration or an attack. Use the ISA Server log to identify the actual condition. |
| | TCP Established Connections/sec | < 75% of Connections/sec | | The difference between TCP Established Connections/sec and Connections/sec accounts for other protocols (UDP, ICMP, GRE or other raw IP protocols) and unfinished TCP SYN handshakes, indicating the possibility of a TCP SYN attack. |
| ISA Server Firewall Service | Accepting TCP Connections | > 10 | | May indicate an attack from Firewall clients or congestion on the Internal network. |
| | Backlogged Packets | > 10 | | Verify connectivity with the DC and make sure name resolution is working. |
| | Worker Threads | > 400 | | A large number of worker threads means that something is wrong with external services (DNS or Active Directory) or that an attack is occurring. The number does not go down after it has risen. |
| | Pending DNS Resolutions | Ideal | | |
| | Pending TCP connections | | | |
| ISA Server Web Proxy | Memory pool for HTTP requests (%) | < 30% | | 30% for an extended period is a trigger for problems or a possible scale-out. |
| Process(wspsrv) | Pool Nonpaged Bytes | > 175 MB | Potential need to scale out | |
| | Private Bytes | > 1.8 GB | | This should not remain above 1.8 GB for any extended period. If it does, this is a potential scale trigger. If all other ISA Server performance aspects are within normal or heavy-use ranges, this may be normal. |
| | Cache Hit Ratio for Last 10K Requests (%) | < 5% | | Consider disabling the cache, since it appears not to be used. |
| | Current Direct Fetches Average Milliseconds/request | > 10,000 (10 seconds) | | May indicate WAN network connectivity problems or misconfiguration. |
| | Current Cache Fetches Average Milliseconds/request | > 300 | | May indicate that disk transfers are higher than capacity. For more information, see \PhysicalDisk(*)\Disk Transfers/sec. |
| | Requests/sec | See note [5] | | |
| ISA Server Cache | Memory Cache Allocated Space (KB) | See note [6] | - | |
| | Memory Usage Ratio Percent (%) | See note [7] | | |
| | Disk URL Retrieve Rate (URL/sec) | See note [8] | | |
| Processor(*) | % Processor Time | > 80 | | |
| | % DPC Time | > 40% | | |
| | % User Time | > 70% | | High % User Time may indicate an ISA Server misconfiguration. |
| Network Interface(*) | Packets/sec | | | May indicate an attack. Trace network activity and look for irregular traffic patterns. If not an attack, check the network for possible misconfiguration. |
| | Bytes Received/sec | > 80% | | Verify the network card driver; get Netmon traces to check for potentially suspicious packets. |
| | Bytes Sent/sec | > 90% | | |
Note 1: For authentication scenarios we recommend installing the hotfix at http://support.microsoft.com/kb/928576 in order to have this new set of counters available. We can't trigger anything with those counters, but we should have a section in the report that exposes those numbers in order to give an overview of authentication.
Note 2: Feel free to inherit counters from the OS perspective based on the PAL templates, mainly in the following areas: physical disk, memory, network and processor.
Note 3: If any counter on the OS side raises an alert about the use of /3GB, we need to raise a red flag. We don't recommend /3GB on ISA Server at all.
Note 4: To analyze TMG performance, use the TMG PAL template.
[1] A 10,000 RPM disk can do a maximum of 100, and a 15,000 RPM disk a maximum of 150. If a disk is used only for ISA Server Web caching and this counter is greater than the maximum, expect slow responses from the ISA Server Web Proxy.
[2] Needs to be added manually via the registry; see http://technet.microsoft.com/en-us/library/ff432667.aspx for more information.
[3] Although 0 is the worst case, we should flag as a warning any value below or equal to 2. The trick with this counter is that you can't rely on the average: for example, if the value is 0 for 5 seconds, ISA Server stopped answering requests for 5 seconds. So we should always raise an alert in the final PAL report when this value is below 2, even if only for 2 seconds.
[4] For application filtering scenarios, expect up to 30,000; suspect if more. For stateful filtering with IP routing enabled, expect up to 100,000; suspect if more.
[5] Client Bytes Sent/sec divided by Requests/sec provides a measure of average response size, which should be no more than 20 KB.
[6] When the cache is full, it should be between 50% and 100% of the total memory cache size.
[7] In reverse caching, this can be made high (above 50%); in forward caching (the Forward Web Proxy scenario), it is generally less than 50%. In reverse caching, try to increase the size of the memory cache if it is less than 50%.
[8] Depends on the hit ratio. High (compared to the disk retrieve rate) in forward caching, low in reverse caching. (Bytes Retrieved Rate) / (URL Retrieve Rate) = Bytes/URL, which should be up to 20 KB under normal conditions. Suspect otherwise.
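As an added illustration (not part of the original template or of PAL), the following Python script applies four of the triggers above to a constructed perfmon CSV sample: the per-sample rule from note [3], the average-based Disk Transfers/sec rule, the 75% TCP Established ratio, and the response-size ratio from note [5]. The host and object names in the sample header are assumptions; matching is done on the counter name only.

```python
import csv
import io
import statistics

# Constructed perfmon/relog-style CSV (sample data, not a real capture). Headers
# use the \\HOST\Object(instance)\Counter form; object names are illustrative.
SAMPLE_CSV = """\
"Time","\\\\ISA1\\ISA Server Firewall Packet Engine\\ReInject Available IRPs","\\\\ISA1\\PhysicalDisk(_Total)\\Disk Transfers/sec","\\\\ISA1\\ISA Server Firewall Packet Engine\\TCP Established Connections/sec","\\\\ISA1\\ISA Server Firewall Packet Engine\\Connections/sec","\\\\ISA1\\ISA Server Web Proxy\\Client Bytes Sent/sec","\\\\ISA1\\ISA Server Web Proxy\\Requests/sec"
"10:00:00","5","80","90","100","1500000","100"
"10:00:01","5","120","60","100","1600000","100"
"10:00:02","1","130","50","100","2500000","100"
"10:00:03","5","90","95","100","1400000","100"
"""


def counter_series(csv_text):
    """Parse the CSV into {counter name: [samples]}, keyed by the text after
    the last backslash of each header (host, object and instance dropped)."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    names = [h.rsplit("\\", 1)[-1] for h in rows[0][1:]]
    series = {name: [] for name in names}
    for row in rows[1:]:
        for name, value in zip(names, row[1:]):
            series[name].append(float(value))
    return series


def evaluate(series):
    """Apply four of the table's trigger rules; returns [(counter, finding)]."""
    findings = []
    # Note [3]: never average this counter; any single sample <= 2 is an alert.
    low = [i for i, v in enumerate(series["ReInject Available IRPs"]) if v <= 2]
    if low:
        findings.append(("ReInject Available IRPs", f"{len(low)} sample(s) <= 2, first at sample {low[0]}"))
    # Disk Transfers/sec triggers on the average (> 100), not on a single spike.
    avg = statistics.mean(series["Disk Transfers/sec"])
    if avg > 100:
        findings.append(("Disk Transfers/sec", f"average {avg:.0f} > 100"))
    # Established TCP below 75% of all connections hints at unfinished SYN handshakes.
    for est, total in zip(series["TCP Established Connections/sec"], series["Connections/sec"]):
        if total and est / total < 0.75:
            findings.append(("TCP Established Connections/sec", f"{est / total:.0%} of Connections/sec < 75%"))
            break
    # Note [5]: Client Bytes Sent/sec divided by Requests/sec is the mean response size.
    for sent, req in zip(series["Client Bytes Sent/sec"], series["Requests/sec"]):
        if req and sent / req > 20 * 1024:  # 20 KB assumed as 20 * 1024 bytes
            findings.append(("Requests/sec", f"mean response {sent / req / 1024:.1f} KB > 20 KB"))
            break
    return findings
```

Against the sample, the script reports all four triggers; the single ReInject sample of 1 is flagged even though the series average is well above 2.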