DirectAccess Performance - Server 2016


  • We are running a DirectAccess multi-site deployment on Server 2016 running on top of VMware 6.5 with all the latest updates.

    All clients are Windows 10 with IPHTTPS.  The problem is, we feel like we're not getting the performance that we should be (and have gotten in the past).

    Our Internet connection is 1000 megabit / 1000 megabit and we have tested at a remote location with 450 megabit Internet.  We can only seem to pull about 10-11 megabits/second on the remote client.  We're pretty sure we've seen 30 megabit plus in the past and we can't narrow down where the bottleneck is.  I have seen other threads where people are stuck at like 355 kilobytes / second.  Ours is definitely doing faster than that, but I'm not sure if what we're seeing is typical of a DA deployment. Does anyone have any numbers for reference as to what they see on a remote client?

    We've tried pulling down updates from an SCCM server or doing a file transfer from our internal file server - each seems to be limited about the same.  We've made a firewall rule to disable all deep packet inspection on the data destined to the DA server and it hasn't helped.  We have a Palo Alto firewall.  Any help or performance data would be appreciated.

    Thank you.
    Monday, March 26, 2018 7:19 PM

  • - Is that 1000/1000 seen on the DA server's NIC too? What is the handshake speed there? Do you have the WAN NIC directly on the Internet or behind NAT?

    - Are all of the server's DA services green in status?

    - About SCCM patches, just a hint - let computers download patches from the Internet, only allowing updates from SCCM. It has such an option.

    - You didn't enable force tunneling, did you? :)

    Tuesday, March 27, 2018 6:11 PM
  • The DA servers have 10 gigabit + to our network through the VM cluster. We did a VM to VM transfer speed test the other day and got 8 gigabit+ between 2 of the Server 2016 VMs with IPERF.  Speedtests to the Internet show no issues either - we can pretty much max out the connection from either of those servers.

    Everything is green on the DA servers.

    The servers are NAT'd.  We only do IPHTTPS so didn't want to mess with having directly exposed interfaces on the servers, although I'm wondering if that might be part of the performance problem.  We've tried to turn off all deep packet inspection on the rules for the DA traffic to eliminate the Palo Alto as the issue.

    We could definitely do that with the updates.  I'm not as concerned about updates as I am Task Sequences.  We're hoping to let students do their own Win 10 upgrades from like 1607 --> 1709 at home so they aren't consuming class time.  I know we could do pre-download task sequence content, but it would be nice to increase the performance of this to the point where it doesn't matter how we configure it.

    We aren't doing force tunneling - although we were originally tempted to do that as a filtering solution until we found that you can't really do that for Internet traffic through DA.

    I'm mainly just curious if anyone can share what type of speeds they're getting remotely to know if we need to keep looking for ways to improve or if we're simply getting all that can be expected already.

    Tuesday, March 27, 2018 9:12 PM