Anyone ever max out your DirectAccess server?

  • Question

  • There's a good chance I will. Problem is, I'm having a hard time giving answers to server scaling questions asked by management. That's because I'm reading potentially conflicting information...

    What I suspect is most official is in this TechNet write-up: http://technet.microsoft.com/en-us/library/gg502561.aspx . What I see there seems to indicate about 2300 concurrent users per physical server and about 760 on a virtual machine. Obviously I'm sure it varies with hardware.

    I also found more optimistic numbers here, but they may not just apply to DA: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/6bb77ae6-172a-4c62-915b-3f0e41f2d49e

    Another thing I wonder about is that on that first link, they show more users per server in a manage-out-only config. I'm just the opposite: an access-in-only config, and in a "split tunnel" mode. I have to wonder if that boosts my number over the 2300/760 a bit. Everything seems so murky that I think I'm going to take the approach of "we should really start with a small (2 servers; management is going to want them to be VMs) deployment, see how things are looking as we add users, and grow as needed." The risk in doing that is management might see it as an open-ended blank check type of thing...

    Does anyone have any experience with scaling DA in a large environment?

    Thursday, April 14, 2011 2:13 PM

Answers

  • Thanks for the good discussion Jim! It's always great to get another perspective. Of course this is all my personal opinion, and I work for hardware appliance manufacturer so I admit my bias, though I would feel the same way in any circumstance :)

    I agree that the risk may be minimal for a "vulnerability leap" between a parent and child, but there is the potential for it. I have been on the receiving end of such a vulnerability, though it was a few years and a few versions ago, and it wasn't a pretty day. Infamous is probably the right word for it.

    By dedicating a virtual platform for the edge purpose I meant dedicating a whole parent/child system to the edge. Even within the percentage of companies that will allow virtual machines on the edge of their network, I bet the percentage of those companies that will allow a single parent to host internal child VMs and external child VMs at the same time is a much lower number. Thus there would probably be a virtual parent for internal servers, and a separate virtual parent for edge servers.

    I certainly think that the performance numbers are relevant to UAG. Have you seen the cost of a UAG server license? Needing 3x the amount of virtual machines that you would hardware is going to be cost prohibitive in many places. Also, large deployments are going to quickly run out of native UAG load balancing capability and need to invest in a hardware load balancer as well to be able to distribute their many users across a larger number of server instances.

    I completely agree that simply "turning on" another virtual or steel machine for any application is never that simple. I was just addressing a point made previously that virtual somehow makes expanding UAG easier...I don't feel that it does.

    Thanks again!

    • Marked as answer by Erez Benari Wednesday, May 4, 2011 11:44 PM
    Friday, April 22, 2011 3:05 PM

All replies

  • The trouble with numbers is that your users are going to be accomplishing different things. I'll try not to sound like a sales pitch :) but a user running Outlook and file shares is going to consume less bandwidth and CPU cycles than a user with 20 applications open. Because of that, we "tag" our appliances here at IVO with heavy usage numbers. We have appliances that range from 25 users up to 5,000 users, and an interesting modular unit that allows you to expand a single hardware device to 30,000 users. You could go much higher with load balancing, of course. These numbers are all based on heavy usage, and in most environments the number of users can actually be higher than the rating without bumping into resource limits.

    Of course I work at IVO, so factor that in as you will. I will point out that we are the only company in the world that offers encryption chipset hardware built into the mainboard of our appliances, which is a huge benefit in this area.

    I also feel like I should say that running virtual machines on the edge of any network is risky in my opinion. Here's something I wrote up a while ago pointing out some vulnerabilities and my general feelings on the subject: http://www.ivonetworks.com/news/?p=16

    Thursday, April 14, 2011 2:27 PM
  • I agree with you, but unfortunately I work for a large public university that's making huge cuts in IT as state funding is dropping. That means, as you can probably imagine, that almost any request for physical hardware goes over like a fart in church these days.

    Strategically, I have to at least start out virtual, and if issues arise I can make the case for physical hardware on what will then be an already established service.
    Thursday, April 21, 2011 7:02 PM
  • Virtual machines are no less secure than physical machines if you design the virtualisation layer properly. This may be a useful document to review: http://technet.microsoft.com/en-us/library/cc891502.aspx

    VMs are also easier to scale up and down as needed... as seen by the MS figures, VMs will have a bigger hit on your overall throughput of users than physical, but you gain in flexibility and agility.

    Cheers

    JJ
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, April 21, 2011 11:08 PM
  • I have to respectfully disagree :)

    Virtual machines always retain a parent/child relationship, and those "extra channels" make any vulnerability in any of the systems involved a big deal. A risk in the parent or even one of the children can easily turn into a risk for the other virtual machines being hosted on the same platform. Unless of course you are dedicating a virtual platform for this edge purpose, but then what's the point of using a virtual machine if you're dedicating hardware anyway?

    And of course as you have seen in the links you take a huge hit on performance.

    I have spoken with hundreds of people about UAG and DirectAccess, and I have yet to come across a single person willing to virtualize a production instance of UAG. Proof-of-concept, sure, but not production. Expanding isn't necessarily easier, either. You can't simply turn on another instance of the same virtual machine. You have to take all of the same configuration steps that you did when prepping your first box. One kicker is that it is not supported to change the hostname of a UAG machine after UAG has been initialized, so your new virtual machine that you are turning on to expand would have to be an image taken before UAG was even installed. So you really don't come out any time ahead except for the operating system install.

    This is all just my two cents based on my own experiences and conversations so far.

    Friday, April 22, 2011 11:05 AM
  • Don't get me wrong, I think virtualization is great, just not for the edge of the network.

    @RossJG, I love your analogy for how well a request for hardware goes over there. Pretty rare that "LOL" truly means what it stands for, but that comment did it for me! :)

    Friday, April 22, 2011 1:16 PM
  • Jordan,

    I would point out that your concerns seem juuuuuust a bit overstated.

    ..to address your points:

    1. "A risk in the parent or even one of the children can easily turn into a risk for the other virtual machines being hosed on the same platform."  Neither result is literally true.  If your concern is that VM deployments provide for easier spread of malware than it would for "real steel", this may have some merit if the malware author discovers some vulnerability in the hypervisor or integration components (VMware Tools) and he can exploit the child OS via that path.  Like any other malware, this will only be a threat to one hypervisor version.  By default, no modern hypervisor creates this sort of communication path and for the IC, the path is so small as to create a significant challenge for the PONI *.
    2. "Unless of course you are dedicating a virtual platform for this edge purpose"  There is no such thing (at least not yet).  All modern hypervisors include some form of on-parent management that ranges from a pared-down form of Linux (VMware ESX) to Windows core (Hyper-V).  Even then, this won't help alleviate the "parent-to-child threat" to which you allude in #1.
    3. "you take a huge hit on performance"  While it's true that there is no 1:1 perf mapping between real steel and VM (silly to assume this anyway, IMHO), to assume that you incur a "huge hit" suggests that the deployment planning wasn't executed properly, if at all.  Regardless, this point is not relevant to UAG or any edge deployment specifically.
    4. "You can't simply turn on another instance of the same virtual machine."  This point is relevant to any application.  Build a "real steel" Exchange server and try to duplicate it as you describe.  Your efforts will fail.  This has nothing to do with virtualization or edge deployments.

    Don't get me wrong - if you don't feel that you can comfortably justify virtualizing your edge deployments, then don't do it.  It's your deployment and you have to feel good about what you do (if you like to sleep, anyway <VBG>).  I know of plenty of real-life virtual (yes; VMware, too) deployments for UAG and TMG that leave their owners sleeping like all-day drunks.

    Jim


    *PONI: Person Of Nefarious Intent
    Jim Harrison Forefront Edge CS
    Friday, April 22, 2011 2:02 PM