average > 100
Logging creates too much I/O for a single disk to handle. This may happen in extreme cases of high load when using Microsoft SQL Server or (MSDE) logging
There is another process other than Wspsrv.exe writing to the disk. If disk transfers per second exceed the disk's maximum, identify this process (either by monitoring \Process(*)\I/O Write Operations/sec or using some other I/O tracing tool) and eliminate it.
Disk Read Bytes/sec
> 20 Kb
Verify whether there is another process reading from the disk.
Avg. Disk Bytes/Read
Same as above
Avg. Disk Queue Length
> 2 x Number of spindles
Potential Disk Bottleneck
ISA Server Firewall Packet Engine
ReInject Available IRPs
Expect this value to always be 5. A value of 0 for a long time means that ISA is running out of reinjection threads.
Depends on the scenario
An increased tendency in slope may indicate a network misconfiguration. (RST packets are dropped by some router.) Or, may indicate a DoS attack. (TCP connections that are never closed with RST
ISA Server Web Proxy
Check filters and filter configurations for performance-intensive options that may be disabled or relaxed. For example, a Web filter performing virus scanning could be configured not to scan some content types, such as images or text files that are not harmful from a security view.
Replace MSDE logging with text logging.
Review policy and check whether it is possible to use stateful filtering instead of application filtering for traffic that is considered harmless.
May indicate an attack. Trace network activity and look for irregular traffic patterns. If not an attack, check network for possible misconfigurations.
Indicates either a network misconfiguration or an attack. Use the ISA Server log to identify the actual condition.
TCP Established Connections/sec
<75% for connections / sec
The difference between TCP Established Connections/sec and Connections/sec accounts for other protocols (UDP, ICMP, GRE or other raw IP protocols) and unfinished TCP SYN handshakes, indicating the possibility of a TCP SYN attack.
ISA Server Firewall Service
Accepting TCP Connections
May indicate an attack from Firewall clients or congestion on the Internal network.
Verify connectivity with the DC and make sure name resolution is working.
A large number of worker threads means that something is wrong with external services (DNS or Active Directory) or an attack is occurring. The number does not go down after it is raised.
Pending DNS Resolutions
Pending TCP connections
ISA Server Web proxy
Memory pool for HTTP requests (%)
30% for an extended period is a trigger for problems or possible scale-out
Pool Nonpaged Bytes
Potential need to scale-out
This should not remain above 1.8 GB for any extended period. If it does, this is a potential scale trigger. If all other ISA performance aspects are within normal or heavy use ranges, then this may be normal.
ISA Server Web Proxy
Cache Hit Ratio for Last 10K Requests (%)
Consider disabling the cache since it appears that it is not being used.
Current Direct Fetches Average Milliseconds/request
> 10,000 (10 seconds)
May indicate WAN network connectivity problems or misconfiguration.
Current Cache Fetches Average Milliseconds/request
May indicate that disk transfers are higher than capacity. For more information, see \PhysicalDisk(*)\Disk Transfers/sec.
ISA Server Cache
Memory Cache Allocated Space (KB)
\ISA Server Cache
Memory Usage Ratio Percent (%)
Disk URL Retrieve Rate (URL/sec)
% Processor Time
% DPC Time
% User Time
High % User Time may indicate ISA Server misconfiguration.
May indicate an attack. Trace network activity and look for irregular traffic patterns. If not an attack, check network for possible misconfiguration.
Verify the network card driver and capture Netmon traces to check for potentially suspicious packets.
Note1: For authentication scenarios we recommend installing the hotfix in order to have this new set of counters available. We can’t trigger anything with those counters, but we should have a section on the report that exposes those numbers in order to give an overview of the authentication.
Note2: Feel free to inherit counters from the OS perspective based on PAL templates, mainly in the following areas: physical disk, memory, network and processor.
Note3: If any counter on the OS side raises the alert of using /3GB we need to raise a red flag. We don’t recommend /3GB on ISA at all.
Note4: To analyze TMG performance use the TMG PAL Template.
A 10,000 RPM disk can do 100 maximum, and a 15,000 RPM disk can do 150 maximum. If a disk is used only for ISA Server Web caching, and this counter is greater than the maximum, expect slow responses from ISA Server Web Proxy.
Needs to be added manually via the registry; see http://technet.microsoft.com/en-us/library/ff432667.aspx for more information.
Although 0 is the worst case, we should flag as a warning any value below or equal to 2. The trick with this counter is that you can’t rely on the average. For example, if the value is 0 for 5 seconds, this means that ISA stopped answering requests for 5 seconds. So we should always raise an alert on the final PAL report when this value is below 2, even if it is for only 2 seconds.
For application filtering scenarios, expect up to 30,000, suspect if more. For stateful filtering with IP routing enabled, expect up to 100,000. Suspect if more.
Client Bytes Sent/sec divided by Requests/sec provides a measure of average response size, which should be no more than 20 KB.
When the cache is full, it should be between 50% and 100% of total memory cache size.
In reverse caching, this can be made high (above 50%). In forward caching, it is generally less than 50%. For Forward Web Proxy scenario. In reverse caching, try to increase the size of the memory cache if less than 50%.
Depends on hit ratio. High (as compared to disk retrieve rate) in forward caching, low in reverse.
(Bytes Retrieved Rate) / (URL Retrieve Rate) = Bytes/URL, which should be up to 20 KB under normal conditions. Suspect otherwise.
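The following is an added example, not part of the original post or of the PAL template: it applies three of the rules above per sample rather than on averages, namely ReInject Available IRPs at or below 2, TCP Established Connections/sec below 75% of Connections/sec, and Client Bytes Sent/sec divided by Requests/sec above 20 KB. The CSV layout, host name ISA01, object placement of the counters, sample values, alert labels and the reading of 20 KB as 20 * 1024 bytes are assumptions made for the illustration.

```python
import csv
import io

# Constructed perfmon-style CSV export; host, object paths and values are made up.
SAMPLE_CSV = r'''"(PDH-CSV 4.0)","\\ISA01\ISA Server Firewall Packet Engine\ReInject Available IRPs","\\ISA01\ISA Server Firewall Packet Engine\Connections/sec","\\ISA01\ISA Server Firewall Packet Engine\TCP Established Connections/sec","\\ISA01\ISA Server Web Proxy\Client Bytes Sent/sec","\\ISA01\ISA Server Web Proxy\Requests/sec"
"10:00:00","5","400","380","2048000","200"
"10:00:01","5","420","400","2150400","210"
"10:00:02","1","900","450","2048000","200"
"10:00:03","0","950","400","2048000","200"
"10:00:04","5","410","390","6144000","200"
"10:00:05","5","400","385","2048000","200"
'''


def load(text):
    """Return (timestamps, {counter name: [samples]}) from the CSV text."""
    rows = list(csv.reader(io.StringIO(text.strip())))
    # Counter names contain '/', so take the last backslash-separated component.
    names = [h.split("\\")[-1] for h in rows[0][1:]]
    times = [r[0] for r in rows[1:]]
    series = {n: [float(r[i + 1]) for r in rows[1:]] for i, n in enumerate(names)}
    return times, series


def analyze(text):
    """Return (alerts, average ReInject Available IRPs) for the capture."""
    times, s = load(text)
    alerts = []
    for i, t in enumerate(times):
        # Any single sample at or below 2 is flagged; the average is not used.
        if s["ReInject Available IRPs"][i] <= 2:
            alerts.append((t, "reinject-irps-low"))
        # Established TCP below 75% of all connections: unfinished handshakes.
        conn = s["Connections/sec"][i]
        if conn and s["TCP Established Connections/sec"][i] / conn < 0.75:
            alerts.append((t, "tcp-established-below-75pct"))
        # Average response size = Client Bytes Sent/sec / Requests/sec.
        req = s["Requests/sec"][i]
        if req and s["Client Bytes Sent/sec"][i] / req > 20 * 1024:
            alerts.append((t, "avg-response-over-20KB"))
    irps = s["ReInject Available IRPs"]
    return alerts, sum(irps) / len(irps)


if __name__ == "__main__":
    found, avg_irps = analyze(SAMPLE_CSV)
    print(f"average ReInject Available IRPs: {avg_irps}")
    for when, rule in found:
        print(when, rule)
```

In this constructed capture the average of ReInject Available IRPs stays above 2 even though two consecutive samples are flagged, which is the case the averaging caveat above describes.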