Bandwidth always seems to be in short supply. You try to stay ahead of the game by ordering faster connections, but less than a week after you install the new connection, users once again clamor for more bandwidth.
You might find you don’t have a bandwidth problem at all. Suppose that after analyzing the traffic patterns on the external connection, you find that SMTP and HTTP traffic consumes far less bandwidth than you suspected. What you thought was a bandwidth shortage was actually a situation caused by a handful of users soaking up available bandwidth with NNTP, FTP, and MP3 downloads.
The problem you face is that management allows users to access these bandwidth-sucking protocols. Your challenge is to allow users access to these protocols, while retaining enough bandwidth for the real work of the organization. ISA Server can help you in your war against bandwidth hogs.
ISA Server allows you to create bandwidth rules, which can be used to shape the traffic on the external interface of the ISA Server. By using bandwidth rules, you can assign particular connections a higher priority over the available bandwidth. You can even assign different priorities to different groups using the same protocol.
To create bandwidth rules, you need to perform the following tasks:
- Create policy elements to support your bandwidth rules.
- Create bandwidth priorities.
- Create bandwidth rules using policy elements.
In this Daily Drill Down, we’ll go over how to create ISA Server bandwidth rules and see how they actually control bandwidth.
Create supporting policy elements
ISA Server access controls are based on policies. Access policies are implemented as a series of rules. In order to create rules, you first have to create policy elements.
Bandwidth rules are able to take advantage of the following policy elements:
- Protocol definitions
- Destination sets
- Client address sets (also users and groups)
- Content groups
- Bandwidth priorities
Each of these policy elements can be used to configure and customize your bandwidth rules.
ISA Server uses protocol definitions to define UDP and TCP protocols. Protocol definitions consist of protocol (TCP or UDP), an incoming port, and an outgoing port. Protocol rules are the foundation of inbound and outbound access control.
For example, if you want to allow internal users access to HTTP and FTP content on the Internet, there must be protocol definitions to support these protocols. ISA Server comes with over 80 predefined protocol definitions.
Destination sets are the cornerstone of controlling access based on the location of content. Destination sets contain one or more machines or domains. By using destination sets, you can control which sites users are able to access.
For example, if you want to deny access to the aol.com domain, you can create a destination set that includes the entry “*.aol.com”. Destination sets support wildcard entries that allow you to control access to an entire domain. Once a destination set is created, you can create a site and content rule to deny access to that domain.
Schedules allow you to control access based on the time of day or the day of the week. ISA Server comes with two built-in schedules: Work Hours and Weekends. You can create your own schedules to meet the specific requirements of your own company.
Client address sets
Client address sets are collections of IP addresses. They can consist of entire subnets or just a single computer. Client address sets are useful for controlling access when the clients are not able to authenticate with the ISA Server.
Suppose you have some Mac clients on your internal network and you need to control access to NNTP content. The Firewall Client software must be installed in order to control access based on user or group membership. Since this software can only be installed on Microsoft operating systems, you will not be able to control Mac client access based on user or group membership. You must use client address sets to control access for these non-Microsoft clients.
Content groups allow you to control access to various types of content via HTTP. For example, you might want to limit MP3 file access to certain user groups. You can use the built-in Audio content group to control access to MP3s, or you can create your own content group that is dedicated to this file format.
Bandwidth priorities allow you to define what portion of the available bandwidth is available to a certain type of connection. A bandwidth priority allows you to apportion a percentage of the available bandwidth for inbound and outbound traffic. Once the bandwidth priority is created, it can be applied to a rule to control traffic based on protocol, destination, schedule, client address set, or HTTP content.
Let’s take a closer look at bandwidth priorities and how to create them.
Create bandwidth priorities
To create a new bandwidth priority, perform the following steps:
- Open the ISA Management console, expand your server or array, and then expand the Policy Elements node. Right-click on Bandwidth Priorities and selectNew |Bandwidth Priority.
- The New Bandwidth Priority dialog box (Figure A) will appear. Type in the name of the priority and a description. For outbound and inbound bandwidths, you can enter a number between 1 and 200. These numbers are used as relative weightings. Note that you cannot control bandwidth by assigning hard-coded amounts of bandwidth.
- Click OK.
After the bandwidth priority is created, you can use it in a bandwidth rule.
|Creating a New Bandwidth Priority|
Create bandwidth rules
You create bandwidth rules to control the flow of inbound and outbound traffic. Perform the following steps to create a bandwidth rule:
- Open the ISA Management console, expand your server or array, and right-click on the Bandwidth Rules node in the left pane. Select New | Rule.
- On the Welcome To The New Bandwidth Rule Wizard page, type in the name of the rule. In this example, we want to control the allocation of bandwidth to all FTP accesses, so we’ll call this rule FTP.
- On the Protocols page (Figure B), click the down arrow in the Apply This Rule To drop-down box and select the Selected Protocols option. In the Protocols list, select the FTP protocol. After making your protocol(s) selection, click the Show Only Selected Protocols check box so that you can easily view which protocols are included in the rule. Click Next.
- On the Schedule page (Figure C), you can select a schedule for application of this bandwidth rule. In this example, we always want the rule applied, so we’ll select the Always option and click Next.
- On the Client Type page (Figure D), you’ll decide to which clients this rule will be applied. In this example, we want the rule applied to everyone, so we’ll select the Any Request option and click Next.
- On the Destination Sets page (Figure E), you’ll decide which destinations this rule should be applied to. In this example, we want to control the amount of bandwidth used to download content from the Internet. We’ll select All External Destinations and click Next.
- On the Content Groups page (Figure F), you’ll choose which content should be subjected to this bandwidth rule. In this example, we want all file types to be controlled by this bandwidth rule, so we’ll select All Content Groups and click Next.
- On the Bandwidth Priority page (Figure G), you’ll select which bandwidth priority you want to apply to the rule. In this example, we’ll apply the High Priority we created earlier and click Next.
- On the last page of the wizard, you can review your selections and then click Finish.
|Selecting a Protocol|
|Selecting a Schedule|
|Selecting the Client Type|
|Selecting the Destination|
|Selecting a Content Group|
|Selecting the Bandwidth Priority|
After creating bandwidth rules, you can use the built-in ISA Server Counter Objects in the Performance console to see your rules in action. Figure H shows real-time bandwidth allocations to the Default, High, and Very High Bandwidth Priorities.
|Viewing the ISA Server Bandwidth Control Counters|
Total available bandwidth is divided into bandwidth “pools” based on active priorities. If a connection matching conditions in a bandwidth rule activates a priority, a portion of that available bandwidth is assigned to that priority. The amount of total bandwidth assigned to a particular priority is determined by which priorities are active at any given time.
Note that even though a connection may have a very high priority, it cannot take bandwidth from a lower priority that is active. For example, if 6 Kbps is assigned to a high priority and only 3 Kbps is assigned to a low priority connection, the high priority bandwidth pool can be saturated while there is still available bandwidth in the low priority pool. The only difference between the high and the low priorities is that a larger percentage of the total bandwidth is assigned to the high priority connections. The percentage is determined by the relative values of the active priorities.
In this Daily Drill Down, I covered the specifics of creating bandwidth rules to control traffic on the external interface of the ISA Server. Bandwidth rules are based on policy elements, the most important of which are bandwidth priorities. Once the bandwidth rules are configured, available bandwidth is allocated based on which bandwidth priorities are activated by a connection. Bandwidth priorities cannot be used to limit the absolute amount of bandwidth assigned to connections.