Distributing the Authentication Load – A follow up on my previous post
Yesterday I published this post about an issue that caused TMG stop to respond and I want to clarify one key point here: TMG didn’t stop because was not able to handle the load, let’s be clear on that. Maybe it was not clear for some readers that don’t know about how TMG works, but the issue here was that the DC was not able to handle the gigantic amount of authentication request on the time speed that TMG was sending the requests and waiting for an answer. As a result of that TMG’s backlog started to grow and caused this behavior. Its plain simple: DC was not sized to handle that amount of authentication request. Again, not a TMG issue.
Couple of things can be done to avoid that those incidents don’t fully affect your environment. Here are some key tips (nothing new, but maybe you missed):
· Don’t create rules allowing ALL OUTBOND TRAFFIC as Protocol. This may cause issues as I explained in this post.
· Make sure to use Internet Explorer 7 or higher to take advantage of Kerberos, which will distributed the authentication load among the DCs. Back in 2008 I wrote this article that explains in details all the advantages of using Kerberos for Proxy authentication.
By using those practices you offload the authentication request to go from TMG to the DC and leave this task for the workstation (again read this article for more info), which dramatically impact the backlog (by lowering the utilization). Last but not least I want to say that it’s all about sizing: if the environment was sized to receive 20 x 100, it will have a negative impact if you see 2000 x 100. There is no magic here, in this case TMG was correctly sized, but as a secure firewall it couldn’t allow traffic to pass through without waiting for the DC to reply back saying that that request comes from a valid user, therefore it will fail safe and block the traffic from traversing the networks.
BTW, for those of you that still believe that Hardware Firewall is better, I will let you with the wise words of my friend Tom Shinder about this old discussion: Tom Shinder on “Hardware” Firewalls.