Capacity planning for Forefront UAG DirectAccess with SP1

Before you install Forefront Unified Access Gateway (UAG) DirectAccess with Service Pack 1 (SP1), it is recommended that you review this topic to ensure that your hardware is sufficient for your deployment. The hardware requirements for servers running Forefront UAG DirectAccess vary with the number of concurrent users and with the Forefront UAG DirectAccess deployment scenario. It is recommended to use Windows Server 2008 R2 Service Pack 1 and Windows 7 Service Pack 1.

In any scenario, the number of concurrent users that can connect to the Forefront UAG DirectAccess server is reduced by using:

  • Smart card authentication.

  • Network Access Protection (NAP).

  • Force tunneling.

  • Additional infrastructure servers.

    Note

    Deploying a Forefront UAG array with additional Forefront UAG DirectAccess servers decreases the number of concurrent users that can connect to a particular server in an array, but provides an overall increase in the number of concurrent users that can connect to the Forefront UAG DirectAccess servers throughout the array. Using an external load balancer should be considered in order to improve performance.

Note

All measurements used in this topic assume a ratio of Teredo transition technology (70%) to IP-HTTPS (30%). If the ratio of users using Teredo to users using IP-HTTPS changes, performance changes with it. For example, for the default deployment described in this topic, 2000 users are supported if 100% of the users use Teredo, versus 1300 users if all the users use IP-HTTPS.

The performance was tested using simulated DirectAccess clients, as follows:

  • The DirectAccess clients simulated connections from outside of the corporation to a server within the corporation.

  • The DirectAccess clients simulated a data transfer rate with an upload-download ratio of approximately 1:9. The total client transfer rates (upload and download) used during testing are listed.

  • Each DirectAccess client transferred data for a set duration and then disconnected from the internal server and the Forefront UAG DirectAccess server.

  • The DirectAccess clients were configured to connect to the internal server at a client connection rate of one client every 2 seconds. A client connection rate higher than this value might decrease the number of concurrent users that can connect to Forefront UAG DirectAccess.

  • The scenarios described are examples and the values are representative only.

Forefront UAG DirectAccess deployment scenarios

The following sections detail the hardware that was used to test the performance capabilities for various Forefront UAG DirectAccess scenarios.

Forefront UAG DirectAccess default deployment

Table 1 lists the hardware that was used to test the performance capabilities of the default deployment of Forefront UAG DirectAccess.

Table 1: Forefront UAG DirectAccess server performance and hardware requirements for default deployment scenario

| Users (1, 2) | 900 | 2000 | 2300 | 3200 |
| Processors/Cores | 1/8 | 2/16 | 1/12 | 2/24 |
| Processor Type (3) | Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5560, 2.26 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5670, 2.93 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5670, 2.93 GHz with Intel Hyper-Threading Technology enabled |
| Memory - GB | 16 | 16 | 16 | 16 |
| Network Interface (4) | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability |
| Receive Side Scaling Queues | 8/8 | 8/8 | 6/6 | 6/6 (5) |
| Number of Infrastructure Servers | 50 | 50 | 50 | 50 |
| Client establishment rate – clients per second | 0.5 | 0.5 | 0.5 | 0.5 |
| Client data transfer rate – megabits per second (Mbps) | 0.1 | 0.1 | 0.1 | 0.1 |
| Maximum bandwidth supported on internal network adapter – Mbps | 75 | 200 | 220 | 300 |
| Network Access Protection | No | No | No | No |
| Smartcard | No | No | No | No |

Note

(1) The number of users is the maximum number of concurrent users serviced by a single Forefront UAG DirectAccess server.

(2) During testing, all users connected to the internal network through the Forefront UAG DirectAccess server using NAT64. You can increase performance if you reduce the percentage of users connecting to resources using NAT64 and increase the percentage connecting to resources using ISATAP. For example, 50 percent of users connect to resources using NAT64 and 50 percent connect to resources using ISATAP.

(3) The Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology is a minimum requirement to service the number of users in this table.

(4) A network adapter that uses Receive Side Scaling Queues can improve performance by more than 25 percent compared with the same adapter when not using Receive Side Scaling Queues.

(5) Configure the external Receive Side Scaling Queues to point to the first six cores, and the internal Receive Side Scaling Queues to point to the remaining six cores.

Forefront UAG DirectAccess Management Only Deployment

Table 2 lists the hardware that was used to test the performance capabilities of the management only deployment of Forefront UAG DirectAccess. The Forefront UAG DirectAccess - Management Only option uses Forefront UAG DirectAccess only for the management of client machines. This typically has a lower bandwidth requirement for each client.

Table 2: Forefront UAG DirectAccess server performance and hardware requirements for management only deployment scenario

| Users (1, 2) | 1800 | 4000 | 4500 | 5500 |
| Processors/Cores | 1/8 | 2/16 | 1/12 | 2/24 |
| Processor Type (3) | Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5560, 2.26 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5670, 2.93 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5670, 2.93 GHz with Intel Hyper-Threading Technology enabled |
| Memory - GB | 16 | 16 | 16 | 16 |
| Network Interface (4) | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability |
| Receive Side Scaling Queues | 8/8 | 8/8 | 6/6 | 6/6 (5) |
| Number of Infrastructure Servers | 50 | 50 | 50 | 50 |
| Client establishment rate – clients per second | 0.5 | 0.5 | 0.5 | 0.5 |
| Client data transfer rate – megabits per second (Mbps) | 0.02 | 0.02 | 0.02 | 0.02 |
| Maximum bandwidth supported on internal network adapter – Mbps | 30 | 70 | 90 | 110 |
| Network Access Protection | No | No | No | No |
| Smartcard | No | No | No | No |

Note

(1) The number of users is the maximum number of concurrent users serviced by a single Forefront UAG DirectAccess server.

(2) During testing, all users connected to the internal network through the Forefront UAG DirectAccess server using NAT64. You can increase performance if you reduce the percentage of users connecting to resources using NAT64 and increase the percentage connecting to resources using ISATAP. For example, 50 percent of users connect to resources using NAT64 and 50 percent connect to resources using ISATAP.

(3) The Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology is a minimum requirement to service the number of users in this table.

(4) A network adapter that uses Receive Side Scaling Queues can improve performance by more than 25 percent compared with the same adapter when not using Receive Side Scaling Queues.

(5) Configure the external Receive Side Scaling Queues to point to the first six cores, and the internal Receive Side Scaling Queues to point to the remaining six cores.

Forefront UAG DirectAccess one-time password (OTP) deployment

Table 3 lists the hardware that was used to test the performance capabilities of the One-time Password (OTP) deployment of Forefront UAG DirectAccess.

Table 3: Forefront UAG DirectAccess server performance and hardware requirements for OTP deployment scenario (assuming no authentication failures)

| Users (1, 2) | 900 | 2000 | 2300 | 3200 |
| Processors/Cores | 1/8 | 2/16 | 1/12 | 2/24 |
| Processor Type (3) | Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5560, 2.26 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5670, 2.93 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5670, 2.93 GHz with Intel Hyper-Threading Technology enabled |
| Memory - GB | 16 | 16 | 16 | 16 |
| Network Interface (4) | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability |
| Receive Side Scaling Queues | 8/8 | 8/8 | 6/6 | 6/6 (5) |
| Number of Infrastructure Servers | 50 | 50 | 50 | 50 |
| Client establishment rate – clients per second | 0.5 | 0.5 | 0.5 | 0.5 |
| Client data transfer rate – megabits per second (Mbps) | 0.1 | 0.1 | 0.1 | 0.1 |
| Maximum bandwidth supported on internal network adapter – Mbps | 75 | 200 | 220 | 300 |
| Network Access Protection | No | No | No | No |
| Smartcard | No | No | No | No |
| OTP | Yes | Yes | Yes | Yes |

Note

(1) The number of users is the maximum number of concurrent users serviced by a single Forefront UAG DirectAccess server.

(2) During testing, all users connected to the internal network through the Forefront UAG DirectAccess server using NAT64. You can increase performance if you reduce the percentage of users connecting to resources using NAT64 and increase the percentage connecting to resources using ISATAP. For example, 50 percent of users connect to resources using NAT64 and 50 percent connect to resources using ISATAP.

(3) The Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology is a minimum requirement to service the number of users in this table.

(4) A network adapter that uses Receive Side Scaling Queues can improve performance by more than 25 percent compared with the same adapter when not using Receive Side Scaling Queues.

(5) Configure the external Receive Side Scaling Queues to point to the first six cores, and the internal Receive Side Scaling Queues to point to the remaining six cores.

Table 4 lists the performance degradation for the OTP deployment depending on the failed/successful authentication ratio and the transition technology used (Teredo/IP-HTTPS).

Table 4: Forefront UAG DirectAccess server performance with OTP with failed authentication (with IP-HTTPS)

| Authentication Ratio | Performance Degradation in Active Users |
| No failed authentications | 0% |
| Failed/successful authentication ratio 1-1 | 24% |
| Failed/successful authentication ratio 2-1 | 49% |
| Failed/successful authentication ratio 5-1 | 75% |
| Failed/successful authentication ratio 10-1 | 86% |

Forefront UAG DirectAccess Deployment with NAP Integration

Table 5 lists the hardware that was used to test the performance capabilities of the deployment of Forefront UAG DirectAccess with NAP integration.

Table 5: Forefront UAG DirectAccess server performance and hardware requirements for NAP integration deployment scenario

| Users (1, 2) | 850 | 1900 | 2100 | 3000 |
| Processors/Cores | 1/8 | 2/16 | 1/12 | 2/24 |
| Processor Type (3) | Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5560, 2.26 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5670, 2.93 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5670, 2.93 GHz with Intel Hyper-Threading Technology enabled |
| Memory - GB | 16 | 16 | 16 | 16 |
| Network Interface (4) | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability |
| Receive Side Scaling Queues | 8/8 | 8/8 | 6/6 | 6/6 (5) |
| Number of Infrastructure Servers | 50 | 50 | 50 | 50 |
| Client establishment rate – clients per second | 0.5 | 0.5 | 0.5 | 0.5 |
| Client data transfer rate – megabits per second (Mbps) | 0.1 | 0.1 | 0.1 | 0.1 |
| Maximum bandwidth supported on internal network adapter – Mbps | 70 | 180 | 200 | 280 |
| Network Access Protection | Yes | Yes | Yes | Yes |
| Smartcard | No | No | No | No |

Note

(1) The number of users is the maximum number of concurrent users serviced by a single Forefront UAG DirectAccess server.

(2) During testing, all users connected to the internal network through the Forefront UAG DirectAccess server using NAT64. You can increase performance if you reduce the percentage of users connecting to resources using NAT64 and increase the percentage connecting to resources using ISATAP. For example, 50 percent of users connect to resources using NAT64 and 50 percent connect to resources using ISATAP.

(3) The Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology is a minimum requirement to service the number of users in this table.

(4) A network adapter that uses Receive Side Scaling Queues can improve performance by more than 25 percent compared with the same adapter when not using Receive Side Scaling Queues.

(5) Configure the external Receive Side Scaling Queues to point to the first six cores, and the internal Receive Side Scaling Queues to point to the remaining six cores.

Forefront UAG DirectAccess Deployment with Force Tunneling

Table 6 lists the hardware that was used to test the performance capabilities of the deployment of Forefront UAG DirectAccess with force tunneling.

Table 6: Forefront UAG DirectAccess server performance and hardware requirements for force tunneling deployment scenario

| Users (1, 2) | 900 | 2000 | 2300 | 3200 |
| Processors/Cores | 1/8 | 2/16 | 1/12 | 2/24 |
| Processor Type (3) | Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5560, 2.26 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5670, 2.93 GHz with Intel Hyper-Threading Technology enabled | Intel Xeon X5670, 2.93 GHz with Intel Hyper-Threading Technology enabled |
| Memory - GB | 16 | 16 | 16 | 16 |
| Network Interface (4) | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability | Gigabit Ethernet with Receive Side Scaling Queue capability |
| Receive Side Scaling Queues | 8/8 | 8/8 | 6/6 | 6/6 (5) |
| Number of Infrastructure Servers | 50 | 50 | 50 | 50 |
| Client establishment rate – clients per second | 0.5 | 0.5 | 0.5 | 0.5 |
| Client data transfer rate – megabits per second (Mbps) | 0.1 | 0.1 | 0.1 | 0.1 |
| Maximum bandwidth supported on internal network adapter – Mbps | 75 | 200 | 220 | 300 |
| Network Access Protection | No | No | No | No |
| Smartcard | No | No | No | No |
| Force Tunneling (6) | Yes | Yes | Yes | Yes |

Note

(1) The number of users is the maximum number of concurrent users serviced by a single Forefront UAG DirectAccess server.

(2) During testing, all users connected to the internal network through the Forefront UAG DirectAccess server using NAT64. You can increase performance if you reduce the percentage of users connecting to resources using NAT64 and increase the percentage connecting to resources using ISATAP. For example, 50 percent of users connect to resources using NAT64 and 50 percent connect to resources using ISATAP.

(3) The Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology is a minimum requirement to service the number of users in this table.

(4) A network adapter that uses Receive Side Scaling Queues can improve performance by more than 25 percent compared with the same adapter when not using Receive Side Scaling Queues.

(5) Configure the external Receive Side Scaling Queues to point to the first six cores, and the internal Receive Side Scaling Queues to point to the remaining six cores.

(6) When Force Tunneling is enabled, traffic is sent using the IP-HTTPS protocol. Performance is degraded by 50% of the number of users accessing external sites, that is, the scenarios are suitable for up to 50% fewer users. For example, for the scenario with 2000 users, if all users access external sites with Force Tunneling enabled, 1000 concurrent users are supported.

Forefront UAG DirectAccess with NLB

Table 7 lists the number of users supported by Forefront UAG DirectAccess for large deployments using network load balancing (NLB) when using separate physical servers. Each of the servers contains the hardware described in Table 1.

Table 7: Forefront UAG DirectAccess server performance with NLB (physical array with NLB; each column gives the number of users supported)

| Number of computers | Default Forefront UAG DirectAccess Deployment | Forefront UAG DirectAccess - Management Only | Forefront UAG DirectAccess - OTP | Forefront UAG DirectAccess - NAP Integration | Forefront UAG DirectAccess – Force Tunneling |
| 1 | 2000 | 3500 | 2000 | 1800 | 2000 |
| 2 | 3200 | 5600 | 3200 | 2880 | 3200 |

Table 8 lists the number of users supported by Forefront UAG DirectAccess for large deployments using NLB when using an array of virtual machines hosted on a single physical server. The server contains the hardware described in Table 1.

Table 8: Forefront UAG DirectAccess server performance with NLB on a virtual array

| Number of virtual machines | Default Forefront UAG DirectAccess Deployment (virtual array with NLB) |
| 1 | 760 |
| 2 | 1250 |
| 3 | 1560 |

For information about deploying Forefront UAG DirectAccess with NLB, see Configuring NLB for a Forefront UAG DirectAccess array.
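The figures in Tables 1 to 7 are easier to apply as a single estimator. The following Python script is an added example, not a tool or text from this topic and not Microsoft's code: it encodes the single-server ceilings from Tables 1, 2, 3, 5 and 6, the OTP degradation from Table 4, the force-tunneling reduction from note 6 under Table 6, the physical NLB array figures from Table 7, and the "add at least one more computer" recommendation from the redundancy section below. Two points are assumptions rather than statements of the topic: a failed/successful ratio that falls between the rows of Table 4 is charged the degradation of the next higher row, and arrays larger than the two computers measured in Table 7 are extrapolated at the per-computer figure of the two-computer array.

```python
"""Capacity estimator built from the figures in this topic (added example)."""

# Hardware tiers (processors/cores) tested in Tables 1, 2, 3, 5 and 6.
TIERS = ("1/8", "2/16", "1/12", "2/24")

# Maximum concurrent users per single server, by scenario and tier.
SINGLE_SERVER_USERS = {
    "default": (900, 2000, 2300, 3200),           # Table 1
    "management-only": (1800, 4000, 4500, 5500),  # Table 2
    "otp": (900, 2000, 2300, 3200),               # Table 3 (no failed authentications)
    "nap": (850, 1900, 2100, 3000),               # Table 5
    "force-tunneling": (900, 2000, 2300, 3200),   # Table 6 (no users on external sites)
}

# Table 4: degradation in active users for OTP, by failed:successful ratio (IP-HTTPS).
OTP_DEGRADATION = ((0.0, 0.00), (1.0, 0.24), (2.0, 0.49), (5.0, 0.75), (10.0, 0.86))

# Table 7: users supported by a physical NLB array of 1 or 2 computers.
NLB_PHYSICAL_USERS = {
    "default": {1: 2000, 2: 3200},
    "management-only": {1: 3500, 2: 5600},
    "otp": {1: 2000, 2: 3200},
    "nap": {1: 1800, 2: 2880},
    "force-tunneling": {1: 2000, 2: 3200},
}


def single_server_capacity(scenario, tier):
    """Concurrent users one server of the given tier supports in the scenario."""
    return SINGLE_SERVER_USERS[scenario][TIERS.index(tier)]


def force_tunneling_capacity(base_users, external_fraction):
    """Note 6 under Table 6: capacity drops by 50% of the share of users
    that access external sites (all users external -> half the users)."""
    if not 0.0 <= external_fraction <= 1.0:
        raise ValueError("external_fraction must be between 0 and 1")
    return round(base_users * (1.0 - 0.5 * external_fraction))


def otp_capacity(base_users, failed_per_success):
    """Table 4 degradation. A ratio between two tabulated rows is charged the
    degradation of the next higher row (assumption: err on the pessimistic side)."""
    if failed_per_success < 0:
        raise ValueError("failed_per_success must be non-negative")
    for ratio, degradation in OTP_DEGRADATION:
        if failed_per_success <= ratio:
            return round(base_users * (1.0 - degradation))
    raise ValueError("ratio is beyond the measured range (10-1)")


def array_users(scenario, computers):
    """Users a physical NLB array supports (Table 7). Beyond two computers the
    per-computer figure of the two-computer array is assumed to hold; the topic
    gives no measurement for larger physical arrays."""
    measured = NLB_PHYSICAL_USERS[scenario]
    if computers in measured:
        return measured[computers]
    per_computer = measured[2] / 2
    return round(per_computer * computers)


def array_servers_needed(scenario, required_users, redundancy=1):
    """Smallest array that carries required_users, plus spare computers for the
    'add at least one more computer for redundancy' recommendation."""
    computers = 1
    while array_users(scenario, computers) < required_users:
        computers += 1
    return computers + redundancy


if __name__ == "__main__":
    base = single_server_capacity("default", "2/16")
    print("default, 2/16 tier, single server:", base)
    print("same server, every user on external sites via force tunneling:",
          force_tunneling_capacity(base, 1.0))
    print("same server, OTP with a 1-1 failed/successful ratio:", otp_capacity(base, 1.0))
    print("physical NLB array for 3000 default users (with one spare):",
          array_servers_needed("default", 3000))
```

Run it as a script for the worked numbers, or import it and call the functions from a sizing spreadsheet script. The estimator deliberately does not combine modifiers (OTP failures together with force tunneling, for example), because the topic measures each degradation on its own.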

Provisioning and Configuring Server Hardware

The following sections provide guidance on how to properly provision and configure your server hardware according to your deployment:

Server hardware design

Design your server hardware according to current and future requirements to prepare for growth. You might want to consider adding processors, or adding memory with a capacity of at least two or three times your estimated requirements. Note that because hardware technology evolves rapidly, upgrade options might not be available for your server platform within a relatively short period of time. This could pose a serious problem if future demands require you to increase system performance; for example, in the event that you need additional processors.

Processor considerations

Be sure to select a supported processor, and to consider the processor performance recommendations.

Selecting a supported processor

Forefront UAG DirectAccess is only supported in production environments when it is installed on a computer with x64-compatible processors that is running the Windows Server 2008 R2 operating system.

You can select processors from Intel that support Intel Hyper-Threading Technology, or others that meet similar performance levels.

Regardless of which processor you select, it is recommended that you use a server product listed in the Windows Server Catalog (https://go.microsoft.com/fwlink/?LinkId=64547).

Processor performance recommendations

Forefront UAG DirectAccess benefits significantly when running on multi-core and multithreaded processors. The performance benefit for Forefront UAG DirectAccess from multi-core technology depends upon the specific processor that is used. Multi-core processors are an attractive option for Forefront UAG DirectAccess servers based on price and performance.

The processor usage on a server should maintain a load of no more than 70 percent during peak working hours. This percentage level allows for periods of extreme load. If the processor usage is consistently greater than 75 percent, processor performance is considered a bottleneck.
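The two thresholds above (70 percent as the ceiling for sustained peak-hour load, 75 percent as the level that marks the processor as a bottleneck) are simple to check against counter data collected with Performance Monitor. The script below is an added example and not part of this topic: it parses a constructed, Performance Monitor-style CSV export of the % Processor Time counter for a fictitious server named UAG-DA1 and applies both thresholds. The readings, the server name, and the reading of "consistently" as three consecutive samples above 75 percent are assumptions made for the example.

```python
import csv
import io

# Constructed sample of a Performance Monitor CSV export: a timestamp column and the
# '\Processor(_Total)\% Processor Time' counter, one reading per five minutes of a
# peak hour. The server name and all values are made up for this example.
PEAK_HOUR_CSV = r"""
"(PDH-CSV 4.0)","\\UAG-DA1\Processor(_Total)\% Processor Time"
"03/15/2011 09:00:00.000","61.8"
"03/15/2011 09:05:00.000","68.3"
"03/15/2011 09:10:00.000","71.2"
"03/15/2011 09:15:00.000","74.5"
"03/15/2011 09:20:00.000","77.1"
"03/15/2011 09:25:00.000","79.4"
"03/15/2011 09:30:00.000","81.2"
"03/15/2011 09:35:00.000","78.0"
"03/15/2011 09:40:00.000","76.3"
"03/15/2011 09:45:00.000","72.9"
"03/15/2011 09:50:00.000","69.1"
"03/15/2011 09:55:00.000","65.2"
"""

TARGET_PEAK_LOAD = 70.0   # sustained peak-hour load should stay at or below this
BOTTLENECK_LOAD = 75.0    # consistently above this: the processor is the bottleneck


def parse_processor_samples(csv_text):
    """Return the '% Processor Time' readings from a perfmon-style CSV export."""
    rows = [row for row in csv.reader(io.StringIO(csv_text)) if row]
    header, body = rows[0], rows[1:]
    column = next(i for i, name in enumerate(header) if "% Processor Time" in name)
    return [float(row[column]) for row in body]


def assess_processor_load(samples, sustained_samples=3):
    """Apply the topic's thresholds to a peak-hour sample set.

    'Consistently greater than 75 percent' is taken to mean at least
    sustained_samples consecutive readings above BOTTLENECK_LOAD (assumption)."""
    if not samples:
        raise ValueError("no samples to assess")
    average = sum(samples) / len(samples)
    longest_run = current_run = 0
    for value in samples:
        current_run = current_run + 1 if value > BOTTLENECK_LOAD else 0
        longest_run = max(longest_run, current_run)
    return {
        "average_load": round(average, 2),
        "exceeds_target": average > TARGET_PEAK_LOAD,
        "longest_run_above_bottleneck": longest_run,
        "processor_bottleneck": longest_run >= sustained_samples,
    }


if __name__ == "__main__":
    verdict = assess_processor_load(parse_processor_samples(PEAK_HOUR_CSV))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

In the constructed hour the average sits above the 70 percent target and five consecutive readings exceed 75 percent, so the script reports a processor bottleneck; in that situation the hardware tables above point to the next tier (more cores or a faster processor) rather than to a software setting.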

The following factors directly affect the performance of the CPU in a server:

  • The processor clock speed.

  • The number of processors.

  • The number of cores per processor (quad core processors provide a better price/performance ratio than dual core processors).

  • Hyper-Threading—When Hyper-Threading is enabled on a processor, the number of supported users can increase by up to 20 percent.

For performance, selecting the fastest processor available within your budget yields the best results. Forefront UAG DirectAccess can fully use multiple processors, and using servers with more processors improves performance.

Network adapter considerations

Receive Side Scaling Queue

Use network adapters with Receive Side Scaling Queue capability, a technology that enables packet receive-processing to scale with the number of available computer processors. This allows the Windows networking subsystem to take advantage of multi-core and many-core processor architectures.

You can enable Receive Side Scaling (RSS) on the Advanced tab of the adapter property sheet. If your adapter does not support RSS, the RSS setting is not displayed.

The Receive Side Scaling Queues setting allocates queue space to buffer transactions between the network adapter and CPU(s).

The following table shows the number of users that are supported on the hardware described in Table 1 and in Table 2, when Receive Side Scaling Queues (RSSQ) are used and when they are not used.

| Scenario | Number of users without RSSQ | Number of users with RSSQ | Percentage improvement in capacity when using RSSQ |
| Default Forefront UAG DirectAccess Deployment | 1650 | 2300 | 28 |
| Forefront UAG DirectAccess - Management Only | 3000 | 4000 | 33 |

Redundancy recommendations

Deploying an array

It is recommended that you deploy an array of Forefront UAG computers for redundancy. After determining the number of computers your deployment requires, add at least one more computer for redundancy. This will allow your deployment to continue working at optimal performance levels during a computer failure or other required maintenance.

Load balancing

Deploying a Forefront UAG array requires a load balancing mechanism: Network Load Balancing (NLB), or a hardware load balancer.