Before you install Forefront Unified Access Gateway (UAG) DirectAccess, it is recommended that you review this topic to ensure that your hardware is sufficient for your deployment.
The hardware requirements for servers running Forefront UAG DirectAccess vary, and are dependent on the number of concurrent users and the Forefront UAG DirectAccess configuration.
In any scenario, the number of concurrent users that can connect to the Forefront UAG DirectAccess server are reduced by using:
- Smart card authentication.
- Network Access Protection (NAP).
- More infrastructure servers.
Note:Using additional Forefront UAG DirectAccess servers decreases the number of concurrent users that can connect to a particular server in an array, but provides an overall increase in the number of concurrent users that can connect to the Forefront UAG DirectAccess servers throughout the array.
Table 1 lists the hardware that was used to test the performance capabilities of Forefront UAG DirectAccess. The performance was tested using simulated DirectAccess clients, as follows:
- The DirectAccess clients simulated
connections from outside of the corporation to a server within the
corporation.
- The DirectAccess clients simulated a data
transfer rate with an upload-download ratio of approximately 1:9.
The total client transfer rates (upload and download) used during
testing are listed in Table 1.
- Each DirectAccess client transferred data for
a set duration and then disconnected from the internal server and
the Forefront UAG DirectAccess server.
- The DirectAccess clients were configured to
connect to the internal server at a client connection rate of one
client every 2 seconds. A client connection rate higher than
this value might decrease the number of concurrent users that can
connect to Forefront UAG DirectAccess.
Table 1: Forefront UAG DirectAccess server performance and hardware requirements for common deployment scenarios
| Default Forefront UAG DirectAccess Deployment | Forefront UAG DirectAccess - Management Only5 | |
|---|---|---|
|
Users 1,2 |
2300 |
4000 |
|
CPU 3 |
2 quad-core processors For example, 2 Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology enabled |
2 quad-core processors For example, 2 Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology enabled |
|
Memory - GB |
16 |
16 |
|
Network Interface 4 |
Gigabit Ethernet with Receive Side Scaling Queue capability |
Gigabit Ethernet with Receive Side Scaling Queue capability |
|
Receive Side Scaling Queues |
8 |
8 |
|
Number of Infrastructure Servers |
50 |
50 |
|
Client establishment rate – clients per second |
0.5 |
0.5 |
|
Client data transfer rate – megabits per second (Mbps) |
0.1 |
0.02 |
|
Maximum bandwidth supported on internal network adapter – Mbps |
230 |
80 |
|
Network Access Protection |
No |
No |
|
Smartcard |
No |
No |
| Note: |
|---|
| 1 The number of users is the maximum number of concurrent users serviced by a single Forefront UAG DirectAccess server.2 During testing, all users connected to the internal network through the Forefront UAG DirectAccess server using NAT64. You can increase performance if you reduce the percentage of users connecting to resources using NAT64 and increase the percentage connecting to resources using ISATAP. For example, 50 percent of users connect to resources using NAT64 and 50 percent connect to resources using ISATAP.3 The Intel Xeon L5520, 2.26 GHz with Intel Hyper-Threading Technology is a minimum requirement to service the number of users in this table.4 A network adapter that uses Receive Side Scaling Queues can improve performance by more than 25 percent compared with the same adapter when not using Receive Side Scaling Queues.5 The Forefront UAG DirectAccess - Management Only option uses Forefront UAG DirectAccess only for the management of client machines. This typically has a lower bandwidth requirement for each client. |
Table 2 lists the number of users supported by Forefront UAG DirectAccess for large deployments using network load balancing (NLB) when using separate physical servers. Each of the servers contains the hardware described in Table 1.
Table 2: Forefront UAG DirectAccess server performance with NLB
| Number of computers | Physical array with NLB | Physical array with NLB |
|---|---|---|
|
Default Forefront UAG DirectAccess Deployment |
Forefront UAG DirectAccess - Management Only |
|
|
1 |
2300 |
4000 |
|
2 |
3800 |
6600 |
Table 3 lists the number of users supported by Forefront UAG DirectAccess for large deployments using NLB when using an array of virtual machines hosted on a single physical server. The server contains the hardware described in Table 1.
Table 3: Forefront UAG DirectAccess server performance with NLB on a virtual array
| Number of virtual machines | Virtual array with NLB |
|---|---|
|
Default Forefront UAG DirectAccess Deployment |
|
|
1 |
760 |
|
2 |
1250 |
|
3 |
1560 |
For information about deploying Forefront UAG DirectAccess with NLB, see Configuring NLB for a Forefront UAG DirectAccess array.
The following sections provide guidance on how to properly provision and configure your server hardware according to your deployment:
- Server hardware
design
- Processor
considerations
- Network adapter
considerations
- Redundancy
recommendations
Server hardware design
Design your server hardware according to current and future requirements to prepare for growth. You might want to consider adding processors, or adding memory with a capacity of at least two or three times your estimated requirements. Note that due to the rapid evolvement of hardware technology, within a relatively short period of time, upgrade options might not be available for your server platform. This could pose a serious problem if future demands require you to increase system performance; for example, in the event that you need additional processors.
Processor considerations
Be sure to select a supported processor, and to consider the processor performance recommendations.
Selecting a supported processor
Forefront UAG DirectAccess is only supported in production environments when it is installed on a computer with x64-compatible processors that is running the Windows Server 2008 R2 operating system.
You can select processors from Intel that support Intel Hyper-Threading Technology, or others that meet similar performance levels.
Regardless of which processor you select, it is recommended that you use a server product listed in the Windows Server Catalog (http://go.microsoft.com/fwlink/?LinkId=64547).
Processor performance recommendations
Forefront UAG DirectAccess benefits significantly when running on multi-core and multithreaded processors. The performance benefit for Forefront UAG DirectAccess from multi-core technology depends upon the specific processor that is used. Multi-core processors are an attractive option for Forefront UAG DirectAccess servers based on price and performance.
The processor usage on a server should maintain a load of no more than 70 percent during peak working hours. This percentage level allows for periods of extreme load. If the processor usage is consistently greater than 75 percent, processor performance is considered a bottleneck.
The following factors directly affect the performance of the CPU in a server:
- The processor clock speed.
- The number of processors.
- The number of cores per processor (quad core
processors provide a better price/performance ratio than dual core
processors).
- Hyper-Threading—When Hyper-Threading is
enabled on a processor, the number of supported users can increase
by up to 20 percent.
For performance, selecting the fastest processor available within your budget yields the best results. Forefront UAG DirectAccess can fully use multiple processors, and using servers with more processors improves performance.
Network adapter considerations
Receive Side Scaling Queue
Use network adaptors with Receive Side Scaling Queue capability, a technology that enables packet receive-processing to scale with the number of available computer processors. This allows the Windows Networking subsystem to take advantage of multi-core and many core processor architectures.
You can enable Receive Side Scaling (RSS) on the Advanced tab of the adapter property sheet. If your adapter does not support RSS, the RSS setting is not displayed.
The Receive Side Scaling Queues setting allocates queue space to buffer transactions between the network adapter and CPU(s).
The following table shows the number of users that are supported on the hardware described in Table 1, when RSSQ is used and when RSSQ is not used.
| Scenario | Number of users without RSSQ | Number of users with RSSQ | Percentage improvement in capacity when using RSSQ |
|---|---|---|---|
|
Default Forefront UAG DirectAccess Deployment |
1650 |
2300 |
28 |
|
Forefront UAG DirectAccess - Management Only |
3000 |
4000 |
33 |
Redundancy recommendations
Deploying an array
It is recommended that you deploy an array of Forefront UAG computers for redundancy. After determining the number of computers your deployment requires, add at least one more computer for redundancy. This will allow your deployment to continue working at optimal performance levels during a computer failure or other required maintenance.
Load balancing
Deploying a Forefront UAG array requires a load balancing mechanism: Network Load Balancing (NLB), or a hardware load balancer.