+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 22
Enterprise Software Thread, why is my isa server such a dog? in Technical; We have an ISA server, which we call isa2. It has run for about 4 years in a MS virtual ...
  1. #1

    Oaktech's Avatar
    Join Date
    Jul 2011
    Location
    Bournemouth
    Posts
    2,776
    Thank Post
    764
    Thanked 541 Times in 424 Posts
    Rep Power
    259

    why is my isa server such a dog?

    We have an ISA server, which we call isa2. It has run for about 4 years in a MS virtual pc on top of our physical isa1 server. the isa 2 is our unfiltered server for slt and us.

    It started going down hill a while ago, we stopped being able to tsc it directly, it got really laggy and was using 100% cpu a lot of the time.

    In our infinite wisdom we decided to migrate it from its ms vpc home to a vmware esxi host, which went swimmingly, and it was up and running in no time - but despite a doubling in available memory and the addition of another cpu core it is still using 100% cpu.

    We are not using SQL logging, but there is an isa instance of sql desktop consuming between 12 and 88% cpu contstantly, and the wspsrv firewall consuming pretty much whatever sql is not consuming, creating a 100% cpu condition, 100% of the time!

    We've applied all the hotfixes and service packs and supportability packs to it with very little change.

    WHAT IS WRONG WITH MY [DERP] ISA!

    We have just decided to use TMG instead, we have read the guide, exported the info from ISA, created a new VMware host on the appropriate IP and i'm just waiting for the ISO to download.

    Have I just condemned myself?

  2. #2

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,590
    Thank Post
    109
    Thanked 762 Times in 593 Posts
    Rep Power
    180
    TMG is undoubtably better... just make sure that you don't install it on 2008R2 because it doesn't work.

  3. Thanks to Ric_ from:

    Oaktech (26th October 2012)

  4. #3

    Oaktech's Avatar
    Join Date
    Jul 2011
    Location
    Bournemouth
    Posts
    2,776
    Thank Post
    764
    Thanked 541 Times in 424 Posts
    Rep Power
    259
    Quote Originally Posted by Ric_ View Post
    TMG is undoubtably better... just make sure that you don't install it on 2008R2 because it doesn't work.
    Oh [insert deity] REALLY i don't have 2008, only r2 in my downloads from msvlc. what doesn't work about it?

    Le Edit: it appears that it does work, http://blogs.technet.com/b/isablog/a...08-r2-sp1.aspx but only the latest version of TMG, which I think is what i'm downloading.
    Last edited by Oaktech; 26th October 2012 at 03:51 PM.

  5. #4

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,590
    Thank Post
    109
    Thanked 762 Times in 593 Posts
    Rep Power
    180
    We run many TMGs (7 or 8 I think at the moment) and those that people installed on 2008R2 went badly wrong and needed a re-build... @Domino could explain better. A quick gGoogle looks like some issues have been fixed but you can quickly see a lot of people having issues. 2008 isn't a a big download and it definitely works - not sure why you don't have it in MVLS mind.

  6. #5

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,057
    Thank Post
    853
    Thanked 2,670 Times in 2,267 Posts
    Blog Entries
    9
    Rep Power
    768
    Have you looked at the scheduled tasks on the VM to see if it is parsing the logs for previous days, it commits the test details to the SQL database on a schedule, if it stuffs up there it will choke the system. If you have no use for those logs then kill the scheduled tasks. You can also look through your rules to make sure that they do not log an instance to the database every time a rule is hit which is the default system.

    Other options are exporting the config then uninstalling ISA, reinstalling then reimporting the system.\

    Comparatively I have used TMG on a 2008 server with 3-4GB or RAM and 2-4 CPUs, 2008 R2 with much more resources (don't even try unless they have made massie progress in the last six months) with the same amount of RAM or ISA under 2003 R2 with 1500 MB or RAM and no issues in comparison other than the VPN host dies on reboot issue.

    Your system may differ as ironically it seemed to have issues with Hyper-V but I personally would not trust it (TMG).

  7. Thanks to SYNACK from:

    Oaktech (26th October 2012)

  8. #6
    jamesfed's Avatar
    Join Date
    Sep 2009
    Location
    Reading
    Posts
    2,192
    Thank Post
    134
    Thanked 340 Times in 287 Posts
    Rep Power
    84
    Quote Originally Posted by Ric_ View Post
    TMG is undoubtably better... just make sure that you don't install it on 2008R2 because it doesn't work.
    TMG with web filter, firewall and VPN works fine for us on Server 2008 R2 - all latest updates/patches ect

  9. #7

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,057
    Thank Post
    853
    Thanked 2,670 Times in 2,267 Posts
    Blog Entries
    9
    Rep Power
    768
    Quote Originally Posted by jamesfed View Post
    TMG with web filter, firewall and VPN works fine for us on Server 2008 R2 - all latest updates/patches ect
    Under Hyper-V, ESXi or native?

  10. #8
    jamesfed's Avatar
    Join Date
    Sep 2009
    Location
    Reading
    Posts
    2,192
    Thank Post
    134
    Thanked 340 Times in 287 Posts
    Rep Power
    84
    Quote Originally Posted by SYNACK View Post
    Under Hyper-V, ESXi or native?
    Hyper-V - 4 vprocs, startup RAM is 2GB with the ablity to burst to 8GB and 4 NICs.

    Looks after a school of ~150 web browsing students with ease.

  11. #9

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,057
    Thank Post
    853
    Thanked 2,670 Times in 2,267 Posts
    Blog Entries
    9
    Rep Power
    768
    Quote Originally Posted by jamesfed View Post
    Hyper-V - 4 vprocs, startup RAM is 2GB with the ablity to burst to 8GB and 4 NICs.

    Looks after a school of ~150 web browsing students with ease.
    Wow, maybe they have finally fixed it, we had about a hundred stations running through it (many more pupils) and it lost a good 25-30% of the packets, simply stopped responding for minutes at a time, chewed 4+ GB of RAM. Dropped All connections on VPN connection from outside, stopped responding to internal users while serving external ones fine. Twenty minute boot times, Hyper-V client component failure thanks to the dodgy firewall rules, failure to apply rules for local and remote RDP etc. etc. I'd get RSI/OOS if I listed all the faults, and that was with SP1 Rollup 3 along with insane levels of diagnostics including a 2GB wireshark packet capture to try an find out what its problem was.

  12. #10
    jamesfed's Avatar
    Join Date
    Sep 2009
    Location
    Reading
    Posts
    2,192
    Thank Post
    134
    Thanked 340 Times in 287 Posts
    Rep Power
    84
    Quote Originally Posted by SYNACK View Post
    Wow, maybe they have finally fixed it, we had about a hundred stations running through it (many more pupils) and it lost a good 25-30% of the packets, simply stopped responding for minutes at a time, chewed 4+ GB of RAM. Dropped All connections on VPN connection from outside, stopped responding to internal users while serving external ones fine. Twenty minute boot times, Hyper-V client component failure thanks to the dodgy firewall rules, failure to apply rules for local and remote RDP etc. etc. I'd get RSI/OOS if I listed all the faults, and that was with SP1 Rollup 3 along with insane levels of diagnostics including a 2GB wireshark packet capture to try an find out what its problem was.
    Weird one there! We've been running for at least a year and a half since our LEA decided to let us free on our own web filter - worked out cheaper than the 800 they were asking for with Netsweeper.

  13. #11

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,057
    Thank Post
    853
    Thanked 2,670 Times in 2,267 Posts
    Blog Entries
    9
    Rep Power
    768
    Quote Originally Posted by jamesfed View Post
    Weird one there! We've been running for at least a year and a half since our LEA decided to let us free on our own web filter - worked out cheaper than the 800 they were asking for with Netsweeper.
    Don't get me wrong, ISA was good and TMG was too on some deployments but there was a reason they discontinued TMG about a month after they released it, even they can't figure out what it is doing when it goes wrong. UAG and basic Server 2012 are the new standards, TMG is a horror movie for many that will never get a sequel. I thing it was @Domino that tried TMG as an upgrade to ISA in a large corp setting and ditched it entirely for a separate solution given the amount of problems it caused them.

    It is a great product if it works for you but if not either downgrade or go to a different product to save your budget and sanity.

  14. #12
    jamesfed's Avatar
    Join Date
    Sep 2009
    Location
    Reading
    Posts
    2,192
    Thank Post
    134
    Thanked 340 Times in 287 Posts
    Rep Power
    84
    Only let down for me is no more web filtering from Microsoft we pay just 320 for the WHOLE school a year - find me a filter that is cheaper than that. (Yes others maybe more advanced (Smoothwall) but it keeps out 99% of what we don't want).

  15. #13

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,057
    Thank Post
    853
    Thanked 2,670 Times in 2,267 Posts
    Blog Entries
    9
    Rep Power
    768
    Quote Originally Posted by jamesfed View Post
    Only let down for me is no more web filtering from Microsoft we pay just 320 for the WHOLE school a year - find me a filter that is cheaper than that. (Yes others maybe more advanced (Smoothwall) but it keeps out 99% of what we don't want).
    Stage direction: Pulls cable from primary network feed.
    SYNACK: filtered 100% of badness in one go

    The filtering is quite good

  16. #14
    jamesfed's Avatar
    Join Date
    Sep 2009
    Location
    Reading
    Posts
    2,192
    Thank Post
    134
    Thanked 340 Times in 287 Posts
    Rep Power
    84
    Quote Originally Posted by SYNACK View Post
    Stage direction: Pulls cable from primary network feed.
    SYNACK: filtered 100% of badness in one go

    The filtering is quite good
    But how will people get onto the interwebs!

  17. #15

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,057
    Thank Post
    853
    Thanked 2,670 Times in 2,267 Posts
    Blog Entries
    9
    Rep Power
    768
    Quote Originally Posted by jamesfed View Post
    But how will people get onto the interwebs!
    Stage direction: Add A record for www.google.com;www.google.co.uk, point to local intranet server
    SYNACK: Alakazam!!! the internet works

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. why is my car heater not working??
    By Admiral208 in forum General Chat
    Replies: 26
    Last Post: 6th January 2011, 12:28 PM
  2. Why is my laptop so hot?
    By rad in forum General Chat
    Replies: 1
    Last Post: 2nd October 2010, 03:49 PM
  3. Why is there a Server 2008 32bit?
    By Nick_Parker in forum Windows Server 2008
    Replies: 6
    Last Post: 3rd June 2008, 03:07 PM
  4. Mommy, why is there a server in the house?
    By russdev in forum Jokes/Interweb Things
    Replies: 10
    Last Post: 17th January 2008, 05:15 PM
  5. Why is my backup taking so long??
    By maniac in forum Hardware
    Replies: 4
    Last Post: 27th November 2007, 11:06 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •