The Security Proxy Server’s performance is affected by the hardware, software, and environmental factors. Follow these guidelines for best performance.
We recommend these specifications for up to 6000 concurrent and active connections.
Table 7-1 Recommended Specifications for Security Proxy servers
|
System Specification |
up to 6000 connections (concurrent and active) |
|---|---|
|
2.7 GHz or faster |
|
|
4 or more |
|
|
4 GB or more |
|
|
3 GB |
|
|
Use a current 64-bit JRE |
|
|
21,000 |
Additional specifications
As a general rule, a faster processor performs operations more quickly. The two most processor-intensive operations performed by the Security Proxy server are establishing new connections and encrypting and decrypting data.
The Security Proxy server is a thread-intensive application. Each connection to the Security Proxy spawns two threads. A system with more processors (or cores) will perform better than one with fewer processors.
Each connection requires memory, and more connections can be made with more memory. More RAM installed on the machine means less paging to disk and better overall performance. A minimum of four gigabytes (4 GB) RAM is recommended.
A 64-bit JRE with a heap size of 3 GB can support 6000 concurrent connections.
The installer will install and configure the Security Proxy server to use a server JVM. By default, the server JVM will allocate a heap space that is equal to one quarter the size of physical memory. For example, if a computer has 8 GB of physical memory, then the server JVM will allocate a maximum heap size of 2 GB. To increase the heap allocation, use the JVM command-line options -Xms and -Xmx, which can be set in the MssSecurityProxy.vmoptions file, located in <Security Proxy installation directory>\bin.
For example, to support 6,000 connections, use a text editor to open the file named …\MSS\securityproxy\bin\SecurityProxy.vmoptions and add (or edit) the following lines to this file:
-Xms3g
-Xmx3g
Use a current JRE. In general, newer JREs provide better performance with more efficient memory handling, HotSpot technology, improved speed, and the ability to support an increased number of sessions. Several companies provide JREs, and performance varies from one product to another.
You may need to increase the number of ports or file descriptors made available by the operating system.
The default number of ephemeral ports is 5000. Use these commands to show or change the number of ports.
To print the number of ports available:
netsh int ipv4 show dynamicportrange tcp
To change the number of available ports:
netsh int ipv4 set dynamicport tcp start=10000 num=6000
The default number of file descriptors (and thus ports) available to a process can be low (in the hundreds).
Each security proxy server needs approximately 20 file descriptors, and each connection uses two file descriptors. To determine the number of file descriptors required, use this formula:
number of descriptors = 20 + (<connections> * 2)
where <connections> represents the maximum number of concurrent connections the Security Proxy server may receive. Note: The permitted number of concurrent sessions is governed by your product license.
For example: 20 + (6000 connections * 2) = 12020 descriptors
To increase the number of descriptors:
As a user with root privileges, open the command shell that launches the Security Proxy server. This shell should be the same one used to configure the Security Proxy server.
At the command line, enter:
ulimit –n <descriptors>
where <descriptors> represents the integer number of descriptors needed to support the Security Proxy connections.
NOTE:
The ulimit command syntax may vary depending on your shell. For more information about using the command, refer to your OS documentation or man pages.
The shell inherits the default limit from the kernel variable rlim_fd_cur value set in the /etc/system file. The maximum number of descriptors that can be set (“hard limit”) is governed by the kernel variable rlim_fd_max.
Through considerable stress testing, it has been demonstrated that the Security Proxy server can maintain 6,000 concurrent and active connections with heavy payloads, as long as the Prerequisites and System Requirements are met and a 64-bit JRE is used.
Slightly better performance was observed on a Linux-based system with respect to time taken to establish connections and data transmission rates.
A dedicated Security Proxy server will perform better than a server that performs multiple functions. For example, if the server acts as a web server, a mail server, or as a host, in addition to acting as a Security Proxy server, performance for all concurrent functions will be affected.
The Security Proxy server uses two distinct cipher algorithms to establish and secure a TLS connection. A public key algorithm (DSA or RSA) is used during the connection process to authenticate the server and exchange shared-secret (symmetric) keys for the secure connection.
A longer DSA or RSA public key will slow the initial connection speed but may be suitable when security is a primary concern. Open the Security Proxy Wizard to view or modify the key length.
The cipher suites used in session data encryption/decryption can dramatically affect the connection speed once the connection is established. The default cipher suite is RSA with 128-bit AES SHA-1.
Use the Security Proxy Wizard (Proxies > Modify) to select different cipher suites.
Related topics