
Security Proxy: Prerequisites and System Requirements

The Security Proxy Add-On requires a separate license. Before installing the Security Proxy, verify that:

  • the Management and Security Server automated installer is available. (The Security Proxy can be installed along with MSS or by itself later.)

  • the Security Proxy activation file (activation.security_proxy-12.8.<n>.jaw) is available.

    Note

    We recommend installing the latest activation files to ensure that all product features are correctly enabled. For example, when you upgrade Management and Security Server to version 12.8 be sure to upgrade the Security Proxy to version 12.8.

  • the server is running JRE 8. (An OpenJDK is installed by the automated installer.)

  • the Performance and Scaling Requirements are addressed.

Performance and Scaling Requirements

The Security Proxy Server’s performance is affected by hardware, software, and environmental factors. Follow these guidelines for best performance.

We recommend these specifications for up to 6000 concurrent and active connections.

System Specification                  | Up to 6000 connections (concurrent and active)
--------------------------------------|-----------------------------------------------
Speed of processors                   | 2.7 GHz or faster
Number of processors (or cores)       | 4 or more
System RAM                            | 4 GB or more
Java Virtual Machine (JVM) heap size  | 3 GB
Java Runtime Environment (JRE)        | Use a current 64-bit JRE
File descriptors (Linux/UNIX)         | 21,000

Additional specifications

System Specification - Details

Speed of Processors

As a general rule, a faster processor performs operations more quickly. The two most processor-intensive operations performed by the Security Proxy server are establishing new connections and encrypting and decrypting data.

Number of Processors (or Cores)

The Security Proxy server is a thread-intensive application. Each connection to the Security Proxy spawns two threads. A system with more processors (or cores) will perform better than one with fewer processors.

System RAM

Each connection requires memory, and more connections can be made with more memory. More RAM installed on the machine means less paging to disk and better overall performance. A minimum of four gigabytes (4 GB) RAM is recommended.

Java Heap Size

A 64-bit JRE with a heap size of 3 GB can support 6000 concurrent connections.

The installer will install and configure the Security Proxy server to use a server JVM. By default, the server JVM will allocate a heap space that is equal to one quarter the size of physical memory. For example, if a computer has 8 GB of physical memory, then the server JVM will allocate a maximum heap size of 2 GB. To increase the heap allocation, use the JVM command-line options -Xms and -Xmx, which can be set in the MssSecurityProxy.vmoptions file, located in <Security Proxy installation directory>\bin.

For example, to support 6,000 connections, use a text editor to open the file named …\MSS\securityproxy\bin\SecurityProxy.vmoptions and add (or edit) the following lines to this file:

-Xms3g
-Xmx3g

Additional Specifications - Details

Java Runtime Environment (JRE)

Use a current JRE. In general, newer JREs provide better performance with more efficient memory handling, HotSpot technology, improved speed, and the ability to support an increased number of sessions. Several companies provide JREs, and performance varies from one product to another.

Number of Available Ports and Descriptors

You may need to increase the number of ports or file descriptors made available by the operating system.

Windows Server - ports

By default, 5000 ephemeral (dynamic) ports are available. Use these commands to show or change the dynamic port range.

  • To print the number of ports available:

    netsh int ipv4 show dynamicportrange tcp

  • To change the number of available ports:

    netsh int ipv4 set dynamicport tcp start=10000 num=6000

Linux or UNIX - descriptors

The default number of file descriptors (and thus ports) available to a process can be low (in the hundreds).

Each security proxy server needs approximately 20 file descriptors, and each connection uses two file descriptors. To determine the number of file descriptors required, use this formula:

number of descriptors = 20 + (<connections> * 2)

where <connections> represents the maximum number of concurrent connections the Security Proxy server may receive. Note: The permitted number of concurrent sessions is governed by your product license.

For example: 20 + (6000 connections * 2) = 12020 descriptors

To increase the number of descriptors:

  1. As a user with root privileges, open the command shell that launches the Security Proxy server. This shell should be the same one used to configure the Security Proxy server.

  2. At the command line, enter:

    ulimit -n <descriptors>

    where <descriptors> represents the integer number of descriptors needed to support the Security Proxy connections.

Note

  • The ulimit command syntax may vary depending on your shell. For more information about using the command, refer to your OS documentation or man pages.
  • The shell inherits the default limit from the kernel variable rlim_fd_cur set in the /etc/system file. The maximum number of descriptors that can be set (the “hard limit”) is governed by the kernel variable rlim_fd_max.
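The following script is an added example and is not part of the Security Proxy documentation. It applies the descriptor formula above (20 + connections * 2) and compares the result with the soft and hard file-descriptor limits of the current shell, which is what the Security Proxy process inherits when launched from that shell. The SP_CONNECTIONS variable name is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not part of the Security Proxy documentation: apply the page's
# descriptor formula (20 + connections * 2) and compare the result with the soft
# and hard file-descriptor limits of the current shell, which the Security Proxy
# process inherits. The SP_CONNECTIONS variable name is an assumption.

# required_descriptors <connections>: descriptors the proxy needs for that load
required_descriptors() {
    echo $((20 + $1 * 2))
}

# fd_verdict <required> <soft-limit> <hard-limit>
#   ok          the soft limit already covers the requirement
#   raise-soft  the hard limit is high enough; 'ulimit -n <required>' in this
#               shell is sufficient
#   raise-hard  the hard limit itself is too low; it must be raised with root
#               privileges (e.g. /etc/security/limits.conf on Linux, or the
#               kernel tunable) before 'ulimit -n' can take effect
fd_verdict() {
    req=$1 soft=$2 hard=$3
    if [ "$soft" = unlimited ] || [ "$soft" -ge "$req" ]; then
        echo ok
    elif [ "$hard" = unlimited ] || [ "$hard" -ge "$req" ]; then
        echo raise-soft
    else
        echo raise-hard
    fi
}

# check_fd_limit <connections>: report the requirement, the current limits
# of this shell and the resulting verdict on one line
check_fd_limit() {
    req=$(required_descriptors "$1")
    soft=$(ulimit -Sn)
    hard=$(ulimit -Hn)
    echo "connections=$1 required=$req soft=$soft hard=$hard verdict=$(fd_verdict "$req" "$soft" "$hard")"
}

# Default to the 6000-connection sizing used throughout the page.
check_fd_limit "${SP_CONNECTIONS:-6000}"
```

Run it from the same shell that launches the Security Proxy server, since limits are per process and inherited; a `raise-soft` verdict means the `ulimit -n` step above is all that is needed, while `raise-hard` means the hard limit has to be raised first by an administrator.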

Number of Concurrent Connections

Through considerable stress testing, it has been demonstrated that the Security Proxy server can maintain 6,000 concurrent and active connections with heavy payloads, as long as the prerequisites and system requirements described on this page are met and a 64-bit JRE is used.

Operating System

Slightly better performance was observed on a Linux-based system with respect to time taken to establish connections and data transmission rates.

Server Dedication

A dedicated Security Proxy server will perform better than a server that performs multiple functions. For example, if the server acts as a web server, a mail server, or as a host, in addition to acting as a Security Proxy server, performance for all concurrent functions will be affected.

Key Lengths and Cipher Suites

The Security Proxy server uses two distinct cipher algorithms to establish and secure a TLS connection. A public key algorithm (DSA or RSA) is used during the connection process to authenticate the server and exchange shared-secret (symmetric) keys for the secure connection.

Key Lengths Used for Authentication

A longer DSA or RSA public key will slow the initial connection speed but may be suitable when security is a primary concern. Open the Security Proxy Wizard to view or modify the key length.

Cipher Suites Used for Data Encryption/Decryption

The cipher suites used in session data encryption/decryption can dramatically affect the connection speed once the connection is established. The default cipher suite is RSA with 128-bit AES SHA-1.

Use the Security Proxy Wizard (Proxies > Modify) to select different cipher suites.
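To confirm what a listener actually negotiates after changing the key length or cipher suites, the following added example (not from the Security Proxy documentation) summarises `openssl s_client` output: the server key size and the negotiated suite, with a rough classification of the suite by key exchange and MAC. The sample output embedded in the script is constructed for offline testing; the host name and key size in it are illustrative, not values measured from any Security Proxy.

```shell
#!/bin/sh
# Added example, not from the Security Proxy documentation: summarise what a TLS
# listener negotiates, from 'openssl s_client' output. The sample output below is
# constructed for offline testing; its key size and suite are illustrative only.

# tls_summary: read openssl s_client output on stdin, print "bits=<n> cipher=<name>"
tls_summary() {
    awk '/^Server public key is/ { bits = $5 }
         /^ *Cipher *:/          { cipher = $NF }
         END { printf "bits=%s cipher=%s\n", bits, cipher }'
}

# cipher_verdict <openssl-suite-name>: classify key exchange and MAC by name
#   forward-secret  ephemeral (EC)DHE key exchange, or a TLS 1.3 suite (TLS_ prefix)
#   static-rsa      the server's RSA key itself wraps the session secret, as in
#                   the page's default suite (RSA with 128-bit AES, SHA-1)
#   sha1-hmac       name ends in -SHA, i.e. HMAC-SHA-1 record integrity
cipher_verdict() {
    case $1 in
        TLS_*|*DHE*) kx=forward-secret ;;
        *)           kx=static-rsa ;;
    esac
    case $1 in
        *-SHA) mac=sha1-hmac ;;
        *)     mac=other ;;
    esac
    echo "$kx $mac"
}

# Constructed excerpt in the format openssl s_client prints (not a real capture).
SAMPLE_S_CLIENT='Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA'

# demo_summary: run the parser over the constructed sample
demo_summary() {
    printf '%s\n' "$SAMPLE_S_CLIENT" | tls_summary
}

# Live use against a proxy listener (host and port are placeholders):
#   openssl s_client -connect proxy.example.com:443 </dev/null 2>/dev/null | tls_summary
demo_summary
cipher_verdict AES128-SHA
```

The page's default suite (RSA with 128-bit AES and SHA-1) shows up in OpenSSL naming as AES128-SHA and is classified here as static RSA key exchange with an HMAC-SHA-1 MAC, which is the trade-off the Wizard's cipher-suite selection lets you revisit.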
