- 1. Overview
- 2. Let's create a shaping rule
- 3. Another shaping rule
- 4. Let's create a quota rule
- 5. Testing the created Shaping and Quota rules
- 6. Client-side monitoring utility
- 7. Modifying the Traffic Counters on the fly from the Quota Counters Panel
- 8. The Download Managers cannot exhaust the bandwidth anymore
- 9. Conclusion
1. Overview
ISA 2006 Firewall (http://www.microsoft.com/isaserver/default.mspx) comes with a lot of nice features by default. But, like everything and everybody, it's not perfect. Unfortunately it does not come with an integrated bandwidth manager.
As we have seen in a previous article (http://www.carbonwind.net/ISA/HTTPSig/HTTPSig3.htm), not having a bandwidth manager installed on ISA can easily lead to an improper distribution of the Internet bandwidth among the users. Wasteful traffic can exhaust the Internet bandwidth, and work-related traffic will suffer. Unauthorized installations of download managers, for example, can seriously affect work-related traffic (long delays, timeouts...).
That's why you should always allow only needed traffic to needed destinations.
A nice feature of ISA is the ability to authenticate users based on their Active Directory accounts.
So it would be nice to have a bandwidth manager that integrates with ISA and is able to control/limit bandwidth using Active Directory groups and users in addition to machine-based control (using IP addresses). In this way the shaping and quota rules will "follow" the users (the users can use any domain computer on the network). Whatever machine the users use, they will benefit from the bandwidth allocated to them and ISA will be able to control/limit it accordingly. The bandwidth allocated per user/group for work-related traffic will be constant, thus increasing work productivity. Non-work-related (non-priority) traffic is limited, thus Internet connection costs are reduced.
Let's imagine the situation below (reduced and simplified).
User X is working with an application that connects him/her to a remote server. Another user Y is killing his/her time and surfs the Internet, starts a couple of downloads and so on. Due to the "activity" of user Y, user X will not have a fixed, constant bandwidth allocated, although he/she is working on an important project. User X may experience spikes, delays and timeouts when using the needed application. These lead to frustration and thus to poor work productivity.
The solution is to provide user X with a constant channel for his/her duties while limiting the bandwidth for non-work-related activity (like that of user Y). The shaping of the channel should be done per destination and per protocol.
In addition, it is very important to have a live picture of all users and their connections through ISA, including a chart of the bandwidth utilization, and the ability to immediately disconnect offending users. A powerful bandwidth manager should be able to do all these. Obviously a powerful bandwidth manager with plenty of options can help in many other situations.
In this article we will take a look at the current version of Bandwidth Splitter (http://www.bsplitter.com). At the time of writing this article the version is 1.21.
Bandwidth Splitter allows free-of-charge use with up to 10 clients. So you have the chance to see it in action yourself before placing an order. I've said it before and I can't stress enough how important it is to have access to a trial version of a piece of software in order to be able to see if it's actually good enough for you and if it does what its vendor promises. The difference with Bandwidth Splitter is the fact that if you have only a few clients (up to 10) you can use it for free. See Figure 1.
Figure 1: Bandwidth Splitter License
Bandwidth Splitter impresses from the start because it's nicely integrated with ISA and with ISA's management console. See Figure 2.
Figure 2: Bandwidth Splitter Integrated with ISA's Management Console
Also, for remote administration, you can install only the administrative component of Bandwidth Splitter on remote computers that have the ISA Server management console installed.
An amazing fact about Bandwidth Splitter is how easy it is to use. I was able to start managing the bandwidth in a second.
With Bandwidth Splitter you can manage the traffic of HTTP, HTTPS and
FTP connections (for web proxy clients) and TCP/UDP connections (for
SecureNAT clients, Firewall Clients and DMZ servers). Also you can
manage the traffic of published servers.
With Bandwidth Splitter you create shaping and quota rules.
Shaping rules can be described as speed limitation rules. You can restrict the maximum speed of connections for individual users, user groups or IP addresses (per Networks, Subnets, individual computers, Computer Sets, URL Sets or Domain Name Sets).
Quota rules restrict the amount of traffic that a specific user, a group of users, a host or a group of hosts may transfer within a period of time. Note that quota rules apply only when the source IP address is not in the External Network and the destination IP address belongs to the External Network. If you have a server in an ISA DMZ and you are connecting to it from, say, the Internal network, you cannot have a quota rule for these connections.
If you have an ISA DMZ, the routing relationship between this DMZ and the External network is set to "route", and you are using access rules, for example, you can apply shaping and quota rules to machines from this DMZ (controlling connections coming from the External Network) by checking "Treat connections from External network as accepted/inbound". This option is a little confusing until you start making some quick tests. See Figure 3.
Figure 3: "Treat connections from External network as accepted/inbound"
Bandwidth Splitter uses the entities of ISA Server for both shaping and quota rules. This is quite handy because it eliminates the administrative overhead of creating separate entities within Bandwidth Splitter's administration interface.
For shaping rules you can use ISA entities within the following fields:
- the "Destinations" field can contain: Networks, Subnets, Address Ranges, individual computers, Computer Sets, URL Sets or Domain Name Sets, see Figure 4.
Figure 4: Bandwidth Splitter Shaping Rule "Destinations" Field
- the "Applies to IP addresses" field can contain: Networks, Subnets, Address Ranges, individual computers or Computer Sets, see Figure 5.
Figure 5: Bandwidth Splitter Shaping Rule "Applies to IP addresses" Field
- the "Applies to User Sets" field can contain the User Sets defined on ISA, see Figure 6.
The option to control the speed limit per User Set provides more power and more flexibility. It represents a big plus for Bandwidth Splitter.
Figure 6: Bandwidth Splitter Shaping Rule "Applies to User Sets" Field
- the "Schedule" field can contain the Schedules defined on ISA, see Figure 7. However, ISA Schedules are not very flexible: you cannot define a schedule from, say, 14:30 to 14:45, only from 14:00 to 15:00.
Figure 7: Bandwidth Splitter Shaping Rule "Schedule" Field
For quota rules you can use ISA entities within the following fields:
- the "Applies to IP addresses" field can contain: Networks, Subnets, Address Ranges, individual computers, Computer Sets, URL Sets or Domain Name Sets, with the observation that quota rules apply only when the source IP address is not in the External Network and the destination IP address belongs to the External Network. See Figure 8.
Figure 8: Bandwidth Splitter Quota Rule "Applies to IP addresses" Field
- the "Applies to User Sets" field can contain the User Sets defined on ISA. See Figure 9.
The ability to assign a traffic quota per User Set provides more power and more flexibility. It represents another big plus for Bandwidth Splitter.
Figure 9: Bandwidth Splitter Quota Rule "Applies to User Sets" Field
Bandwidth Splitter comes with a real-time monitoring feature. You can view the activity of all clients accessing the Internet through ISA Server (the IP address of each client, the user name, the number of connections and so on). See Figure 10.
Figure 10: Bandwidth Splitter Live Monitoring
If you are using quota rules you can visualize the traffic counter and the amount of remaining traffic. See Figure 11.
Figure 11: Bandwidth Splitter Quota Counters
However, you can only look; there is no option to disconnect a user.
Another minus for Bandwidth Splitter is the fact that you cannot apply shaping rules based on protocols. By default all TCP and UDP protocols are shaped.
An interesting and very useful feature of Bandwidth Splitter is the fact that you can specify what happens when a connection does not match any shaping and/or quota rule. By default, "Do not filter connections" is selected, thus these connections are excluded from processing. As said before, exclusion occurs only when neither type of rule matches. If you select "Deny connections" instead of "Do not filter connections" then such connections will be denied; this is the fail-closed choice, since any traffic you forgot to cover with a rule is blocked rather than passed unshaped. Therefore you have to carefully define your shaping and quota rules if you want to use this setting. See Figure 12 (the Advanced tab of the general options of Bandwidth Splitter).
Figure 12: Action to Take When No Rules Found
2. Let's create a shaping rule
Let's create a shaping rule. I have created a test access rule on ISA allowing FTP, HTTP and HTTPS from Internal to External for All Authenticated Users. Thus this rule requires authentication. See Figure 13.
Figure 13: ISA Internet Access Rule
Actually, to apply a Bandwidth Splitter rule to users or user groups you need authentication on ISA's rule (only Web Proxy clients and/or Firewall clients can authenticate).
What I want to accomplish: to allocate a constant bandwidth to a group of users for their work duties, with each individual user belonging to this group having a fixed and constant bandwidth allocated. The group of users is called "RegularUsers".
To accomplish all this I will create a shaping rule for work-required destinations. Work-required destinations include Computer Sets, URL Sets and Domain Name Sets. They have already been created, because you cannot create new destinations (ISA entities) on the fly from Bandwidth Splitter's wizard.
Start the wizard for creating a new shaping rule. See Figure 14.
Figure 14: New Bandwidth Splitter Shaping Rule
Enter a name for this rule. See Figure 15.
Figure 15: Bandwidth Splitter Shaping Rule Name
Click Next.
Apply this rule to the "RegularUsers" User Set. See Figure 16.
Figure 16: Bandwidth Splitter Shaping Rule "Applies to Regular Users" Users Set
Click Next.
As said before, the "Destinations" field will contain a Computer Set (populated with the remote servers' IP addresses), a URL Set and a Domain Name Set. The last two include, for example, links to various online documentation and support sites. See Figure 17.
Figure 17: Bandwidth Splitter Shaping Rule "Work-Related Destinations"
Click Next.
The Schedule for this shaping rule is set to Always. I want the working users to benefit from this bandwidth all the time (working hours, extra hours...). See Figure 18.
Figure 18: Bandwidth Splitter Shaping Rule "Schedule"
You can create an ISA schedule for your company's work hours, for example, if you want to. See Figure 19.
Figure 19: ISA New Work Schedule
Click Next.
Now you need to specify the bandwidth limits for this shaping rule. I have chosen as the shaping mode the sum of incoming and outgoing traffic and set a limit of 160 kbps. You can also shape incoming and outgoing traffic separately, shape incoming traffic only or shape outgoing traffic only. See Figure 20.
Figure 20: Bandwidth Splitter Shaping Rule Specify the Bandwidth Limits
Also here you can decide whether or not to shape cached web content and whether or not to enable HTTP Boost.
So what does this HTTP Boost do?
According to the manual, HTTP Boost mode lets you accelerate web surfing. It will make surfing much more comfortable due to these accelerations. You can select a content type set for which the HTTP Boost mode will be used on the Advanced tab of the general options of Bandwidth Splitter, in the HTTP Boost content type set list. See Figure 21.
Figure 21: Bandwidth Splitter "HTTP Boost"
When enabling HTTP Boost, you are allowing a new speed limit for a certain amount of time for a certain content type. So, temporarily, a user who has been inactive for a certain minimum period of time will be able to access the specified content type at a speed higher than the main speed limit value. By default, the content types for which HTTP Boost applies (only if you check the "Enable HTTP Boost" checkbox on your shaping rule) are text and HTML content, images, JavaScript and Flash animation. As can be seen from Figure 21, you can specify other content types if you want. If you do not check the "Enable HTTP Boost" checkbox on your shaping rule, HTTP Boost is disabled. Enabling HTTP Boost for work-related destinations can be very useful.
Next you have the chance to limit the number of concurrent connections. See Figure 22.
Figure 22: Bandwidth Splitter Shaping Rule Limit No. of Concurrent Connections
This setting is a bit confusing. What type of concurrent connections? Some quick tests show that this limit applies to both TCP and UDP connections sent to all destinations. It's not a limit that applies to connections made per destination; it applies globally. When a user is browsing and exceeds the number of concurrent connections allowed, an error page will appear. See Figure 23.
Figure 23: Bandwidth Splitter Default "Too many connections" Error Page
This error page (along with other error pages like "Access not allowed" or "Traffic quota limit reached") can be customised.
Click Next.
A very important and useful setting appears. You can assign the specified 160 kbps bandwidth individually to each user or distribute this bandwidth between users. See Figure 24.
Figure 24: Bandwidth Splitter Shaping Rule "Shaping Type"
As intended, I assigned the specified 160 kbps bandwidth individually to each user.
The other option, to distribute the bandwidth between users, lets you do this distribution statically or dynamically.
For example, if the RegularUsers group contains 4 active users and Static bandwidth distribution is checked, then their individual speed limit will be 160 / 4 = 40 kbits/s. This can lead to wasted bandwidth, because at a certain moment two of the users may require only 20 kbits/s and 30 kbits/s respectively. However, Static bandwidth distribution may guarantee, when there is no free/unused bandwidth available, an equal distribution (40 kbits/s per user) among active users of the total allocated bandwidth (160 kbits/s per group).
If Static bandwidth distribution is unchecked, then this unused bandwidth can be distributed between the other two users, which at that moment may need more bandwidth. The downside of this, according to the manual, is that when there is no free/unused bandwidth, the users who have more connections or better links to the servers could have precedence over the rest of the users.
Click Next.
We can configure Extra Parameters for our work shaping rule. See Figure 25.
Figure 25: Bandwidth Splitter Shaping Rule "Extra Parameters"
I will check the "Don't count traffic on account of traffic quota" checkbox because I will also define a quota rule for these users later, and I do not want to impose a limit on allowed work-related traffic. I only want to impose a limit on non-work-related traffic. If users exceed this limit, they can continue their work, with only non-work-related traffic being blocked.
Click Next.
Review your shaping rule settings and click Finish. See Figure 26.
Figure 26: Bandwidth Splitter Shaping Rule Click Finish
Apply the changes.
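To make the three shaping types concrete (assign individually to each user, static distribution, dynamic distribution), here is a small model of how a group limit is split among active users. It is an added example written for this article, not Bandwidth Splitter's own code: the dynamic mode is modelled as max-min fair sharing (users needing less than an equal slice get exactly what they need, and the leftover is spread over those wanting more), which reproduces the 20 and 30 kbit/s case from the text but ignores the per-connection precedence effect the manual mentions. The user names and demand figures are constructed.

```python
from typing import Dict


def individual_share(total_kbps: float, demands: Dict[str, float]) -> Dict[str, float]:
    """'Assign individually to each user': every active user gets the full
    limit as their own channel, so the group as a whole may use n * total."""
    return {user: float(total_kbps) for user in demands}


def static_share(total_kbps: float, demands: Dict[str, float]) -> Dict[str, float]:
    """Static distribution: the limit is split into equal slices over the
    active users, whether or not a user can actually use their slice."""
    if not demands:
        return {}
    slice_kbps = total_kbps / len(demands)
    return {user: slice_kbps for user in demands}


def dynamic_share(total_kbps: float, demands: Dict[str, float]) -> Dict[str, float]:
    """Dynamic distribution modelled as max-min fair sharing (assumption, see
    lead-in): walk the users from smallest to largest demand, give each the
    smaller of their demand and an equal share of what is still unallocated,
    so the bandwidth a light user leaves unused flows to the heavier users."""
    allocation: Dict[str, float] = {}
    remaining = float(total_kbps)
    pending = sorted(demands.items(), key=lambda item: item[1])
    while pending:
        fair_slice = remaining / len(pending)
        user, need = pending.pop(0)
        granted = min(need, fair_slice)
        allocation[user] = granted
        remaining -= granted
    return allocation


def used_kbps(allocation: Dict[str, float], demands: Dict[str, float]) -> float:
    """Bandwidth actually consumed: nobody can use more than they asked for,
    so an allocation above a user's demand is wasted."""
    return sum(min(allocation[user], demands[user]) for user in demands)


# Constructed demand figures: four active RegularUsers sharing 160 kbps, two
# of whom only need 20 and 30 kbps at this moment (the case from the text).
DEMANDS_KBPS = {"user1": 20.0, "user2": 30.0, "user3": 100.0, "user4": 100.0}
GROUP_LIMIT_KBPS = 160.0

if __name__ == "__main__":
    for name, share in (("individual", individual_share),
                        ("static", static_share),
                        ("dynamic", dynamic_share)):
        alloc = share(GROUP_LIMIT_KBPS, DEMANDS_KBPS)
        print(f"{name:10s} {alloc}  used={used_kbps(alloc, DEMANDS_KBPS):.0f} kbps")
```

With these demands the static split hands out 40 kbps each and only 130 of the 160 kbps get used, while the dynamic split gives 20, 30, 55 and 55 kbps and uses the whole channel; the individual mode gives every user the full 160 kbps, which is why it is the right choice for the work-related rule above and the wrong one for a channel you want to cap as a whole.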
3. Another shaping rule
Next I will create another shaping rule for this group of users. This rule is intended to limit the speed to non-work-related destinations. Users are allowed to browse certain web sites. To keep it simple, for this test, the "Destinations" field will contain the "External Network". See Figure 27.
Figure 27: Bandwidth Splitter Shaping Rule "External Destinations"
I have chosen as the shaping mode the sum of incoming and outgoing traffic and set a limit of 400 kbps. It's a higher speed limit because I want to dynamically distribute this bandwidth between active users. See Figure 28 and Figure 29.
Figure 28: Bandwidth Splitter Shape Total Traffic
Figure 29: Bandwidth Splitter Dynamically Distribute Bandwidth Between Active Users
This time the "Don't count traffic on account of traffic quota" checkbox will be unchecked, because there will be a quota rule for this kind of traffic for these users. See Figure 30.
Figure 30: Bandwidth Splitter Shaping Rule "Extra Parameters"
Review your settings and click Finish. See Figure 31.
Figure 31: Bandwidth Splitter Shaping Rule Click Finish
Apply the changes.
And by now we have two shaping rules. See Figure 32.
Figure 32: Bandwidth Splitter Two Shaping Rules
4. Let's create a quota rule
As I mentioned before, I want to create a quota rule to limit the amount of non-work-related traffic per day. Please remember that I have checked "Don't count traffic on account of traffic quota" on the work-related shaping rule, thus work traffic will be unaffected by this quota rule. You may also create a shaping rule for the destinations needed for various updates, a rule for which the traffic counter will not apply either. So let's create a quota rule. See Figure 33.
Figure 33: Bandwidth Splitter New Quota Rule
Enter a name for this quota rule. See Figure 34.
Figure 34: Bandwidth Splitter New Quota Rule Name
Click Next.
As said before, this quota rule will apply to the "RegularUsers" User Set. See Figure 35.
Figure 35: Bandwidth Splitter New Quota Rule "Applies To"
Click Next.
Now you can specify the traffic quota for this rule.
I have selected to limit the sum of incoming and outgoing traffic. You can also limit incoming and outgoing traffic separately, limit incoming traffic only or limit outgoing traffic only.
The traffic amount allowed by this rule was set to 50 MB.
This quota rule will not apply to cached web content.
I want to start a 50 MB traffic counter for each active user of the "RegularUsers" group. This counter will be reset daily. You can also reset this counter weekly, monthly or never. If the user does not consume the entire amount of traffic allowed, the remainder can be transferred to the next period. See Figure 36.
Figure 36: Bandwidth Splitter New Quota Rule "Specify Traffic Quota For This Rule"
As said before, a traffic counter will be started for each active user of the "RegularUsers" group. When this counter reaches zero, all connections of the client are terminated. If the user is browsing after this moment, the user will receive a message that the allowed traffic quota has been reached. See Figure 37. As mentioned before, this error page can be customised.
Figure 37: Bandwidth Splitter "Traffic Quota Limit Reached" Error Page
Click Next.
And here is the option I was talking about, to start a traffic counter for each user. Or, if you want, you can assign this quota rule to the entire group. See Figure 38.
Figure 38: Bandwidth Splitter New Quota Rule, Quota Type
Click Next.
Review your settings and click Finish. See Figure 39.
Figure 39: Bandwidth Splitter New Quota Rule Click Finish
Apply the changes.
And now we have a quota rule in place. See Figure 40.
Figure 40: Bandwidth Splitter A Quota Rule
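The counter behaviour described in this section (one counter per active user, daily reset, remainder carried over to the next period, all connections terminated when the counter reaches zero, and work traffic left uncounted because of the "Don't count traffic on account of traffic quota" checkbox on the work-related shaping rule) can be modelled in a few lines. This is an added example, not Bandwidth Splitter's code; the integer day numbers, the three-day scenario and the `reset_every_days=None` convention for "never reset" are constructed assumptions.

```python
from typing import List, Optional, Tuple

MB = 1024 * 1024


class QuotaCounter:
    """Per-user traffic counter (constructed model of the quota rule above,
    not the product's code). Days are plain integers counted from the day the
    counter was started."""

    def __init__(self, limit_bytes: int, reset_every_days: Optional[int] = 1,
                 carry_over: bool = True) -> None:
        self.limit = limit_bytes
        self.reset_every = reset_every_days   # None models "never reset"
        self.carry_over = carry_over          # transfer remainder to next period
        self.remaining = limit_bytes
        self.period_start = 0

    def _roll_period(self, day: int) -> None:
        """Start a new period for every full reset interval that has elapsed."""
        if self.reset_every is None:
            return
        while day - self.period_start >= self.reset_every:
            leftover = self.remaining if self.carry_over else 0
            self.remaining = self.limit + leftover
            self.period_start += self.reset_every

    def account(self, day: int, nbytes: int, counts_toward_quota: bool = True) -> bool:
        """Charge a transfer against the counter. Traffic matched by a shaping
        rule with "Don't count traffic on account of traffic quota" is passed
        with counts_toward_quota=False and leaves the counter untouched.
        Returns False once the counter reaches zero, the point at which all of
        the client's connections are terminated."""
        self._roll_period(day)
        if counts_toward_quota:
            self.remaining = max(0, self.remaining - nbytes)
        return self.remaining > 0

    def allows_connection(self, day: int) -> bool:
        """Would a new non-work connection be accepted, or would the user get
        the "Traffic quota limit reached" page instead?"""
        self._roll_period(day)
        return self.remaining > 0


def run_scenario() -> List[Tuple[str, int, bool]]:
    """Walk one RegularUser through three days against the 50 MB daily quota.
    Each step records (label, remaining MB, connection still allowed)."""
    counter = QuotaCounter(50 * MB, reset_every_days=1, carry_over=True)
    steps = []
    # Day 0: 30 MB to work-related destinations, excluded from the quota.
    ok = counter.account(0, 30 * MB, counts_toward_quota=False)
    steps.append(("day0 work 30MB", counter.remaining // MB, ok))
    # Day 0: 20 MB of browsing to non-work destinations, counted.
    ok = counter.account(0, 20 * MB)
    steps.append(("day0 non-work 20MB", counter.remaining // MB, ok))
    # Day 1: daily reset, the 30 MB remainder carries over (50 + 30).
    allowed = counter.allows_connection(1)
    steps.append(("day1 after reset", counter.remaining // MB, allowed))
    # Day 1: a download manager pulls 80 MB of non-work traffic; counter hits zero.
    ok = counter.account(1, 80 * MB)
    steps.append(("day1 non-work 80MB", counter.remaining // MB, ok))
    # Day 2: new period, nothing left over to carry.
    allowed = counter.allows_connection(2)
    steps.append(("day2 after reset", counter.remaining // MB, allowed))
    return steps


if __name__ == "__main__":
    for label, remaining_mb, allowed in run_scenario():
        print(f"{label:22s} remaining={remaining_mb:3d} MB  allowed={allowed}")
```

The scenario shows why the checkbox on the work-related shaping rule matters: the 30 MB of work traffic never touches the counter, the unused 30 MB rolls into the next day, and only the non-work traffic can drive the counter to zero and cut the client off.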
5. Testing the created Shaping and Quota rules
Time to see the shaping and quota rules in action.
In Figure 41 we can view two users accessing work-related destinations, thus the work-related shaping rule is used. Both have a 160 kbps channel allocated, as intended. But, as said before, from this monitoring panel we cannot simply right-click one of these users and disconnect him/her if we want to. We can only look. And there are plenty of useful fields to look at.
Figure 41: Bandwidth Splitter Live Monitoring Work Related Destinations
In Figure 42 we can quickly see the traffic counter. Since they are accessing work-related destinations, the quota rule does not apply and the counters for both users are almost intact (if they access some work-related web pages, some ads might modify these counters a little bit).
Figure 42: Bandwidth Splitter Quota Counters
In Figure 43 we can view two users accessing non-work-related destinations, thus the non-work-related shaping rule is used. Both share the 400 kbps channel as intended. If more users start accessing non-work-related destinations, the speed available to each one will decrease, so it will be better for them to get back to work.
Figure 43: Bandwidth Splitter Live Monitoring Non-Work Related Destinations
In Figure 44 we can notice that the remaining amount of available traffic starts to shrink.
Figure 44: Bandwidth Splitter Quota Counters
6. Client-side monitoring utility
Bandwidth Splitter has a client-side monitoring utility, so users can check their traffic quota counter.
This utility can usually be found in "C:\Program Files\Microsoft ISA Server\Bandwidth Splitter\BMonitor".
Do not enable file sharing on the ISA Firewall itself. Microsoft has removed the FWC share from ISA 2006 (the FWC share was present on ISA 2004). The ISA machine is not a file server. Put this utility on a dedicated file-sharing server if you do not distribute it yourself to the users' machines. Installation is not required; you just need to copy the utility and the help file.
Also, during the installation of Bandwidth Splitter on ISA, you will be asked if you want to enable clients to use this utility, because you need an access rule on ISA for it. Bandwidth Splitter listens for connections from client-side monitoring utilities on TCP port 15000. See Figure 45 and Figure 46.
Figure 45: ISA Access Rule for Bandwidth Splitter Client-Side Monitoring Utility
Figure 46: ISA, Protocol for Bandwidth Splitter Client-Side Monitoring Utility
In Figure 47 we can see this client-side monitoring utility. It's very useful since users are aware of the traffic remainder, so they can back off when they approach the imposed limit.
Figure 47: Bandwidth Splitter Client-Side Monitoring Utility
This utility has some settings, so users can customise it a little bit. It can be configured to be launched at startup, to use a proxy server, to specify credentials manually, to set the level of transparency etc. See Figure 48.
Figure 48: Bandwidth Splitter Client-Side Monitoring Utility Settings
7. Modifying the Traffic Counters on the fly from the Quota Counters Panel
If a user reaches the quota limit, we can easily spot that within the Quota Counters. See Figure 49.
Figure 49: Bandwidth Splitter Quota Counters, Quota Reached
As opposed to the Live Monitoring panel, here we can interact with the current quota counters: we can manually modify them or delete them. This is very useful for rewarding or punishing a user, or to simply force some limits on a specific day for specific user(s) without the need to modify/add a quota rule. See Figure 50 and Figure 51.
Figure 50: Bandwidth Splitter Manually Delete a Traffic Counter
Figure 51: Bandwidth Splitter Manually Modify a Traffic Counter
8. The Download Managers cannot exhaust the bandwidth anymore
Remember the download managers discussion (http://www.carbonwind.net/ISA/HTTPSig/HTTPSig3.htm)?
Now while Diana is working, she has a fixed and stable 160 kbps channel allocated. Johnny, on the other side, is wasting time and plays with his favourite download manager. In a desperate attempt to maximize his bandwidth, Johnny has put, say, Free Download Manager (http://www.freedownloadmanager.org/) in a customised Heavy Mode. See Figure 52.
Figure 52: Free Download Manager "Heavy Mode"
This means that Johnny will create up to 10 connections per server in order to speed up his downloads.
However, this would not help him bypass the 400 kbps shared limit imposed on non-work-related destinations. Also, Diana will be unaffected by the waste traffic generated by Johnny, and will benefit from her 160 kbps channel allocated for work-related destinations. These things are clearly shown in Figure 53.
Figure 53: Live Monitoring Both Non-Work and Work Related Destinations
While Bandwidth Splitter does not prevent Johnny from creating 10 connections per server, Johnny cannot bypass the 400 kbps shared limit imposed on non-work-related traffic, and he will also soon reach his quota limit if he continues like this. So he will have to back off. Also, his joy about fully benefiting from the 400 kbps channel would not last, since other users will become active and Johnny will have to share the 400 kbps channel with them.
Thus all the waste traffic will be concentrated within this 400 kbps channel. And users have individual traffic quotas for non-work-related traffic.
Without Bandwidth Splitter in place, Johnny and other wasteful users could easily exhaust the Internet bandwidth. Now waste traffic is limited, and work-related traffic has priority.
9. Conclusion
As can be seen, with Bandwidth Splitter and a couple of mouse clicks, Internet bandwidth can be rationally distributed.
Bandwidth Splitter is a powerful bandwidth manager for ISA 2004/2006 Server that comes with a lot of useful bandwidth management features and is also very easy to use. It lacks, however, the ability to control bandwidth per protocol (as of writing this article).