Just been working on our ISA infrastructure. We have 2 ISA servers, 1 for staff and 1 for students. The main reason for the separate servers is that each ‘group’ has to go through a different upstream proxy server. (Bit of a pain, but that’s what we have to do.)
Simple task this morning: block a couple of sites and add a new HTTP signature for blocking. Open up the ISA Management console and off we go.
Upon opening, I was greeted with a dozen rules and a number of separate filters. I knew that ISA performance had been suffering recently, but hadn’t really had the time to do anything about it. It looks like over time, as requirements changed and extra sites and services needed restricting or allowing, the firewall rules and web chaining rules had become one giant mess.
Taking the opportunity of a bit of time for once, I took all of the rules, deleted them and started from scratch. Managed to get 14 rules down to 3. Took a look at the web chaining rules and reorganised them into a more logical order. All traffic is now told to attempt to go direct to the source instead of the upstream proxy. Previously, all traffic was directed to the upstream proxy, and then told to go direct if it didn’t match a rule. (I think that makes sense!)
Other than making the whole configuration simpler (always a good feature), the redesign has had two positive side effects that weren’t planned for. ISA performance has improved by around 50%: request times are half as long as they were before. Also, YouTube has started working!! Something in the configuration was stopping YouTube from loading and playing videos, but in the mess of rules we could not determine what the problem was.
Today I have determined that every so often you need to really challenge an existing design to ensure that it is as simple, and as functional, as it needs to be.