Appendix A: Selected Interoperability Test Results
As ISA Server 2004 proceeded through its rigorous testing process, performance data was obtained. Selected data is shown in the following sections. Note that this data was collected based on the test environment configuration detailed in this document.
Robustness Testing
Robustness testing was performed as follows:
- A robustness matrix was used to document the results.
- The tool TTCP was used to generate data sent through the VPN tunnel.
- The tool TTCP was used to generate data sent unencrypted between the two workstations.
- The amounts of data sent were:
  - 100.00 megabytes (MB)
  - 500.00 MB
  - 1.00 gigabytes (GB)
- The transit times and average bandwidth usage numbers were calculated using built-in transit and bandwidth measurement tools in TTCP and verified through the use of built-in Microsoft Windows network monitoring tools on the workstations.
- Packet loss was calculated through tools in TTCP, the default firewall logs, and through the use of built-in Microsoft Windows network monitoring tools.
- For simultaneous connections, the internal networks were modified to be unique on all the third-party gateways. A VPN site-to-site tunnel was configured on the ISA Server 2004 device corresponding to each third-party gateway and protected unique network.
ISA Server 2004 Initiating the Connection
The following table compares the third-party gateway connections.
ISA Server 2004 Gateway | Cisco | Checkpoint | NetScreen | Linksys | Sonic | |
---|---|---|---|---|---|---|
Tunnel Parameters |
|
|
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Preshared Secret authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Data Transfer using TTCP (see bullet point above) |
|
|
100 MB 43.00 Mbps 44.30 Mbps 44.88 Mbps Ave: 44.06 Mbps 500 MB 45.31 Mbps 44.98 Mbps 46.01 Mbps Ave: 44.43 Mbps 1 GB 45.34 Mbps 45.68 Mbps 45.74 Mbps Ave: 45.57 Mbps |
100 MB 22.96 Mbps 22.92 Mbps 23.03 Mbps Ave: 22.97 Mbps 500 MB 22.70 Mbps 22.79 Mbps 22.68 Mbps Ave: 22.72 Mbps 1 GB 22.54 Mbps 22.74 Mbps 22.75 Mbps Ave: 22.68 Mbps |
100 MB 4.58 Mbps 4.59 Mbps 4.57 Mbps Ave: 4.58 Mbps 500 MB 4.60 Mbps 4.58 Mbps 4.60 Mbps Ave: 4.60 Mbps 1 GB 4.58 Mbps 4.58 Mbps 4.59 Mbps Ave: 4.58 Mbps |
100 MB 17.56 Mbps 17.57 Mbps 17.49 Mbps Ave: 17.54 Mbps 500 MB 17.55 Mbps 17.55 Mbps 17.54 Mbps Ave: 17.55 Mbps 1 GB 17.57 Mbps 17.56 Mbps 17.51 Mbps Ave: 17.55 Mbps |
Connection Issues or Problems |
|
The maximum supported VPN bandwidth is 4 Mbps. |
N/A |
N/A |
The WAN interface of the Linksys device will only support 10 Mbps. |
The maximum supported VPN bandwidth is 25 Mbps. |
Third-Party Gateway Initiating the Connection
Cisco | Checkpoint | NetScreen | Linksys | Sonic | ISA Server 2004 Gateway | |
---|---|---|---|---|---|---|
Tunnel Parameters |
|
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Preshared Secret authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
|
Data Transfer using TTCP |
|
100 MB: 34.61 Mbps 36.16 Mbps 36.46 Mbps Ave: 35.74 Mbps 500 MB 37.28 Mbps 36.91 Mbps 37.63 Mbps Ave: 37.27 Mbps 1 GB 37.31 Mbps 37.74 Mbps 37.21 Mbps Ave: 37.42 Mbps |
100 MB: 21.30 Mbps 21.50 Mbps 21.54 Mbps Ave: 21.45 Mbps 500 MB 21.49 Mbps 21.38 Mbps 21.47 Mbps Ave: 21.45 Mbps 1 GB 21.42 Mbps 21.44 Mbps 21.49 Mbps Ave: 21.45 Mbps |
100 MB 5.31 Mbps 5.33 Mbps 5.33 Mbps Ave: 5.32 Mbps 500 MB 5.32 Mbps 5.34 Mbps 5.33 Mbps Ave: 5.33 Mbps 1 GB 5.33 Mbps 5.33 Mbps 5.34 Mbps Ave: 5.33 Mbps |
100 MB 17.45 Mbps 22.92 Mbps 23.03 Mbps Ave: 22.97 Mbps 500 MB 22.70 Mbps 22.79 Mbps 22.68 Mbps Ave: 22.72 Mbps 1 GB 22.54 Mbps 22.74 Mbps 22.75 Mbps Ave: 22.68 Mbps |
|
Connection Issues or Problems |
The maximum supported VPN bandwidth is 4 Mbps. |
N/A |
The maximum supported VPN bandwidth is 25 Mbps. |
The WAN interface of the Linksys device will only support 10 Mbps. |
The maximum supported VPN bandwidth is 25 Mbps. |
|
Performance Testing
The performance testing was performed as follows:
- A performance matrix was used to document the results that follow.
- The tool TTCP was used to generate data sent through the VPN tunnel.
- The amounts of data sent were:
  - 50.00 MB
  - 20.02 MB
  - 10.01 MB
- The transit times and average bandwidth usage numbers were calculated using built-in transit and bandwidth measurement tools in TTCP and verified through the use of built-in Microsoft Windows network monitoring tools on the workstations.
- For the High Bandwidth tests (>100 Mbps), the lab setup was not modified from the previous test.
- For the Medium Bandwidth tests (>10 Mbps), the lab was modified by replacing the Enforcer device with a Cisco 2600 series router. The router’s interfaces were set to 10 Mbps Full-Duplex and configured to allow UDP port 500 and ESP traffic.
- For the Low Bandwidth tests (>1.5 Mbps), the lab was modified by using the rate-limit command on the Cisco router. The interfaces were configured to only allow a maximum of 1.5 Mbps.
- For the Simultaneous Low Bandwidth connections, the router was left in place using the rate-limit command to allow a maximum of 1.5 Mbps. The internal networks were modified to be unique on all the third-party gateways. A VPN site-to-site tunnel was configured on the ISA Server 2004 device corresponding to each third-party gateway and protected unique network.
ISA Server 2004 Initiating the Connection
ISA Server 2004 Gateway | Cisco | Checkpoint | NetScreen | Linksys | Sonic | |
---|---|---|---|---|---|---|
Tunnel Parameters |
|
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Preshared Secret authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Low bandwidth Test < 1.5 Mbps |
|
10 MB Ave: 58.59 s @ 1.37 Mbps 20 MB Ave: 113.95 s @ 1.41 Mbps 50 MB 281.69 s @ 1.42 Mbps |
10 MB Ave: 72.54 s @ 1.11 Mbps 20 MB Ave: 159.51 s @ 1.01 Mbps 50 MB 377.36 s @ 1.06 Mbps |
10 MB Ave: 69.01 s @ 1.16 Mbps 20 MB Ave: 139.89 s @ 1.14 Mbps 50 MB 347.83 s @ 1.15 Mbps |
10 MB Ave: 74.38 s @ 1.08 Mbps 20 MB Ave: 137.99 s @ 1.16 Mbps 50 MB 347.11 s @ 1.15 Mbps |
10 MB Ave: 65.33 s @ 1.23 Mbps 20 MB Ave: 124.75 s @ 1.28 Mbps 50 MB 310.08 s @ 1.29 Mbps |
Medium Bandwidth Test < 10 Mbps |
|
|
10 MB Ave: 9.83 s @ 8.14 Mbps 20 MB Ave: 17.96 s @ 8.92 Mbps 50 MB 44.51 s @ 8.99 Mbps |
10 MB Ave: 10.33 s @ 7.75 Mbps 20 MB Ave: 18.73 s @ 8.55 Mbps 50 MB 47.96 s @ 8.35 Mbps |
10 MB Ave: 17.45 s @ 4.58 Mbps 20 MB Ave: 34.88 s @ 4.59 Mbps 50 MB 87.28 s @ 4.58 Mbps |
10 MB Ave: 9.98 s @ 8.02 Mbps 20 MB Ave: 18.79 s @ 8.52 Mbps 50 MB 46.41 s @ 8.62 Mbps |
High Bandwidth Test < 100 Mbps |
|
|
10 MB Ave: 1.81 s @ 44.21 Mbps 20 MB Ave: 3.62 s @ 44.25 Mbps 50 MB 9.02 s @ 44.36 Mbps |
10 MB Ave: 3.49 s @ 22.91 Mbps 20 MB Ave: 6.97 s @ 22.96 Mbps 50 MB 17.45 s @ 22.92 Mbps |
N/A |
10 MB Ave: 4.62 s @ 17.32 Mbps 20 MB Ave: 9.12 s @ 17.55 Mbps 50 MB 22.83 s @ 17.51 Mbps |
Connection Issues or Problems |
|
The maximum supported VPN bandwidth is 4 Mbps. |
N/A |
N/A |
The WAN interface of the Linksys device will only support 10 Mbps. |
The maximum supported VPN bandwidth is 25 Mbps. |
Third-Party Gateway Initiating the Connection
Cisco | Checkpoint | NetScreen | Linksys | Sonic | ISA Server 2004 Gateway | |
---|---|---|---|---|---|---|
Tunnel Parameters |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Preshared Secret authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
Phase 1: Main Mode 3DES SHA-1 MODP Group2 for DH SA Life of 28,800 Sec Certificate based authentication Phase 2: 3DES SHA-1 PFS & MODP Group 2 for DH SA Life of 3600 Sec. |
|
Low bandwidth Test < 1.5 Mbps |
10 MB Ave: 59.27 s @ 1.35 Mbps 20 MB Ave: 115.95 s @ 1.38 Mbps 50 MB 284.14 s @ 1.41 Mbps |
10 MB Ave: 68.58 s @ 1.17 Mbps 20 MB Ave: 133.60 s @ 1.20 Mbps 50 MB 128.03 s @ 1.22 Mbps |
10 MB Ave: 67.09 s @ 1.19 Mbps 20 MB Ave: 136.01 s @ 1.18 Mbps 50 MB 324.96 s @ 1.23 Mbps |
10 MB Ave: 69.85 s @ 1.15 Mbps 20 MB Ave: 135.09 s @ 1.19 Mbps 50 MB 330.58 s @ 1.21 Mbps |
10 MB Ave: 68.27 s @ 1.17 Mbps 20 MB Ave: 133.94 s @ 1.20 Mbps 50 MB 129.93 s @ 1.21 Mbps |
|
Medium Bandwidth Test < 10 Mbps |
|
10 MB Ave: 9.75 s @ 8.21 Mbps 20 MB Ave: 19.28 s @ 8.31 Mbps 50 MB 47.58 s @ 8.38 Mbps |
10 MB Ave: 9.34 s @ 8.51 Mbps 20 MB Ave: 19.11 s @ 8.38 Mbps 50 MB 47.22 s @ 8.46 Mbps |
10 MB Ave: 15.01 s @ 5.33 Mbps 20 MB Ave: 30.07 s @ 5.33 Mbps 50 MB 75.05 s @ 5.33 Mbps |
10 MB Ave: 9.72 s @ 8.22 Mbps 20 MB Ave: 19.24 s @ 8.32 Mbps 50 MB 48.29 s @ 8.28 Mbps |
|
High Bandwidth Test < 100 Mbps |
|
10 MB Ave: 2.12 s @ 37.79 Mbps 20 MB Ave: 4.23 s @ 37.83 Mbps 50 MB 10.58 s @ 37.81 Mbps |
10 MB Ave: 3.75 s @ 21.35 Mbps 20 MB Ave: 7.47 s @ 21.46 Mbps 50 MB 18.66 s @ 21.45 Mbps |
Not applicable |
10 MB Ave: 3.52 s @ 22.78 Mbps 20 MB Ave: 6.99 s @ 22.93 Mbps 50 MB 17.55 s @ 22.81 Mbps |
|
Connection Issues or Problems |
The maximum supported VPN bandwidth is 4 Mbps. |
N/A |
N/A |
The WAN interface of the Linksys device will only support 10 Mbps. |
The maximum supported VPN bandwidth is 25 Mbps. |
|
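
An added example (not part of the original appendix): a Python consistency check over result cells copied from the tables above. It recomputes throughput as payload size × 8 / transit time from the payload sizes in the test method, and recomputes each three-run average, returning the entries whose printed figures disagree; the function names, the tolerances and the reading of MB as decimal megabytes are assumptions of this example.

```python
import re

# Payload sizes (MB) from the performance-test method list on this page.
# Assumption: Mbps = MB * 8 / seconds (decimal megabytes).
PAYLOAD_MB = {"10": 10.01, "20": 20.02, "50": 50.00}
# "<size> MB [Ave:] <seconds> s @ <rate> Mbps" inside a performance cell.
TIMED = re.compile(r"(\d+) MB (?:Ave: )?([\d.]+) s @ ([\d.]+) Mbps")
# "<size>[:] <run> Mbps ... Ave: <avg> Mbps" inside a robustness cell.
RUNS = re.compile(r"(\d+ [MG]B):? ((?:[\d.]+ Mbps )+)Ave: ([\d.]+) Mbps")

# Cells copied verbatim from the tables above.
CLEAN = "10 MB Ave: 59.27 s @ 1.35 Mbps 20 MB Ave: 115.95 s @ 1.38 Mbps 50 MB 284.14 s @ 1.41 Mbps"
SUSPECT = "10 MB Ave: 68.58 s @ 1.17 Mbps 20 MB Ave: 133.60 s @ 1.20 Mbps 50 MB 128.03 s @ 1.22 Mbps"
ROBUST = ("100 MB 43.00 Mbps 44.30 Mbps 44.88 Mbps Ave: 44.06 Mbps "
          "500 MB 45.31 Mbps 44.98 Mbps 46.01 Mbps Ave: 44.43 Mbps "
          "1 GB 45.34 Mbps 45.68 Mbps 45.74 Mbps Ave: 45.57 Mbps")

def check_timed(cell, tol=0.02):
    """Return (size, reported, implied) where Mbps disagrees with size*8/seconds."""
    bad = []
    for size, secs, rate in TIMED.findall(cell):
        implied = PAYLOAD_MB[size] * 8 / float(secs)
        # Relative tolerance absorbs rounding of the printed time and rate.
        if abs(implied - float(rate)) > tol * float(rate):
            bad.append((f"{size} MB", float(rate), round(implied, 2)))
    return bad

def check_averages(cell, tol=0.05):
    """Return (size, reported, mean) where 'Ave' is not the mean of the runs."""
    bad = []
    for size, runs, avg in RUNS.findall(cell):
        values = [float(v) for v in re.findall(r"[\d.]+", runs)]
        mean = sum(values) / len(values)
        if abs(mean - float(avg)) > tol:
            bad.append((size, float(avg), round(mean, 2)))
    return bad

if __name__ == "__main__":
    for name, cell in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, "rate mismatches:", check_timed(cell))
    print("average mismatches:", check_averages(ROBUST))
```

A flagged entry only shows that the printed time, rate or average cannot all be right together; it does not say which figure is the misprint.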