Appendix A: Selected Interoperability Test Results

As ISA Server 2004 proceeded through its rigorous testing process, performance data was obtained. Selected data is shown in the following sections. Note that this data was collected based on the test environment configuration detailed in this document.

Robustness Testing

Robustness testing was performed as follows:

  • A robustness matrix was used to document the results.
  • The tool TTCP was used to generate data sent through the VPN tunnel.
  • The tool TTCP was used to generate data sent unencrypted between the two workstations.
  • The amounts of data sent were:
    • 100.00 megabytes (MB)
    • 500.00 MB
    • 1.00 gigabytes (GB)
  • The transit times and average bandwidth usage numbers were calculated using built-in transit and bandwidth measurement tools in TTCP and verified through the use of built-in Microsoft Windows network monitoring tools on the workstations.
  • Packet loss was calculated through tools in TTCP, the default firewall logs, and through the use of built-in Microsoft Windows network monitoring tools.
  • For simultaneous connections, the internal networks were modified to be unique on all the third-party gateways. A VPN site-to-site tunnel was configured on the ISA Server 2004 device corresponding to each third-party gateway and protected unique network.

ISA Server 2004 Initiating the Connection

The following table compares the third-party gateway connections.

  ISA Server 2004 Gateway Cisco Checkpoint NetScreen Linksys Sonic

Tunnel Parameters

  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, preshared secret authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.

Data Transfer using TTCP (see bullet point above)

  • 100 MB: 43.00 Mbps, 44.30 Mbps, 44.88 Mbps (Ave: 44.06 Mbps); 500 MB: 45.31 Mbps, 44.98 Mbps, 46.01 Mbps (Ave: 44.43 Mbps); 1 GB: 45.34 Mbps, 45.68 Mbps, 45.74 Mbps (Ave: 45.57 Mbps)
  • 100 MB: 22.96 Mbps, 22.92 Mbps, 23.03 Mbps (Ave: 22.97 Mbps); 500 MB: 22.70 Mbps, 22.79 Mbps, 22.68 Mbps (Ave: 22.72 Mbps); 1 GB: 22.54 Mbps, 22.74 Mbps, 22.75 Mbps (Ave: 22.68 Mbps)
  • 100 MB: 4.58 Mbps, 4.59 Mbps, 4.57 Mbps (Ave: 4.58 Mbps); 500 MB: 4.60 Mbps, 4.58 Mbps, 4.60 Mbps (Ave: 4.60 Mbps); 1 GB: 4.58 Mbps, 4.58 Mbps, 4.59 Mbps (Ave: 4.58 Mbps)
  • 100 MB: 17.56 Mbps, 17.57 Mbps, 17.49 Mbps (Ave: 17.54 Mbps); 500 MB: 17.55 Mbps, 17.55 Mbps, 17.54 Mbps (Ave: 17.55 Mbps); 1 GB: 17.57 Mbps, 17.56 Mbps, 17.51 Mbps (Ave: 17.55 Mbps)

Connection Issues or Problems

  • The maximum supported VPN bandwidth is 4 Mbps.
  • N/A
  • N/A
  • The WAN interface of the Linksys device will only support 10 Mbps.
  • The maximum supported VPN bandwidth is 25 Mbps.

Third-Party Gateway Initiating the Connection

  Cisco Checkpoint NetScreen Linksys Sonic ISA Server 2004 Gateway

Tunnel Parameters

  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, preshared secret authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.

Data Transfer using TTCP

  • 100 MB: 34.61 Mbps, 36.16 Mbps, 36.46 Mbps (Ave: 35.74 Mbps); 500 MB: 37.28 Mbps, 36.91 Mbps, 37.63 Mbps (Ave: 37.27 Mbps); 1 GB: 37.31 Mbps, 37.74 Mbps, 37.21 Mbps (Ave: 37.42 Mbps)
  • 100 MB: 21.30 Mbps, 21.50 Mbps, 21.54 Mbps (Ave: 21.45 Mbps); 500 MB: 21.49 Mbps, 21.38 Mbps, 21.47 Mbps (Ave: 21.45 Mbps); 1 GB: 21.42 Mbps, 21.44 Mbps, 21.49 Mbps (Ave: 21.45 Mbps)
  • 100 MB: 5.31 Mbps, 5.33 Mbps, 5.33 Mbps (Ave: 5.32 Mbps); 500 MB: 5.32 Mbps, 5.34 Mbps, 5.33 Mbps (Ave: 5.33 Mbps); 1 GB: 5.33 Mbps, 5.33 Mbps, 5.34 Mbps (Ave: 5.33 Mbps)
  • 100 MB: 17.45 Mbps, 22.92 Mbps, 23.03 Mbps (Ave: 22.97 Mbps); 500 MB: 22.70 Mbps, 22.79 Mbps, 22.68 Mbps (Ave: 22.72 Mbps); 1 GB: 22.54 Mbps, 22.74 Mbps, 22.75 Mbps (Ave: 22.68 Mbps)

Connection Issues or Problems

  • The maximum supported VPN bandwidth is 4 Mbps.
  • N/A
  • The maximum supported VPN bandwidth is 25 Mbps.
  • The WAN interface of the Linksys device will only support 10 Mbps.
  • The maximum supported VPN bandwidth is 25 Mbps.

Performance Testing:

The performance testing was performed as follows:

  • A performance matrix was used to document the results that follow.
  • The tool TTCP was used to generate data sent through the VPN tunnel.
  • The amounts of data sent were:
    • 50.00 MB
    • 20.02 MB
    • 10.01 MB
  • The transit times and average bandwidth usage numbers were calculated using built-in transit and bandwidth measurement tools in TTCP and verified through the use of built-in Microsoft Windows network monitoring tools on the workstations.
  • For the High Bandwidth tests (>100 Mbps), the lab setup was not modified from the previous test.
  • For the Medium Bandwidth tests (>10 Mbps), the lab was modified by replacing the Enforcer device with a Cisco 2600 series router. The router’s interfaces were set to 10 Mbps Full-Duplex and configured to allow UDP port 500 and ESP traffic.
  • For the Low Bandwidth tests (>1.5 Mbps), the lab was modified by using the rate-limit command on the Cisco router. The interfaces were configured to only allow a maximum of 1.5 Mbps.
  • For the Simultaneous Low Bandwidth connections, the router was left in place using the rate-limit command to allow a maximum of 1.5 Mbps. The internal networks were modified to be unique on all the third-party gateways. A VPN site-to-site tunnel was configured on the ISA Server 2004 device corresponding to each third-party gateway and protected unique network.

ISA Server 2004 Initiating the Connection

  ISA Server 2004 Gateway Cisco Checkpoint NetScreen Linksys Sonic

Tunnel Parameters

  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, preshared secret authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.

Low bandwidth Test < 1.5 Mbps

  • 10 MB Ave: 58.59 s @ 1.37 Mbps; 20 MB Ave: 113.95 s @ 1.41 Mbps; 50 MB: 281.69 s @ 1.42 Mbps
  • 10 MB Ave: 72.54 s @ 1.11 Mbps; 20 MB Ave: 159.51 s @ 1.01 Mbps; 50 MB: 377.36 s @ 1.06 Mbps
  • 10 MB Ave: 69.01 s @ 1.16 Mbps; 20 MB Ave: 139.89 s @ 1.14 Mbps; 50 MB: 347.83 s @ 1.15 Mbps
  • 10 MB Ave: 74.38 s @ 1.08 Mbps; 20 MB Ave: 137.99 s @ 1.16 Mbps; 50 MB: 347.11 s @ 1.15 Mbps
  • 10 MB Ave: 65.33 s @ 1.23 Mbps; 20 MB Ave: 124.75 s @ 1.28 Mbps; 50 MB: 310.08 s @ 1.29 Mbps

Medium Bandwidth Test < 10 Mbps

  • 10 MB Ave: 9.83 s @ 8.14 Mbps; 20 MB Ave: 17.96 s @ 8.92 Mbps; 50 MB: 44.51 s @ 8.99 Mbps
  • 10 MB Ave: 10.33 s @ 7.75 Mbps; 20 MB Ave: 18.73 s @ 8.55 Mbps; 50 MB: 47.96 s @ 8.35 Mbps
  • 10 MB Ave: 17.45 s @ 4.58 Mbps; 20 MB Ave: 34.88 s @ 4.59 Mbps; 50 MB: 87.28 s @ 4.58 Mbps
  • 10 MB Ave: 9.98 s @ 8.02 Mbps; 20 MB Ave: 18.79 s @ 8.52 Mbps; 50 MB: 46.41 s @ 8.62 Mbps

High Bandwidth Test < 100 Mbps

  • 10 MB Ave: 1.81 s @ 44.21 Mbps; 20 MB Ave: 3.62 s @ 44.25 Mbps; 50 MB: 9.02 s @ 44.36 Mbps
  • 10 MB Ave: 3.49 s @ 22.91 Mbps; 20 MB Ave: 6.97 s @ 22.96 Mbps; 50 MB: 17.45 s @ 22.92 Mbps
  • N/A
  • 10 MB Ave: 4.62 s @ 17.32 Mbps; 20 MB Ave: 9.12 s @ 17.55 Mbps; 50 MB: 22.83 s @ 17.51 Mbps

Connection Issues or Problems

  • The maximum supported VPN bandwidth is 4 Mbps.
  • N/A
  • N/A
  • The WAN interface of the Linksys device will only support 10 Mbps.
  • The maximum supported VPN bandwidth is 25 Mbps.

Third-Party Gateway Initiating the Connection

  Cisco Checkpoint NetScreen Linksys Sonic ISA Server 2004 Gateway

Tunnel Parameters

  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, preshared secret authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.
  • Phase 1: Main Mode, 3DES, SHA-1, MODP Group 2 for DH, SA life of 28,800 sec, certificate-based authentication. Phase 2: 3DES, SHA-1, PFS & MODP Group 2 for DH, SA life of 3600 sec.

Low bandwidth Test < 1.5 Mbps

  • 10 MB Ave: 59.27 s @ 1.35 Mbps; 20 MB Ave: 115.95 s @ 1.38 Mbps; 50 MB: 284.14 s @ 1.41 Mbps
  • 10 MB Ave: 68.58 s @ 1.17 Mbps; 20 MB Ave: 133.60 s @ 1.20 Mbps; 50 MB: 128.03 s @ 1.22 Mbps
  • 10 MB Ave: 67.09 s @ 1.19 Mbps; 20 MB Ave: 136.01 s @ 1.18 Mbps; 50 MB: 324.96 s @ 1.23 Mbps
  • 10 MB Ave: 69.85 s @ 1.15 Mbps; 20 MB Ave: 135.09 s @ 1.19 Mbps; 50 MB: 330.58 s @ 1.21 Mbps
  • 10 MB Ave: 68.27 s @ 1.17 Mbps; 20 MB Ave: 133.94 s @ 1.20 Mbps; 50 MB: 129.93 s @ 1.21 Mbps

Medium Bandwidth Test < 10 Mbps

  • 10 MB Ave: 9.75 s @ 8.21 Mbps; 20 MB Ave: 19.28 s @ 8.31 Mbps; 50 MB: 47.58 s @ 8.38 Mbps
  • 10 MB Ave: 9.34 s @ 8.51 Mbps; 20 MB Ave: 19.11 s @ 8.38 Mbps; 50 MB: 47.22 s @ 8.46 Mbps
  • 10 MB Ave: 15.01 s @ 5.33 Mbps; 20 MB Ave: 30.07 s @ 5.33 Mbps; 50 MB: 75.05 s @ 5.33 Mbps
  • 10 MB Ave: 9.72 s @ 8.22 Mbps; 20 MB Ave: 19.24 s @ 8.32 Mbps; 50 MB: 48.29 s @ 8.28 Mbps

High Bandwidth Test < 100 Mbps

  • 10 MB Ave: 2.12 s @ 37.79 Mbps; 20 MB Ave: 4.23 s @ 37.83 Mbps; 50 MB: 10.58 s @ 37.81 Mbps
  • 10 MB Ave: 3.75 s @ 21.35 Mbps; 20 MB Ave: 7.47 s @ 21.46 Mbps; 50 MB: 18.66 s @ 21.45 Mbps
  • Not applicable
  • 10 MB Ave: 3.52 s @ 22.78 Mbps; 20 MB Ave: 6.99 s @ 22.93 Mbps; 50 MB: 17.55 s @ 22.81 Mbps

Connection Issues or Problems

  • The maximum supported VPN bandwidth is 4 Mbps.
  • N/A
  • N/A
  • The WAN interface of the Linksys device will only support 10 Mbps.
  • The maximum supported VPN bandwidth is 25 Mbps.
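
Added example (not part of the original document): a Python cross-check of the low-bandwidth results for third-party gateways initiating the connection, where each entry pairs a transfer time with a rate. It recomputes the rate from size and time and compares it with the reported rate and with the 1.5 Mbps rate limit. Assumptions: 1 MB = 10^6 bytes, the 10.01/20.02/50.00 MB sizes from the method list, a 5 % rounding tolerance, and column numbers that are only positions in the table row.

```python
# Added example: cross-check "time @ rate" entries from the low-bandwidth table.
# Assumptions: 1 MB = 10**6 bytes, 1 Mbps = 10**6 bit/s, sizes per the method
# list (10.01 / 20.02 / 50.00 MB). Column = position in the table row.

RATE_LIMIT_MBPS = 1.5  # cap set with rate-limit on the router for these tests
TOLERANCE = 0.05       # assumed slack for rounding in the reported figures

# (column, size in MB, reported seconds, reported Mbps), in page order
ROWS = [
    (1, 10.01, 59.27, 1.35), (1, 20.02, 115.95, 1.38), (1, 50.00, 284.14, 1.41),
    (2, 10.01, 68.58, 1.17), (2, 20.02, 133.60, 1.20), (2, 50.00, 128.03, 1.22),
    (3, 10.01, 67.09, 1.19), (3, 20.02, 136.01, 1.18), (3, 50.00, 324.96, 1.23),
    (4, 10.01, 69.85, 1.15), (4, 20.02, 135.09, 1.19), (4, 50.00, 330.58, 1.21),
    (5, 10.01, 68.27, 1.17), (5, 20.02, 133.94, 1.20), (5, 50.00, 129.93, 1.21),
]


def derived_mbps(size_mb, seconds):
    """Throughput implied by moving size_mb megabytes in the given time."""
    if seconds <= 0:
        raise ValueError("transfer time must be positive")
    return size_mb * 8 / seconds


def check(rows=ROWS):
    """Return entries whose time and rate disagree or that exceed the cap."""
    findings = []
    for column, size_mb, seconds, reported in rows:
        rate = derived_mbps(size_mb, seconds)
        problems = []
        if abs(rate - reported) > TOLERANCE * reported:
            problems.append("time and rate disagree")
        if rate > RATE_LIMIT_MBPS:
            problems.append("time implies a rate above the limit")
        if problems:
            findings.append(
                (column, size_mb, seconds, reported, round(rate, 2), problems))
    return findings


if __name__ == "__main__":
    for column, size_mb, seconds, reported, rate, problems in check():
        print(f"column {column}, {size_mb:g} MB: {seconds} s gives {rate} Mbps, "
              f"reported {reported} Mbps ({'; '.join(problems)})")
```

The check flags the two 50 MB entries with times of 128.03 s and 129.93 s: those times imply more than 3 Mbps, which neither matches the reported rate nor fits under the 1.5 Mbps limit.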