Determining Hardware Requirements for VPN
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Use the following guidelines when determining network hardware requirements for your VPN design:
For interfaces on the public network, use network adapters capable of IPSec hardware offload.
Assuming that you have a 10/100 Ethernet infrastructure, set all devices to 100 Mbps Full Duplex.
Connect interfaces on the private network directly to a high-capacity switch that also connects the data servers and routers that remote access clients will access frequently.
Use the following guidelines when determining CPU requirements for your VPN design:
Processing inbound and outbound packets requires CPU cycles. By increasing the available processing power, you can increase throughput.
Doubling the speed of a single processor is more effective than doubling the number of processors.
In the case of multiprocessor platforms, binding one CPU to each network adapter can increase the efficiency of interrupt handling, freeing cycles and shrinking the performance gap between the use of a large number of less powerful CPUs and a few faster, more expensive CPUs.
Use the following guidelines when determining the RAM needed for VPN servers:
Each active connection consumes a small block of nonpageable memory (approximately 40 KB). If you do not need to handle more than 1,000 concurrent calls from remote access users, 512 MB of RAM is adequate.
If you require the capacity to handle more than 1,000 concurrent calls, provide an extra 128 MB of RAM for every 1,000 concurrent calls over the recommended RAM capacity for the server, plus a base of 128 MB more for remote access and related services.
For example, for a dedicated remote access server that will support as many as 2,000 simultaneous VPN calls, if the recommended RAM capacity for Windows Server 2003 is 256 MB, provide 768 MB of RAM:
256 MB + (128 MB * 2) + (128 MB * 2) = 768 MB
Performing Capacity Planning
The two greatest potential performance constraints in your remote access server solution are the number of simultaneous connections and the overall data throughput.
The number of simultaneous connections that a VPN server can support is determined by the available nonpaged pool memory as well as other factors, such as the use of data compression. With compression, each connection uses more nonpaged pool memory and requires more processing. Turning off compression can improve performance.
The processing power that is available to a VPN server determines the server’s data throughput capacity. Tunneling protocols also have an impact on data throughput. PPTP connections require less processing power than L2TP/IPSec connections do; however, L2TP/IPSec connections are the most secure. You can mitigate the impact of L2TP/IPSec on processing power by using IPSec hardware offload.