05.02.2008
A Bandwidth Manager for ISA 2006 Firewall : Bandwidth Splitter
- 1. Overview
- 2. Let's create a shaping rule
- 3. Another shaping rule
- 4. Let's create a quota rule
- 5. Testing the created Shaping and Quota rules
- 6. Client-side monitoring utility
- 7. Modifying the Traffic Counters on the fly from the Quota Counters Panel
- 8. The Download Managers cannot exhaust the bandwidth anymore
- 9. Conclusion
1. Overview
ISA 2006 Firewall comes with a lot of nice features by default. But, like everything and everybody, it's not perfect. Unfortunately it does not come with an integrated bandwidth manager.
As we have seen in a previous article, not having a bandwidth manager installed on ISA can easily lead to an improper distribution of the Internet bandwidth among the users. Wasteful traffic can exhaust the Internet bandwidth and work related traffic will suffer. Unauthorized installations of download managers, for example, can seriously affect work related traffic (long delays, timeouts...).
That's why you should always allow only needed traffic to needed destinations.
A nice feature of ISA is the ability to authenticate users based on their Active Directory accounts.
So it would be nice to have a bandwidth manager that integrates with ISA and is able to control/limit bandwidth using Active Directory Groups and Users in addition to machine based control (using IP addresses). In this way the shaping and quota rules will "follow" the users (the users can use any domain computer on the network). Whatever machine the users use, they will benefit from the bandwidth allocated to them and ISA will be able to control/limit it accordingly. The quality of the bandwidth allocated per user/group for work related traffic will be constant, thus increasing work productivity. Non-work related (non-priority) traffic is limited, thus Internet connection costs are reduced.
Let's imagine the situation below (reduced and simplified).
User X is working with an application that connects him/her to a remote server. Another user Y is killing time surfing the Internet, starting a couple of downloads and so on. Due to the "activity" of user Y, user X will not have a fixed, constant bandwidth allocated, although he/she is working on an important project. User X may experience spikes, delays and timeouts when using the needed application. These lead to frustration and thus to poor work productivity.
The solution is to provide user X with a constant channel for his/her duties while limiting the bandwidth for non-work related activity (like that of user Y). The shaping of the channel should be done per destination and per protocol.
In addition, it is very important to have a live picture of all users and their connections through ISA including a chart with the bandwidth utilization. And the ability to immediately disconnect offending users.
A powerful bandwidth manager should be able to do all these. Obviously a powerful bandwidth manager with plenty of options can help in many other situations.
In this article we will take a look at the current version of Bandwidth Splitter. At the time of writing, the version is 1.21.
Bandwidth Splitter allows free-of-charge use with up to 10 clients. So you have the chance to see it in action yourself before placing an order. I've said it before and I can't stress enough how important it is to have access to a trial version of a piece of software, in order to see if it's actually good enough for you and if it does what its vendor promises. The difference with Bandwidth Splitter is the fact that if you have only a few clients (up to 10) you can use it for free. See Figure1.
Figure1: Bandwidth Splitter License
Bandwidth Splitter impresses from the start because it's nicely integrated with ISA and with ISA's management console. See Figure2.
Figure2: Bandwidth Splitter Integrated with ISA's Management Console
Also, for remote administration, you can install only the administrative component of Bandwidth Splitter on remote computers that have the ISA Server management console installed.
An amazing fact about Bandwidth Splitter is how easy it is to use. I was able to start managing the bandwidth in a second.
With Bandwidth Splitter you can manage the traffic of HTTP, HTTPS and FTP connections (for web proxy clients) and TCP/UDP connections (for SecureNAT clients, Firewall Clients and DMZ servers). Also you can manage the traffic of published servers.
With Bandwidth Splitter you create shaping and quota rules.
Shaping rules can be described as speed limitation rules. You can restrict the maximum speed of connections for individual users, user groups or IP addresses (per Networks, Subnets, individual computers, Computer Sets, URL Sets or Domain Name Sets).
Quota rules restrict the amount of traffic that a specific user, a group of users, a host or a group of hosts may transfer within a period of time. Note that quota rules apply only when the source IP address is not in the External Network and the destination IP address belongs to the External Network. If you have a server in an ISA DMZ and you are connecting to it from, say, the Internal network, you cannot have a quota rule for these connections.
If you have an ISA DMZ, the routing relationship between this DMZ and the External network is set to "route", and you are using access rules for example, you can apply shaping and quota rules to machines from this DMZ (controlling connections coming from the External Network) by checking "Treat connections from External network as accepted/inbound". This option is a little confusing until you start making some quick tests. See Figure3.
Figure3: "Treat connections from External network as accepted/inbound"
Bandwidth Splitter uses the entities of ISA Server for both shaping and quota rules. This is quite handy because it eliminates the administrative overhead of creating separate entities within Bandwidth Splitter's administration interface.
For shaping rules you can use ISA entities within the following fields:
- the "Destinations" field can contain: Networks, Subnets, Address Ranges, individual computers, Computer Sets, URL Sets or Domain Name Sets, see Figure4.
Figure4: Bandwidth Splitter Shaping Rule "Destinations" Field
- the "Applies to IP addresses" field can contain: Networks, Subnets, Address Ranges, individual computers or Computer Sets, see Figure5.
Figure5: Bandwidth Splitter Shaping Rule "Applies to IP addresses" Field
- the "Applies to User Sets" field can contain the User Sets defined on ISA, see Figure6. The option to control the speed limit per User Set provides more power and more flexibility. It represents a big plus for Bandwidth Splitter.
Figure6: Bandwidth Splitter Shaping Rule "Applies to User Sets" Field
- the "Schedule" field can contain the Schedules defined on ISA, see Figure7. However, ISA Schedules are not very flexible: you cannot define a schedule from, say, 14:30 to 14:45, only from 14:00 to 15:00.
Figure7: Bandwidth Splitter Shaping Rule "Schedule" Field
For quota rules you can use ISA entities within the following fields:
- the "Applies to IP addresses" field can contain: Networks, Subnets, Address Ranges, individual computers, Computer Sets, URL Sets or Domain Name Sets, with the observation that quota rules apply only when the source IP address is not in the External Network and the destination IP address belongs to the External Network. See Figure8.
Figure8: Bandwidth Splitter Quota Rule "Applies to IP addresses" Field
- the "Applies to User Sets" field can contain the User Sets defined on ISA. See Figure9. The ability to assign a traffic quota per User Set provides more power and more flexibility. It represents another big plus for Bandwidth Splitter.
Figure9: Bandwidth Splitter Quota Rule "Applies to User Sets" Field
Bandwidth Splitter comes with a real-time monitoring feature. You can view the activity of all clients accessing the Internet through ISA Server (the IP address of each client, the user name, the number of connections and so on). See Figure10.
Figure10: Bandwidth Splitter Live Monitoring
If you are using quota rules you can visualize the traffic counter and the amount of remaining traffic. See Figure11.
Figure11: Bandwidth Splitter Quota Counters
However, you can only look; you do not have an option to disconnect a user.
Another minus for Bandwidth Splitter is the fact that you cannot apply shaping rules based on protocols. By default all TCP and UDP protocols are shaped.
An interesting and very useful feature of Bandwidth Splitter is the fact that you can specify what happens when some connections do not match any shaping and/or quota rule. By default, "Do not filter connections" is selected, thus these connections are excluded from processing. Exclusion occurs only when neither type of rule matches. If you select "Deny connections" instead of "Do not filter connections", then such connections will be denied. Therefore you have to define your shaping and quota rules carefully if you want to use this setting. See Figure12 (the Advanced tab of the general options of Bandwidth Splitter).
Figure12: Action to Take When No Rules Found
2. Let's create a shaping rule
Let's create a shaping rule. I have created a test access rule on ISA allowing FTP, HTTP and HTTPS from Internal to External for All Authenticated Users. Thus this rule requires authentication. See Figure13.
Figure13: ISA Internet Access Rule
Actually, to apply a Bandwidth Splitter rule to users or user groups you need authentication on ISA's rule (only Web Proxy Clients and/or Firewall Clients can authenticate).
What I want to accomplish: to allocate a constant bandwidth to a group of users for their work duties, with each individual user belonging to this group having a fixed and constant bandwidth allocated. The group of users is called "RegularUsers".
To accomplish all this I will create a shaping rule for work required destinations. Work required destinations include Computer Sets, URL Sets and Domain Name Sets. They have already been created, because you cannot create new destinations (ISA's entities) on the fly from Bandwidth Splitter's wizard.
Start the wizard for creating a new shaping rule. See Figure14.
Figure14: New Bandwidth Splitter Shaping Rule
Enter a name for this rule. See Figure15.
Figure15: Bandwidth Splitter Shaping Rule Name
Click Next.
Apply this rule to the "RegularUsers" Users Set. See Figure16.
Figure16: Bandwidth Splitter Shaping Rule "Applies to Regular Users" Users Set
Click Next.
As said before, the "Destinations" field will contain a Computer Set (populated with the remote servers' IP addresses), a URL Set and a Domain Name Set. The last two include, for example, links to various online documentation and support sites. See Figure17.
Figure17: Bandwidth Splitter Shaping Rule "Work-Related Destinations"
Click Next.
The Schedule for this shaping rule is set to Always. I want the working users to benefit from this bandwidth all the time (working hours, extra hours...). See Figure18.
Figure18: Bandwidth Splitter Shaping Rule "Schedule"
You can create an ISA schedule for your company's work hours for example if you want to. See Figure19.
Figure19: ISA New Work Schedule
Click Next.
Now you need to specify bandwidth limits for this shaping rule. I have chosen as the shaping mode the sum of incoming and outgoing traffic and set a limit of 160 kbps. You can also shape incoming and outgoing traffic separately, shape incoming traffic only or shape outgoing traffic only. See Figure20.
Figure20: Bandwidth Splitter Shaping Rule Specify the Bandwidth Limits
Also here you can decide whether or not to shape cached web content and whether or not to enable HTTP Boost.
So what does this HTTP Boost do?
According to the manual, HTTP Boost mode lets you accelerate web surfing. It will make surfing much more comfortable due to these accelerations. You can select the content type set for which HTTP Boost mode will be used on the Advanced tab of the general options of Bandwidth Splitter, in the HTTP Boost content type set list. See Figure21.
Figure21: Bandwidth Splitter "HTTP Boost"
When enabling HTTP Boost, you allow a new, higher speed limit for a certain amount of time for certain content types. So, temporarily, a user who has been inactive for a certain minimum period of time will be able to access the specified content types at a speed higher than the main speed limit value. By default, the content types for which HTTP Boost applies (only if you check the "Enable HTTP Boost" checkbox on your shaping rule) are text and HTML content, images, JavaScript and Flash animation. As can be seen from Figure21, you can specify other content types if you want. If you do not check the "Enable HTTP Boost" checkbox on your shaping rule, HTTP Boost is disabled. Enabling HTTP Boost for work-related destinations can be very useful.
Next you have the chance to limit the number of concurrent connections. See Figure22.
Figure22: Bandwidth Splitter Shaping Rule Limit No. of Concurrent Connections
This setting is somewhat confusing: what type of concurrent connections?
Some quick tests show that this limit applies to both TCP and UDP connections sent to all destinations. It's not a limit that applies to connections made per destination; it applies globally. When a user is browsing and exceeds the number of concurrent connections allowed, an error page will appear. See Figure23.
Figure23: Bandwidth Splitter Default "Too many connections" Error Page
This error page (along with other error pages like "Access not allowed" or "Traffic quota limit reached") can be customised.
Click Next.
A very important and useful setting appears. You can assign the specified 160 kbps bandwidth individually to each user or distribute this bandwidth between users. See Figure24.
Figure24: Bandwidth Splitter Shaping Rule "Shaping Type"
As intended, I assigned the specified 160 kbps bandwidth individually to each user.
The other option, to distribute the bandwidth between users, lets you do this distribution statically or dynamically.
For example, if the RegularUsers group contains 4 active users and Static bandwidth distribution is checked, then their individual speed limit will be 160 / 4 = 40 kbits/s. This can lead to wasted bandwidth, because two of the users may at a certain moment require only 20 kbits/s and 30 kbits/s respectively. However, Static bandwidth distribution may guarantee, when there is no free/unused bandwidth available, an equal distribution (40 kbits/s per user) of the total allocated bandwidth (160 kbits/s per group) among the active users.
If Static bandwidth distribution is unchecked, then this unused bandwidth can be distributed between the other two users, which at that moment may need more bandwidth. The downside of this, according to the manual, is that when there is no free/unused bandwidth, the users who have more connections or better links to the servers could take precedence over the remaining users.
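To make the difference between the three shaping types concrete, here is a small added simulation (my own example code, not part of Bandwidth Splitter or of this article's original text) that allocates a group limit among active users. The per-user and static modes follow the text above directly; for the dynamic mode I assume a max-min fair (water-filling) allocation, which is a reasonable model but not something the product documents, and it ignores the manual's note that users with more connections or better links may take precedence when the channel is saturated. The user demands are constructed; the 160 kbps limit and the 4 users are the article's example.

```python
"""Shaping-type comparison for a group limit: per-user, static shared, dynamic shared.

Demands are the bandwidth (kbps) each active user would consume if unshaped;
allocations are what the shaper lets each user have. Constructed example.
"""


def per_user_shaping(limit_kbps, demands):
    """'Assign bandwidth individually to each user': every active user gets
    its own channel of limit_kbps, regardless of how many users are active."""
    return [min(demand, float(limit_kbps)) for demand in demands]


def static_distribution(limit_kbps, demands):
    """'Distribute between users', static: the limit is split into equal
    shares of limit / n. A user needing less than its share leaves the rest
    idle, because shares are never redistributed."""
    if not demands:
        return []
    share = limit_kbps / len(demands)
    return [min(demand, share) for demand in demands]


def dynamic_distribution(limit_kbps, demands):
    """'Distribute between users', dynamic: modelled here as max-min fair
    (water-filling) sharing (assumption, see lead-in). Users are served from
    the smallest demand up; whatever a small user leaves unused is split
    among the users still waiting, so nothing sits idle while someone wants it."""
    n = len(demands)
    allocation = [0.0] * n
    remaining = float(limit_kbps)
    # Serve users in ascending order of demand, keeping their original positions.
    for served, index in enumerate(sorted(range(n), key=lambda i: demands[i])):
        fair_share = remaining / (n - served)
        allocation[index] = min(float(demands[index]), fair_share)
        remaining -= allocation[index]
    return allocation


def unused_bandwidth(limit_kbps, allocation):
    """Bandwidth of a shared group channel left idle by a given allocation."""
    return float(limit_kbps) - sum(allocation)


if __name__ == "__main__":
    # Four active RegularUsers; two need only 20 and 30 kbps, two want as much
    # as they can get (constructed demands).
    limit = 160
    demands = [20, 30, 100, 100]
    print("per-user ->", per_user_shaping(limit, demands), "(each user has its own channel)")
    for name, fn in (("static", static_distribution), ("dynamic", dynamic_distribution)):
        alloc = fn(limit, demands)
        print(f"{name:8s} -> {alloc}  idle: {unused_bandwidth(limit, alloc):.1f} kbps")
```

With the article's numbers, static mode gives 20, 30, 40 and 40 kbps and leaves 30 kbps of the 160 kbps channel idle, while the dynamic model gives 20, 30, 55 and 55 kbps and uses all of it; in per-user mode each of the four users simply gets a 160 kbps channel of their own.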
Click Next.
We can configure Extra Parameters for our work shaping rule. See Figure25.
Figure25: Bandwidth Splitter Shaping Rule "Extra Parameters"
I will check the "Don't count traffic on account of traffic quota" checkbox, because I will also define a quota rule for these users later and I do not want to impose a limit on allowed work related traffic. I only want to impose a limit on non-work related traffic. If users exceed this limit, they can continue their work, only non-work related traffic being blocked.
Click Next.
Review your shaping rule settings and click Finish. See Figure26.
Figure26: Bandwidth Splitter Shaping Rule Click Finish
Apply the changes.
3. Another shaping rule
Next I will create another shaping rule for this group of users. This rule is intended to limit the speed to non-work related destinations. Users are allowed to browse certain web sites. To keep it simple, for this test the "Destinations" field will contain the "External Network". See Figure27.
Figure27: Bandwidth Splitter Shaping Rule "External Destinations"
I have chosen as the shaping mode the sum of incoming and outgoing traffic and set a limit of 400 kbps. It's a higher speed limit because I want to dynamically distribute this bandwidth between the active users. See Figure28 and Figure29.
Figure28: Bandwidth Splitter Shape Total Traffic
Figure29: Bandwidth Splitter Dynamically Distribute Bandwidth Between Active Users
This time the "Don't count traffic on account of traffic quota" checkbox will be unchecked because there will be a quota rule for this kind of traffic for these users. See Figure30.
Figure30: Bandwidth Splitter Shaping Rule "Extra Parameters"
Review your settings and click Finish. See Figure31.
Figure31: Bandwidth Splitter Shaping Rule Click Finish
Apply the changes.
And by now we have two shaping rules. See Figure32.
Figure32: Bandwidth Splitter Two Shaping Rules
4. Let's create a quota rule
As I mentioned before, I want to create a quota rule to limit the daily amount of non-work related traffic. Please remember that I have checked "Don't count traffic on account of traffic quota" on the work-related shaping rule, thus work traffic will be unaffected by this quota rule. You may also create a shaping rule for destinations needed for various updates, a rule for which the traffic counter will likewise not apply. So let's create a quota rule. See Figure33.
Figure33: Bandwidth New Quota Rule
Enter a name for this quota rule. See Figure34.
Figure34: Bandwidth New Quota Rule Name
Click Next.
As said before this quota rule will apply to the "RegularUsers" User Set. See Figure35.
Figure35: Bandwidth New Quota Rule "Applies To"
Click Next.
Now you can specify the traffic quota for this rule.
I have selected to limit the sum of incoming and outgoing traffic. You can also limit separately incoming and outgoing traffic, limit incoming traffic only or limit outgoing traffic only.
The traffic amount allowed by this rule was set to 50 MB.
This quota rule will not apply to cached web content.
I want to start a 50 MB traffic counter for each active user of the "RegularUsers" group. This counter will be reset daily. You can also reset this counter weekly, monthly or never. If the user does not consume the entire amount of traffic allowed, the remainder can be transferred to the next period. See Figure36.
Figure36: Bandwidth New Quota Rule "Specify Traffic Quota For This Rule"
As said before, a traffic counter will be started for each active user of the "RegularUsers" group. When this counter reaches zero, all connections of the client are terminated. If the user is browsing after this moment, the user will receive a message that the allowed traffic quota has been reached. See Figure37. As mentioned before, this error page can be customised.
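The quota semantics described above (one counter per user, reset daily/weekly/monthly/never, optional carry-over of the remainder, work-related traffic exempted through the "Don't count traffic on account of traffic quota" checkbox from section 2, and blocking once the counter reaches zero) can be modelled in a few lines. This is an added example of my own, not Bandwidth Splitter's code: the user names, timestamps and transfer sizes are constructed, and since the product does not document what happens when several reset periods elapse between two connections, this model simply applies one reset.

```python
"""Per-user traffic quota counters with periodic reset and optional carry-over.

Added illustration of the quota rule semantics, not Bandwidth Splitter's code.
Amounts are in MB; the current time is passed explicitly so runs are deterministic.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class QuotaRule:
    limit_mb: float
    reset: str = "daily"       # daily | weekly | monthly | never
    carry_over: bool = False   # transfer the unused remainder to the next period


class QuotaCounters:
    """One traffic counter per user, started on the user's first connection."""

    def __init__(self, rule: QuotaRule):
        self.rule = rule
        self._remaining = {}   # user -> MB left in the current period
        self._period = {}      # user -> period key the counter belongs to

    def _period_key(self, now: datetime):
        if self.rule.reset == "daily":
            return now.date()
        if self.rule.reset == "weekly":
            return tuple(now.isocalendar())[:2]   # (ISO year, ISO week)
        if self.rule.reset == "monthly":
            return (now.year, now.month)
        if self.rule.reset == "never":
            return None
        raise ValueError(f"unknown reset period: {self.rule.reset!r}")

    def remaining(self, user: str, now: datetime) -> float:
        """MB left for this user, starting or resetting the counter as needed."""
        key = self._period_key(now)
        if user not in self._remaining:
            self._remaining[user] = float(self.rule.limit_mb)
            self._period[user] = key
        elif self._period[user] != key:
            # New period: fresh quota plus the remainder if carry-over is on.
            # Assumption: one reset is applied however many periods elapsed.
            leftover = self._remaining[user] if self.rule.carry_over else 0.0
            self._remaining[user] = float(self.rule.limit_mb) + leftover
            self._period[user] = key
        return self._remaining[user]

    def transfer(self, user: str, mb: float, now: datetime, counted: bool = True) -> bool:
        """Account for a transfer; False means the user is blocked.

        counted=False models traffic matched by a shaping rule that has
        "Don't count traffic on account of traffic quota" set: always allowed
        and never charged to the counter.
        """
        remaining = self.remaining(user, now)
        if not counted:
            return True
        if remaining <= 0:
            return False   # user would see the "Traffic quota limit reached" page
        self._remaining[user] = max(0.0, remaining - mb)
        return True


def run_scenario() -> dict:
    """Constructed walk-through with the article's 50 MB daily quota."""
    day1, day2 = datetime(2008, 2, 5, 9, 0), datetime(2008, 2, 6, 9, 0)
    q = QuotaCounters(QuotaRule(limit_mb=50, reset="daily", carry_over=True))
    out = {}
    out["work_exempt_allowed"] = q.transfer("diana", 100, day1, counted=False)
    out["diana_after_work"] = q.remaining("diana", day1)          # untouched: 50
    q.transfer("johnny", 30, day1)                                 # 20 left
    out["johnny_after_30"] = q.remaining("johnny", day1)
    out["johnny_25_allowed"] = q.transfer("johnny", 25, day1)      # drains to 0
    out["johnny_blocked"] = not q.transfer("johnny", 1, day1)      # quota reached
    out["johnny_exempt_still_ok"] = q.transfer("johnny", 1, day1, counted=False)
    out["johnny_day2"] = q.remaining("johnny", day2)               # reset: 50
    out["diana_day2"] = q.remaining("diana", day2)                 # 50 carried: 100
    q_nc = QuotaCounters(QuotaRule(limit_mb=50, reset="daily", carry_over=False))
    q_nc.transfer("diana", 10, day1)
    out["no_carry_day2"] = q_nc.remaining("diana", day2)           # plain reset: 50
    q_never = QuotaCounters(QuotaRule(limit_mb=50, reset="never"))
    q_never.transfer("x", 10, day1)
    out["never_reset"] = q_never.remaining("x", datetime(2009, 1, 1))       # 40
    q_week = QuotaCounters(QuotaRule(limit_mb=50, reset="weekly"))
    q_week.transfer("x", 10, day1)
    out["weekly_same_week"] = q_week.remaining("x", datetime(2008, 2, 8))   # 40
    out["weekly_next_week"] = q_week.remaining("x", datetime(2008, 2, 12))  # 50
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:24s} {value}")
```

The scenario reproduces the behaviour the article describes: Diana's work-related traffic never touches her counter, Johnny's counter is drained to zero by his non-work traffic and his next counted connection is refused, and on the next day Johnny starts again at 50 MB while Diana, with carry-over enabled, starts at 100 MB.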
Figure37: Bandwidth Splitter "Traffic Quota Limit Reached" Error Page
Click Next.
And here is the option I was talking about, to start a traffic counter for each user. Or if you want, you can assign this quota rule to the entire group. See Figure38.
Figure38: Bandwidth Splitter New Quota Rule, Quota Type
Click Next.
Review your settings and click Finish. See Figure39.
Figure39: Bandwidth Splitter New Quota Rule Click Finish
Apply the changes.
And now we have a quota rule in place. See Figure40.
Figure40: Bandwidth Splitter A Quota Rule
5. Testing the created Shaping and Quota rules
Time to see the shaping and quota rules in action.
In Figure41 we can view two users accessing work-related destinations, thus the work-related shaping rule is used. Both have a 160 kbps channel allocated, as intended. But, as said before, from this monitoring panel we cannot simply right-click one of these users and disconnect him/her if we want to. We can only look. And there are plenty of useful fields to look at.
Figure41: Bandwidth Splitter Live Monitoring Work Related Destinations
In Figure42 we can quickly see the traffic counters. Since they are accessing work-related destinations, the quota rule does not apply and the counters for both users are almost intact (if they access some work-related web pages, some ads might modify these counters a little bit).
Figure42: Bandwidth Splitter Quota Counters
In Figure43 we can view two users accessing non-work related destinations, thus the non-work related shaping rule is used. Both share the 400 kbps channel, as intended. If more users start accessing non-work related destinations, the speed available to each one will decrease, so it will be better for them to get back to work.
Figure43: Bandwidth Splitter Live Monitoring Non-Work Related Destinations
In Figure44 we can notice that the remaining amount of available traffic starts to shrink.
Figure44: Bandwidth Splitter Quota Counters
6. Client-side monitoring utility
Bandwidth Splitter has a client-side monitoring utility, so users can check their traffic quota counter.
This utility can usually be found in "C:\Program Files\Microsoft ISA Server\Bandwidth Splitter\BMonitor". Do not enable file sharing on the ISA Firewall itself. Microsoft has removed the FWC share from ISA 2006 (the FWC share was present on ISA 2004). The ISA machine is not a file server. Put this utility on a dedicated file-sharing server if you do not distribute it yourself to the users' machines. Installation is not required; you just need to copy the utility and the help file.
Also, during the installation of Bandwidth Splitter on ISA, you will be asked if you want to enable clients to use this utility, because you need an access rule on ISA for it. Bandwidth Splitter listens for connections from client-side monitoring utilities on TCP port 15000. See Figure45 and Figure46.
Figure45: ISA Access Rule for Bandwidth Splitter Client-Side Monitoring Utility
Figure46: ISA, Protocol for Bandwidth Splitter Client-Side Monitoring Utility
In Figure47 we can see this client-side monitoring utility. It's very useful, since users are aware of their remaining traffic and can back off when they approach the imposed limit.
Figure47: Bandwidth Splitter Client-Side Monitoring Utility
This utility has some settings, so users can customise it a little bit. It can be configured to be launched at startup, to use a proxy server, to use manually specified credentials, to set the level of transparency, etc. See Figure48.
Figure48: Bandwidth Splitter Client-Side Monitoring Utility Settings
7. Modifying the Traffic Counters on the fly from the Quota Counters Panel
If a user reaches the quota limit, we can easily spot that within the Quota Counters. See Figure49.
Figure49: Bandwidth Splitter Quota Counters, Quota Reached
As opposed to the Live Monitoring panel, here we can interact with the current quota counters: we can manually modify them or delete them. This is very useful for rewarding or punishing a user, or simply for forcing some limits on a specific day for specific user(s) without the need to modify/add a quota rule. See Figure50 and Figure51.
Figure50: Bandwidth Splitter Manually Delete a Traffic Counter
Figure51: Bandwidth Splitter Manually Modify a Traffic Counter
8. The Download Managers cannot exhaust the bandwidth anymore
Remember the download managers discussion?
Now, while Diana is working, she has a fixed and stable 160 kbps channel allocated. Johnny, on the other hand, is wasting time and playing with his favourite download manager. In a desperate attempt to maximize his bandwidth, Johnny has put, say, Free Download Manager in a customised Heavy Mode. See Figure52.
Figure52: Free Download Manager "Heavy Mode"
This means that Johnny will create up to 10 connections per server in order to speed up his downloads.
However, this would not help him bypass the 400 kbps shared limit imposed on non-work related destinations. Also, Diana will be unaffected by the waste traffic generated by Johnny, and will benefit from her 160 kbps channel allocated for work-related destinations. These things are clearly shown in Figure53.
Figure53: Live Monitoring Both Non-Work and Work Related Destinations
While Bandwidth Splitter does not prevent Johnny from creating 10 connections per server, Johnny cannot bypass the 400 kbps shared limit imposed on non-work related traffic, and he will also soon reach his quota limit if he continues like this. So he will have to back off.
Also, his joy about fully benefiting from the 400 kbps channel would not last, since other users will become active and Johnny will have to share this 400 kbps channel with them.
Thus all the waste traffic is concentrated within this 400 kbps channel. And users have individual traffic quotas for non-work related traffic.
Without Bandwidth Splitter in place, Johnny and other wasteful users could easily exhaust the Internet bandwidth. Now waste traffic is limited, and work-related traffic has priority.
9. Conclusion
As can be seen, with Bandwidth Splitter and a couple of mouse clicks, Internet bandwidth can be rationally distributed.
Bandwidth Splitter is a powerful bandwidth manager for ISA 2004/2006 Server that comes with a lot of useful bandwidth management features and is also very easy to use. It lacks, however, the ability to control bandwidth per protocol (as of the time of writing).