Blue Coat Confidential Copyright © 2014 Blue Coat Systems Inc. All Rights Reserved. 1
PROXYSG PERFORMANCE
WEBCAST
PAUL KAO
Director Product Management
paul.kao@bluecoat.com
AGENDA
ProxySG Overview
• Architecture (SGOS, CW, SW, Policy checkpoints)
• System resources/metrics
Performance Model
Factors Impacting Performance
• Authentication, ICAP, Policy, SSL, misc.
Critical Resource Monitoring
• CPU, Memory, CW, network
Troubleshooting Performance Problems
• Baseline, CPU monitor, Policy trace, Sysinfo
PROXYSG OVERVIEW
SGOS ARCHITECTURE
Retrieval Worker (RW) – Pipeline and keeps the content of the cache fresh
POLICY CHECKPOINTS
server_url.domain=
client.address=
FACTORS IMPACTING PERFORMANCE
1. Client
2. Network deployment
3. Authentication mode
8. Policy
9. SSL
PERFORMANCE FACTORS
1. CLIENT
1. CLIENT SIDE
Model      Users    Max CW
S200-10      400     2,000
S200-20    1,200     6,000
S200-30    2,600    13,000
S200-40    5,000    25,000
S400-20    6,000    30,000
S400-30   14,000    70,000
S400-40   25,000   125,000
S500-10   30,000   150,000
S500-20   50,000   250,000
Examples:
• Financial trader, 50 conns per user
• Kiosk, 1 connection per user
PERFORMANCE FACTORS
2. NETWORK DEPLOYMENT
2. NETWORK DEPLOYMENT
Network 101
• Link/duplex settings
WCCP
• GRE vs L2
• Set MTU appropriately to avoid fragmentation with GRE
Physically Inline (bridging)
• Good for smaller sites
• Larger sites with significant non web (bypass) traffic that can
consume network resources
PERFORMANCE FACTORS
3. AUTHENTICATION MODE
3. AUTHENTICATION
Evaluated at CI
Choice of Authentication mode can impact performance
• Explicit proxy with NTLM: SG issues a 407 challenge for each
connection
• IP Surrogate: After initial authentication, will use authentication cache
• Kerberos: credentials validated without need to contact DC
NTLM does not scale well
• NTLM credential cannot be cached, and must be validated by DC
• Default Windows configuration processes only one request at a time
via Schannel
• Exacerbated by latency and load on DC (SG-DC or SG-BCAA-DC)
Kerberos preferred for scalability
PERFORMANCE FACTORS
4. DNS, CONTENT FILTERING
4. DNS, CONTENT FILTER
DNS
• Not a high consumer of CPU, but can be cause of latency
• If external DNS servers are slow/overloaded, Proxy will amplify the
problem
• Use caution for policies/logging that trigger RDNS lookups
Content Filtering (evaluated at Client In)
• BCWF
– Efficient categorization for high performance
– Settings for lower memory footprint appliances
PERFORMANCE FACTORS
5. ICAP REQMOD (DLP)
5. ICAP GENERAL & ICAP REQMOD
6. ICAP RESPMOD
(CONTENT ANALYSIS)
PERFORMANCE FACTORS
7. SYSTEM SERVICES
7. SYSTEM SERVICES
Access logging
• Log entry written when connection is complete
• A few percent overhead when enabled
• Obviously more overhead if multiple log facilities in use
Health Checks
SNMP
Attack Detection
Failover, SGRP (VRRP)
Connection Forwarding
Scripts, polling of local policy
Snapshots, Debug logs
PERFORMANCE FACTORS
8. POLICY
8. POLICY AND CPU
9. SSL INTERCEPT
CERTIFICATE EMULATION STATISTICS
(SG6.5.5.1)
Certificate Emulation
SPS51 Total certificates emulated 2,264
SPS52 Total RSA 2048 bit key certificates emulated 2,250
SPS53 Current cached emulated server certificates 1,078
SPS54 Total emulated server certificates added to cache 1,390
SPS55 Total emulated server certificates removed from cache due to timeout 0
SPS56 Total emulated server certificates removed from cache due to maxsize 0
SPS57 Total emulated server certificates removed from cache due to signature mismatch 312
SPS58 Total emulated server certificates removed from cache due to config changes 0
SPS59 Total emulated server certificates add to cache failures 874
SPS61 Total server certificate cache successful lookups 42,109
SPS62 Total proxy certificates emulated 5
SPS63 Total certificate emulation failures 0
WILDCARD CERTIFICATE RESOLUTION
VPM
$(x-rs-certificate-serial-number)
$(x-rs-certificate-valid-from)
$(x-rs-certificate-valid-to)
CRITICAL RESOURCE MONITORING &
TROUBLESHOOTING PERFORMANCE
CRITICAL RESOURCE MONITORING
TROUBLESHOOTING PERFORMANCE
HIGH CPU
Data collection
• Enable CPU monitor
• Create and enable 5 min snapshots
• Don’t change the existing daily or hourly snapshot values
Is high CPU constant, randomly spiking or just at peak busy
hour?
TROUBLESHOOTING PERFORMANCE
HIGH CPU EXAMPLE 1
CPU 0 97%
Policy evaluation - HTTP 81%
HTTP and FTP 5%
Object Store 5%
Access Logging 2%
Miscellaneous 1%
CPU 1 94%
Policy evaluation - HTTP 75%
TCPIP 11%
HTTP and FTP 5%
DNS service 1%
TROUBLESHOOTING PERFORMANCE
HIGH CPU EXAMPLE 2
Example 2: CPU is high in Object Store; the system had a hard time reading from or
writing anything to disk.
The CPU monitor indicates a problem with the disk.
CPU 0 100%
Object Store 98%
ce_admin 97%
Access Logging 1%
CPU 1 19%
TCPIP 8%
tcpip 7%
HTTP and FTP 6%
http 1%
kernel 1%
Policy evaluation - HTTP 3%
policy_enforcement 1%
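A small parser for the CPU monitor excerpts shown in examples 1 and 2, added here as an illustration and not part of the original webcast material. It assumes the two-level layout the slides show (a "CPU n" total line, category lines such as Object Store or TCPIP, and lowercase sub-component lines such as ce_admin or tcpip belonging to the category above them; the indentation was lost in extraction, so that grouping is an assumption) and reports, for each busy CPU, the dominant category and its biggest sub-component.

```python
import re

# Constructed sample: the "High CPU example 2" excerpt from the slides. Indentation was lost
# in extraction, so lowercase names (ce_admin, tcpip, ...) are assumed to be sub-components
# of the category line above them.
SAMPLE = """\
CPU 0 100%
Object Store 98%
ce_admin 97%
Access Logging 1%
CPU 1 19%
TCPIP 8%
tcpip 7%
HTTP and FTP 6%
http 1%
kernel 1%
Policy evaluation - HTTP 3%
policy_enforcement 1%
"""
LINE = re.compile(r"^(?P<name>.+?)\s+(?P<pct>\d+)%$")

def parse_cpu_monitor(text):
    """Return {cpu_id: {"total": pct, "categories": {name: {"pct": pct, "subs": {sub: pct}}}}}."""
    cpus, cur_cpu, cur_cat = {}, None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headers and blank lines
        name, pct = m.group("name"), int(m.group("pct"))
        if name.startswith("CPU "):          # per-CPU total line
            cur_cpu, cur_cat = int(name.split()[1]), None
            cpus[cur_cpu] = {"total": pct, "categories": {}}
        elif name.islower() and cur_cat:     # sub-component of the current category (assumption)
            cpus[cur_cpu]["categories"][cur_cat]["subs"][name] = pct
        elif cur_cpu is not None:            # category line (Object Store, TCPIP, ...)
            cur_cat = name
            cpus[cur_cpu]["categories"][name] = {"pct": pct, "subs": {}}
    return cpus

def diagnose(cpus, busy=90):
    """For each CPU at or above `busy` percent, report the dominant category and its top sub-component."""
    findings = []
    for cpu_id, info in sorted(cpus.items()):
        if info["total"] < busy or not info["categories"]:
            continue
        cat, data = max(info["categories"].items(), key=lambda kv: kv[1]["pct"])
        sub = max(data["subs"], key=data["subs"].get) if data["subs"] else None
        findings.append((cpu_id, info["total"], cat, data["pct"], sub))
    return findings
```

Calling diagnose(parse_cpu_monitor(SAMPLE)) on the example 2 excerpt attributes CPU 0 to Object Store with ce_admin as the main sub-component, the disk-bound pattern the slide describes; the same code run on example 1 points at policy evaluation on both CPUs.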
TROUBLESHOOTING PERFORMANCE
HIGH CPU EXAMPLE 3
Data collection
• May require multiple rounds of troubleshooting (PCAP & Sysinfo snapshots)
– Easiest to target specific client or server to test
– May need to test with different configurations and capture with different filter to
narrow down the issue
• Important to analyze Snapshots.
– Check whether resource loads are high (e.g. CPU, memory, HTTP workers, etc.)
– Check for any priority 1 events and health check events that occurred at the time of the issue
– Check the trend of the issue (how frequently it occurs and any correlation with other
components or stats)
SUMMARY
ProxySG Architecture
• Appliance resources, CW limit
Performance Model
Factors Impacting Performance
• ICAP (built into sizing model/guide)
• Policy (sky is the limit)
• SSL (SSL traffic mix amount of SSL decryption)
Resource and Health Monitoring
• Critical resource monitoring
• Health monitoring
Troubleshooting
• Importance of establishing a performance baseline
• Tools to troubleshoot performance
THANK YOU FOR JOINING TODAY!
BLUE COAT CUSTOMER FORUMS
Questions?
PROXYSG PERFORMANCE WEBCAST
QUESTIONS