For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

J_46981's avatar
J_46981
Icon for Nimbostratus rankNimbostratus
Jul 26, 2007

BigIP fronting IIS 6.0 w ASP.NET

More of an inquiry to confirm some suspicions I have, but am having difficulty proving to the IIS management team.

 

 

I have 2 IIS/ASP.NET appservers behind BigIP in a round-robin config. I am seeing some issues with performance for the sites and was investigating configurations on the the app server that may be getting in the way.

 

 

I came across the property for my machine.config. Now that limits the amount of concurrent connections any single machine can have to the App Server. Makes sure no one can flood the server, yadda yadda.

 

 

Now MS sets it low by default, 2 I believe. Now for a raw server 2 connections per asset may be enough for a small workgroup without showing any perf loss. Now put that server behind BigIP and my hypothesis is that because BigIP masks the consumers IP and IIS only sees the BigIP "client" IP. Thus you would only be able to have two connections open for any amount of clients since they all look like BigIP.

 

 

Now I am far from a BigIP expert, but if anyone has any official recommendations from F5 on tuning ASP.NET behind BigIP it would be greatly appreciated.

 

 

I have the MS recommendations for tuning [http://support.microsoft.com/kb/821268], but would love to see a whitepaper from BigIP as it will really help us make the case to have that machine setting changed.

 

 

J
config
design

5 Replies

  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    Jul 26, 2007
    Not sure how helpful I can be since I am not an ASP expert, but in general, to LTM, ASP webserver just looks like any other webserver, so standard webserver load balancing optimizations would in order:

     

     

    SNAT is not required, so if you want to limit by unique IP, you can set the webserver default route to the LTM floating self-IP and disable SNAT to preserve the true client IP.

     

     

    OneConnect will pool connections on the backend, using keepalive connections for multiple requests. With the default mask, connections will be shared among all clients, substantially reducing the number of server-side connections.

     

     

    Depending on your LTM version and traffic profile, you may want to tune the tcp profile for LAN traffic as detailed here: Click here

     

     

    HTH

     

    /deb

     

     

    (If you find additional settings that are useful, please post back and I will start a new page specific to ASP server load balancing.)

     

  • Simon_Wright_85's avatar
    Simon_Wright_85
    Icon for Nimbostratus rankNimbostratus
    Jul 27, 2007
    Its possible to raise the number of connections higher than 2 and the following article from MS explains this a bit more. Its also worth noting that the number of connections is per AppDomain and not per physical webserver so depending on how your application is setup this may not be a problem.

     

     

    http://support.microsoft.com/default.aspx/kb/821268

     

     

    I would agree with Deb and try a OneConnect profile which may help.

     

     

    Cheers

     

     

    Simon
  • J_46981's avatar
    J_46981
    Icon for Nimbostratus rankNimbostratus
    Jul 27, 2007
    Thanks Simon and Deb for your thoughts. I have seen the MS article which we are using to help justify the default configuration change, but as that relates to a direct Client-Server route it doesn't take into account the Big-IP middle-man how I read it. The limit by the AppDomain does alleviate some of the issue as you note, but since some of our applications are implemented as virtual directories of the root virtual application I believe they share the same appdomain [could be wrong].

     

     

    I will raise the configuration question to our team about the best practices for a web server profile. Preserving the client IP will be helpful in a couple places as it not only does not squeeze the connection pool in ASP.NET due to the SNAP single IP, but it also doesn't require a customized ISAPI filter to understand the X-Forward-For which our Web team has been wary to integrate.

     

     

    Deb is there a whitepaper on general web server load balancing that I could point our config team toward? To the point of a related IIS/ASP.NET Best practices guide, if the hypothesis is true and someone using SNAT for their IIS servers could be significantly impacting performance as the maxconnection won't scale with clients as it is designed since IIS only "sees" one client/virtual application. We are still working on proof of this hypothesis, but if I do prove it out I will post back and maybe an addendum to the generic web server configuration best practices.
  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    Jul 28, 2007
    I found these docs specific to IIS:

     

     

    IIS Optimization Solution Brief

     

    http://www.f5.com/solutions/sb/pdfs/iis_sb.pdf (Click here)

     

     

    IIS Deployment Guide http://www.f5.com/solutions/deployment/iis_bigip9_dg.html (Click here)

     

     

    The solution brief is high level, and specifically calls out compression, caching, and TCPExpress (the optimized tcp profile I mentioned earlier).

     

     

    The deployment guide contains the configuration details.

     

     

    HTH

     

    /deb
  • J_46981's avatar
    J_46981
    Icon for Nimbostratus rankNimbostratus
    Jul 30, 2007
    Appreciate all of the follow-up Deb.

     

     

    I will give this a read and hopefully this will help make the case of a IIS config change to our web management org.

     

     

    Thanks again,

     

     

    Justin