Summary
This article provides guidance on the ICA traffic scalability and loading limits of Citrix Secure Gateway 3.0. The information in this document was collected through testing of the product and can be used as a reasonable benchmark for assessing load limits during pilot trials, but should not be considered definitive.
Background
This section describes what Secure Gateway ICA tests were conducted and why, defines the test environment, and describes the two Secure Gateway 3.0 deployment scenarios.
Performance and scalability sizing tests are an important step for determining the maximum number of ICA sessions that can successfully travel through the Secure Gateway to a Citrix Presentation Server 4.0 farm with acceptable performance.
You must consider two client load limits when planning a Secure Gateway deployment. The first is the maximum number of concurrent connections that a Secure Gateway server will route while still allowing a reasonable and usable response from the ICA sessions. The second is the number of connections per second, tested to determine the performance of the Secure Gateway server during peak logon periods. Because of the overhead associated with establishing an SSL connection, the number of logons per second that the Secure Gateway 3.0 environment could handle is quite different from the number of logons that a Presentation Server environment could handle alone.
Note: These tests refer to ICA traffic only.
Definition of User Load
User Load is the user activity used for testing the system. Testing shows that the average user would generate traffic at 16 KBits per second, of which 60 percent would be active sessions and the remaining 40 percent would be idle sessions.
Recommendations
Concurrent Connections
For the basic deployment scenario with session reliability, the maximum user sessions that the Secure Gateway server would be able to route with the given hardware is about 1000 concurrent connections. This will still allow a reasonable and usable response from the individual ICA sessions.
For the most secure scenario with session reliability, the maximum user sessions with the given hardware that the Secure Gateway server would be able to route is about 850 concurrent connections, after which the individual ICA sessions experience performance degradation.
Note: Different hardware specifications give different results.
Average Session Latency
| User Connections | Basic Deployment Scenario: CPU Usage (%) | Basic Deployment Scenario: Latency (ms) | Most Secure Scenario: CPU Usage (%) | Most Secure Scenario: Latency (ms) |
|---|---|---|---|---|
| 100 | 41.11 | 10.91 | 55.23 | 15.22 |
| 250 | 75.26 | 15.7 | 81.47 | 17.37 |
| 500 | 80.53 | 16.65 | 83.56 | 17.69 |
| 750 | 84.62 | 16.14 | 86.42 | 19.74 |
| 1000 | 89.12 | 18.12 | NA | NA |
Maximum Session Latency
| User Connections | Basic Deployment Scenario: CPU Usage (%) | Basic Deployment Scenario: Latency (ms) | Most Secure Scenario: CPU Usage (%) | Most Secure Scenario: Latency (ms) |
|---|---|---|---|---|
| 100 | 70.40 | 550 | 88.54 | 575 |
| 250 | 88.35 | 495 | 95.42 | 602 |
| 500 | 92.78 | 473 | 91.70 | 574 |
| 750 | 94.35 | 515 | 98.65 | 572 |
| 1000 | 98.45 | 725 | NA | NA |
Connections Per Second
For the basic deployment scenario with session reliability, the maximum connections per second that the Secure Gateway server would be able to process is around 20 connections per second. For the most secure scenario with session reliability, the maximum connections per second that the Secure Gateway server would be able to process is around 18 connections per second.
Test Environment and Setup
The basic deployment scenario consisted of a single hop with a single secure Secure Gateway server and a single secure Web Interface server. Only the links between the clients and the Secure Gateway, and the clients and the Web Interface servers, are encrypted. The Web Interface is deployed parallel to the Secure Gateway server. Session Reliability was enabled.
The most secure deployment scenario consisted of a gateway server, proxy server, and a single secure Web Interface server. Links between the clients and gateway server, gateway server and proxy server, clients and Web Interface server, and between the proxy server and the ticketing service (STA) are encrypted. Session Reliability was enabled.
| Secure Gateway Hardware | |
|---|---|
| System | Compaq Proliant DL360 |
| Processor | Dual 2.8 GHz P4 with hyper threading enabled |
| RAM | 1 GB |
| Hard Drive | Compaq SCSI Wide Ultra2 – 34 GB |
| SCSI Controller Info | Smart Array 5i |
| Video Controller | ATI RAGE XL PCI Video Controller |
| Network Card | 2 – HPNC7781 Gigabit Ethernet NICs – 1 NIC disabled |
| Operating System | Microsoft Windows Server 2003, Enterprise Edition |
Monitoring Performance and Collecting Data
This section details how the data was gathered during testing of Secure Gateway 3.0 and the test results.
Monitoring Performance
A number of tools can be used to test the operation and performance of the Secure Gateway server. The most useful of these tools is Microsoft Windows System Monitor (Perfmon). This section describes what counters to use and how to make the measurements.
Microsoft Windows System Monitor (Secure Gateway)
Installation of the Secure Gateway Service creates a set of performance counters that are accessible through Perfmon. These counters are available when the Secure Gateway service is started. The following counters are available for the Secure Gateway Service:
Secure Gateway
Bytes/Sec from Client
Bytes/Sec to Client
CGP Active Connections
CGP Bytes/Sec from Client
CGP Bytes/Sec to Client
CGP Kilobytes from Client
CGP Kilobytes to Client
CGP Peak Bytes/Sec from Client
CGP Peak Bytes/Sec to Client
CGP Successful Connections
Client Connect Time: Average (in ms)
Client Connect Time: Longest (in ms)
Connections/Second
Connections/Second: Peak
Connections: Peak Active
Connections: Pending
Connections: Total Active
Connections: Total Successful
Failed Backend Connections
Failed Connections: Client Timed Out
Failed Connections: General Client Error
Failed Connections: SSL Client Handshake Error
Failed Connections: Total Client
HTTP/S Active Connections
HTTP/S Bytes/Sec from Client
HTTP/S Bytes/Sec to Client
HTTP/S Kilobytes from Client
HTTP/S Kilobytes to Client
HTTP/S Peak Bytes/Sec from Client
HTTP/S Peak Bytes/Sec to Client
HTTP/S Successful Connections
Kilobytes from Client
Kilobytes to Client
Peak Bytes/Sec from Client
Peak Bytes/Sec to Client
SOCKS Active Connections
SOCKS Bytes/Sec from Client
SOCKS Bytes/Sec to Client
SOCKS Kilobytes from Client
SOCKS Kilobytes to Client
SOCKS Peak Bytes/Sec from Client
SOCKS Peak Bytes/Sec to Client
SOCKS Successful Connections
SSL Handshake Time: Average (in ms)
SSL Handshake Time: Longest (in ms)
SSL Handshakes/Sec
SSL Handshakes/Sec: Peak
SSL Handshakes: Pending
SSL Handshakes: Total
To use the Windows Performance Console to generate performance graphs and logs to monitor performance of Secure Gateway server:
1. Open the Secure Gateway Management Console.
2. In the tree view, select Secure Gateway Performance Statistics.
3. If the Secure Gateway counters are not visible, click Add to access the Performance Object list box.
4. Select Secure Gateway in the Performance Object drop down list.
5. Click All Counters, then click Add.
6. Close the Add Counter dialog.
7. To view a report about Secure Gateway performance counters, click View Report.
The following counters are available for the STA:
Secure Ticket Authority
STA Bad Data Request Count
STA Bad Refresh Request Count
STA Bad Ticket Request Count
STA Count of Active Tickets
STA Good Data Request Count
STA Good Refresh Request Count
STA Good Ticket Request Count
STA Peak All Request Rate
STA Peak Data Request Rate
STA Peak Refresh Request Rate
STA Peak Ticket Request Rate
STA Ticket Timeout Count
Microsoft Windows System Monitor (CPU)
In addition to the Secure Gateway Service counters, also measure processor usage values. The charting function in Perfmon was used to measure processor usage. An explanation of how this counter was averaged is described below.
To add this counter to Perfmon:
1. Open the Secure Gateway Management Console.
2. In the tree view, select Secure Gateway Performance Statistics.
3. Click Add, to access the Performance Object list box. Select Processor.
4. Select % Processor Time, select _Total in the Instances list, and click Add.
5. Close the Add Counter dialog.
6. In the Perfmon dialog click View Chart. A performance chart for the selected counter is displayed.
Windows System Monitor Counters (Presentation Server)
You can capture Latency data using Perfmon counters available for the Windows Presentation Server. Access these counters from Perfmon.
The counters of interest for measuring latency are the ICA session performance counters. These counters become available only after the session is established. Ensure that the application you use to measure latency is open and running.
To view performance counters:
1. Select Start > Programs > Administrative Tools > Performance.
2. In the tree view, select System Monitor.
3. On the Perfmon toolbar, click View Chart.
4. On the Perfmon toolbar, click Add. The Add Counter dialog will appear.
5. Select ICA Session Performance from the Performance object list.
6. In the Select Counters list, select Latency – Session Average.
7. In the instances list, select the application session (for example, Notepad) that will be used to test latency.
8. Click Add, and then click Close. This gives you the average latency measured over the life of the session. This counter is updated at mouse clicks and movements or at timed intervals.
Performance Logging
When launched from Start > Programs > Administrative Tools > Performance, Perfmon logs performance data over longer periods. This is useful for capturing data and gathering peaks and averages. Perfmon can also send alerts and messages. Microsoft Knowledge Base Article 248345 describes this process.
Ongoing Monitoring
As with all mission critical systems, Secure Gateway 3.0 deployments should be monitored on an ongoing basis. Periodically check the CPU Load versus Active Session Count to ensure that user trends, user loads, network traffic, and so on, are not unduly affecting Secure Gateway operation or the user experience. There are a number of commercial Perfmon add-ons and monitoring tools which allow automatic monitoring of performance counters. These tools can be utilized to observe load factors on the Secure Gateway servers over a period of time. This will lead to a better understanding of the usage patterns for a particular deployment and also alert you to events such as system overload or failure.
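The following is an added example, not part of the original article or any Citrix tooling: it reads a Perfmon log exported as CSV and flags samples that approach the concurrent-connection and connections-per-second limits reported above, alongside CPU load. The host name SG01, the sample rows, the 90% CPU threshold and the 80% headroom factor are assumptions.

```python
import csv
import io

# Benchmark limits this article reports for the tested hardware.
LIMITS = {"basic": {"concurrent": 1000, "conn_per_sec": 20},
          "most_secure": {"concurrent": 850, "conn_per_sec": 18}}

# Counter names as listed in the article, in Perfmon "Object\Counter" form.
CPU = r"Processor(_Total)\% Processor Time"
ACTIVE = r"Secure Gateway\Connections: Total Active"
RATE = r"Secure Gateway\Connections/Second"

# Constructed sample (not measured data) shaped like a Perfmon CSV log; SG01 is a made-up host.
SAMPLE_LOG = r'''
"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\SG01\Processor(_Total)\% Processor Time","\\SG01\Secure Gateway\Connections: Total Active","\\SG01\Secure Gateway\Connections/Second"
"03/01/2006 09:00:00.000","41.5","100","3"
"03/01/2006 09:05:00.000","76.0","400","19"
"03/01/2006 09:10:00.000"," "," "," "
"03/01/2006 09:15:00.000","91.0","860","6"
'''

def load_samples(text):
    """Parse a Perfmon CSV log into one dict per sample, keyed by counter path."""
    rows = csv.reader(io.StringIO(text.strip()))
    header = next(rows)
    # Drop the leading \\HOST\ so keys match the constants above.
    names = [h.lstrip("\\").split("\\", 1)[-1] for h in header[1:]]
    samples = []
    for row in rows:
        sample = {"time": row[0]}
        for name, value in zip(names, row[1:]):
            # A blank field means the counter could not be read for that interval.
            sample[name] = float(value) if value.strip() else None
        samples.append(sample)
    return samples

def review(samples, scenario, cpu_warn=90.0, headroom=0.8):
    """Return (time, reason) pairs; cpu_warn and headroom are assumed alert thresholds."""
    lim, findings = LIMITS[scenario], []
    for s in samples:
        cpu, active, rate = s.get(CPU), s.get(ACTIVE), s.get(RATE)
        if None in (cpu, active, rate):
            findings.append((s["time"], "counter sample missing"))
            continue
        checks = [(active >= headroom * lim["concurrent"], f"{active:.0f} active connections (limit {lim['concurrent']})"),
                  (rate >= lim["conn_per_sec"], f"{rate:.0f} connections/sec (limit {lim['conn_per_sec']})"),
                  (cpu >= cpu_warn, f"CPU {cpu:.0f}%")]
        findings += [(s["time"], why) for hit, why in checks if hit]
    return findings
```

Call `review(load_samples(text), "basic")` or `"most_secure"` on the exported log text; a missing sample is reported rather than skipped, since a gap in the counters during a logon peak is itself worth investigating.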