[技术分享 - TMG 篇] 20100824 - 1, VPN 不要做蜗牛!
TMG 的 VPN 为何如此缓慢?
曾经有位客户反映,自从 ISA 升级到 TMG 之后,VPN 仍然能正常拨入,但是访问内网的资源却比原来慢很多,比如内网的 HTTP 网站、内网的网络共享。
这时您可以尝试以下步骤,看能否改善访问内网资源慢的问题。
1. 在 TMG 的所有网卡是增加一个键值“TcpAckFrequency=1”,来减小 TMG 回 ACK 的时延
参考:
- Slow network performance occurs if you copy files to a domain controller that is running Windows 2000 or Windows Server 2003: https://support.microsoft.com/default.aspx?scid=kb;EN-US;321098
- New registry entry for controlling the TCP Acknowledgment (ACK) behavior in Windows XP and in Windows Server 2003: https://support.microsoft.com/kb/328890/en-us
2. 关闭 Windows 2008 SNP 特性,然后重启服务器
netsh int tcp set global chimney=disabled
netsh int tcp set global rss=disabled
Set DWORD Value “EnableTCPA=0” under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters”
参考:
- Information about the TCP Chimney Offload, Receive Side Scaling, and Network Direct Memory Access features in Windows Server 2008: https://support.microsoft.com/default.aspx?scid=kb;EN-US;951037
3. 关闭网卡的 TCP Checksum offloading 检测
1) Click Start , click Run , type regedit , and then click OK .
2) Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3) In the details pane, make sure that the DisableTaskOffload registry entry exists. If this entry does not exist, add the entry. To do this, follow these steps:
a.On the Edit menu, point to New , and then click DWORD Value
b.Type DisableTaskOffload .
4) Double-Click DisableTaskOffload , type 1 , and then click OK .
5) Exit Registry Editor, and then restart the server.
参考:
- You experience intermittent communication failure between computers that are running Windows XP or Windows Server 2003: https://support.microsoft.com/kb/904946/en-us
4. 检查 TMG 的配置中是否勾选”Block IP fragment”,如果是,取消它
参考:
- Configuring IP preferences: https://technet.microsoft.com/en-us/library/cc995315.aspx
5. 取消 http 的 Web proxy Filter 的绑定,如果取消绑定,TMG 的 Web 筛选功能失效 (这一步请慎用)
James Yi
微软安全支持专家