ISA Server, the 3GB switch, PAE and AWE

Short version

Does ISA Server benefit from /3GB, PAE or AWE?

/3GB: No. While it may help the firewall service, it reduces the amount of NPP available from 256MB to 128MB and reduces the System PTEs available to the kernel and the ISA driver. Therefore, the /3GB switch does not really increase the number of connections ISA can support.

PAE: A bit. While the firewall service doesn't benefit from PAE directly, it can provide more physical memory to other processes on the machine, namely MSDE.

AWE: No. An application has to be specifically written to take advantage of this mechanism and ISA is not written this way.

Long version

ISA Server is a 32-bit application running on a 32-bit OS. Like all 32-bit applications, it is subject to 2 separate limitations:

Limitation 1: The 32-bit OS can only use 4GB of physical memory.

The solution for this is Physical Address Extension (PAE). PAE allows the processor to access physical memory with 36-bit addresses, which allows for up to 64GB of physical memory.

Limitation 2: Each 32-bit process can only have 4GB of virtual address space.

Here there is no clear solution, only some partial mitigations:

Mitigation 1: /3GB

By default, each process gets a 4GB virtual address space, divided into 2GB for the process' use and 2GB for the kernel (shared between all processes on the machine). In highly-loaded ISA Servers, the ISA firewall service (wspsrv.exe) can exhaust its 2GB of address space and fail. One way to mitigate that is to use the /3GB switch to change this division into 3GB for the process and 1GB for the kernel. However, this just moves the address space shortage into the shared kernel memory. When the kernel only has 1GB of address space, its non-paged memory pool (NPP) is smaller (128MB, down from 256MB). The Windows kernel (including the ISA driver, fweng.sys) needs NPP, and may fail if this resource gets exhausted. For this reason, it is not recommended to use /3GB on ISA Server machines.

Mitigation 2: Splitting the application into multiple processes

In theory, a 32-bit application could benefit from PAE if it operates as multiple processes. Then, each process would get its own 2GB of address space, and with PAE this address space could be mapped into physical memory. Unfortunately, the ISA Firewall service is a single process, so there's no direct benefit here. Note that there are always other processes on the machine, and PAE means that their address space can be mapped directly to physical memory. So these other processes - namely MSDE - can still benefit somewhat from PAE. 3rd-party ISA plug-ins also operate within the memory space allocated to the firewall service, so they cannot take advantage of PAE.

Mitigation 3: Address Windowing Extensions (AWE)

In theory, a 32-bit application could use more than 2GB of memory using AWE. However, this requires special programming of the application itself - basically, the application would have its own memory manager. A few applications do that - SQL Server for one. Unfortunately, ISA Server does not support AWE.
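
A way to check collected boot configurations against the /3GB and PAE guidance above. This is an added example, not code from the ISA Server team: it assumes the server boots from a boot.ini file (as on Windows Server 2003) where these options appear as the /3GB and /PAE switches, and the function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample boot.ini (not taken from a real server).
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /3GB /PAE
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Recovery install" /fastdetect
'''

def parse_boot_ini(text):
    """Return (default_path, {entry_path: set of upper-cased switch names})."""
    section, default, entries = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep or line.startswith(";"):
            continue  # blank line, comment, or not a key=value line
        if section == "boot loader" and key.strip().lower() == "default":
            default = value.strip()
        elif section == "operating systems":
            # value looks like: "description" /switch1 /switch2=val ...
            tail = re.sub(r'^\s*"[^"]*"', "", value)
            entries[key.strip()] = {s.upper() for s in re.findall(r"/([A-Za-z0-9]+)", tail)}
    return default, entries

def audit_boot_ini(text):
    """Findings for the default boot entry, following the article's guidance."""
    default, entries = parse_boot_ini(text)
    switches = next((s for p, s in entries.items()
                     if default and p.lower() == default.lower()), None)
    if switches is None:
        return ["ERROR: default boot entry not found"]
    findings = []
    if "3GB" in switches:
        findings.append("WARN: /3GB set: kernel address space is 1GB, NPP drops "
                        "from 256MB to 128MB; not recommended on ISA Server")
    if "PAE" in switches:
        findings.append("INFO: /PAE set: helps other processes (e.g. MSDE), "
                        "not wspsrv.exe directly")
    return findings or ["OK: no /3GB or /PAE switch on the default entry"]

if __name__ == "__main__":
    for finding in audit_boot_ini(SAMPLE_BOOT_INI):
        print(finding)
```

Only the default entry is audited, because that is the configuration the server runs with after an unattended reboot.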

 

P.S. The next version of ISA Server, TMG server (currently in beta), is a 64-bit application running on a 64-bit OS. Therefore, the above limitations will be irrelevant for it.

 

Author:

  • Jonathan Barner, TMG Customer Satisfaction team

Technical Reviewers:

  • Jim Harrison, Program Manager, FF Edge CS
  • Thomas Detzner, Escalation Engineer, Microsoft CSS Forefront Edge Team