Environment
Reflection for the Web 2011 (All Editions except Standard)
Reflection for the Web 2008 (All Editions except Standard)
Reflection Security Gateway 2014 (except Limited Edition)
Situation
Resolution
Overview of Recommendations
The following specifications are recommended for 12,000, 6000, and 2000 concurrent and active connections:
| System Specification | 12,000 connections (concurrent and active) | 6000 connections (concurrent and active) | 2000 connections (concurrent and active) |
| --- | --- | --- | --- |
| Speed of Processors | 3.0 GHz or faster | 2.33 GHz or faster | 2.33 GHz or faster |
| Number of Processors (or Cores) | 4 or more | 2 or more | 2 or more |
| Amount of RAM | 8 GB or more | 4 GB or more | 4 GB or more |
| Java Virtual Machine (JVM) Heap Size | 3840 MB | 1920 MB | 512 MB |
| Java Runtime Environment (JRE) | 64-bit (requires a 64-bit OS) | 64-bit (requires a 64-bit OS) | 32-bit (See Java Runtime Environment below) |
| File descriptors (UNIX/Linux) | 42,000 | 21,000 | 7,000 |
Performance factors are described in the following sections, in order of relative importance:
Processor Speed
System RAM Available
Virtual Memory Available
Java Heap Size
Java Runtime Environment
Number of Concurrent Connections
Operating System
Server Dedication
Cipher Suites and Key Lengths
Number of Available Ports
Number of Processors (or Cores)
The proxy server is a thread-intensive application. Each connection to the proxy spawns two threads. Therefore, a system with more processors (or cores) will perform better than a similar system with fewer processors. Generally speaking, one should favor more processors (or cores) over processor speed.
Processor Speed
Processor speed is an important factor that affects security proxy server performance. As a general rule, a faster processor will perform operations more quickly. The two most processor-intensive operations that the security proxy server performs are establishing new connections and encrypting and decrypting data.
System RAM Available
Each connection requires memory, and more connections can be made with more memory. More RAM installed on the machine means less paging to disk and better overall performance. A minimum of four gigabytes (4 GB) of RAM is recommended.
Virtual Memory Available
A 32-bit JRE provides the ability to run up to 2000 concurrent and active sessions. This limitation is imposed by the amount of virtual memory available to 32-bit applications, which is 2 GB per process.
A 64-bit JRE running on a 64-bit OS provides considerably more virtual memory and thus provides the ability to run up to 6000 concurrent and active sessions.
Java Heap Size
A 64-bit JRE with a maximum heap size of 3840 megabytes (MB) can support 12,000 concurrent connections.
A 64-bit JRE with a maximum heap size of 1536 MB can support 6000 concurrent connections.
The Reflection installer will install and configure the proxy server to use a server JVM. By default, the server JVM will allocate a heap space that is equal to one quarter the size of physical memory. For example, if a computer has 8 GB of physical memory, then the server JVM will allocate a maximum heap size of 2 GB. To increase the heap allocation, use the JVM command-line options -Xms and -Xmx, which can be set in the SecurityProxy.vmoptions file, located in <Security Proxy installation directory>\bin.
For example, to support 12,000 connections, use a text editor to open the file named …\ReflectionServer\securityproxy\bin\SecurityProxy.vmoptions and add (or edit) the following lines to this file:
-Xms4480m
-Xmx4480m
Java Runtime Environment
The Java Runtime Environment (JRE) on the server can be a significant factor in performance; generally the newer the JRE, the better the performance. More current versions of the JRE include improvements such as better memory handling, HotSpot technology, improved speed, and the ability to support an increased number of sessions. Several companies provide JREs, including Sun, IBM, and Oracle. Performance varies from one product to another.
Java 1.6 or higher is recommended.
Note: A 64-bit JRE running on a 64-bit operating system provides significant performance gains, as described in the previous section.
If the proxy server automated installer is used, the Oracle JRE version is installed as follows:
| Proxy Server Version | JRE Version |
| --- | --- |
| Reflection for the Web 2014 – 12.0 | 1.7.0_25 |
| Reflection Security Gateway 2014 – 12.0 | 1.7.0_25 |
| Reflection for the Web 2011 – 11.0 | 1.6.0_24 |
| Reflection for the Web 2008 R3 – 10.2 | 1.6.0_21 |
| Reflection for the Web 2008 R2 – 10.1 | 1.6 |
| Reflection for the Web 2008 R1 – 10.0 | 1.6 |
| Reflection for the Web 9.x | 1.6 |
Maximizing the Number of Connections in Reflection for the Web 2008
On Microsoft Windows, to maximize the number of connections, start the proxy server using the batch file:
<installation directory>\bin\SecurityProxy.bat ../conf/server.properties
Starting the proxy server using the installed Start menu shortcut or Windows Service limits the number of potential concurrent connections to approximately 650-700. (The installed Start menu shortcut command limits maximum Java heap size at 64 MB, and the installed Windows Service sets a non-default Java thread stack size of 1024 KB.)
Number of Concurrent Connections
It has been demonstrated through considerable stress testing that the proxy server can maintain 12,000 concurrent and active connections with heavy payloads, as long as the above system requirements are met and a 64-bit JRE is used. When a 32-bit JRE is used, the proxy server can handle only 2000 concurrent and active connections due to the memory constraints imposed by 32-bit architecture.
Operating System
Generally speaking, slightly better performance was observed on a Linux-based system with respect to time taken to establish connections and data transmission rates.
Server Dedication
A dedicated proxy server will perform better than a server that performs multiple functions. For example, if the server acts as a web server, a mail server, or as a host, in addition to acting as a proxy server, performance for all concurrent functions will be affected.
Cipher Suites and Key Lengths
The Reflection Security Proxy Server uses two distinct cipher algorithms to establish and secure an SSL/TLS connection. A public key algorithm (DSA or RSA) is used during the connection process to authenticate the server and exchange shared-secret (symmetric) keys for the secure connection. The Data Encryption Standard (DES) key is used in data encryption and decryption. Consider both when examining Reflection Security Proxy Server performance.
Key Lengths Used for Authentication
A longer DSA or RSA public key will slow the initial connection speed but may be suitable when security is a primary concern. RSA or DSA keys can be configured for 512-bit, 768-bit, 1024-bit, or 2048-bit.
Cipher Suites Used for Data Encryption/Decryption
The cipher suites used in session data encryption/decryption can dramatically affect the connection speed once the connection is established. DES 56-bit encryption has been shown to be approximately three times faster than triple DES (168-bit encryption), but is also significantly less secure.
AES (Advanced Encryption Standard) may increase performance significantly over 3DES, and is also considered more secure. Reflection for the Web supports AES 256-bit (RSA or DSA) and AES 128-bit (RSA or DSA).
Number of Available Ports
It may be necessary to increase the number of ports made available by the operating system.
On Windows Server 2003 platforms, the default number of ephemeral ports is 5000. To increase this value, refer to this article: http://msdn.microsoft.com/en-us/library/aa560610(v=bts.20).aspx.
On UNIX and Linux systems, the default number of file descriptors (and thus ports) available to a process can be low (in the hundreds). To increase this value, see KB 7022460.
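As an added pre-flight check for the Java heap and file-descriptor sizing described above (this script is not part of the Reflection product or of this article), the POSIX shell functions below encode the tiers from the sizing table, derive the 3.5 descriptors-per-connection ratio from its 42,000/21,000/7,000 column, and compare them with a system's RAM, `ulimit -n` value and `java -version` text, which are passed in as arguments; the RAM thresholds of 8000/4000 MB and all sample inputs are constructed assumptions.

```shell
#!/bin/sh
# Added pre-flight sizing check; not part of the Reflection product. Tier
# figures come from the sizing table in this article; 3.5 descriptors per
# connection is derived from its 42,000/21,000/7,000 column.

# Smallest documented tier (2000, 6000, 12000) that covers the target count.
sizing_tier() {
    if [ "$1" -le 2000 ]; then echo 2000
    elif [ "$1" -le 6000 ]; then echo 6000
    elif [ "$1" -le 12000 ]; then echo 12000
    else echo unsupported
    fi
}

# Recommended maximum JVM heap (MB) for a tier, from the table.
heap_mb_for_tier() {
    case "$1" in 2000) echo 512 ;; 6000) echo 1920 ;; 12000) echo 3840 ;; *) echo 0 ;; esac
}
# Minimum RAM (MB); 8000/4000 rather than 8192/4096 is an assumption that
# allows for the memory the kernel reserves before `free -m` reports it.
ram_mb_for_tier() { case "$1" in 12000) echo 8000 ;; *) echo 4000 ;; esac; }

# File descriptors needed: 3.5 per connection, in integer arithmetic.
fds_for_tier() { echo $(( $1 * 7 / 2 )); }

# The server JVM defaults to a heap of one quarter of physical RAM (MB in).
default_heap_mb() { echo $(( $1 / 4 )); }

# The two lines to add to SecurityProxy.vmoptions for a tier.
vmoptions_lines() { h=$(heap_mb_for_tier "$1"); printf '%s\n' "-Xms${h}m" "-Xmx${h}m"; }

# preflight CONNECTIONS RAM_MB ULIMIT_N "JAVA_VERSION_TEXT"
# Returns 0 when the system meets the documented tier; prints each shortfall.
preflight() {
    tier=$(sizing_tier "$1")
    if [ "$tier" = unsupported ]; then echo "more than 12,000 connections is not documented"; return 1; fi
    rc=0
    [ "$2" -ge "$(ram_mb_for_tier "$tier")" ] || { echo "RAM: need $(ram_mb_for_tier "$tier") MB"; rc=1; }
    [ "$3" -ge "$(fds_for_tier "$tier")" ] || { echo "ulimit -n: need $(fds_for_tier "$tier")"; rc=1; }
    # Above 2000 connections the 2 GB 32-bit address space is the hard limit.
    if [ "$tier" -gt 2000 ] && ! echo "$4" | grep -q '64-Bit'; then
        echo "JRE: 64-bit JRE on a 64-bit OS required"; rc=1
    fi
    # A default heap below the tier's figure is not a failure, just a vmoptions edit.
    [ "$(default_heap_mb "$2")" -ge "$(heap_mb_for_tier "$tier")" ] ||
        { echo "default heap $(default_heap_mb "$2") MB is below target; set:"; vmoptions_lines "$tier"; }
    return $rc
}
```

On a Linux host the live values can be supplied with `preflight 12000 "$(free -m | awk '/Mem:/{print $2}')" "$(ulimit -n)" "$(java -version 2>&1)"`.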