Reflection Security Proxy Server Performance Factors

  • 7022346
  • 09-Aug-2001
  • 13-Mar-2018

Environment

Reflection for the Web 2014 (All Editions except Limited)
Reflection for the Web 2011 (All Editions except Standard)
Reflection for the Web 2008 (All Editions except Standard)
Reflection Security Gateway 2014 (except Limited Edition)

Situation

This technical note describes hardware, software, and environment factors that affect the performance of the Reflection for the Web or Reflection Security Gateway security proxy server.

Resolution

Overview of Recommendations

The following specifications are recommended for 12,000, 6000, and 2000 concurrent and active connections:

| System Specification | 12,000 connections (concurrent and active) | 6000 connections (concurrent and active) | 2000 connections (concurrent and active) |
|---|---|---|---|
| Speed of Processors | 3.0 GHz or faster | 2.33 GHz or faster | 2.33 GHz or faster |
| Number of Processors (or Cores) | 4 or more | 2 or more | 2 or more |
| Amount of RAM | 8 GB or more | 4 GB or more | 4 GB or more |
| Java Virtual Machine (JVM) Heap Size | 3840 MB | 1920 MB | 512 MB |
| Java Runtime Environment (JRE) | 64-bit (requires a 64-bit OS) | 64-bit (requires a 64-bit OS) | 32-bit (See Java Runtime Environment below) |
| File descriptors (UNIX/Linux) | 42,000 | 21,000 | 7,000 |

Performance factors are described in the following sections, in order of relative importance:

Number of Processors (or Cores)

The proxy server is a thread-intensive application. Each connection to the proxy spawns two threads. Therefore, a system with more processors (or cores) will perform better than a similar system with fewer processors. Generally speaking, one should favor more processors (or cores) over processor speed.

Processor Speed

Processor speed is an important factor that affects security proxy server performance. As a general rule, a faster processor will perform operations more quickly. The two most processor-intensive operations that the security proxy server performs are establishing new connections and encrypting and decrypting data.

System RAM Available

Each connection requires memory, and more connections can be made with more memory. More RAM installed on the machine means less paging to disk and better overall performance. A minimum of four gigabytes (4 GB) of RAM is recommended.

Virtual Memory Available

A 32-bit JRE provides the ability to run up to 2000 concurrent and active sessions. This limitation is imposed by the amount of virtual memory available to 32-bit applications, which is 2 GB per process.

A 64-bit JRE running on a 64-bit OS provides considerably more virtual memory and thus provides the ability to run up to 6000 concurrent and active sessions.

Java Heap Size

A 64-bit JRE with a maximum heap size of 3840 megabytes (MB) can support 12,000 concurrent connections.

A 64-bit JRE with a maximum heap size of 1536 MB can support 6000 concurrent connections.

The Reflection installer will install and configure the proxy server to use a server JVM. By default, the server JVM will allocate a heap space that is equal to one quarter the size of physical memory. For example, if a computer has 8 GB of physical memory, then the server JVM will allocate a maximum heap size of 2 GB. To increase the heap allocation, use the JVM command-line options -Xms and -Xmx, which can be set in the SecurityProxy.vmoptions file, located in <Security Proxy installation directory>\bin.

For example, to support 12,000 connections, use a text editor to open the file named …\ReflectionServer\securityproxy\bin\SecurityProxy.vmoptions and add (or edit) the following lines to this file:

-Xms4480m
-Xmx4480m

Java Runtime Environment

The Java Runtime Environment (JRE) on the server can be a significant factor in performance; generally the newer the JRE, the better the performance. More current versions of the JRE include improvements such as better memory handling, HotSpot technology, improved speed, and the ability to support an increased number of sessions. Several companies provide JREs, including Sun, IBM, and Oracle. Performance varies from one product to another.

Java 1.6 or higher is recommended.

Note: A 64-bit JRE running on a 64-bit operating system provides significant performance gains, as described in the previous section.

If the proxy server automated installer is used, the Oracle JRE version is installed as follows:

| Proxy Server Version | JRE Version |
|---|---|
| Reflection for the Web 2014 – 12.0 | 1.7.0_25 |
| Reflection Security Gateway 2014 – 12.0 | 1.7.0_25 |
| Reflection for the Web 2011 – 11.0 | 1.6.0_24 |
| Reflection for the Web 2008 R3 – 10.2 | 1.6.0_21 |
| Reflection for the Web 2008 R2 – 10.1 | 1.6 |
| Reflection for the Web 2008 R1 – 10.0 | 1.6 |
| Reflection for the Web 9.x | 1.6 |

Maximizing the Number of Connections in Reflection for the Web 2008

On Microsoft Windows, to maximize the number of connections, start the proxy server using the batch file:

<installation directory>\bin\SecurityProxy.bat ../conf/server.properties

Starting the proxy server using the installed Start menu shortcut or Windows Service limits the number of potential concurrent connections to approximately 650-700. (The installed Start menu shortcut command limits maximum Java heap size at 64 MB, and the installed Windows Service sets a non-default Java thread stack size of 1024 KB.)

Number of Concurrent Connections

It has been demonstrated through considerable stress testing that the proxy server can maintain 12,000 concurrent and active connections with heavy payloads, as long as the above system requirements are met and a 64-bit JRE is used. When a 32-bit JRE is used, the proxy server can handle only 2000 concurrent and active connections due to the memory constraints imposed by 32-bit architecture.

Operating System

Generally speaking, slightly better performance was observed on a Linux-based system with respect to time taken to establish connections and data transmission rates.

Server Dedication

A dedicated proxy server will perform better than a server that performs multiple functions. For example, if the server acts as a web server, a mail server, or as a host, in addition to acting as a proxy server, performance for all concurrent functions will be affected.

Cipher Suites and Key Lengths

The Reflection Security Proxy Server uses two distinct cipher algorithms to establish and secure an SSL/TLS connection. A public key algorithm (DSA or RSA) is used during the connection process to authenticate the server and exchange shared-secret (symmetric) keys for the secure connection. The Data Encryption Standard (DES) key is used in data encryption and decryption. Consider both when examining Reflection Security Proxy Server performance.

Key Lengths Used for Authentication

A longer DSA or RSA public key will slow the initial connection speed but may be suitable when security is a primary concern. RSA or DSA keys can be configured with a length of 512, 768, 1024, or 2048 bits.

Cipher Suites Used for Data Encryption/Decryption

The cipher suites used in session data encryption/decryption can dramatically affect the connection speed once the connection is established. DES 56-bit encryption has been shown to be approximately three times faster than triple DES (168-bit encryption), but is also significantly less secure.

AES (Advanced Encryption Standard) may increase performance significantly over 3DES, and is also considered more secure. Reflection for the Web supports AES 256-bit (RSA or DSA) and AES 128-bit (RSA or DSA).
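The trade-offs in this section can be checked against a configured suite list. The following Python code is an added example, not part of the original technical note or the product: it classifies suites by bulk cipher and flags DES, 3DES and short authentication keys. It assumes suites are written with their standard Java (JSSE) names, which the note does not confirm for the proxy's configuration; the 2048-bit threshold and the sample list are choices made for this example.

```python
# Threshold picked for this example (current guidance), not taken from the note.
MIN_AUTH_KEY_BITS = 2048
BULK_KEY_BITS = {"DES40": 40, "DES": 56, "3DES": 168}


def classify(suite):
    """Split a JSSE suite name into (auth algorithm, bulk cipher, bulk key bits)."""
    key_exchange, sep, rest = suite.partition("_WITH_")
    if not sep:
        raise ValueError(f"not a cipher suite name: {suite!r}")
    kx_tokens, bulk_tokens = key_exchange.split("_"), rest.split("_")
    auth = "DSA" if "DSS" in kx_tokens else "RSA" if "RSA" in kx_tokens else "other"
    # Compare whole tokens: a substring test for "DES" would also hit "3DES".
    bulk = bulk_tokens[0]
    bits = int(bulk_tokens[1]) if bulk == "AES" else BULK_KEY_BITS.get(bulk)
    return auth, bulk, bits


def audit(suites, auth_key_bits):
    """Return (severity, subject, reason) tuples for an enabled-suite list."""
    findings = []
    if auth_key_bits < MIN_AUTH_KEY_BITS:
        findings.append(("weak", f"{auth_key_bits}-bit server key",
                         f"below {MIN_AUTH_KEY_BITS} bits"))
    for suite in suites:
        _, bulk, bits = classify(suite)
        if bulk in ("DES", "DES40"):
            findings.append(("weak", suite, f"{bits}-bit DES"))
        elif bulk == "3DES":
            findings.append(("slow", suite, "note prefers AES over 3DES"))
        elif bulk != "AES":
            findings.append(("review", suite, "cipher not covered by the note"))
    return findings


# Constructed sample configuration (standard JSSE names; not from the note).
SAMPLE_SUITES = [
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUITES, auth_key_bits=1024):
        print(*finding, sep=" | ")
```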

Number of Available Ports

It may be necessary to increase the number of ports made available by the operating system.

On Windows Server 2003 platforms, the default number of ephemeral ports is 5000. To increase this value, refer to this article: http://msdn.microsoft.com/en-us/library/aa560610(v=bts.20).aspx.

On UNIX and Linux systems, the default number of file descriptors (and thus ports) available to a process can be low (in the hundreds). To increase this value, see KB 7022460.
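The recommendations table, the heap settings in SecurityProxy.vmoptions and the file descriptor limit can be checked together before going live. The following Python code is an added example, not part of the original technical note or the product: it parses -Xms/-Xmx lines and compares a host's cores, RAM, JRE bitness, maximum heap and descriptor limit with the tier that covers the target connection count. The function names and the sample host values are assumptions made for this example.

```python
import re

# Minimums per connection tier, copied from the recommendations table in this note.
TIERS = {
    2000:  {"cores": 2, "ram_gb": 4, "jre_bits": 32, "heap_mb": 512,  "nofile": 7000},
    6000:  {"cores": 2, "ram_gb": 4, "jre_bits": 64, "heap_mb": 1920, "nofile": 21000},
    12000: {"cores": 4, "ram_gb": 8, "jre_bits": 64, "heap_mb": 3840, "nofile": 42000},
}
TO_MB = {"": 1 / 2**20, "k": 1 / 1024, "m": 1, "g": 1024}  # no suffix means bytes


def parse_heap_mb(vmoptions_text):
    """Return {'Xms': MB, 'Xmx': MB} for the -Xms/-Xmx lines found in the file text."""
    heap = {}
    for line in vmoptions_text.splitlines():
        m = re.fullmatch(r"-(Xms|Xmx)(\d+)([kKmMgG]?)", line.strip())
        if m:
            heap[m.group(1)] = int(m.group(2)) * TO_MB[m.group(3).lower()]
    return heap


def preflight(connections, cores, ram_gb, jre_bits, nofile, vmoptions_text):
    """Check a host against the smallest tier that covers `connections`.

    nofile is the per-process file descriptor limit (None on Windows).
    Returns a list of findings; an empty list means every minimum is met.
    """
    tier = next((t for t in sorted(TIERS) if connections <= t), None)
    if tier is None:
        return [f"{connections} connections is above the largest tier (12000)"]
    need = TIERS[tier]
    # With no -Xmx line, the note says the server JVM caps the heap at
    # one quarter of physical memory, so fall back to that figure.
    max_heap = parse_heap_mb(vmoptions_text).get("Xmx", ram_gb * 1024 / 4)
    have = {"cores": cores, "ram_gb": ram_gb, "jre_bits": jre_bits,
            "heap_mb": max_heap, "nofile": nofile}
    return [f"{key}: have {value:g}, tier {tier} needs {need[key]}"
            for key, value in have.items()
            if value is not None and value < need[key]]


# Constructed sample: the 12,000-connection lines from this note, and a
# hypothetical host that still has a default-sized descriptor limit.
SAMPLE_VMOPTIONS = "-Xms4480m\n-Xmx4480m\n"

if __name__ == "__main__":
    for finding in preflight(12000, cores=4, ram_gb=8, jre_bits=64,
                             nofile=1024, vmoptions_text=SAMPLE_VMOPTIONS):
        print(finding)
```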

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 1557.