For a production environment, the recommended default settings described below allow each proxy host to handle up to 12,000 concurrent, persistent HTTP connections.
To increase the number of concurrent HTTP connections
Perform the following steps on the proxy host.
12200. The file contains multiple connectors; only the connector for port 443 should be updated. The connectors for ports 80 and 8553 can remain at the default value of 200.
disableKeepAlivePercentage="99"as shown in the example below. This will allow 99% of the threads to be used for persistent connections, keeping 1% in reserve to process a single request per connection to help maintain availability during busy periods when all 12,000 persistent connections are in use.
Connector protocol="HTTP/1.1" port="443" maxThreads="12200" disableKeepAlivePercentage="99"
netshcommand to increase the dynamic ports range, please refer to http://en.wikipedia.org/wiki/Ephemeral_port for further information.
netsh int ipv4 set dynamicport tcp start=40000 num=25000
For a production environment, we recommend that each Security Token Service (STS) host has 8GB of physical memory and 8 processor cores. For example, two quad core processors giving a total of 8 cores spread over two processors.
CPU and memory usage varies between the different authentication methods. Our stress testing has shown a single STS host can support between 12,000 and 18,000 users authenticating over a 30 minute period. Our recommended maximum of 15,000 is an average of the two. No special configuration is required on the STS hosts to support this number of users.
When you have added an application to Cloud Access Manager, you can make sure that users only access the application using Cloud Access Manager. This may be required if you are using Cloud Access Manager to enforce strong authentication for the application, or want to use Cloud Access Manager’s auditing features to monitor application usage. The procedure described below is only required for non-federated applications, that is, those not using SAML or WS-Federation.
|NOTE: To prevent direct access to an application, we recommend that you use the firewall on the application’s host. For example, you need to update the HTTP/HTTPS firewall rules to only allow access from the internal IP addresses of the Cloud Access Manager proxy hosts.|
To configure the Windows Firewall to prevent direct access to the application
Perform the following steps on the application’s host.
|NOTE: If the application is installed on multiple hosts, repeat these steps on each host running the application.|
Select the Scope tab.
When you have updated the firewall configuration on each host running the application, verify that users can still access the application using Cloud Access Manager.
|NOTE: If the host running the application contains multiple applications and you do not wish to prevent direct access to all of them, you can configure the Web Server to restrict access to the proxy hosts on a per application basis. Please refer to http://support.microsoft.com/kb/324066 for instructions on how to configure IIS to use the IP Address and Domain Restrictions feature.|