08-31-2006 02:08 PM - edited 03-10-2019 03:11 AM
I'm in a trial by fire installing CSA 5.1 on Win servers for my enterprise.
So far the only info that I've found on this subject is that the Shim:
-Installs by default
-Requires a server reboot on install
-May introduce datacom latency
-Is not required on "protected" servers
So, here are a few questions:
-What would be the latency impact on a heavily used SQL cluster server?
(MS WinServ2k3 on HP Blade w/Gig network adapters)
-What is "protected"?
-Any server behind firewall?
-Including in the DMZ?
-Any server that receives no incoming Internet connections?
-Any server that never connects to Internet nodes (in either direction)?
-Any server that has no nic cards installed? (I wanted to get at least one right)
What experience/advice does anyone have on this subject?
Thanks,
Scott
09-01-2006 11:59 AM
Ok, I've done deeper searches on this forum and discovered that people say that the Network Shim was permanently enabled in CSA 5.0 forward. I guess that question is answered.
I still would like to know if anyone has seen Windows Server performance issues when installing CSA Agent in Test Mode.
Thanks,
Scott
09-02-2006 04:52 PM
Yes, I've seen performance hits when servers are high traffic, dual NIC and have lots of rules enabled. The trick is to find out what the server does and tune the rules so they have the smallest impact.
Even though it is in test mode, it still has to process the rules as if it were in protect mode.
If these are limited service servers you could try some of the canned groups (clone them and test with the clones) to determine what the optimal setup is.
You could also approach it from the other angle, which is to use only those policies that protect what you feel is the greatest risk and ignore the rest. That way the server is only processing rules you care about and can spend the rest of its power doing its job.
BTW, there is a way to disable the network shim with a registry mod but I don't believe it's encouraged or supported.
Tom S
09-03-2006 05:50 PM
Thank you very much for the information. I'm going to work on this. So far I don't have a complete grip on changing rules for just one host - but I should get it down shortly.
-Scott F.
09-03-2006 02:33 AM
Hi. I had issues with CSA 4.5 in TEST MODE. On this version the installation of the Network Shim was optional, and so after experiencing several performance issues with many servers running FTP, HTTP, and Exchange I ended up creating a new package without the Network Shim and re-deploying again. The performance problems went away afterwards. I would have suggested uninstalling the Network Shim, but I was not aware that version 5.0 does not give you the option of not installing it. :-(