Security Proxy: Prerequisites and System Requirements
The Security Proxy Add-On requires a separate license. The Security Proxy requirements are in addition to the MSS Minimum System Requirements.
Before installing the Security Proxy, verify that:
- the Management and Security Server automated installer is available. (The Security Proxy can be installed along with MSS or by itself later.)
- the Security Proxy activation file (activation.security_proxy-12.8.<n>.jaw) is available.
  We recommend installing the latest activation files to ensure that all product features are correctly enabled. For example, when you upgrade Management and Security Server to 12.8.5, be sure to upgrade the Security Proxy to 12.8.5.
- the Performance and Scaling Requirements are addressed.
Performance and Scaling Requirements
The Security Proxy Server's performance is affected by hardware, software, and environmental factors. Follow these guidelines for best performance.
We recommend these specifications for up to 6000 concurrent and active connections.

| Specification | Up to 6000 connections (concurrent and active) |
| --- | --- |
| Speed of processors | 2.7 GHz or faster |
| Number of processors (or cores) | 4 or more |
| Memory (RAM) | 4 GB or more |
| Java Virtual Machine (JVM) heap size | 3 GB |
| File descriptors (Linux/UNIX) | 12,020 |
- Number of Available Ports and Descriptors
- Number of Concurrent Connections
- Operating System
- Server Dedication
- Key Lengths and Cipher Suites
System Specification - Details
Speed of Processors
As a general rule, a faster processor performs operations more quickly. The two most processor-intensive operations performed by the Security Proxy server are establishing new connections and encrypting and decrypting data.
Number of Processors (or Cores)
The Security Proxy server is a thread-intensive application. Each connection to the Security Proxy spawns two threads. A system with more processors (or cores) will perform better than one with fewer processors.
Memory
Each connection requires memory, and more connections can be made with more memory. More RAM installed on the machine means less paging to disk and better overall performance. A minimum of four gigabytes (4 GB) RAM is recommended.
Java Heap Size
A 64-bit JRE with a heap size of 3 GB can support 6000 concurrent connections.
The installer will install and configure the Security Proxy server to use a server JVM. By default, the server JVM will allocate a heap space that is equal to one quarter the size of physical memory. For example, if a computer has 8 GB of physical memory, then the server JVM will allocate a maximum heap size of 2 GB. To increase the heap allocation, use the JVM command-line options -Xms and -Xmx, which can be set in the MssSecurityProxy.vmoptions file, located in <Security Proxy installation directory>\bin.
For example, to support 6,000 connections, use a text editor to open the file named …\MSS\securityproxy\bin\SecurityProxy.vmoptions and add (or edit) the following lines to this file:
Additional Specifications - Details
Number of Available Ports and Descriptors
You may need to increase the number of ports or file descriptors made available by the operating system.
Windows Server - ports
The default number of ephemeral ports is 5000. Use these commands to show or change the number of ports.
To print the number of ports available:
netsh int ipv4 show dynamicportrange tcp
To change the number of available ports:
netsh int ipv4 set dynamicport tcp start=10000 num=6000
Linux or UNIX - descriptors
The default number of file descriptors (and thus ports) available to a process can be low (in the hundreds).
Each security proxy server needs approximately 20 file descriptors, and each connection uses two file descriptors. To determine the number of file descriptors required, use this formula:
number of descriptors = 20 + (<connections> * 2)
<connections> represents the maximum number of concurrent connections the Security Proxy server may receive. Note: The permitted number of concurrent sessions is governed by your product license.
For example, for 6000 connections:
20 + (6000 connections * 2) = 12020 descriptors
To increase the number of descriptors:
As a user with root privileges, open the command shell that launches the Security Proxy server. This shell should be the same one used to configure the Security Proxy server.
At the command line, enter:
ulimit -n <descriptors>
<descriptors> represents the integer number of descriptors needed to support the Security Proxy connections.
ulimit command syntax may vary depending on your shell. For more information about using the command, refer to your OS documentation or man pages.
- The shell inherits the default limit from the kernel variable rlim_fd_cur value set in the /etc/system file. The maximum number of descriptors that can be set ("hard limit") is governed by the kernel variable
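The heap and descriptor sizing rules above can be checked before the proxy is started. The following script is an added example, not part of the MSS product or its documentation; it assumes the vmoptions file uses plain -Xmx lines and takes the current soft limit from ulimit -Sn.

```shell
#!/usr/bin/env bash
# Added pre-flight check for a Security Proxy host; illustrative code, not part
# of the MSS product or its documentation. It applies the sizing rules from this
# page: descriptors = 20 + (connections * 2); a server JVM defaults to a heap of
# one quarter of physical RAM unless -Xmx is set in SecurityProxy.vmoptions; and
# 3 GB of heap is the page's figure for 6000 connections.
set -u

# File descriptors the proxy process needs for N concurrent connections.
required_descriptors() { echo $(( 20 + $1 * 2 )); }

# Convert a JVM size (3g, 2048M, 1048576k or plain bytes) to MiB.
jvm_size_to_mib() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); n=${v%?}
    case $v in
        *g) echo $(( n * 1024 )) ;;
        *m) echo "$n" ;;
        *k) echo $(( n / 1024 )) ;;
        *)  echo $(( v / 1024 / 1024 )) ;;
    esac
}

# Effective max heap in MiB: the last -Xmx line of a vmoptions file, or the
# server-JVM default of RAM/4 when the file sets none.  $1=file  $2=RAM in MiB
effective_heap_mib() {
    xmx=$(grep -E '^-Xmx' "$1" 2>/dev/null | tail -n 1 | sed 's/^-Xmx//')
    if [ -n "$xmx" ]; then jvm_size_to_mib "$xmx"; else echo $(( $2 / 4 )); fi
}

# Check a host against the guideline for $1 connections.
# $2=vmoptions file  $3=physical RAM in MiB  $4=current soft fd limit (ulimit -Sn)
# Prints each shortfall and returns 0 only when every check passes.
check_host() {
    need=$(required_descriptors "$1"); heap=$(effective_heap_mib "$2" "$3"); rc=0
    [ "$4" -ge "$need" ] || { echo "fd limit $4 < $need needed (run: ulimit -n $need)"; rc=1; }
    if [ "$1" -ge 6000 ] && [ "$heap" -lt 3072 ]; then
        echo "heap $heap MiB < 3072 MiB for $1 connections (set -Xmx3g in vmoptions)"; rc=1
    fi
    return $rc
}

# Demo with a constructed vmoptions file; RAM is read from /proc/meminfo when present.
f=$(mktemp); printf -- '-Xms3g\n-Xmx3g\n' > "$f"
ram=$(awk '/^MemTotal/ {print int($2/1024)}' /proc/meminfo 2>/dev/null || echo 8192)
check_host 6000 "$f" "$ram" "$(ulimit -Sn)" && echo "host meets the 6000-connection guideline"
rm -f "$f"
```

Run it in the same shell that will launch the Security Proxy, since that is the shell whose descriptor limit the proxy process inherits.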
Number of Concurrent Connections
Through considerable stress testing, it has been demonstrated that the Security Proxy server can maintain 6,000 concurrent and active connections with heavy payloads, as long as the prerequisites and system requirements described on this page are met and a 64-bit JRE is used.
Operating System
Slightly better performance was observed on a Linux-based system with respect to time taken to establish connections and data transmission rates.
Server Dedication
A dedicated Security Proxy server will perform better than a server that performs multiple functions. For example, if the server acts as a web server, a mail server, or as a host, in addition to acting as a Security Proxy server, performance for all concurrent functions will be affected.
Key Lengths and Cipher Suites
The Security Proxy server uses two distinct cipher algorithms to establish and secure a TLS connection. A public key algorithm (DSA or RSA) is used during the connection process to authenticate the server and exchange shared-secret (symmetric) keys for the secure connection; a symmetric cipher suite then encrypts and decrypts the session data.
Key Lengths Used for Authentication
A longer DSA or RSA public key will slow the initial connection speed but may be suitable when security is a primary concern. Open the Security Proxy Wizard to view or modify the key length.
Cipher Suites Used for Data Encryption/Decryption
The cipher suites used for session data encryption/decryption can dramatically affect the connection speed once the connection is established. The default cipher suite is RSA with 128-bit AES and SHA-1.
Use the Security Proxy Wizard (Proxies > Modify) to select different cipher suites.