recommended configuration, a Proxy host can typically support up to 7,000 users and a Security Token Service (STS) host can typically support up to 15,000 users.
You can add further Proxy and STS hosts to support more users and to provide high availability. For a production environment, we recommend that you deploy an additional proxy host and STS host to provide high availability and protect against a single host failure. For example, a company with 20,000 users would typically deploy 4 Proxy hosts (20,000/7,000 +1) and 3 STS hosts (20,000/15,000 +1).
NOTE: If you are not proxying any applications, including the Cloud Access Manager portal, the number of Proxy hosts should match the number of STS hosts.
One Identity Cloud Access Manager contains a reverse proxy to provide Single Sign-On (SSO) to web applications that do not support federation, for example basic, NT LAN Manager (NTLM), header, and form authentication. The reverse proxy is also used to allow secure access to internal web applications from the Internet. When you access a proxied application, all communication between the web browser and the application goes through the proxy for the entire session, not only for the authentication. For a production environment, we recommend that each proxy host has 9GB of physical memory and 8 processor cores across 2 CPUs.
A single proxy host can handle up to 12,000 concurrent connections. Modern web browsers typically use between 6 and 8 persistent HTTP connections when accessing an application. During idle periods, such as when a user is reading, they often reduce this to a single connection, or even close all connections until the next user interaction. The browser can use each connection to send multiple HTTP requests to the application. The proxy closes a connection after it has processed 100 HTTP requests, or after the connection has been idle for 60 seconds; the browser establishes a new connection the next time it needs to make an HTTP request. So, depending on the application you want to proxy, a single Proxy host can support between 1,500 users (12,000/8) and 12,000 users (12,000/1). Our recommended maximum of 7,000 is an average of the two. To support up to 12,000 concurrent connections, you must configure the proxy host to increase the number of persistent HTTP connections that it can support, which in turn requires a greater memory allocation for the proxy. See below for further information on how to do this.
proxy host has 9GB of physical memory, with 6GB of this memory allocated to the Java virtual machine (JVM) used by the proxy.
NOTE: These figures are intended as guidelines. Different operating systems may require more or less RAM to be allocated to them to function effectively. For instance, 8GB RAM may be sufficient for a proxy running on Windows Server Core OS with 6GB allocated to the JVM heap.
4. You must restart the proxy service for this setting to take effect. To restart the proxy service, click the General tab and then click Restart.
NOTE: Memory consumption of the proxy can exceed the amount allocated to the JVM heap. This is because Java allocates memory to other processes, such as a stack for each thread. Therefore, it is not unusual for the total memory used by the proxy to exceed the value allocated to the JVM heap by up to 10%.
For a production environment, the recommended default settings described below allow each proxy host to handle up to 12,000 concurrent, persistent HTTP connections.
To increase the number of concurrent HTTP connections:
Perform the following steps on the proxy host.
2. Next to the modified maxThreads parameter, insert a new parameter disableKeepAlivePercentage="99" as shown in the example below:
/>
The following example will allow approximately 12,000 persistent HTTP connections. Run this command from a command prompt as an administrator. It is recommended to reboot after taking these steps.
netsh int ipv4 set dynamicport tcp start=40000 num=25000
You can see what the dynamic port range is currently set to with this command: netsh int ipv4 show dynamicport tcp
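The following script is an added example, not part of the One Identity documentation or product. It is a read-only pre-flight check for a proxy host: it reports the Tomcat Connector attributes that the procedure above edits (maxThreads and disableKeepAlivePercentage) and compares the current Windows dynamic TCP port range, read with the same netsh command shown above, against the values the page recommends (start=40000, num=25000). The server.xml path is a placeholder that you must point at the proxy's own configuration file; the script changes nothing, so it is safe to run on a production host.

```powershell
# Added example (not One Identity's own code): read-only pre-flight check for a
# Cloud Access Manager proxy host. It lists the Tomcat <Connector> attributes the
# procedure above edits and checks the Windows dynamic TCP port range against the
# netsh values on this page. $ServerXmlPath is a placeholder; set it to the
# proxy's server.xml. Run from a PowerShell session on the proxy host.

param(
    [string]$ServerXmlPath = 'C:\PLACEHOLDER\proxy\conf\server.xml',  # placeholder path
    [int]$ExpectedStart = 40000,  # value from the netsh command on this page
    [int]$ExpectedNum   = 25000   # value from the netsh command on this page
)

function Get-ConnectorSettings {
    # Returns one object per <Connector> element in server.xml. An attribute that
    # is not set comes back as an empty string, which is itself a useful finding.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "server.xml not found at '$Path' (placeholder path; point it at the proxy's server.xml)"
        return
    }
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    foreach ($c in $doc.SelectNodes('//Connector')) {
        [pscustomobject]@{
            Port                       = $c.GetAttribute('port')
            Protocol                   = $c.GetAttribute('protocol')
            MaxThreads                 = $c.GetAttribute('maxThreads')
            DisableKeepAlivePercentage = $c.GetAttribute('disableKeepAlivePercentage')
        }
    }
}

function Get-DynamicPortRange {
    # Parses the output of the same netsh command the page uses to display the range.
    $text = (& netsh int ipv4 show dynamicport tcp) -join "`n"
    if ($text -match 'Start Port\s*:\s*(\d+)') { $start = [int]$Matches[1] }
    else { throw 'Could not parse the start port from netsh output.' }
    if ($text -match 'Number of Ports\s*:\s*(\d+)') { $num = [int]$Matches[1] }
    else { throw 'Could not parse the number of ports from netsh output.' }
    [pscustomobject]@{ Start = $start; Num = $num; End = $start + $num - 1 }
}

function Test-DynamicPortRange {
    # Returns $true when the range matches the page's recommendation. Deviations
    # are reported as warnings, not corrected, so the check never alters the host.
    param([int]$Start, [int]$Num, [int]$ExpectedStart, [int]$ExpectedNum)
    $ok = $true
    if ($Num -lt $ExpectedNum) {
        Write-Warning ("Dynamic port range has {0} ports; the recommended value is {1}." -f $Num, $ExpectedNum)
        $ok = $false
    }
    if ($Start -ne $ExpectedStart) {
        Write-Warning ("Dynamic port range starts at {0}; the recommended value is {1}." -f $Start, $ExpectedStart)
        $ok = $false
    }
    if (($Start + $Num - 1) -gt 65535) {
        Write-Warning 'Dynamic port range extends beyond port 65535.'
        $ok = $false
    }
    return $ok
}

'--- Tomcat Connector settings ---'
Get-ConnectorSettings -Path $ServerXmlPath | Format-Table -AutoSize

'--- Dynamic TCP port range ---'
$range = Get-DynamicPortRange
$range | Format-Table -AutoSize
if (Test-DynamicPortRange -Start $range.Start -Num $range.Num -ExpectedStart $ExpectedStart -ExpectedNum $ExpectedNum) {
    'Dynamic port range matches the recommended setting.'
} else {
    'Dynamic port range differs; apply the netsh command above as an administrator and reboot.'
}
```

Run it before and after applying the netsh command and rebooting; the second run should report that the range matches, and the Connector table should show the modified maxThreads value alongside disableKeepAlivePercentage="99".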
We recommend the following minimum disk space requirements are observed. For further information on installation requirements, please refer to the document entitled One Identity Cloud Access Manager Installation Guide.
Table 1. Disk space requirements
| Hardware | Requirement | Host |
|---|---|---|
| Disk Space | 25GB | Proxy host |
| Disk Space | 50GB | STS host (Security Analytics Engine not operational) |
| Disk Space | 50GB | STS host (Security Analytics Engine operational) |
NOTE: These recommended disk space values are intended as a general guideline. We suggest that you monitor disk space usage on all your servers to account for usage changes that occur, such as expanding log files (for example, from other applications such as IIS), a lifetime of Windows updates, and system backup data.
For a production environment, we recommend that each Security Token Service (STS) host has 8GB of physical memory and 8 processor cores across 2 CPUs.
CPU and memory usage varies between the different authentication methods. Our stress testing has shown that a single STS host can support between 12,000 and 18,000 users authenticating over a 30-minute period. Our recommended maximum of 15,000 is an average of the two. No special configuration is required on the STS hosts to support this number of users.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.