- Overview
- Let's create a shaping rule
- Another shaping rule
- Let's create a quota rule
- Testing the created Shaping and Quota rules
- Client-side monitoring utility
- Modifying the Traffic Counters on the fly from the Quota Counters Panel
- The Download Managers cannot exhaust the bandwidth anymore
- Conclusion
Overview
ISA 2006 Firewall comes with a lot of nice features by default. But, like everything and everybody, it's not perfect. Unfortunately it does not come with an integrated bandwidth manager.
As we have seen in a previous article, not having a bandwidth manager installed on ISA can easily lead to an improper distribution of Internet bandwidth among the users. Wasteful traffic can exhaust the Internet bandwidth and work-related traffic will suffer. Unauthorized installations of download managers, for example, can seriously affect work-related traffic (long delays, timeouts...).
That's why you should always allow only needed traffic to needed destinations.
A nice feature of ISA is the ability to authenticate users based on their Active Directory accounts.
So it would be nice to have a bandwidth manager that integrates with ISA and is able to control/limit bandwidth using Active Directory groups and users in addition to machine-based control (using IP addresses). In this way the shaping and quota rules will "follow" the users (the users can use any domain computer on the network). Whatever machine the users use, they will benefit from the bandwidth allocated to them and ISA will be able to control/limit it accordingly. The bandwidth allocated per user/group for work-related traffic will be constant, thus increasing work productivity. Non-work-related (non-priority) traffic is limited, thus Internet connection costs are reduced.
Let's imagine the situation below (reduced and simplified).
User X is working with an application that connects him/her to a remote server. Another user Y is killing time, surfing the Internet, starting a couple of downloads and so on. Due to the "activity" of user Y, user X will not have a fixed, constant bandwidth allocated, although he/she is working on an important project. User X may experience spikes, delays and timeouts when using the needed application. These lead to frustration and thus to poor work productivity.
The solution is to provide user X with a constant channel for his/her duties while limiting the bandwidth for non-work-related activity (like that of user Y). The shaping of the channel should be done per destination and per protocol.
In addition, it is very important to have a
live picture of all users and their connections
through ISA including a chart with the bandwidth
utilization. And the ability to immediately
disconnect offending users.
A powerful bandwidth manager should be able
to do all these. Obviously a powerful bandwidth
manager with plenty of options can help in many
other situations.
In this article we will take a look at the current version of Bandwidth Splitter. At the time of writing, the version is 1.21.
Bandwidth Splitter allows free-of-charge use with up to 10 clients. So you have the chance to see it in action yourself before placing an order. I've said it before and I can't stress enough how important it is to have access to a trial version of a piece of software in order to see if it's actually good enough for you and if it does what its vendor promises. The difference with Bandwidth Splitter is that if you have only a few clients (up to 10) you can use it for free. See Figure1.

Figure1: Bandwidth
Splitter License
Bandwidth Splitter impresses from the start
because it's nicely integrated with ISA and with
ISA's management console. See
Figure2.

Figure2: Bandwidth
Splitter Integrated with ISA's Management
Console
Also, for remote administration, you can install only the administrative component of Bandwidth Splitter on remote computers that have the ISA Server management console installed.
An amazing fact about Bandwidth Splitter is how easy it is to use. I was able to start managing the bandwidth in a second.
With Bandwidth Splitter you can manage the
traffic of HTTP, HTTPS and FTP connections (for
web proxy clients) and TCP/UDP connections (for
SecureNAT clients, Firewall Clients and DMZ
servers). Also you can manage the traffic of
published servers.
With Bandwidth Splitter you create shaping
and quota rules.
Shaping rules can be described as speed
limitation rules. You can restrict the maximum
speed for connections for individual users, user
groups or IP address(per Networks, Subnets,
individual computers, Computer Sets, URL Sets or
Domain Name sets).
Quota rules restrict the amount of traffic that a specific user, a group of users, a host or a group of hosts may transfer within a period of time. Note that quota rules apply only when the source IP address is not in the External Network and the destination IP address belongs to the External Network. If you have a server on an ISA DMZ and you are connecting to it, say, from the Internal network, you cannot have a quota rule for these connections.
If you have an ISA DMZ, and the routing
relationship between this DMZ and the External
network is set to "route", and using access
rules for example, you can apply shaping and
quota rules for machines from this DMZ(control
connections coming from the External Network) by
checking "Treat connections from External
network as accepted/inbound". This option is a
little confusing until you start making some
quick tests. See
Figure3.

Figure3: "Treat
connections from External network as
accepted/inbound"
Bandwidth Splitter uses entities of ISA Server for both shaping and quota rules. This is quite handy because it eliminates the administrative overhead of creating separate entities within Bandwidth Splitter's administration interface.
For shaping rules you can use ISA entities
within the following fields:
- the "Destinations" field can contain: Networks, Subnets, Address Ranges, individual computers, Computer Sets, URL Sets or Domain Name Sets, see Figure4.

Figure4: Bandwidth
Splitter Shaping Rule "Destinations"
Field
- the "Applies to IP addresses" field can contain: Networks, Subnets, Address Ranges, individual computers or Computer Sets, see Figure5.

Figure5: Bandwidth
Splitter Shaping Rule "Applies to IP addresses"
Field
- the "Applies to User Sets" field can
contain the Users Sets defined on ISA, see
Figure6. The option to
control the speed limit per User Sets provides
more power and more flexibility. It represents a
big plus for Bandwidth Splitter.

Figure6: Bandwidth
Splitter Shaping Rule "Applies to User Sets"
Field
- the "Schedule" field can contain the
Schedules defined on ISA, see
Figure7. However, ISA
Schedules are not very flexible, you cannot
define a schedule from say, 14:30-14:45, only
from 14:00-15:00.

Figure7: Bandwidth
Splitter Shaping Rule "Schedule"
Field
For quota rules you can use ISA entities
within the following fields:
- the "Applies to IP addresses" field can contain: Networks, Subnets, Address Ranges, individual computers, Computer Sets, URL Sets or Domain Name Sets, with the observation that quota rules apply only when the source IP address is not in the External Network and the destination IP address belongs to the External Network. See Figure8.

Figure8: Bandwidth
Splitter Quota Rule "Applies to IP addresses"
Field
- the "Applies to User Sets " field can
contain the Users Sets defined on ISA. See
Figure9. The ability to
assign a traffic quota per User Sets provides
more power and more flexibility. It represents
another big plus for Bandwidth Splitter.

Figure9: Bandwidth
Splitter Quota Rule "Applies to User Sets"
Field
Bandwidth Splitter comes with a real-time
monitoring feature. You can view the activity of
all clients accessing Internet through ISA
Server(the IP address of each client, the user
name, the number of connections and so on). See
Figure10.

Figure10: Bandwidth
Splitter Live Monitoring
If you are using quota rules you can
visualize the traffic counter and the amount of
remaining traffic. See
Figure11.

Figure11: Bandwidth
Splitter Quota Counters
However, you can only look; there is no option to disconnect a user.
Another minus for Bandwidth Splitter is that you cannot apply shaping rules based on protocols. By default all TCP and UDP protocols are shaped.
An interesting and very useful feature of Bandwidth Splitter is that you can specify what happens when a connection matches neither a shaping rule nor a quota rule. By default, "Do not filter connections" is selected, so such connections are excluded from processing. Note that the exclusion occurs only when no rule of either type matches. If you select "Deny connections" instead of "Do not filter connections", such connections are denied. Therefore you have to define your shaping and quota rules carefully if you want to use this setting: any traffic you forget to cover with a rule is blocked. See Figure12 (the Advanced tab of the general options of Bandwidth Splitter).

Figure12: Action to
Take When No Rules Found
Let's create a shaping rule
Let's create a shaping rule. I have created a test access rule on ISA allowing FTP, HTTP and HTTPS from Internal to External for All Authenticated Users. Thus this rule requires authentication. See Figure13.

Figure13: ISA Internet
Access Rule
Note that to apply a Bandwidth Splitter rule to users or user groups, the ISA access rule must require authentication (only Web Proxy clients and/or Firewall Clients can authenticate). Connections from clients that cannot authenticate carry no user name, so they can only be matched by the IP-address based fields of the rules.
What I want to accomplish: to allocate a constant bandwidth to a group of users for their work duties, with each individual user belonging to this group having a fixed and constant bandwidth allocated. The group of users is called "RegularUsers".
To accomplish this I will create a shaping rule for work-required destinations. Work-required destinations include Computer Sets, URL Sets and Domain Name Sets. They have already been created because you cannot create new destinations (ISA entities) on the fly from Bandwidth Splitter's wizard.
Start the wizard for creating a new shaping
rule. See Figure14.

Figure14: New Bandwidth
Splitter Shaping Rule
Enter a name for this rule. See
Figure15.

Figure15: Bandwidth
Splitter Shaping Rule Name
Click Next.
Apply this rule to the "RegularUsers" Users
Set. See Figure16.

Figure16: Bandwidth
Splitter Shaping Rule "Applies to Regular Users"
Users Set
Click Next.
As said before, the "Destinations" field will contain a Computer Set (populated with the remote servers' IP addresses), a URL Set and a Domain Name Set. The last two include, for example, links to various online documentation and support sites. See Figure17.

Figure17: Bandwidth
Splitter Shaping Rule "Work-Related
Destinations"
Click Next.
The Schedule for this shaping rule is set to Always. I want the working users to benefit from this bandwidth all the time (working hours, extra hours...). See Figure18.

Figure18: Bandwidth
Splitter Shaping Rule
"Schedule"
You can create an ISA schedule for your
company's work hours for example if you want to.
See Figure19.

Figure19:
ISA New Work Schedule
Click Next.
Now you need to specify the bandwidth limits for this shaping rule. I have chosen as the shaping mode the sum of incoming and outgoing traffic and set a limit of 160 kbps. You can also shape incoming and outgoing traffic separately, shape incoming traffic only or shape outgoing traffic only. See Figure20.

Figure20: Bandwidth
Splitter Shaping Rule Specify the Bandwidth
Limits
Also here you can decide whether or not to shape cached web content and whether or not to enable HTTP Boost.
So what does HTTP Boost do?
According to the manual, HTTP Boost mode lets you accelerate web surfing, making it much more comfortable. You can select the content type set for which HTTP Boost mode will be used on the Advanced tab of the general options of Bandwidth Splitter, in the HTTP Boost content type set list. See Figure21.

Figure21: Bandwidth
Splitter "HTTP Boost"
When enabling HTTP Boost, you allow a higher speed limit for a certain amount of time for certain content types. So, temporarily, a user who has been inactive for a certain minimum period of time will be able to access the specified content types at a speed higher than the main speed limit value. By default, the content types for which HTTP Boost applies (only if you check the "Enable HTTP Boost" checkbox on your shaping rule) are text and HTML content, images, JavaScript and Flash animation. As can be seen from Figure21, you can specify other content types if you want. If you do not check the "Enable HTTP Boost" checkbox on your shaping rule, HTTP Boost is disabled. Enabling HTTP Boost for work-related destinations can be very useful. Keep in mind that the boost is temporary and applies only to the listed content types; everything else stays under the rule's main limit.
Next you have the chance to limit the number
of concurrent connections. See
Figure22.

Figure22: Bandwidth
Splitter Shaping Rule Limit No. of Concurrent
Connections
This setting is somewhat confusing. What type of concurrent connections?
Some quick tests show that this limit applies to both TCP and UDP connections sent to all destinations. It is not a limit that applies per destination; it applies globally to the user. When a user is browsing and exceeds the number of concurrent connections allowed, an error page appears. See Figure23.

Figure23: Bandwidth
Splitter Default "Too many connections" Error
Page
This error page (along with other error pages like "Access not allowed" or "Traffic quota limit reached") can be customised.
Click Next.
A very important and useful setting appears.
You can assign the specified 160 kbps bandwidth
individually to each user or distribute this
bandwidth between users. See
Figure24.

Figure24: Bandwidth
Splitter Shaping Rule "Shaping
Type"
As intended, I assigned the specified 160 kbps bandwidth individually to each user.
The other option, to distribute the bandwidth between users, lets you do this distribution statically or dynamically.
For example, if the RegularUsers group contains 4 active users and Static bandwidth distribution is checked, then their individual speed limit will be 160 / 4 = 40 kbit/s. This can waste bandwidth: at a given moment two of the users may need only 20 kbit/s and 30 kbit/s respectively, and the 30 kbit/s they leave unused is not handed to anyone else. However, Static bandwidth distribution guarantees, when there is no free/unused bandwidth available, an equal distribution (40 kbit/s per user) of the total allocated bandwidth (160 kbit/s per group) among the active users.
If Static bandwidth distribution is unchecked, then this unused bandwidth can be distributed between the other two users, which at that moment may need more bandwidth. The downside of this, according to the manual, is that when there is no free/unused bandwidth, the users who have more connections or better links to the servers could take precedence over the rest of the users.
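To make the difference between the three shaping types concrete, here is a small added example (my own model written for this article, not Bandwidth Splitter's code; the vendor's real allocation algorithm is not documented on this page) that hands one rule's 160 kbit/s to four active users with constructed demands of 20, 30, 100 and 100 kbit/s:

```python
# Added example (not Bandwidth Splitter code): models of the three shaping
# types offered by the wizard, applied to one rule's 160 kbit/s limit.
# `demands` maps each active user to the bandwidth it currently wants
# (constructed sample values); all results are kbit/s.

def shape_individual(limit, demands):
    """'Assign individually to each user': every active user may use up to
    the full limit, so the group as a whole can exceed it."""
    return {u: min(limit, d) for u, d in demands.items()}

def shape_static(limit, demands):
    """'Distribute between users' with Static distribution checked: the
    limit is split equally; a user who needs less than the share leaves the
    rest of it idle."""
    share = limit / len(demands)
    return {u: min(share, d) for u, d in demands.items()}

def shape_dynamic(limit, demands):
    """'Distribute between users' with Static distribution unchecked:
    bandwidth left idle by light users is handed to users who still want
    more. This is a plain max-min fair share; the vendor's exact algorithm
    is not documented here and may favour users with more connections."""
    alloc = {u: 0.0 for u in demands}
    remaining = float(limit)
    wanting = set(demands)
    while wanting and remaining > 1e-9:
        share = remaining / len(wanting)
        for u in sorted(wanting):
            give = min(share, demands[u] - alloc[u])
            alloc[u] += give
            remaining -= give
            if alloc[u] >= demands[u] - 1e-9:
                wanting.discard(u)   # satisfied; its leftover is re-shared
    return alloc

def idle(limit, alloc):
    """Part of the rule's limit that nobody is using (negative means the
    per-user mode let the group exceed the rule's limit)."""
    return limit - sum(alloc.values())

if __name__ == "__main__":
    # Four active RegularUsers: two light users (20 and 30 kbit/s) and two
    # downloaders that would take everything they can get.
    demands = {"alice": 20, "bob": 30, "carol": 100, "dave": 100}
    for mode in (shape_individual, shape_static, shape_dynamic):
        alloc = mode(160, demands)
        print(f"{mode.__name__:17} {alloc}  idle={idle(160, alloc):.0f} kbit/s")
```

With these demands the static split leaves 30 kbit/s idle (alice and bob only take 20 and 30 of their 40), the dynamic split gives carol and dave 55 kbit/s each and uses the whole 160, and the per-user mode lets the four of them pull 250 kbit/s in total, which is exactly why the work-related rule in this article uses it while the non-work rule below does not.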
Click Next.
We can configure Extra Parameters for our
work shaping rule. See
Figure25.

Figure25: Bandwidth
Splitter Shaping Rule "Extra
Parameters"
I will check the "Don't count traffic on account of traffic quota" checkbox because I will later define a quota rule for these users and I do not want to impose a limit on work-related traffic. I only want to impose a limit on non-work-related traffic. If users exceed that limit, they can continue their work, only non-work-related traffic being blocked.
Click Next.
Review your shaping rule settings and click
Finish. See
Figure26.

Figure26: Bandwidth
Splitter Shaping Rule Click Finish
Apply the changes.
Another shaping rule
Next I will create another shaping rule for this group of users. This rule is intended to limit the speed to non-work-related destinations. Users are allowed to browse certain web sites. To keep it simple, for this test the "Destinations" field will contain the "External Network". See Figure27.

Figure27: Bandwidth
Splitter Shaping Rule "External
Destinations"
I have chosen as the shaping mode the sum of incoming and outgoing traffic and set a limit of 400 kbps. It's a higher speed limit because I want to dynamically distribute this bandwidth between the active users. See Figure28 and Figure29.

Figure28: Bandwidth
Splitter Shape Total Traffic

Figure29: Bandwidth
Splitter Dynamically Distribute Bandwidth
Between Active Users
This time the "Don't count traffic on account
of traffic quota" checkbox will be unchecked
because there will be a quota rule for this kind
of traffic for these users. See
Figure30.

Figure30: Bandwidth
Splitter Shaping Rule "Extra
Parameters"
Review your settings and click Finish. See
Figure31.

Figure31: Bandwidth
Splitter Shaping Rule Click
Finish
Apply the changes.
And by now we have two shaping rules. See
Figure32.

Figure32: Bandwidth
Splitter Two Shaping Rules
Let's create a quota rule
As I mentioned before, I want to create a quota rule to limit per day the amount of non-work-related traffic. Please remember that I have checked "Don't count traffic on account of traffic quota" on the work-related shaping rule, thus work traffic will be unaffected by this quota rule. You may also create a shaping rule for the destinations needed for various updates, for which the traffic counter will not apply either.
So let's create a quota rule. See
Figure33.

Figure33: Bandwidth New
Quota Rule
Enter a name for this quota rule. See
Figure34.

Figure34: Bandwidth
New Quota Rule Name
Click Next.
As said before this quota rule will apply to
the "RegularUsers" User Set. See
Figure35.

Figure35: Bandwidth
New Quota Rule "Applies To"
Click Next.
Now you can specify the traffic quota for this rule.
I have selected to limit the sum of incoming and outgoing traffic. You can also limit incoming and outgoing traffic separately, limit incoming traffic only or limit outgoing traffic only.
The traffic amount allowed by this rule was set to 50 MB.
This quota rule will not apply to cached web content.
I want to start a 50 MB traffic counter for each active user of the "RegularUsers" group. This counter will be reset daily. You can also reset this counter weekly, monthly or never. If the user does not consume the entire amount of traffic allowed, the remainder can be transferred to the next period. See Figure36.

Figure36: Bandwidth
New Quota Rule "Specify Traffic Quota For This
Rule"
As said before, a traffic counter will be started for each active user of the "RegularUsers" group. When this counter reaches zero, all connections of the client are terminated. If the user browses after this moment, the user will receive a message that the allowed traffic quota has been reached. See Figure37. As mentioned before, this error page can be customised.

Figure37: Bandwidth
Splitter "Traffic Quota Limit Reached" Error
Page
Click Next.
And here is the option I was talking about: start a traffic counter for each user. Or, if you want, you can assign this quota rule to the entire group, so that the group as a whole shares the quota. See Figure38.

Figure38: Bandwidth
Splitter New Quota Rule, Quota
Type
Click Next.
Review your settings and click Finish. See
Figure39.

Figure39: Bandwidth
Splitter New Quota Rule Click
Finish
Apply the changes.
And now we have a quota rule in place. See
Figure40.

Figure40: Bandwidth
Splitter A Quota Rule
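The behaviour described in this section (a per-user counter that starts at 50 MB, stops the user at zero, and is refilled daily with the remainder carried over), together with the "Don't count traffic on account of traffic quota" flag of the shaping rules and the "Deny connections"/"Do not filter connections" choice from the Advanced tab discussed in the overview, can be modelled in a few lines. The following is an added example written for this article, not Bandwidth Splitter's code; the user names, host names and rule tables are constructed stand-ins for the ISA entities used on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

MB = 1024 * 1024

# Constructed stand-ins for the ISA entities used in this article.
REGULAR_USERS = {"diana", "johnny"}                      # the "RegularUsers" User Set
WORK_SET = {"erp.example.internal", "docs.example.com"}  # Computer/URL/Domain Name Sets

@dataclass
class ShapingRule:
    name: str
    users: set                  # "Applies to User Sets"
    destinations: Optional[set] # None == the External Network (any host)
    limit_kbps: int
    count_against_quota: bool   # False == "Don't count traffic on account of traffic quota"

SHAPING_RULES = [
    ShapingRule("Work-Related Destinations", REGULAR_USERS, WORK_SET, 160, False),
    ShapingRule("External Destinations", REGULAR_USERS, None, 400, True),
]

def match_shaping(user, dest):
    """First shaping rule whose user set and destinations match, or None."""
    for r in SHAPING_RULES:
        if user in r.users and (r.destinations is None or dest in r.destinations):
            return r
    return None

@dataclass
class QuotaRule:
    users: set                  # "Applies to User Sets"
    limit_bytes: int            # 50 MB in the article
    carry_over: bool = True     # remainder transferred to the next period
    counters: dict = field(default_factory=dict)  # per-user remaining bytes

    def remaining(self, user):
        # A counter is started the first time a user in the set becomes active.
        return self.counters.setdefault(user, self.limit_bytes)

    def transfer(self, user, dest, nbytes, no_rule_action="pass"):
        """Account one transfer; returns (bytes delivered, status)."""
        shaping = match_shaping(user, dest)
        if shaping is None and user not in self.users:
            # Neither rule type matches: the Advanced tab setting decides.
            return (nbytes, "passed") if no_rule_action == "pass" else (0, "denied")
        if user not in self.users:
            return nbytes, "not counted"
        left = self.remaining(user)
        if shaping is not None and not shaping.count_against_quota:
            # Work-related traffic keeps flowing even after the quota is used up.
            return nbytes, "not counted"
        if left <= 0:
            return 0, "quota reached"
        delivered = min(nbytes, left)
        self.counters[user] = left - delivered
        if delivered < nbytes:
            # Counter hit zero mid-transfer: the client's connections are terminated.
            return delivered, "quota reached"
        return delivered, "counted"

    def reset_period(self):
        """Daily reset: refill every started counter, carrying the remainder over."""
        for user, left in self.counters.items():
            self.counters[user] = self.limit_bytes + (left if self.carry_over else 0)

if __name__ == "__main__":
    q = QuotaRule(users=REGULAR_USERS, limit_bytes=50 * MB)
    print(q.transfer("diana", "erp.example.internal", 300 * MB))   # not counted
    print(q.transfer("johnny", "mirror.example.net", 30 * MB))      # counted
    print(q.transfer("johnny", "mirror.example.net", 25 * MB))      # cut off at 20 MB
    print(q.transfer("johnny", "docs.example.com", MB))             # work still allowed
    print(q.transfer("guest", "mirror.example.net", MB, "deny"))    # no rule: denied
    q.reset_period()
    print({u: v // MB for u, v in q.counters.items()})              # johnny 50, diana 100
```

The `no_rule_action="deny"` path is the one to watch: a user outside every User Set, or a destination no rule covers, is dropped outright once "Deny connections" is selected, so test that setting with an account that is deliberately left out of your rules before enabling it in production.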
Testing the created Shaping and Quota rules
Time to see the shaping and quota rules in
action.
In Figure41 we can see two users accessing work-related destinations, thus the work-related shaping rule is used. Both have a 160 kbps channel allocated, as intended. But, as said before, from this monitoring panel we cannot simply right-click one of these users and disconnect him/her. We can only look. And there are plenty of useful fields to look at.

Figure41: Bandwidth
Splitter Live Monitoring Work Related
Destinations
In Figure42 we can quickly see the traffic counters. Since the users are accessing work-related destinations, the quota rule does not apply and the counters for both users are almost intact (if they access some work-related web pages, some ads might modify these counters a little bit).

Figure42: Bandwidth
Splitter Quota Counters
In Figure43 we can see two users accessing non-work-related destinations, thus the non-work-related shaping rule is used. Both share the 400 kbps channel as intended. If more users start accessing non-work-related destinations, the speed available to each one will decrease, so it will be better for them to get back to work.

Figure43: Bandwidth
Splitter Live Monitoring Non-Work Related
Destinations
In Figure44 we can
notice that the remaining amount of available
traffic starts to shrink.

Figure44: Bandwidth
Splitter Quota Counters
Client-side monitoring utility
Bandwidth Splitter has a client-side monitoring
utility, so users can check their traffic quota
counter.
This utility can usually be found in "C:\Program Files\Microsoft ISA Server\Bandwidth Splitter\BMonitor". Do not enable file sharing on the ISA Firewall itself to distribute it. Microsoft removed the FWC share from ISA 2006 (the FWC share was present on ISA 2004) for good reason: the ISA machine is not a file server, and every extra listening service on the firewall widens its attack surface. Put this utility on a dedicated file-sharing server if you do not distribute it yourself to the users' machines. Installation is not required; you just need to copy the utility and the help file.
Also, during the installation of Bandwidth Splitter on ISA you will be asked whether you want to enable clients to use this utility, because an access rule on ISA is needed. Bandwidth Splitter listens for connections from client-side monitoring utilities on TCP port 15000, so keep that rule as narrow as possible: only TCP 15000, and only from the networks where the utility is actually deployed. See Figure45 and Figure46.

Figure45: ISA Access
Rule for Bandwidth Splitter Client-Side
Monitoring Utility

Figure46: ISA,
Protocol for Bandwidth Splitter Client-Side
Monitoring Utility
In Figure47 we can
see this client-side monitoring utility. It's
very useful since users are aware of the traffic
remainder, so they can back-off when they
approach the imposed limit.

Figure47: Bandwidth
Splitter Client-Side Monitoring
Utility
This utility has some settings, so users can customise it a little bit. It can be configured to launch at startup, to use a proxy server, to manually specify credentials, to set the transparency level, etc. See Figure48.

Figure48: Bandwidth
Splitter Client-Side Monitoring Utility
Settings
Modifying the Traffic Counters on the fly from the Quota Counters Panel
If a user reaches the quota limit, we can easily spot that in the Quota Counters panel. See Figure49.

Figure49: Bandwidth
Splitter Quota Counters, Quota
Reached
As opposed to the Live Monitoring panel, here we can interact with the current quota counters: we can manually modify them or delete them. This is very useful for rewarding or punishing a user, or simply to force some limits on a specific day for specific user(s) without the need to modify/add a quota rule. See Figure50 and Figure51.

Figure50: Bandwidth
Splitter Manually Delete a Traffic
Counter

Figure51: Bandwidth
Splitter Manually Modify a Traffic
Counter
The Download Managers cannot exhaust the bandwidth anymore
Remember the download managers discussion?
Now, while Diana is working, she has a fixed, stable 160 kbps channel allocated. Johnny, on the other hand, is wasting time and playing with his favourite download manager. In a desperate attempt to maximize his bandwidth, Johnny has put, say, Free Download Manager in a customised Heavy Mode. See Figure52.

Figure52: Free
Download Manager "Heavy Mode"
This means that Johnny will create up to 10 connections per server in order to speed up his downloads.
However, this will not help him bypass the 400 kbps shared limit imposed on non-work-related destinations. Also, Diana will be unaffected by the waste traffic generated by Johnny, and will benefit from her 160 kbps channel allocated for work-related destinations. These things are clearly shown in Figure53.

Figure53: Live
Monitoring Both Non-Work and Work Related
Destinations
While Bandwidth Splitter does not prevent Johnny from creating 10 connections per server (unless you also set the concurrent connection limit on the shaping rule), Johnny cannot bypass the 400 kbps shared limit imposed on non-work-related traffic, and he will soon reach his quota limit if he continues like this. So he will have to back off.
Also, his joy at fully benefiting from the 400 kbps channel will not last, since other users will become active and Johnny will have to share the 400 kbps channel with them.
Thus all the waste traffic is concentrated within this 400 kbps channel, and users have individual traffic quotas for non-work-related traffic.
Without Bandwidth Splitter in place, Johnny and other wasteful users could easily exhaust the Internet bandwidth. Now waste traffic is limited, and work-related traffic has priority.
Conclusion
As can be seen, with Bandwidth Splitter and a couple of mouse clicks, Internet bandwidth can be rationally distributed.
Bandwidth Splitter is a powerful bandwidth manager for ISA 2004/2006 Server that comes with a lot of useful bandwidth management features and is also very easy to use. It lacks, however, the ability to control bandwidth per protocol (as of the version current at the time of writing).