If you perform any sort of Windows troubleshooting at all, no doubt you have used some of Mark Russinovich’s wonderful Sysinternals Utilities Suite. If not, you are seriously missing out on some valuable diagnostic tools! I use Process Explorer and Process Monitor on an almost daily basis, as I am sure many of you do as well. Other than attending one of Mark’s or David Solomon’s TechEd presentations, training for these tools has been limited. The good news is that soon Microsoft will be releasing the Windows Systernals Administrator’s Reference. This book will be a definite must have for anyone serious about performing diagnostics on the Windows platform. It is available now for pre-order on Amazon.com, so be sure and order your copy today. I did!
The /3GB boot.ini switch is perhaps the most misunderstood Windows tuning parameter there is. If you are not familiar with this switch, enabling it allows user mode processes to address 3GB of virtual memory instead of the usual 2GB. It does this at the expense of valuable kernel memory, however. The ISA firewall relies heavily on kernel memory (fweng.sys is the heart of the firewall core and runs in kernel mode) and cutting it in half can dramatically affect stability and performance by reducing the amount of available Paged and Non-paged Pool memory and reducing the maximum number of System Page Table Entries (PTEs). It has been well documented that the use of the /3GB boot.ini switch can cause serious issues, and in fact the ISA Best Practices Analyzer complains when it finds this switch in use.
Applications must be configured to take advantage of this additional memory made available by the /3GB switch. You can verify which applications are configured in this manner by using the dumpbin.exe utility that is included with Microsoft Visual C++ and specifying the /HEADERS parameter. Websense has enabled this functionality for some of their core services, and by looking at the headers for eimserver.exe version 188.8.131.524 we can see that this image does indeed support large address space.
Websense is now optionally recommending that the /3GB switch be enabled when applying certain hotfixes. If you have Websense components installed on the ISA firewall itself I would strongly dissuade you from enabling the /3GB switch. If you are experiencing memory related issues with Websense services on your ISA firewall, add additional RAM. If memory related issues persist, remove all Websense services other than the filtering plug-in and place them on a separate system outside of the ISA firewall. You can then safely enable the /3GB switch on that system.