Home > ISA 2006 Enterprise, ISA 2006 General, ISA 2006 Standard, Websense Content Filtering > ISA 2006 with Integrated Websense and the /3GB Switch

ISA 2006 with Integrated Websense and the /3GB Switch

September 15, 2009

The /3GB boot.ini switch is perhaps the most misunderstood Windows tuning parameter there is. If you are not familiar with this switch, enabling it allows user mode processes to address 3GB of virtual memory instead of the usual 2GB. It does this at the expense of valuable kernel memory, however. The ISA firewall relies heavily on kernel memory (fweng.sys is the heart of the firewall core and runs in kernel mode) and cutting it in half can dramatically affect stability and performance by reducing the amount of available Paged and Non-paged Pool memory and reducing the maximum number of System Page Table Entries (PTEs). It has been well documented that the use of the /3GB boot.ini switch can cause serious issues, and in fact the ISA Best Practices Analyzer complains when it finds this switch in use.


Applications must be configured to take advantage of this additional memory made available by the /3GB switch. You can verify which applications are configured in this manner by using the dumpbin.exe utility that is included with Microsoft Visual C++ and specifying the /HEADERS parameter. Websense has enabled this functionality for some of their core services, and by looking at the headers for eimserver.exe version we can see that this image does indeed support large address space.



Websense is now optionally recommending that the /3GB switch be enabled when applying certain hotfixes. If you have Websense components installed on the ISA firewall itself I would strongly dissuade you from enabling the /3GB switch. If you are experiencing memory related issues with Websense services on your ISA firewall, add additional RAM. If memory related issues persist, remove all Websense services other than the filtering plug-in and place them on a separate system outside of the ISA firewall. You can then safely enable the /3GB switch on that system.

  1. September 16, 2009 at 1:08 am

    Good advice; I have the /3GB switch battle with many customers who are used to other applications like Exchange.

    TBH running ISA with more than 2GB memory is often unnecessary. If you need a large proxy RAM cache, then maybe, but for most deployments 2GB is more than enough (I appreciate other apps may have their own RAM requirements which will boost this need).

    If you use the ISA Server Capacity planner, it will often not even go above 1GB and will prefer to scale out servers as opposed to adding more RAM to a single server…



  2. September 16, 2009 at 12:02 pm

    I agree…2GB RAM is more than sufficient in most cases. Additional RAM is often required for third-party integrated services such as content filtering and gateway anti-virus. Specifically, Websense content filtering v7.x now has a minimum hardware requirement of 4GB RAM.

  1. No trackbacks yet.
Comments are closed.