Performance of Blue Coat BCAAA agent for authentication

A common question in the Blue Coat forums is about the server specification for the BCAAA and how many users can be supported. While I am not sure about the performance that Blue Coat recommends, I can tell you my experiences.

I understand that according to Microsoft the Domain Controller should be able to handle 6000 parallel authentication requests, so presumably Microsoft can handle the authentication performance.

Small to Medium Site

I would say that for up to 1000 users, a Pentium 4 (any type), with 512MB RAM running Windows XP is more than enough. I recommend using VMware (the free version) so that you can use the snapshot features to perform upgrades and to give you a simple roll back plan.

You should have at least two machines for high availability. You will not notice any CPU use, and memory will hardly be used.

Large to Very Large

I have used the BCAAA in a very large site with more than 50000 users in a global network, with multiple AD trees, distributed across many servers. A very large MS AD site indeed. We had the BCAAA agent installed on two Quad Core Xeon with 2GB RAM with Server 2003 Standard in separate data centers and at full load I did not see the CPU move above 3 percent. I think that even then it was the virus software causing the load.

Observations

From what I can determine, BCAAA is a proxy software agent that receives the authentication request from the ProxySG and then uses a Windows Authentication API to verify the credentials. If successful, it sends back a success message; if not, it sends a failure message. It doesn’t need a lot of CPU or memory to do this and it is very fast.

Most importantly, it is fully compliant with NTLM authentication, so it provides transparent authentication to the user. By contrast, when you use AD authentication, every element of a web page will need authentication and Windows does not allow caching of such a request (at least without some configuration). Therefore almost every Blue Coat ProxySG installation will use the BCAAA agent for authentication.

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, with a wide range of employers, working as a freelance consultant, including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

You can contact Greg via the site contact page.

  • Jack_reyner

    Hi, my name is Jack. I want to ask you something.
    Does BCAAA consume much CPU and memory on Windows Server 2008? Because I have a problem with high CPU on Windows 2008.

    Thanks

    • http://etherealmind.com Greg Ferro

      No, it uses next to nothing. You have a problem and probably need to contact support. You could try reinstalling – Windows does get confused and needs fixing.
