Cisco Support Community

New Member

When to use CSA Network Shim?

I'm in a trial by fire installing CSA 5.1 on Win servers for my enterprise.

So far the only info that I've found on this subject is that the Shim:

-Installs by default

-Requires a server reboot on install

-May introduce datacom latency

-Is not required on "protected" servers

So, here are a few questions:

-What would be the latency impact on a heavily used SQL cluster server?

(MS WinServ2k3 on HP Blade w/Gig network adapters)

-What is "protected"?

-Any server behind firewall?

-Including in the DMZ?

-Any server that receives no incoming Internet connections?

-Any server that never connects to Internet nodes (in either direction)?

-Any server that has no NIC cards installed? (I wanted to get at least one right)

What experience/advice does anyone have on this subject?



New Member

Re: When to use CSA Network Shim?

Ok, I've done deeper searches on this forum and discovered that people say that the Network Shim was permanently enabled in CSA 5.0 forward. I guess that question is answered.

I still would like to know if anyone has seen Windows Server performance issues when installing CSA Agent in Test Mode.




Re: When to use CSA Network Shim?

Yes, I've seen performance hits when servers are high traffic, dual NIC and have lots of rules enabled. The trick is to find out what the server does and tune the rules so they have the smallest impact.

Even though it is in test mode, it still has to process the rules as if it were in protect mode.

If these are limited service servers you could try some of the canned groups (clone them and test with the clones) to determine what the optimal setup is.

You could also approach it from the other angle, which is to use only those policies that protect what you feel is the greatest risk and ignore the rest. That way the server is only processing rules you care about and can spend the rest of its power doing its job.

BTW, there is a way to disable the network shim with a registry mod but I don't believe it's encouraged or supported.

Tom S

New Member

Re: When to use CSA Network Shim?

Thank you very much for the information. I'm going to work on this. So far I don't have a complete grip on changing rules for just one host - but I should get it down shortly.

-Scott F.

Re: When to use CSA Network Shim?

Hi, I had issues with CSA 4.5 in TEST MODE. On this version the installation of the Network Shim was optional, so after experiencing several performance issues with many servers running FTP, HTTP, and Exchange I ended up creating a new package without the Network Shim and re-deploying again. The performance problems went away afterwards. I would have suggested uninstalling the Network Shim, but I was not aware that version 5.0 does not give you the option of not installing it. :-(
