I'll detail my exact setup below, but general recommendations for a better web-browsing experience will be useful. A nice checklist of things to try would be great!
I have 600 users on a single site with an 8MB leased line. I get a lot of moans about the performance of "the internet" (ie web-browsing). What recommendations do the community have for speeding things up without just throwing more bandwidth at it? I expect I will end up buying some more, but good management tips are always valuable.
My setup is this: Cisco PIX (515E) firewall on the edge of the network. It's just doing some basic NAT, and opening up a handful of ports to various bastion hosts (aka DMZ servers).
The DMZ is just a switch that the servers are plugged into.
ISA 2006 Enterprise array (two servers) connecting DMZ to the internal LAN, with WebSense Web Security filtering HTTP traffic so users can't look at porn or waste bandwidth on YouTube during working hours.
I've done a few things - I've just switched my internal DNS over to use root hints, which halved DNS query latency from 500ms to 250ms. Well worth doing.
I'm trying to cache more aggressively, but so much more of the internet is AJAXy and doesn't cache very well as compared to five years ago. Plus the 70GB of cache which felt like a lot a few years ago really isn't any more. I'm getting about 45% cache hits by number of requests, but only about 22% by size, ie larger objects are less likely to be cached.
Latency seems to be part of the problem. Is that attributable to the bandwidth problem, or are there things I can look at to try to reduce latency even on heavily-loaded bandwidth?
So, this was asked a loong time ago, but I'll chime in nevertheless.
You're already doing most of what there is to do. There are a few more things to try, but with 600 people using this, maybe it's just time to pay for more bandwidth?
Thoughts:
First off, what does your bandwidth usage look like? I can't remember if those old PIX firewalls had a good statistics section, or if that came with the ASA line. If not, your other firewalls can help you. Are you using all of your 6 MBit in longer periods?
Does all that content filtering slow browsing down? Try tracerouting / pinging to a couple of well known websites from the DMZ, and see what the RTT looks like. Then try connecting via HTTP from the inside LAN, and look at latency (using something like Charles or YSlow). "Time to first byte" on new HTTP connections for static content should average just above 1.5x RTT (due to the 3-way TCP/IP handshake, and RTT already being "2-way"). Are the content filters slowing you down?
If you're maxed out on bitrate, your content filtering isn't slow, and you're already blocking "non-productive" sites like YouTube (and your colleagues aren't just finding a way around this), then I only see buying more capacity or living with it...
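Added example (not from the answer's author): a small Python script that does the latency comparison described in the answer, timing a fresh TCP connect (roughly one RTT) and the time to first byte of an HTTP GET on that same connection, then checking TTFB against the answer's rule of thumb of about 1.5x RTT. Run `measure()` against the same site first from the DMZ and then from the inside LAN; a large excess only on the inside path points at the proxy/filter chain rather than the line. The local static server, the 100 ms slack threshold and the function names are assumptions made so the script runs offline.

```python
import socket
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread

EXPECTED_MULTIPLE = 1.5  # the answer's rule of thumb: TTFB ~ 1.5 x RTT for static content


def measure(host, port, path="/", timeout=5.0):
    """Time a fresh TCP connect (~1 RTT) and the time to the first response byte.
    Both are measured in ms from the start of the connect, so ttfb_ms includes
    the handshake, as it does in browser tooling."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    t0 = time.perf_counter()
    with socket.create_connection((host, port), timeout=timeout) as s:
        rtt_ms = (time.perf_counter() - t0) * 1000
        s.sendall(request)
        s.recv(1)  # blocks until the first byte of the status line arrives
        ttfb_ms = (time.perf_counter() - t0) * 1000
    return {"rtt_ms": rtt_ms, "ttfb_ms": ttfb_ms}


def excess_ms(rtt_ms, ttfb_ms, multiple=EXPECTED_MULTIPLE):
    """How far TTFB exceeds the rule-of-thumb expectation (multiple x RTT)."""
    return ttfb_ms - multiple * rtt_ms


def classify(rtt_ms, ttfb_ms, slack_ms=100.0):
    """'ok' when TTFB is close to the rule of thumb; otherwise something in the
    path (proxy, content filter, origin) is adding delay that distance does not
    explain, and that is where to look before buying bandwidth. The slack value
    is an assumed threshold, tune it to your RTTs."""
    return "ok" if excess_ms(rtt_ms, ttfb_ms) <= slack_ms else "inspect path"


class _StaticHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a static page so the script can run offline."""
    def do_GET(self):
        body = b"<html><body>static</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def measure_local():
    """Run measure() against the constructed local server and return its result."""
    server = HTTPServer(("127.0.0.1", 0), _StaticHandler)
    Thread(target=server.serve_forever, daemon=True).start()
    try:
        return measure("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    r = measure_local()
    print(r, classify(r["rtt_ms"], r["ttfb_ms"]))
```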