Requirements and limitations

This article provides a reference for hardware and system environment requirements. It covers recommended instance profiles for on-premises and cloud deployments, highlights key performance and hardware considerations, and details supported administration browsers and TLS versions.

Treat all values as baselines—actual capacity and compatibility depend on your workload, enabled features, and ongoing changes in browser technology.

Hardware requirements

The following table summarizes hardware requirements for common instance sizing profiles, ranging from demo systems to large-scale production setups. These profiles apply equally to on-premises installations and to cloud deployments:

Profile

Minimum requirements

Minimum (for demo purposes)
Up to 5 HTTPS sessions

  • 1 vCPU
  • 8 GB RAM
  • 1 network interface
  • 10 GB storage space

Small
Up to 1000 HTTPS sessions

  • 2 vCPUs
  • 8 GB RAM
  • 10 GB swap
  • 2 network interfaces
  • 80 GB storage space

Medium
Up to 9000 HTTPS sessions

  • 8 vCPUs
  • 32 GB RAM
  • 24 GB swap
  • 2 network interfaces
  • 200 GB storage space

Large
Up to 40000 HTTPS sessions

  • 16 vCPUs
  • 64 GB RAM
  • 24 GB swap
  • 2 network interfaces
  • 200 GB storage space

Storage recommendations

SSD vs. HDD

In environments with high traffic rates and local reporting enabled, at least one log message per request is written to the disk, creating a high number of IOPS. Therefore, we recommend the use of SSD-based storage over HDDs in these setups.

RAM

Airlock Gateway automatically tunes the scalability settings for critical system components depending on the amount of installed RAM. The scalability settings are tuned for systems with up to 256 GB of installed RAM.

 
Info

Servers that have even more installed RAM are tuned like servers that have exactly the mentioned amount of installed RAM. This means that most performance metrics will not improve anymore. The maximum number of requests per second and the maximum number of concurrent connections will stay on a similar level.

Performance considerations

With modern hardware, the Airlock Gateway is capable of answering several thousand HTTP requests per second. However, the actual performance depends heavily on the protected applications and the activated Airlock Gateway functions.

  • Airlock Anomaly Shield enabled.
  • URL encryption and content rewriting can easily double the CPU load.
  • Long-running requests, WebSockets and NTLM-passthrough connections reduces the number of requests that can be handled with the same hardware.

Performance numbers are based on a number of assumptions. The most important are:

  • The average application response time is 200 ms.
  • 10 HTTP requests per minute and user on average.
  • Complex Airlock Gateway features are enabled, e.g., HTML Rewriting, General Response Rewriting, Deny Rules.

Also, a large number of mappings can be a limiting factor, even though is not technically limited by the Airlock Gateway Configuration Center.

Airlock Gateway has been tested with up to:

  • 1000 mappings
  • 300 virtual hosts
  • 300 back-end groups

  • We recommend not to exceed these limits to avoid slow response time and memory issues in the Configuration Center or the Security Gate process.

The average system load should be low to medium. Increase hardware or set up an additional Airlock Gateway before slow reactions, timeouts, or instabilities can occur.

 
Info

When dealing with a large number of mappings:

  • Use Dynamic back-end group selection to reduce the complexity of your configuration and to significantly reduce the number of mappings in the Airlock Gateway Configuration Center.

If java.lang.OutOfMemoryError occur in the Configuration Center or the Airlock Gateway Management Agent due to large configurations:

Supported browsers

The Airlock Gateway Configuration Center officially supports the following browsers:

  • Chrome stable channel
  • Firefox ESR
  • Edge Chromium

The listed browsers are tested in the versions officially supported by the respective vendor at the time of the Airlock Gateway release. Other modern browsers might also work but are not tested.

 
Info

Note that due to constant browser technology development, browser compatibility is subject to change without notice.

Supported TLS versions

The following table shows which TLS versions are available and enabled by default for front-side connections for the corresponding gateway version.

Available TLS version

Enabled TLS version by default

TLS 1.3

TLS 1.2

TLS 1.1

TLS 1.0

TLS 1.3

TLS 1.2

See also Mozilla security recommendations for TLS ciphers for information on legacy TLS support and backward compatibility considerations.

 
Functional limitation

By using a hardware security module (HSM) with Airlock Gateway, the number of available TLS protocols can be lower, compared to the table above. If you use custom settings, you will also not automatically benefit from optimizations in future Airlock Gateway updates.

We recommend using the default TLS settings of Airlock Gateway for an optimal balance between security and compatibility.