The scope of this document is to outline what you can do with ISA routing rules. I will not be showing you a step by step configuration of each of the functionalities of routing rules in this tutorial.
Routing rules are part of the Network Configuration module of ISA and enable you perform various operations described below when configured correctly. This type of tool is very useful in the majority of organizations, especially when you need specific URL’s or web requests redirected to an upstream ISA server or to a server in a different physical location, this maybe at one of your company branches which may lie closer to the web resource, speeding up internet access.
Please note: routing rules sometimes have issues working if your LAT (local address table) is miss configured.
Routing rules allow the following to happen.
Web resources can be retrieved directly from a specified destination.
The specified request can be sent to an upstream server, ether an ISA server or a MS proxy 2 server.
The request can be redirected to an alternate site.
Routing rules may apply to both inbound and outbound Web requests. Using routing rules can be very valuable in a scenario where you have more than one ISA server connected to the internet and one of the lines to the internet keeps going down, or is inconsistent in service. In some organizations 24 hour internet access is vital. ISA Server can use a backup route when the main route to the internet is down.
When you set this up using routing rules ISA Server keeps polling the upstream server that is specified as the primary route at regular intervals to see if the route is up. If the main internet route goes down, the requests are forwarded to upstream ISA server. Pass authentication is sometimes required by the upstream server. These credentials are used by the upstream server to validate the downstream server.
Please Note: Routing rules are available in all modes of installation except for the firewall mode.
What do you do if you have no leased lines?
In some organizations a permanent connection to the internet is not necessary and dialup is the alternative used, as the cost of a leased line is much higher than just dialing up to the internet for a few minutes a day. ISA server can be configured to use a dial-up entry to service the ISA server client requests.
A scenario can also occur where you only have one site and all your users use one ISA server or array to connect to the internet and then the line goes down. ISA can be configured to dialup to the internet and then to disconnect once the line comes back up. This method is called dial on demand and is used extensively in smaller organizations as a backup route to the internet.
Please Note: when the ISA server dials up to the Internet the line speed will differ to the leased line speed if you have not matched the bandwidth with the appropriate number of modems, DSL, ISDN or which ever dial up method you use to dial up to the internet. It is a good idea to test this as you can easily oversubscribe users to your ISA server when this scenario occurs and the bandwidth on your 56k modem can be crushed by 4000 users trying to access their internet based e-mail accounts.
Caching and routing of caching and bridging.
Caching can also be routed using ISA, the ISA Server determines how the requests are routed, ISA Server first checks if a valid copy of the object exists in the cache. If the object is valid the TTL (time to live) has not expired. ISA can be configured to route an object request if a no valid object or if no object exists in the cache. Routing rules can also be configured so that no objects are cached.
The diagram above displays where Cache routing can be configured within the routing rules option.
Bridging can be configured to occur when traffic is routed outbound to an upstream server, ISA enhances it by using a (SSL Secure Sockets Layer) bridging feature. ISA lets you configure if the requests should be HTTP or SSL requests and the protocol conversion is made for what ever protocol type you select. Client side certificates can also be used to authenticate.
Routing Rules processing order
The first routing rule is processed first (not the default rule).
If the request matches the configuration specified by the rule, the request is routed, redirected, and cached respectively.
The next rule is processed if the request does not slot into the previous rule.
The default routing rule is processed last.
Please note: the default routing rule can be configured, but you cannot delete it.
Routing requests from Firewall and SecureNAT clients
For ISA Firewall clients, you should configure Firewall, chaining this determines how requests should be routed.
The diagram above displays where firewall chaining is configured. (Right click Network configuration)
Requests from ISA Firewall clients can be routes directly to the Internet or to an upstream proxy server or an ISA server. Password authentication can also be enabled so that the upstream server can validate the downstream server.
Summary: Routing rules should be used in environments that need high availability to the internet and where uptime is critical. This document has been setup to outline the tool so that you know what component of ISA to use when trying to achieve routing. I know this article will clarify a lot of grey area that you might have had about routing rules.