Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit

 

Chapter 2

Accelerating the Web Browsing Experience with ISA Server 2000


Dr. Thomas W Shinder

Debra L. Shinder

December 2003

Table of Contents

How Web Caching Works

Standalone Web Caching Servers and Caching Arrays

Placing a Web Caching Server on the Campus Network

ISA Server 2000 Front-end Firewall Topology

ISA Server 2000 Back-end Firewall Topology

ISA Server 2000 Front-end and Back-end Firewalls

ISA Server 2000 Application Layer Filtering Web Proxy in the Perimeter Network

Installing a Unihomed (single-NIC) Standalone Web Caching Server

Installing a Caching Array

Configuring Web Caching Options

Customizing Web Caching Options with Web Routing Rules

Summary


Internet bandwidth is consumed by a variety of Internet application protocols. The most popular application layer protocol used to access Internet resources is HTTP, the protocol used to access resources on the World Wide Web. Although bandwidth costs on a per-kilobyte or per-megabyte basis have come down over the years, the amount of bandwidth consumed by users on the campus network increases year after year. HTTP connections to Internet resources not only increase bandwidth costs, they also reduce the amount of bandwidth available on the Internet link for other important protocols and applications, such as SMTP, POP3 and VPN.

 

ISA Server 2000 can help reduce overall bandwidth usage and cost by caching Web content on the ISA Server 2000 Web caching server. Not only is ISA Server 2000 a powerful application layer firewall, it is also a robust Web caching server. Web caching servers hold content accessed by users and serve the same content to the same or other users who later make a request for the same resources. Another benefit from Web caching is that the user’s Web browsing experience is improved because content can be returned to users from the Web caching server on the high speed campus network instead of from distant Web servers.

 

In this document, we will discuss the following subjects that will aid you in accelerating campus users’ Web browsing experience and potentially help reduce overall bandwidth utilization:

 

  • How Web caching works
  • Standalone Web caching servers and caching arrays
  • How to place a Web caching server on the campus network

 


How Web Caching Works

The Web plays a large role in the Internet use of school, college and university network users – in many cases, more so than for those in the corporate world. Because the Web is so heavily used for research by both faculty members and students, fast access to often-used Web sites is a big issue that campus network administrators must address. Web caching is a way to reduce waiting times and increase the satisfaction of users who depend on Web content to do their work.

 

The goal of Web caching is to bring Web content closer to users. The term “closer” refers not so much to location as to the speed at which the content can be returned to the user making the request. A typical Internet connection has a top data transfer rate of 1.5Mbps (T-1) to 45Mbps (T-3), whereas a typical local area network connection speed is 100Mbps to 1000Mbps. Even slow Ethernet provides a speed of 10Mbps, considerably faster than a T-1. Thus, if the content requested by the user on the campus network can be placed on a server on the campus network, then that content can be returned to the user much more quickly than content located on an Internet server. Internet content copied to and held on a local server is called cached content. Cached content can be returned to the user more quickly, and more reliably, than content located on a machine located at a remote location on the Internet.

 

The ISA Server 2000 Web caching mechanism works in different ways, depending on whether or not the content is already located in the ISA Server 2000 Web cache. Figure A shows the sequence of events when a host on the campus network requests content not already contained in the ISA Server 2000 Web cache:

 

  1. The user sends a request for content located on an Internet Web server. This request is forwarded to the ISA Server 2000 Web Proxy server.
  2. The ISA Server 2000 Web Proxy server checks to see if it has the content contained in cache. If the content is not in cache, or if the content has expired (i.e., the header information in the content indicates that it should no longer be served from a Web cache), then the ISA Server 2000 Web Proxy server forwards the request to the Web Server on the Internet.
  3. The Web server on the Internet returns the information requested.
  4. The ISA Server 2000 Web Proxy server places the information in its in-memory Web cache. ISA Server 2000 uses an in-memory Web cache to store the most popular and frequently requested content. This allows the ISA Server 2000 Web Proxy server to return the popular content more quickly to the users on the internal network.
  5. After placing the Web content in the in-memory cache, the ISA Server 2000 Web Proxy server returns the content to the user who requested it.
  6. After a period of time, the ISA Server 2000 Web Proxy server will copy the contents of the in-memory cache to the disk-based cache. If the content turns out not to be popular, the in-memory cache will flush the content and the only copy of the content on the ISA server will be in the disk-based cache.

 


Figure A

 

Figure B shows the series of events when a second host on the internal network makes a request for the same Web content before the content is flushed from the in-memory cache:

 

  1. The host on the internal network sends the request to the ISA Server 2000 Web Proxy server.
  2. The ISA Server 2000 Web Proxy server checks to see if it has cached this content and whether the content has expired. If the content is still valid, the ISA server retrieves the content from the in-memory cache.
  3. The content that is retrieved from cache is returned to the user who requested it.

 


Figure B

 

Figure C demonstrates the series of events when the user requests the same content but the content has been flushed from the in-memory cache:

 

  1. The Web client computer sends the request to the ISA Server 2000 Web Proxy server. The ISA Server 2000 Web Proxy server checks to see if it has the Web content in its disk cache and whether that content is still valid.
  2. The ISA Server 2000 Web Proxy server determines that it has the content and retrieves the content from the disk-based cache.
  3. The ISA Server 2000 Web Proxy server places the content in the in-memory cache.
  4. The content is retrieved from the in-memory cache and returned to the Web proxy client on the campus network.

 


Figure C

 

The effectiveness of Web caching improves significantly as the number of users accessing the Internet through the cache increases, because a larger share of requests is for content that another user has already pulled into the cache.

 

*       Note:

For more details on how ISA Server 2000 Web caching works, please refer to the ISA Server 2000 Software Development Kit article How ISA Server Caching Works http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isa/isaabout_7s8j.asp 
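The three flows in Figures A, B and C, as an added example that is not part of the kit or of ISA Server's own code: a two-tier cache with an in-memory tier and a disk tier, freshness decided by Cache-Control and Expires headers, and a periodic flush that keeps only popular entries in memory. The sample URLs, headers and the one-entry memory tier are constructed for the example.

```javascript
// Constructed sample origin content; the URLs and headers are made up for this example.
const SAMPLE_ORIGIN = {
  "http://www.example.edu/syllabus.html": {
    body: "<html>Syllabus</html>",
    headers: { "cache-control": "max-age=600" },        // cacheable for 10 minutes
  },
  "http://www.example.edu/calendar.html": {
    body: "<html>Calendar</html>",
    headers: { "cache-control": "max-age=300" },        // cacheable for 5 minutes
  },
  "http://www.example.edu/grades": {
    body: "<html>Private grades</html>",
    headers: { "cache-control": "private, no-store" },  // must never be served from cache
  },
};

// Absolute expiry (ms since epoch) for a response, or null when it must not be cached.
function expiryOf(headers, fetchedAt) {
  const cc = (headers["cache-control"] || "").toLowerCase();
  if (cc.includes("no-store")) return null;
  const m = /max-age=(\d+)/.exec(cc);
  if (m) return fetchedAt + Number(m[1]) * 1000;
  if (headers["expires"]) {
    const t = Date.parse(headers["expires"]);
    return Number.isNaN(t) ? null : t;
  }
  return null; // no freshness information: treat as uncacheable
}

class TwoTierCache {
  constructor(memoryCapacity) {
    this.memory = new Map(); // hot tier: url -> entry
    this.disk = new Map();   // persistent tier: url -> entry
    this.memoryCapacity = memoryCapacity;
  }

  // Serve one request at time `now`; fetchFromOrigin(url) stands in for the Internet Web server.
  get(url, now, fetchFromOrigin) {
    const mem = this.memory.get(url);
    if (mem && now < mem.expiresAt) {          // Figure B: valid in-memory copy
      mem.hits++;
      return { body: mem.body, servedFrom: "memory" };
    }
    const onDisk = this.disk.get(url);
    if (onDisk && now < onDisk.expiresAt) {    // Figure C: valid disk copy, promote it to memory
      onDisk.hits++;
      this.memory.set(url, onDisk);
      return { body: onDisk.body, servedFrom: "disk" };
    }
    // Figure A: not cached or expired, so forward the request to the Internet Web server
    const resp = fetchFromOrigin(url);
    const expiresAt = expiryOf(resp.headers, now);
    if (expiresAt === null) {                  // uncacheable: make sure no stale copy lingers
      this.memory.delete(url);
      this.disk.delete(url);
    } else {
      this.memory.set(url, { body: resp.body, expiresAt, hits: 1 });
    }
    return { body: resp.body, servedFrom: "origin" };
  }

  // Step 6 of Figure A: copy the in-memory cache to disk, then keep only the most popular
  // entries in memory; anything flushed from memory survives on disk only.
  flushToDisk() {
    for (const [url, entry] of this.memory) this.disk.set(url, entry);
    const ranked = [...this.memory.entries()].sort((a, b) => b[1].hits - a[1].hits);
    this.memory = new Map(ranked.slice(0, this.memoryCapacity));
  }
}

// Walk through the three figures with a memory tier that holds a single entry.
function runScenario() {
  const SYL = "http://www.example.edu/syllabus.html";
  const CAL = "http://www.example.edu/calendar.html";
  const GRADES = "http://www.example.edu/grades";
  let originFetches = 0;
  const fromOrigin = (url) => { originFetches++; return SAMPLE_ORIGIN[url]; };
  const cache = new TwoTierCache(1);
  const servedFrom = [];
  const ask = (url, now) => servedFrom.push(cache.get(url, now, fromOrigin).servedFrom);

  ask(SYL, 0);          // Figure A: first request goes to the Web server
  ask(SYL, 1000);       // Figure B: answered from memory
  ask(CAL, 2000);       // Figure A again for a second URL
  cache.flushToDisk();  // syllabus (2 hits) stays in memory, calendar is now on disk only
  ask(CAL, 3000);       // Figure C: served from disk and promoted back into memory
  ask(CAL, 4000);       // Figure B: now in memory
  ask(SYL, 601000);     // max-age=600 has elapsed: refetched from the Web server
  ask(GRADES, 5000);    // no-store: always from the Web server
  ask(GRADES, 6000);
  return { servedFrom, originFetches };
}
```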


Standalone Web Caching Servers and Caching Arrays

Standalone ISA Server 2000 Web caching servers are not members of a caching array. The standalone Web caching server always handles the requests sent to it. A request may be served directly from cache, or the ISA server may need to retrieve the content from the Internet Web server before returning the information to the requesting host.

 

ISA Server 2000 caching arrays use the Cache Array Routing Protocol (CARP). CARP enables servers in the array to split or balance the load of retrieving and caching Web content among themselves. The CARP algorithm assigns URLs to individual servers within the caching array. Each Web caching server in the array is responsible for a percentage of the total URL space. Content for any specific URL is always stored on the Web caching server responsible for that URL; the content is not duplicated on any other member of the array.

 

There are two ways that requests for Web content can be obtained from a caching array:

 

  • The request can be routed by the array
  • The client can determine on its own which array member is responsible for the URL and contact that array member directly

 

Figure D displays what happens when content is routed within the array. This is what happens when the client is not configured with the ISA Server 2000 autoconfiguration script:

 

  1. The Web client on the campus network sends a request for Web content to the ISA Server 2000 Web Proxy server. This is the Web Proxy server that the Web client has been specifically configured to contact.
  2. The Web Proxy server to which the client sent the request determines that another member of the array is responsible for the URL. The request is forwarded to the other array member.
  3. The second Web Proxy server checks to see if it has a valid version of the Web content in cache. If the second Web Proxy server determines that it does not have a valid version of the Web content, it requests the content from the Internet Web server.
  4. The Internet Web server returns the Web content to the second Web Proxy server
  5. The Web content is placed in the in-memory Web cache on the second Web Proxy server.
  6. The second Web proxy server returns the content to the first Web Proxy server.
  7. The first Web proxy server (the one that received the request from the Web Proxy client), returns the requested Web content to the Web proxy client machine on the campus network. Note that the first Web Proxy server does not cache this content because it is not responsible for the requested URL.

 


Figure D


Figure E shows what happens when a Web Proxy client is configured to use the autoconfiguration script. The autoconfiguration script enables the Web client to determine which array member is responsible for a specific URL and then forward the request directly to that server, regardless of the server the Web client is configured to use. The Web Proxy client can do this because the autoconfiguration script contains a list of the names of the caching array servers and the algorithm used to determine which server is responsible for a requested URL.

 

  1. The Web client sends a request to the ISA Server 2000 Web Proxy server responsible for the URL. The client is configured with the autoconfiguration script and so is able to determine in advance which Web Proxy server is responsible for the URL.
  2. The Web proxy server checks to see if it is responsible for the URL. If the Web Proxy server is responsible for the URL, it checks to see if it has a valid version of the requested Web content. If the Web Proxy server does not have a valid version of the Web content, it sends a request to the Internet Web server.
  3. The Internet Web server returns the content to the Web Proxy server.
  4. The Web Proxy server places the content in its in-memory cache.
  5. The Web Proxy server forwards the content in cache to the requesting client.
  6. Web content in the in-memory cache is placed in the disk cache after a period of time. The content may be purged from the in-memory cache if the caching algorithm determines that it is not popular enough to be kept in memory.

 

 


Figure E
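An added example, not ISA Server's own code or its autoconfiguration script: CARP member selection written in the JavaScript shape of a proxy autoconfiguration script, covering both the direct routing of Figure E and the forwarding of Figure D. The hashing is modelled on the public CARP v1 Internet-Draft; ISA Server's exact hash is not given on this page and is assumed to match. The member hostnames, the 8080 listener port and equal load factors are assumptions.

```javascript
// Constructed array members and listener port; the hostnames are placeholders, not from the kit.
const ARRAY_MEMBERS = ["array1.campus.example", "array2.campus.example", "array3.campus.example"];
const WEB_PROXY_PORT = 8080; // assumed ISA Web Proxy listener port

// Rotate a 32-bit unsigned integer left by n bits (1 <= n <= 31).
function rotl(x, n) {
  return ((x << n) | (x >>> (32 - n))) >>> 0;
}

// CARP string hash (per the v1 draft): h = h + rotl(h, 19) + c for each character, in 32 bits.
function carpHash(s) {
  let h = 0;
  for (let i = 0; i < s.length; i++) {
    h = (h + rotl(h, 19) + s.charCodeAt(i)) >>> 0;
  }
  return h;
}

// The member (proxy host name) hash gets an extra mixing step so similar names spread apart.
function memberHash(name) {
  let h = carpHash(name.toLowerCase()); // host names compare case-insensitively
  h = (h + Math.imul(h, 0x62531965)) >>> 0;
  return rotl(h, 21);
}

// Combine a URL hash with one member's hash; the member with the highest score owns the URL.
function combinedScore(urlHash, mHash, loadFactor) {
  let h = (urlHash ^ mHash) >>> 0;
  h = (h + Math.imul(h, 0x62531965)) >>> 0;
  return rotl(h, 21) * loadFactor;
}

// The array description an autoconfiguration script carries: member names with their hashes.
function buildArray(names, loadFactor = 1.0) {
  return names.map((name) => ({ name, hash: memberHash(name), loadFactor }));
}

// Every client and every member computes the same owner for a URL, which is why the content
// for a URL is stored on exactly one member and never duplicated (Figure E).
function responsibleMember(url, members) {
  const urlHash = carpHash(url);
  let owner = null;
  let best = -1;
  for (const m of members) {
    const score = combinedScore(urlHash, m.hash, m.loadFactor);
    if (score > best) {
      best = score;
      owner = m.name;
    }
  }
  return owner;
}

// PAC-style entry point: the function a browser calls in an autoconfiguration script.
function FindProxyForURL(url, host) {
  const owner = responsibleMember(url, buildArray(ARRAY_MEMBERS));
  return "PROXY " + owner + ":" + WEB_PROXY_PORT;
}

// Figure D: a client without the script sends every request to the member it was configured
// with; that member forwards to the owner when it is not the owner, and only the owner caches.
function routeViaConfiguredMember(url, configured, members) {
  const owner = responsibleMember(url, members);
  return { owner, forwarded: owner !== configured, cachedOn: owner };
}

// Count how many URLs change owner when one member leaves the array. With highest-score
// selection only the departed member's URLs move, so the rest of the array's cache stays useful.
function movedOnRemoval(urls, names, removed) {
  const before = buildArray(names);
  const after = buildArray(names.filter((n) => n !== removed));
  let moved = 0;
  let movedFromOther = 0;
  for (const u of urls) {
    const a = responsibleMember(u, before);
    const b = responsibleMember(u, after);
    if (a !== b) {
      moved++;
      if (a !== removed) movedFromOther++;
    }
  }
  return { moved, movedFromOther };
}
```

movedOnRemoval shows the property that makes arrays practical to grow or shrink: taking a member out of the array relocates only the URLs that member owned.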


Placing a Web Caching Server on the Campus Network

Web caching ISA Server 2000 machines can be dedicated Web caching servers or part of an integrated ISA Server 2000 firewall and Web caching server. This provides educational institutions a great deal of flexibility when considering where to place the ISA Server 2000 Web caching server on the campus network.

 

There are several popular topologies for an ISA Server 2000 Web caching server:

 

  • ISA Server 2000 Front-end Firewall Topology
  • ISA Server 2000 Back-end Firewall Topology
  • ISA Server 2000 Front-end and Back-end Firewalls
  • ISA Server 2000 Application Layer Filtering Web Proxy in the Perimeter Network

ISA Server 2000 Front-end Firewall Topology

Small educational institutions that do not already have a large investment in a current firewall infrastructure may prefer to make the ISA Server 2000 firewall a front-end firewall. The front-end firewall has two network interfaces: a network interface on the campus network and a network interface directly connected to the Internet. All communications that come into and out of the campus network must go through the ISA Server and are exposed to ISA Server 2000’s deep application layer inspection.

 

The advantages of this configuration include:

 

  • All communications into and out of the campus network are exposed to firewall policy
  • You only need to learn how to configure the ISA Server 2000 firewall software; this avoids the potential for firewall misconfiguration when multiple vendor firewalls are used
  • All inbound and outbound access can be controlled on a granular user or group basis. Users only access the content and servers you want them to access, based on rules you configure
  • This configuration is easy to set up and maintain


ISA Server 2000 Back-end Firewall Topology

Educational institutions that already have an existing firewall infrastructure may prefer to leave the current firewalls in place and put the ISA Server 2000 firewall behind the current firewalls. This topology allows third party firewalls to provide high speed packet filtering (stateful filtering) before forwarding the remaining packets to the application aware ISA Server 2000 firewall. The network between the third party front-end firewalls and the ISA Server firewall is a perimeter network where publicly accessible servers and services can be placed.

 

Each third-party packet filtering firewall has two network interfaces: an interface directly connected to the Internet and an interface connected to a perimeter network between the third-party packet filtering firewalls and the ISA Server 2000 application layer aware firewall. The ISA Server 2000 firewall also has two interfaces: an interface on the perimeter network and an interface on the protected internal campus LAN.

 

Advantages of this configuration include:

 

  • Educational institutions do not need to perform a major redesign of their current firewall infrastructures
  • Third party hardware-based firewalls can perform high-speed packet filtering. This offloads the packet filtering overhead from the ISA Server 2000 firewall and increases the resources available on the ISA Server 2000 firewall to perform deep application layer inspection
  • Resources located on the campus network are protected by the ISA Server 2000 firewall’s enhanced application layer inspection mechanisms
  • Granular inbound and outbound access control can be done on a user/group basis

The figure below shows the ISA Server 2000 back-end firewall topology.

 


ISA Server 2000 Front-end and Back-end Firewalls

The ISA Server 2000 front-end and back-end firewall configuration uses two ISA Server 2000 computers, one as the Internet edge firewall and the other as the corporate LAN edge firewall. The front-end ISA Server 2000 firewall has an interface directly connected to the Internet and an interface on the perimeter network between the firewalls. The back-end ISA Server 2000 firewall has an interface on the perimeter network and an interface on the protected campus LAN.

 

The advantages of this configuration include:

 

  • A single firewall system; this reduces the training overhead and the probability of a configuration error
  • Sophisticated application layer filtering protecting hosts on the perimeter network and the internal, core campus network
  • You can leverage Web Proxy chaining and firewall chaining to significantly tighten access control over perimeter network servers and users on the internal network. This prevents attackers from using compromised servers on the perimeter network as a launch point for outbound attacks from the perimeter network
  • Granular outbound user/group based access control for hosts on both the campus network and the perimeter network
  • Excellent support for highly secure VPN passthrough, allowing access to protected resources on the campus network

 

*       Note:

Please see kit doc Protecting Departmental/Student LAN segments with ISA Server 2000 for more information about Web proxy and Firewall chaining.

 

The figure below shows the topology for the ISA Server 2000 front-end and back-end firewall configuration.

 

ISA Server 2000 Application Layer Filtering Web Proxy in the Perimeter Network

Some educational institutions already have an existing firewall infrastructure that includes front-end and back-end firewalls. These campuses have a large investment in their current firewall infrastructures and prefer to leave them intact. You can still leverage ISA Server 2000’s application layer filtering features by making the ISA Server an application layer filtering proxy. This ISA Server 2000 proxy can be placed on the perimeter network between the front-end and back-end third party packet filtering firewalls or you can place the ISA Server 2000 application layer proxy on the internal campus network.

 

Advantages of the application layer filtering proxy configuration include:

 

  • The ability to leave the current firewall infrastructure intact; you can “drop in” the ISA Server 2000 application layer filtering proxy virtually anywhere
  • The third party front-end and back-end packet filtering firewalls can pass packets at high speed while allowing ISA Server 2000 to provide a very high level of security for communications passed through its application layer inspection mechanisms
  • A hardened ISA Server 2000 proxy can be placed on the perimeter network segment to reduce the attack surface
  • In reverse Web Proxy scenarios, the ISA Server 2000 application layer filtering proxy can forward user credentials across the back-end firewall to pre-authenticate remote users

 


The figure below shows the topology of the application layer filtering proxy configuration.


Installing a Unihomed (single-NIC) Standalone Web Caching Server

Many educational institutions have an existing firewall infrastructure and are more interested in taking advantage of ISA Server 2000’s Web caching capabilities than in its firewall functionality. If this is your situation, you can put the ISA Server 2000 Web caching server anywhere in the network; it does not need to be in the outbound or inbound path for all traffic. You can use a single NIC (unihomed) ISA Server 2000 Web Proxy server installed in cache mode and gain all the benefits the ISA Server 2000 Web caching server has to offer.

 

In the following walkthrough, we will go through the steps required to install ISA Server 2000 on a Windows Server 2003 machine that has a single network card. This machine can be placed on the internal network, or on a DMZ segment between firewalls that you already have in place.

 

Perform the following steps to install ISA Server 2000 on a unihomed Windows Server 2003 computer:

 

  1. Double click the ISAAutorun.exe file to open the initial ISA Server 2000 installation and features page. Click the Install ISA Server icon.

  2. Click Continue in the ISA 2000 dialog box warning you that ISA Server 2000 requires Service Pack 1 and other updates.

  3. Click Continue on the Welcome to the Microsoft ISA Server installation program page.

  4. Enter your CD key on the CD key page and click OK.

  5. Write down your Product ID as it appears on the Product ID page. Click OK.

  6. Click I Agree on the EULA page.

  7. Click the Full Installation icon on the installation type page. Note that you can change the location of the ISA Server 2000 program installation from the default (which is the Program Files folder on the boot partition). You may want to install ISA Server 2000 on a drive other than the one on which your operating system is installed if you expect very large log files and you wish to use the built-in reporting function included with ISA Server 2000. The reason for this is that ISA Server 2000 will only create reports if the log files are located in the default installation location.

  8. Click Yes on the page informing you that the ISA Server Schema was not found in the Active Directory.

  9. Select the Cache mode option on the ISA Server 2000 mode type page. Click Continue.

  10. On the cache drive page, select an NTFS formatted drive on which to store the ISA Server 2000 Web page disk cache. Type the size of the cache file on that drive in the Cache size (MB) text box.

The cache size is based on the number of users you expect to connect to the Internet through the Web Proxy server. A good rule of thumb is to start with a file of 100 MB and increase the size by 1-5 MB per user. The size of the cache should also take into account the type of content you expect to host and the amount of memory installed on the ISA Server 2000 Web caching server. In an ideal environment, the entire cache can be stored in memory to provide the best performance. An ideal cache size can only be ascertained after performing an ISA Server 2000 performance analysis using the ISA Server 2000 Performance counters in the System Monitor.

*       Note:

There is a great deal of excellent information on how to optimize your Web caching server’s cache size in the article ISA Server Performance Best Practices at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/isa/isaprfbp.asp

  11. Click OK in the dialog box informing you that you have selected to install the SMTP Message Screener and that the SMTP service is not installed on the machine. You will not see this dialog box if the SMTP service is installed on the ISA Server 2000 Web caching server. This dialog box is a result of selecting the Full installation option.

*       Note:

For more information on the SMTP Message Screener and how to use it as part of your multilevel email protection plan, please refer to the ISA Server 2000 Exchange 2000/2003 Deployment Kit at http://isaserver.org/news/exchangekit.html

  12. Remove the checkmark from the Start ISA Server Getting Started Wizard dialog box. Click OK.

  13. Click OK in the dialog box informing you that the setup has completed successfully. Note that a balloon pops up from the system tray informing you that ISA Server 2000 will cause Windows to become unstable. Click the close button (the “X”) to dismiss this warning.

  14. Click OK in the dialog box warning you that setup has failed to start one or more services.

  15. You will need to install ISA Server 2000 Service Pack 1 and ISA Server 2000 Hotfix 255 before you can run ISA Server 2000 on Windows Server 2003. Please refer to the article Installing ISA Server 2000 on Windows Server 2003 at http://www.tacteam.net/isaserverorg/exchangekit/2003installisa/2003installisa.htm for details on installing ISA Server 2000 on Windows Server 2003 machines.

 

*       Note:

There are a number of security hotfixes that should be applied to the Windows Server 2003 and ISA Server 2000 software. You can use the Windows Update site or the Software Update Service (SUS) to update the operating system. Please visit the Microsoft ISA Server 2000 Web site at http://www.microsoft.com/isaserver/downloads/default.asp for updates that should be applied to the ISA Server 2000 software.

 


Installing a Caching Array

There is not a great deal of information available on the installation and configuration of caching arrays. This is unfortunate because caching arrays can significantly improve the Web browsing experience of a large number of users on the campus network. In addition, the configuration of all the members of an array is stored in the Active Directory and can be automatically assigned to each new machine added to the array. This conserves a great deal of administrative effort when installing new ISA Server 2000 Web caching servers.

 

The following steps are required to install an ISA Server 2000 caching array:

 

  • Initialize the Active Directory to support caching arrays
  • Install ISA Server 2000 and create the array
  • Join the second machine to the array

 

 

The first step is to initialize the Active Directory. Perform the following steps on the ARRAY1 computer:

 

1.       Double click on the ISAAutorun.exe file to open the ISA Server 2000 installation and features page. Double click the Run ISA Server Enterprise Initialization icon.

 

 

2.       Click Yes on the ISA Server Enterprise Initialization Tool dialog box informing you that the ISA Server schema will be installed to the Active Directory.

 

 

3.       In the ISA Enterprise Initialization dialog box, you have several options:

 

Use array policy only

This option applies the access policy to all machines in the array. When changes to access and caching policy are made on one machine of the array, the changes are replicated automatically to all other machines belonging to the same array. Only access and caching policies created for the array are applied, in contrast to enterprise policy and array policy configurations.

Use this enterprise policy

Enterprise policy is applied to all machines that are assigned the same enterprise policy. The enterprise policy is stored in the Active Directory and is separate from any policies that you set for machines belonging to any particular array. A single enterprise policy can be applied to multiple arrays. You have the option to apply only enterprise policy, or a combination of enterprise policy and array policy. When you enable both enterprise and array policy, the array policy rules will only be applied when they are more restrictive than enterprise policy rules.

Allow array-level access policy rules that restrict enterprise policy

Both array and enterprise policy are enabled when this option is selected. Only array level rules that are more restrictive than enterprise policy rules will be applied. The array policy can be used to fine tune the level of security provided by the enterprise access policy.

Allow publishing rules

Enable this option to allow publishing rules on array member computers. Web Publishing Rules must be configured on a per-server basis; a Web Publishing Rule configured on one member of the array is not automatically copied to other array members. The reason for this is that incoming requests must be directed to a specific IP address. Web caching arrays do not provide the same functionality as Microsoft Network Load Balancing (NLB).

Force packet filtering on the array

When you have an array of ISA Server 2000 firewalls, you can force packet filtering on each member server of an array. Packet filtering is applied on the external interface of the ISA Server 2000 firewall members. However, in this example we are installing an array of unihomed Web caching only servers. There is no external interface on these machines; they have only a single network interface, connected to the internal network. For this reason, we will not enable the Force packet filtering on the array option.

 

In this example, we will select Use array policy only because the caching array will not be used as a firewall. We will also select Allow publishing rules so we can publish servers such as Microsoft Outlook Web Access using the caching array.

 

*       Note:

For more information about using a unihomed Web Proxy machine to publish Outlook Web Access, please refer to ISA Server 2000 Exchange 2000/2003 Deployment Kit at http://isaserver.org/news/exchangekit.html.

 

 

4.       It will take several minutes for the Active Directory to initialize. It may seem that the computer has hung, but be patient.

 

 

5.       Click OK in the dialog box informing you that the ISA Server Enterprise Initialization Tool successfully imported the ISA Schema into the Active Directory.

 

 

The next step is to install ISA Server 2000 in Cache mode on the ARRAY1 computer. The procedure varies somewhat from the way ISA Server 2000 is installed in Cache mode on a standalone (non-array) machine. Perform the following steps to install the first caching array member machine:

 


1.       Double click the ISAAutorun.exe file to open the ISA Server 2000 installation and features page. Click Continue on the ISA 2000 page warning you that you will need to install ISA Server 2000 Service Pack 1 and other updates.

 

 


2.       Click Continue on the Welcome to the Microsoft ISA Server installation program page.

 

 


3.       Enter your CD key on the CD Key page. Click OK.

 

 


4.       Write down the product ID number that appears in the Product ID dialog box and click OK.

 

 


5.       Read the user license agreement on the EULA page and click I Agree.

 

 


6.       Click the Full Installation button on the installation type page.

 

 


7.       Click Yes in the dialog box asking if you want to install the server as an array member. This option is available because you have already initialized the Active Directory.

 

 


8.       The New Array dialog box appears. Enter a name for a new Web caching array in the New Array dialog box. Click OK after entering the name.

 

 


9.       Select the Use custom enterprise policy settings option on the Configure enterprise policy settings dialog box. Select the Use array policy only option. This enables you to create access and caching policy on the array computers without needing to worry about any other policies that might be enforced on the enterprise level. Put a checkmark in the Allow publishing rules checkbox. Do not put a checkmark in the Force packet filtering on this array checkbox.

 

Click Continue.

 

 


10.   On the ISA installation mode page, select the Cache mode option and click Continue.

 

 


11.   On the cache size page, select an NTFS formatted drive from the list and then enter a cache size in the Cache size (MB) text box. Click Set and then click OK.

 

 


12.   Click OK in the dialog box warning you that you have selected to install the Message Screener.

 

 


13.   Remove the checkmark from the Start ISA Server Getting Started Wizard checkbox and click OK.

 

 


14.   Click OK in the dialog box informing you that the installation has completed successfully. Click the close button (the “X” in the upper right of the balloon) in the message informing you that ISA 2000 will cause Windows to become unstable.

 

 


15.   Click OK in the dialog box informing you that setup has failed to start one or more services.

 

 

16.   You will need to install ISA Server 2000 Service Pack 1 and ISA Server 2000 Hotfix 255 before you can run ISA Server 2000 on Windows Server 2003. Please refer to the article Installing ISA Server 2000 on Windows Server 2003 at http://www.tacteam.net/isaserverorg/exchangekit/2003installisa/2003installisa.htm for details on installing ISA Server 2000 on Windows Server 2003 machines.

 

The next step is to install ISA Server 2000 on the second member of the array. This machine will join the CACHEARRAY1 Web caching array.

 


Perform the following steps on the ARRAY2 machine:

 

  1. Double click on the ISAAutorun.exe file to open the ISA Server 2000 installation and features page. Click Continue in the ISA 2000 dialog box warning you that ISA Server 2000 Service Pack 1 and other components must be installed in order for the software to work correctly on Windows Server 2003.

  2. Click Continue on the Welcome to the Microsoft ISA Server installation program page.

  3. Enter your CD Key in the CD key dialog box. Click OK.

  4. Write down your product ID number as it appears in the Product ID dialog box. Click OK.

  5. Click I Agree on the end user license agreement page.

  6. On the installation type page, click the Full Installation button.

  7. Click Yes in the dialog box asking if you want to install this server as an array member.

  8. You are presented with a dialog box containing a list of arrays that this machine can join. In our example, the only available array is the CACHEARRAY1 array that we created earlier. Note that you can click the New button and create a new array if you like. We want this machine to join the existing CACHEARRAY1 array. Select that array and click OK.

  9. Select an NTFS formatted drive and enter a cache size in the Cache size (MB) text box, then click Set. Click OK.

  10. Click OK in the dialog box informing you that you selected to install the Message Screener.

  11. Click OK in the dialog box informing you that ISA Server 2000 was installed successfully. Click the close button on the balloon informing you that ISA 2000 will cause Windows to become unstable.

  12. Click OK in the dialog box informing you that setup has failed to start one or more services.

  13. You will need to install ISA Server 2000 Service Pack 1 and ISA Server 2000 Hotfix 255 before you can run ISA Server 2000 on Windows Server 2003. Please refer to the article Installing ISA Server 2000 on Windows Server 2003 at http://www.tacteam.net/isaserverorg/exchangekit/2003installisa/2003installisa.htm for details on installing ISA Server 2000 on Windows Server 2003 machines.

 

We now have two ISA Server 2000 Web caching servers participating in a Web caching array. While many ISA Server 2000 administrators are accustomed to the look of the ISA Server 2000 management console for standalone machines installed in Integrated or Firewall mode, many ISA Server 2000 administrators have not worked with ISA Server 2000 arrays. There are some significant differences in the options available and the information provided by the ISA Server 2000 management console depending on whether you have a standalone or array configuration.

 


Perform the following steps to explore the ISA Management console for your caching array:

 

1.       Open the ISA Management console on one of the array members. You will see the Enterprise policy node, which is only available when an ISA Server 2000 machine is installed in an array. In the example we’re using at this time, there are no enterprise policies in place, so no enterprise policy based access controls will be placed on the array member machines.

 

Notice that under the Access Policy node there is no IP Packet Filters node. The reason for this is that you cannot have packet filtering enabled on a machine installed in Caching only mode.

 

Notice that the name under the Servers and Arrays node is the name of the array, rather than the name of the machine you are working at. This contrasts with a standalone version of ISA Server 2000, where the name located under the Servers and Arrays node is the name of the ISA Server 2000 firewall or Web caching computer.

 

 


2.       Expand the Enterprise node and then expand the Policies node. Click on the Enterprise Policy 1 node and then right click on it. In the Enterprise Policy 1 Properties dialog box, click the Arrays node. If there were an enterprise array available in the Active Directory, that enterprise array would appear in this list. Notice that the CACHEARRAY1 array does not appear in this list. The reason for this is that we instructed the array policy for the CACHEARRAY1 array to be applied only to the array. This prevents it from being managed by an additional set of access policies, which is what enterprise policies represent.

 

Click Cancel in this dialog box to dismiss it.

 

 


3.       Expand the Servers and Arrays node and right click on the CACHEARRAY1 node. In the CACHEARRAY1 Properties dialog box, click on the Policies node. Notice that the selections we made when creating the array policy are selected in this dialog box. You have the option to change the characteristics of the array policy here.

 

For example, you can select the Use default enterprise policy settings option to apply the default enterprise policy to the array. You can change the current array policy to disallow publishing rules by removing the checkmark from the Allow publishing rules checkbox. If the machine is multihomed and installed in integrated or firewall mode, you can select the Force packet filtering on the array checkbox and force packet filtering.

 

Click Cancel to dismiss this dialog box without making changes.

 

 


4.       Click on the Outgoing Web Requests tab. The Resolve requests within array before routing option is selected by default. This option is not available when ISA Server 2000 is installed in standalone mode because the Caching Array Routing Protocol (CARP) is not enabled on standalone ISA Server 2000 machines. This option allows the ISA Server 2000 array member to determine which machine is responsible for the URL requested and attempt to retrieve that URL from the array member responsible for that URL. If this checkbox is not enabled, then CARP is effectively disabled.

 

 


5.       Expand the Monitoring node and then click on the Services node. You will see the status of services running on all members of the array. This is in contrast to what you see in a standalone installation of ISA Server 2000 server, where you only see the status of the standalone machine.

 

 


6.       Click on the Computers node. You will see information related to the computers that are members of the array in the right pane (the left pane has been hidden so that you can see more details).

 

The load factor determines the relative number of URLs for which an array member is responsible. This is useful if the array members have different hardware or connection specifications. If one array member has more memory or a faster processor, you may wish to assign a relatively larger number of URLs to that machine. You can right click on the array member as seen in the right pane of the Computers node and assign a new load factor.
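The URL-to-member assignment that CARP performs, whether computed by the array member or by the client-side routing script, can be illustrated with a weighted rendezvous hash. This is an added example and not ISA Server 2000's own CARP implementation (which uses its own 32-bit hash and load-factor multipliers); the member names, load factors and URLs in it are constructed.

```python
"""Illustrative CARP-style routing of URLs to array members with load factors.

Added example, not ISA Server 2000's own code: the real Cache Array Routing
Protocol uses its own 32-bit hash and load-factor multipliers. The same idea
(score the URL against every member, the highest score wins, weighted by load
factor) is shown with weighted rendezvous hashing so the behaviour the text
describes can be checked: every URL maps to exactly one member, a member's
share of URLs is proportional to its load factor, and removing a member only
moves the URLs that member owned. Member names and URLs are constructed.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, Iterable


def _score(url: str, member: str, load_factor: int) -> float:
    """Weighted rendezvous score for (url, member); the largest score wins."""
    digest = hashlib.sha256(f"{member}|{url}".encode("utf-8")).digest()
    # 53-bit value mapped strictly inside (0, 1) so log(u) is finite and negative.
    x = int.from_bytes(digest[:8], "big") >> 11
    u = (x + 0.5) / 2 ** 53
    return -load_factor / math.log(u)


def responsible_member(url: str, members: Dict[str, int]) -> str:
    """Return the array member responsible for url.

    members maps member name -> load factor, as shown under the Computers
    node. A member with load factor 0 is never chosen while another member
    has a positive load factor.
    """
    if not members:
        raise ValueError("array has no members")
    best_name, best_score = None, -1.0
    for name, load in members.items():
        score = _score(url, name, load) if load > 0 else 0.0
        if score > best_score:
            best_name, best_score = name, score
    return best_name


def distribution(urls: Iterable[str], members: Dict[str, int]) -> Counter:
    """Count how many of urls each member is responsible for."""
    return Counter(responsible_member(u, members) for u in urls)


# Constructed request set standing in for a day's worth of distinct URLs.
SAMPLE_URLS = [f"http://www.example.net/images/{i}.gif" for i in range(3000)]

if __name__ == "__main__":
    equal = {"ARRAY1": 100, "ARRAY2": 100}
    print("equal load factors:", distribution(SAMPLE_URLS, equal))
    # Doubling ARRAY2's load factor should give it about two thirds of the URLs.
    print("ARRAY2 at 200:", distribution(SAMPLE_URLS, {"ARRAY1": 100, "ARRAY2": 200}))
```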

 

 


7.       In the Sessions node, we see which machines have active sessions with members of the array. In this example, client side routing is enabled, so the client can determine in advance which array member is responsible for the URL and connect directly to it. We see that the client has established sessions with both members of the array, and that ARRAY1 has a session with ARRAY2. The client shows sessions with both array members because it first connected to its configured array member to obtain autodiscovery information, or because it used that array member to retrieve the URL via the routing script.

 

 

 


8.       Below are some lines from the Web Proxy log on a front-end ISA Server 2000 firewall in front of the array members. Lines 1 and 2 show ARRAY1 retrieving URLs that it is responsible for. Lines 3 and 4 show ARRAY2 retrieving URLs that it is responsible for. This provides an example of how ISA Server 2000 caching arrays distribute the load for retrieving and storing Web content.

 

1- 10.0.2.3   anonymous     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)      2004-01-14    15:51:58       FRONTENDFW    -      www.microsoft.com    207.46.156.252       80     156    536    460    http   GET       http://www.microsoft.com/products/info/img/trans.gif   Inet   200

 

2- 10.0.2.3   anonymous     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)      2004-01-14    15:51:59       FRONTENDFW    -      www.microsoft.com    207.46.156.252       80     265    589    2784   http   GET       http://www.microsoft.com/products/info/catimg/prodimg/1/22/b1066225-66dd-4b55-86e2-3cc1397cd47b_small.jpg     Inet   200

 

3- 10.0.2.4   anonymous     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)      2004-01-14    15:51:59       FRONTENDFW    -      www.microsoft.com    207.46.156.252       80     422    592    29457  http   GET       http://www.microsoft.com/library/images/showCase/1/22/c183cfc4-a2ae-4b91-9892-2e76c7426593_1.jpg       Inet   200

 

4- 10.0.2.4   anonymous     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)      2004-01-14    15:51:59       FRONTENDFW    -      www.microsoft.com    207.46.156.252       80     172    601    2887   http   GET       http://www.microsoft.com/products/info/catimg/prodimg/1/22/3c3bd1bb-5595-4512-bcca-f764770e1d71_small.jpg     Inet   200

 

 

9.       The following Web Proxy log entries are from one of the array member computers, ARRAY1. The first line shows a connection request coming from the Web Proxy client. The second and third lines show connection requests made by the other array member. The other array member sends these requests to this machine because it is not responsible for the URLs being requested.

 

1- 10.0.2.2   anonymous     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)      2004-01-14    15:33:24       ARRAY1 -      www.tacteam.net      64.90.59.34   80     8703   307    2120   http   GET       http://www.tacteam.net/isaserverorg/kitsurvey/Image2232.gif   Inet   200

 

2- 10.0.2.4   anonymous     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)      2004-01-14    15:35:58       ARRAY1 -      www.microsoft.com    207.46.134.189       80     110    389    507    http   GET       http://www.microsoft.com/homepage/gif/1ptrans.gif      Inet   200

 

3- 10.0.2.4   anonymous     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)      2004-01-14    15:35:59       ARRAY1 -      www.microsoft.com    207.46.134.189       80     234    335    16727  http   GET       http://www.microsoft.com/library/flyoutmenu/default.htc       Inet   200
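As an added check on the two log excerpts above (not code from the chapter or from ISA Server), the following parser reads tab-separated Web Proxy log lines, attributes retrievals to array members, flags any URL fetched by more than one member, and separates client requests from requests forwarded by another member. The column names are assumed from the field order in the excerpts, and the sample lines are constructed from them.

```python
"""Parse ISA Server 2000 Web Proxy log lines and check how a caching array
shares retrieval work. Added example, not part of the chapter or of ISA
Server: the column names are assumed from the field order in the excerpts
above (W3C-style, tab-separated); the sample lines are constructed from them.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Column order as in the chapter's excerpts; the names are assumed.
FIELDS = [
    "c_ip", "cs_username", "c_agent", "date", "time", "s_computername",
    "cs_referred", "r_host", "r_ip", "r_port", "time_taken", "cs_bytes",
    "sc_bytes", "cs_protocol", "cs_method", "cs_uri", "s_object_source",
    "sc_status",
]
# Array members by the IP address they use towards the front end (from the excerpts).
ARRAY_MEMBERS = {"10.0.2.3": "ARRAY1", "10.0.2.4": "ARRAY2"}
AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"

def _line(c_ip, time, server, host, r_ip, taken, sent, recv, uri):
    """Build one constructed tab-separated log line in FIELDS order."""
    return "\t".join([c_ip, "anonymous", AGENT, "2004-01-14", time, server, "-",
                      host, r_ip, "80", taken, sent, recv, "http", "GET", uri,
                      "Inet", "200"])

# Constructed from the front-end firewall excerpt (step 8).
FRONTEND_LOG = "\n".join([
    _line("10.0.2.3", "15:51:58", "FRONTENDFW", "www.microsoft.com", "207.46.156.252",
          "156", "536", "460", "http://www.microsoft.com/products/info/img/trans.gif"),
    _line("10.0.2.3", "15:51:59", "FRONTENDFW", "www.microsoft.com", "207.46.156.252",
          "265", "589", "2784", "http://www.microsoft.com/products/info/catimg/prodimg/1/22/b1066225-66dd-4b55-86e2-3cc1397cd47b_small.jpg"),
    _line("10.0.2.4", "15:51:59", "FRONTENDFW", "www.microsoft.com", "207.46.156.252",
          "422", "592", "29457", "http://www.microsoft.com/library/images/showCase/1/22/c183cfc4-a2ae-4b91-9892-2e76c7426593_1.jpg"),
    _line("10.0.2.4", "15:51:59", "FRONTENDFW", "www.microsoft.com", "207.46.156.252",
          "172", "601", "2887", "http://www.microsoft.com/products/info/catimg/prodimg/1/22/3c3bd1bb-5595-4512-bcca-f764770e1d71_small.jpg"),
])

# Constructed from the ARRAY1 excerpt (step 9): one Web Proxy client request,
# then two requests forwarded by ARRAY2 for URLs ARRAY1 is responsible for.
ARRAY1_LOG = "\n".join([
    _line("10.0.2.2", "15:33:24", "ARRAY1", "www.tacteam.net", "64.90.59.34",
          "8703", "307", "2120", "http://www.tacteam.net/isaserverorg/kitsurvey/Image2232.gif"),
    _line("10.0.2.4", "15:35:58", "ARRAY1", "www.microsoft.com", "207.46.134.189",
          "110", "389", "507", "http://www.microsoft.com/homepage/gif/1ptrans.gif"),
    _line("10.0.2.4", "15:35:59", "ARRAY1", "www.microsoft.com", "207.46.134.189",
          "234", "335", "16727", "http://www.microsoft.com/library/flyoutmenu/default.htc"),
])

def parse_log(text: str) -> List[Dict[str, str]]:
    """Split tab-separated log lines into dicts keyed by FIELDS. W3C '#'
    directive lines and blank lines are skipped; a line with the wrong
    number of columns raises ValueError instead of being mis-attributed."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {n}: expected {len(FIELDS)} fields, got {len(parts)}")
        records.append(dict(zip(FIELDS, parts)))
    return records

def retrievals_by_member(records, members=ARRAY_MEMBERS) -> Dict[str, List[str]]:
    """URLs each array member fetched through the front end, by member name."""
    out = defaultdict(list)
    for r in records:
        if r["c_ip"] in members:
            out[members[r["c_ip"]]].append(r["cs_uri"])
    return dict(out)

def duplicate_fetches(records, members=ARRAY_MEMBERS) -> Set[str]:
    """URLs fetched by more than one member; with CARP working, each URL is
    retrieved from the Internet by the single member responsible for it."""
    owners = defaultdict(set)
    for r in records:
        if r["c_ip"] in members:
            owners[r["cs_uri"]].add(r["c_ip"])
    return {uri for uri, ips in owners.items() if len(ips) > 1}

def classify_sources(records, members=ARRAY_MEMBERS) -> Counter:
    """On a member's own log, separate Web Proxy client requests from those
    forwarded by other array members."""
    return Counter("array_member" if r["c_ip"] in members else "client"
                   for r in records)
```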

 


Configuring Web Caching Options

There are several Web caching options that enable you to customize how the ISA Server 2000 Web caching feature behaves.

 

Perform the following steps to investigate and configure these options:

 

1.       Open the ISA Management console and expand the Servers and Arrays node and then expand the array name. Right click on the Cache Configuration node and click Properties.

 

 


2.       On the General tab of the Cache Configuration Properties dialog box, you see the amount of disk space dedicated to the cache on the machine on which you’re running the console.

 

 


3.       Click on the HTTP tab. The Enable HTTP caching option causes the ISA Server 2000 machine to perform Web caching. If this option is disabled, the ISA Server 2000 computer will not cache Web content.

 

The options under the Unless source specifies expiration, update object in cache allow you to control when objects in cache are expired. Many Web servers are configured to return host header information that instructs Web caches when to expire Web content. When the content expires, the cached object is no longer valid and the content must be retrieved from the Internet Web server. The options are:

Frequently This option expires cached content immediately if the Web server returning the object does not indicate how long the Web content should be valid. This option has the potential to increase the amount of bandwidth used on your Internet connection, but does ensure that users receive the most up to date content on Web servers that do not provide expiration information.

Normally This option ages content based on the time it was created; the Web server includes this information in the host header. The Web cache calculates how old the object is, based on the time the object was created on the Web server. When the object is in cache for 20% of its age, it will expire from the cache. For example, if the object is 5 days old by the time it is cached, then it will remain in cache for 1 day. However, there are limits placed on the percentage. The object will not expire in less than 15 minutes and not later than 1 day. This option balances the amount of bandwidth used on the Internet connection with the freshness of the content for Web content that does not contain expiration information.

Less Frequently This option ages content based on the time it was created. In this case, it waits until the object reaches 40% of its age before expiring the content. For example, if the object placed in cache was 5 days old by the time it was cached, it will stay in cache for 2 days before it is expired. However, it will not expire in less than 30 minutes and will not remain in cache longer than 2 days. Again, this applies only to Web content that doesn’t include expiration information in its header. This option reduces the amount of bandwidth used on the Internet connection for Web objects that do not include expiration information, but carries the risk of users obtaining content that is not completely up to date.

Set time to Live (TTL) of object in cache to:  This option allows you to configure a custom percentage of content age and minimum and maximum limits. This allows you to fine tune your caching settings based on analysis of your Web caching performance.
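The expiration rules above can be worked through in code. This is an added example rather than ISA Server's own logic: it applies the percentages and limits stated for Frequently, Normally, Less Frequently and the custom TTL option, gives precedence to a Cache-Control max-age or Expires header when the source supplies one, and expires objects with no Last-Modified header immediately (the "unspecified last modification time" case on the Advanced tab). The header values and timestamps are constructed.

```python
"""Time-to-live of a cached object under the ISA Server 2000 HTTP expiration
policies described above.

Added example, not ISA Server's own logic: it applies the percentages and
minimum/maximum limits stated in the text (Frequently, Normally, Less
Frequently, and the custom Set TTL option) and lets a source-specified
expiration (Cache-Control: max-age or Expires) take precedence. Header
values and timestamps used in the demo are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

MINUTE = 60
DAY = 24 * 60 * 60

# policy -> (percent of object age, minimum seconds, maximum seconds)
POLICIES: Dict[str, Tuple[int, int, int]] = {
    "frequently": (0, 0, 0),                        # expire immediately
    "normally": (20, 15 * MINUTE, 1 * DAY),
    "less_frequently": (40, 30 * MINUTE, 2 * DAY),
}


def _http_date(value: str) -> datetime:
    """Parse an RFC 2616 date; treat a missing zone as UTC so arithmetic works."""
    parsed = parsedate_to_datetime(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def source_ttl(headers: Dict[str, str], now: datetime) -> Optional[int]:
    """Seconds of freshness the origin server specified, or None if it gave
    none. Cache-Control: max-age wins over Expires; an unparsable Expires
    counts as already expired."""
    for directive in headers.get("Cache-Control", "").split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    if "Expires" in headers:
        try:
            expires = _http_date(headers["Expires"])
        except (TypeError, ValueError):
            return 0
        return max(0, int((expires - now).total_seconds()))
    return None


def cache_ttl(headers: Dict[str, str], now: datetime, policy: str = "normally",
              custom: Optional[Tuple[int, int, int]] = None) -> int:
    """Seconds the object may be served from cache.

    policy is a key of POLICIES or "custom", in which case custom supplies
    (percent, min_seconds, max_seconds) like the Set TTL option. An object
    with no Last-Modified header expires immediately.
    """
    specified = source_ttl(headers, now)
    if specified is not None:
        return specified
    if "Last-Modified" not in headers:
        return 0
    age = int((now - _http_date(headers["Last-Modified"])).total_seconds())
    if age <= 0:
        return 0
    if policy == "custom":
        if custom is None:
            raise ValueError("custom policy needs (percent, min, max)")
        percent, low, high = custom
    else:
        percent, low, high = POLICIES[policy]
    if percent <= 0:
        return 0
    return min(max(age * percent // 100, low), high)


# Constructed demo inputs: "now" and an object that is exactly five days old.
NOW = datetime(2004, 1, 14, 15, 51, 58, tzinfo=timezone.utc)
FIVE_DAYS_OLD = {"Last-Modified": "Fri, 09 Jan 2004 15:51:58 GMT"}

if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:16s} {cache_ttl(FIVE_DAYS_OLD, NOW, name)} s")
    print("custom 50%/10 min/1 h:", cache_ttl(FIVE_DAYS_OLD, NOW, "custom", (50, 600, 3600)))
```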

 

 


4.       Click on the FTP tab. Place a checkmark in the Enable FTP caching checkbox if you want to cache files obtained via FTP. Note that these FTP files must be obtained via the Web Proxy service either from a Web Proxy client, or via a SecureNAT or Firewall client that has accessed the cache via the HTTP Redirector filter. FTP objects do not contain expiration information so you must configure your own expiration interval for these. The default is 1440 minutes (one day).

 

 


5.       The Active Caching option enables the ISA Server 2000 Web caching server to retrieve Web content proactively based on how popular that content may be. Active caching ensures that users obtain the most current content from the Internet Web server for popular Web content. This feature can increase the amount of bandwidth used on the Internet connection but ensures that users have an improved Web browsing experience.

 

Put a checkmark in the Enable active caching checkbox to enable active caching. Each of the options represents a different level of aggressiveness of the Active Caching algorithm.

 

*       Note:

For more information on the details of how Active Caching is performed, please refer to the KB article Description of Active Caching Feature at http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q301/2/31.ASP&NoWebContent=1

 

 


6.       Click on the Advanced tab. Here you have a number of options regarding how objects are stored and maintained in cache:

 

Do not cache objects larger than This option allows you to limit the size of Web and FTP objects that are stored in cache. The larger this value, the fewer total objects will be stored in cache, and the lower the value, the greater the number of objects that can be potentially stored in cache.

Cache objects even if they do not have an HTTP status code of 200 This option allows you to cache negative responses. If a Web site or Web object is unavailable, the site will not be contacted for a period of time and an immediate response is given to the user reflecting this condition.

Cache objects that have an unspecified last modification time This tells the cache to store objects that do not have a modification time included with them. In this case, the objects expire immediately unless you configure the Web Proxy server to return expired objects.

Cache dynamic content (objects with question mark in the URL) This option allows the Web Proxy to cache information that was the result of a query. These queries have question marks included in the URL.

Maximum size of URL cached in memory This determines the largest Web object stored in the in-memory cache.

If Web site of expired object cannot be reached This option allows you to configure how to handle Web objects in cache that have expired, but cannot be updated because the Web site is unavailable. You have the option to select Do not return the expired object (return an error page) or Return the expired object only if expiration was. The former setting sends the user an error that the site cannot be reached. The latter option allows you to set the amount of time the expired object can be returned from cache without being updated from the Web server.

 

 

The Cache configuration is modified for all members of the array. You do not need to visit each array member and mirror the cache configuration you created on one array member.

 


Customizing Web Caching Options with Web Routing Rules

Another way to customize how Web objects are cached is by creating Web Routing Rules. A Web Routing Rule allows you to control how requests to specific destinations are handled by the Web Proxy service. A Web Routing rule might be configured to enable you to:

 

·         Forward requests to specific sites to an upstream Web Proxy server. For example, you might wish all requests for the campus Web site to be handled by the local Web Proxy server, but want all Internet bound requests to be forwarded to an upstream Web Proxy server.

·         Web Routing Rules can help you deal with problems related to not having a split DNS infrastructure. You can create a Web Routing Rule that routes requests for publicly accessible resources located on the campus network directly to the Web server, instead of looping them back through the Web Proxy server.

·         A Web Routing Rule allows you to customize how content is cached for specific sites. For example, you may wish to never cache content from sites that host frequently changing data.

 


Perform the following steps to create a Web Routing Rule and learn how it enables you to customize how Web content is cached:

 

1.       The first step is to create a Destination Set that can be used in the Web Routing Rule. Open the ISA Management console and expand the Servers and Arrays node and then expand the Policy Elements node. Right click on Destination Sets, point to New and click Set.

 

 


2.       In the New Destination Set dialog box, enter a name for the Destination Set in the Name text box, then click the Add button.

 

 


3.       In the Add/Edit Destination Set, select the Destination option and enter the URL for the destination. In this example, we’ll enter www.microsoft.com. Click OK.

 

 


4.       Click OK in the New Destination Set dialog box to save the Destination Set.

 

 


5.       Expand the Network Configuration node in the left pane of the console and right click the Routing node. Point to New and click Rule.

 

 

 


6.       Enter a name for the Web Routing Rule in the Routing rule name text box on the Welcome to the New Routing Rule Wizard page. Click Next.

 

 


7.       In the Destination Sets dialog box, select the Specified destination set entry from the Apply this rule to drop down list. Select the Microsoft Web Site destination from the Name drop down list.

 

 


8.       The Request Action page allows you to control how the Web Proxy service forwards the request:

 

Retrieve them directly from specified destination This option forwards the requests to the Web site where the content is located. This is the normal behavior of the Web Proxy server.

Route to a specified upstream server This option allows you to forward the requests to an upstream Web Proxy server.

Redirect to This option allows you to forward the request to a specific site that you configured, instead of the actual location of the content. For example, if you host the same resources internally and externally, but the name of the resource resolves to an external address, you can direct the request to an internal address.

 

Click Next after selecting the Route to specified upstream server option.

 

 


9.       The Primary Routing page allows you to enter information regarding the upstream server to which the request should be forwarded. Enter the name of the upstream Web Proxy in the Server or array text box. The ISA Server 2000 Web Proxy server must be able to resolve this name correctly so that it can route the request. You can use a DNS server or a HOSTS file entry if the DNS server the ISA Server 2000 Web Proxy server is using is not able to resolve this name correctly.

 

The Port text box contains the port number the upstream Web Proxy server uses to listen for downstream Web Proxy server requests. The default value for ISA Server 2000 Web Proxy servers is TCP 8080. Other Web Proxy servers may use another port number.

 

 


10.   Place a checkmark in the Use this account checkbox. Select the Integrated authentication option from the Authentication drop down list. Click the Set Account button. In the Set Account dialog box, enter a user account that the downstream Web Proxy server can use to authenticate with the upstream Web Proxy server in the event that the upstream Web Proxy server is not able to authenticate the original user who sent the request. For example, user1 may have authenticated with the downstream ISA Server 2000 Web Proxy server when he sent his request. The Web Proxy server forwarded user1’s credentials to the upstream Web Proxy server. However, the upstream Web proxy server requires authentication and does not recognize user1. The account you configure in the Set Account dialog box can be used instead of the original user account to allow authenticated access to the upstream Web proxy.

 

Enter and confirm the password, then click OK in the Set Account dialog box.

 

 


11.   Click Next in the Primary Routing page.

 

 

 


12.   On the Backup Routing page, you have the option to configure a backup route in the event that the upstream Web Proxy server is not available.

 

Ignore requests If the upstream Web Proxy server is not available, the downstream server will drop the request.

Retrieve requests directly from specified destination This allows the ISA Server 2000 Web Proxy server to forward the requests via its default gateway configuration. The disadvantage of this approach is that if the default gateway used by the Web Proxy server is not able to route Internet bound requests correctly, the routing attempt will fail.

 

 


13.   The Cache Retrieval Configuration page allows you to customize how the Web Proxy service handles objects already in the cache.

 

A valid version of the object; if none exists, retrieve the request using the specified requested action This option only returns objects in cache that are valid and have not expired. If the object is expired, the Web Proxy server will request fresh content from the Internet Web server.

Any version of the object; if none exists, retrieve the request using the specified request action This option returns any version of the object, regardless of whether the object has expired. If the object does not exist, then the request will be routed based on your selection in the previous page of the wizard.

Any version of the requested object; Never route the request. This option allows the Web Proxy to return any version of the object in the cache. If the content is not contained in the cache, the request is not routed and the user is returned an error.

 

Select the second option and click Next.

 

 

 


14.   The Cache Content Configuration dialog box determines whether or not objects from the site are cached. You have the following options:

 

All content, including dynamic content, will be cached This option allows all content on the site to be cached, including content that was retrieved via a query that returned content accessible via a URL with a question mark in it.

If source and request headers indicate to cache, then the content will be cached This option allows content that the Web server indicates should be cached.

No content will ever be cached This option prevents any content from the Web site from being cached. The Web Proxy service will always connect to the destination and retrieve the latest content.

 

 


15.   Click Finish on the Completing the New Routing Rule Wizard page.

 


Summary

Web caching can significantly improve the Web browsing experience for users on the campus network and can potentially reduce overall bandwidth costs for the educational institution. ISA Server 2000 Web caching features bring Internet Web content closer to the users on the campus network. Web caching servers can be placed in a number of locations on the campus network and can be installed in either standalone or array configurations. In this document, we discussed the ISA Server 2000 Web caching technologies in detail and provided detailed step by step examples to illustrate how to configure a standalone Web caching server or caching array.

 
