Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit

 

Chapter 2

Accelerating the Web Browsing Experience with ISA Server 2000


Dr. Thomas W Shinder

Debra L. Shinder

December 2003

Table of Contents

How Web Caching Works

Standalone Web Caching Servers and Caching Arrays

Placing a Web Caching Server on the Campus Network

ISA Server 2000 Front-end Firewall Topology

ISA Server 2000 Back-end Firewall Topology

ISA Server 2000 Front-end and Back-end Firewalls

ISA Server 2000 Application Layer Filtering Web Proxy in the Perimeter Network

Installing a Unihomed (single-NIC) Standalone Web Caching Server

Installing a Caching Array

Configuring Web Caching Options

Customizing Web Caching Options with Web Routing Rules

Summary



Internet bandwidth is consumed by a variety of Internet application protocols. The most popular application layer protocol used to access Internet resources is HTTP, the protocol used to access resources on the World Wide Web. Although bandwidth costs on a per-kilobyte or per-megabyte basis have come down over the years, the amount of bandwidth consumed by users on the campus network increases year after year. HTTP connections to Internet resources not only increase bandwidth costs, they also reduce the amount of bandwidth available on the Internet link for other important protocols and applications, such as SMTP, POP3 and VPN.

 

ISA Server 2000 can help reduce overall bandwidth usage and cost by caching Web content on the ISA Server 2000 Web caching server. Not only is ISA Server 2000 a powerful application layer firewall, it is also a robust Web caching server. Web caching servers hold content accessed by users and serve the same content to the same or other users who later make a request for the same resources. Another benefit from Web caching is that the user’s Web browsing experience is improved because content can be returned to users from the Web caching server on the high speed campus network instead of from distant Web servers.

 

In this document, we will discuss the following subjects that will aid you in accelerating campus users’ Web browsing experience and potentially help reduce overall bandwidth utilization:

 

  • How Web caching works
  • Standalone Web caching servers and caching arrays
  • How to place a Web caching server on the campus network

 


How Web Caching Works

The Web plays a large role in the Internet use of school, college and university network users – in many cases, more so than for those in the corporate world. Because the Web is so heavily used for research by both faculty members and students, fast access to often-used Web sites is a big issue that campus network administrators must address. Web caching is a way to reduce waiting times and increase the satisfaction of users who depend on Web content to do their work.

 

The goal of Web caching is to bring Web content closer to users. The term “closer” refers not so much to location as to the speed at which the content can be returned to the user making the request. A typical Internet connection has a top data transfer rate of 1.5Mbps (T-1) to 45Mbps (T-3), whereas a typical local area network connection speed is 100Mbps to 1000Mbps. Even slow Ethernet provides a speed of 10Mbps, considerably faster than a T-1. Thus, if the content requested by the user on the campus network can be placed on a server on the campus network, then that content can be returned to the user much more quickly than content located on an Internet server. Internet content copied to and held on a local server is called cached content. Cached content can be returned to the user more quickly, and more reliably, than content located on a machine located at a remote location on the Internet.

 

The ISA Server 2000 Web caching mechanism works in different ways, depending on whether or not the content is already located in the ISA Server 2000 Web cache. Figure A shows the sequence of events when a host on the campus network requests content not already contained in the ISA Server 2000 Web cache:

 

  1. The user sends a request for content located on an Internet Web server. This request is forwarded to the ISA Server 2000 Web Proxy server.
  2. The ISA Server 2000 Web Proxy server checks to see if it has the content contained in cache. If the content is not in cache, or if the content has expired (i.e., the header information in the content indicates that it should no longer be served from a Web cache), then the ISA Server 2000 Web Proxy server forwards the request to the Web Server on the Internet.
  3. The Web server on the Internet returns the information requested.
  4. The ISA Server 2000 Web Proxy server places the information in its in-memory Web cache. ISA Server 2000 uses an in-memory Web cache to store the most popular and frequently requested content. This allows the ISA Server 2000 Web Proxy server to return the popular content more quickly to the users on the internal network.
  5. After placing the Web content in the in-memory cache, the ISA Server 2000 Web Proxy server returns the content to the user who requested it.
  6. After a period of time, the ISA Server 2000 Web Proxy server copies the contents of the in-memory cache to the disk-based cache. If the content turns out not to be popular, the in-memory cache flushes the content and the only copy of the content on the ISA server will be in the disk-based cache.

 


Figure A

 

Figure B shows the series of events when a second host on the internal network makes a request for the same Web content before the content is flushed from the in-memory cache:

 

  1. The host on the internal network sends the request to the ISA Server 2000 Web Proxy server.
  2. The ISA Server 2000 Web Proxy server checks to see if it has cached this content and whether the content has expired. If the content is still valid, the ISA server retrieves the content from the in-memory cache.
  3. The content that is retrieved from cache is returned to the user who requested it.

 


Figure B

 

Figure C demonstrates the series of events when the user requests the same content but the content has been flushed from the in-memory cache:

 

  1. The Web client computer sends the request to the ISA Server 2000 Web Proxy server. The ISA Server 2000 Web Proxy server checks to see if it has the Web content in its disk cache and whether that content is still valid.
  2. The ISA Server 2000 Web Proxy server determines that it has the content and retrieves the content from the disk-based cache.
  3. The ISA Server 2000 Web Proxy server places the content in the in-memory cache.
  4. The content is retrieved from the in-memory cache and returned to the Web proxy client on the campus network.

 


Figure C

 

Web caching improves significantly as the number of users accessing the Internet through the cache increases.
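The following is an added example, not ISA Server's own code: a small simulation of the lookup order that Figures A, B and C describe, with content validity taken from a max-age value the way the header check in step 2 of Figure A works. The memory capacity, the least-recently-used flush rule and the demo origin server are assumptions; the kit only says that unpopular content is flushed from memory after a period of time.

```javascript
// Added example (not from the deployment kit): two-tier Web cache simulation.
// Memory holds the hottest entries, disk holds everything still valid, and a
// URL is re-fetched from the origin once its max-age has passed.

class TwoTierCache {
  constructor(origin, memoryCapacity, now) {
    this.origin = origin;             // origin(url) -> { body, maxAge } (seconds)
    this.memoryCapacity = memoryCapacity;
    this.now = now;                   // clock function returning milliseconds
    this.memory = new Map();          // hot entries; Map order doubles as LRU order
    this.disk = new Map();            // every entry still worth keeping
    this.stats = { memoryHits: 0, diskHits: 0, originFetches: 0 };
  }

  // Content is valid until storedAt + max-age; after that it must be re-fetched.
  isFresh(entry) {
    return this.now() < entry.storedAt + entry.maxAge * 1000;
  }

  putInMemory(url, entry) {
    this.memory.delete(url);          // re-insert so it becomes most recently used
    this.memory.set(url, entry);
    while (this.memory.size > this.memoryCapacity) {
      const coldest = this.memory.keys().next().value;
      this.memory.delete(coldest);    // its disk copy remains (Figure A, step 6)
    }
  }

  get(url) {
    // Figure B: a valid copy in memory is served from memory.
    let entry = this.memory.get(url);
    if (entry && this.isFresh(entry)) {
      this.putInMemory(url, entry);
      this.stats.memoryHits++;
      return { body: entry.body, source: "memory" };
    }
    // Figure C: a valid copy on disk is promoted to memory, then served.
    entry = this.disk.get(url);
    if (entry && this.isFresh(entry)) {
      this.stats.diskHits++;
      this.putInMemory(url, entry);
      return { body: entry.body, source: "disk" };
    }
    // Figure A: missing or expired content is fetched from the origin server.
    const response = this.origin(url);
    this.stats.originFetches++;
    entry = { body: response.body, maxAge: response.maxAge, storedAt: this.now() };
    this.disk.set(url, entry);        // written at once here; ISA copies to disk later
    this.putInMemory(url, entry);
    return { body: entry.body, source: "origin" };
  }
}

// Constructed origin server: a short page whose max-age depends on the URL.
function demoOrigin(url) {
  return { body: "<html>" + url + "</html>", maxAge: url.endsWith("news.html") ? 60 : 3600 };
}

// Walk one URL through all three figures, then past its max-age.
function runScenario() {
  let clock = 0;
  const cache = new TwoTierCache(demoOrigin, 2, () => clock);
  const a = "http://www.example.edu/a.html";
  const first = cache.get(a).source;                 // origin
  const second = cache.get(a).source;                // memory
  cache.get("http://www.example.edu/b.html");
  cache.get("http://www.example.edu/c.html");        // memory full: a.html flushed to disk only
  const third = cache.get(a).source;                 // disk
  clock = 4000 * 1000;                               // 4000 s later, past the 3600 s max-age
  const fourth = cache.get(a).source;                // origin again
  return { first, second, third, fourth, stats: cache.stats };
}
```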

 

*       Note:

For more details on how ISA Server 2000 Web caching works, please refer to the ISA Server 2000 Software Development Kit article How ISA Server Caching Works http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isa/isaabout_7s8j.asp 


Standalone Web Caching Servers and Caching Arrays

Standalone ISA Server 2000 Web caching servers are not members of a caching array. The standalone Web caching server always handles the requests sent to it. A request may be served directly from cache, or the ISA server may need to retrieve the content from the Internet Web server before returning the information to the requesting host.

 

ISA Server 2000 caching arrays use the Cache Array Routing Protocol (CARP). CARP enables servers in the array to split or balance the load of retrieving and caching Web content among themselves. The CARP algorithm assigns URLs to individual servers within the caching array, so each Web caching server in the array is responsible for a percentage of the total URL space. Content for any specific URL is always stored on the array member responsible for that URL; the content is not duplicated on any other member of the array.

 

There are two ways that requests for Web content can be obtained from a caching array:

 

  • The request can be routed by the array
  • The client can determine on its own which array member is responsible for the URL and contact that array member directly

 

Figure D displays what happens when content is routed within the array. This is what happens when the client is not configured with the ISA Server 2000 autoconfiguration script:

 

  1. The Web client on the campus network sends a request for Web content to the ISA Server 2000 Web Proxy server. This is the Web Proxy server that the Web client has been specifically configured to contact.
  2. The Web Proxy server to which the client sent the request determines that another member of the array is responsible for the URL. The request is forwarded to the other array member.
  3. The second Web Proxy server checks to see if it has a valid version of the Web content in cache. If the second Web Proxy server determines that it does not have a valid version of the Web content, it requests the content from the Internet Web server.
  4. The Internet Web server returns the Web content to the second Web Proxy server.
  5. The Web content is placed in the in-memory Web cache on the second Web Proxy server.
  6. The second Web proxy server returns the content to the first Web Proxy server.
  7. The first Web proxy server (the one that received the request from the Web Proxy client), returns the requested Web content to the Web proxy client machine on the campus network. Note that the first Web Proxy server does not cache this content because it is not responsible for the requested URL.

 


Figure D

 

 

Figure E shows what happens when a Web Proxy client is configured to use the autoconfiguration script. The autoconfiguration script enables the Web client to determine which array member is responsible for a specific URL and then forward the request directly to that server, regardless of the server the Web client is configured to use. The Web Proxy client can do this because the autoconfiguration script contains a list of the names of the caching array servers and the algorithm used to determine which server is responsible for a requested URL.

 

  1. The Web client sends a request to the ISA Server 2000 Web Proxy server responsible for the URL. The client is configured with the autoconfiguration script and so is able to determine in advance which Web Proxy server is responsible for the URL.
  2. The Web proxy server checks to see if it is responsible for the URL. If the Web Proxy server is responsible for the URL, it checks to see if it has a valid version of the requested Web content. If the Web Proxy server does not have a valid version of the Web content, it sends a request to the Internet Web server.
  3. The Internet Web server returns the content to the Web Proxy server.
  4. The Web Proxy server places the content in its in-memory cache.
  5. The Web Proxy server forwards the content in cache to the requesting client.
  6. Web content in the in-memory cache is placed in the disk cache after a period of time. The content may be purged from the in-memory cache if the caching algorithm determines that it is not popular enough to be kept in memory.

 

 


Figure E
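The following is an added example, not the deployment kit's own script: a simplified CARP-style member selection written in the shape of a proxy autoconfiguration (PAC) function, the form in which a browser consumes such a script. ISA Server 2000's actual autoconfiguration script and hash function are not reproduced; the host names are constructed, and the hash is a stand-in. What it shows is the property the kit relies on in Figures D and E: every client hashes the URL against the same member list and reaches the one member that owns that URL, so no URL is cached on more than one array member, and growing the array moves only a fraction of the URL space.

```javascript
// Added example (not from the deployment kit): CARP-style URL ownership in a
// PAC-shaped script. Hash is FNV-1a, a stand-in for CARP's own hash function.

// Constructed array of caching servers (hypothetical host names).
const ARRAY_MEMBERS = ["isa1.campus.example:8080",
                       "isa2.campus.example:8080",
                       "isa3.campus.example:8080"];

// 32-bit FNV-1a string hash.
function hash32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Rendezvous (highest-score) selection: score the URL against every member and
// take the highest. Each client computes the same answer for the same URL.
function responsibleMember(url, members = ARRAY_MEMBERS) {
  let best = members[0], bestScore = -1;
  for (const host of members) {
    const score = hash32(url + "|" + host);
    if (score > bestScore) { bestScore = score; best = host; }
  }
  return best;
}

// PAC-style entry point a browser calls once per request (Figure E, step 1).
function FindProxyForURL(url, host) {
  return "PROXY " + responsibleMember(url) + "; DIRECT";
}

// Count how many URLs land on each member, to show the URL space is split.
function shareByMember(urls, members = ARRAY_MEMBERS) {
  const counts = {};
  for (const m of members) counts[m] = 0;
  for (const u of urls) counts[responsibleMember(u, members)]++;
  return counts;
}

// Fraction of URLs whose owner changes between two member lists. With this
// scheme, adding one member to n existing ones moves only about 1/(n+1) of
// the URL space, so the other members keep serving their cached content.
function fractionRemapped(urls, before, after) {
  let moved = 0;
  for (const u of urls) {
    if (responsibleMember(u, before) !== responsibleMember(u, after)) moved++;
  }
  return moved / urls.length;
}
```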


Placing a Web Caching Server on the Campus Network

Web caching ISA Server 2000 machines can be dedicated Web caching servers or part of an integrated ISA Server 2000 firewall and Web caching server. This provides educational institutions a great deal of flexibility when considering where to place the ISA Server 2000 Web caching server on the campus network.

 

There are several popular topologies for an ISA Server 2000 Web caching server:

 

  • ISA Server 2000 Front-end Firewall Topology
  • ISA Server 2000 Back-end Firewall Topology
  • ISA Server 2000 Front-end and Back-end Firewalls
  • ISA Server 2000 Application Layer Filtering Web Proxy in the Perimeter Network

ISA Server 2000 Front-end Firewall Topology

Small educational institutions that do not already have a large investment in a current firewall infrastructure may prefer to make the ISA Server 2000 firewall a front-end firewall. The front-end firewall has two network interfaces: a network interface on the campus network and a network interface directly connected to the Internet. All communications that come into and out of the campus network must go through the ISA Server and are exposed to ISA Server 2000’s deep application layer inspection.

 

The advantages of this configuration include:

 

  • All communications into and out of the campus network are exposed to firewall policy
  • You only need to learn how to configure the ISA Server 2000 firewall software; this avoids the potential for firewall misconfiguration when multiple vendor firewalls are used
  • All inbound and outbound access can be controlled on a granular user or group basis. Users only access the content and servers you want them to access, based on rules you configure
  • This configuration is easy to set up and maintain

 


ISA Server 2000 Back-end Firewall Topology

Educational institutions that already have an existing firewall infrastructure may prefer to leave the current firewalls in place and put the ISA Server 2000 firewall behind the current firewalls. This topology allows third party firewalls to provide high speed packet filtering (stateful filtering) before forwarding the remaining packets to the application aware ISA Server 2000 firewall. The network between the third party front-end firewalls and the ISA Server firewall is a perimeter network where publicly accessible servers and services can be placed.

 

Each third-party packet filtering firewall has two network interfaces: an interface directly connected to the Internet and an interface connected to a perimeter network between the third-party packet filtering firewalls and the ISA Server 2000 application layer aware firewall. The ISA Server 2000 firewall also has two interfaces: an interface on the perimeter network and an interface on the protected internal campus LAN.

 

Advantages of this configuration include:

 

  • Educational institutions do not need to perform a major redesign of their current firewall infrastructures
  • Third party hardware-based firewalls can perform high-speed packet filtering. This offloads the packet filtering overhead from the ISA Server 2000 firewall and increases the resources available on the ISA Server 2000 firewall to perform deep application layer inspection
  • Resources located on the campus network are protected by the ISA Server 2000 firewall’s enhanced application layer inspection mechanisms
  • Granular inbound and outbound access control can be done on a user/group basis

The figure below shows the ISA Server 2000 back-end firewall topology.

 


ISA Server 2000 Front-end and Back-end Firewalls

The ISA Server 2000 front-end and back-end firewall configuration uses two ISA Server 2000 computers, one as the Internet edge firewall and the other as the corporate LAN edge firewall. The front-end ISA Server 2000 firewall has an interface directly connected to the Internet and an interface on the perimeter network between the firewalls. The back-end ISA Server 2000 firewall has an interface on the perimeter network and an interface on the protected campus LAN.

 

The advantages of this configuration include:

 

  • A single firewall system; this reduces the training overhead and the probability of a configuration error
  • Sophisticated application layer filtering protecting hosts on the perimeter network and the internal, core campus network
  • You can leverage Web Proxy chaining and firewall chaining to significantly increase access control for perimeter network servers and users on the internal network. This prevents attackers from using compromised servers on the perimeter network as a launch point for outbound attacks from the perimeter network
  • Granular outbound user/group based access control for hosts on both the campus network and the perimeter network
  • Excellent support for highly secure VPN passthrough, allowing access to protected resources on the campus network

 

*       Note:

Please see kit doc Protecting Departmental/Student LAN segments with ISA Server 2000 for more information about Web proxy and Firewall chaining.

 

The figure below shows the topology for the ISA Server 2000 front-end/back-end firewall configuration.

 

ISA Server 2000 Application Layer Filtering Web Proxy in the Perimeter Network

Some educational institutions already have an existing firewall infrastructure that includes front-end and back-end firewalls. These campuses have a large investment in their current firewall infrastructures and prefer to leave them intact. You can still leverage ISA Server 2000’s application layer filtering features by making the ISA Server an application layer filtering proxy. This ISA Server 2000 proxy can be placed on the perimeter network between the front-end and back-end third party packet filtering firewalls or you can place the ISA Server 2000 application layer proxy on the internal campus network.

 

Advantages of the application layer filtering proxy configuration include:

 

  • The ability to leave the current firewall infrastructure intact; you can “drop in” the ISA Server 2000 application layer filtering proxy virtually anywhere
  • The third party front-end and back-end packet filtering firewalls can pass packets at high speed while allowing ISA Server 2000 to provide a very high level of security for communications passed through its application layer inspection mechanisms
  • A hardened ISA Server 2000 proxy can be placed on the perimeter network segment to reduce the attack surface
  • In reverse Web Proxy scenarios, the ISA Server 2000 application layer filtering proxy can forward user credentials across the back-end firewall to pre-authenticate remote users

 


The figure below shows the topology of the application layer filtering proxy configuration.

 


Installing a Unihomed (single-NIC) Standalone Web Caching Server

Many educational institutions have an existing firewall infrastructure and are more interested in ISA Server 2000’s Web caching capabilities than in its firewall functionality. If this is your situation, you can put the ISA Server 2000 Web caching server anywhere in the network; it does not need to be in the outbound or inbound path for all traffic. You can use a single-NIC (unihomed) ISA Server 2000 Web Proxy server installed in cache mode and gain all the benefits the ISA Server 2000 Web caching server has to offer.

 

In the following walkthrough, we will go through the steps required to install ISA Server 2000 on a Windows Server 2003 machine that has a single network card. This machine can be placed on the internal network, or on a DMZ segment between firewalls that you already have in place.

 

Perform the following steps to install ISA Server 2000 on a unihomed Windows Server 2003 computer:

 

  1. Double click the ISAAutorun.exe file to open the initial ISA Server 2000 installation and features page. Click the Install ISA Server icon.
  2. Click Continue in the ISA 2000 dialog box warning you that ISA Server 2000 requires Service Pack 1 and other updates.
  3. Click Continue on the Welcome to the Microsoft ISA Server installation program page.
  4. Enter your CD key on the CD key page and click OK.
  5. Write down your Product ID as it appears on the Product ID page. Click OK.
  6. Click I Agree on the EULA page.
  7. Click the Full Installation icon on the installation type page. Note that you can change the location of the ISA Server 2000 program installation from the default (the Program Files folder on the boot partition). You may want to install ISA Server 2000 on a drive other than the one on which your operating system is installed if you expect very large log files and you wish to use the built-in reporting function included with ISA Server 2000, because ISA Server 2000 will only create reports if the log files are located in the default installation location.
  8. Click Yes on the page informing you that the ISA Server Schema was not found in the Active Directory.
  9. Select the Cache mode option on the ISA Server 2000 mode type page. Click Continue.
  10. On the cache drive page, select an NTFS formatted drive on which to store the ISA Server 2000 Web page disk cache. Type the size of the cache file on that drive in the Cache size (MB) text box.

 

The cache size is based on the number of users you expect to connect to the Internet through the Web Proxy server. A good rule of thumb is to start with a file of 100 MB and add 1-5 MB per user. The size of the cache should also be based on the type of content you expect to host and the amount of memory installed on the ISA Server 2000 Web caching server. In an ideal environment, the entire cache can be stored in memory to provide the best performance. An ideal cache size can only be ascertained after performing an ISA Server 2000 performance analysis using the ISA Server 2000 performance counters in the System Monitor.

 

*       Note:

There is a great deal of excellent information on how to optimize your Web caching server’s cache size in the article ISA Server Performance Best Practices at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/isa/isaprfbp.asp

 

  11. Click OK in the dialog box informing you that you have selected to install the SMTP Message Screener and that the SMTP service is not installed on the machine. You will not see this dialog box if the SMTP service is installed on the ISA Server 2000 Web caching server. This dialog box is a result of selecting the Full installation option.

 

*       Note:

For more information on the SMTP Message Screener and how to use it as part of your multilevel email protection plan, please refer to the ISA Server 2000 Exchange 2000/2003 Deployment Kit at http://isaserver.org/news/exchangekit.html

 

  12. Remove the checkmark from the Start ISA Server Getting Started Wizard dialog box. Click OK.
  13. Click OK in the dialog box informing you that the setup has completed successfully. Note that a balloon pops up from the system tray informing you that ISA Server 2000 will cause Windows to become unstable. Click the close button (the “X”) to dismiss this warning.
  14. Click OK in the dialog box warning you that setup has failed to start one or more services.
  15. You will need to install ISA Server 2000 Service Pack 1 and ISA Server 2000 Hotfix 255 before you can run ISA Server 2000 on Windows Server 2003. Please refer to the article Installing ISA Server 2000 on Windows Server 2003 at http://www.tacteam.net/isaserverorg/exchangekit/2003installisa/2003installisa.htm for details on installing ISA Server 2000 on Windows Server 2003 machines.

 

*       Note:

There are a number of security hotfixes that should be applied to the Windows Server 2003 and ISA Server 2000 software. You can use the Windows Update site or the Software Update Service (SUS) to update the operating system. Please visit the Microsoft ISA Server 2000 Web site at http://www.microsoft.com/isaserver/downloads/default.asp for updates that should be applied to the ISA Server 2000 software.