Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit
Accelerating the Web Browsing Experience with ISA Server 2000
Dr. Thomas W Shinder
Debra L. Shinder
Table of Contents
Internet bandwidth is consumed by a variety of Internet application protocols. The most popular application layer protocol used to access Internet resources is HTTP, used to access resources on the World Wide Web. Although bandwidth costs on a per-kilobyte or per-megabyte basis have come down over the years, the amount of bandwidth consumed by users on the campus network increases year after year. HTTP connections to Internet resources not only increase bandwidth costs, they also reduce the amount of bandwidth available on the Internet link for other important protocols and applications, such as SMTP, POP3 and VPN.
ISA Server 2000 can help reduce overall bandwidth usage and cost by caching Web content on the ISA Server 2000 Web caching server. Not only is ISA Server 2000 a powerful application layer firewall, it is also a robust Web caching server. Web caching servers hold content accessed by users and serve the same content to the same or other users who later make a request for the same resources. Another benefit from Web caching is that the user’s Web browsing experience is improved because content can be returned to users from the Web caching server on the high speed campus network instead of from distant Web servers.
In this document, we will discuss the following subjects that will aid you in accelerating campus users’ Web browsing experience and potentially help reduce overall bandwidth utilization:
The Web plays a large role in the Internet use of school, college and university network users – in many cases, more so than for those in the corporate world. Because the Web is so heavily used for research by both faculty members and students, fast access to often-used Web sites is a big issue that campus network administrators must address. Web caching is a way to reduce waiting times and increase the satisfaction of users who depend on Web content to do their work.
The goal of Web caching is to bring Web content closer to users. The term “closer” refers not so much to location as to the speed at which the content can be returned to the user making the request. A typical Internet connection has a top data transfer rate of 1.5Mbps (T-1) to 45Mbps (T-3), whereas a typical local area network connection speed is 100Mbps to 1000Mbps. Even slow Ethernet provides a speed of 10Mbps, considerably faster than a T-1. Thus, if the content requested by the user on the campus network can be placed on a server on the campus network, then that content can be returned to the user much more quickly than content located on an Internet server. Internet content copied to and held on a local server is called cached content. Cached content can be returned to the user more quickly, and more reliably, than content located on a machine located at a remote location on the Internet.
The ISA Server 2000 Web caching mechanism works in different ways, depending on whether or not the content is already located in the ISA Server 2000 Web cache. Figure A shows the sequence of events when a host on the campus network requests content not already contained in the ISA Server 2000 Web cache:
Figure B shows the series of events when a second host on the internal network makes a request for the same Web content before the content is flushed from the in-memory cache:
Figure C demonstrates the series of events when the user requests the same content but the content has been flushed from the in-memory cache:
Web caching improves significantly as the number of users accessing the Internet through the cache increases.
For more details on how ISA Server 2000 Web caching works, please refer to the ISA Server 2000 Software Development Kit article How ISA Server Caching Works http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isa/isaabout_7s8j.asp
Standalone ISA Server 2000 Web caching servers are not members of a caching array. The standalone Web caching server always handles the requests sent to it. A request may be served directly from cache, or the ISA server may need to retrieve the content from the Internet Web server before returning the information to the requesting host.
ISA Server 2000 caching arrays use the Cache Array Routing Protocol (CARP). CARP enables servers in the array to split or balance the load of retrieving and caching Web content among themselves. The CARP algorithm can assign URLs to individual servers within the caching array. Each Web caching server in the array is responsible for a percentage of the total URL space. Content for any specific URL is always stored on the Web server responsible for that URL; the content is not duplicated on any other member of the array.
There are two ways that requests for Web content can be obtained from a caching array:
· The request can be routed by the array
· The client can determine on its own which array member is responsible for the URL and contact that array member directly
Figure D displays what happens when content is routed within the array. This is what happens when the client is not configured with the ISA Server 2000 autoconfiguration script:
Figure E shows what happens when a Web Proxy client is configured to use the autoconfiguration script. The autoconfiguration script enables the Web client to determine which array member is responsible for a specific URL and then forward the request directly to that server, regardless of the server the Web client is configured to use. The Web Proxy client can do this because the autoconfiguration script contains a list of the names of the caching array servers and the algorithm used to determine which server is responsible for a requested URL.
Web caching ISA Server 2000 machines can be dedicated Web caching servers or part of an integrated ISA Server 2000 firewall and Web caching server. This provides educational institutions a great deal of flexibility when considering where to place the ISA Server 2000 Web caching server on the campus network.
There are several popular topologies for an ISA Server 2000 Web caching server:
· ISA Server 2000 Front-end Firewall Topology
· ISA Server 2000 Back-end Firewall Topology
· ISA Server 2000 Front-end and Back-end Firewalls
· ISA Server 2000 Application Layer Filtering Web Proxy in the Perimeter Network
Small educational institutions that do not already have a large investment in a current firewall infrastructure may prefer to make the ISA Server 2000 firewall a front-end firewall. The front-end firewall has two network interfaces: a network interface on the campus network and a network interface directly connected to the Internet. All communications that come into and out of the campus network must go through the ISA Server and are exposed to ISA Server 2000’s deep application layer inspection.
The advantages of this configuration include:
Educational institutions that already have an existing firewall infrastructure may prefer to leave the current firewalls in place and put the ISA Server 2000 firewall behind the current firewalls. This topology allows third party firewalls to provide high speed packet filtering (stateful filtering) before forwarding the remaining packets to the application aware ISA Server 2000 firewall. The network between the third party front-end firewalls and the ISA Server firewall is a perimeter network where publicly accessible servers and services can be placed.
Each third-party packet filtering firewall has two network interfaces: an interface directly connected to the Internet and an interface connected to a perimeter network between the third-party packet filtering firewalls and the ISA Server 2000 application layer aware firewall. The ISA Server 2000 firewall also has two interfaces: an interface on the perimeter network and an interface on the protected internal campus LAN.
Advantages of this configuration include:
The figure below shows the topology of the ISA Server 2000 back-end firewall topology.
The ISA Server 2000 front-end and back-end firewall configuration uses two ISA Server 2000 computers, one as the Internet edge firewall and the other as the corporate LAN edge firewall. The front-end ISA Server 2000 firewall has an interface directly connected to the Internet and an interface on the perimeter network between the firewalls. The back-end ISA Server 2000 firewall has an interface on the perimeter network and an interface on the protected campus LAN.
The advantages of this configuration include:
Please see kit doc Protecting Departmental/Student LAN segments with ISA Server 2000 for more information about Web proxy and Firewall chaining.
The figure below shows the topology for the ISA Server 2000 front-end back-end firewall configuration.
Some educational institutions already have an existing firewall infrastructure that includes front-end and back-end firewalls. These campuses have a large investment in their current firewall infrastructures and prefer to leave them intact. You can still leverage ISA Server 2000’s application layer filtering features by making the ISA Server an application layer filtering proxy. This ISA Server 2000 proxy can be placed on the perimeter network between the front-end and back-end third party packet filtering firewalls or you can place the ISA Server 2000 application layer proxy on the internal campus network.
Advantages of the application layer filtering proxy configuration include:
The figure below shows the topology of the application layer filtering proxy configuration.
Many education institutions have an existing firewall infrastructure and they are more interested in taking advantage of ISA Server 2000’s Web caching capabilities rather than its firewall functionality. If this is your situation, you can put the ISA Server 2000 Web caching server anywhere in the network and it does not need to be in the outbound or inbound path for all traffic. You can use a single NIC (unihomed) ISA Server 2000 Web Proxy server installed in cache mode and gain all the benefits the ISA Server 2000 Web caching server has to offer.
In the following walkthrough, we will go through the steps required to install ISA Server 2000 on a Windows Server 2003 machine that has a single network card. This machine can be placed on the internal network, or on a DMZ segment between firewalls that you already have in place.
Perform the following steps to install ISA Server 2000 on a unihomed Windows Server 2003 computer:
The cache size is based on the number of users you expect to connect to the Internet through the Web Proxy server. A good rule of thumb is to start with a cache file of 100 MB and add 1-5 MB per user. The size of the cache should also take into account the type of content you expect to host and the amount of memory installed on the ISA Server 2000 Web caching server. In an ideal environment, the entire cache can be stored in memory to provide the best performance. An ideal cache size can only be ascertained after performing an ISA Server 2000 performance analysis using the ISA Server 2000 performance counters in System Monitor.
There is a great deal of excellent information on how to optimize your Web caching server’s cache size in the article ISA Server Performance Best Practices at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/isa/isaprfbp.asp
For more information on the SMTP Message Screener and how to use it as part of your multilevel email protection plan, please refer to the ISA Server 2000 Exchange 2000/2003 Deployment Kit at http://isaserver.org/news/exchangekit.html
There are a number of security hotfixes that should be applied to the Windows Server 2003 and ISA Server 2000 software. You can use the Windows Update site or the Software Update Service (SUS) to update the operating system. Please visit the Microsoft ISA Server 2000 Web site at http://www.microsoft.com/isaserver/downloads/default.asp for updates that should be applied to the ISA Server 2000 software.
There is not a great deal of information available on the installation and configuration of caching arrays. This is unfortunate because caching arrays can significantly improve the Web browsing experience of a large number of users on the campus network. In addition, the configuration of all the members of an array is stored in the Active Directory and can be automatically assigned to each new machine added to the array. This conserves a great deal of administrative effort when installing new ISA Server 2000 Web caching servers.
The following steps are required to install an ISA Server 2000 caching array:
· Initialize the Active Directory to support caching arrays
· Install ISA Server 2000 and create the array
· Join the second machine to the array
The first step is to initialize the Active Directory. Perform the following steps on the ARRAY1 computer:
1. Double click on the ISAAutorun.exe file to open the ISA Server 2000 installation and features page. Double click the Run ISA Server Enterprise Initialization icon.
2. Click Yes on the ISA Server Enterprise Initialization Tool dialog box informing you that the ISA Server schema will be installed to the Active Directory.
3. In the ISA Enterprise Initialization dialog box, you have several options:
Use array policy only
This option applies the access policy to all machines in the array. When changes to access and caching policy are made on one machine of the array, the changes are replicated automatically to all other machines belonging to the same array. Only access and caching policies created for the array are applied, in contrast to enterprise policy and array policy configurations.
Use this enterprise policy
Allow array-level access policy rules that restrict enterprise policy
Both array and enterprise policy are enabled when this option is selected. Only array level rules that are more restrictive than enterprise policy rules will be applied. The array policy can be used to fine tune the level of security provided by the enterprise access policy.
Allow publishing rules
Enable this option to allow publishing rules on array member computers. Web Publishing Rules must be done on a per server basis; a Web Publishing rule configured on one member of the array is not automatically copied to other array members. The reason for this is that incoming requests must be directed to a specific IP address. Web caching arrays do not provide the same functionality as Microsoft Network Load Balancing (NLB).
Force packet filtering on the array
When you have an array of ISA Server 2000 firewalls, you can force packet filtering on each member server of an array. Packet filtering is applied on the external interface of the ISA Server 2000 firewall members. However, in this example we are installing an array of unihomed Web caching only servers. There is no external interface on these machines; they have only a single network interface, connected to the internal network. For this reason, we will not enable the Force packet filtering on the array option.
In this example, we will select Use array policy only because the caching array will not be used as a firewall. We will also select Allow publishing rules so we can publish servers such as Microsoft Outlook Web Access using the caching array.
For more information about using a unihomed Web Proxy machine to publish Outlook Web Access, please refer to ISA Server 2000 Exchange 2000/2003 Deployment Kit at http://isaserver.org/news/exchangekit.html.
4. It will take several minutes for the Active Directory to initialize. It may seem that the computer is hung up, but be patient.
5. Click OK in the dialog box informing you that the ISA Server Enterprise Initialization Tool successfully imported the ISA Schema into the Active Directory.
The next step is to install ISA Server 2000 in Cache mode on the ARRAY1 computer. The procedure varies somewhat from the way ISA Server 2000 is installed in Cache mode on a standalone (non-array) machine. Perform the following steps to install the first caching array member machine:
1. Double click the ISAAutorun.exe file to open the ISA Server 2000 installation and features page. Click Continue on the ISA 2000 page warning you that you will need to install ISA Server 2000 Service Pack 1 and other updates.
2. Click Continue on the Welcome to the Microsoft ISA Server installation program page.
3. Enter your CD key on the CD Key page. Click OK.
4. Write down the product ID number that appears in the Product ID dialog box and click OK.
5. Read the user license agreement on the EULA page and click I Agree.
6. Click the Full Installation button on the installation type page.
7. Click Yes in the dialog box asking if you want to install the server as an array member. This option is available because you have already initialized the Active Directory.
8. The New Array dialog box appears. Enter a name for a new Web caching array in the New Array dialog box. Click OK after entering the name.
9. Select the Use custom enterprise policy settings option on the Configure enterprise policy settings dialog box. Select the Use array policy only option. This enables you to create access and caching policy on the array computers without needing to worry about any other policies that might be enforced on the enterprise level. Put a checkmark in the Allow publishing rules checkbox. Do not put a checkmark in the Force packet filtering on this array checkbox.
10. On the ISA installation mode page, select the Cache mode option and click Continue.
11. On the cache size page, select an NTFS formatted drive from the list and then enter a cache size in the Cache size (MB) text box. Click Set and then click OK.
12. Click OK in the dialog box warning you that you have selected to install the Message Screener.
13. Remove the checkmark from the Start ISA Server Getting Started Wizard checkbox and click OK.
14. Click OK in the dialog box informing you that the installation has completed successfully. Click the close button (the “X” in the upper right of the balloon) in the message informing you that ISA 2000 will cause Windows to become unstable.
15. Click OK in the dialog box informing you that setup has failed to start one or more services.
The next step is to install ISA Server 2000 on the second member of the array. This machine will join the CACHEARRAY1 Web caching array.
Perform the following steps on the ARRAY2 machine:
We now have two ISA Server 2000 Web caching servers participating in a Web caching array. While many ISA Server 2000 administrators are accustomed to the look of the ISA Server 2000 management console for standalone machines installed in Integrated or Firewall mode, many have not worked with ISA Server 2000 arrays. There are some significant differences in the options available and the information provided by the ISA Server 2000 management console depending on whether you have a standalone or array configuration.
Perform the following steps to explore the ISA Management console for your caching array:
Open the ISA Management console on one of the array members. You will see the
Notice that under the Access Policy node there is no IP Packet Filters node. The reason for this is that you cannot have packet filtering enabled on a machine installed in Caching only mode.
Notice that the name under the Servers and Arrays node is the name of the array, rather than the name of the machine you are working at. This contrasts with a standalone version of ISA Server 2000, where the name located under the Servers and Arrays node is the name of the ISA Server 2000 firewall or Web caching computer.
Click Cancel in this dialog box to dismiss it.
3. Expand the Servers and Arrays node and right click on the CACHEARRAY1 node. In the CACHEARRAY1 Properties dialog box, click on the Policies node. Notice that the selections we made when creating the array policy are selected in this dialog box. You have the option to change the characteristics of the array policy here.
For example, you can select the Use default enterprise policy settings option to apply the default enterprise policy to the array. You can change the current array policy to disallow publishing rules by removing the checkmark from the Allow publishing rules checkbox. If the machine is multihomed and installed in integrated or firewall mode, you can select the Force packet filtering on the array checkbox and force packet filtering.
Click Cancel to dismiss this dialog box without making changes.
4. Click on the Outgoing Web Requests tab. The Resolve requests within array before routing option is selected by default. This option is not available when ISA Server 2000 is installed in standalone mode because the Cache Array Routing Protocol (CARP) is not enabled on standalone ISA Server 2000 machines. This option allows the ISA Server 2000 array member to determine which machine is responsible for the requested URL and attempt to retrieve that URL from the array member responsible for it. If this checkbox is not enabled, then CARP is effectively disabled.
5. Expand the Monitoring node and then click on the Services node. You will see the status of services running on all members of the array. This is in contrast to what you see in a standalone installation of ISA Server 2000 server, where you only see the status of the standalone machine.
6. Click on the Computers node. You will see information related to the computers that are members of the array in the right pane (the left pane has been hidden so that you can see more details).
The load factor determines the relative number of URLs for which an array member is responsible. This is useful if the array members have different hardware or connection specifications. If one array member has more memory or a faster processor, you may wish to assign a relatively larger number of URLs to that machine. You can right click on the array member as seen in the right pane of the Computers node and assign a new load factor.
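The CARP description earlier in this document (the autoconfiguration script carries the member list and the algorithm, so a client can pick the responsible member on its own) and the load factor setting above both come down to one deterministic hash decision. The following Python is an added example written for this kit page, not code from ISA Server 2000 or from the kit's authors: it models a caching array as a name-to-load-factor table, assigns each URL to exactly one member, and lets the load factor bias a member's share of the URL space. The member names follow the ARRAY1/ARRAY2 example; the scoring formula is a weighted rendezvous scheme that reproduces CARP's proportional behaviour, not Microsoft's exact hash or multiplier (an assumption of this example).

```python
import hashlib
import math
from typing import Dict, List

# Constructed caching array: member name -> load factor. The names follow the kit's
# ARRAY1/ARRAY2 example; 100 is the default load factor shown in the console.
ARRAY_MEMBERS: Dict[str, int] = {"ARRAY1": 100, "ARRAY2": 100}


def _hash32(text: str) -> int:
    # Any stable 32-bit hash works, as long as clients and servers use the same one.
    return int.from_bytes(hashlib.sha256(text.encode("utf-8")).digest()[:4], "big")


def responsible_member(url: str, members: Dict[str, int]) -> str:
    """Return the one array member responsible for a URL.

    Every participant (an array member, or a Web Proxy client running the
    autoconfiguration script) computes the same score for each member from the
    URL, the member name and the member's load factor; the highest score wins.
    No coordination is needed, and the same URL always lands on the same member,
    so content is never duplicated across the array.
    """
    best_name, best_score = "", -1.0
    for name, load_factor in members.items():
        combined = _hash32(name.upper() + "|" + url.lower())   # case-normalised input
        u = (combined + 0.5) / 2 ** 32                           # uniform in (0, 1)
        # Weighted rendezvous scoring: a member wins a URL with probability
        # proportional to its load factor (assumption: CARP's own multiplier
        # scheme is not reproduced here, only its proportional effect).
        score = load_factor / -math.log(u)
        if score > best_score:
            best_name, best_score = name, score
    return best_name


def distribute(urls: List[str], members: Dict[str, int]) -> Dict[str, int]:
    """Count how many of the given URLs each member is responsible for."""
    counts = {name: 0 for name in members}
    for url in urls:
        counts[responsible_member(url, members)] += 1
    return counts


def moved_fraction(urls: List[str], before: Dict[str, int], after: Dict[str, int]) -> float:
    """Share of URLs whose responsible member changes when the array changes."""
    moved = sum(1 for u in urls if responsible_member(u, before) != responsible_member(u, after))
    return moved / len(urls)


def sample_urls(n: int) -> List[str]:
    # Constructed URL space for the demonstration.
    return [f"http://www.example.edu/library/page{i}.html" for i in range(n)]


if __name__ == "__main__":
    urls = sample_urls(200)
    print("equal load factors:", distribute(urls, ARRAY_MEMBERS))
    print("ARRAY1 at load factor 300:", distribute(urls, {"ARRAY1": 300, "ARRAY2": 100}))
    print("fraction moved when ARRAY3 joins:",
          moved_fraction(urls, ARRAY_MEMBERS, dict(ARRAY_MEMBERS, ARRAY3=100)))
```

Two properties are worth checking against a real array: raising one member's load factor shifts URLs to it without touching the assignment of URLs between the other members, and adding a third member only moves the URLs the newcomer wins, so most of the existing cache stays valid. A client whose copy of the member list is stale will compute a different answer than the servers, which is why the autoconfiguration script is fetched from the array rather than hand-maintained.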
7. In the Sessions node, we see which machines have active sessions with members of the array. In this example, client side routing is enabled. We see that the client has established sessions with both members of the array, and that ARRAY1 has a session with ARRAY2. Client side routing is enabled in this example, so that the client can determine, in advance, which array member is responsible for the URL and connect directly to it. The client shows sessions with both array members because it first created a connection to its configured array member to obtain autodiscovery information, or because it used that array member to retrieve the URL via the routing script.
8. Below are some lines from the Web Proxy log in a front-end ISA Server 2000 firewall in front of the array members. Lines 1 and 2 show ARRAY1 retrieving URLs that it is responsible for. Lines 3 and 4 show ARRAY2 retrieving URLs that it is responsible for. This provides an example of how ISA Server 2000 caching arrays distribute the load for retrieving and storing Web content.
1- 10.0.2.3 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322) 2004-01-14 15:51:58 FRONTENDFW - www.microsoft.com 184.108.40.206 80 156 536 460 http GET http://www.microsoft.com/products/info/img/trans.gif Inet 200
2- 10.0.2.3 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322) 2004-01-14 15:51:59 FRONTENDFW - www.microsoft.com 220.127.116.11 80 265 589 2784 http GET http://www.microsoft.com/products/info/catimg/prodimg/1/22/b1066225-66dd-4b55-86e2-3cc1397cd47b_small.jpg Inet 200
3- 10.0.2.4 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322) 2004-01-14 15:51:59 FRONTENDFW - www.microsoft.com 18.104.22.168 80 422 592 29457 http GET http://www.microsoft.com/library/images/showCase/1/22/c183cfc4-a2ae-4b91-9892-2e76c7426593_1.jpg Inet 200
4- 10.0.2.4 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322) 2004-01-14 15:51:59 FRONTENDFW - www.microsoft.com 22.214.171.124 80 172 601 2887 http GET http://www.microsoft.com/products/info/catimg/prodimg/1/22/3c3bd1bb-5595-4512-bcca-f764770e1d71_small.jpg Inet 200
9. The following Web Proxy log entries are from one of the array member computers, ARRAY1. The first line shows a connection request coming from the Web Proxy client. The second and third lines show connection requests made by the other array member. The other array member sends these requests to this machine because it is not responsible for the URLs being requested.
1- 10.0.2.2 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322) 2004-01-14 15:33:24 ARRAY1 - www.tacteam.net 126.96.36.199 80 8703 307 2120 http GET http://www.tacteam.net/isaserverorg/kitsurvey/Image2232.gif Inet 200
2- 10.0.2.4 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322) 2004-01-14 15:35:58 ARRAY1 - www.microsoft.com 188.8.131.52 80 110 389 507 http GET http://www.microsoft.com/homepage/gif/1ptrans.gif Inet 200
3- 10.0.2.4 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322) 2004-01-14 15:35:59 ARRAY1 - www.microsoft.com 184.108.40.206 80 234 335 16727 http GET http://www.microsoft.com/library/flyoutmenu/default.htc Inet 200
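The log excerpts in steps 8 and 9 are the raw material for judging whether the array is actually saving bandwidth. The Python below is an added example, not part of the kit or of ISA Server 2000: it parses lines in the same W3C Web Proxy layout as the listings above (client IP, user, agent, date, time, server name, referrer, destination host, destination IP, port, time taken, request bytes, response bytes, protocol, method, URI, object source, status) and reports cache hits, bytes served from cache versus fetched from the Internet, and the per-member split. The sample lines are constructed for the example (addresses, sizes and the "Cache" object-source value are assumptions), and the field naming of the two byte counters follows the sample, where the response size is the larger of the two.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the ISA Server 2000 Web Proxy log layout shown in the kit.
# Addresses, sizes and the "Cache" object-source value are made up for this example;
# the last line is deliberately malformed to show that bad records are skipped.
SAMPLE_LOG = """\
10.0.2.2 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) 2004-01-14 15:33:24 ARRAY1 - www.example.edu 192.0.2.10 80 120 300 2000 http GET http://www.example.edu/a.gif Inet 200
10.0.2.4 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) 2004-01-14 15:33:25 ARRAY2 - www.example.edu 192.0.2.10 80 140 310 5000 http GET http://www.example.edu/b.jpg Inet 200
10.0.2.2 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) 2004-01-14 15:40:01 ARRAY1 - www.example.edu 192.0.2.10 80 5 300 2000 http GET http://www.example.edu/a.gif Cache 200
10.0.2.5 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) 2004-01-14 15:40:02 ARRAY2 - www.example.edu 192.0.2.10 80 6 310 5000 http GET http://www.example.edu/b.jpg Cache 200
10.0.2.5 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) 2004-01-14 15:41:10 ARRAY1 - www.example.edu 192.0.2.10 80 90 305 1000 http GET http://www.example.edu/c.htc Inet 200
this line is garbage and must be skipped
"""

# Fields that follow the user agent, in order (15 of them).
_TAIL_FIELDS = 15


@dataclass
class ProxyEntry:
    client_ip: str
    server: str          # s-computername: which array member or firewall handled it
    host: str
    method: str
    uri: str
    object_source: str   # "Inet" = fetched from the Internet; "Cache" assumed for a hit
    status: int
    time_taken_ms: int
    request_bytes: int
    response_bytes: int


def parse_line(line: str) -> Optional[ProxyEntry]:
    """Parse one record. The user agent contains spaces, so fields are taken
    from both ends: two from the left, fifteen from the right, agent in between."""
    line = re.sub(r"^\d+-\s+", "", line.strip())   # drop the "1- " numbering used in the kit's listings
    parts = line.split()
    if len(parts) < 2 + 1 + _TAIL_FIELDS:          # not a complete record
        return None
    tail = parts[-_TAIL_FIELDS:]
    try:
        return ProxyEntry(
            client_ip=parts[0], server=tail[2], host=tail[4], method=tail[11],
            uri=tail[12], object_source=tail[13], status=int(tail[14]),
            time_taken_ms=int(tail[7]), request_bytes=int(tail[8]), response_bytes=int(tail[9]),
        )
    except ValueError:                              # numeric field was not numeric
        return None


def parse_log(text: str) -> List[ProxyEntry]:
    return [e for e in (parse_line(raw) for raw in text.splitlines()) if e is not None]


def cache_summary(entries: List[ProxyEntry]) -> Dict[str, float]:
    """Hit ratio and the bytes that did (Inet) or did not (Cache) cross the Internet link."""
    hits = [e for e in entries if e.object_source == "Cache"]
    fetched = [e for e in entries if e.object_source == "Inet"]
    return {
        "requests": len(entries),
        "cache_hits": len(hits),
        "hit_ratio": len(hits) / len(entries) if entries else 0.0,
        "bytes_served_from_cache": sum(e.response_bytes for e in hits),
        "bytes_fetched_from_internet": sum(e.response_bytes for e in fetched),
    }


def per_server(entries: List[ProxyEntry]) -> Dict[str, Dict[str, int]]:
    """Requests per handling server, broken down by object source; shows the CARP split."""
    out: Dict[str, Dict[str, int]] = {}
    for e in entries:
        bucket = out.setdefault(e.server, {})
        bucket[e.object_source] = bucket.get(e.object_source, 0) + 1
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(cache_summary(entries))
    print(per_server(entries))
```

Run against a real day of Web Proxy logs, the same two functions give the numbers the cache size discussion earlier in this document asks for: if the hit ratio stays low after the cache has warmed up, the cache is too small or the expiration policy too aggressive for the content users actually request.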
There are several Web caching options that enable you to customize how the ISA Server 2000 Web caching feature behaves.
Perform the following steps to investigate and configure these options:
1. Open the ISA Management console and expand the Servers and Arrays node and then expand the array name. Right click on the Cache Configuration node and click Properties.
2. On the General tab of the Cache Configuration Properties dialog box, you see the amount of disk space dedicated to the cache on the machine on which you’re running the console.
3. Click on the HTTP tab. The Enable HTTP caching option causes the ISA Server 2000 machine to perform Web caching. If this option is disabled, the ISA Server 2000 computer will not cache Web content.
The options under the Unless source specifies expiration, update object in cache allow you to control when objects in cache are expired. Many Web servers are configured to return host header information that instructs Web caches when to expire Web content. When the content expires, the cached object is no longer valid and the content must be retrieved from the Internet Web server. The options are:
Frequently This option expires cached content immediately if the Web server returning the object does not indicate how long the Web content should be valid. This option has the potential to increase the amount of bandwidth used on your Internet connection, but does ensure that users receive the most up-to-date content from Web servers that do not provide expiration information.
Normally This option ages content based on the time it was created; the Web server includes this information in the host header. The Web cache calculates how old the object is, based on the time the object was created on the Web server. When the object has been in cache for 20% of its age, it will expire from the cache. For example, if the object is 5 days old by the time it is cached, then it will remain in cache for 1 day. However, there are limits placed on the percentage. The object will not expire in less than 15 minutes and not later than 1 day. This option balances the amount of bandwidth used on the Internet connection with the freshness of the content for Web content that does not contain expiration information.
Less Frequently This option ages content based on the time it was created. In this case, it waits until the object reaches 40% of its age before expiring the content. For example, if the object placed in cache was 5 days old by the time it was cached, it will stay in cache for 2 days before it is expired. However, it will not expire in less than 30 minutes and will not remain in cache longer than 2 days. Again, this applies only to Web content that doesn’t include expiration information in its header. This option reduces the amount of bandwidth used on the Internet connection for Web objects that do not include expiration information, but carries the risk of users obtaining content that is not completely up to date.
Set time to Live (TTL) of object in cache to: This option allows you to configure a custom percentage of content age and minimum and maximum limits. This allows you to fine tune your caching settings based on analysis of your Web caching performance.
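The three presets and the custom TTL setting are one rule with different parameters, and the "unless source specifies expiration" clause decides when that rule is consulted at all. The Python below is an added example written for this kit page, not ISA Server 2000 code: it takes a response's headers, honours an explicit Cache-Control max-age or Expires from the origin server, and otherwise derives the object's age from Last-Modified (assumed here to be the creation time the kit refers to) and applies the selected policy with the percentages and limits stated above. The header precedence follows HTTP; the policy table layout is this example's own.

```python
import re
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# The three presets from the HTTP tab as (percent of object age, minimum seconds,
# maximum seconds), with the values the kit states. A custom "Set Time to Live"
# policy can be added as another entry with its own percentage and limits.
POLICIES: Dict[str, Tuple[int, int, int]] = {
    "Frequently":      (0,  0,       0),
    "Normally":        (20, 15 * 60, 24 * 3600),
    "Less Frequently": (40, 30 * 60, 48 * 3600),
}


def heuristic_ttl_seconds(age_seconds: int, policy: str) -> int:
    """TTL for an object whose server gave no expiration information: a
    percentage of its age, clamped to the policy's minimum and maximum."""
    percent, minimum, maximum = POLICIES[policy]
    return max(minimum, min(maximum, age_seconds * percent // 100))


def _http_date_seconds(value: str) -> Optional[int]:
    # HTTP-date -> POSIX seconds; None if the header is missing or malformed.
    try:
        return int(parsedate_to_datetime(value).timestamp())
    except (TypeError, ValueError):
        return None


def ttl_seconds_for_response(headers: Dict[str, str], now_http_date: str,
                             policy: str = "Normally") -> int:
    """How long a response stays valid in cache.

    Mirrors the 'Unless source specifies expiration' rule: an explicit
    Cache-Control max-age or Expires header from the origin server wins;
    otherwise the age derived from Last-Modified feeds the selected policy.
    """
    h = {k.lower(): v for k, v in headers.items()}
    now = _http_date_seconds(now_http_date)
    if now is None:
        raise ValueError("current time must be a valid HTTP-date")
    m = re.search(r"max-age=(\d+)", h.get("cache-control", ""))
    if m:
        return int(m.group(1))
    expires = _http_date_seconds(h.get("expires", ""))
    if expires is not None:
        return max(0, expires - now)                     # already past: not valid at all
    modified = _http_date_seconds(h.get("last-modified", ""))
    if modified is not None:
        return heuristic_ttl_seconds(max(0, now - modified), policy)
    return 0   # no modification time either: expires on arrival (see the Advanced tab option)


if __name__ == "__main__":
    now = "Wed, 14 Jan 2004 15:00:00 GMT"   # constructed clock for the demonstration
    stale = {"Last-Modified": "Fri, 09 Jan 2004 15:00:00 GMT"}     # 5 days old
    for name in POLICIES:
        print(name, ttl_seconds_for_response(stale, now, name) // 60, "minutes")
```

The clamps are what make the policies safe to run unattended: the minimum stops a freshly modified page from being refetched on every request, and the maximum bounds how long a stale copy can be served when the origin never sends expiration headers.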
4. Click on the FTP tab. Place a checkmark in the Enable FTP caching checkbox if you want to cache files obtained via FTP. Note that these FTP files must be obtained via the Web Proxy service either from a Web Proxy client, or via a SecureNAT or Firewall client that has accessed the cache via the HTTP Redirector filter. FTP objects do not contain expiration information so you must configure your own expiration interval for these. The default is 1440 minutes (one day).
5. The Active Caching option enables the ISA Server 2000 Web caching server to retrieve Web content proactively based on how popular that content may be. Active caching ensures that users obtain the most current content from the Internet Web server for popular Web content. This feature can increase the amount of bandwidth used on the Internet connection but ensures that users have an improved Web browsing experience.
Put a checkmark in the Enable active caching checkbox to enable active caching. Each of the options represents a different level of aggressiveness of the Active Caching algorithm.
For more information on the details of how Active Caching is performed, please refer to the KB article Description of Active Caching Feature at http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q301/2/31.ASP&NoWebContent=1
6. Click on the Advanced tab. Here you have a number of options regarding how objects are stored and maintained in cache:
Do not cache objects larger than This option allows you to limit the size of Web and FTP objects that are stored in cache. The larger this value, the larger the objects that can be cached but the fewer total objects the cache can hold; the lower the value, the greater the number of objects that can potentially be stored in cache.
Cache objects even if they do not have an HTTP status code of 200 This option allows you to cache negative responses. If a Web site or Web object is unavailable, the site will not be contacted for a period of time and an immediate response is given to the user reflecting this condition.
Cache objects that have an unspecified last modification time This tells the cache to store objects that do not have a modification time included with them. In this case, the objects expire immediately unless you configure the Web Proxy server to return expired objects.
Cache dynamic content (objects with question mark in the URL) This option allows the Web Proxy to cache information that was the result of a query. These queries have question marks included in the URL.
Maximum size of URL cached in memory This determines the largest Web object stored in the in-memory cache.
If Web site of expired object cannot be reached This option allows you to configure how to handle Web objects in cache that have expired, but cannot be updated because the Web site is unavailable. You have the option to select Do not return the expired object (return an error page) or Return the expired object only if expiration was. The former setting sends the user an error that the site cannot be reached. The latter option allows you to set the amount of time the expired object can be returned from cache without being updated from the Web server.
The Cache configuration is modified for all members of the array. You do not need to visit each array member and mirror the cache configuration you created on one array member.
Another way to customize how Web objects are cached is by creating Web Routing Rules. A Web Routing Rule allows you to control how requests to specific destinations are handled by the Web Proxy service. A Web Routing rule might be configured to enable you to:
· Forward requests to specific sites to an upstream Web Proxy server. For example, you might wish all requests for the campus Web site to be handled by the local Web Proxy server, but want all Internet bound requests to be forwarded to an upstream Web Proxy server.
· Web Routing Rules can help you deal with problems related to not having a split DNS infrastructure. You can create a Web Routing Rule that sends requests for publicly accessible resources located on the campus network directly to the Web server, instead of looping back through the Web Proxy server.
· A Web Routing Rule allows you to customize how content is cached for specific sites. For example, you may wish to never cache content from sites that host frequently changing data.
Perform the following steps to create a Web Routing Rule and learn how it enables you to customize how Web content is cached:
1. The first step is to create a Destination Set that can be used in the Web Routing Rule. Open the ISA Management console and expand the Servers and Arrays node and then expand the Policy Elements node. Right click on Destination Sets, point to New and click Set.
2. In the New Destination Set dialog box, enter a name for the Destination Set in the Name text box, then click the Add button.
3. In the Add/Edit Destination Set, select the Destination option and enter the URL for the destination. In this example, we’ll enter www.microsoft.com. Click OK.
4. Click OK in the New Destination Set dialog box to save the Destination Set.
5. Expand the Network Configuration node in the left pane of the console and right click the Routing node. Point to New and click Rule.
6. Enter a name for the Web Routing Rule in the Routing rule name text box on the Welcome to the New Routing Rule Wizard page. Click Next.
7. In the Destination Sets dialog box, select the Specified destination set entry from the Apply this rule to drop down list. Select the Microsoft Web Site destination from the Name drop down list.
8. The Request Action page allows you control how the Web Proxy service forwards the request:
Retrieve them directly from specified destination This option forwards the requests to the Web site where the content is located. This is the normal behavior of the Web Proxy server.
Route to a specified upstream server This option allows you to forward the requests to an upstream Web Proxy server.
Redirect to This option allows you to forward the request to a specific site that you configure, instead of the actual location of the content. For example, if you host the same resources internally and externally, but the name of the resource resolves to an external address, you can direct the request to an internal address.
Click Next after selecting the Route to specified upstream server option.
9. The Primary Routing page allows you to enter information regarding the upstream server to which the request should be forwarded. Enter the name of the upstream Web Proxy in the Server or array text box. The ISA Server 2000 Web Proxy server must be able to resolve this name correctly so that it can route the request. You can use a DNS server or a HOSTS file entry if the DNS server the ISA Server 2000 Web Proxy server is using is not able to resolve this name correctly.
The Port text box contains the port number the upstream Web Proxy server uses to listen for downstream Web Proxy server requests. The default value for ISA Server 2000 Web Proxy servers is TCP 8080. Other Web Proxy servers may use another port number.
10. Place a checkmark in the Use this account checkbox. Select the Integrated authentication option from the Authentication drop down list. Click the Set Account button. In the Set Account dialog box, enter a user account that the downstream Web Proxy server can use to authenticate with the upstream Web Proxy server in the event that the upstream Web Proxy server is not able to authenticate the original user who sent the request. For example, user1 may have authenticated with the downstream ISA Server 2000 Web Proxy server when he sent his request. The Web Proxy server forwarded user1’s credentials to the upstream Web Proxy server. However, the upstream Web proxy server requires authentication and does not recognize user1. The account you configure in the Set Account dialog box can be used instead of the original user account to allow authenticated access to the upstream Web proxy.
Enter and confirm the password, then click OK in the Set Account dialog box.
11. Click Next in the Primary Routing page.
12. On the Backup Routing page, you have the option to configure a backup route in the event that the upstream Web Proxy server is not available.
Ignore requests If the upstream Web Proxy server is not available, the downstream server will drop the request.
Retrieve requests directly from specified destination This allows the ISA Server 2000 Web Proxy server to forward the requests via its default gateway configuration. The disadvantage of this approach is that if the default gateway used by the Web Proxy server is not able to route Internet bound requests correctly, the routing attempt will fail.
13. The Cache Retrieval Configuration page allows you to customize how the Web Proxy service handles objects already in the cache.
A valid version of the object; if none exists, retrieve the request using the specified request action This option only returns objects in cache that are valid and have not expired. If the object is expired, the Web Proxy server will request fresh content from the Internet Web server.
Any version of the object; if none exists, retrieve the request using the specified request action This option returns any version of the object, regardless of whether the object has expired. If the object does not exist, then the request will be routed based on your selection in the previous page of the wizard.
Any version of the requested object; Never route the request. This option allows the Web Proxy to return any version of the object in the cache. If the content is not contained in the cache, the request is not routed and the user is returned an error.
Select the second option and click Next.
14. The Cache Content Configuration dialog box determines whether or not objects from the site are cached. You have the following options:
All content, including dynamic content, will be cached This option allows all content on the site to be cached, including content that was retrieved via a query that returned content accessible via a URL with a question mark in it.
If source and request headers indicate to cache, then the content will be cached This option allows content that the Web server indicates should be cached.
No content will ever be cached This option prevents any content from the Web site from being cached. The Web Proxy service will always connect to the destination and retrieve the latest content.
15. Click Finish on the Completing the New Routing Rule Wizard page.
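The decisions the wizard configures in steps 7 through 13 can be summarized as a small evaluation routine. The example below is constructed for this document and is not ISA Server code: it matches a request against a Destination Set, lets the Cache Retrieval Configuration decide whether the cache answers, and then applies the Request Action with its Backup Route when the upstream Web Proxy server is unavailable. The upstream proxy name, the internal address used for the redirect, and the first-match rule ordering with a direct-retrieval default are assumptions made for the example.

```python
"""Model of ISA Server 2000 Web Routing Rule evaluation (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional
from urllib.parse import urlsplit


class RequestAction(Enum):
    DIRECT = "Retrieve them directly from specified destination"
    UPSTREAM = "Route to a specified upstream server"
    REDIRECT = "Redirect to"


class BackupRoute(Enum):
    IGNORE = "Ignore requests"
    DIRECT = "Retrieve requests directly from specified destination"


class CacheRetrieval(Enum):
    VALID_ONLY = "A valid version of the object; if none exists, route"
    ANY_VERSION = "Any version of the object; if none exists, route"
    NEVER_ROUTE = "Any version of the requested object; never route"


@dataclass
class CachedObject:
    body: str
    expired: bool


@dataclass
class RoutingRule:
    name: str
    destinations: frozenset            # Destination Set, as host names
    action: RequestAction
    upstream: Optional[str] = None     # upstream proxy as host:port (TCP 8080 default)
    redirect_to: Optional[str] = None  # target for the "Redirect to" action
    backup: BackupRoute = BackupRoute.IGNORE
    retrieval: CacheRetrieval = CacheRetrieval.VALID_ONLY

    def matches(self, url: str) -> bool:
        return urlsplit(url).hostname in self.destinations


def resolve(url: str, rules: List[RoutingRule], cache: Dict[str, CachedObject],
            upstream_up: bool) -> str:
    """Return a short label describing how the proxy serves this request."""
    # Assumption: rules are checked in order; no match means direct retrieval.
    rule = next((r for r in rules if r.matches(url)), None)
    if rule is None:
        return "default: direct"
    obj = cache.get(url)
    # Cache Retrieval Configuration: can the cache answer before routing?
    if obj is not None:
        if rule.retrieval == CacheRetrieval.VALID_ONLY and not obj.expired:
            return "cache-hit"
        if rule.retrieval in (CacheRetrieval.ANY_VERSION, CacheRetrieval.NEVER_ROUTE):
            return "cache-hit-stale" if obj.expired else "cache-hit"
    if rule.retrieval == CacheRetrieval.NEVER_ROUTE:
        return "error: object not in cache and rule never routes"
    # Request Action, falling back to the Backup Route if the upstream is down
    if rule.action == RequestAction.DIRECT:
        return "direct"
    if rule.action == RequestAction.REDIRECT:
        return f"redirect:{rule.redirect_to}"
    if upstream_up:
        return f"upstream:{rule.upstream}"
    if rule.backup == BackupRoute.DIRECT:
        return "backup-direct"
    return "dropped: upstream unavailable and backup route is Ignore requests"


# Constructed rule matching the wizard walk-through (upstream name is assumed)
MICROSOFT_RULE = RoutingRule(
    name="Microsoft Web Site",
    destinations=frozenset({"www.microsoft.com"}),
    action=RequestAction.UPSTREAM,
    upstream="upstream-proxy.campus.example:8080",
    backup=BackupRoute.DIRECT,
    retrieval=CacheRetrieval.ANY_VERSION,
)
RULES = [MICROSOFT_RULE]
SAMPLE_CACHE = {
    "http://www.microsoft.com/default.htm": CachedObject("<html>old copy</html>", expired=True),
}

if __name__ == "__main__":
    for u, up in (("http://www.microsoft.com/default.htm", True),
                  ("http://www.microsoft.com/new.htm", True),
                  ("http://www.microsoft.com/new.htm", False),
                  ("http://www.example.edu/", True)):
        print(u, "->", resolve(u, RULES, SAMPLE_CACHE, upstream_up=up))
```

Because the rule selects the second retrieval option, the expired copy of default.htm is served from cache without contacting the upstream server, while a request for an object not in the cache goes to the upstream proxy, or directly to the site if that proxy is down.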
Web caching can significantly improve the Web browsing experience for users on the campus network and can potentially reduce overall bandwidth costs for the educational institution. ISA Server 2000 Web caching features bring Internet Web content closer to the users on the campus network. Web caching servers can be placed in a number of locations on the campus network and can be installed in either standalone or array configurations. In this document, we discussed the ISA Server 2000 Web caching technologies in detail and provided step by step examples to illustrate how to configure a standalone Web caching server or a caching array.