How to Prevent Selected Sites from Being Cached by the Web Proxy Service


By Thomas W Shinder M.D.

One question that shows up on a regular basis on the ISA firewall newsgroups, Web boards and mailing list is how to prevent selected sites from being cached. There are a number of reasons why you wouldn’t want to cache a particular site. The content might change on a regular basis, or maybe for security reasons you don’t want any evidence that you visited that site. Such evidence would exist in the cache file.

By default, content that passes through the Web Proxy service is cached based on "directives" it receives from the Web servers. Most Web servers are configured to support a "public cache", with the goal of reducing the overall amount of traffic on the Internet and, more importantly, reducing the amount of traffic on the Web server’s Internet connection. There’s no reason for the same users to return to the same Web server if the content doesn’t change. Keep in mind that caching behavior is determined by the Web server being contacted by the ISA Server. Only after receiving directives from the Web server does the ISA Server make its own assessments regarding what content is cached and how long it is cached.

Note:

How Internet Security and Acceleration Server Handles the Caching of Responses to Requests Received By Web Publishing (http://tinyurl.com/dqk9) describes how ISA Server handles the directives provided by the Web server.

However, there is a method you can use to prevent the ISA firewall from caching responses from Web servers regardless of what directives are returned from those servers. There are just two basic steps you need to take:

  • Create a Destination Set that includes the sites you do not want to cache
  • Create a Web Routing Rule that uses this Destination Set

For example, suppose you want to prevent the ISA Server from caching any of the content at www.stuff.com. Perform the following steps to create the Destination Set:

    1. Open the ISA Management console. Expand the server or array name, and then expand the Policy Elements node.
    2. Right click the Destination Sets node, point to New, and then click Set.

    Figure 1

    3. In the Name text box, type the name of the Destination Set. In the Description text box, type a meaningful description of the Destination Set.

    Figure 2

    4. Click the Add button. Select the Destination option and then type the fully qualified domain name (FQDN) of the site you want to filter. Type a path in the Path box if you want to filter only a specific folder at the site.

    Figure 3

    5. You’ll see the entry appear in the New Destination Set dialog box.

    Figure 4

    6. Click OK and then click OK again.

    Now that you have the Destination Set in place, you can create the Web Routing Rule. Perform the following steps to create the Web Routing Rule:

    1. Open the ISA Management console, expand the server or array name and then expand the Network Configuration node.
    2. Right click the Routing node, point to New, and then click Rule.

    Figure 5

    3. Type a name for the routing rule in the Routing Rule text box and click Next.

    Figure 6

    4. Click the down arrow in the Apply this rule to drop down list box and select the Specified Destination Set option. In the Name text box, click the Destination Set you created for your Web Cache filter and then click Next.

    Figure 7

    5. Click the appropriate request action. This will differ depending on your ISA Server environment. Select the Use a dial-up entry check box if you use a dial-up interface for the external interface on the ISA Server. Click Next.

    Figure 8

    6. Click A valid version of the object; if none exists, retrieve the request using the specified requested action. Click Next.

    Figure 9

    7. Click No content will ever be cached. Click Next.

    Figure 10

    8. Review your settings, and then click Finish.

    Note that any content already cached will stay in the cache until it times out or is replaced by more current or more popular objects. Note also that you don’t have to block caching for an entire site.

    For example, suppose there is only a single directory at a particular site for which you want to prevent caching. In this case you would create a Destination Set that has the FQDN in it (like we did above) and a path. If you wanted to prevent caching only for www.stuff.com/secret, the Destination Set would look like the figure below.

    Figure 11
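As an added illustration (not from the original article and not ISA Server's own code), this Python example models the two-stage decision described above: an administrator's Destination Set override is checked first, and only then are the origin server's Cache-Control directives consulted. The function names, the folder-prefix interpretation of the Path box, and the sample destination entry are assumptions made for the example; the directive handling follows standard HTTP semantics for shared caches.

```python
from urllib.parse import urlsplit

# Constructed destination set mirroring the article's example: (FQDN, path).
# An empty path excludes the whole site from caching.
NO_CACHE_DESTINATIONS = [("www.stuff.com", "/secret")]


def in_destination_set(url, destinations=NO_CACHE_DESTINATIONS):
    """True if the URL's host and path fall inside a (host, path) entry."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for dest_host, dest_path in destinations:
        if host != dest_host.lower():
            continue
        prefix = dest_path.rstrip("/")
        # Match the folder itself or anything below it, but not /secretary.
        if not prefix or path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def parse_cache_control(value):
    """Split a Cache-Control header into a {directive: argument-or-None} dict."""
    directives = {}
    for item in value.split(","):
        name, _, arg = item.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(url, response_headers):
    """Return (decision, reason) for a shared cache such as a Web proxy."""
    # Stage 1: the administrator's override wins regardless of the origin.
    if in_destination_set(url):
        return False, "destination set override"
    # Stage 2: directives sent by the origin Web server.
    headers = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(headers.get("cache-control", ""))
    for directive in ("no-store", "private"):
        if directive in cc:
            return False, "origin sent " + directive
    # Nothing forbids storage; the cache's own policy decides the lifetime.
    return True, "no directive forbids storage"
```

Running the same check over proxy log URLs is a quick way to confirm which requests a path-scoped entry such as www.stuff.com/secret actually covers before relying on it.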

    About Thomas Shinder

    Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.
