Contents
Introduction .......... 1
Overview of ISA Server 2004 Web Caching .......... 2
Forward Caching .......... 2
Reverse Caching .......... 4
ISA Server 2000 Caching Enhancements .......... 6
Active Caching .......... 6
Scheduled Content Download Jobs .......... 6
Cache Rules .......... 7
Web Proxy Chaining and Web Routing .......... 7
Cache Array Routing Protocol (CARP) .......... 9
Transparent Caching with ISA Server 2004 .......... 10
Advantages of an Integrated Firewall and Web Caching Server .......... 11
Caching Scenarios .......... 12
Conclusion .......... 13
Introduction
Microsoft Internet Security and Acceleration Server 2004 (ISA Server 2004) is an extensible
enterprise firewall and Web caching server that integrates with Microsoft Windows 2000 and
Windows Server 2003 for policy-based access control of all communications moving through
the ISA Server 2004 firewall.
The ISA Server 2004 Web cache improves network performance and the end user
experience by storing frequently requested Web content in a local Web cache. The ISA
Server 2004 multilayer firewall provides sophisticated stateful network layer filtering and
stateful application layer inspection.
ISA Server 2004 filters and inspects all information moving through it at the packet, circuit
and application layers and applies firewall access policy to all traffic moving through the
firewall. The Web caching component can be implemented as a dedicated Web caching server,
or as part of a multihomed integrated firewall and Web caching solution.
ISA Server 2004 has an intuitive and easy to use firewall management interface that
simplifies managing firewall policy. ISA Server 2004 builds on and extends the security,
directory, and virtual private networking (VPN) features included with Windows 2000 and
Windows Server 2003. Whether deployed as separate cache and firewall servers or as an
integrated firewall and Web caching solution, ISA Server 2004 can be used to improve the
speed of Internet access and maximize employee productivity while, at the same time,
enhancing network security by enforcing Internet usage policy for organizations of all sizes.
This white paper examines the benefits of the Web caching component of ISA Server 2004.
Specific Web caching technologies and methodologies discussed in this white paper include:
Active Caching
Cache Rules
The paper provides a description of each of these technologies and methodologies and also
provides examples of how ISA Server 2004 improves network performance and the end user
Web browsing experience. For more information on the technical details of how ISA Server
2004 Web caching works, please visit the ISA Server 2004 technical documentation library at
www.microsoft.com/isaserver.
Forward Caching
Forward caching occurs when a user on the corporate network requests Web content located
on an Internet Web server. The user initiates an HTTP, HTTPS (SSL) or HTTP-tunneled FTP
request to an Internet Web server, and the request is intercepted by the ISA Server 2004
firewall and Web caching server. The content is retrieved, stored in the ISA Server 2004 Web
cache and returned to the user. (HTTPS requests pass through the Web proxy as an encrypted
tunnel between the client and the Internet Web server, so their content cannot be inspected
or stored in the forward cache; only HTTP and FTP responses are cached.)
The ISA Server 2004 Web caching process behaves slightly differently depending on whether
the content is already in the Web cache. Figure 1 depicts the sequence of events for
forward Web caching when a host on the corporate network requests content not already
contained in cache:
1. The user sends a request for content located on an Internet Web server. The Web
request is intercepted by the ISA Server 2004 firewall and Web caching server.
2. ISA Server 2004 checks if the requested content is contained in cache. If the content is
not in cache, or if the content has expired (i.e., the header information in the content
indicates that it should no longer be served from a Web cache), then the ISA Server 2004
firewall and Web proxy server forwards the request to the Web Server on the Internet.
3. The Web server on the Internet returns the information requested.
4. The ISA Server 2004 Web caching server places the Web content in its in-memory Web
cache. ISA Server 2004 uses an in-memory Web cache to store the most popular and
frequently requested content. This enables the ISA Server 2004 Web caching server to
return the popular content more quickly to the users on the internal network.
5. After placing the Web content in the in-memory cache, ISA Server 2004 Web caching
server returns the content to the user who requested it.
6. After a period of time, the ISA Server 2004 Web Proxy server will copy the contents of the
in-memory cache to the disk based cache. If the content turns out not to be popular, the
in-memory cache will flush the content and the only copy of the content on the ISA server
will be in the disk based cache.
Figure 1: Forward caching scenario when the requested content is not contained in cache
Figure 2 depicts the series of events when a second host on the internal network makes a
request for the same Web content before the content is flushed from the in-memory cache:
1. The host on the internal network sends the request to the ISA Server 2004 Web Proxy
server.
2. The ISA Server 2004 Web Proxy server checks to see if it has cached this content and
whether the content has expired. If the content is still valid, the ISA server retrieves the
content from the in-memory cache.
3. Content retrieved from cache is returned to the user who requested it.
Figure 2: Forward caching scenario when the requested content is contained in the in-memory cache

Reverse Caching
Reverse caching takes place when users on the Internet request Web content located on the
corporate network. ISA Server 2004 enables you to publish Web content hosted on networks
behind the ISA Server 2004 firewall and Web caching server through the mechanism of Web
Publishing rules. The ISA Server 2004 firewall and Web caching server forwards the request
to the corporate Web server when the Internet user requests content. The Web server sends
the requested content to the ISA Server 2004 firewall and Web caching server, which is then
returned to the Internet user who made the request.
Figure 3 depicts the series of events that take place when an Internet-based client requests
resources on the corporate Web server that are not yet contained in cache, in a reverse
caching scenario:
1. The Internet user sends a request for content located on a corporate Web server. The
Web request is intercepted by the ISA Server 2004 firewall and Web caching server.
2. ISA Server 2004 checks if the requested content is contained in cache. If the content is
not in cache, or if the content has expired (i.e., the header information in the content
indicates that it should no longer be served from a Web cache), then the ISA Server 2004
firewall and Web caching server forwards the request to the Web Server on the corporate
network.
3. The Web server on the corporate network returns the requested information.
4. The ISA Server 2004 Web caching server places the Web content in its in-memory Web
cache. ISA Server 2004 uses the in-memory Web cache to store the most popular and
frequently requested content. This enables the server to return the popular content more
quickly to users on the Internet.
5. After placing the Web content in the in-memory cache, the ISA Server 2004 Web caching
server returns the content to the user who requested it.
6. After a period of time, the ISA Server 2004 Web Proxy server copies the contents of the
in-memory cache to the disk-based cache. If the content turns out not to be popular, the
in-memory cache will flush the content and the only copy of the content on the ISA server
will be in the disk-based cache.
Accelerating the Internet with ISA Server 2004 Web Caching
7. The content contained in disk cache will be returned to the in-memory cache if a request
for that content is received at a later time.
Figure 3: Reverse caching scenario when corporate Web resources are not contained in cache
Subsequent requests from Internet users for corporate Web resources will be serviced from
either the in-memory or the disk-based Web cache.
In addition to speeding up access to Web resources hosted on the corporate Web server,
reverse caching also reduces the amount of bandwidth used on the corporate network by
Internet users accessing content on the corporate Web server.
Active Caching
When a computer on the private network sends a request for Web content through the ISA
Server 2004 firewall and Web caching server, that content is automatically placed in the Web
cache. This type of caching is referred to as passive caching. Passive caching takes place in
response to a user request for Web content.
However, passive caching of content is only the first step to improving performance for
subsequent requests for the same Web content. The next step is for the ISA Server 2004
firewall and Web caching server to anticipate what requests users will make and place the
Web content in the Web cache before it is requested. ISA Server 2004 implements this idea
using a mechanism known as Active Caching. Active Caching refreshes popular Web content
before it expires, so that the copy in the Web cache stays up to date and users are not
served outdated Web content from the cache.
Active Caching uses a special algorithm to determine which Web content in the Web cache is
most likely to benefit from being automatically refreshed. Web content already in cache that
meets the Active Caching criteria is downloaded again before the content expires, depending
on the current activity of the ISA Server 2004 machine. If the machine is not busy, the
content is refreshed when about half of its time to live has elapsed. If the machine is busy,
the refresh is delayed until ISA Server 2004 is less busy servicing requests. This reduces
the chance that Active Caching interferes with Web requests made by corporate network
users.
be served to branch office users. Branch office users can quickly download even large files
from cache, while at the same time freeing up the branch office link to the main office during
work hours for other business-related network activity.
Cache Rules
Cache rules enable you to control which content is stored in the cache and how Web content
is stored in and returned from the cache. Cache rules can be used to fine-tune caching of
content from all Web sites or from a subset of Web sites. You can also use cache rules to
control how the cache handles all content groups, or just a subset of Web content types.
Perhaps the most powerful feature of cache rules is that they let you control how long Web
content remains in cache. A validity period is used to determine how long Web content should
be served from the Web cache.
Web content stored in the Web cache expires according to Time to Live (TTL) settings for the
cached content. For Web content downloaded using the HTTP protocol, content expiration is
based on the TTL defined in the response header and the TTL settings in the cache rule. The
upper and lower TTL boundaries are based on a percentage of content age, which is the
amount of time that has passed since the cached Web content was created or modified.
Cached content obtained through the FTP protocol expires based on the TTL defined for FTP
content in the cache rule.
ISA Server 2004 checks whether a copy of the requested Web content exists in the cache, and
whether that copy is still valid, before the content is returned from the cache to the user
who requested it. Cached content is considered valid only if it has not exceeded its TTL as
specified in the HTTP or FTP caching properties of the cache rule or in the object itself.
You can also configure a cache rule so that the requested object is never cached and
requests for that content are always routed to the Internet Web server. This is a common
setting for sites that update content very frequently.
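The interaction between a cache rule's TTL settings and the freshness information in the response itself, as an added Python example that is not ISA Server code. The `CacheRule` fields (percent of content age, minimum and maximum TTL, never-cache) are assumed names modelled on the settings described above, not ISA's own configuration schema; the precedence between explicit and heuristic expiry follows RFC 7234 and is this example's assumption; `SAMPLE_NOW` and the header sets in `demo()` are constructed inputs.

```python
"""How a cache rule combines with HTTP response headers to yield a
time-to-live (TTL) for a cached object, and how the freshness check at
request time uses it.

Added example, not ISA Server code.  CacheRule and its fields are assumed
names modelled on the settings the text describes.  SAMPLE_NOW and the
header sets in demo() are constructed inputs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional


@dataclass(frozen=True)
class CacheRule:
    percent_of_age: int        # heuristic TTL as a percentage of content age
    min_ttl: timedelta         # lower boundary for the heuristic TTL
    max_ttl: timedelta         # upper boundary for the heuristic TTL
    never_cache: bool = False  # always route the request to the origin server


def _max_age(cache_control: str) -> Optional[int]:
    """Return the max-age value (seconds) from a Cache-Control header, if any."""
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return None


def compute_ttl(headers: Dict[str, str], rule: CacheRule,
                now: datetime) -> Optional[timedelta]:
    """How long the object may be served from cache; None means do not cache.

    Precedence assumed for this example (RFC 7234 style, not ISA-specific):
      1. never-cache rule, or a no-store / no-cache directive -> not cached
      2. explicit max-age or Expires from the origin -> that TTL
      3. otherwise the rule's percent-of-age heuristic on Last-Modified,
         clamped to [min_ttl, max_ttl]
      4. no freshness information at all -> the rule's minimum TTL
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    cc = hdr.get("cache-control", "").lower()
    if rule.never_cache or "no-store" in cc or "no-cache" in cc:
        return None
    max_age = _max_age(cc)
    if max_age is not None:
        return timedelta(seconds=max_age)
    if "expires" in hdr:
        return max(parsedate_to_datetime(hdr["expires"]) - now, timedelta(0))
    if "last-modified" in hdr:
        age = now - parsedate_to_datetime(hdr["last-modified"])
        heuristic = age * (rule.percent_of_age / 100.0)
        return min(max(heuristic, rule.min_ttl), rule.max_ttl)
    return rule.min_ttl


def is_fresh(cached_at: datetime, ttl: Optional[timedelta],
             now: datetime) -> bool:
    """The check made before serving from cache: is the copy inside its TTL?"""
    return ttl is not None and now < cached_at + ttl


# Constructed inputs for a stand-alone run.
SAMPLE_NOW = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)
DEFAULT_RULE = CacheRule(percent_of_age=20, min_ttl=timedelta(minutes=15),
                         max_ttl=timedelta(days=1))
NEVER_CACHE_RULE = CacheRule(percent_of_age=20, min_ttl=timedelta(minutes=15),
                             max_ttl=timedelta(days=1), never_cache=True)


def demo() -> Dict[str, Optional[float]]:
    """TTL in seconds for a few constructed responses under DEFAULT_RULE."""
    cases = {
        "max_age": {"Cache-Control": "public, max-age=600"},
        "no_store": {"Cache-Control": "no-store"},
        "expires": {"Expires": "Tue, 01 Jun 2004 13:00:00 GMT"},
        "heuristic": {"Last-Modified": "Tue, 01 Jun 2004 02:00:00 GMT"},  # 10 h old
        "clamped_low": {"Last-Modified": "Tue, 01 Jun 2004 11:59:00 GMT"},  # 1 min old
        "no_info": {"Content-Type": "text/html"},
    }
    out: Dict[str, Optional[float]] = {}
    for label, headers in cases.items():
        ttl = compute_ttl(headers, DEFAULT_RULE, SAMPLE_NOW)
        out[label] = None if ttl is None else ttl.total_seconds()
    return out


if __name__ == "__main__":
    for label, seconds in demo().items():
        print(f"{label:12s} -> {seconds}")
```

The "heuristic" case shows the percent-of-age rule at work: an object last modified ten hours ago gets a two-hour TTL at 20 percent, while a one-minute-old object would get twelve seconds and is lifted to the rule's fifteen-minute lower boundary. A never-cache rule wins over anything the origin says, which is the behaviour to use for frequently changing or per-user content.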
in its cache, and then returns the object from its own cache to the user who requested the
Web content.
Figure 4 depicts how Web proxy chaining works in this branch office/main office scenario:
1. The Web client sends a request for Web content to the Web caching server at the branch
office.
2. If the Web caching server at the branch office contains a valid version of the Web content
in its cache, it will return the content to the user who requested it.
3. If the content the branch office user requested is not contained in the branch office
server's cache, the request is forwarded to an upstream Web caching server in the Web
proxy chain.
4. If the upstream Web caching server has a valid copy of the requested content in cache,
then the content is returned to the branch office Web caching server. The branch office
Web caching server places the content in its own Web cache and then returns the
content to the branch office user who requested the content.
5. If the upstream Web caching server at the main office does not contain the requested
content in its cache, it will forward the request to the Web server on the Internet.
6. The Internet Web server returns the requested content to the main office Web caching
server. The Web caching server at the main office places the content in cache.
7. The main office returns the content to the branch office Web caching server. The branch
office Web caching server places the content in its cache.
8. The branch office Web caching server returns the content from its cache to the user who
requested it.
Figure 4: Web proxy chaining between a branch office and main office Web caching server
You can see from this example that Web proxy chaining brings Web content closer to the
user at multiple levels. Servers further up in the hierarchy have more content in their
Web cache than servers further down the chain. This increases the chance that a
downstream Web caching server can obtain content from cache without requiring a
connection to the Internet server.
Web proxy routing allows you to conditionally route requests based on the destination
included in the request. For example, an organization with a branch office in England sets
up an ISA Server 2004 Web caching server at that office. The branch office server is
connected to an English ISP. You can create a Web routing rule on the branch office ISA
Server 2004 Web caching server in England so that it directs requests for Internet hosts in the
United Kingdom through the local ISP connection and sends all other requests to the ISA
Server 2004 firewall at the company's main office in the United States.
In this way, the downstream ISA Server 2004 computer at the branch office in the United
Kingdom benefits from the ISA Server 2004 cache at headquarters, and local UK Web content
retrieved through the local ISP is cached at the branch office as well.
Figure 5 depicts how Web routing rules work in this scenario:
1. A client on the branch office network in England issues a request for a resource at
www.domain.us. The branch office ISA Server 2004 firewall and Web caching server routes
the request to the main office ISA Server 2004 firewall.
2. The main office ISA Server 2004 firewall forwards the request to the Web site located
in the US.
3. A client on the branch office network in England issues a request for a resource at
www.domain.co.uk. The branch office ISA Server 2004 firewall and Web caching server
routes the request to the Web server located in the UK via the local ISP.
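A runnable model of the chaining sequence (steps 1 to 8 above) combined with the destination-based routing rule of the England example, as an added Python example that is not ISA Server code. The `Proxy` and `Origin` classes, the `route_direct_suffixes` rule and the request URLs are this example's own constructions; cached objects are assumed to stay valid for the length of the run, so TTL handling is left out.

```python
"""Two-level Web proxy chain with a destination-based routing rule.

Added example, not ISA Server code.  The branch proxy answers from its own
cache, sends requests whose host matches a local rule (assumed here: hosts
under .uk) straight to the origin via the local ISP, and chains everything
else to the main office proxy.  Proxy, Origin, route_direct_suffixes and the
URLs in run_scenario() are this example's own constructions.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


class Origin:
    """Stand-in for the Internet Web server: records every fetch it serves."""

    def __init__(self) -> None:
        self.fetches: List[str] = []

    def fetch(self, url: str) -> str:
        self.fetches.append(url)
        return f"<body of {url}>"


class Proxy:
    def __init__(self, name: str, origin: Origin,
                 upstream: Optional["Proxy"] = None,
                 route_direct_suffixes: Tuple[str, ...] = ()) -> None:
        self.name = name
        self.origin = origin
        self.upstream = upstream                      # next hop in the chain
        self.route_direct_suffixes = route_direct_suffixes
        self.cache: Dict[str, str] = {}
        self.log: List[str] = []                      # how each request was served

    def routes_direct(self, url: str) -> bool:
        """Routing rule: match the host against DNS suffixes, not substrings,
        so 'ukulele.example.com' does not match the 'uk' rule."""
        host = urlsplit(url).hostname or ""
        return any(host == s or host.endswith("." + s)
                   for s in self.route_direct_suffixes)

    def get(self, url: str) -> str:
        if url in self.cache:                         # step 2: local hit
            self.log.append(f"{self.name}: HIT {url}")
            return self.cache[url]
        if self.upstream is not None and not self.routes_direct(url):
            self.log.append(f"{self.name}: MISS {url} -> {self.upstream.name}")
            body = self.upstream.get(url)             # step 3: chain upstream
        else:
            self.log.append(f"{self.name}: MISS {url} -> origin")
            body = self.origin.fetch(url)             # steps 5-6, or the direct route
        self.cache[url] = body                        # steps 4 and 7: every hop keeps a copy
        return body


def run_scenario() -> Dict[str, int]:
    """Replay the requests from the text and report who served what."""
    origin = Origin()
    main = Proxy("main-office", origin)
    branch = Proxy("branch-uk", origin, upstream=main,
                   route_direct_suffixes=("uk",))
    branch.get("http://www.domain.us/report.html")    # chained to main, then origin
    branch.get("http://www.domain.us/report.html")    # served from the branch cache
    branch.get("http://www.domain.co.uk/news.html")   # direct via the local ISP
    main.get("http://www.domain.us/report.html")      # main office already has it
    return {
        "origin_fetches": len(origin.fetches),
        "branch_hits": sum(1 for e in branch.log if " HIT " in e),
        "main_hits": sum(1 for e in main.log if " HIT " in e),
        "in_main_cache_uk": int("http://www.domain.co.uk/news.html" in main.cache),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two origin fetches serve four requests, and the main office cache never sees the UK object at all. That last point is the practical caveat of a direct routing rule: requests it matches never traverse the main office firewall, so whatever inspection or usage policy is enforced there has to be enforced on the branch office server as well.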
Deterministic. The CARP algorithm tells the Web client exactly which array member will
cache the Web content for a particular URL. The client does not need to query array
members to find out which one is responsible for the content.
Load-balanced. You can adjust load factors so that the more capable servers receive more
requests. This lets the ISA Server 2004 firewall administrator assign a larger share of the
load to array members with more powerful hardware.
Reliable. If a particular ISA Server 2004 array member becomes unavailable, the Web
client sends the request to a second ISA Server 2004 machine in the array. When the
original server comes back online, the client again sends requests to the array member
with primary responsibility for the URL and obtains the Web content from it.
Scalable. Servers can be added to or removed from the array without causing network
performance problems. Cache performance grows with the number of array members and
shrinks when members are removed.
Stable. Adding and removing servers does not cause all of the cached objects to shift
between servers. If an array grows from four to five servers, approximately 1/5 of the
cached objects are reassigned to the new server; the remaining objects stay where they
are, and no currently cached content is transferred between members.
An example of where CARP is of value is a medium-sized organization with 1,500 client
computers connecting to the Internet through an array of three ISA Server 2004 firewall and
Web caching servers. Web clients send requests to the array member responsible for a
specific URL and immediately obtain cached content from that array member. If one of the
array members becomes unavailable for any reason, the Web client immediately resends the
request to a second array member. CARP enables the company's Web clients to access the
Internet even when two of the three caching array members have become unavailable.
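The five CARP properties listed above, measured on a hash-based member selection, as an added Python example. This is not ISA Server code and not the exact hash function of the CARP specification: it keeps the structure the text describes (a deterministic function of the URL and the member names, weighted by a per-member load factor, evaluated by the client with no queries between members) but uses SHA-256 and weighted rendezvous hashing so that the properties can be checked numerically. Member names, load factors and `SAMPLE_URLS` are constructed inputs.

```python
"""Client-side, hash-based selection of the array member responsible for
a URL, in the style of CARP.

Added example, not ISA Server code and not the CARP specification's own
hash.  Member names, load factors and SAMPLE_URLS are constructed inputs.
"""
import hashlib
from typing import Dict, List, Sequence


def _unit_hash(member: str, url: str) -> float:
    """Deterministic value in [0, 1) for a (member, URL) pair.

    A cryptographic hash is used instead of Python's hash(), which is
    randomised per process and would make clients disagree with each other."""
    digest = hashlib.sha256(f"{member}\x00{url}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


def carp_order(url: str, members: Dict[str, float]) -> List[str]:
    """Rank members for a URL, best first (deterministic, no queries sent).

    Weighted rendezvous hashing: raising the unit hash to 1/load_factor makes a
    member's share of URLs proportional to its load factor (load-balanced).
    The second entry is the fail-over member a client uses when the first is
    down; once it is back, the same function sends requests to it again
    (reliable)."""
    scored = [(_unit_hash(name, url) ** (1.0 / load_factor), name)
              for name, load_factor in members.items()]
    return [name for _, name in sorted(scored, reverse=True)]


def route(url: str, members: Dict[str, float],
          available: Sequence[str]) -> str:
    """The member a client sends this request to, skipping unreachable ones."""
    for name in carp_order(url, members):
        if name in available:
            return name
    raise RuntimeError("no array member available")


def distribution(urls: Sequence[str], members: Dict[str, float]) -> Dict[str, int]:
    """How many of `urls` each member is primarily responsible for."""
    counts = {name: 0 for name in members}
    for u in urls:
        counts[carp_order(u, members)[0]] += 1
    return counts


def moved_fraction(urls: Sequence[str], before: Dict[str, float],
                   after: Dict[str, float]) -> float:
    """Fraction of URLs whose primary member changes between two array
    configurations (stable: growing from four to five equal members should
    move about one fifth of the objects and leave the rest in place)."""
    moved = sum(1 for u in urls
                if carp_order(u, before)[0] != carp_order(u, after)[0])
    return moved / len(urls)


# Constructed URL set for measuring the properties.
SAMPLE_URLS = [f"http://www.example.com/page{i}.html" for i in range(2000)]

if __name__ == "__main__":
    arr = {"isa1": 1.0, "isa2": 1.0, "isa3": 2.0}   # isa3 has stronger hardware
    print(distribution(SAMPLE_URLS, arr))
    print(route("http://www.example.com/page7.html", arr, ["isa1", "isa2"]))
    five = dict(arr, isa4=1.0, isa5=1.0)
    print(f"moved when adding isa4/isa5: {moved_fraction(SAMPLE_URLS, arr, five):.2f}")
```

The function has to produce the same answer on every client and on every array member, which is why a process-randomised hash is unusable here and why the member list and load factors must be distributed to clients consistently; a client working from a stale or tampered member list will route to the wrong server and miss the cache.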
DHCP
DNS
Group Policy
The firewall administrator can use one or more of these methods to enable transparent
access to the ISA Server 2004 Web cache. This allows Web content to be accessed and
cached as transparently as with caching protocols that require off-box solutions and
router-based port redirection.
Advantages of an Integrated Firewall and Web Caching Server
Organizations have a wide range of options for Web caching and each has its advantages.
There are several reasons why choosing ISA Server 2004 as your firewall and Web caching
solution is a good choice:
The integrated firewall and Web caching solution provides a single, unified management
interface. This simplifies management of the firewall and Web caching components and
minimizes the risk of misconfiguring either component.
Web caching protocols that require additional network devices to off-load the caching
process incur greater protocol overhead and increase overall network traffic. This can
increase the number of retransmits required to access Web content.
Off-box solutions present a second point of failure. Problems with the dedicated Web
caching device, or lost connectivity between the router and the Web caching device, can
prevent access to cached content and potentially prevent access to all Web content.
Caching methods that require off-box caching devices require the purchase of multiple
dedicated caching devices for organizations that wish to scale out. In contrast, ISA Server
2004 firewall and Web caching servers scale out by adding CARP array members. The
organization not only benefits from scaling out the cache, but also gains additional
firewall resources that can provide load balancing and failover for Internet access in
general.
These are just a few reasons why an ISA Server 2004 integrated firewall and Web caching
solution is the superior choice for any Internet connected organization.
Caching Scenarios
Web Proxy Chaining for Branch Offices
Internet Connected Company, Inc. is an Internet marketing firm with its main office in Dallas,
Texas and three small sales offices located in Houston, San Antonio and Austin. The main
office has 500 employees. Each of the three branch offices has approximately 50
employees. The branch offices connect to headquarters over 768 Kbps DSL links. The main
office connects to the Internet with a 1.544 Mbps T1 link. The Internet is used for research on
industry trade Web sites and for sending and receiving business-related e-mail.
The sales offices commonly research the same Web sites for their marketing projects. To
help reduce the traffic on each of the branch office and main office Internet links, an ISA
Server 2004 firewall and Web caching server is added to each branch office. Scheduled
Content Download Jobs for important industry Web sites are created at each of the branch
office sites and configured to take place during times when employees are not in the offices.
An ISA Server 2004 firewall and Web caching server is also installed at the main office. A
Web proxy chaining relationship is set up between the main and branch offices. Active
Caching is enabled at both the branch and main offices.
The branch offices now have the Web content they require stored on their local Web caching
machines. This reduces the traffic on the DSL links connecting them to the main office. In
addition, the main office also has the same content contained in its cache. Because Active
Caching is enabled, branch office users can benefit from the fresh Web content contained in
the main office cache.
Caching Arrays on a Campus Network
A large university campus is experiencing problems with excessive Web traffic on its T3
Internet connection. Network engineers have researched the traffic patterns and determined
that over 80% of the traffic is Web related and that a significant percentage of the requests
are repeat connections to common Web sites. The university decides to implement ISA
Server 2004 caching arrays to reduce the overall burden on the Internet link.
ISA Server 2004 firewall and Web caching servers are placed at the edges of all student and
departmental LANs on campus. An array of four ISA Server 2004 Web caching servers is
placed on the campus backbone network. The ISA Server 2004 firewall and Web caching
servers on the student and departmental LANs are configured in a Web proxy chaining
configuration using the caching array on the campus backbone as their upstream proxy.
The amount of bandwidth used on the campus Internet link is significantly reduced after the
ISA Server 2004 firewall and Web caching servers are introduced to the campus networks. In
addition, the bandwidth used on the campus backbone network is reduced because content is
also cached on the student and departmental LAN servers.
Conclusion
ISA Server 2004 provides a rich set of enterprise level firewall, Web caching and VPN
capabilities. Administrators can monitor and configure all ISA Server 2004 computers in their
organization from a single desktop using its centralized administrative interface. Multiple ISA
Server 2004 firewall and Web caching servers can be joined in either caching arrays or Web
proxy chains to increase Internet performance and availability of Internet content for corporate
Web users.
As an enterprise class firewall, ISA Server 2004 supports comprehensive control of all
information that passes through the server. This ensures that all Web traffic can be inspected
and forwarded or rejected based on a wide range of criteria including: who sent it, where it is
going, and what application is sending or receiving it. The criteria can even be extended to
include specific rules such as schedules and keywords. The firewall features of ISA Server
2004 are ideal for protecting the perimeter of an organization's network or securing key
portions of the private, internal network.
ISA Server 2004's Web caching abilities enable the firewall administrator to customize how
cached content is delivered to the user and what content should and should not be cached.
Active Caching, Scheduled Content Download Jobs, Web routing rules and transparent Web
proxy access enable the ISA Server 2004 Web caching server to be placed anywhere in the
corporate network with virtually no disruption of the current network and firewall infrastructure.
Because of its tight firewall integration, ISA Server 2004 also provides one of the most
advanced and secure VPN server components on the market. It supports a wide range of
VPN scenarios, including connections from clients outside the organization's network and
connections between an organization's offices. It can even secure connections that
transfer sensitive information within an organization's private network.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in
this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does
not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.