ISA 2006 Web Caching
[LEFT][CODE]http://www.isaserver.org/tutorials/ISA-2006-Web-Caching.html[/CODE]
A lot of ISA Firewall admins might forget that the ISA Firewall isn’t only an enterprise class network firewall, but also a nifty Web caching device. The Web caching feature allows the ISA Firewall to cache the responses it gets from user requests from behind the ISA Firewall. This can speed up the Web browsing experience for users and even allow users to view cached content when the Web server hosting the content is offline.
The first step in getting Web caching working is to turn it on. To do that, open the ISA Firewall console and then expand the [B]Configuration[/B] node in the left pane of the console. Click on the [B]Cache[/B] node and then click the [B]Tasks[/B] tab in the Task Pane. Click the [B]Define Cache Drives (Enable Caching)[/B] link.
[B][IMG]http://www.isaserver.org/img/upl/image0021190629209095.jpg[/IMG]
Figure 1[/B]
In the [B]Define Cache Drives[/B] dialog box, enter the size of the disk cache you want to have. I generally allow about 10 MB per user. In the example below you see that I’m setting the cache to be [B]250 MB[/B]. Keep in mind that the maximum size for a cache file on a single drive is 64 GB. Also, the drive must be formatted to use NTFS.
[B][IMG]http://www.isaserver.org/img/upl/image0041190629209110.jpg[/IMG]
Figure 2[/B]
Right click the [B]Cache[/B] node in the left pane of the console and click [B]Properties[/B].
[B][IMG]http://www.isaserver.org/img/upl/image0061190629209110.jpg[/IMG]
Figure 3[/B]
The [B]General[/B] tab of the [B]Cache Settings[/B] dialog box tells you how big your cache is.
[B][IMG]http://www.isaserver.org/img/upl/image0081190629233720.jpg[/IMG]
Figure 4[/B]
On the [B]Advanced[/B] tab you have several options.
The [B]Cache objects that have an unspecified last modification time[/B] option allows the ISA Firewall to cache objects that don’t have a time stamp. When the ISA Firewall caches these objects, you can set custom cache rules to determine how long these objects stay in the cache.
The [B]Cache objects even if they do not have an HTTP status code of 200[/B] option allows you to cache pages that do not return an OK response when connecting to the destination Web server. This allows for offline caching and other caching behaviors.
The [B]Maximum size of URL cached in memory (bytes)[/B] option allows you to configure the maximum size of an object placed in the in-memory cache. The in-memory cache is much faster than the on-disk cache, so you don’t want to clog the in-memory cache with large objects, such as graphics and files. You can enter a custom value if you like, but the default is [B]12800[/B] bytes.
You have two options under [B]If Web site of expired object cannot be reached[/B]. You can configure the ISA Firewall to:
[LIST]
[*][B]Do not return the expired object (return an error page)[/B]. This tells the ISA Firewall to return an error indicating that the object is not available, even if the object is in the cache.
[*][B]Return the expired object only if expiration was[/B]. This allows the ISA Firewall to return objects in the cache even when the Web site is not available. How long the ISA Firewall will continue to return these objects from the cache depends on the following settings: [B]At less than this percentage of original Time-to-Live[/B], [B]But no more than (minutes)[/B]. These two options determine how long the object can be returned from the cache when the Web server hosting that content is not available.
[/LIST]
The [B]Percentage of free memory to use for caching[/B] is actually the percentage of memory you want to give to the cache file. It’s really not the percentage of “free” memory because the cache memory size won’t change over time and will not give up memory to other processes. So this is a static value based on how much memory your machine has. The default is 10%, but if you have lots of RAM, you might consider increasing this at 10% intervals until you run into trouble to see how much memory you can dedicate to Web caching.
[B][IMG]http://www.isaserver.org/img/upl/image0101190629233720.jpg[/IMG]
Figure 5[/B]
[B]Creating Cache Rules[/B]
Cache rules allow you to define what objects you want to cache and the cache behavior for those objects. To create a cache rule, click on the [B]Cache[/B] node in the left pane of the ISA Firewall console and then click the [B]Tasks[/B] tab on the Task Pane. Click the [B]Create a Cache Rule[/B] link.
[B][IMG]http://www.isaserver.org/img/upl/image0121190629233735.jpg[/IMG]
Figure 6[/B]
On the [B]Welcome to the New Cache Rule Wizard[/B] page, enter a name for the cache rule. In this example we’ll create a cache rule that is applied to all content accessed from the Internet, with the exception of the Microsoft Update Site, which has its own rule that should be above all other rules. Click [B]Next[/B].
[B][IMG]http://www.isaserver.org/img/upl/image0141190629256407.jpg[/IMG]
Figure 7[/B]
On the [B]Cache Rule Destination[/B] page, click the [B]Add[/B] button. In the [B]Add Network Entities[/B] dialog box you select which destination you want this rule to apply to. In this example we want the rule to apply to all Internet access, so we’ll click the [B]Networks [/B]folder and then double click on the [B]External[/B] entry. Note that you can create very finely tuned cache rules by having the destination be a [B]URL Set[/B] or a [B]Domain Name Set[/B]. Click [B]Close[/B] on the [B]Add Network Entities [/B]dialog box.
[B][IMG]http://www.isaserver.org/img/upl/image0161190629256423.jpg[/IMG]
Figure 8[/B]
On the [B]Content Retrieval [/B]page you set how objects stored in the cache are retrieved when requested by users. You have three options:
[LIST]
[*][B]Only if a valid version of the object exists in cache. If no valid version exists, route the request to the server.[/B] So, if there is an expired version of the object in the cache, the ISA Firewall will connect to the Web server to get a fresh version of the object.
[*][B]If any version of the object exists in cache. If none exists, route the request to the server.[/B] So, if there is any version of the object in the cache, it will return it to the user, even if it is expired. If no version of the object is in cache, it will go to the Web server to get it.
[*][B]If any version of the object exists in cache. If none exists, drop the request (never route the request to the server).[/B] So, if any version is in the cache, it will return it to the user. If there is no version of the object in the cache, the ISA Firewall will not try to get it from the Web server and will just drop the request.
[/LIST]
The default option is [B]Only if a valid version of the object exists in the cache. If no valid version exists, route the request to the server[/B]. In this example we’ll select the default and click [B]Next[/B].
[B][IMG]http://www.isaserver.org/img/upl/image0181190629256423.jpg[/IMG]
Figure 9[/B]
On the [B]Cache Content[/B] page you tell the ISA Firewall whether retrieved content is stored in the cache. By default, an object is stored in the cache only if its source and request headers indicate that the object should be cached. However, you can instead select [B]Never, no content will ever be cached[/B]. So, if there is a site where you never want the content to be cached, maybe because you always need the most up to date content, then you should select that option.
Three other options are:
[LIST]
[*][B]Dynamic content: [/B]When you select this option, the ISA Firewall will cache the content, even if the Web server indicates that the content should not be cached.
[*][B]Content for offline browsing: [/B]This allows the ISA Firewall to cache content even when the Web server is not available or the location of the objects has changed.
[*][B]Content requiring user authentication for retrieval: [/B]This allows the ISA Firewall to access content that requires user authentication. Be careful with this one, because it has the potential to allow users to see the authenticated content from other users.
[/LIST]
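The following added example (not part of the original article, and not ISA's own decision logic) models the [B]Dynamic content[/B] and [B]Content requiring user authentication for retrieval[/B] options over standard HTTP headers, and lists which responses would land in the shared cache only because an override is enabled. The header checks, class and function names, and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class RuleOptions:
    dynamic_content: bool = False        # cache even if the server says not to
    authenticated_content: bool = False  # cache content that required user authentication

def cache_decision(req_headers, resp_headers, opts):
    """Return (cached, overrides_used) for one request/response pair (simplified model)."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    directives = {d.strip().lower().split("=")[0]
                  for d in resp.get("cache-control", "").split(",") if d.strip()}
    overrides = []
    # Assumption: these directives stand for "the server indicates do not cache".
    if directives & {"no-store", "no-cache", "private"}:
        if not opts.dynamic_content:
            return False, []
        overrides.append("dynamic-content")
    # Assumption: an Authorization request header marks authenticated retrieval.
    if "authorization" in req:
        if not opts.authenticated_content:
            return False, []
        overrides.append("authenticated-content")
    return True, overrides

def exposed_by_rule(transactions, opts):
    """URLs stored in the shared cache only because an override option is on."""
    exposed = []
    for url, req, resp in transactions:
        cached, overrides = cache_decision(req, resp, opts)
        if cached and overrides:
            exposed.append((url, overrides))
    return exposed

# Constructed sample traffic: (url, request headers, response headers)
SAMPLE = [
    ("/logo.png", {}, {"Cache-Control": "max-age=3600"}),
    ("/account/statement", {"Authorization": "Basic <constructed>"},
     {"Cache-Control": "private"}),
    ("/news/latest", {}, {"Cache-Control": "no-cache"}),
    ("/reports/q3.pdf", {"Authorization": "Basic <constructed>"},
     {"Cache-Control": "max-age=600"}),
]

if __name__ == "__main__":
    for url, why in exposed_by_rule(SAMPLE, RuleOptions(True, True)):
        print(url, "cached via", ", ".join(why))
```

Scoping a rule with these options to a [B]URL Set[/B] or [B]Domain Name Set[/B] rather than [B]External[/B] keeps the set of affected URLs small enough to review.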
Click [B]Next[/B].
[B][IMG]http://www.isaserver.org/img/upl/image0201190629286595.jpg[/IMG]
Figure 10[/B]
On the [B]Cache Advanced Configuration[/B] page, you can limit the size of cached objects. By default, there is no limit to the size of an object that can be cached. However, if you select the [B]Do not cache objects larger than[/B] option, you can set a maximum size of cached objects. Use this option if you’re worried about your cache file getting filled up too quickly by very large objects, such as pictures or data files.
The other option on this page is [B]Cache SSL responses[/B]. Be aware that the ISA Firewall cannot cache SSL responses in a forward Web proxy scenario because the ISA Firewall cannot see what’s inside the SSL tunnel. However, if you install Collective Software’s [B]ClearTunnel[/B], you will be able to cache responses made over an SSL connection. For more information about [B]ClearTunnel[/B], check out [URL="http://www.collectivesoftware.com/"]www.collectivesoftware.com[/URL].
Click [B]Next[/B].
[B][IMG]http://www.isaserver.org/img/upl/image0221190629286595.jpg[/IMG]
Figure 11[/B]
On the [B]HTTP Caching[/B] page, unless the source specifies an expiration time, HTTP objects stored in the cache are updated according to the time-to-live (TTL) settings. The TTL is the amount of time content remains in the cache before it expires. Content age is the amount of time since the object was created or modified, which is information contained in the object’s header.
The [B]Set TTL of objects (% of content age)[/B] option is set at 20% by default. HTTP objects remain valid in the cache according to TTL settings. TTL settings are based on the TTL defined in the response header, and the TTL boundaries defined in the cache rule. The percent of the content age is a percentage of the time of the content's existence. The higher the percentage, the less frequently the cache is updated.
You can also set TTL time boundaries, so that you can set custom [B]No less than[/B] and [B]No more than[/B] times.
Finally, you can override expiration times included in the cached object’s header by selecting the [B]Also apply these TTL boundaries to sources that specify expiration[/B] option.
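The TTL settings above and the [B]If Web site of expired object cannot be reached[/B] settings on the [B]Advanced[/B] tab combine into one freshness decision. The following added example (not part of the original article, and not ISA's own code) models that decision; the boundary and grace values are constructed, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class CacheRule:
    ttl_percent: float = 20.0     # "Set TTL of objects (% of content age)", default per the article
    min_ttl_s: int = 15 * 60      # "No less than" (constructed value)
    max_ttl_s: int = 24 * 3600    # "No more than" (constructed value)
    bound_explicit: bool = False  # "Also apply these TTL boundaries to sources that specify expiration"

@dataclass
class StalePolicy:
    serve_expired: bool = True        # "Return the expired object only if expiration was"
    max_percent_of_ttl: float = 50.0  # "At less than this percentage of original Time-to-Live" (constructed)
    max_minutes: int = 60             # "But no more than (minutes)" (constructed)

def clamp(value, low, high):
    return max(low, min(high, value))

def effective_ttl(rule, content_age_s, explicit_ttl_s=None):
    """TTL in seconds for an object whose content age was content_age_s when cached."""
    if explicit_ttl_s is not None:
        # The source specified an expiration: honour it unless the rule overrides it.
        if rule.bound_explicit:
            return clamp(explicit_ttl_s, rule.min_ttl_s, rule.max_ttl_s)
        return explicit_ttl_s
    return clamp(content_age_s * rule.ttl_percent / 100, rule.min_ttl_s, rule.max_ttl_s)

def decide(rule, policy, content_age_s, time_in_cache_s, origin_up, explicit_ttl_s=None):
    """Model of what the cache does with a stored object when it is requested."""
    ttl = effective_ttl(rule, content_age_s, explicit_ttl_s)
    if time_in_cache_s <= ttl:
        return "serve-fresh"
    if origin_up:
        return "refetch"
    # Origin unreachable: the expired copy is served only inside the grace window.
    overdue = time_in_cache_s - ttl
    grace = min(ttl * policy.max_percent_of_ttl / 100, policy.max_minutes * 60)
    if policy.serve_expired and overdue < grace:
        return "serve-expired"
    return "error-page"
```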
Click [B]Next[/B].
[B][IMG]http://www.isaserver.org/img/upl/image0241190629286626.jpg[/IMG]
Figure 12[/B]
The ISA Firewall can also cache objects obtained via FTP for Web Proxy clients (the ISA Firewall won’t cache FTP responses from non-Web proxy client applications). The default is to enable FTP caching and a TTL of 1 day is selected. You can change these defaults to meet your needs. Click [B]Next[/B].
[B][IMG]http://www.isaserver.org/img/upl/image0261190629312985.jpg[/IMG]
Figure 13[/B]
Click [B]Finish[/B] on the [B]Completing the New Cache Rule Wizard[/B] page.
[B][IMG]http://www.isaserver.org/img/upl/image0281190629313001.jpg[/IMG]
Figure 14[/B]
On the [B]Cache Rules[/B] tab, right click the [B]All Sites[/B] rule and click [B]Move Down[/B]. We need to do this because the [B]Microsoft Update Cache Rule[/B] needs to be on top.
[B][IMG]http://www.isaserver.org/img/upl/image0301190629313001.jpg[/IMG]
Figure 15[/B]
[B]Summary[/B]
In this article we took a break from covering the ISA Firewall’s network firewall feature set and set our sights on the Web proxy filter’s Web caching element. We went through the process of turning on the cache and then how to configure the basic Web cache settings. We finished up by seeing how to create a cache rule and the options available in cache rules.
[/LEFT]