Configuring URL and Domain Packet Prioritization with Diffserv
By Greg Mullholland
One of the new features that was added with ISA 2004 Service Pack 2 was the ability to do packet prioritization for HTTP and HTTPS traffic. This feature is provided by ISA’s Diffserv filter which will scan domains and URL’s within the HTTP(S) traffic and assign a priority to them using Diffserv bits.
Diffserv works in conjunction with your QoS enabled routers to improve bandwidth across the Internet and other WAN links you might have. Packet prioritization is defined as a global policy rather than being handled on a per-rule basis. By this I mean that all browser traffic that passes through ISA is subject to these controls.
If you haven’t got sp2 yet I have included the link to ISA Server downloads here:
For the purpose of this article I am not going to go into the ins and outs of Diffserv, only to say that essentially it is a protocol that defines traffic prioritization at layer 3. Diffserv markings are placed in the header of the IP packet and are then used to classify or shape traffic.
If you need to find out more a good place to start would be here:
So what do we do with it?
Let’s do a walkthrough install shall we, that should make it a bit clearer.
By now with all the commotion you should have noticed a “Specify Diffserv Preferences” option under Global HTTP Policy Settings under the Configuration/General node. If not find it now, this is where we need to do our stuff!
First and foremost we need to enable prioritization of these bits and we do this by ticking the box which says Allow the setting of Diffserv bits according to URLs and domain names
We then jump along to the next tab to the right and configure the priorities and binary Diffserv values to be used or supported by your ISA Server.
So let’s create our first priority by choosing the Add button
Since this is my first rule I have simply assigned a binary value (also known as the Differentiation Service Codepoint or DSCP) of 110010 for the Diffserv bits. This value also matches the binary value that my router would use.
Here I have enabled a size limit for this priority and by doing this I am basically saying that this priority should only be applied to responses or requests which do not exceed that limit. If the request or response does exceed that limit the next priority that matches it will be applied.
For the sake of ease I have configured two more priority which will match my router settings and I will apply these rules to different URLs and domains.
So now we have some priorities in place its time to assign them to something. Open the URLs tab and choose the Add button again.
Here for instance I will assign my first priority to google.com and my second priority to microsoft.com. I can also apply different priorities to URLs within the same parent domain. That is to say, I can assign www.microsoft.com /isaserver/* a higher priority than the rest of the Microsoft site by adding www.microsoft.com/* and making sure that the isaserver URL is higher in the priority ruling.
OK so we have configured some priorities for HTTP URLs but what about traffic that is tunneled over HTPS connections? Here is where the domain rules come in. ISA cannot doesn’t know what the URL is when the traffic is tunneled over HTTPS so it will apply the Diffserv bits to domains.
To setup priorities for domains, simply go to the domains tab and select the Add button again and enter the domain names applicable, giving them the correct priority.
Again you can use the wildcard * to separate priorities to different parts of a domain and assigning the correct priorities.
The final thing we need to do in order to make this work is to select which ISA Networks these settings will apply to. To do this, you guessed it, the only tab left, Networks.
Given that I only have a QoS router on my external network and it is going to work in conjunction with my ISA Server, I am going to enable these settings on the External network. You may have other Networks defined in ISA in some scenarios and QoS routers at your disposal but the same principles will apply in those instances.
So that’s it. No longer can we lament about the fact that Microsoft ditched he Bandwidth Control feature in ISA Server 2000. The reality is that for those of us who are serious about packet prioritization and traffic shaping we can now use our ISA Servers along with a traffic control mechanism that the rest of the industry is using to do this effectively, which should keep folks happy, for a while!