Configuring Firewall Chains

ISA Server supports both distributed and hierarchical caching. In distributed caching, the ISA Server cache is distributed among array members. In hierarchical caching, different ISA Servers or arrays can connect to other ISA Servers or arrays for cached data access, or eventual access to the Internet. The array closest to the Internet is considered the “upstream” array, while the array farthest from the Internet is considered the “downstream” array. Aside from caching, a chained configuration can provide authentication functions as well.

A chain configuration offers a number of potentially helpful and cost-saving possibilities. Downstream servers or arrays are commonly used for different company divisions or departments. For example, let’s say your company has a primary ISA Server array that connects to the Internet. The marketing group uses the Internet quite frequently, so a downstream server is provided for that group; its caching is handled by a single server that serves the group and speeds its access to site content. The following steps outline how this process works.

1. When a request is made to the downstream server that cannot be fulfilled from its cache, it passes the request to the upstream array.
2. If the upstream array holds the requested item in the cache, it is passed to the downstream server.
3. The downstream server then caches the item and provides it to the client. If the same request is made again, the downstream server can simply provide the item directly from its cache.
4. If the upstream server does not hold the requested item, it retrieves it from the Internet, caches it, then passes it to the downstream server, which also caches the item before returning it to the client.


Curt Simmons is the author of “Microsoft Internet Security and Acceleration Server 2000 Study Guide: Exam 70-227 (Certification Study Guides)” (June 2001).

Curt Simmons is also the author of “Microsoft ISA Configuration and Administration”.

As you can see, the idea is to keep the cached content the marketing group needs as close to the group as possible so that content is readily available and can be quickly served.

There are many other potential applications as well. For example, you might have a satellite office with a single ISA Server that does not have a direct Internet connection. The downstream server can dial up to the network’s upstream array for service. You might also use a number of downstream servers to segment network traffic. As you can see, there are a number of possibilities, and a chained configuration can often be used to solve traffic and connectivity issues.

Upstream and downstream servers are aware of each other’s presence and configuration due to the array membership list. Using a polling method and a default URL of http://arrayname/array.dll?, both upstream and downstream members are aware of the array members in other arrays on your network. You can also require that connections from downstream servers to upstream servers be authenticated, which provides an additional measure of security.

Fortunately, the use of firewall chains is more of a planning issue than a configuration issue because configuration is quite easy. Once you are sure how you want to chain any servers or arrays together, you can simply access the Network Configuration properties page for the desired server or array that will be a downstream server / array, as shown in Figure 1.

As you can see, you can choose to use the primary connection (and dial-up entry) if one is configured, or you can choose to chain to a particular computer. Use the browse button to select the desired upstream server, or enter the FQDN in the provided dialog box. Also notice that you can use the account option so that you can log on to the server using a certain account. If a dial-up entry is required to connect to the upstream server, simply use the check box to enable it.
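The four-step lookup described earlier and the account option above can be modelled in a few lines. This is an added example, not ISA Server code or anything from the original article: the class names, node names, account names and URL are constructed, and the account check is a simplified assumption about how an upstream array treats an unauthenticated chained request.

```python
# Added model of a two-level cache chain; not ISA Server code.
# Node names, account names and the URL are constructed for illustration.

class Internet:
    """Stands in for origin servers and counts real retrievals."""
    def __init__(self):
        self.fetches = 0

    def fetch(self, url):
        self.fetches += 1
        return f"content of {url}"

class CacheNode:
    """One server or array in the chain."""
    def __init__(self, name, upstream, chain_account=None, allowed=None):
        self.name = name
        self.upstream = upstream            # next hop: CacheNode or Internet
        self.chain_account = chain_account  # account presented to the upstream
        self.allowed = allowed              # None: no authentication required
        self.cache = {}

    def fetch(self, url, account=None):
        # Upstream side: refuse chained requests without an allowed account.
        if self.allowed is not None and account not in self.allowed:
            raise PermissionError(f"{self.name}: account {account!r} refused")
        if url in self.cache:               # steps 2 and 3: serve from cache
            return self.cache[url], [f"{self.name}:hit"]
        if isinstance(self.upstream, Internet):   # step 4: retrieve from Internet
            body, trace = self.upstream.fetch(url), ["internet"]
        else:                               # step 1: pass the request upstream
            body, trace = self.upstream.fetch(url, account=self.chain_account)
        self.cache[url] = body              # cache the item before returning it
        return body, [f"{self.name}:miss"] + trace

def build_chain():
    """Constructed topology: two downstream servers chained to one upstream array."""
    net = Internet()
    up = CacheNode("upstream", net, allowed={"svc-marketing", "svc-sales"})
    marketing = CacheNode("marketing", up, chain_account="svc-marketing")
    sales = CacheNode("sales", up, chain_account="svc-sales")
    unlisted = CacheNode("unlisted", up)    # chains without an account
    return net, marketing, sales, unlisted

if __name__ == "__main__":
    net, marketing, sales, unlisted = build_chain()
    url = "http://www.example.com/"
    for node in (marketing, marketing, sales):
        print(node.name, node.fetch(url)[1])
    print("Internet retrievals:", net.fetches)
```

The trace shows the second downstream server being served from the upstream cache, so three client requests cost one Internet retrieval, while the server that presents no account is refused before anything is cached.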
