ISA 2006 Web Caching
A lot of ISA Firewall admins might forget that the ISA Firewall isn’t only an enterprise class network firewall, but also a nifty Web caching device. The Web caching feature allows the ISA Firewall to cache the responses it gets from user requests from behind the ISA Firewall. This can speed up the Web browsing experience for users and even allow users to view cached content when the Web server hosting the content is offline.
The first step in getting Web caching working is to turn it on. To do that, open the ISA Firewall console and then expand the Configuration node in the left pane of the console. Click on the Cache node and then click the Tasks tab in the Task Pane. Click the Define Cache Drives (Enable Caching) link.
In the Define Cache Drives dialog box, enter the size of the disk cache you want to have. I generally allow about 10 MB per user. In the example below you see that I’m setting the cache to be 250 MB. Keep in mind that the maximum size for a cache file on a single drive is 64 GB. Also, the drive must be formatted to use NTFS.
Right click the Cache node in the left pane of the console and click Properties.
The General tab of the Cache Settings dialog box tells you how big your cache is.
On the Advanced tab you have several options.
The Cache objects that have an unspecified last modification time option allows the ISA Firewall to cache objects that don’t have a time stamp. When the ISA Firewall caches these objects, you can set custom cache rules to determine how long these objects stay in the cache.
The Cache objects even if they do not have an HTTP status code of 200 option allows you to cache pages that do not return an OK response when connecting to the destination Web server. This allows for offline caching and other caching behaviors.
The Maximum size of URL cached in memory (bytes) option allows you to configure the maximum size of an object placed in the in-memory cache. The in-memory cache is much faster than the on-disk cache, so you don’t want to clog the in-memory cache with large objects, such as graphics and files. You can enter a custom value if you like, but the default is 12800 bytes.
The If Web site of expired object cannot be reached setting has two options. You can configure the ISA Firewall to:
- Do not return the expired object (return an error page). This tells the ISA Firewall to return an error indicating that the object is not available, even if the object is in the cache.
- Return the expired object only if expiration was… This allows the ISA Firewall to return objects in the cache even when the Web site is not available. How long the ISA Firewall will continue to return these objects from the cache depends on the two settings that complete the option: At less than this percentage of original Time-to-Live and But no more than (minutes). Together they determine how long the object can be returned from the cache when the Web server hosting that content is not available.
The Percentage of free memory to use for caching is actually the percentage of memory you want to give to the cache file. It’s really not the percentage of “free” memory because the cache memory size won’t change over time and will not give up memory to other processes. So this is a static value based on how much memory your machine has. The default is 10%, but if you have lots of RAM, you might consider increasing this at 10% intervals until you run into trouble to see how much memory you can dedicate to Web caching.
Creating Cache Rules
Cache rules allow you to define what objects you want to cache and the cache behavior for those objects. To create a cache rule, click on the Cache node in the left pane of the ISA Firewall console and then click the Tasks tab on the Task Pane. Click the Create a Cache Rule link.
On the Welcome to the New Cache Rule Wizard page, enter a name for the cache rule. In this example we’ll create a cache rule that is applied to all content accessed from the Internet, with the exception of the Microsoft Update Site, which has its own rule that should be above all other rules. Click Next.
On the Cache Rule Destination page, click the Add button. In the Add Network Entities dialog box you select which destination you want this rule to apply to. In this example we want the rule to apply to all Internet access, so we’ll click the Networks folder and then double click on the External entry. Note that you can create very finely tuned cache rules by having the destination be a URL Set or a Domain Name Set. Click Close on the Add Network Entities dialog box.
On the Content Retrieval page you set how objects stored in the cache are retrieved when requested by users. You have three options:
- Only if a valid version of the object exists in cache. If no valid version exists, route the request to the server. So, if there is an expired version of the object in the cache, the ISA Firewall will connect to the Web server to get a fresh version of the object.
- If any version of the object exists in cache. If none exists, route the request to the server. So, if there is any version of the object in the cache, it will return it to the user, even if it is expired. If no version of the object is in cache, it will go to the Web server to get it.
- If any version of the object exists in cache. If none exists, drop the request (never route the request to the server). So, if any version is in the cache, it will return it to the user. If there is no version of the object in the cache, the ISA Firewall will not try to get it from the Web server and will just drop the request.
The default option is Only if a valid version of the object exists in the cache. If no valid version exists, route the request to the server. In this example we’ll select the default and click Next.
On the Cache Content page you tell the ISA Firewall whether retrieved content is stored in the cache. By default, an object is stored in the cache only if its source and request headers indicate that the object should be cached. However, you can instead select Never, no content will ever be cached. So, if there is a site whose content you never want cached, maybe because you always need the most up to date content, you should select that option.
Three other options are:
- Dynamic content: When you select this option, the ISA Firewall will cache the content, even if the Web server indicates that the content should not be cached.
- Content for offline browsing: This allows the ISA Firewall to cache content even when the Web server is not available or the location of the objects has changed.
- Content requiring user authentication for retrieval: This allows the ISA Firewall to cache content that requires user authentication. Be careful with this one, because it has the potential to allow users to see authenticated content belonging to other users.
On the Cache Advanced Configuration page, you can limit the size of cached objects. By default, there is no limit to the size of an object that can be cached. However, if you select the Do not cache objects larger than option, you can set a maximum size of cached objects. Use this option if you’re worried about your cache file getting filled up too quickly by very large objects, such as pictures or data files.
The other option on this page is Cache SSL responses. Be aware that the ISA Firewall cannot cache SSL responses in a forward Web proxy scenario because the ISA Firewall cannot see what’s inside the SSL tunnel. However, if you install Collective Software’s ClearTunnel, you will be able to cache responses made over an SSL connection. For more information about ClearTunnel, check out www.collectivesoftware.com.
On the HTTP Caching page, unless the source specifies an expiration time, HTTP objects stored in the cache are updated according to the time-to-live (TTL) settings. The TTL is the amount of time content remains in the cache before it expires. Content age is the amount of time since the object was created or modified, which is information contained in the object’s header.
The Set TTL of objects (% of content age) is set at 20% by default. HTTP objects remain valid in the cache according to TTL settings. TTL settings are based on the TTL defined in the response header, and the TTL boundaries defined in the cache rule. The percent of the content age is a percentage of the time of the content's existence. The higher the percentage, the less frequently the cache is updated.
You can also set TTL time boundaries, so that you can set custom No less than and No more than times.
Finally, you can override expiration times included in the cached object’s header by selecting the Also apply these TTL boundaries to sources that specify expiration.
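To make the TTL arithmetic on the HTTP Caching page and the expired-object settings from the Advanced tab concrete, here is an added example (my own model of the rules as this article describes them, not ISA code). The 20% figure is the article's default; the No less than, No more than, percentage-of-original-TTL and minutes values, and the sample headers, are constructed assumptions.

```python
# Model of the ISA 2006 cache-rule TTL logic described above (added example,
# not ISA code). Boundary defaults and sample headers are assumed values.
from datetime import timedelta
from email.utils import parsedate_to_datetime


def compute_ttl(headers, pct_of_age=20, no_less_than=timedelta(minutes=15),
                no_more_than=timedelta(days=1), apply_bounds_to_expires=False):
    """Return the cache TTL (timedelta) for one HTTP response.

    If the source specifies Expires, that wins unless 'Also apply these TTL
    boundaries to sources that specify expiration' is set.  Otherwise the
    TTL is pct_of_age % of the content age (Date minus Last-Modified),
    clamped to the rule's No less than / No more than boundaries.
    """
    date = parsedate_to_datetime(headers["Date"])
    if "Expires" in headers:
        ttl = parsedate_to_datetime(headers["Expires"]) - date
        if not apply_bounds_to_expires:
            return max(ttl, timedelta(0))
    else:
        last_mod = parsedate_to_datetime(headers.get("Last-Modified", headers["Date"]))
        ttl = (date - last_mod) * pct_of_age / 100
    return min(max(ttl, no_less_than), no_more_than)


def serve_expired_when_unreachable(original_ttl, time_since_expiry,
                                   pct_of_original_ttl=50,
                                   but_no_more_than=timedelta(minutes=60)):
    """'Return the expired object only if expiration was' check: the object is
    still served while it has been expired for less than pct_of_original_ttl %
    of its original TTL and no longer than but_no_more_than."""
    return (time_since_expiry < original_ttl * pct_of_original_ttl / 100
            and time_since_expiry <= but_no_more_than)


# Constructed sample responses (not captured from a real server).
OLD_PAGE = {"Date": "Mon, 05 Jun 2006 12:00:00 GMT",
            "Last-Modified": "Thu, 25 May 2006 12:00:00 GMT"}   # 11 days old
FRESH_PAGE = {"Date": "Mon, 05 Jun 2006 12:00:00 GMT",
              "Last-Modified": "Mon, 05 Jun 2006 11:00:00 GMT"}  # 1 hour old
EXPIRES_PAGE = {"Date": "Mon, 05 Jun 2006 12:00:00 GMT",
                "Expires": "Mon, 05 Jun 2006 14:00:00 GMT"}      # source says 2 h

if __name__ == "__main__":
    for name, hdrs in (("old", OLD_PAGE), ("fresh", FRESH_PAGE), ("expires", EXPIRES_PAGE)):
        print(name, compute_ttl(hdrs))
    print("serve expired after 20 min:", serve_expired_when_unreachable(timedelta(hours=1), timedelta(minutes=20)))
```

Running it shows the 20% rule clamped at both ends (11 days of age would give 2.2 days, capped at the 1-day boundary; 1 hour of age gives 12 minutes, raised to the 15-minute floor) and the origin-unreachable check accepting a 20-minute-old expiry but rejecting a 40-minute one.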
The ISA Firewall can also cache objects obtained via FTP for Web Proxy clients (the ISA Firewall won’t cache FTP responses from non-Web proxy client applications). The default is to enable FTP caching and a TTL of 1 day is selected. You can change these defaults to meet your needs. Click Next.
Click Finish on the Completing the New Cache Rule Wizard page.
On the Cache Rules tab, right click the All Sites rule and click Move Down. We need to do this because the Microsoft Update Cache Rule needs to be on top.
In this article we took a break from covering the ISA Firewall’s network firewall feature set and set our sights on the Web proxy filter’s Web caching element. We went through the process of turning on the cache and then how to configure the basic Web cache settings. We finished up by seeing how to create a cache rule and the options available in cache rules.