Configure Web Chaining Rules ISA Server 2006

Web Chaining Rules allow you to chain downstream ISA firewalls to upstream ISA firewalls, or even non-ISA firewall-based Web proxy servers. Web proxy chaining allows you to configure a hierarchical caching solution. In contrast, a multi-server ISA firewall array allows you to create a parallel caching solution. You can combine hierarchical and parallel caching solutions to significantly improve performance and reduce the total amount of bandwidth used on Internet links, WAN links, and even on the intranet.

The most popular use for Web Chaining is to chain branch office ISA firewalls with main office ISA firewalls. This has several advantages:

• Content requested from all branch offices and the main office is cached on the main office ISA firewall array. This reduces overall Internet link bandwidth utilization

• Content requested from each branch office is cached on the local ISA firewall array. This reduces bandwidth utilization on the branch office WAN and/or Internet link

• Content hosted on main office Web servers can be dynamically cached or pre-loaded into the caches of branch offices. This allows this content to be available to branch offices even when the WAN or Internet link is down

With the increasing popularity of branch office deployments of the ISA firewall, you can expect to see even greater use of Web Chaining Rules.

To create a Web Chaining Rule, click the Networks node in the left pane of the ISA firewall console and then click the Web Chaining Rules tab in the middle pane. Then perform the following steps to create the Web Chaining Rule:

1. Click the Tasks tab in the Task Pane and then click the Create New Web Chaining Rule link.

Figure 1

2. On the Welcome to the New Web Chaining Rule Wizard page, enter a name for the rule in the Web chaining rule name text box. In this example we’ll chain the ISA firewall at a branch office to a ISA firewall Web caching array at the main office, so we’ll name the rule Branch to Main Array and click Next.

Figure 2

3. On the Web Chaining Rule Destination page, click the Add button. In the Add Network Entities dialog box, select the destinations to which this Web Chaining Rule will apply. Since we want all requests for Web content regardless of where that Web content is located to be forwarded to the main office array, we’ll select the All Networks (and Local Host) entry in the Add Network Entities dialog box. Click Close in the Add Network Entities dialog box and then click Next.

Figure 3

4. On the Request Action page, you configure how you want the Web requests to that particular destination routed by the ISA firewall. The default setting is to route the request directly to the destination Web site. However, in a Web Chaining configuration, you want the request forwarded to another Web proxy device. In this case, you would select the Redirect requests to the specified upstream server option. When you select this option, the next page of the wizard will ask you for details regarding the upstream Web proxy. Select this option and click Next.

Figure 4

5. On the Primary Routing page, enter the name of the upstream ISA firewall array. You can leave the default ports in place if you haven’t changed them on the upstream array. In this example, the name resolves to one of the members of the main office array. Once the branch office ISA firewall receives the autoconfiguration script from the main office array, it will have a list of names of all the servers in the array and forward requests to the appropriate main office array member based on the CARP algorithm (CARP allows the branch office ISA firewall to perform client side routing of Web requests to the Web caching array member responsible for the URL).If the upstream array member requires credentials for Web access, click the Set Account button to enter the credentials the downstream array member should use to authenticate with the upstream. Click OK to save the account information and then select the authentication protocol from the Authentication drop down list. Since we always join ISA firewalls to the domain (an ISA firewall best practice), we can use integrated authentication. This prevents us from having to use SSL to secure the communications between the branch office ISA firewall and the main office array. Click Next on the Primary Routing page.

Figure 5

6. On the Backup Action page you select how Web requests are routed when the upstream ISA firewall Web proxy isn’t available. In this example, we’ll assume that the branch office has its down Internet connection. Since the branch office has its own Internet connection, we can select the Retrieve requests directly from the specified destination option and connections will be forwarded directly to the Internet servers from the branch office ISA firewall, instead of routing them to the main office ISA firewall Web caching array. Click Next

Figure 6

7. Click Finish on the Completing the New Web Chaining Rule Wizard page.

Figure 7

I should note here that Web Chaining Rules give you a lot of flexibility in how requests from Web proxy clients are processed by the ISA firewall.