As I explained in "ISA Server's Caching Capabilities, Part 1," February 2004, http://www.winnetmag.com/windowssecurity, Instant Doc ID 41274, Microsoft Internet Security and Acceleration (ISA) Server 2000 is not only a firewall but also a service that accelerates Internet access by using an excellent caching functionality. The ISA Server cache stores frequently used URL objects (i.e., the content associated with URLs) in memory and in cache files on ISA Server's hard drive. Part 1 describes ISA Server's caching behavior and shows you how to configure cache routing rules and cache settings. In this article, I explain ISA Server's active caching feature, prepopulating the cache, advanced cache options, monitoring the cache, and scripts for working with the cache. ISA Server caches requests for both forward proxying (i.e., for internal clients requesting external URL objects) and reverse proxying (i.e., external clients requesting internal published URL objects), but this two-article series covers only ISA Server's forward-proxying capabilities.
ISA Server has an active caching feature. If you enable active caching, ISA Server determines the most frequently used URLs and retrieves them periodically from the Web server to make sure that the cache always has fresh versions of the files. You can use the Active Caching tab of the Cache Configuration Properties dialog box to configure active caching to retrieve files frequently, normally, or less frequently. To open the dialog box, open the Microsoft Management Console (MMC) ISA Management snap-in, right-click Cache Configuration under the ISA Server system you want to configure, select Properties, and go to the Active Caching tab. Note that frequent destinations don't always remain frequent and that if ISA Server uses a dial-up connection to the Internet, active caching will dial the modem.
The active caching mechanism is something of a black box. Microsoft doesn't document the algorithm that active caching uses to determine which files it caches and when it caches them. You can't specify which URLs should be actively cached (e.g., you can't create a destination set for actively cached URLs) or when. However, active caching happens when the CPU is least used, which is most likely at night when ISA Server is least used.
If you need to conserve bandwidth or if you pay for bandwidth by the bit, use the less frequent option. Otherwise, I find it hard to recommend a particular option because the algorithm is unpublished. The best course is to try the different options and watch the bandwidth usage to ensure that it isn't wasted on needless caching.
Prepopulating the Cache
Instead of relying on active caching to keep the content of popular URL objects up-to-date, you can prepopulate the cache with frequently used URLs. To do so, you create a new scheduled job. In the ISA Management snap-in under the server you want to configure, go to Cache Configuration\Scheduled Content Download. Right-click Scheduled Content Download Jobs, and select New, Job to start the New Scheduled Content Download Job Wizard. After you specify a job name, the wizard prompts you for the time and date of the first job. The next screen asks you how often you want to run the job. The next screen lets you enter a URL and specify whether you want to follow links to other domains and whether you want ISA Server to cache dynamic content. The wizard's last screen, which Figure 1 shows, asks you about Time to Live (TTL) and link depth. As I mentioned in Part 1, the Web server's replies carry TTL information in the Expires header. You can override the Web server's TTL setting by selecting the first check box—Always override object's TTL—and specifying a new TTL in minutes. If you select the second check box—Override TTL if not defined—ISA Server will update objects in the cache according to the settings you specified on the HTTP tab of the Cache Configuration Properties dialog box—unless the Web server has sent caching headers, which take precedence. If you select the second check box and specify a new TTL in minutes, that time takes precedence over your settings on the HTTP tab.
ISA Server's content download feature works like a Web crawler: ISA Server sends a request to the specified URL and follows each link on the initial page unless you limit the link depth on the New Scheduled Content Download Job Wizard's last screen. You can also specify a limit for the number of objects (such as Web pages or images) to be cached.
Web Figure 1 (http://www.winnetmag.com/windowssecurity, InstantDoc ID 41570) shows how the cache looks after ISA Server has downloaded content from http://www.microsoft.com. You can see the entire structure of the initial URL.
Figure 2 shows advanced cache configuration options. By selecting the Do not cache objects larger than check box and specifying a number of kilobytes, you can ensure that if a user requests the URL of a large object, such as a large picture file, ISA Server won't cache it. Selecting the Cache objects that have an unspecified last modification time check box forces ISA Server to cache responses that don't have the Last-Modified header that I discussed in Part 1. Selecting the Cache objects even if they do not have an HTTP status code of 200 check box enables negative caching—that is, caching of responses that have a code of other than 200 OK. ISA Server with negative caching enabled will cache the following Web server replies:
- 203 Partial Content
- 300 Redirection
- 301 Permanent Move
- 410 Object is gone
By default, ISA Server doesn't cache the URLs of dynamic content (i.e., URLs that contain a question mark). When a Web server application generates dynamic content whose URL doesn't have a question mark, the application usually adds the Expires: 0 header to prevent caching. You can select the Cache dynamic content (objects with question marks in the URL) check box to override this behavior, but think twice about doing so. ISA Server will then cache the results of any user's Web query and return them from the cache, so users might be presented with expired data.
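The advanced options above amount to a per-response decision, modeled here in Python so that the effect of selecting a check box can be examined before changing the server. This is an added example, not ISA Server code or one of the SDK sample scripts. The class and function names, the all-off defaults, the order of the checks, and the treatment of Expires: 0 as always honored are assumptions, and the sample responses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Status codes the article lists as cached once negative caching is enabled.
NEGATIVE_CACHE_CODES = {203, 300, 301, 410}

@dataclass
class CacheSettings:              # hypothetical names for the advanced options
    max_object_kb: Optional[int] = None       # "Do not cache objects larger than"
    cache_without_last_modified: bool = False
    cache_non_200: bool = False               # negative caching
    cache_dynamic: bool = False               # URLs containing "?"

def cache_decision(url, status, headers, size_bytes, s):
    """Return (cacheable, reason) for one response under settings s."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    if hdrs.get("expires") == "0":            # assumption: always honored
        return False, "server sent Expires: 0"
    if s.max_object_kb is not None and size_bytes > s.max_object_kb * 1024:
        return False, "larger than size limit"
    if status != 200 and not (s.cache_non_200 and status in NEGATIVE_CACHE_CODES):
        return False, "non-200 status not admitted"
    if "?" in url and not s.cache_dynamic:
        return False, "dynamic URL"
    if "last-modified" not in hdrs and not s.cache_without_last_modified:
        return False, "no Last-Modified header"
    return True, "cacheable"

def newly_cacheable(responses, before, after):
    """URLs that a settings change would start admitting to the shared cache."""
    return [r[0] for r in responses
            if not cache_decision(*r, before)[0] and cache_decision(*r, after)[0]]

LM = {"Last-Modified": "Mon, 05 Jan 2004 10:00:00 GMT"}
SAMPLE = [  # constructed responses, not captured traffic
    ("http://www.example.com/index.htm", 200, LM, 20_000),
    ("http://www.example.com/search?q=payroll", 200, LM, 8_000),
    ("http://www.example.com/old.htm", 410, {}, 500),
    ("http://www.example.com/report.asp", 200, {"Expires": "0"}, 4_000),
    ("http://www.example.com/big.jpg", 200, LM, 3_000_000),
]

if __name__ == "__main__":
    base = CacheSettings(max_object_kb=1024)
    for r in SAMPLE:
        print(r[0], cache_decision(*r, base))
    print(newly_cacheable(SAMPLE, base, CacheSettings(1024, cache_dynamic=True)))
```

Comparing two settings objects with newly_cacheable lists the responses that a change would start storing in the cache that all proxy users share, which for the dynamic-content option includes individual users' query results.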
To enhance performance for users, ISA Server stores all objects in memory first (writing them to disk later) and looks for objects in memory first. Microsoft hasn't documented the algorithm ISA Server uses to determine when to move objects out of memory to disk. I can only speculate that objects used the most frequently stay in memory so that ISA Server can serve them faster. The Percentage of free memory to use for caching field controls how much memory ISA Server should use for caching. If you want to prevent ISA Server from caching large objects in memory, you can enter an upper limit in the Maximum size of URL cached in memory (bytes) field.
Two options control what happens when ISA Server can't reach the original server of expired URLs. If you select the Do not return the expired object (return an error page) option, ISA Server will return an error. If you select the Return the expired object only if expiration was option, you can control how long ISA Server will continue to return an old object. You set the time as a percentage of the original TTL value and set an upper limit in minutes.
ISA Server provides more than 20 performance counters to help you capture performance data. To work with the most important ones, click Start on your ISA Server machine, open the Microsoft ISA Server program group, and select Microsoft ISA Server Performance Monitor to start the Windows Performance Monitor with its predefined workspace containing the key counters.
The Cache Hit Ratio (%) counter exposed by the ISA Server Web Proxy service shows the percentage of URL requests that ISA Server has been able to serve from the cache. Obviously, you want this number to be as high as possible. The Cache Running Hit Ratio (%) is the hit rate for the last 10,000 requests and therefore gives you a recent picture of ISA Server's cache performance.
To generate a report that shows this caching performance data, expand your ISA Server's Monitoring Configuration node in the ISA Management snap-in, right-click Report Jobs, and select New, Report Job. Click the Schedule tab and select the Immediately option to generate a report right away. The default name of the report is Report Job; you can type in another name if you like. You can also select a time period (e.g., a day, a month) for which to create a report.
To view the report, go to <ISA Server Name>\Monitoring\Reports\Traffic & Utilization in the ISA Management snap-in and double-click the report in the right pane. An instance of Microsoft Internet Explorer (IE) will open, and the report will appear in the browser. (ISA Server creates a report as a simple HTML file in the Temporary Internet Files folder, then starts IE to render the file.) The report contains a wealth of information, but we're interested only in the Cache Performance section. The report shows the performance data in two forms: in a table, as Web Figure 2 shows, and in a pie chart. The more efficiently the cache is used, the lower the percentage of Objects returned from the Internet. Objects returned from cache without verification shows the number and percentage of objects that were valid in the cache at the time of the report. The report also shows the number of objects returned after verification, meaning that ISA Server sent a request for the object to the Web server and the Web server responded that the object hadn't changed, so ISA Server returned the cached object. Note that this report shows cache activity for 1 day.
Maintenance with Scripts
The ISA Server CD-ROM contains scripts (in the sdk\samples\admin\scripts directory) that let you manage ISA Server programmatically and accomplish tasks (such as removing a URL from the cache) that you can't easily do by using the ISA Management snap-in. The scripts use ISA Server programmatic interfaces (so-called FPC objects) that you can access by using COM Automation from VBScript, Visual Basic (VB), Java, and other languages.
You can use the command
delete_url.vbs ISA-LEON http://www.braginski.com/default.htm
to run the delete_url.vbs script to delete a URL from the cache. The first parameter is an ISA Server array or server name; the second parameter is the URL to be deleted. If the script doesn't find the URL in the cache, the script returns the error The system cannot find the file specified.
The fetchurl.vbs script fetches a URL and stores it under a specific name for a specific amount of time. In the command
fetchurl.vbs http://www.braginski.com/default.htm http://www.NewBraginski.com/NewHtml.html 1
the first parameter specifies the URL to fetch, the second parameter is the name under which the URL should be stored in the ISA Server cache, and the third parameter is the TTL in minutes. In most cases, the URL and the name under which to store it will match, but you still must include all three parameters.
The cachesettings.vbs sample script displays cache settings for an ISA Server array or standalone server. Typing the command
results in a prompt for your array name, then yields the following output for my ISA-LEON machine:
Array name: ISA-LEON
Active caching is currently disabled
Cache drives: E:
Cache drives present: 1
Total cache size: 100
The setcache.vbs script lets you interactively set HTTP caching options (which I covered in Part 1) and active caching options. If you're interested in learning more about ISA Server programmatic management, the ISA Server software development kit (SDK) documentation is the place to begin. For details about the FPC objects, go to "Objects" at http://msdn.microsoft.com/library/en-us/isa/isaobj1_0rub.asp?frame=true.
Remember that to use the caching facilities of ISA Server, you just need to install ISA Server in caching mode. This simple step will introduce the power of the ISA Server cache to an enterprise network of any size.