How to Configure Web and Firewall Chaining
ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA Server together to provide flexible Web proxy services. These servers can be chained in a hierarchical manner so that one ISA Server computer routes Internet requests to another ISA Server computer, rather than routing the request directly to the Internet. ISA Server also supports Firewall chaining to allow requests from SecureNAT and Firewall clients to be forwarded to another ISA Server computer.
Why Use Web Chaining?
Web chaining is useful if your organization has multiple branch office locations, but all Internet requests are routed through one location at the head office. In this scenario, you can install ISA Server in each office and then configure ISA Server at the branch offices to route all Internet requests to the server running ISA Server at the head office.
You can also configure Web chaining so that not all Web requests are sent to the upstream server. For example, you can configure rules for conditionally routing Internet requests, depending on the destination Web server. This is useful if the head office and the branch offices are in different countries. If one of the branch offices has a direct Internet connection and many of the Web sites used by users in that branch office are in the same country as the branch office, you may choose to have the branch office ISA Server computer route all requests for specific domain names directly to the Internet. You can still have the branch office server route all other requests to the headoffice
ISA server.
One of the benefits of using Web chaining is the accumulated caching on ISA Server. If all the servers running ISA Server in the branch offices are configured to forward their requests to the head-office ISA Server, the head-office ISA Server will develop a large cache that contains many requested items. The combination of caching at the local branch office and at head office increases the chances that the Internet content can be delivered to the client with the least use of network bandwidth.
Configuring Web Chaining Rules
To configure Web chaining rules, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node, select Networks, and then click the Web Chaining tab.
2. To create a new Web chaining rule, on the Tasks tab, click Create New Web Chaining Rule.
3. On the Welcome To The New Web Chaining Rule Wizard page, in the Web Chaining Rule Name box, type a name for the Web chaining rule. Click Next.
4. On the Web Chaining Rule Destination page, click Add to specify the destinations that will be affected by this rule.
5. In the Add Network Entities dialog box, select the destinations that this rule will apply to. For example, if the rule should apply to all Internet requests, expand Networks, then click External. Click Close.
6. On the Web Chaining Rule Destination page, click Next.
7. On the Request Action page, select how the request should be processed. You have three options:
. Retrieve Requests Directly From The Specified Destination—In this case, the Web request is routed directly to the Internet.
. Redirect Requests To A Specified Upstream Server—In this case, the Web request is routed to the server that you specify.
. Redirect Requests To—In this case, the request is routed to the specified Web site.
To configure Web chaining, select Redirect Requests To A Specified Upstream Server and then click Next.
8. On the Primary Routing page, shown in Figure 5-8, in the Server box, type the name of the server to which this server will send the requests. You can also specify the port numbers for HTTP and SSL and configure an account that will be used to authenticate at the upstream ISA Server. Click Next.
9. On the Backup Action page configure what ISA Server should do if the upstream ISA Server is unavailable. You have three choices:
. Ignore Requests—In this case, ISA Server will not respond to client requests.
. Retrieve Requests Directly From The Specified Destination—In this case, ISA Server will route the request to the Internet.
. Route Requests To An Upstream Server—In this case, you can specify an alternative upstream server.
Select the option you require and then click Next.
10. On the Completing The New Web Chaining Rule Wizard page, review the configuration and then click Finish.
11. After creating the Web Chaining rule, you can configure how the ISA Server computer will bridge HTTP and HTTPS requests when using the Web chaining rule. To configure bridging, click the Web chaining rule and then, on the Tasks tab, click Define SSL Bridging For Selected Rule. On this page, you can configure how to redirect HTTP and SSL requests when sending the requests to the upstream server.