ISA Server 2004 content caching solutions typically fit into one of two models. In the first model, the ISA server acts as an edge firewall to a network, such as what is shown in Figure 8.2. In this case, the ISA server provides for full firewall functionality to the clients on the network, monitoring and securing all traffic to the clients on the network. In addition, the server acts as a web and FTP proxy for the internal clients.
Figure 8.2. Understanding the edge firewall content caching model.
In the second content caching deployment model for ISA Server 2004, the ISA server provides caching only, for the clients on the network, similar to what is shown in Figure 8.3. In this model, the ISA server is a cache-only server with a single network interface connected to either the internal network or the DMZ of the organization. This model, which was the common deployment model for ISA's predecessor, Proxy Server 1.x/2.x, provides proxy capabilities but does not take full advantage of the firewall functionality in the server.
Figure 8.3. Understanding the caching-only server model.
From a content caching perspective, both deployment models for ISA are essentially the same. For some organizations, deploying a full-blown edge firewall and content caching proxy server is ideal. For other organizations with an existing investment in security and firewall technologies, it may make sense to deploy a unihomed (single NIC) ISA server in the DMZ of the existing firewall to take advantage of the content caching capabilities, as well as to provide for reverse proxy functionality. For more information on this type of deployment scenario, refer to Chapter 7, "Deploying ISA Server as a Reverse Proxy in an Existing Firewall DMZ."
Understanding the Types of Proxy Servers
Proxy servers handle traffic in different ways, depending on how they are configured. In general, all proxy servers fall into one of three categories: forward proxy, transparent proxy, or reverse proxy. A single server can hold more than one of these roles; the roles simply refer to the type of proxying that the server handles, as follows:

Forward proxy
A forward proxy is a traditional proxy server that clients are aware of and to which they send their web requests directly (rather than to the Internet). This type of proxy requires some way of configuring the client browser to point to the proxy server, such as manual browser settings or an automatic configuration script. Because the client knows it is talking to a proxy, it sends the full URL of the site it wants in each request.

Transparent proxy
A transparent proxy provides the same proxy functionality but is invisible to the client workstation. A transparent proxy can be set up in ISA if the workstations' web traffic already passes through the ISA server in some fashion, such as when the ISA server acts as the edge firewall and default gateway, so that ISA intercepts outbound HTTP without any browser configuration. Because the client believes it is talking directly to the web server, the proxy has to work out the destination from the request itself (the Host header), which should be validated rather than trusted blindly.

Reverse proxy
Reverse proxy refers to the proxy server's capability to handle requests made from the Internet to internal web servers. One common reverse proxy scenario involves ISA handling all traffic sent to a publicly accessible Outlook Web Access (OWA) server. Reverse proxy enhances security by not exposing internal web servers directly to the Internet: the outside world sees only the ISA server, and only the web sites that have explicitly been published through it are reachable.
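The three roles above differ in what the proxy sees on the wire and in how it decides where a request goes. The following Python script is an added illustration of that difference and is not code from the ISA Server documentation: it builds the request a client sends in forward and transparent modes and shows how a proxy in each role resolves the destination, including the check a transparent proxy needs on the Host header and the rejection of unpublished hosts by a reverse proxy. The host names and the publishing table are constructed for the example.

```python
"""How one client request looks to a forward, transparent and reverse proxy.

Added example (not ISA Server code). Host names and the publishing table
below are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Constructed reverse-proxy publishing table: public host -> internal server.
# Stands in for an ISA web publishing rule; names are hypothetical.
PUBLISHING_RULES = {"owa.example.com": "exch01.corp.internal"}


def client_request(url: str, mode: str) -> str:
    """Return the raw HTTP/1.1 request a client sends for `url`.

    forward:     the client knows about the proxy and puts the absolute URI
                 in the request line (RFC 7230 absolute-form).
    transparent: the client believes it is talking to the origin server and
                 sends origin-form plus a Host header; the proxy only sees it
                 because it sits in the traffic path.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if mode == "forward":
        return f"GET {url} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n"
    if mode == "transparent":
        return f"GET {path} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n"
    raise ValueError(f"unknown client mode {mode!r}")


def _parse(request: str):
    """Split a raw request into (method, request-target, headers)."""
    head, _, _body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def proxy_destination(request: str, role: str, allowed_hosts=None) -> str:
    """Decide where a proxy in `role` forwards this request.

    Returns 'host:port', or raises ValueError when the proxy should refuse.
    """
    _method, target, headers = _parse(request)

    if role == "forward":
        # The destination is the absolute URI the client asked for.
        parts = urlsplit(target)
        if not parts.scheme or not parts.netloc:
            raise ValueError("forward proxy expects an absolute-form request")
        return f"{parts.hostname}:{parts.port or 80}"

    if role == "transparent":
        # The only routing information is the client-supplied Host header.
        # Unchecked, a client can steer the proxy at any host it names
        # (including internal ones), so validate against an allow-list or
        # the original destination address captured by the firewall.
        host = headers.get("host")
        if not host:
            raise ValueError("transparent proxy needs a Host header")
        if allowed_hosts is not None and host.split(":")[0] not in allowed_hosts:
            raise ValueError(f"Host {host!r} not permitted")
        return host if ":" in host else f"{host}:80"

    if role == "reverse":
        # Only published hosts are served; anything else is dropped so the
        # internal servers are never reachable by name from outside.
        host = headers.get("host", "").split(":")[0]
        internal = PUBLISHING_RULES.get(host)
        if internal is None:
            raise ValueError(f"no publishing rule for {host!r}")
        return f"{internal}:80"

    raise ValueError(f"unknown proxy role {role!r}")


if __name__ == "__main__":
    url = "http://www.example.com/index.html"
    print(client_request(url, "forward"))
    print(client_request(url, "transparent"))
    print(proxy_destination(client_request(url, "forward"), "forward"))
    print(proxy_destination(client_request(url, "transparent"), "transparent",
                            allowed_hosts={"www.example.com"}))
    owa = "GET /owa/ HTTP/1.1\r\nHost: owa.example.com\r\n\r\n"
    print(proxy_destination(owa, "reverse"))
```

Note that the forward-proxy branch refuses an origin-form request and the reverse-proxy branch refuses any Host it has no rule for; a transparent proxy has no such built-in signal and has to supply its own check.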
Sizing Hardware Components for an ISA Caching Server
For firewall purposes, it is difficult to overload an ISA server, simply because only so much data can be pushed at it through a standard Internet connection. The rule of thumb with ISA Server is to assume that each T1 (1.544Mbps) supplied to ISA adds roughly 2.5% of CPU utilization, which allows a single ISA server to front an Internet connection of up to T3 (28 T1 equivalents, or about 70% CPU by that rule).

Content caching changes the performance equation somewhat, because the amount of processor time required by the system increases. This is particularly so if ISA is used as a transparent proxy, where clients are not aware that they are using a proxy: transparent proxy servers, described in the preceding section, use approximately twice as much processor time as regular forward proxy servers. Even taking this into account, adding ISA servers to an environment purely for performance reasons becomes an issue only when the number of proxy clients approaches 1000. All these factors should nevertheless be taken into account when designing an ISA Server implementation.

NOTE
ISA Server 2004 is licensed per processor, so a dual-CPU server costs twice as much to license as a single-CPU system. Because adding processors produces diminishing returns (doubling the number of CPUs increases performance by only about 50% in most cases), single-CPU ISA servers are the most cost-effective choice where possible. In larger environments it makes sense to add CPUs when performance dictates it, but keep the licensing cost in mind when scoping possible ISA configurations.

ISA Server 2004 by itself does not require much disk space. Enabling content caching, on the other hand, requires a large amount of disk space to be made available to the server in the form of the ISA cache file. This file is predefined at a fixed size, and it is important to allow as much space as the server will need to store cached objects (pages, images, and other text and binary content). Depending on the level of usage the proxy server sees, this could end up being a cache drive of 10GB to 50GB.

A good rule of thumb is to configure an ISA server with an OS partition of about 10GB, a dedicated log drive of 10GB to 30GB, and a cache drive of 10GB to 50GB, if space allows. These are not hard and fast rules, but keeping the cache file and the logs on drives separate from the OS partition, so that cache or log growth cannot fill the system volume, is the most suitable configuration for ISA caching.
Deploying Caching Redundancy with the Cache Array Routing Protocol (CARP)
For large environments, it may become necessary to deploy more than one caching server to provide redundancy and load balancing of web caching. The Enterprise Edition of ISA Server 2004 allows for the creation of arrays of ISA servers that use Windows Network Load Balancing (NLB) to provide failover and load sharing. In addition, Enterprise Edition arrays support the Cache Array Routing Protocol (CARP), which routes each request to a specific array member based on a hash of the requested URL, so that a given URL is cached on one member of the array rather than being duplicated on every server, and every request for it is sent to the member that already holds it. This further extends the caching capabilities of ISA Server 2004. For more information on this type of deployment, refer to Chapter 6, "Deploying ISA Server Arrays with ISA Server 2004 Enterprise Edition."
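The property that makes CARP worth having over simple load balancing is that the URL-to-member mapping is deterministic and stable: every party computes the same answer, and losing one member only disturbs the URLs that member was caching. The following Python script is an added illustration of that principle using highest-random-weight (rendezvous) hashing, the scheme CARP is built on; it is not Microsoft's CARP implementation and does not use the CARP draft's own hash function. It contrasts the behaviour with a naive hash-modulo scheme when one member of a four-server array fails. Member names and URLs are constructed for the example.

```python
"""CARP-style routing of URLs across an array of caching servers.

Added example illustrating the principle behind CARP (rendezvous hashing),
not Microsoft's implementation or its exact hash function. Array member
names and the URL workload are constructed for the demonstration.
"""
import hashlib


def _score(member: str, url: str) -> int:
    """Combine member identity and URL into one score; the highest score wins."""
    digest = hashlib.sha256(f"{member}\x00{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def carp_route(url: str, members: list) -> str:
    """Return the array member responsible for caching `url`.

    Every member (or a proxy-aware client running the array's configuration
    script) computes the same result, so a URL is cached on exactly one
    member and every request for it lands there.
    """
    if not members:
        raise ValueError("array has no members")
    return max(members, key=lambda m: _score(m, url))


def modulo_route(url: str, members: list) -> str:
    """Naive alternative for contrast: hash(url) mod member count."""
    h = int.from_bytes(hashlib.sha256(url.encode("utf-8")).digest()[:8], "big")
    return members[h % len(members)]


def remapped_fraction(urls, before, after, router=carp_route) -> float:
    """Share of URLs whose responsible member changes when the array goes
    from `before` to `after`; each of those URLs misses the cache once."""
    changed = sum(1 for u in urls if router(u, before) != router(u, after))
    return changed / len(urls)


# Constructed array and workload (hypothetical names).
ARRAY = ["isa01.corp.internal", "isa02.corp.internal",
         "isa03.corp.internal", "isa04.corp.internal"]
URLS = [f"http://www.example.com/page{i}.html" for i in range(400)]


def failure_impact(urls=URLS, array=ARRAY, failed="isa04.corp.internal"):
    """Compare how much of the cached workload moves when one member drops out."""
    survivors = [m for m in array if m != failed]
    return {
        "carp": remapped_fraction(urls, array, survivors, carp_route),
        "modulo": remapped_fraction(urls, array, survivors, modulo_route),
    }


if __name__ == "__main__":
    for u in URLS[:3]:
        print(u, "->", carp_route(u, ARRAY))
    print(failure_impact())
```

With rendezvous hashing the only URLs that move are the ones the failed member held (about a quarter of the workload for a four-member array), whereas hash-modulo reshuffles roughly three quarters of them, which is why a member failure on a CARP array costs far fewer cache misses.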