Routing Web requests

As part of the network configuration, you can create routing rules, which determine whether a Web Proxy client request is:

Retrieved directly from the specified destination

Sent to an upstream server

Redirected to an alternate site

The upstream proxy server can be a Microsoft Internet Security and Acceleration (ISA) Server computer or a Microsoft Proxy Server 2.0 server.

Destinations

Routing rules apply to both incoming Web requests and outgoing Web requests. For more information, see Configuring destination sets. For configuration instructions, see Specify the destination set for a routing rule.


Action

You can configure ISA Server to process client requests by:

Retrieving the object directly from the specified destination.

Routing the request to a specific upstream ISA Server or Proxy Server 2.0 computer. In this case, you can also specify a backup route if the primary route is unavailable.

Redirecting the request to a hosted site. In this case, the request is routed to the specified Web site.

ISA Server uses the backup route when the primary route is unavailable. The ISA Server computer polls the upstream server that is specified as the primary route periodically to see if it is available. As soon as the primary route is available, requests are sent to that server, rather than the server on the backup route.

In certain cases, the upstream server may require the downstream proxy to authenticate. In those cases, credentials must be passed. The upstream server uses these credentials to authenticate the downstream server. For more information, see Chained authentication.

For configuration instructions, see Configure how routing rules retrieve requests.


Dial-up entry

If you route client requests by retrieving the object from the specified destination or by routing the request to an upstream server, you can specify whether ISA Server should use a dial-up entry to service the request. In this case, the active dial-up entry is used. For more information, see Configuring dial-up entries.

You can configure ISA Server to dial out when using the primary route. You can also configure ISA Server to dial out when using the backup route. For more information, see Configure how routing rules retrieve requests and Configuring dial-on-demand.


Caching

Before ISA Server determines how the request should be routed, it checks whether a valid copy of the object exists in the cache. An object is considered valid if its time-to-live (TTL) period has not expired, as specified in the Hypertext Transfer Protocol (HTTP) caching properties or on the object itself. Depending on how you configure the routing rule's cache properties, ISA Server will retrieve the object from the cache. You can configure ISA Server to do one of the following:

Route the request only if a valid object does not exist in the cache.

Route the request if no version of the object exists in the cache.

Never route the request.

For more information, see How caching works. For configuration instructions, see Configure how Web objects are cached.

You can also configure the routing rule so that the requested object is never saved to the cache. For more information, see Cache policy and cache filtering and Configure how Web objects are cached.


Bridging

For outgoing Web requests, ISA Server enhances standard routing functionality with a Secure Sockets Layer (SSL) bridging feature, which allows you to configure how traffic should be routed to the upstream server. For more information, see SSL bridging.

When you create a routing rule, you can configure how HTTP and SSL requests should be redirected: as HTTP requests or as SSL requests. If requests are redirected as SSL requests, then the ISA Server computer re-encrypts the packets before passing them on. In other words, a new secure channel is established for the communication with the upstream server.

The upstream Web server may require a client certificate. In this case, configure ISA Server to authenticate with a specific client-side certificate. For instructions on configuring client-side certificates, see Use client-side certificate to authenticate to upstream server.

For more information, see Configure how to redirect HTTP requests and Configure how to redirect SSL requests.


Rule order

Routing rules are ordered, with the default routing rule processed last. For each new connection, the ISA Server computer processes the routing rules in order, starting with the first rule. If the request matches the conditions specified by the rule, the request is routed, redirected, and cached accordingly. Otherwise, the next rule is processed. This continues until the last, default rule is processed and applied to the request.

For more information on how ISA Server processes Web requests, see Controlling incoming requests and Controlling outgoing requests. For instructions on ordering routing rules, see Change the order of a routing rule.


Default routing rule

When you install ISA Server, it configures a default routing rule. The default rule is initially configured so that all requested objects should be retrieved from the ISA Server cache. If the object is not in the cache, then it should be retrieved directly from the Internet.

The default routing rule is ordered last. You can modify the default routing rule's action and how it redirects outgoing Web requests, but you cannot delete it.


Example

Suppose you want all HTTP requests for sites in the United Kingdom to be routed to the ISA Server computer in the United Kingdom branch office, called UK_Array. You can create a routing rule to enforce this policy, configuring the following parameters:

Set Destination set to a set that includes *.uk.

Set Action to Route requests to upstream proxy server.

Set the Primary route to Upstream proxy server.

Configure the server to UK_Array.
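
The rule order, cache check, and primary/backup routing described above can be modelled with the UK_Array example. This is an added illustration in Python, not ISA Server code or part of the original documentation; the class and function names, the backup server UK_Backup, and the handling of expired objects under "never route" are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Set

@dataclass
class RoutingRule:
    name: str
    destinations: List[str]        # destination set, modelled as host wildcards
    action: str                    # "direct" or "upstream"
    primary: Optional[str] = None  # upstream server on the primary route
    backup: Optional[str] = None   # upstream server on the backup route (hypothetical)
    cache_mode: str = "valid"      # "valid", "any" or "never-route"

# Constructed rule list: the UK example first, the default rule always last.
RULES = [
    RoutingRule("UK sites", ["*.uk"], "upstream", "UK_Array", "UK_Backup"),
    RoutingRule("Default rule", ["*"], "direct"),
]

def first_match(host: str, rules: List[RoutingRule]) -> RoutingRule:
    """Return the first rule, in order, whose destination set contains the host."""
    for rule in rules:
        if any(fnmatchcase(host.lower(), p) for p in rule.destinations):
            return rule
    raise ValueError("rule list must end with a default rule that matches everything")

def decide(host: str, rules: List[RoutingRule], up: Set[str], cached: str = "none") -> str:
    """cached is 'valid', 'expired' or 'none'; up is the set of reachable upstream servers."""
    rule = first_match(host, rules)
    # The cache is checked before routing. Assumption: an expired copy is
    # served in every mode except "valid".
    usable = cached == "valid" or (cached == "expired" and rule.cache_mode != "valid")
    if usable:
        return "cache"
    if rule.cache_mode == "never-route":
        return "not routed"
    if rule.action == "direct":
        return "direct"
    # The primary route is used whenever it is available; otherwise the backup.
    for server in (rule.primary, rule.backup):
        if server in up:
            return "upstream:" + server
    return "unavailable"
```

Because evaluation stops at the first match, a rule with a broad destination set placed above a narrower one prevents the narrower rule from ever applying, which is worth checking whenever rules are reordered.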

