ISA Server SP2 Adds Features
Feb. 13, 2006
Service Pack 2 (SP2) for Internet Security and Acceleration (ISA) Server 2004, Microsoft's firewall, virtual private networking, and content-caching product, not only rolls up all hotfixes issued since the July 2004 release of the Standard Edition and the Feb. 2005 release of the Enterprise Edition but also contains several improvements to existing features and adds a few new features aimed primarily at customers who use ISA Server 2004 to link branch offices to central corporate networks.
New Features
ISA Server 2004 SP2 adds three new features to both editions and enhances an Enterprise Edition feature, but it doesn't turn the new features on unless the customer makes configuration changes after installation.
Windows Update caching. ISA Server, in addition to being a security firewall, can also cache Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) files so that repeat requests can be fulfilled locally out of an ISA Server cache rather than retrieving data from the original source or an upstream cache. This local caching improves browser response time and conserves bandwidth on the customer's Internet or WAN link.
However, ISA Server 2004's caching feature did not work with traffic carried over Microsoft's Background Intelligent Transfer Service (BITS), an HTTP-based file transfer protocol introduced in 2002 that can move files in the background over slow and unreliable network links. BITS can resume interrupted file transfers where they left off and is used by the Windows Update Agent on Windows 2000 and later operating systems to download patch files from the Microsoft Update or Windows Update Web sites, or alternatively from Windows Server Update Services (WSUS) servers inside the organization's firewall. ISA Server 2004 SP2 adds BITS caching support specifically for Microsoft Update and Windows Update; caching for other users of BITS, such as the Systems Management Server (SMS) client, is not supported.
BITS caching will be attractive to small businesses or branch offices that do not use SMS or WSUS, and instead configure their PCs to automatically download patches from Microsoft. Once one PC has fully downloaded a patch file, all other PCs requiring that same patch file can get it locally out of an ISA Server cache.
HTTP compression. Since the introduction of HTTP 1.1 support, Web server software, such as Internet Information Services (IIS), and browsers, such as Internet Explorer, can negotiate to use data compression to reduce the bits transferred over the wire. However, for this process to work, all intermediate application-level firewalls (also known as proxy servers) must also support this compression. ISA Server 2004 SP2 adds support for HTTP compression, enabling it to decompress, inspect, and then recompress the Web traffic passing through it. This is particularly important to branch offices where Internet connection bandwidth is often limited. SP2 also enables ISA Server 2004 to cache compressed content, and adds support for range compression, which is valuable for transferring certain types of files, such as older Adobe Portable Document Format (PDF) files, whose reader software requests portions of the file at a time.
Differentiated Services support. ISA Server 2004 SP2 allows organizations to give HTTP traffic from specific URLs or domain names preferential treatment as it passes through corporate routers. Using a protocol called Differentiated Services, or diffserv, ISA Server 2004 SP2 can scan all HTTP traffic, and IP packets that meet the configured criteria are labeled with a flag that tells downstream corporate routers configured for Quality of Service (QoS) functionality to route them ahead of unprioritized traffic.
This can be particularly valuable in situations in which browser users in remote offices need to access Web servers running mission-critical applications at headquarters, in which case this traffic should take precedence over other traffic. Although this feature is useful in situations in which the customer has a private WAN connecting the sites, if the traffic passes over the Internet through a virtual private network (VPN), the routers owned by the Internet providers along the path treat it as normal traffic.
Changed Features
SP2 also makes some small improvements to ISA Server 2004's client auto detection, Web authentication security, certificate alerting, and debug tracing features. The biggest improvement alters the way the Cache Array Routing Protocol (CARP) works.
CARP improvements. One of the distinguishing features of ISA Server 2004 Enterprise Edition is that it supports combining multiple caching servers to act as one large virtual cache—that is, a cache array. By using CARP, ISA Server evenly assigns groups of cached URLs to individual array members. Although each ISA Server computer is responsible for caching information only for its group of URLs, if a machine in the CARP array goes offline, the others can dynamically reallocate the load. However, determining the particular cache server based on the requested URL can pose problems for Web pages and applications that store session state information on each individual Web server. With SP2, CARP routing uses only the host name rather than the full URL to determine which array member handles the request. CARP therefore assigns all of the subsequent requests for a particular host, such as www.directionsonmicrosoft.com, to a specific array member. This ensures that each session is handled by a single array member, which preserves the session context.
However, the SP2 CARP feature also includes an exception list mechanism that allows customers to add sites for which they want traffic to be distributed to all array members—administrators would do this when a particular site generates too much traffic to be handled by a single array member and the administrators know that the site works fine when cached over multiple array members.
Resources
Additional ISA Server information and links to the SP2 download page can be found at www.microsoft.com/isaserver.
ISA Server 2004 Standard Edition is covered in "ISA Server 2004 More Flexible, Secure" on page 12 of the Apr. 2004 Update, and pricing information is covered in "ISA Server 2004 Standard Edition Ships" on page 9 of the Aug. 2004 Update.
ISA Server 2004 Enterprise Edition is covered in "ISA Server 2004 Enterprise Ships" on page 17 of the Apr. 2005 Update.
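
The host-name routing and exception list described under "CARP improvements", as an added sketch that is not ISA Server code: it uses a SHA-256 highest-score hash as a stand-in for the actual CARP hash function. The array member names, the sample URLs (apart from the host name quoted in the article), and all function names are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample data: array member names and request URLs are hypothetical.
MEMBERS = ["isa-1", "isa-2", "isa-3"]
SESSION_URLS = [f"http://www.directionsonmicrosoft.com/app/page{i}.aspx" for i in range(50)]
BUSY_URLS = [f"http://downloads.example.com/file{i}.cab" for i in range(200)]


def score(member, key):
    """Stand-in score (SHA-256 of member and key); real CARP uses its own hash."""
    digest = hashlib.sha256(f"{member}|{key}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def routing_key(url, by_host=True, exceptions=frozenset()):
    """SP2 behaviour: hash the host name unless the host is on the exception list."""
    host = urlsplit(url).hostname or ""
    if by_host and host not in exceptions:
        return host
    return url  # pre-SP2 behaviour, and SP2 behaviour for excepted sites


def pick_member(url, members, by_host=True, exceptions=frozenset()):
    """Highest score wins, so every array member computes the same owner."""
    key = routing_key(url, by_host, exceptions)
    return max(members, key=lambda m: score(m, key))


def members_used(urls, members, **kw):
    return {pick_member(u, members, **kw) for u in urls}


def wrongly_moved(urls, members, removed, **kw):
    """URLs that change owner after `removed` goes offline although it never owned them."""
    remaining = [m for m in members if m != removed]
    return [u for u in urls
            if pick_member(u, members, **kw) != removed
            and pick_member(u, members, **kw) != pick_member(u, remaining, **kw)]


if __name__ == "__main__":
    print("full URL :", sorted(members_used(SESSION_URLS, MEMBERS, by_host=False)))
    print("host name:", sorted(members_used(SESSION_URLS, MEMBERS)))
    print("excepted :", sorted(members_used(
        BUSY_URLS, MEMBERS, exceptions={"downloads.example.com"})))
    print("moved    :", wrongly_moved(BUSY_URLS, MEMBERS, "isa-2", by_host=False))
```

With full-URL keys, one browser session's requests spread across the array, which is what breaks per-server session state; with host-name keys, they stay on one member unless the host is on the exception list.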