Microsoft KB Archive/821098

= Content cache issues on downstream ISA Server computer =

Article ID: 821098

Article Last Modified on 4/4/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1
 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition

-



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
This article discusses problems that you may experience when you cache Hypertext Transfer Protocol (HTTP) content on a downstream Internet Security and Acceleration (ISA) Server. In these scenarios, all the following configuration conditions apply:
 * The downstream ISA Server computer does not request authentication.
 * The downstream ISA Server computer is chaining to an upstream proxy server and you have not set the connection user in the Routing rule of the downstream server.
 * The upstream proxy server requests authentication.

Scenario 1
You may notice that users can retrieve HTTP content, although the upstream proxy server does not allow these users to view the content.

Note This problem is fixed in ISA Server Service Pack 1 (SP1).

Scenario 2
The downstream ISA Server computer no longer caches content, although you want it to cache content for network configuration and performance reasons.

This problem appears only after you install ISA Server SP1 on the downstream ISA Server computer.



Scenario 1
Because of the rule configuration on the upstream proxy server, the downstream ISA Server computer caches requests from users who are permitted to retrieve content. Users who do not have permission to gain access to the same content can request this content because it is served directly from the cache of the downstream ISA Server computer. The content is not requested through the whole proxy chain (downstream/upstream).

Scenario 2
After you install ISA Server SP1 on the downstream ISA Server computer, the computer no longer caches content that requires client authentication at the upstream proxy server.



Scenario 1
To fix this problem, install ISA Server SP1.

The following file is available for download from the Microsoft Download Center:

Download the 821098 package now.

After you install ISA Server SP1 on the downstream ISA Server computer, the computer no longer caches content that requires authentication at the upstream proxy server.

Scenario 2
The fix for this issue is mentioned in the following Knowledge Base article:

830221 Your ISA Server 2000 server stops responding to SSL CONNECT requests

After you install ISA Server SP2 and apply this hotfix, you can set the downstream ISA Server computer to cache or not to cache HTTP content. If you have installed ISA Server SP1 or SP2 on the downstream ISA Server computer, and you want to revert to scenario 1 to enable caching of HTTP content on authenticated requests, through the downstream/upstream chain, make sure that ISA Server SP2 is applied, and then install the hotfix. You must also modify the registry.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Add the following registry subkey on the downstream ISA Server computer:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\ DontMarkSessionAsPrivateifProxyAuthSeen

Set the DWORD value to 1.

Note If you create this registry key, the behavior that scenario 1 describes will return. Be aware of the security issues that are raised in the &quot;Symptoms&quot; section for scenario 1.

If you want the downstream ISA Server computer to disable caching of HTTP content that was retrieved through the downstream/upstream chain through an upstream authentication request, add the following registry subkey on the downstream ISA Server computer:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\ DontMarkSessionAsPrivateifProxyAuthSeen

Set the DWORD value to 0.

Note By default, this is the setting after you install ISA Server SP1 or SP2 on the downstream ISA Server computer.

Keywords: kbhotfixserver kbqfe kbhotfixserver kbqfe kbisaserv2000presp2fix kbsecurity kbcaching kbqfe kbfix kbbug KB821098

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.