Connecting the world…


ISA 2006 Web Chaining

ISA Web Chaining rules define how traffic will be handled by the proxy server. Web request to specific destination can be handled in different ways by ISA:

  1. Retrieve directly from the destination / internet;
  2. Forward to an upstream proxy server;
  3. Redirect the request to a specific server / web page;

The most popular use for Web Chaining is to chain branch office ISA firewalls with main office ISA firewalls. But also combining two ISP connections is a commonly used scenario for Web Chaining. I often use Web Chaining from ISA server with some kind of upstream proxy server. A lot of organizations use ISA as proxy server and some kind of dedicated appliance (maybe in DMZ environment) as content scanner.

With Web Chaining you can forward all request to the upstream proxy server, which will retrieve the specified destination from the internet. Specific website could have problems with being forwarded to the upstream server. I normally use Web Chaining to directly retrieve these website from the internet without being forwarded to the upstream proxy.

To create a Web Chaing Rule, open the ISA Management Console and navigate to Networks. In the center of the Management Console you will find a tab called Web Chaining. The default Web Chaining rule is configured to forward all request to an upstream proxy server.

The following screenshots tell you how to configure an additional Web Chaining rule to directly retrieve the destination ( from the internet.

create_wct Start the creation of a Web Chaining rule by clicking on Task – Create new Web Chaining rule.

This will start the New Web Chaining Rule Wizard.

Enter a valid name for the newly created Web Chaining Rule.

destination_wct Select the destination to which this Web Chaining Rule will apply.

I configured an URL set containing the URL:*

action_wct On the Request Action page, you configure how you want the Web requests to that particular destination routed by the ISA firewall.

The default setting is to route the request directly to the destination Web site. This is exactly what I would like to accomplish.

The last step is Finishing the New Web Chaining Rule Wizard.

The newly created Web Chaining Rule is placed above the Default Web Chaining rule in the Web Chaining tab. The rules are matched sequentially, so now all traffic matching the configured URL set will be retrieved directly from the internet. All other traffic will be forwarded to the upstream proxy server.

DSL Terminology

When configuring DSL or other analog connection, I sometimes have problems with the specific terminologies used in these technologies.  I found a post explaining the terminology used for understanding Cisco DSL statistics. Reading this post helps me remember the terminology.

Taken from the post:

To troubleshoot Layer 1 problems, you can use the show dsl interface atm 0 command to verify that the Cisco 877 router is trained to the DSLAM. If the Cisco 877 router is successfully trained to the DSLAM, this command will also display the trained upstream and downstream speed in kbps.


Noise Margin (also signal-to-noise ratio)
When DSL service is provisioned in a DSLAM, the minimum acceptable noise margin is usually specified. CAP DSL service is typically provisioned with a downstream margin of 3 dB and an upstream margin of 6 dB. Research has shown that the optimum margins for DMT service are 6 dB downstream and 6 dB upstream.


Avoiding configuring a DSL service with more noise margin than appropriate is important because the system will train to an unnecessarily low DSL rate to provide the specified margin. It is also important to avoid specifying an exceptionally low margin, such as 1 dB downstream and 1 dB upstream because a small increase in noise level on the transmission line would probably result in excessive errors and a subsequent retraining to a lower DSL rate.


Increasing the transmit power levels will also improve the noise margin but at the cost of interfering with other services in the same cable.


Most DSLAMs and CPE report both the provisioned and actual noise margins for each DSL line. If the actual margin is higher than the provisioned margin, the line should provide an acceptable error rate at the present DSL line rate. As the actual margin drops below the provisioned margin, there is a high probability of an excessive error rate and subsequent retrain to a lower DSL rate.


Attenuation generally refers to any reduction in the strength of any type of signal, whether digital or analog. More precisely in the case of DSL, attenuation is the normal loss of signal strength over distance. Attenuation specifically is a logarithmic function of the power setting. As power increases, attenuation increases logarithmically. Also called simply loss, attenuation is a natural consequence of signal transmission over long distances. The extent of attenuation is usually expressed in units called decibels (dB).


Capacity Used
Percentage of the capacity that is being used.


Here are ranges for these values that I received from an AT&T provisioning engineer.


For Noise Margin: (the higher this value, the better)
8-13 Average
14-22 Very Good
23-28 Excellent


For Attenuation: (the lower this value, the better)
20-30 Excellent
30-40 Very Good
40-60 Average