About caching Web objects

When objects are cached, Microsoft Forefront Threat Management Gateway appends them to the cache content file. If the cache content file is too full to hold a new object, Forefront TMG removes older objects from the cache, determining which objects to remove by using a formula that evaluates age, how often the object is accessed, and size.

Forefront TMG caches objects to RAM and to the disk. Objects cached to memory can be retrieved faster than objects cached to the disk. By default, 10 percent of the RAM is used for caching objects. All additional objects are cached only to the disk. Generally, more RAM provides faster performance for serving cache objects. Older requests are stored on the hard disk. On large deployments, a high-performance hard disk should be used.

Not all Internet content can be cached. Forefront TMG does not cache Web pages with specific information in the response or request headers, as described in the following table.

| Header type | Details |
| --- | --- |
| Cache-control: no-cache response header | The HTTP 1.1 cache-control header prevents all caching. |
| Cache-control: private response header | The HTTP 1.1 cache-control: private header indicates that the object must not be stored in a shared cache and is intended only for the specific client. |
| Pragma: no-cache response header | HTTP 1.0 servers cannot use the cache-control header. The pragma: no-cache header ensures that if the client communicates with the server over a secure HTTPS connection and the server returns a pragma: no-cache header with the response, the response is not cached. |
| WWW-authenticate response header | Indicates that authentication is required. |
| Set-cookie response header | Indicates a page that uses a browser cookie to identify the user. |
| Authorization request header | The response is not cached unless the origin server explicitly allows it by including a "cache-control: public" header in the response. |
| Cache-control: no-store request header | Indicates that the cache must not store any part of either the request or any response to it. |

If a Web site does not have appropriately configured cache-control directives for content that should not be cached, Forefront TMG may return user content to a malicious user.
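The following is an added example, not part of the original article and not Forefront TMG's own logic: a simplified Python model of the header table above that reports which rows, if any, keep a response out of the cache. The function names and sample exchanges are constructed for illustration; a user-specific response with no blocking row is the case the last paragraph warns about.

```python
# Added example: a simplified model of the header table above, not Forefront TMG's code.
# All function names and sample exchanges are constructed for illustration.

def _lower(headers):
    return {name.lower(): value for name, value in headers.items()}

def _tokens(headers, name):
    """Directive names of a comma-separated header, e.g. {'private', 'max-age'}."""
    parts = headers.get(name, "").split(",")
    return {p.split("=")[0].strip().lower() for p in parts if p.strip()}

def blocking_reasons(request_headers, response_headers):
    """Return the table rows that keep this response out of the cache."""
    req, resp = _lower(request_headers), _lower(response_headers)
    resp_cc = _tokens(resp, "cache-control")
    checks = [
        ("Cache-control: no-cache response header", "no-cache" in resp_cc),
        ("Cache-control: private response header", "private" in resp_cc),
        # The page describes this row for HTTPS; the transport is not modelled here.
        ("Pragma: no-cache response header", "no-cache" in _tokens(resp, "pragma")),
        ("WWW-authenticate response header", "www-authenticate" in resp),
        ("Set-cookie response header", "set-cookie" in resp),
        # Exception from the table: "cache-control: public" re-enables caching.
        ("Authorization request header",
         "authorization" in req and "public" not in resp_cc),
        ("Cache-control: no-store request header",
         "no-store" in _tokens(req, "cache-control")),
    ]
    return [row for row, hit in checks if hit]

# Constructed exchanges: (label, request headers, response headers).
SAMPLES = [
    ("account page, no directives",
     {"Cookie": "session=EXAMPLE"}, {"Cache-Control": "max-age=600"}),
    ("account page, marked private",
     {"Cookie": "session=EXAMPLE"}, {"Cache-Control": "private, max-age=600"}),
    ("API call with credentials",
     {"Authorization": "Basic EXAMPLE"}, {"Content-Type": "application/json"}),
    ("API call, origin opted in",
     {"Authorization": "Basic EXAMPLE"}, {"Cache-Control": "public, max-age=60"}),
]

def audit(samples=SAMPLES):
    """Map each label to its blocking rows; an empty list means cacheable."""
    return {label: blocking_reasons(req, resp) for label, req, resp in samples}

if __name__ == "__main__":
    for label, reasons in audit().items():
        print(f"{label}: {'; '.join(reasons) or 'CACHEABLE, review if user-specific'}")
```

The first sample shows the gap: a request carrying a Cookie header is not one of the table's rows, so a personalized page served without a cache-control directive is reported as cacheable.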