HTTP Traffic Cop
Major enhancements to ISA Server 2006 include better bandwidth controls and improved monitoring.
Microsoft has taken a good product and made it better in many ways. Internet Security and Acceleration Server (ISA) 2006 may look similar to ISA 2004, but it has some major upgrades. For one, it makes publishing resources from your internal network and DMZ much easier, especially if you're running Exchange and SharePoint. New authentication methods like straight LDAP without RADIUS help you verify users in whichever way makes the most sense for your situation.
Microsoft ISA 2006
Reviewed: Beta 2
Current Status: Beta 2 (early 2006)
Expected Release: Late 2006/early 2007
Playing with Bandwidth
ISA can preserve bandwidth by compressing HTTP content. This is useful when you have a slow WAN link between your clients and the ISA server. ISA uses GZIP and Deflate compression algorithms to eliminate redundant data and reduce file size. Windows 2000 and 2003 support both of these algorithms, as long as the client is using Internet Explorer 4.0 or higher.
ISA also controls bandwidth for all HTTP and HTTPS traffic. This lets you give certain packets preferential treatment based on their destination. ISA does this with the Differentiated Services protocol, which uses a tag in the header of each packet to assign priority. Packet prioritization applies to all HTTP and HTTPS traffic passing through ISA, rather than being tied to specific firewall rules. After you enable packet prioritization, you configure the URLs and domains to which it will be applied.
ISA 2006's flood mitigation protection keeps you safe from virus outbreaks and malicious attacks. It identifies clients generating excessive traffic that are likely infected with worms, viruses or spyware. You can configure the maximum number of TCP and HTTP requests per minute per IP address.
It will also control the maximum number of concurrent connections, half-open connections and non-TCP connections. You can configure ISA to simply drop this traffic or to drop and log it. The default flood mitigation settings ensure that ISA Server will still function, even under flood attack. It denies malicious traffic while serving all other traffic.
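The per-IP request ceiling described above can be modelled as a sliding one-minute window with a choice between dropping and dropping with a log entry. This is an added example, not ISA Server's code or the reviewer's; the class and function names, the limit of 30 and the constructed traffic (documentation-range addresses) are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # the review describes limits "per minute per IP address"


class FloodMitigator:
    """Sliding-window request limiter keyed by client IP (names are hypothetical)."""

    def __init__(self, max_requests_per_minute, log_blocked=True):
        self.limit = max_requests_per_minute
        self.log_blocked = log_blocked      # "drop" versus "drop and log"
        self.history = defaultdict(deque)   # ip -> timestamps of allowed requests
        self.blocked_log = []               # (timestamp, ip) for each logged drop

    def handle(self, timestamp, client_ip):
        window = self.history[client_ip]
        # Forget requests that have aged out of the one-minute window.
        while window and timestamp - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= self.limit:
            if self.log_blocked:
                self.blocked_log.append((timestamp, client_ip))
            return "drop"
        window.append(timestamp)
        return "allow"


def replay(events, limit, log_blocked=True):
    """Feed (timestamp, ip) events through the limiter; return per-IP tallies and the log."""
    mitigator = FloodMitigator(limit, log_blocked)
    tally = defaultdict(lambda: {"allow": 0, "drop": 0})
    for timestamp, ip in sorted(events):
        tally[ip][mitigator.handle(timestamp, ip)] += 1
    return dict(tally), mitigator.blocked_log


# Constructed traffic: one ordinary client and one client sending two requests
# per second for a minute, as a worm-infected host might.
SAMPLE_EVENTS = [(t, "192.0.2.10") for t in (0, 20, 40)]
SAMPLE_EVENTS += [(i * 0.5, "192.0.2.50") for i in range(120)]

if __name__ == "__main__":
    tally, blocked = replay(SAMPLE_EVENTS, limit=30)
    for ip, counts in sorted(tally.items()):
        print(ip, counts)
    print("logged drops:", len(blocked))
```

Only the noisy client is throttled, so other clients keep being served, which is the behaviour the review attributes to the default settings.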
Improved traffic monitoring is another ISA 2006 highlight. Many other firewalls provide no logging or make it difficult to use the data. ISA displays live traffic as it comes through your firewall, telling you if the traffic was allowed or denied and which firewall rule rendered the decision. This makes it easy to associate a denial with a specific rule. ISA 2006 generates data on log time, client IP, destination IP, destination port, protocol, action, rules, result code, HTTP status code, client username, source network, destination network, URL, server name and log record type.
Speaks Fluent Link
If your intranet is published to the outside world or if your public Web site has any references to internal computers, ISA can help map and maintain those connections. Those references would otherwise appear as broken links because internal domain names are inaccessible from the Internet. ISA's link translation uses a dictionary of definitions for internal computer names that map to publicly known names. It automatically builds this dictionary as you create Web publishing rules.
You can also manually add explicit mappings to the dictionary. This saves you from having to redo all your Web code to point to public names. When an internal name is returned to the outside, ISA will replace the internal name with the external name as defined in the dictionary. The updated link translation in ISA 2006 supports additional character sets and is automatically activated when you create a Web server publishing rule.
After almost a month, there really haven't been any problems with ISA 2006. It's the best version of ISA so far. The monitoring immediately pinpoints which rule is blocking traffic. The new security features like flood mitigation and bandwidth management features like HTTP compression and packet prioritization are reasons enough to upgrade as soon as ISA 2006 goes live.
Although Beta Man is anonymous, please feel free to contact him/her about this review or other betas.