Beta Man

Deja Vu

ISA Server 2006 is similar to its predecessor, but there's enough new stuff to make it worth a look.

When I first loaded Internet Security and Acceleration Server 2006 (ISA 2006), I thought I might have grabbed my old ISA 2004 CD by mistake. The two versions look identical. If you've been following Microsoft's firewall, you've probably gotten used to seeing drastic changes between versions. That's not the case this time around.

That first impression changed once I spent a few days digging into ISA 2006. This is a refined upgrade that adds enough functionality to warrant a close look by IT shops now running ISA 2004.

Microsoft put a lot of work into improving server publishing with ISA 2006. Publishing servers is the process of making the servers on your internal network or in your demilitarized zone (DMZ) available to Internet clients. This is tricky business, because you must walk a fine line between opening enough ports to allow access while not increasing your vulnerability. It is on this fine line that ISA 2006 really shines.

Microsoft ISA 2006
Version Reviewed: Beta 2
Current Status: Beta 2 (early-2006)
Expected Release: Late 2006/early 2007

Launch the correct wizard, fill in the required information and ISA creates a rule set for you. No more worrying about which ports to allow. ISA 2006 includes wizards for publishing the following:

  • Exchange Web Clients -- such as Outlook Web Access (OWA), RPC/HTTPS, Outlook Mobile Access (OMA) and Exchange ActiveSync
  • Mail Servers running RPC, IMAP, POP3, SMTP or NNTP
  • SharePoint Sites
  • Web Sites

You can also publish non-Web/mail server protocols such as DNS, FTP, SQL, MMS, Telnet or RDP. There are 117 built-in protocols to work with, or you can create a custom rule for any protocol if you know the port number.

When publishing servers you can choose to restrict access to authenticated users or allow all users full access. ISA 2006 supports the following types of authentication:

  • RADIUS: Lets ISA grant domain authentication without having to join the ISA server to the domain.
  • LDAP: Lets ISA authenticate users via LDAP without a RADIUS server and without joining the domain. You specify the domain controllers to use, and whether you want to secure communications with LDAPS (Secure LDAP).
  • Single Sign-On: Lets users authenticate once with ISA 2006, then access any number of servers behind it without having to re-authenticate (seamlessly moving between SharePoint sites and OWA, for example).
  • Forms-based authentication: Now lets you customize forms. There is also a new level that uses a passcode/password combination, where the passcode is for ISA 2006 authentication and the password is for authentication delegation.
  • Two-factor authentication: ISA 2006 uses forms-based authentication and a client certificate for improved security.
  • Delegation: ISA 2006 can delegate credentials using NTLM or Kerberos authentication.
  • Digital certificates: ISA 2006 can assign digital certificates to a specific IP address on a network adapter.
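To make concrete what a generated publishing rule set actually controls (the listener ports it opens, a default deny for everything else, which URL paths are forwarded, and whether a request must be authenticated before it reaches the published server), here is an added example in Python that models such rules. It is not ISA code and does not use ISA's administration API; the rule names, URL paths, internal host names and group names are constructed sample values, and the request path is normalized before matching so that a `..` segment cannot slip a request past a narrow path prefix.

```python
"""Simplified model of reverse-proxy "server publishing" rules.

This is an illustrative model, not ISA Server's real rule engine or API.
It shows the properties a publishing rule set gives you: only the listed
listener ports are ever exposed, a request that matches no rule is denied,
a rule forwards only the paths it names, and authentication can be required
per rule before the request is delegated to the internal server.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PublishingRule:
    """One publishing rule: external port, forwarded paths, destination, access control."""
    name: str
    listener_port: int                 # the only external port this rule opens
    path_prefixes: Tuple[str, ...]     # URL paths forwarded by this rule
    internal_server: str               # where matching requests are delegated
    require_auth: bool = True          # anonymous requests denied unless False
    allowed_groups: frozenset = frozenset()  # empty: any authenticated user


@dataclass(frozen=True)
class Request:
    """An inbound client request as the external listener sees it."""
    port: int
    path: str
    user: Optional[str] = None         # None means anonymous
    groups: frozenset = frozenset()    # groups the authenticated user belongs to


def exposed_ports(rules: Sequence[PublishingRule]) -> List[int]:
    """The complete set of external ports the rule set opens; nothing else listens."""
    return sorted({rule.listener_port for rule in rules})


def _path_matches(path: str, prefix: str) -> bool:
    """Prefix match on whole path segments: '/owa' matches '/owa/x' but not '/owa2'."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def evaluate(rules: Sequence[PublishingRule], req: Request) -> Tuple[str, str]:
    """First matching rule wins; no match means deny (the default-deny posture)."""
    # Collapse '.' and '..' segments before any prefix comparison.
    path = posixpath.normpath(req.path)
    if not path.startswith("/") or path.startswith("//"):
        return ("deny", "malformed path")
    for rule in rules:
        if req.port != rule.listener_port:
            continue
        if not any(_path_matches(path, p) for p in rule.path_prefixes):
            continue
        if rule.require_auth:
            if req.user is None:
                return ("deny", f"{rule.name}: authentication required")
            if rule.allowed_groups and not (req.groups & rule.allowed_groups):
                return ("deny", f"{rule.name}: user not in an allowed group")
        return ("allow", rule.internal_server)
    return ("deny", "no matching publishing rule (default deny)")


# Constructed sample rule set, modelled on the kind of rules the wizards produce.
RULES = (
    PublishingRule("Exchange Web Client", 443,
                   ("/owa", "/exchange", "/Microsoft-Server-ActiveSync"),
                   "mail01.corp.example"),
    PublishingRule("SharePoint", 443, ("/sites",), "portal01.corp.example",
                   allowed_groups=frozenset({"Domain Users"})),
    PublishingRule("Public web site", 80, ("/",), "www01.corp.example",
                   require_auth=False),
)


if __name__ == "__main__":
    print("exposed ports:", exposed_ports(RULES))
    samples = [
        Request(443, "/owa/auth/logon.aspx"),
        Request(443, "/owa/auth/logon.aspx", user="alice"),
        Request(443, "/owa/../sites/hr", user="alice", groups=frozenset({"Contractors"})),
        Request(80, "/index.html"),
        Request(3389, "/"),
    ]
    for sample in samples:
        print(sample.port, sample.path, sample.user, "->", evaluate(RULES, sample))
```

The third sample request is the case worth noticing: the path `/owa/../sites/hr` arrives on a port that has an OWA rule, but after normalization it is `/sites/hr`, so it is judged by the SharePoint rule and its group restriction rather than by the looser Exchange rule it was dressed up as.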
Figure 1 (Traffic cop). ISA 2006 lets you view and log traffic as it passes through your firewall.

ISA sports other new publishing features as well. When publishing Exchange servers, it asks which version of Exchange you're running and will only create rules for the features supported in that version. The wizard supports Exchange 5.5, 2000, 2003 and 2007. You can also publish a web farm (groups of servers offering the same data). In this case, ISA 2006 functions as a load balancer and distributes traffic across all machines in the farm.

Next month we'll look at some of the other, more granular new features like content compression and bandwidth control.

About the Author

Although Beta Man is anonymous, please feel free to contact him/her about this review or other betas.
