ISA Server 2006 is similar to its predecessor, but there's enough new stuff to make it worth a look.
When I first loaded Internet Security Acceleration Server 2006 (ISA 2006), I thought I might have grabbed my old ISA 2004 CD by mistake. The two versions look identical. If you've been following Microsoft's firewall, you've probably gotten used to seeing drastic changes between versions. That's not the case this time around.
That first impression changed once I spent a few days digging into ISA 2006. This is a refined upgrade that adds enough functionality to warrant a close look by IT shops now running ISA 2004.
Microsoft put a lot of work into improving server publishing with ISA 2006.
Publishing servers is the process of making the servers on your internal network
or in your demilitarized zone (DMZ) available to Internet clients. This is tricky
business, because you must walk a fine line between opening enough ports to
allow access while not increasing your vulnerability. It is on this fine line
that ISA 2006 really shines.
Microsoft ISA 2006
Reviewed: Beta 2
Current Status: Beta 2 (early-2006)
Expected Release: Late 2006/early 2007
Launch the correct wizard, fill in the required information and ISA creates
a rule set for you. No more worrying about which ports to allow. ISA 2006 includes
wizards for publishing the following:
- Exchange Web Clients -- such as Outlook Web Access (OWA), RPC/HTTPS, Outlook
Mobile Access (OMA) and Exchange ActiveSync
- Mail Servers running RPC, IMAP, POP3, SMTP or NNTP
- SharePoint Sites
- Web Sites
- You can also publish non-Web/mail server protocols such as DNS, FTP, SQL,
MMS, Telnet or RDP. There are 117 built-in protocols to work with, or you
can create a custom rule for any protocol if you know the port number.
- When publishing servers you can choose to restrict access to authenticated
users or allow all users full access. ISA 2006 supports the following types
- Radius: Lets ISA grant domain authentication without having to join the
ISA server to the domain.
- LDAP: Lets ISA authenticate users via LDAP without a Radius server and
without joining the domain. You specify the domain controllers to use, and
whether you want to secure communications with LDAPS (Secure LDAP).
- Single Sign-On: Lets users authenticate once with ISA 2006, then access
any number of servers behind it without having to re-authenticate (seamlessly
moving between SharePoint sites and OWA, for example).
- Forms-based authentication: Now lets you customize forms. There is also
a new level that uses a passcode/password combination, where the passcode
is for ISA 2006 authentication and the password is for authentication delegation.
- Two-factor authentication: ISA 2006 uses forms-based authentication and
a client certificate for improved security.
- Delegation: ISA 2006 can delegate credentials using NTLM or Kerberos authentication.
- Digital certificates: ISA 2006 can assign digital certificates to a specific
IP address on a network adapter.
[Click on image for larger view.]
|Figure 1. ISA 2006 lets you
view and log traffic as it passes through your firewall.
ISA sports other new publishing features as well. When publishing Exchange
servers, it asks which version of Exchange you're running and will only create
rules for the features supported in that version. The wizard supports Exchange
5.5, 2000, 2003 and 2007. You can also publish a web farm (groups of servers
offering the same data). In this case, ISA 2006 functions as a load balancer
and distributes traffic across all machines in the farm.
Next month we'll look at some of the other, more granular new features like
content compression and bandwidth control.
Although Beta Man is anonymous, please feel free to contact him/her about this review or other betas.