Beta Man

HTTP Traffic Cop

Major enhancements to ISA Server 2006 include better bandwidth controls and improved monitoring.

Microsoft has taken a good product and made it better in many ways. Internet Security and Acceleration Server (ISA) 2006 may look similar to ISA 2004, but it has some major upgrades. For one, it makes publishing resources from your internal network and DMZ much easier, especially if you're running Exchange and SharePoint. New authentication methods like straight LDAP without RADIUS help you verify users in whichever way makes the most sense for your situation.

Microsoft ISA 2006
Version Reviewed: Beta 2
Current Status: Beta 2 (early 2006)
Expected Release: Late 2006/early 2007

Playing with Bandwidth
ISA can preserve bandwidth by compressing HTTP content. This is useful when you have a slow WAN link between your clients and the ISA server. ISA uses GZIP and Deflate compression algorithms to eliminate redundant data and reduce file size. Windows 2000 and 2003 support both of these algorithms, as long as the client is using Internet Explorer 4.0 or higher.

ISA also controls bandwidth for all HTTP and HTTPS traffic. This lets you give certain packets preferential treatment based on their destination. ISA does this with the Differentiated Services protocol, which uses a tag in the header of each packet to assign priority. Packet prioritization applies to all HTTP and HTTPS traffic passing through ISA, rather than to specific firewall rules. After you enable packet prioritization, you configure the URLs and domains to which it will be applied.

Flood Watch
ISA 2006's flood mitigation protection keeps you safe from virus outbreaks and malicious attacks. It identifies clients generating excessive traffic that are likely infected with worms, viruses or spyware. You can configure the maximum number of TCP and HTTP requests per minute per IP address.

It will also control the maximum number of concurrent connections, half-open connections and non-TCP connections. You can configure ISA to simply drop this traffic or to drop and log it. The default flood mitigation settings ensure that ISA Server will still function, even under flood attack. It denies malicious traffic while serving all other traffic.

Improved traffic monitoring is another ISA 2006 highlight. Many other firewalls provide no logging or make it difficult to use the data. ISA displays live traffic as it comes through your firewall, telling you if the traffic was allowed or denied and which firewall rule rendered the decision. This makes it easy to associate a denial with a specific rule. ISA 2006 generates data on log time, client IP, destination IP, destination port, protocol, action, rules, result code, HTTP status code, client username, source network, destination network, URL, server name and log record type.

Speaks Fluent Link
If your intranet is published to the outside world or if your public Web site has any references to internal computers, ISA can help map and maintain those connections. Those references would otherwise appear as broken links because internal domain names are inaccessible from the Internet. ISA's link translation uses a dictionary of definitions for internal computer names that map to publicly known names. It automatically builds this dictionary as you create Web publishing rules.

You can also manually add explicit mappings to the dictionary. This saves you from having to redo all your Web code to point to public names. When an internal name is returned to the outside, ISA will replace the internal name with the external name as defined in the dictionary. The updated link translation in ISA 2006 supports additional character sets and is automatically activated when you create a Web server publishing rule.
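The dictionary approach described above can be modeled in a few lines. This is an added example, not ISA Server's own implementation: the hostnames, the sample page and both function names are hypothetical, and mapping by URL prefix is an assumption. It also lists internal names the dictionary missed, which would otherwise reach outside users as broken links that disclose internal naming.

```python
import re

# Constructed sample dictionary: internal URL prefix -> public URL prefix.
# All hostnames here are hypothetical.
LINK_MAP = {
    "http://intranet": "https://www.example.com",
    "http://intranet/hr": "https://hr.example.com",
    "http://sps01:8080": "https://portal.example.com",
}

# Constructed sample response body from a published internal web server.
SAMPLE_BODY = (
    '<a href="http://intranet/hr/leave.aspx">Leave</a>\n'
    '<a href="http://intranet/news.aspx">News</a>\n'
    '<img src="http://sps01:8080/logo.png">\n'
    '<a href="http://intranet2/wiki">Wiki</a>\n'
    '<a href="http://files01/share/doc.pdf">Doc</a>\n'
)


def translate_links(body, link_map):
    """Replace internal URL prefixes with their public equivalents."""
    # Longest prefix first so "http://intranet/hr" wins over "http://intranet".
    keys = sorted(link_map, key=len, reverse=True)
    # The lookahead stops "http://intranet" from matching "http://intranet2".
    pattern = re.compile(
        "(" + "|".join(re.escape(k) for k in keys) + r")(?![A-Za-z0-9.-])",
        re.IGNORECASE,
    )
    lowered = {k.lower(): v for k, v in link_map.items()}
    return pattern.sub(lambda m: lowered[m.group(1).lower()], body)


def untranslated_hosts(body, public_suffix):
    """Return hosts still referenced in body that are outside the public domain."""
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", body)
    return sorted({h.lower() for h in hosts if not h.lower().endswith(public_suffix)})


if __name__ == "__main__":
    out = translate_links(SAMPLE_BODY, LINK_MAP)
    print(out)
    print("still internal:", untranslated_hosts(out, ".example.com"))
```

Any host reported as still internal needs an explicit dictionary entry or a fix in the page source before the site is published.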

Final Verdict
After almost a month, there really haven't been any problems with ISA 2006. It's the best version of ISA so far. The monitoring immediately pinpoints which rule is blocking traffic. New security features like flood mitigation, and bandwidth management features like HTTP compression and packet prioritization, are reason enough to upgrade as soon as ISA 2006 goes live.

About the Author

Although Beta Man is anonymous, please feel free to contact him/her about this review or other betas.

