Microsoft Releases Application Request Router 3.0
Microsoft announced the release of Application Request Router (ARR) 3.0 late last week.
ARR 3.0 is a routing module that works with Internet Information Services (IIS) 7.0 on Windows Server 2008 or IIS 8.0 on Windows Server 2012. Of late, Microsoft has recommended the use of ARR as a reverse-proxy replacement for its Threat Management Gateway (TMG) 2010 product, which Microsoft no longer sells.
The most notable feature in ARR 3.0 is its support for the WebSocket protocol, but that's just available for organizations running Windows Server 2012 with IIS 8.0. ARR 3.0 can now distinguish WebSocket requests from HTTP requests, which is something that the previous release, ARR 2.5, couldn't do.
WebSocket is an Internet Engineering Task Force protocol as well as an API candidate recommendation of the Worldwide Web Consortium. It's designed to enable two-way traffic between a client and server for Web applications. It contrasts with the one-way traffic model of HTTP. Having WebSocket support will open up scenarios for more interesting applications, according to Microsoft.
Other new features in ARR 3.0 include "support for application-triggered session affinity opt out," URL health monitoring retries, "failcheck reliability improvements" and fixes for various software flaws, according to Microsoft's announcement of ARR 3.0. The announcement also includes download links. ARR 3.0 also can be obtained through Microsoft's Web Platform Installer.
Microsoft has explained that ARR can serve as a reverse-proxy substitute for its deprecated TMG 2010 product. Another option is to use Microsoft's Unified Access Gateway 2010 Service Pack 3 product, released in February, although it's considered to be more expensive than TMG 2010. Microsoft has published some outlines on how ARR can enable reverse-proxy support for both Exchange Server 2013 and Lync Server 2013.
While TMG 2010 has been used as a preauthentication traffic check to keep unauthorized users from trying to access Exchange Server, Microsoft has argued that this preauthentication check may not be necessary with its newer Exchange Server products. That view is countered by Microsoft's partners that sell load balancing and application delivery controller products. They contend that it's still better to take the authentication load off Exchange to avoid potential problems that can occur should distributed denial of service attacks be launched.
In any case, installing ARR does not add preauthentication checks, according to Roop Sankar of the Microsoft Exchange team.
"IIS ARR doesn't provide any pre-authentication. If pre-auth is a requirement then you can look at Web Application Proxy (WAP) which is available in Windows Server 2012 R2," Sankar explained in this Exchange team blog post.
Microsoft's Web Application Proxy is a remote access role for Windows Server 2012 R2 that can be used to support a browser- and device-based authentication scheme in conjunction with Active Directory Federation Services, according to Greg Taylor, principal program manager lead for the Exchange customer adoption team at Microsoft. WAP currently supports preauthentication just for Outlook Web App users. It doesn't support users of Microsoft's Outlook Anywhere or Exchange ActiveSync protocols, he explained.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.