Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


October 2004

What You Need to Know About Microsoft Internet Security and Acceleration Server 2004



Microsoft followed up its first attempt at a firewall and Internet-caching product, dubbed Microsoft Proxy Server, with a far more impressive software release--Microsoft Internet Security and Acceleration (ISA) Server 2000. ISA Server 2000 offers multilayer enterprise firewall capabilities, Web proxy and caching services, stateful packet inspection, and other advanced security features in a scalable, high-performance software package. Four years later, Microsoft is ready to unleash its third-generation firewall product, ISA Server 2004. The new version will offer an even wider range of features and functionality, including an interesting hardware-based option that might appeal to large enterprises. Here's what you need to know about ISA Server 2004.

Application-Level Security and Integration with Microsoft Services
The biggest improvement in ISA Server 2004 is its ability to perform deep-level stateful inspection (i.e., application-level filtering) of HTTP connections. This feature will be a boon to Microsoft-oriented shops because ISA Server 2004 will intelligently filter network traffic to and from Microsoft server products such as Microsoft Exchange Server, Internet Information Services (IIS), and Windows SharePoint Services (WSS). You can also use ISA Server policies to enforce secure connections between Exchange Server and Microsoft Outlook, although you need to configure the Outlook client to use secure remote procedure calls (RPCs).

You use a rules-based mechanism to configure custom settings for ISA Server 2004's packet-inspection features for both inbound and outbound network traffic. Advanced users can configure ISA Server 2004 to work with the Windows 2003 VPN Quarantine tools that are available in the Windows Server 2003 Resource Kit. Although difficult to configure, these tools ensure that no client systems can connect to the network until they have the latest security patches and other software that your enterprise deems necessary.

Simpler Management Tools
ISA Server 2004 ships with a redesigned Microsoft Management Console (MMC)-based management console that sports simple wizards and task lists to help you achieve certain configurations for the wide range of network topologies that ISA Server supports. For example, the management console makes it fairly simple to set up ISA Server 2004 out of the box as an edge server or as a node in a multipronged environment that includes internal, perimeter, external, VPN, and other network zones, each with its own policies and routing rules. The policy editor is particularly well designed, with a Visual Studio (VS)-inspired drag-and-drop editing feature that lets you drop features onto rules to create policies. The editor is XML-based, so you can import and export configurations for backup or for multiple-machine deployments.

I can't overstate the importance of the new easy-to-use UI. Firewall misconfiguration is one of the most common causes of security breaches through firewalls. The straightforward configuration, coupled with the ease of updating a software-based solution, gives ISA Server 2004 an edge over most hardware-based firewalls.

ISA Server 2004 also includes a new monitoring dashboard that presents a summary view of session state, alerts, events, performance, and other criteria. And a real-time log viewer displays ISA Server's firewall, Web Proxy, and SMTP Message Screener logs.

Optional Hardware Device Support
Select Microsoft partners, including Celestix Networks, HP, and Network Engines, will ship ISA Server-based firewall appliances, most of which target midsized or large companies. Essentially single-purpose Windows 2003 servers with semi-closed architectures, these boxes will offer the complete feature set of ISA Server 2004 and the flexibility of an appliance. Hardware vendors provide the service for these devices, giving customers a single point of contact for sales, service, and support. Because of pricing ($3000 and up for low-end boxes and $10,000 and up for rack-mounted solutions), these appliances won't serve small businesses well. I'd like to see Microsoft work with its hardware partners to develop low-cost firewall appliances as well.

Recommendations
ISA Server 2004 is a huge improvement over its predecessor, but it does have several downsides. One major limitation is that it doesn't fully integrate with Microsoft Small Business Server (SBS) 2003 and that product's unique (and arguably superior) management tools. However, Microsoft says that it's working on SBS 2003 integration and will have a more elegant solution in the future. And until the Windows 2003 update, code-named R2 for Release 2, includes a better quarantine feature, quarantine functionality won't be widely deployed. Finally, ISA Server 2004 is very much Microsoft oriented: Although it will work in a heterogeneous environment, it won't integrate with non-Microsoft servers unless third-party developers come up to speed and release add-on products that build on ISA's extensible platform.




Reader Comments
"And until the Windows 2003 update, code-named R2 for Release 2, includes a better quarantine feature, quarantine functionality won't be widely deployed"

Can you elaborate on (explain) this comment?

regards,

Kizzy

kizzy September 29, 2004


It amazes me how no one bangs on about the ability to control access by users and groups. With the number of ways users can connect to networks these days; wireless, IPSEC VPN, SSL VPN, LAN, Mobile, Dial-up etc, it is hard work to control networks based on source address. Checkpoint's user facilities are dismal. At Infosec this year I spoke to some Checkpoint people about this very thing. They said they could send somebody along to help!! How difficult is it if there is no real training or documentation for it that a person can use themselves?

I agree with the quarantine functionality statement. I attended an ISA 2004 Hands-on day run by MS and it's extremely long-winded and tricky to implement at the moment.

Edvaldo

Edvaldo September 30, 2004


I agree with Edvaldo. This is one of the killer features of the ISA firewall's VPN server component! You can get very fine-tuned user/group-based access control over exactly what servers, using specific protocols, users can access on the corpnet. AND, you can log the user name, source address, destination address, protocol, and APPLICATION they used when they connected to the corporate network. Nice! Maybe Windows IT Pro magazine will want me to do an article on the ISA firewall's one-of-a-kind VPN server? :-)
Thanks! Tom Shinder, MVP ISA Firewalls

kdkdkdkdkd October 27, 2004




 
 Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.