ISA Server 2006, the third edition of Microsoft's advanced firewall and proxy server, is due for release in the second half of 2006. New features in ISA Server 2006 include simplified branch office deployment, a new Microsoft Operations Manager (MOM) management pack, attack detection tools, worm flood protection, HTTP traffic compression, improved support for Background Intelligent Transfer Service (BITS), and new publishing tools and options. Although ISA Server 2006 promises to be an evolutionary, rather than revolutionary, version of the product, I find some of the revisions to be significant and worthy of investigation. In particular, if you've struggled to publish Exchange Web Client Access or SharePoint sites, or if Network Load Balancing (NLB) clusters mystify you, you'll find the improvements in ISA Server 2006 much more admin-friendly. Let's focus here on the publishing tasks that debut in ISA Server 2006. We'll look at how to configure Web listeners and survey the options for publishing server farms, Exchange Web Client access, and SharePoint sites.
Configuring a Web Listener
A Web listener is the technology that allows HTTP clients from outside an organization's network to connect to services hosted within the network. In general, an administrator configures a specific Web listener for each HTTP-based service (e.g., Exchange Web access, a Web site, a SharePoint site) that he or she wants to publish to external clients. Configuring Web listeners in ISA Server 2006 requires more effort than it does in ISA Server 2004, even though in both versions you configure Web listeners from the Toolbox pane of the ISA Server Management console.
The first step, which is common to both ISA Server 2004 and 2006, is configuring a Web listener name. The second step is new to ISA Server 2006 and requires you to specify whether to publish services over HTTPS only or over HTTP. If you choose to publish over HTTPS only, you must install a Secure Sockets Layer (SSL) certificate on the ISA Server 2006 computer before configuring the Web listener.
In the third step, you specify those ISA networks, with their IP addresses, that will be listening for incoming Web requests. The method for doing so is almost identical in ISA Server 2004 and 2006. On the SSL certificate management screen, you can choose to use a single certificate for the Web listener or individual certificates for each IP address you specified earlier. If you use multiple certificates, they must be installed before you begin this step.
Another new ISA Server 2006 addition to configuring Web listeners is the Authentication Settings page, which Figure 1 shows. The drop-down menu offers HTML Form Authentication, HTTP Authentication, SSL Client Certificate Authentication, or No Authentication. The validation options depend heavily on the authentication scheme you choose. For example, it's possible to collect user delegation credentials in a form, request an SSL certificate, and specify how ISA Server 2006 will validate credentials. Validation options are Active Directory (AD) Windows or LDAP, Remote Authentication Dial-In User Service (RADIUS), RADIUS One-Time Password (OTP), and RSA SecurID.
If you select HTML Form Authentication, the next screen lets you configure single sign-on (SSO) authentication. SSO lets a user authenticate once for all sites that the ISA Server 2006 computer publishes through a particular Web listener. To configure SSO, you must enter the SSO domain name. If you don't choose HTML Form Authentication, SSO isn't an option.
In both ISA Server 2004 and 2006, the final screen summarizes the choices you've made. Clicking Finish enables use of the Web listener.
Load-Balancing Web Servers
ISA Server 2006 simplifies publishing load-balanced servers to such an extent that even the greenest Help desk technician can do it. The advantage over third-party appliances is that ISA Server 2006 makes it child's play to load-balance protected Web servers. Administrators need not implement NLB on the servers themselves, a task that isn't straightforward at the best of times. To take advantage of this new feature, you must use the Server Farm Definition Wizard to configure a new server farm. You can access the wizard by right-clicking the Server Farms object and selecting the New Server Farm option from the context menu. You can find the Server Farms object in the Network Object area under Web Listeners in the ISA Server Management console.
The first page of the wizard requires you to name the server farm. The second page lets you add the names or IP addresses of computers in the farm. Remember that ISA Server manages the load-balancing process: If you have existing NLB load-balanced Web servers, you need to publish the load-balanced cluster as a typical server.
The subsequent dialog lets you configure server monitoring. Rather than relying on network load-balancing heartbeats, ISA Server 2006 determines whether a server in the farm has stopped responding by sending an HTTP/HTTPS GET request, sending a Ping request, or attempting a TCP connection to a specified port. Although these methods determine whether a server is responding or not, they don't check the server's current load, a feature of the more-complicated-to-configure NLB.
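To make the connectivity-verification methods concrete, here is an added Python emulation (my own code, not part of ISA Server) of the HTTP GET and TCP-connection probes, run against a constructed local stub farm member; the Ping option is omitted because ICMP needs raw-socket privileges, and the stub server and helper names are my assumptions.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class _StubMember(BaseHTTPRequestHandler):
    """Constructed stand-in for a healthy farm member: answers any GET with 200."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args):  # silence per-request logging
        pass

def start_stub_member():
    """Start a stub member on 127.0.0.1 and an ephemeral port; return that port."""
    srv = HTTPServer(("127.0.0.1", 0), _StubMember)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def unused_port():
    """Pick a port nothing listens on, to simulate a member that has gone down."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def tcp_check(host, port, timeout=1.0):
    """'Establish a TCP connection to a specified port': connect succeeds -> up."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_get_check(host, port, path="/", timeout=1.0):
    """'Send an HTTP GET request': up only when a 2xx/3xx status comes back."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return 200 <= status < 400
    except OSError:
        return False

def probe_farm(members, method="http"):
    """Return {name: up?} per (host, port); reports reachability only, not load."""
    check = http_get_check if method == "http" else tcp_check
    return {name: check(host, port) for name, (host, port) in members.items()}
```

A member that reports False should leave the rotation until a later probe succeeds; note that a member can pass both probes while being badly overloaded.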
After you've configured the server farm, you need to publish the Web sites. To do so, select Publish Web Sites from the Tasks pane in the ISA Server Management console. The wizard that initiates is similar to the wizard in ISA Server 2004—until you encounter the Publishing Type page, which Figure 2 shows. You need to specify to ISA Server whether to publish a single Web site or external load balancer (such as NLB), a server farm of load-balanced Web servers, or multiple individual Web sites.
On the Internal Publishing Details page, you specify the internal site name, whether ISA Server will use SSL to connect to this site (and encrypt the traffic over the demilitarized zone—DMZ), and whether the original host header will be forwarded to the site. This page also lets you specify a particular folder on the target Web server. Clicking Next displays a drop-down menu from which you can either select the Web listener for the server farm you want to publish or initiate the process of configuring a Web listener for a new server farm if you didn't follow the steps I mentioned earlier. When you select a server farm Web listener, you can configure how ISA Server will load-balance the incoming requests on the Specify Server Farm page, which Figure 3 shows. If you select Cookie-based Load Balancing, clients are issued a cookie that tells ISA Server 2006 which server within the farm should continue to handle that client's session. Source IP-based load balancing attempts to maintain session consistency according to the client's IP address.
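As an added illustration (my own code, not ISA Server's), the following Python models the two affinity modes described above; the cookie name, the round-robin fallback for a client whose member has dropped out, and the hash used for source-IP affinity are my assumptions, since the page does not describe ISA's internals.

```python
import hashlib

COOKIE = "ISAFarmMember"  # constructed cookie name; the page does not give ISA's real one

def pick_by_cookie(cookies, healthy, rr_state):
    """Cookie-based load balancing: if the request carries a cookie naming a member
    that is still healthy, stick to it (no new cookie); otherwise assign the next
    healthy member round-robin and return a cookie value for the client to keep."""
    wanted = cookies.get(COOKIE)
    if wanted in healthy:
        return wanted, None
    member = healthy[rr_state[0] % len(healthy)]
    rr_state[0] += 1
    return member, member

def pick_by_source_ip(client_ip, healthy):
    """Source IP-based load balancing: hash the client address over the healthy set,
    so one address keeps hitting one member while the set is stable.
    Caveat: every client behind a single NAT address lands on the same member."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return healthy[int.from_bytes(digest[:8], "big") % len(healthy)]

def simulate_cookie_sessions(client_ips, healthy_per_round):
    """One request per client per round; each client keeps the cookie it was issued.
    Returns per-round {ip: member}, which makes the failover visible when a member
    disappears from the healthy set between rounds."""
    jars = {ip: {} for ip in client_ips}   # constructed per-client cookie jars
    rr_state = [0]
    history = []
    for healthy in healthy_per_round:
        assigned = {}
        for ip in client_ips:
            member, new_cookie = pick_by_cookie(jars[ip], healthy, rr_state)
            if new_cookie:
                jars[ip][COOKIE] = new_cookie
            assigned[ip] = member
        history.append(assigned)
    return history
```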
The Public Name Details page will be familiar if you've published Web servers with ISA Server 2004. On this page, you specify the Fully Qualified Domain Name (FQDN) or IP address that external users will use to access the published site. On the subsequent page, you need to specify a Web listener. On the third page, you can select an authentication delegation method. The available methods are
- No delegation—allow end-to-end authentication
- No delegation—don't allow end-to-end authentication
- Basic authentication
- NTLM authentication
- Negotiate (Kerberos/NT LAN Manager—NTLM)
- Kerberos constrained delegation