In all of the conversations about remote access security last week, I completely forgot about one of the best security products Microsoft has in its stable — the Intelligent Application Gateway (or IAG). The IAG is an SSL VPN gateway that is based on the Whale SSL VPN solution that Microsoft purchased a couple of years ago. Microsoft took the Whale product and made some improvements before releasing it as the IAG.
As you might know, an SSL VPN means many things to many people. To a network purist, a true SSL VPN is a solution that provides network layer connectivity to a corporate network over the Internet, in the same way that PPTP or L2TP/IPsec connections do. An example of this would be the Microsoft SSTP protocol. To other people, however, an SSL VPN is a portal that gives users access to applications by clicking on an application link. These applications might be Web applications, or they might be client/server applications, such as Outlook MAPI or Outlook RPC/HTTP.
What got me thinking about the IAG was a question someone asked about how to enable client certificate authentication for the RPC/HTTP Outlook client. He was concerned that anyone with an Outlook 2003 or 2007 client would be able to try to connect over RPC/HTTP, so he wanted some kind of client certificate authentication solution to limit access to trusted machines.
Unfortunately, due to a limitation in the Outlook 2003/2007 client, there’s no way the client will support client certificate authentication. That is a real shame, because you want something a bit more secure than password-only authentication before allowing access to a key corporate resource like email. You might even think “come on! I can have User Certificate authentication with my little ActiveSync enabled phone. What’s up with Outlook?”
Good point. There’s no fix on the way for the Outlook problem, but you can solve it by using an IAG. The IAG does support client certificate authentication to identify trusted hosts. The user connects to the IAG first and authenticates with his User Certificate. Once authenticated, the Outlook client can then connect to the Exchange Server through the SSL tunnel. In fact, you don’t even need to use RPC/HTTP when connecting through the IAG, since the MAPI connections will move over the SSL tunnel created when the user connected to the IAG’s SSL VPN gateway! Now, that’s sweet 🙂
The IAG can do plenty more things. For a comprehensive review of SSL VPNs and the IAG, check out my article series on ISAserver.org at http://isaserver.org/tutorials/Microsoft-Intelligent-Application-Gateway-2007-Part1.html
For other information about the IAG, check out: http://www.microsoft.com/forefront/edgesecurity/iag/default.mspx
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP – Microsoft Firewalls (ISA)