What is the ISA 2006 Firewall's Branch Office Story?
One of the core deployment scenarios aimed for the new ISA firewall is as a branch office security gateway (more commonly known as a branch office firewall). If you look at the branch office gateway page on the Microsoft.com site at http://www.microsoft.com/isaserver/2006/bog.mspx you'll see a number of technologies that can be of benefit in a branch office deployment. These technologies include:
This feature enables the branch office ISA firewall to cache content obtain using the BITS and is aimed at reducing the amount of traffic generated by MS updates being transferred between the main and branch offices. In order to get this to actually work in the way to provide you the most benefit, you should deploy a Web proxy chaining relationship between the main and branch office ISA firewalls.
Branch office VPN wizard
ISA 2000 had a branch office site to site VPN wizard. That wizard disappeared in ISA 2004, but now it's back with ISA 2006. The BO VPN wizard makes it a lot easier to create a site to site VPN connection between main and branch offices by generating answer files that setup the site to site VPN at the branch office.
Automated branch office ISA firewall deployment tools
The appcfgwzd.exe application can be run at the branch office using the answer file created at the main office to setup the branch office ISA firewall. This wizard even has an option to make the branch office ISA firewall a domain member, which was a tricky thing to do before we had this wizard.
Optimized CSS replication mechanisms
We don't have a lot of details on this one, but it looks like the replication traffic between CSSs has been reduced. This is a good thing, as most ISA firewall admins like to place a copy of the CSS at the branch office so that in the event that the site to site VPN goes down, or any other type of link that connects the branch office to the main office goes down, then the branch office admin will still be able to access the CSS for ISA firewall configuration and management.
Secure Remote Management
Unlike ISA Server Standard Edition where you need to connect to the ISA firewall itself to manage it, you never need to connect to members of ISA Enterprise Edition firewall arrays for Firewall and Web proxy and caching configuration and management. All configuration is done on the CSS and the CSSs use secure links to the ISA firewall array members to update the firewall array members' firewall policy settings. This enables you to sit at your desk at the main office and manage thousands of ISA EE firewall located all over the world, since policy is automatically push to the branch office arrays.
The ISA 2006 firewall network security model makes sure that security breaches at the branch offices to not spread to the main office or other branch offices. Remember, unlike common "hardware" firewalls, the ISA firewall doesn't implicitly trust any network. There is no concept of "trusted" network with the ISA firewall because today you can't trust any network. The ISA firewall applies stateful packet and application layer inspection on all connections made to and through the ISA firewall. This enables the ISA firewall to not only stop dangerous traffic from branch offices from getting the to main office and other branch offices, but also enables you to log all the traffic, complete with the user name and the application that the user used to make the connection.
HTTP compression reduces the amount of bandwidth used on the branch office link to the main office because less data needs to be transferred over the link. In order to make this actually work, you need to create a Web proxy chaining relationship between the main and branch offices. The reason for this is that you don't want to enable HTTP compression on the IIS servers because of a potential DoS condition. For a detailed explanation on this, check out the ISA 2004 SP2 White paper at http://www.microsoft.com/technet/prodtechnol/isa/2...
DiffServ is useful if you have a Diffserv enabled routing infrastructure where you have established Diffserv service groups. DiffServ provides a method of packet prioritization and the ISA 2006 implementation of Diffserv packet marketing works with HTTP/S only. This has the potential to improve performance and the end user experience for accessing main office data contain on mission critical servers by providing preferential access to those servers.
Web caching, including distributed and hierarchical caching
Web proxy chaining represents a hierarchical caching infrastructure while multi-server ISA CARP arrays is an example of a distributed caching architecture. Branch office deployments can benefit from both these types of Web caching approaches to reduce bandwidth usage over both the branch office link to the main office and Internet bandwidth usage on the primary main office Internet link.
This is a great list of features! The problem I've found at this point is that there's not much information on the Microsoft site on how to bring all these technologies together to fully realize the ISA firewall's advantage as a branch office firewall. With ISA 2004, there was a killer branch office deployment kit that walked you through a large number of branch office deployment scenarios, which you can find at http://www.microsoft.com/technet/prodtechnol/isa/2... However, there is no similar documentation for ISA 2006
Let me know if you think such a project would be worthwhile and if MS doesn't do it, I'll work on it for the ISAserver.org Web site.
Thomas W Shinder, M.D.
MVP — ISA Firewalls