On the surface, experienced ISA firewall admins might think there’s not much new in the new ISA firewall. But there’s a whole lot in there that doesn’t hit you in the eye at first. One of the big improvements included with the new ISA firewall are your authentication options.
Just check out this bevy of authentication goodies and you’ll run and not walk to your ISA firewall software provider for an upgrade:
- Single sign on (SSO), in which a user authenticates once with ISA Server and can access any number of servers that are behind ISA Server, without reauthenticating.
- Two-factor authentication using forms-based authentication and a client certificate.
- Forms-based authentication support for publishing any Web server.
- Customizable forms for forms-based authentication and forms for mobile clients, and use of per-user-agent authentication schemes.
- Fallback from forms-based authentication to Basic authentication, for non-browser clients.
- Delegation of credentials by using NTLM or Kerberos authentication.
- Kerberos constrained delegation.
- Credentials caching.
- Password management, in which ISA Server can check the status of the user’s account and report it to the user. This feature can also be configured to enable users to change their passwords.
- Secure Sockets Layer (SSL) client certificate constraints.
- Ability to assign a different digital certificate to each IP address on a network adapter.
- A new type of forms-based authentication: User name passcode/password, where the passcode is used for ISA Server authentication and the password is used for authentication delegation.
- Support for Active Directory® directory service authentication using the Lightweight Directory Access Protocol (LDAP), allowing Active Directory authentication when ISA Server is in a workgroup, or in a forest other than the one that contains the accounts of the user. ISA Server also supports multi-forest configurations, in which the user can be authenticated on a different set of LDAP servers.
- One-time password support for Remote Authentication Dial-In User Service (RADIUS). In ISA Server 2004, this support was provided for RSA SecurID only.
- Default blocking of authentication delegation.
For more information on the new ISA firewall’s authentication options, check out this great article from the Microsoft ISA firewall Learning Center: http://www.microsoft.com/technet/prodtechnol/isa/2006/authentication.mspx
Thomas W Shinder, M.D.
MVP — ISA Firewalls