Why Upgrade to ISA 2006 Firewalls?
Many people who currently use ISA 2000 or ISA 2004 will want to know why they should upgrade to ISA 2006 firewalls. While the upgrade from ISA Server 2000 to ISA 2004 was an easy one to sell because of the major improvements and changes made between those two versions, the changes in ISA 2006 versus ISA 2004 are more incremental and provide a much smoother transition than the upgrade from 2000 to 2004.
If you take only a superficial look at ISA 2006, the new features and capabilities compared to ISA 2004 are hard to see. The user interface is the same, the networking model is the same, nothing has changed in how the ISA firewall performs outbound access control, and there have been no changes to the core networking feature set.
The bulk of the improvements in the ISA 2006 firewall are focused on secure Web publishing. The other major difference between ISA 2006 and ISA 2004 is that ISA 2006 has a much more robust mechanism for handling worm flood attacks. Some ISA 2004 firewalls have suffered under worm and DNS flood attacks. ISA 2006 includes built-in mechanisms to prevent exhaustion of non-paged pool memory, so that even under heavy denial-of-service type worm or DNS flood attacks the ISA 2006 firewall will stay up where an ISA 2004 firewall might fall over and need to be rebooted.
When thinking about upgrading to the new ISA Firewall, consider the following:
- ISA 2006 worm and DNS flood protection will increase uptime and stability
- Significant enhancements have been made in increasing the security for remote access connections to Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS) and RPC/HTTP (Outlook Anywhere). You will be able to do things such as customize the log on form, enable password changes from the log on form, and be able to automatically inform users of how many days there are until a password change is required in the log on form
- Those of you publishing SharePoint Portal Servers may have experienced frustration and incomplete functionality when using ISA 2004. If you have SharePoint Portal Servers in place, you will get full functionality from your SPS deployments when publishing through an ISA 2006 firewall, as it was purpose-designed to provide secure remote access to SharePoint Portal Servers
- For all of you publishing Web sites, including Exchange and SharePoint Portal Server sites, you are now able to use forms-based authentication for any type of Web publishing scenario, and editing the log on form is now fully supported by Microsoft
- For any of you publishing secure sites requiring pre-authentication at the ISA firewall, be aware that there are additional authentication mechanisms available, including LDAP authentication and RADIUS One-time password. Both these authentication methods allow the ISA firewall publishing the Web sites to be removed from the Active Directory domain but still authenticate users belonging to the domain. RADIUS OTP provides those of you who don’t wish to use SecurID with another two-factor authentication option.
- Anyone interested in publishing a Web farm will benefit greatly by upgrading from ISA 2004 to ISA 2006. This is especially true for those of you who have front-end Exchange Servers and want to have two or more front-end Exchange Servers. The same is true for Client Access Servers. The ISA 2006 Web farm load balancing feature removes the requirement for you to make the FE/Client Access Server SecureNET clients when NLB was enabled on the FE Exchange Server array. In fact, ISA 2006 Web farm load balancing completely removes the requirement for NLB on the FE Exchange Server array or a third-party hardware load balancer.
While it might seem to you that there is a relatively small feature set on which to base an upgrade from 2004 to 2006, the improvements included with ISA Server 2006 make it worth upgrading for any company that publishes Web sites. This might appear at first to represent a relatively small percentage of the entire ISA firewall feature set, but from my experience with thousands of ISA Firewall admins, it appears that ISA Server’s largest deployment scenario is secure reverse Web proxy, and this is exactly the feature set that the ISA Firewall development team has focused upon.
What’s New and Improved in ISA Server 2006
Web Farm Load Balancing
ISA 2006 Web Farm Load Balancing enables the ISA firewall administrator to publish a farm of Web servers that host the same content or perform similar roles. The ISA firewall provides both load balancing and fail over and fail back for the published Web farm and does not require NLB to be enabled on the ISA firewall array or on the Web farm. You’ll benefit from this feature because you do not need to enable NLB on the Web farm (which would require that the farm members be SecureNET clients) and you don’t need to purchase an expensive external load balancer, such as F5.
Forms-based authentication support for all Web Publishing Rules
In ISA 2004, Forms-based authentication was supported only for Outlook Web Access Web Publishing Rules. ISA Server 2006 expands its forms-based authentication support by enabling forms-based authentication for all Web sites published using Web Publishing Rules.
Kerberos Constrained Delegation
In ISA 2004, User Certificate authentication could be performed by the ISA firewall, but the user’s credentials could not be forwarded to the published Web server. This generated multiple authentication prompts. In ISA Server 2006, a user can pre-authenticate with the ISA firewall and then that user’s credentials can be delegated as Kerberos credentials to the published Web servers, thus avoiding multiple authentication prompts and improving the end-user experience.
Enhanced Delegation of Authentication support
ISA 2004 supported only delegation of basic authentication. ISA Server 2006 enhances support for authentication delegation by enabling credentials to be delegated as Kerberos, Integrated, Negotiate or basic. This increases the flexibility of deployment for ISA firewalls, since many published Web servers do not support basic authentication. In addition, this increases security for Web Publishing scenarios where SSL-to-SSL bridging is not an option, because it prevents clear text basic credentials from being intercepted on the wire.
Separate name resolution from CONNECT name in Web Publishing Rules
In ISA 2004, the same name was used for name resolution and for the CONNECT name sent to the published Web server. This created a situation where the ISA firewall administrator had to create a split DNS, or enter a custom HOSTS file entry on the ISA firewall, so that the CONNECT name resolved to the IP address of the published server on the internal network. ISA Server 2006 solves this problem by allowing you to specify a name or IP address for resolution that is separate from the CONNECT name used by the Web Publishing Rule.
Improved Exchange Server Web Publishing Rule Wizard
The ISA Server 2006 Exchange Server Web Publishing Wizard includes a number of improvements that make publishing all versions of Exchange, from version 5.5 to 2007, easier than ever.
Integrated support for Password changes on log on form
In ISA 2004, there was little or no support for allowing users to change their passwords when using Forms-based authentication. ISA Server 2006 solves this problem by integrating the ability for a user to change his password right in the log on form. No special configuration tasks are required on the ISA firewall or the published OWA Server.
Integrated support for Password change notification on log on form
In ISA 2004, there was no integrated support for giving users information about pending password expiration dates. ISA 2006 solves this problem by giving the ISA firewall administrator the option to inform users of pending password expiration dates. You can customize the warning period by specifying the number of days in advance that you want users to be made aware of password expiration.
Improved Mail Server Publishing Wizard
In ISA 2004, a single Mail Server Publishing Wizard was used to publish both Exchange Web services and non-Web services. ISA Server 2006 breaks out Web from non-Web publishing tasks into two separate wizards, making it easier to publish non-Web protocols for your Exchange mail server.
SharePoint Portal Server Publishing Wizard
It was possible to publish SharePoint Portal Servers using ISA 2004, but the process was potentially complex and not all features were available from the Internet because of problems with link translation. ISA Server 2006 solves this problem with enhanced support for SharePoint Portal Server publishing and an updated link translation dictionary that takes all the complexity out of successfully publishing a SharePoint Portal Server deployment.
Single Sign-On
One of the most requested features that didn’t make its way into ISA 2004 was single sign-on. In ISA 2004, users had to reauthenticate even if they were connecting to a Web server in the same domain as the original Web server. ISA Server 2006 solves this problem by enabling single sign-on on a per-listener/per-domain basis. If multiple Web sites belong to the same domain and are published by the same Web listener, then users will not be required to reauthenticate and cached credentials are used.
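As an added illustration of the per-listener/per-domain rule (this is example code written for this article, not ISA Server’s own implementation), the model below issues a signed credential cookie scoped to the listener’s domain after a forms-based logon and then decides, for a request to a second published site, whether the cached credential may be reused or the user must be prompted again. The listener secret, cookie lifetime and host names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed listener secret; a real deployment would use a per-listener random key.
LISTENER_SECRET = b"constructed-listener-secret"
COOKIE_LIFETIME_S = 8 * 3600   # assumed cookie lifetime for the example


def issue_cookie(user: str, listener_domain: str, issued_at: int) -> dict:
    """Create the auth cookie after forms-based logon, scoped to the listener's
    domain so every site published under it receives the same cookie."""
    payload = f"{user}|{listener_domain}|{issued_at}"
    sig = hmac.new(LISTENER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {
        "name": "auth",
        "value": f"{payload}|{sig}",
        "attributes": {"Domain": listener_domain, "Path": "/", "Secure": True, "HttpOnly": True},
    }


def _host_in_domain(host: str, domain: str) -> bool:
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def can_reuse(cookie_value: str, request_host: str, listener_domain: str, now: int) -> bool:
    """Decide whether a request to another site on the same listener can be
    served from the cached credential instead of prompting the user again."""
    try:
        user, domain, issued_at, sig = cookie_value.split("|")
    except ValueError:
        return False                                  # malformed cookie
    payload = f"{user}|{domain}|{issued_at}"
    expected = hmac.new(LISTENER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False                                  # forged or tampered cookie
    if domain.lower() != listener_domain.lower():
        return False                                  # cookie issued by a different listener
    if not _host_in_domain(request_host, listener_domain):
        return False                                  # site outside the SSO domain
    return now - int(issued_at) <= COOKIE_LIFETIME_S  # still within its lifetime
```

The domain check is what makes SSO safe to enable: a cookie issued for `example.com` is honoured for `mail.example.com` and `portal.example.com`, but a site in any other domain, even one published by the same firewall, never sees a valid credential.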
Support for wildcard certificates on the published Web Server
ISA 2004 supported wildcard certificates on its Web listener, but did not support wildcard certificates on the published Web server located behind the ISA firewall. ISA Server 2006 improves on wildcard certificate support by allowing the ISA firewall administrator to use a wildcard certificate on the published Web server.
Advanced Client Certificate Restrictions and Configurable Certificate Trust List
A completely new feature included with ISA Server 2006 is Client Certificate Restrictions and configurable Certificate Trust List.
The Client Certificate Restrictions feature allows you to set restrictions on the certificates users can provide when User Certificate authentication is enabled. Restrictions can be defined based on:
In addition, you can set restrictions on the OID (object ID) presented by the User Certificate.
The Configurable Trust List option enables you to set specific trusted CAs on a per-Web Listener basis. This list of trusted CAs is separate and distinct from the ISA firewall machine’s list of Trusted CAs. This enables the ISA firewall administrator to limit the User Certificates that can be used to authenticate with the ISA firewall to those issued only by a specific set of CAs, such as the company’s private CAs. This allows you to implement User Certificate Authentication as a method to limit access to corporate managed machines and devices, such as PDAs and PDA-enabled phones.
Fall back to basic authentication for non-Web browser clients
One of the major problems ISA firewall administrators had with ISA 2004 was that they needed to create two listeners, requiring two different certificates, to publish both RPC/HTTP and OWA sites when forms-based authentication was enabled on the OWA Web listener. ISA Server 2006 solves this problem by detecting the user-agent string in the client request and falling back to basic authentication when the client is not a Web browser. This allows you to publish OWA with forms-based authentication enabled and RPC/HTTP using the same Web listener. The end result is that if you have only a single external IP address, both OWA with FBA and RPC/HTTP can be published using that single IP address, something not possible with ISA 2004.
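The following is an added model of the fallback decision described above, written for this article and not taken from ISA Server: the listener inspects the User-Agent of an unauthenticated request, redirects browsers to the logon form and answers non-browser clients with a Basic challenge. The sample requests, the logon form path and the browser heuristic are constructed assumptions.

```python
from urllib.parse import quote

# Hypothetical location of the logon form on the listener (not an ISA path).
LOGON_FORM = "/logon.htm"

# Constructed sample requests as different client types would send them.
SAMPLE_REQUESTS = [
    {"path": "/owa/", "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"path": "/rpc/rpcproxy.dll", "User-Agent": "MSRPC"},
    {"path": "/Microsoft-Server-ActiveSync", "User-Agent": "MSFT-PPC/4.2"},
    {"path": "/owa/", "User-Agent": ""},
]


def is_browser(user_agent: str) -> bool:
    """Interactive browsers identify themselves with a leading 'Mozilla/' token;
    Outlook's RPC/HTTP client and ActiveSync devices do not."""
    return user_agent.startswith("Mozilla/")


def challenge(request: dict, listener_is_https: bool = True) -> dict:
    """Build the authentication challenge the listener sends to an unauthenticated request."""
    user_agent = request.get("User-Agent", "")
    if is_browser(user_agent):
        # Browser: redirect to the logon form, remembering the originally requested URL.
        location = f"{LOGON_FORM}?url={quote(request['path'], safe='')}"
        return {"status": 302, "headers": {"Location": location}, "scheme": "forms"}
    # Non-browser (or no User-Agent at all): fall back to Basic. Basic carries the
    # password base64-encoded, so the fallback only makes sense on an SSL listener.
    if not listener_is_https:
        raise ValueError("Basic fallback on a plain HTTP listener would expose credentials")
    return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="published-site"'}, "scheme": "basic"}


def schemes_for(requests=SAMPLE_REQUESTS):
    """Map each sample request's User-Agent to the scheme the listener would use."""
    return [(r["User-Agent"], challenge(r)["scheme"]) for r in requests]
```

Because the same listener now answers both with a form and with a Basic challenge, the Web proxy log is the place to watch: a run of 401 responses to one source against the RPC/HTTP path is the signature you would expect from password guessing against the Basic fallback, and it looks different from browser users failing the form.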
Enhanced Link Translation Dictionary
Link translation dictionaries are used to change the contents of pages returned to external users. This is helpful when Web applications embed private computer names in responses sent to external clients, since external clients are not able to connect to servers using their internal names. ISA Server 2006 includes an enhanced link translation dictionary that automatically populates itself based on settings in your Web Publishing Rules. This allows the ISA firewall administrator to provide a seamless experience for external users who need to access multiple sites published by the ISA firewall. For example, this feature allows OWA users to receive links to SharePoint Portal Server content in their OWA e-mail and open those links automatically, without complex reconfiguration on the OWA and SharePoint Portal Servers or even on the ISA firewall itself.
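To make the auto-populated dictionary concrete, here is an added example (written for this article, not ISA Server code) that derives the dictionary from a set of publishing rules and rewrites internal server names in a response body. The rules, host names and the OWA message body are constructed; the example only maps host names and does not rewrite the URL scheme.

```python
import re

# Constructed Web Publishing Rules: the public name users type versus the
# internal name the Web application embeds in its pages. Not real hosts.
PUBLISHING_RULES = [
    {"public_name": "mail.example.com", "internal_name": "exch01.corp.local"},
    {"public_name": "portal.example.com", "internal_name": "sps01.corp.local"},
]


def build_dictionary(rules):
    """Populate the link translation dictionary from the rules: each internal
    FQDN, and its short host name, maps to the public name of the same rule."""
    mapping = {}
    for rule in rules:
        mapping[rule["internal_name"]] = rule["public_name"]
        mapping.setdefault(rule["internal_name"].split(".")[0], rule["public_name"])
    return mapping


def translate(body: str, dictionary: dict) -> str:
    """Rewrite internal names in a response body. Longer names are tried first so
    'sps01.corp.local' is replaced whole rather than as 'sps01' plus '.corp.local',
    and the look-arounds keep names such as 'mysps01' or 'sps01x' untouched."""
    names = sorted(dictionary, key=len, reverse=True)
    pattern = re.compile(r"(?<![\w.-])(" + "|".join(map(re.escape, names)) + r")(?![\w-])")
    return pattern.sub(lambda m: dictionary[m.group(1)], body)


# Constructed OWA message body containing links as SharePoint generates them internally.
SAMPLE_BODY = (
    'Policy update: <a href="http://sps01.corp.local/sites/hr/policy.aspx">read</a> '
    "or open http://sps01/sites/hr directly. Internal calendar: http://exch01.corp.local/exchange/"
)


def translate_sample() -> str:
    return translate(SAMPLE_BODY, build_dictionary(PUBLISHING_RULES))
```

Populating the dictionary from the rules rather than by hand is also what keeps the internal naming out of the responses: a rule added later brings its own entry, so no internal host name leaks to external clients because an administrator forgot to add it.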
Cross array link translation
Cross array link translation allows you to publish Web sites across multiple arrays and have the link translation dictionary available for all arrays in the same ISA Enterprise Edition enterprise group. This greatly simplifies large deployments by automatically populating the link translation list and avoiding the requirement for manual reconfiguration.
Improved CARP Support in ISA 2006 Enterprise Edition
Changes were made to the CARP algorithm with the release of ISA 2004 SP2. These changes have been carried over to ISA Server 2006 so that instead of requiring CARP exceptions to URLs you don’t want to be load balanced, you now create CARP exceptions for URLs that you do want load balanced.
This change was made within the context of another change included with ISA 2004 SP2: instead of using the URL to predetermine which array member handles a request, the FQDN is now used. This prevents problems with session handling for connections that might otherwise be spread across multiple array members for specific URLs contained within the same page or session.
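The following added example (written for this article; ISA’s actual CARP hash is not reproduced) models the routing behaviour just described: requests are assigned to an array member by hashing the FQDN, so a whole session stays on one member, while hosts on the exception list are hashed by full URL and spread across the array. The member names, exception list and URLs are constructed, and a rendezvous-style hash stands in for the CARP algorithm; it shares the property the text relies on, that losing a member moves only the keys that member owned.

```python
import hashlib
from urllib.parse import urlsplit

ARRAY_MEMBERS = ["isa1", "isa2", "isa3"]          # constructed array member names
# Constructed exception list: hosts whose requests we DO want spread across members.
LOAD_BALANCED_HOSTS = {"updates.example.com"}


def _score(key: str, member: str) -> int:
    """Deterministic per-member score for a key; the highest score owns the key."""
    digest = hashlib.sha256(f"{key}|{member}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def owner(key: str, members) -> str:
    """Rendezvous-style choice standing in for the CARP hash: every member scores
    the key and the best score wins. If a member drops out, only the keys it owned
    move to another member; nothing else is reshuffled."""
    return max(members, key=lambda m: _score(key, m))


def select_member(url: str, members=ARRAY_MEMBERS, exceptions=LOAD_BALANCED_HOSTS) -> str:
    """Route by FQDN (the SP2 behaviour: one host, one member, so a session's pages
    and images stay together) unless the host is an exception, in which case the
    full URL is hashed and requests are spread across the array."""
    host = (urlsplit(url).hostname or "").lower()
    key = url if host in exceptions else host
    return owner(key, members)


# Constructed request sample: one mail session plus a burst of update downloads.
SESSION_URLS = [f"https://mail.example.com/owa/{p}" for p in ("", "inbox", "img/logo.gif", "calendar")]
UPDATE_URLS = [f"http://updates.example.com/pkg{i}.cab" for i in range(40)]


def routing_summary() -> dict:
    return {
        "session_members": {select_member(u) for u in SESSION_URLS},
        "update_members": {select_member(u) for u in UPDATE_URLS},
    }
```

Running `routing_summary()` shows the two regimes side by side: every URL of the mail session lands on a single member, while the forty update downloads are distributed over the array.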
BITS Caching for Microsoft Update Sites
BITS caching for Microsoft Updates was introduced with ISA 2004 SP2. This feature has been carried over and included with ISA Server 2006. BITS caching for Microsoft updates greatly improves bandwidth utilization over site to site or WAN links, making more bandwidth available to branch offices that would otherwise be overwhelmed with update traffic from servers located at the main office or the Internet. Main office servers also benefit from bandwidth optimization provided by BITS update caching.
HTTP Compression support
Support for HTTP Compression was introduced in ISA 2004 SP2 and carried over to ISA Server 2006. HTTP compression allows the ISA firewall administrator to control which clients can request HTTP compression and which servers can return compressed responses. HTTP compression is very useful in a branch office scenario where bandwidth to the main office is at a premium.
Diffserv QoS Support for HTTP communications
Diffserv QoS support was introduced with ISA 2004 SP2 and carried over to ISA Server 2006. Diffserv is a method that can be used on Diffserv-enabled networks to give preference to certain packets over others. The ISA firewall administrator can use Diffserv to prioritize packets destined for certain servers over those of non-priority servers.
Add multiple VIPs within the ISA Server management console
ISA 2004 supported multiple VIP IP addresses. However, in order to add more than one VIP, the ISA firewall administrator had to drop out of the ISA management console and enter these IP addresses in the TCP/IP configuration of the NIC. ISA Server 2006 improves this situation by allowing the administrator to enter additional VIPs in the ISA management console.
Branch office Connectivity Wizard
With ISA 2004, deploying branch office ISA firewalls was potentially complex, sometimes requiring a site to site VPN connection to be configured and then trying to join the branch office ISA firewall to the domain after the site to site VPN tunnel was established. ISA Server 2006 takes the complexity out of branch office deployment by introducing a branch office deployment wizard that enables the ISA firewall administrator to create a simple answer file, which allows a non-technical user to plug in a branch office ISA firewall device and run the answer file from a simple link.
Ability to assign multiple certificates to a single Web listener
ISA 2004 allowed the ISA firewall administrator to bind only a single certificate to a Web listener. This was problematic when you wanted to use the same Web listener to publish multiple secure Web sites. ISA Server 2006 solves this problem by allowing you to bind multiple certificates to the same Web listener and assign that Web listener to multiple Web Publishing Rules, enabling single sign-on and an improved end-user experience.
Support for customized forms for Forms-based authentication
ISA 2004 supported forms-based authentication only for publishing OWA sites and customizing the form was not supported. With ISA Server 2006, you can now use forms-based authentication to publish any site and forms customization is supported.
LDAP authentication for Web Publishing Rules
With ISA 2004, if the ISA firewall machine was not a member of the domain, the only viable method of pre-authenticating users at the ISA firewall was to use RADIUS authentication for Web Publishing Rules. RADIUS is limited because it does not allow the administrator to leverage Active Directory groups. With ISA Server 2006, you can use LDAP authentication for ISA firewalls that are not domain members and take advantage of Active Directory groups. In addition, the ISA 2006 firewall can be configured to use multiple LDAP servers, and rules can be configured to look at the authentication string and forward the authentication request to the appropriate LDAP server (Active Directory domain controller).
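As an added example of the routing step (example code for this article; not ISA’s implementation, and the server sets are placeholders), the model below parses the authentication string in its `DOMAIN\user`, `user@domain` and bare `user` forms, selects the LDAP server set for that domain, and builds the search filter. Because the user name comes straight from the logon form, the example escapes it per RFC 4515 before placing it in the filter, which is the detail a firewall doing LDAP lookups on behalf of anonymous Internet users cannot skip.

```python
# Constructed LDAP server sets, keyed by the domain part of what the user types.
# Host names are placeholders, not real servers.
LDAP_SERVER_SETS = {
    "corp": ["dc1.corp.local", "dc2.corp.local"],
    "corp.example.com": ["dc1.corp.local", "dc2.corp.local"],
    "partner": ["dc1.partner.local"],
}
DEFAULT_DOMAIN = "corp"   # assumed when the login string carries no domain

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters so user input cannot alter the filter's logic."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_login(login: str):
    """Split 'DOMAIN\\user', 'user@domain' or bare 'user' into (domain, user)."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
    else:
        domain, user = DEFAULT_DOMAIN, login
    return domain.lower(), user


def route(login: str):
    """Pick the LDAP server set for the login string and build a safe search filter."""
    domain, user = parse_login(login)
    servers = LDAP_SERVER_SETS.get(domain)
    if servers is None:
        raise LookupError(f"no LDAP server set configured for domain {domain!r}")
    search_filter = f"(&(objectClass=user)(sAMAccountName={ldap_escape(user)}))"
    return servers, search_filter
```

An unknown domain raises rather than silently falling through to the default set, so a typo in the domain part fails closed instead of being authenticated against a directory it was never meant for.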
RADIUS One-Time Passwords (OTP) for Web Publishing Rules
Another authentication option now available to non-domain member ISA firewalls for Web Publishing Rules is RADIUS One-Time Passwords (OTP). RADIUS OTP allows users to authenticate using a password that is valid for a single attempt and cannot be reused.
Improved cookie management
ISA 2004 did not provide an administrator-accessible method for managing cookies on client machines connecting to published Web resources. With ISA Server 2006, the administrator is given several options for controlling how cookies are validated and for configuring credentials caching.
Enhanced Flood Mitigation Settings
ISA 2004 included a basic flood mitigation feature that helped protect the networks the ISA firewall was connected to, in addition to the ISA firewall machine itself. ISA Server 2006 builds on the ISA 2004 flood protection mechanism to help protect against more types of flood attacks.
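To show the kind of mechanism flood mitigation rests on, and why the worm and DNS flood scenario from the opening section stops at the firewall instead of exhausting it, here is an added example written for this article (not ISA Server code): a sliding-window limit on connection requests per source IP, with an exception list for sources such as a downstream proxy that legitimately open many connections. The limit, window and event stream are constructed and are not ISA’s default values.

```python
from collections import defaultdict, deque


class FloodMonitor:
    """Sliding-window connection counter per source IP. Sources on the exception
    list (a downstream proxy or NAT device that fans out many connections) are
    never limited. Limits here are constructed for the example, not ISA defaults."""

    def __init__(self, limit: int, window_s: float, exceptions=frozenset()):
        self.limit = limit
        self.window_s = window_s
        self.exceptions = frozenset(exceptions)
        self.accepted = defaultdict(deque)   # src -> timestamps of accepted connects
        self.first_alert = {}                # src -> time the limit was first exceeded

    def exceeds(self, ts: float, src: str) -> bool:
        """Return True if this connect request should be refused (limit hit in window)."""
        if src in self.exceptions:
            return False
        window = self.accepted[src]
        while window and window[0] <= ts - self.window_s:
            window.popleft()                 # forget connects older than the window
        if len(window) >= self.limit:
            self.first_alert.setdefault(src, ts)
            return True                      # refused: it consumes no further state
        window.append(ts)
        return False

    def run(self, events):
        """Replay (timestamp, src) events in time order; return refused count per source."""
        refused = defaultdict(int)
        for ts, src in sorted(events):
            if self.exceeds(ts, src):
                refused[src] += 1
        return dict(refused)


# Constructed event stream: a worm-infected host opening 600 connections in 6 s,
# a normal workstation, and an exempt downstream proxy producing the same burst.
EVENTS = (
    [(i / 100, "10.0.0.5") for i in range(600)]
    + [(float(i), "10.0.0.9") for i in range(20)]
    + [(i / 100, "192.168.1.10") for i in range(600)]
)


def demo():
    monitor = FloodMonitor(limit=100, window_s=60, exceptions={"192.168.1.10"})
    return monitor.run(EVENTS), dict(monitor.first_alert)
```

The point of refusing, rather than queueing, excess requests is that a refused request holds no state: the memory bounded per source is what keeps the non-paged pool from being exhausted under a flood. The `first_alert` record is the value you would raise an alert on, since the time a source first crossed the limit is what an incident timeline needs.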
Customer Experience Program
The customer experience program provides a mechanism where Microsoft can obtain information about how ISA Server is deployed and used in production environments. No personally identifiable information is sent to Microsoft, and this information is used to help Microsoft understand how to improve the product in service packs and future releases. The Customer Experience Program was first introduced with ISA 2004 SP2.
Support for Published Configuration Storage Servers
ISA Server 2006 enables the administrator to connect to Configuration Storage Servers at the main office even when the site to site VPN connection between branch and main offices becomes unavailable. You can publish the main office Configuration Storage Server and configure the branch office ISA firewall to connect to the published Configuration Storage Server over the Internet in the event that the site to site VPN connection becomes unavailable.
Enhanced support for SSL Accelerators in NLB Scenarios
When an NLB array of ISA firewalls publishes secure SSL Web sites, the same Web site certificate must be installed on all the array members accepting incoming connections for the published Web site. This can be problematic when SSL accelerator cards are used and require that different certificates be bound to each SSL card in the NLB array. ISA Server 2006 supports binding different certificates to each card in the array to better support SSL accelerator cards.
Support for outbound SSL Bridging (add-on required)
Although not a feature in the base product, ISA firewall administrators can significantly increase network security by using an ISA Server add-on product named ClearTunnel (www.collectivesoftware.com). ClearTunnel enables the ISA firewall to perform application layer inspection on outbound SSL connections and prevents potential exploits from being downloaded from the Internet through an encrypted SSL tunnel. Outbound SSL connections represent a major security threat to corporate networks today, so the ability to inspect outbound SSL communications is a great enhancement to the network security that ISA Server can provide.
Updated MOM Management Pack
ISA Server 2006 includes an updated MOM pack.
ISA Server 2006 builds on the configuration and security alerts included with ISA 2004 and adds a number of new alerts that help inform the ISA administrator of configuration issues, certificate issues, security issues, and threat triggers. The new alerts included with ISA Server 2006 will make it easier than ever to troubleshoot ISA firewall related problems.
Site to Site VPN Wizard and Unattended Answer File support
ISA Server 2000 included a comprehensive site to site VPN wizard that took the complexity out of configuring a site to site VPN connection. This feature was removed from ISA 2004. In ISA Server 2006, the site to site VPN wizard returns and makes creating site to site VPN connections easier than ever. In addition to simplifying the creation of a site to site VPN, the new ISA 2006 site to site VPN wizard allows the main office ISA firewall administrator to create a simple answer file that a non-technical user at a branch office can use to automatically connect the branch office ISA firewall to the main office corporate network.
Logging supports Referring Server
A common complaint among ISA firewall administrators was the inability to log the referring server for connections made to servers published using Web Publishing Rules. ISA Server 2006 solves this problem by adding the ability to log the referring server in the ISA firewall’s Web proxy log files.
In this article we spent some time going over reasons to upgrade to the new ISA Firewall. While at first blush it appears that there aren’t too many differences between the 2004 and 2006 ISA Firewalls, you’ll find that if you look under the hood there are quite a few improvements in the 2006 ISA Firewall. This is especially true if you do a lot of Web Publishing or have problems with flood conditions on your network. Even if you don’t find yourself fitting into either of these two categories, a review of the list of new and improved features should convince you that upgrading to the new ISA Firewall might be a smart thing to do.