ISA Server 2006 Overview
ISA Server 2006 is the next step in Microsoft’s Security Strategy. ISA Server 2006 is the successor of ISA Server 2004. ISA Server 2006 RTM is expected to be released at the end of June 2006.
ISA Server 2006 contains all the features of ISA Server 2004 with SP2 except for the Message Screener. The Message Screener from ISA Server 2004 is no longer available in ISA Server 2006.
The SMTP Filter is still in ISA Server 2006.
If you want to try ISA Server 2006 Beta 1, you should download ISA Server 2006 Beta from the Microsoft Website. It is possible to download the English Standard and Enterprise Version of ISA Server 2006.
Figure 1: Download and install ISA Server 2006
After a successful installation of ISA Server 2006, you will see a new Customer Feedback option in the ISA MMC and in the properties of the ISA Server object in the ISA MMC. This Customer Feedback option is not new to ISA Server 2006; it was first seen in ISA Server 2004 SP2.
Figure 2: Customer Feedback in ISA Server 2006
If you do not want to participate in this Customer Experience Improvement Program click No, I don’t wish to participate.
New in Publishing
There are some enhancements to Web server publishing rules in ISA Server 2006. One of the interesting things in ISA Server 2006 is that it is now possible to publish SharePoint sites with an ISA Server 2006 wizard. In the past you had to create a publishing rule for SPS manually, and you had to read the SPS Publishing Whitepaper on the Microsoft Website.
Figure 3: Sharepoint Portal Server Publishing
It is now also possible to publish specific Exchange mail server versions. The Publishing Wizards cover Exchange versions from Exchange 5.5 to Exchange V12.
Figure 4: Exchange version specific Publishing
ISA Server 2006 now also supports the publishing of load balanced Web servers. Load balanced Web servers are grouped in a unit called a Farm to provide continuous access and performance improvements.
Figure 5: Publishing Load Balanced Web servers
The new Publishing Wizard provides better Support for Certificate Integration to provide SSL Bridging features and Client SSL Authentication. I will tell you more about this enhancement later.
Figure 6: Client Connection Security
The new Web listener Definition Wizard that listens for incoming Web requests has a new Icon (a “World ball”) and it is possible to select if ISA Server should compress the content through this defined Web Listener. The Compression feature first came with ISA Server 2004 SP2.
Figure 7: Web listener Publishing Wizard
The new Web Listener Definition Wizard allows you to select a single certificate for the specified Web listener.
Figure 8: Certificate Selection
It is possible to assign a certificate for each IP address bound to the Adapter that the listener will use.
It is not possible to assign more than one certificate to a single IP Address. For more Information on this read the following statement from the ISA Server Product Team.
There is a new Certificate selection and verification console where it is possible to select certificates. You can see the Validity of the Certificates and the Issuing CA and the friendly name. Invalid certificates will be highlighted in red.
Figure 9: Certificate verification
One of the biggest changes in ISA Server 2006 is the built-in Support for different Authentication schemes.
Depending on the type of listener, you have the choice of the following Authentication Methods:
- HTML Client Certificate Authentication
- HTTP Authentication
- HTML Form Based Authentication
ISA Server can validate the credentials against:
- Active Directory
- Active Directory via LDAP (new in ISA Server 2006)
- RADIUS (OTP)
- RSA SecurID
Figure 10: Authentication settings
ISA Server 2006 can now work with Kerberos constrained Delegation if ISA Server is a domain member.
Figure 11: Authentication Delegation
ISA Server 2006 now allows Single Sign On (SSO) for an ISA Web listener.
Figure 12: SSO Settings
Customizable Forms Based Authentication
With ISA Server 2006 it is now possible to create a customized HTML form instead of the default. With this feature you can customize the form to fulfil your Corporate Identity requirements.
Figure 13: Customized Forms
In an upcoming Beta version of ISA Server 2006 it should be possible to provide an integrated password change feature for OWA users. Currently you must activate this feature manually on the Exchange side, and there is no easy way to activate the password change feature in the FBA process on the ISA side.
The Link Translation feature in ISA Server 2006 has completely changed. The Link Translation feature supports additional Character Sets and is automatically activated when you create a Web server Publishing rule.
Figure 14: Link Translation
ISA Server 2004 came with support for RADIUS in Web server publishing rules and for VPN, so that ISA Server does not have to be a member of the Active Directory domain.
Implementing RADIUS authentication has some pros and cons, so Microsoft now supports native LDAP authentication in ISA Server 2006 in the form of an LDAP Authentication Web filter.
Figure 15: LDAP Authentication Webfilter
You can specify the Active Directory Servers to use and you can choose to use a Global Catalog Server. If you want to secure the communication with the Active Directory Server you can use LDAPS (Secure LDAP).
Figure 16: Specify LDAP Server
VPN changes in ISA Server 2006
ISA Server 2006 supports the following VPN protocols:
- L2TP over IPSEC
- Pure IPSEC
There are no significant changes in ISA Server 2006 VPN support in Beta 1. An interesting change in ISA Server 2006 VPN support is the ISA Server Branch Office Connectivity Wizard.
Some of you may have used the VPN Site to Site Wizard in ISA Server 2000, where it was possible to create the required VPN connection and, after creation, save the configuration to a floppy disk. With this floppy disk it was possible to finish the VPN setup at the other site, where the counterpart ISA Server resides.
With ISA Server 2006 this Wizard lives again.
Figure 17: ISA Server Branch Office Connectivity Wizard
The VPN Branch Office Wizard helps you to create a VPN connection between a branch office and headquarters. After completing the wizard, all information can be written to disk or other removable media and transferred to the branch office. At that site you finish the VPN implementation by inserting the media, starting the VPN wizard and specifying the import file.
In Beta 1 this feature is only available for ISA Server Enterprise Edition and requires manually starting AppCfgwzd.exe, located in the ISA files.
ISA Server 2004's capability to limit DoS and worm attacks and to fight against flooding is very limited. With ISA Server 2006 Microsoft has implemented a new feature called Flood Mitigation.
With the help of Flood Mitigation it is possible to limit the number of concurrent TCP and UDP sessions per IP address, the number of HTTP requests per minute per IP address, the number of TCP connection requests per minute per IP address, and many more.
To get the best out of the new Flood Mitigation feature you must carefully monitor your network to distinguish flood attacks and worms from the normal, legitimate activity of the applications in your network.
Figure 18: Flood Mitigation feature
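The monitoring advice above, as an added example that is not part of the original article or of ISA Server: this Python script measures each source IP's peak HTTP requests per minute and peak concurrent TCP sessions from traffic records, then lists the hosts a candidate limit would hit. The record format, the sample data and the limit values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (simplified; not ISA Server's own log format):
# ISO timestamp, source IP, event (HTTP_REQ | TCP_OPEN | TCP_CLOSE)
SAMPLE_LOG = """\
2006-06-01T09:00:01 10.0.0.5 TCP_OPEN
2006-06-01T09:00:02 10.0.0.5 HTTP_REQ
2006-06-01T09:00:10 10.0.0.9 TCP_OPEN
2006-06-01T09:00:11 10.0.0.9 TCP_OPEN
2006-06-01T09:00:12 10.0.0.9 TCP_OPEN
2006-06-01T09:00:13 10.0.0.9 HTTP_REQ
2006-06-01T09:00:14 10.0.0.9 HTTP_REQ
2006-06-01T09:00:15 10.0.0.9 HTTP_REQ
2006-06-01T09:00:16 10.0.0.9 HTTP_REQ
2006-06-01T09:00:30 10.0.0.5 HTTP_REQ
2006-06-01T09:00:40 10.0.0.5 TCP_CLOSE
2006-06-01T09:00:50 10.0.0.9 TCP_CLOSE
2006-06-01T09:01:05 10.0.0.5 TCP_OPEN
2006-06-01T09:01:06 10.0.0.5 HTTP_REQ
"""

def baseline(log_text):
    """Return {ip: {"http_per_min": peak, "tcp_concurrent": peak}}."""
    rows = [line.split() for line in log_text.splitlines() if line.strip()]
    rows.sort(key=lambda r: r[0])  # ISO timestamps sort chronologically
    per_minute = defaultdict(int)  # (ip, minute) -> HTTP requests in that minute
    open_now = defaultdict(int)    # ip -> TCP sessions currently open
    peaks = defaultdict(lambda: {"http_per_min": 0, "tcp_concurrent": 0})
    for stamp, ip, event in rows:
        if event == "HTTP_REQ":
            key = (ip, stamp[:16])  # fixed one-minute bucket: YYYY-MM-DDTHH:MM
            per_minute[key] += 1
            peaks[ip]["http_per_min"] = max(peaks[ip]["http_per_min"], per_minute[key])
        elif event == "TCP_OPEN":
            open_now[ip] += 1
            peaks[ip]["tcp_concurrent"] = max(peaks[ip]["tcp_concurrent"], open_now[ip])
        elif event == "TCP_CLOSE":
            open_now[ip] = max(0, open_now[ip] - 1)  # tolerate a close with no logged open
    return dict(peaks)

def over_limit(peaks, limits):
    """List (ip, metric, observed_peak) for each peak above a candidate limit."""
    return sorted((ip, metric, seen) for ip, p in peaks.items()
                  for metric, seen in p.items() if seen > limits[metric])

if __name__ == "__main__":
    candidate = {"http_per_min": 3, "tcp_concurrent": 2}  # assumed values sized for the sample
    for hit in over_limit(baseline(SAMPLE_LOG), candidate):
        print(hit)
```

Run over a representative period of normal traffic, the hosts it lists are the ones to review before a limit is enforced.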
I hope this article was useful for you to see what has changed and improved in ISA Server 2006. If you look into the details of ISA Server 2006 I’m sure you will find many more changes. ISA Server 2006 has several evolutionary enhancements with an emphasis on Publishing, Certificate Management and Authentication. In my opinion Microsoft could name ISA Server 2006 “ISA Server 2004 R2”. ISA Server 2006 is a stopover on the way to the next version of Microsoft ISA Server.