ISA Server 2006 Service Pack 1: New features and enhancements
Many ISA Server Administrators waited a long time for the publication of ISA Server 2006 Service Pack 1. At the time of writing this article, ISA Server 2006 Service Pack 1 is still not available as RTM, but as a Beta version.
ISA Server 2006 Service Pack 1 has many improvements on ISA Server 2006 and more new features than any other published Service Pack. The number of new features is so long that I personally call ISA Server 2006 Service Pack 1 – ISA Server 2006 R2.
The number of new and enhanced features might be the reason for the delay for publishing the next version of ISA Server 2006 – called Microsoft Forefront TMG (Threat Management Gateway).
ISA Server 2006 Service Pack 1 New Features
- Configuration Change Tracking
All configuration changes of the ISA Server configuration can be saved for later review. This will give administrators a better overview of what has been changed and if there are multiple administrators, who has changed the configuration. The Configuration Change Tracking feature can also be used as a Server checklist of what has changed in the ISA configuration.
- Web Publishing Rule Test Button
As most of your ISA Server Administrators know, the configuration of a secure Webserver Publishing rule with HTTPS to HTTPS or HTTP bridging could be an challenge, because many things have to be considered: you have to select correct certificates, name resolution is critical, and more. With ISA Server 2006 Service Pack 1 a new Web Publishing Rule Test Button has been integrated in ISA Server 2006 Service Pack 1 which should help you test created Webserver Publishing rules. ISA Server will then check if the Internal Server is reachable from the ISA Server side and outside the Firewall.
- Traffic Simulator
The new Traffic Simluator function in ISA Server 2006 is a great feature to simulate network traffic through ISA Server 2006. The Traffic Simulator will send simulated traffic through the ISA Server rules engine as real traffic would flow through ISA. The new Traffic Simulator could be compared with the Active Directory Group Policy feature called Group Policy results and RSOP (Resultant Sets of Policies). This new feature is wonderful for us ISA Server Administrators because it lets us quickly check if our rule sets work as expected.
- Diagnostic Logging Query
The Diagnostic Logging query is not new to ISA Server 2006 because this feature was published in ISA Server 2004 Service Pack 3 but this feature will be enhanced in ISA Server 2006 Service Pack 1. The Diagnostic Logging Query is a feature only for concrete problems related to ISA Server Firewall rules and should only be enabled for diagnostic purposes anfd after the problem has been resolved the Diagnostic logging feature should be disabled because it consumes system resources. The Diagnostic Logging query feature in ISA Server 2006 Service Pack 1 makes it easier to see only the data that is relevant to the current troubleshooting effort.
ISA Server 2006 Service Pack 1 Enhancements
- Support for Network Load Balancing (NLB) multicast and multicast with IGMP operations
ISA Server 2006 NLB clusters use Unicast by default and this could not be changed until Microsoft published an update for ISA Server 2006 NLB. The use of Unicast NLB could disturb the use of bidirectional affinity (BDA). In Unicast mode, ISA nodes in an ISA Server array are all designated a single virtual IP address. The NLB driver assigns a new unicast MAC to all computers to be used by the Virtual IP (VIP). When traffic arrives to the ISA Server, the switch sends all traffic to all ports. This behavior could cause switch flooding. Multicast does not use this method and has some other enhancements over Unicast, but also has some potential pitfalls. In multicast mode, NLB designates a multicast MAC address to all computers in the cluster. Multicast combined with Internet Group Management Protocol (IGMP) prevents all ports being flooded. The multicast support enhancement is documented in Microsoft KB article, An update enables multicast operations for ISA Server integrated NLB. The implementation of this enhancement was complex. ISA Server 2006 Service Pack 1 has this feature integrated.
- Support for certificates with multiple Subject Alternative Name (SAN) entries in published web servers
The long awaited feature for all Exchange Server Administrators that have the need to publish Exchange Services like Outlook Web Acccess (OWA) and Outlook Anywhere must use digital certificates to secure the network traffic. Exchange Server 2007 supports the use of SAN (Subject Alternate Names) certificates – created by a Windows Server 2003 CA (SAN support must be enabled via Certutil.exe). A SAN certificate can contain more than one Server name in one certificate, so you can publish different Exchange services with only one certificate. The problem with ISA Server 2006 is that ISA Server 2006 doesn’t support SAN certificates. ISA Server 2006 always uses the first name found in the certificate and ignores the rest. With ISA Server 2006 Service Pack 1 you can use SAN certificates – great!
- Kerberos Constrained Delegation (KCD) authentication supports trusted-domain user accounts
Credentials from users located in a trusted domain can now be delegated to an internally published Web site when using KCD
RSA SecurID supports public timeout
For RSA SecurID authentication, a new form has been created that gives the user the option to select between a public or private session timeout.
Improve Web Publishing Load Balancing (WPLB) cookie handling
ISA Server 2006 Service Pack 1 now saves the domain name of the Server to which the user is connected. ISA Server saves the domain as a cookie so that a user is not redirected to another Server within the Webserver farm.
Filtering RPC Access rule traffic by UUID
In ISA Server 2006 without Service Pack 1 it was possible to publish RPC services based on the Universally Unique Identifier (UUID), but not within an access rule. The RPC protocol can now be added to the protocols list by selecting New RPC protocol in the Protocols option in ISA Servers toolbox so that it is possible to create outgoing access rules with filtered RPC traffic.
ISA Server 2006 includes some new alert improvements.
New alert indicator
When a new error type alert is generated, the upper section of the details pane is now highlighted in red. This is an extremely cool feature to see which of the alarms is new to ISA Server so you do not have to look at the timestamp information of the alert.
New alert for logging failure
If ISA Server could not log traffic to the MSDE or local text file ISA Server enters into Lockdown mode to protect the Firewall. A new alert Indicator is triggered when the logging process takes longer than 15 seconds. This will help the ISA administrator identify logging problems before ISA Server enters lockdown mode.
New performance counter
A Windows performance counter has been added to measure the kilobytes per second for an HTTP/HTTPS request/response. This feature serves as an indicator to help administrators determine how to improve performance of an HTTP/HTTPS request/response process.
Change Tracking feature
Every time you change the configuration of ISA Server 2006, a dialog box opens after you click Apply to save the ISA Server policy. This dialog box allows you to track the changes.
Figure 1: Configuration Change Description
You can see all changes in the ISA Server Monitoring tab named Change Tracking.
Figure 2: Change log
It is possible to enable or disable the tracking feature in the ISA console. Navigate to the ISA Server object and click properties. It is also possible to limit the number of entries.
Figure 3: Enable/Disable change tracking
Web Publishing Rule Test Button
In every Publishing rule you will see a new button called Test. This new feature is used to test the functionality of the publishing rule.
Figure 4: Test Button
If you click the test button a new window appears and you will see that ISA server tries to reach the Server and paths that you configured in the publishing rule.
Figure 5: Web Publishing test results
The new Traffic Simulator in ISA Server 2006 Service Pack 1 lets you simulate traffic that flows through ISA Server. The Traffic Simulator is available for all Publishing and Rule scenarios on ISA Server 2006.
Figure 6: Traffic simulator
After you entered the required information to test, click the start button and you will see the results. In this example, the request is allowed through the Firewall rule but the name could not be resolved.
Figure 7: URL Test
Diagnostic Logging query
The Diagnostic logging query filter is now integrated into the ISA Server console and it is now easier to find information.
Figure 8: Enhanced Diagnostic logging
Diagnostic logging tracks the whole way through ISA Server policy components. It enhances the normal logviewer in ISA Server 2006 by tracing the flow of specific packets through the ISA rules engine. It reports on packet progress and provides information about traffic handling and rule matching.
In this article I explained the new and enhanced features in ISA Server 2006 Service Pack 1. ISA Server 2006 SP1 contains many new and enhanced features and these new features should give you the time to wait for the next major update from ISA Server 2006 to Microsoft Forefront TMG (Threat Management Gateway).
- ISA Server 2006 SP1 Features
- A user cannot access a Web site that is published in ISA Server 2006 by using Kerberos constrained delegation if the user is not in the same domain as the ISA Server computer