What is an IAG 2007 SSL VPN?
We spent a lot of time on the IAG 2007 SSL VPN during our MVP week at the main Microsoft campus in Redmond. It was time well spent, as many of the ISA Firewall MVPs weren't aware of what the IAG was, and what an SSL VPN had to offer.
First off, the IAG 2007 SSL VPN has the ISA Firewall 2006 installed on it. Microsoft decided to do this so that the IAG can be protected from attack and so that it can be placed at the edge of the network. Since the ISA Firewall was designed to be an edge firewall, and has never been compromised, it makes sense to put the ISA Firewall on the IAG to protect the device itself.
One thing the IAG is not is an outbound access device. The IAG is all about inbound access, using either its SSL VPN feature or its PPTP or L2TP/IPSec remote access VPN capabilities.
I asked whether the IAG would be supported in a site-to-site VPN scenario. That is to say, if I called PSS and asked about problems with a site-to-site VPN between an IAG and an ISA firewall, or between two IAG devices, they would support me.
The goal of the IAG SSL VPN is to provide you remote access to all your corporate applications without having to worry about problems associated with typical remote access VPN connections, such as network numbering problems, or firewalls that block outbound PPTP or L2TP/IPSec and NAT-T.
But the IAG goes much further than that. It provides three types of SSL VPN capabilities:
- Traditional reverse proxy
- Port and socket forwarding
- Network-level VPN over SSL (a TCP-over-TCP-like VPN)
In addition, the IAG provides very robust client-side checking. This checking can be used to determine the level of access the client has to the corporate network, or whether the client is allowed to connect at all. You can also change the application experience based on the client configuration, such as hiding the "attachment" button if it's detected that the user is connecting from a kiosk.
You probably want the details, and I'll provide those details in a feature article in two weeks. Until then, I highly recommend that you visit the Microsoft site and check out a VM of the IAG at www.microsoft.com/forefront/edge