White Paper: Why ISA 2006 is a Better Solution than ISA 2000 and 2004

ISA Server 2000 was Microsoft’s first full fledged firewall product, and it offered a host of new features not found in its predecessor, Proxy Server 2.0, nor in most of the third party commercial firewall products in its price class. These included:

• 
  
  Multi-layered filtering (packet filtering at the network layer, circuit filtering at the transport layer, and application filtering at the application layer)
  
  
• 
  
  Integrated remote access virtual private networking (VPN) and site to site VPN gateway
  
  
• 
  
  Active Directory integration
  
  
• 
  
  Secure Network Address Translation (SecureNAT)
  
  
• 
  
  Secure server publishing
  
  
• 
  
  Email content screening via SMTP filters
  
  
• 
  
  H.323 gateway support for use of Microsoft NetMeeting and other H.323 conferencing software

ISA 2004 was the first major overhaul of Microsoft ISA Server since its introduction in 2000. ISA firewall admins found improvements in three key areas:

• Advanced protection
  
• Ease of use
  
• High performance

More specifically, ISA 2004 raised the bar on application layer security capabilities through enforcement of comprehensive and flexible application layer inspection policies, customizable protocol filters and network routing relationships that can help protect IT assets and corporate intellectual property from hackers, viruses and unauthorized use. Simple, easy to learn and use management tools, along with an enhanced user interface, shortened ramp-up time for new security administrators and helped customers avoid security breaches that can occur because of firewall misconfiguration.

While ISA 2004 put the ISA firewall product in head to head competition with Check Point and Cisco ASA/PIX in the network level firewall market, the ISA 2004 firewall lacked some features that made it harder than it should have been to compete with Blue Coat as the forward and reverse Web proxy server of choice. While it was clear that the ISA 2004 firewall and Web proxy server was more secure and more flexible than Blue Coat, the primary thrust of the ISA 2004 improvements were focused on its network stateful packet inspection and application layer inspection firewall feature set and not on its Web proxy components.

So, while ISA 2004 was focused on making the ISA firewall product equal or superior to the Check Point, Cisco ASA/PIX and Netscreen firewall products, the ISA 2006 enhancements are aimed at making the ISA firewall product line superior to Blue Coat in three core scenarios: Exchange Web services publishing, SharePoint Portal Server Publishing, and Internet Information Server (IIS) publishing.

The ISA 2006 firewall and Web proxy and caching product is at this point so impressive, that in my considered opinion no network security professional would consider providing remote access to Exchange, SharePoint Portal Server or IIS without an ISA firewall in place to protect them and to do otherwise would reflect on the decision maker’s judgment and motivations.

Before going into the details of ISA 2006, let’s roll back a bit and take a look at what ISA 2004 brought to the table. Since the ISA 2006 firewall includes all the ISA 2004 SP2 features and capabilities, it will give you a better idea of the ISA 2006 firewall’s feature set.

What was New in ISA 2004

ISA Server 2004 added many new features and improved others, along with completely revamping the interface, to greatly increase the functionality, especially at the enterprise level. As a refresher, the table below shows what was new in ISA 2004:

What was New in ISA Server 2004
New Feature	What it does
Multiple Network support	Allows you to configure more than one network, each with distinct relationships to other networks. You can define access policies relative to the networks. Unlike ISA Server 2000, where all network traffic was inspected relative to a local address table (LAT) that only included addresses on the local network, with ISA Server 2004 you can apply the firewall and security features to traffic between any networks or network objects.
Per-network policies	The new multi-networking features of ISA Server 2004 enable you to protect your network against internal and external security threats, by limiting communication between clients even within your own organization. Multi-networking functionality supports sophisticated perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) scenarios, allowing you to configure how clients in different networks access the perimeter network. Access policy between networks can then be based on the unique security zone represented by each network.
Routed and NAT network relationships	You can use ISA Server 2004 to define routing relationship between networks, depending on the type of access and communication required between the networks. In some cases, you may want more secure, less transparent communication between the networks; for these scenarios you can define a network address translation (NAT) relationship. In other scenarios you want to simply route traffic through ISA Server; in this case, you can define a routed relationship. In contrast to ISA Server 2000, packets moving between routed networks are fully exposed to ISA Server 2004 stateful filtering and inspection mechanisms.
Stateful packet and application layer inspection for Remote Access VPN Connection	Virtual private network (VPN) clients are configured as a separate network zone. Therefore, you can create distinct policies for VPN clients. The firewall rule engine discriminately checks requests from VPN clients, statefully filtering and inspecting these requests and dynamically opening connections, based on the access policy.
Stateful packet and Application layer inspection for traffic moving through site to site VPN tunnel	Networks joined by an ISA Server 2000 site to site link where considered trusted network and firewall policy was not applied to communication moving through the link. ISA Server 2004 introduces stateful packet and application layer inspection for all communications moving through a site to site VPN connection. This allows you to control resources specific hosts or networks can access on the opposite side of the link. User/group based access policies can be used to gain granular control over resource utilization via the link.
Secure NAT client support for VPN clients connected to ISA Server 2004 VPN server	With ISA Server 2000, only VPN clients configured as Firewall clients could access the Internet via their connected ISA Server 2000 VPN server. ISA Server 2004 expands VPN client support by allowing SecureNAT clients to access the Internet without the Firewall client installed on the client system. You can also enhance corporate network security by forcing user/group based firewall policy on VPN SecureNAT clients.
VPN Quarantine	ISA Server 2004 leverages the Windows Server 2003 SP1 VPN Quarantine feature. VPN Quarantine allows you to quarantine VPN clients on a separate network until they meet a predefined set of security requirements. VPN clients passing security tests are allowed network access based on VPN client firewall policies. VPN clients who fail security testing may be provided limited access to servers that will help them meet network security requirements.
Ability to publish PPTP VPN servers	You could only publish L2TP/IPSec NAT-T VPN servers using ISA Server 2000. ISA Server 2004 Server Publishing Rules allow you to publish all IP protocols and allows you to publish PPTP servers. The ISA Server 2004 smart PPTP application filter performs the complex connection management. In addition, you can easily publish the Windows Server 2003 NAT-T L2TP/IPSec VPN server using ISA Server 2006 Server Publishing.
IPSec tunnel mode support for site to site VPN links	ISA Server 2000 could use the PPTP and L2TP/IPSec VPN protocols to join networks over the Internet using a VPN site to site link. ISA Server 2004 improves site to site link support by allowing you to use IPSec tunnel mode as the VPN protocol.
Extended protocol support	ISA Server 2004 extends ISA Server 2000 functionality, by allowing you to control access and usage of any protocol, including IP-level protocols. This enables users to use applications such as ping and tracert, and to create VPN connections using the Point-to-Point Tunneling Protocol (PPTP). In addition, Internet Protocol security (IPSec) traffic can be enabled through ISA Server.
Support for complex protocols requiring multiple primary connections	Many streaming media and voice/video applications require that the firewall manage complex protocols. ISA Server 2000 was able to manage complex protocols, but required that the firewall administrator create complex scripts to create protocol definitions requiring multiple primary outbound connections. ISA Server 2004 greatly improves this situation by allowing you to create protocol definitions within an easy to use New Protocol Wizard.
Customizable protocol definitions	ISA Server 2004 allows you to control the source and destination port number for any protocol for which you create a Firewall Rule. This allows the ISA Server 2004 firewall administrator a very high level of control over what packets are allowed inbound and outbound through the firewall.
Firewall user groups	ISA Server 2000 utilized users and groups created in the Active Directory or on the local firewall computer for user/group based access control. ISA Server 2004 also uses these sources, but allows you to create custom firewall groups that are comprised of preexisting groups in the local accounts database or Active Directory domain. This increases your flexibility to control access based on user or group membership because the firewall administrator can create custom security groups from these existing groups. This removes the requirement that the firewall administrator be a domain administrator in order to credit custom security groups for inbound or outbound access control.
Forwarding of firewall client credentials to Web Proxy service	The ISA Server 2000 HTTP Redirector had to forward requests to the Web Proxy service in order for firewall clients to benefit from the Web cache in ISA Server 2000. User credentials were removed during this process and the request failed if user credentials were required. ISA Server 2004 removes the problem by allowing Firewall clients to access the Web cache via the Web Proxy filter without requiring separate authentication with the Web Proxy service (which no longer exists in ISA 2004 and beyond).
RADIUS support for Web Proxy client authentication	In order for ISA Server 2000 to authenticate Web proxy clients, the machine must have been a member of the Active Directory domain or the user account must exist on the firewall computers local user database. ISA Server 2004 allows you to authenticate users in the Active Directory and other authentication databases by using RADIUS to query the Active Directory. Web publishing rules can also use RADIUS to authenticate remote access connections.
Delegation of basic authentication	Published Web sites are protected from unauthenticated access by requiring the ISA Server 2004 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users from ever reaching the published Web server.
Preservation of source IP address in Web publishing rules	ISA Server 2000 Web Publishing Rules replaced the source IP address of the remote client with the IP address of the internal interface of the firewall before forwarding the request to the published Web server. ISA Server 2004 corrects this problem by allowing you to choose on a per-rule basis whether the firewall should replace the original IP address with its own, or forward the original IP address of the remote client to the Web server.
Insert ISA Server IP Address as Source IP address for Server Publishing Rules	ISA Server 2000 Server Publishing Rules required you to preserve the source IP address of the external client. This required that the published server be a SecureNET client of the ISA firewall. In ISA 2004, you were given the option to preserve the client source IP address, or replace the client source IP address with the IP address of the ISA firewall. This removed the requirement of making the published server a SecureNET client and enabled more flexible deployment options.
SecurID authentication for Web proxy clients	ISA Server 2004 can authenticate remote connections using SecurID two-factor authentication. This provides a very high level of authentication security because a user must “know” something and “have” something to gain access to the published Web server.
Forms based authentication for OWA Access	ISA Server 2004 can generate the forms used by Outlook Web Access sites for forms-based authentication. This enhances security for remote access to OWA sites by preventing unauthenticated users from contacting the OWA server.
Secure Web Publishing Wizard	The new Secure Web Server Publishing Wizard allows you to create secure SSL VPN tunnels to Web sites on your internal network. The SSL Bridging option allows ISA Server 2004 to decrypt encrypted traffic and expose the traffic to the HTTP policy’s stateful inspection mechanism. The SSL Tunneling option relays unmodified encrypted traffic to the published Web server.
Forced encryption for secure Exchange RPC connections	RPC policy can be set on the ISA Server 2004 firewall to prevent non-encrypted communications from remote Outlook MAPI clients connecting over the Internet. This enhances network and Exchange security by preventing user credentials and data from being exchanged in a non-encrypted format.
HTTP filtering on a per-rule basis	ISA Server 2004 HTTP policy allows the firewall to perform deep HTTP application layer inspection (application layer filtering). The extent of the inspection is configured on a per-rule basis. This allows you to configure custom constraints for HTTP inbound and outbound access.
Ability to block access to all executable content	You can configure ISA Server 2004 HTTP policy to block all connection attempts to Windows executable content, regardless of the file extension used on the resource.
Ability to control HTTP file downloads by file extension	ISA Server 2004 HTTP policy allows you allow all files extensions, allow all except a specified group of extensions, or block all extensions except for a specified group.
Application of HTTP filtering to all ISA Server 2004 client connections	ISA Server 2000 could block content for Web Proxy client based HTTP and FTP connections via MIME type (for HTTP) or file extension (for FTP). ISA Server 2004 HTTP policy allows you to control HTTP access for all ISA Server 2004 client connections.
Ability to block HTTP content based on keywords or strings (signatures)	ISA Server 2004 deep HTTP inspection allows you to create “HTTP Signatures” that can be compared against the Request URL, Request headers, Request body, Response headers and Response body. This allows you extremely precise control over what content internal and external users can access through the ISA Server 2004 firewall.
Ability to control which HTTP methods are allowed	You can control which HTTP methods are allowed through the firewall by setting access controls on user access to various methods. For example, you can limit the HTTP POST method to prevent users from sending data to Web sites using the HTTP POST method.
Ability block unencrypted Exchange RPC connections from full Outlook MAPI clients	ISA Server 2004 Secure Exchange Server Publishing Rules allow remote users to connect to Exchange using the fully functional Outlook MAPI client over the Internet. However, the Outlook client must be configured to use secure RPC so that the connection is encrypted. ISA Server 2004 RPC policy allows you to block all non-encrypted Outlook MAPI client connections.
FTP policy	ISA Server 2004 FTP policy can be configured to allow users to upload and download via FTP, or you can limit user FTP access to download only.
Link Translator	Some published Web sites may include references to internal names of computers. Because only the ISA Server 2004 firewall and external namespace, and not the internal network namespace, is available to external clients, these references will appear as broken links. ISA Server 2004 includes a link translation feature, that allows you to create a dictionary of definitions for internal computer names that map to publicly-known names.
Real-time monitoring of log entries	ISA Server 2004 allows you to see Firewall, Web Proxy and SMTP Message Screener logs in real time. The monitoring console displays the log entries as they are recorded in the firewall’s log file.
Built-in log query facility	You can query the log files using the built-in log query facility. Logs can be queried for information contained in any field recorded in the logs. You can limit the scope of the query to a specific time frame. The results appear in the ISA Server 2004 console and can be copied to the clipboard and pasted into another application for more detailed analysis.
Connectivity verifiers	You can verify connectivity by regularly monitoring connections to a specific computer or URL from the ISA Server 2004 computer using Connection Verifiers. You can configure which method to use to determine connectivity: ping, TCP connect to a port, or HTTP GET. You can select which connection to monitor, by specifying an IP address, computer name, or URL.
Report publishing	ISA Server 2004 report jobs can be configured to automatically save a copy of a report to a local folder or network file share. The folder or file share the reports are saved in can be mapped to Web site virtual directory so that other users can view the report. You can also manually publish reports that have not been configured to automatically publish after report creation.
E-mail notification of report creation	You can configure a report job to send you an e-mail message after a report job is completed.
Ability to customize time for log summary creation	ISA Server 2000 was hard-coded to create log summaries at 12:30 AM. Reports are based on information contained in log summaries. ISA Server 2004 allows you to easily customize the time when log summaries are created. This gives you increased flexibility in determining the time of day reports are created.
Ability to log to an MSDE database	Logs can now be stored in MSDE format by default. Logging to a local database enhances query speed and flexibility.
Ability to import and export configuration data	ISA Server introduces the ability to export and import configuration information. You can use this feature to save configuration parameters to an XML file, and then import the information from the file to another server.
Delegated Permissions Wizard for firewall administrator roles	The Administration Delegation Wizard helps you assign administrative roles to user and to groups of users. These predefined roles delegate the level of administrative control users are allowed over specified ISA Server 2006 services.

Table 1

All of those new features add functionality and flexibility above and beyond that provided by ISA 2000 and are included in the ISA 2006 firewall. But what do they really mean to you?

• 
  
  Multi-networking support greatly increased ISA 2004’s scalability and flexibility and gives much more granular control by applying different levels of security and access for different networks.
  
  
• 
  
  New VPN features made it easier and more secure to use virtual private networking through the ISA firewall. The ability to publish PPTP VPN servers is important to businesses that, for whatever reasons, don’t want to implement L2TP/IPSec for all VPN connections. VPN quarantine enhanced network security by allowing you to set security criteria VPN clients must meet before being allowed access to the corporate network. IPSec tunnel mode support greatly increased ISA 2004 firewall’s interoperability with a wide array of third-party VPN gateways.
  
  
• 
  
  New firewall features (and improvements to those that were included in ISA 2000) provided more precise control over what does and doesn’t enter the network. These enhancements positioned the ISA 2004 firewall to compete directly with third party firewall products, such as Check Point and PIX/ASA.
  
  
• 
  
  New Web cache and Web proxy features made it easier to publish Web sites, giving ISA firewall admins more control over Web caching, and enhanced the security of all published Web sites.
  
  
• 
  
  New remote access features increased usability and security of Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS), terminal services and Outlook RPC/HTTP. The ability to block unencrypted Exchange RPC communications greatly enhanced security in secure Exchange RPC publishing scenarios. In ISA 2000 out of the box, if Exchange RPC was allowed, you couldn’t distinguish between encrypted and unencrypted communications – all Exchange RPC communications were allowed. The ability to block unencrypted ones was included in feature pack 1 for ISA Server 2000, but required editing of the registry to enable. ISA 2004 made it as simple as checking a checkbox.
  
  
• 
  
  New application layer inspection features extended the level of control administrators had over Web and e-mail content, making it easier to block exactly what you want to block, and ensuring that users who need access to resources will have it. For example, signature blocking could be used as a spam control mechanism, allowing you to block keywords and strings in the message content. It could also be used as an anti-virus mechanism and a way to recognize and block common SMTP attacks. Unfortunately, the SMTP Message Screener was dropped in ISA Server 2006, with the expectation that customers would prefer to use Antigen for spam and anti-virus control. However, at this time, Antigen for SMTP has not been integrated with the ISA Server 2006 product line.
  
  
• 
  
  New monitoring and reporting capabilities are more important than ever in today’s regulated business environment, where it is vital to be able to provide detailed documentation to prove compliance with government and industry rules that require that specific security standards be met. The ability to import and export configuration information makes it easy to back up that information or to create multiple servers with the same configuration.
  
  
• 
  
  Link translation is important when you publish sites that contain links to internal resources (for example, SharePoint sites that you want to make available to external users). This capability was included in feature pack 1 for ISA 2000, but was made much easier to use in ISA 2004. ISA Server 2006 further enhances support for Link Translation, especially for SharePoint Portal Server Sites
  
  
• 
  
  New wizards such as the Delegated Permissions wizard, Outlook Web Access (OWA) Publishing wizard and the Secure Web Publishing wizard helped you to accomplish common tasks more quickly and easily, and help to prevent misconfiguration (which is one of the most common reasons for firewall failure). ISA Server 2006 further refines and enhances the Web Publishing Wizards included with ISA 2004.

With advanced security for your Microsoft applications, ISA Server 2004 protected the customer’s critical business assets and helped the organization stay on top of communications demands. In addition, ISA server 2004 provided security around the most common usage scenarios, such as collaboration, remote access, and server publishing. ISA Server 2006 includes all these features and includes significant feature enhancements over those provided by ISA 2004, which will be discussed later in this section.

Enhanced Usability in ISA Server 2004

The user interface in ISA Server 2004 was a dramatic departure from the ISA 2000 firewall console. The new interface was more intuitive and functional, and the three-pane layout and tabbed interface of the ISA Management console made it easier than ever to configure and manage ISA Server.

The new interface put common ISA firewall management tasks at your fingertips, eliminating the need to search through Help files or click through multiple dialog boxes to find the configuration options you want.

Why ISA 2006 Firewalls are Better than ISA 2000/2004 Firewalls

Many ISA firewall admins who are currently running ISA Server 2000 or 2004 will want to know why they should upgrade to ISA Server 2006. While the upgrade from ISA Server 2000 to ISA 2004 was an easy one to understand because of the major improvements and changes made between ISA Server 2000 and ISA 2004, the changes included with ISA 2006 versus ISA 2004 are more incremental and provide a much smoother transition than the upgrade from 2000 to 2004.

Most of the new features and capabilities seen in ISA 2006 compared to 2004 are difficult for the average ISA firewall admin to see if only a superficial look at the product is taken. The user interface is the same, the networking model is same, there have been no changes in terms of how the ISA firewall performs outbound access control, and there have been no changes to the core networking and traditional firewall feature set.

The bulk of the improvements seen with the ISA 2006 firewall are focused on secure Web publishing. While the Microsoft marketing message focuses on the three pillars of

• secure application publishing
  
• branch office gateway
  
• Web access protection

Technical decision makers will quickly discover that ISA 2006 adds relatively little to ISA 2004 SP2 in the outbound access control and protection and branch office gateway scenarios. However, they will notice that there are some profound improvements in secure application publishing. To be more specific, to secure Web Publishing.

The other major difference between ISA 2006 and ISA 2004 is that ISA 2006 has a much more robust mechanism for handling worm and other types of flood attacks. Some ISA 2004 servers have suffered from worm and DNS flood attack situations (note that these attacks never compromised the ISA firewall, but affected performance). ISA 2006 includes built in mechanism to prevent exhaustion of non-paged pool memory so that even when under heavy denial of service type worm or DNS flood attacks, the ISA 2006 firewall will be able to stand up even when the ISA 2004 firewall might fall over and need to be rebooted.

My recommendations for upgrading from ISA 2004 to ISA 2006 include the following:

• ISA 2006 worm and DNS flood protection will increase uptime and stability. The ISA 2006 updates to its stateful packet inspection and IDS/IPS functionality make it worth the upgrade.
  
• Significant enhancements have been made in increasing the security for remote access connections to Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS) and RPC/HTTP (Outlook Anywhere). You will be able to do things such as customize the log on form, enable password changes from the log on form, and be able to automatically inform users of how many days there are until a password change is required in the log on form
  
• ISA firewall admins publishing SharePoint Portal servers may have frustrations and incomplete functionality when using ISA 2004. If you have SharePoint Portal Server in place that you will be able to get full functionality from your SPS deployments when publishing through an ISA 2006 firewall, as it is purpose designed to provide secure remote access to SharePoint Portal Servers
  
• For all ISA firewall admins publishing Web sites, including Exchange and SharePoint Portal Server sites, you’ll be able to use forms-based authentication for any type of Web publishing scenario, and that editing the log on form is now completely supported by Microsoft
  
• For any ISA firewall admin publishing secure sites requiring pre-authentication at the ISA firewall, there are additional authentication mechanisms available, including LDAP authentication and RADIUS One-time password. Both these authentication methods allow the ISA firewall publishing the Web sites to be removed from the Active Directory domain, but still authenticate users belonging to the domain. RADIUS OTP provides ISA firewall admins who don’t wish to use SecurID with another two-factor authentication option.
  
• Any ISA firewall admin interested in publishing a Web farm will benefit greatly by upgrading from ISA 2004 to ISA 2006. This is especially the case if you have front-end Exchange Servers and want to have two or more front-end Exchange Servers configured as a fault tolerant and redundant Web farm. The ISA 2006 Web farm load balancing feature removes the requirement to make the FE Exchange Servers SecureNET clients when NLB was enabled on the FE Exchange Server array. In fact, ISA 2006 Web farm load balancing completely removes the requirement for NLB on the FE Exchange Server array or a third-party hardware load balancer. You can completely remove the third party load balancer and benefit from higher security, better performance and better session management that you would have with the “hardware” load balancer and you get all this at no additional cost.

While it might seem that there is a relatively small feature set on which to base upgrades from 2004 to 2006, the improvements included with ISA Server 2006 make it worth upgrading for any company that publishes Web sites. This might appear to you at first to represent a relatively small percentage of the entire ISA firewall feature set, but from my discussions with ISA customer base at large, it appears that ISA firewall’s largest deployment scenario is for reverse proxy, and this is exactly the feature set that the ISA Server development team has focused upon.

What’s New and Improved in the ISA 2006 Firewall and Web Proxy and Caching Solution

The table below provides a comprehensive, but not necessarily complete list of new and updated features included in the ISA 2006 firewall.

What’s New and Improved in ISA Server 2006
New Feature	What it does
Web Farm Load Balancing NEW	ISA 2006 Web Farm Load Balancing enables the ISA firewall administrator to publish a farm of Web servers that host the same content or perform similar roles. The ISA firewall provides both load balancing and fail over and fail back for the published Web farm and does not require NLB to enabled on the ISA firewall array or on the Web farm. Customers benefit from this feature because they do not need to enable NLB on the farm warm (which would require that the farm members be SecureNET clients) and the customer does not need to purchase an expensive external load balancer, such as F5.
Forms-based authentication support for all Web Publishing Rules NEW	In ISA 2004, Forms-based authentication was supported only for Outlook Web Access Web Publishing Rules. ISA Server 2006 expands its forms-based authentication support by enabling forms-based authentication for all Web sites published using Web Publishing Rules.
Kerberos Constrained Delegation NEW	In ISA 2004, User Certificate authentication could be performed by the ISA firewall, but the user’s credentials could not be forwarded to the published Web server. This generated multiple authentication prompts. In ISA Server 2006, a user can pre-authenticate with the ISA firewall and then that users credentials can be delegated as Kerberos credentials to the published Web servers, thus avoiding multiple authentication prompts and improving the end-user experience.
Enhanced Delegation of Authentication support	ISA 2004 supported only delegation of basic authentication. ISA Server 2006 enhances support for authentication delegation by enabling credentials to be delegated as Kerberos, Integrated, Negotiate or basic. This increases the flexibility of deployment for ISA firewalls since many published Web servers do not support basic authentication. In addition, the increases security for Web Publishing scenarios where SSL to SSL bridging is not an option and prevents the clear text basic credentials from being intercepted on the wire.
Separate name resolution from CONNECT name in Web Publishing Rules NEW	In ISA 2004, the same name was used for name resolution and the CONNECT name sent to the published Web server. This created a situation where the ISA firewall administrator had to create a split DNS, or enter a customer HOSTS file entry on the ISA firewall so that the CONNECT name resolved to the IP address of the published server on the internal network. ISA Server 2006 solves this problem by allowing you to specific a name or IP address that is separate from the CONNECT name used by the Web Publishing Rule.
Improved Exchange Server Web Publishing Rule Wizard	The ISA Server 2006 Exchange Server Web Publishing Wizard includes a number of improvements that makes publishing all versions of Exchange, from version 5.5 to 2007 easier than ever.
Integrated support for Password changes on log on form NEW	In ISA 2004, there was little or no support for allowing the users to change their passwords when using Forms-based authentication. ISA Server 2006 solves this problem by integrating the ability for a user to change his password right in the log on form. No special configuration tasks are required on the ISA firewall or published OWA Server
Integrated support for Password change notification on log on form NEW	In ISA 2004, there was no integrated support for providing users information about pending password expiration dates. ISA 2006 solves this problem by making the option available to the ISA firewall administrator to inform users of pending password expiration dates. You can customized the warning period by specifying the number of days in advance that you want users to be aware of password expiration.
Improved Mail Server Publishing Wizard	In ISA 2004, a single Mail Server Publishing Wizard was used to published both Exchange Web services and non-Web services. ISA Server 2006 breaks out Web from non-Web publishing tasks into two separate wizards, making it easier to publish non-Web protocols for your Exchange mail server.
SharePoint Portal Server Publishing Wizard NEW	It was possible to publish SharePoint Portal Servers using ISA 2004, but the process was potentially complex and not all features were available from the Internet because of problem with link translation. ISA Server 2006 solves this problem with enhanced support for SharePoint Portal Server publishing and an updated link translation dictionary that takes all the complexity of successfully publishing a SharePoint Portal Server deployment.
Single Sign-on NEW	One of the most requested features that didn’t make its way into ISA 2004 was single sign-on. In ISA 2004, users had to reauthenticate even if they were connecting to a Web server in the same domain as the original Web server. ISA Server 2006 solves this problem by enabling single sign-on on a per-listen/per-domain basis. If multiple Web sites belong to the same domain, and are published by the same Web listener, then users will not be required to reauthenticate and cached credentials are used.
Support for wildcard certificates on the published Web Server NEW	ISA 2004 supported wildcard certificates on its Web listener, but did not support wildcard certificates on the published Web server located behind the ISA firewall. ISA Server 2006 improves on wildcard certificate support by allowing the ISA firewall administrator to use a wildcard certificate on the published Web server.
Advanced Client Certificate Restrictions and Configurable Certificate Trust List NEW	A completely new feature included with ISA Server 2006 is Client Certificate Restrictions and configurable Certificate Trust List. The Client Certificate Restrictions feature allows you to set restrictions on the certificates users can provide when User Certificate authentication is enabled. Restrictions can be defined based on: – Issuer – Subject – Enhanced Key Usage – Extensions In addition, you can set restrictions on the OID (object ID) presented by the User Certificate The Configurable Trust List option enables you to set specific trusted CAs on a per-Web Listener basis. This list of trusted CAs is separate and distinct from the ISA firewall machine’s list of Trusted CAs. This enables the ISA firewall administrator to limit the User Certificates that can be used to authenticate with the ISA firewall to those issued only by a specific set of CAs, such as the company’s private CAs. This allows you to implement User Certificate Authentication as a method to limit access only to corporate managed machines and devices, such as PDAs and PDA enabled phones.
Fall back to basic authentication for non-Web browser clients NEW	One of the major problems ISA firewall administrators had with ISA 2004 was that they needed to create two listeners, requiring two different certificates, to publish both RPC/HTTP and OWA sites when forms-based authentication was enabled on the OWA Web listener. ISA Server 2006 solves this problem by detecting the user-agent string in the client request and falling back to basic authentication when the client is not a Web browser. This allows you to publish OWA with forms-based authentication enabled and RPC/HTTP using the same Web listener. The end result is that if the customer has only a single external IP address, both OWA with FBA and RPC/HTTP can be published using that single IP address, something not possible with ISA 2004.
Enhanced Link Translation Dictionary	Link translation dictionaries are used to change the contents of pages returned to external users. This is helpful when Web applications imbed private computer names in responses sent to external clients, since external clients are not able to connect to servers using their Internal names. ISA Server 2006 includes an enhanced link translation dictionary that automatically populates itself based on settings in your Web Publishing Rules. This allows the ISA firewall administrator to provide a seamless experience for external users who need to access multiple sites published by the ISA firewall. For example, this feature allows OWA users to receive links to SharePoint Portal Server messages in their OWA e-mail and access those links automatically, without complex reconfiguration required on the OWA and SharePoint Portal Server or even on the ISA firewall itself.
Cross array link translation NEW	Cross array link translation allows you to publish Web sites across multiple arrays and have the link translation dictionary available for all arrays in the same ISA Enterprise Edition enterprise group. This greatly simplifies large deployments by automatically populating the link translation list and avoiding the requirement for manual reconfiguration.
Improved CARP Support in ISA 2006 Enterprise Edition	Changes were made to the CARP algorithm with the release of ISA 2004 SP2. These changes have been carried over to ISA Server 2006 so that instead of requiring CARP exceptions to URLs you don’t want to be load balanced, you now create CARP exceptions for URLs that you do want load balanced. This change was made within the context of another change included with ISA 2004 SP2, where instead of using the URL to predetermine which array member handled the request, the FQDN is now used instead. The prevents problems with session handling for connections that might be spread across multiple array members for specific URLs contained within the same page or session.
BITS Caching for Microsoft Update Sites	BITS caching for Microsoft Updates was introduced with ISA 2004 SP2. This feature has been carried over and included with ISA Server 2006. BITS caching for Microsoft updates greatly improves bandwidth utilization over site to site or WAN links, making more bandwidth available to branch offices that would otherwise be overwhelmed with update traffic from servers located at the main office or the Internet. Main office servers also benefit from bandwidth optimization provided by BITS update caching.
HTTP Compression support	Support for HTTP Compression was introduced in ISA 2004 SP2 and carried over to ISA Server 2006. HTTP compression allows the ISA firewall administrator to control from where clients can ask for HTTP compression and from what servers can return HTTP compression. HTTP compression is very useful in a branch office scenario where bandwidth to the main office is at a premium.
Diffserv QoS Support for HTTP communications	Diffserv QoS support was introduced with ISA 2004 SP2 and carried over to ISA Server 2006. Diffserv is a method that can be used on Diffserv enabled networks to give preference to certain packets over others. The ISA firewall administrator can use Diffserv to prioritize packets destined to certain server over those of non-priority servers
Add multiple VIPs within the ISA Server management console NEW	ISA 2004 supported multiple VIP IP addresses. However, in order to add more than one VIP, the ISA firewall administrator had to drop out of the ISA management console and enter these IP addresses in the TCP/IP configuration of the NIC. ISA Server 2006 improves this situation by allowing the administrator to enter addition VIPs in the ISA management console.
Branch office Connectivity Wizard NEW	With ISA 2004, deploying branch office ISA firewalls was potentially complex, sometime requiring a site to site VPN connection to be configured and then trying to join the branch office ISA firewall to the domain after the site to site VPN tunnel was established. ISA Server 2006 takes the complexity out of branch office deployment by introducing a branch office deployment wizard, that enables the ISA firewall administrator to create a simple answer file that allows a non-technical user to plug a branch office ISA firewall device and run the answer file from a simple link.
Ability to assign multiple certificates to a single Web listener NEW	ISA 2004 allowed the ISA firewall administrator to bind only a single certificate to a Web listener. This was problematic when you wanted to use the same Web listener to publish multiple secure Web sties. ISA Server 2006 solves this problem by allowing you to bind multiple certificates to the same Web listener and assigning that Web listener to multiple Web Publishing Rules, enabling single sign-on and an improved end-user experience.
Support for customized forms for Forms-based authentication NEW	ISA 2004 supported forms-based authentication only for publishing OWA sites and customizing the form was not supported. With ISA Server 2006, you can now use forms-based authentication to publish any site and forms customization is supported.
LDAP authentication for Web Publishing Rules NEW	With ISA 2004, if the ISA firewall machine was not a member of the domain, the only viable method of pre-authenticating users at the ISA firewall was to use RADIUS authentication for Web Publishing Rules. RADIUS is limited because it does not allow the administrator to leverage Active Directory Groups. With ISA Server 2006, you can use LDAP authentication for ISA firewalls that are not domain members and take advantage of Active Directory Groups. In addition, the ISA 2006 firewall can be configured to use multiple LDAP servers and rules can be configured to look at authentication strings and forward the authentication request to the appropriate LDAP server (Active Directory domain controller).
RADIUS One-Time Passwords (OTP) for Web Publishing Rules NEW	Another authentication option now available to non-domain member for Web Publishing Rules is RADIUS One-Time passwords (OTP). RADIUS OTP allows users to authenticate using a password that is valid on a single attempt and cannot be reused.
Improved cookie management	ISA 2004 did not provide a administrator accessible method for managing cookies on client machines connecting to published Web resources. With ISA Server 2006, the administrator is provided several options for controlling how cookies are validated and configurable credentials caching.
Enhanced Flood Mitigation Settings	ISA 2004 included a basic flood mitigation feature that helped protect the networks that the ISA firewall was connected, in addition to the ISA firewall machine itself. ISA Server 2006 builds on the ISA 2004 flood protection mechanism to help protect against more types of flood attacks
Customer Experience Program NEW	The customer experience program provides a mechanism where Microsoft can obtain information about how ISA Server is deployed and used in production environments. No personally identifiable information is sent to Microsoft, and this information is used to help Microsoft understand how to improve the product in service packs and future releases. The Customer Experience Program was first introduced with ISA 2004 SP2.
Support for Published Configuration Storage Servers NEW	ISA Server 2006 enables the administrator to connect to Configuration Storage Servers at the main office even when the site to site VPN connection between branch and main offices becomes unavailable. You can publish the main office Configuration Storage Server and configure the branch office ISA firewall to connect to the published Configuration Storage Server over the Internet in the event that the site to site VPN connection becomes unavailable.
Enhanced support for SSL Accelerators in NLB Scenarios NEW	When an NLB array of ISA firewall’s publishes secure SSL Web sites, the same Web site certificate must be installed on all the array members accepting incoming connections for the published Web site. This can be problematic when SSL accelerator cards are used and require that different certificates be bound to each SSL card in the NLB array. ISA Server 2006 supports binding different certificates to each card in the array to better support SSL accelerator cards.
Support for outbound SSL Bridging (add-on required) NEW	Although not a feature in the base product, ISA firewall administrators can significantly increase the network security by using an ISA Server add-on product named ClearTunnel (www.collectivesoftware.com) ClearTunnel enables the ISA firewall to perform application layer inspection on outbound SSL connections and prevents potential exploits from being downloaded from the Internet through an encrypted SSL tunnel. SSL connections outbound represent a major security threat to corporate networks today, so the ability to inspect outbound SSL communications is a great enhancement to the network security that ISA Server can provide.
Updated MOM Management Pack	ISA Server 2006 includes an updated MOM pack.
Improved Alerting	ISA Server 2006 builds on the configuration and security alerts includes with ISA 2004 and adds a number of new alerts that help information the ISA administrator of configuration issues, certificate issue, security issues, and threat triggers. The new alerts included with ISA Server 2006 will make it easier than ever to troubleshoot ISA firewall related problems.
Site to Site VPN Wizard and Unattended Answer File support NEW	ISA Server 2000 included a comprehensive site to site VPN wizard that took the complexities out of configuring a site to site VPN connection. This feature was removed from ISA 2004. In ISA Server 2006, the site to site VPN wizard returns and makes creating site to site VPN connections easier than ever. In addition to simplifying the creation of a site to site VPN, the new ISA 2006 site to site VPN wizards allows the main office ISA firewall administrator to create a simple answer file that a non-technical users at a branch office can use to automatically connect the branch office ISA firewall to the main office corporate network.
Logging supports Referring Server NEW	A common complaint among ISA firewall administrators was the inability to log the referring server for connections made to servers published using Web Publishing Rules. ISA Server 2006 solves this problem by adding the ability to log the referring server in the ISA firewall’s Web proxy log files.

Table 2

Conclusion

As you can see, there is a lot more included in the new ISA 2006 firewall than initially meets the eye. While the ISA 2006 firewall doesn’t provide the world shaking differences we saw with the upgrade from ISA Server 2000, I think you’ll find that the upgrade to ISA 2006 is well worth the effort both in terms of increased functionality and user satisfaction, and increased uptime and reliability.

If you have questions about what the new ISA 2006 firewall has to offer your organization, feel free to post a question on the Web boards in the links provided in this article. If you wish to contact me privately, you can contact me at [email protected] and I can help provide information that will help you make a compelling argument to your business decision makers who sign the checks for your ISA firewall upgrade. I can also help you deal with the “network guys” who don’t understand the ISA firewall and might push back at your attempts to secure your network and networked applications.