Microsoft recently released the beta version of its new ISA Server 2006. ISA
Server is an application layer firewall, a VPN gateway with proxy and caching
functionalities. The Enterprise Edition of ISA 2006 uses a multi-tiered
enterprise and array model. An array is a representation of one
or more ISA Server computers that are physically connected and share the same
configuration.
An ISA Server enterprise consists of one or more arrays that group together
ISA Server firewall computers in the enterprise. Each enterprise manages its own
array members. It uses firewall policies to protect networks and control traffic
flowing in and out of the organization. The firewall policy consists of access
and publishing rules defined at the enterprise level and at the array level.
What's new?
The new ISA Server has many new features and is high on security and
authentication. Its new authentication features include a Single Sign On (SSO),
in which a user authenticates once with ISA Server and can access any number of
servers that are behind ISA Server, without re-authenticating. It also supports
two-factor authentication using smart card or SecurID token. The new ISA Server
2006 promises to provide improved security through its integration with
Microsoft Application infrastructure and Windows services such as NTLM and
Kerberos authentication, Active Directory service, VPN, Routing and Remote
Access, Network Load Balancing (NLB), etc. Plus, it has integrated
support for Exchange 12 and SharePoint Server.
Web Server Publishing allows administrators to make internal Web applications
available to users outside of the network. Traditionally this involved sending
all traffic that uses TCP port 80 to an internal Web server. Now Web publishing
with ISA Server 2006 inspects all HTTP content before it reaches the Web
servers, which protects them from attacks carried over the HTTP port.
ISA Server 2006 can be placed in different places on any enterprise network under different topologies.
It can also be used as a central location to block disallowed Web requests,
which is much easier than configuring each Web server individually. This
provides greater control over intranet resources. Configuring access and
security to a large number of Web sites can be time consuming. To make this
easier, ISA 2006 has a feature called server farms. A farm of servers can be defined as
a network object, and then used in as many different publishing rules as
desired.
The new ISA Server also provides protection against application attacks, which
are common these days. To protect against various application threats it has
multilayer firewall functionality, which includes packet filtering (also called
circuit-layer), stateful filtering, and application layer filtering (deep packet
inspection). Flood Resiliency provides protection against worm attacks, SYN
attacks, DoS and DDoS attacks.
This version has a new feature called Flood Mitigation, which can protect you against various attacks.
In ISA Server 2004 there was a connection quota capability to lessen flooding
attacks, but there was no way to determine what type of attack was going on
against ISA Server, or which port or protocol was involved in the attack. Now,
with its Flood Resiliency feature, ISA Server 2006 can provide resistance
against these attacks. It can detect the attacking IP address and validate
whether it is spoofed. It can limit TCP connections, concurrent TCP connections,
and requests per minute per IP address.
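The per-IP limits described above can be modelled in a few lines. The following is an added example, not ISA Server code: the thresholds, event names and sample addresses are assumptions chosen for illustration, and spoof validation is not modelled.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration only; these are not ISA Server defaults.
MAX_CONCURRENT_TCP = 3
MAX_HTTP_REQ_PER_MIN = 5
WINDOW = 60  # seconds


class FloodMonitor:
    def __init__(self):
        self.open_conns = defaultdict(int)   # ip -> currently open TCP connections
        self.requests = defaultdict(deque)   # ip -> timestamps of allowed HTTP requests
        self.alerts = []                     # (timestamp, ip, limit that was hit)

    def handle(self, ts, ip, event):
        """Return True if the event is allowed, False if it is dropped."""
        if event == "open":
            if self.open_conns[ip] >= MAX_CONCURRENT_TCP:
                return self._deny(ts, ip, "concurrent TCP connections")
            self.open_conns[ip] += 1
        elif event == "close":
            self.open_conns[ip] = max(0, self.open_conns[ip] - 1)
        elif event == "http":
            window = self.requests[ip]
            while window and ts - window[0] >= WINDOW:   # slide the one-minute window
                window.popleft()
            if len(window) >= MAX_HTTP_REQ_PER_MIN:
                return self._deny(ts, ip, "HTTP requests per minute")
            window.append(ts)
        return True

    def _deny(self, ts, ip, reason):
        self.alerts.append((ts, ip, reason))   # records which IP hit which limit
        return False


# Constructed sample events: (timestamp in seconds, source IP, event type).
SAMPLE = (
    [(t, "192.0.2.10", "http") for t in range(8)]          # 8 requests in 8 s
    + [(10 + i, "192.0.2.20", "open") for i in range(5)]   # 5 opens, never closed
    + [(20, "198.51.100.5", "open"), (21, "198.51.100.5", "http"),
       (22, "198.51.100.5", "close")]                      # ordinary client
    + [(70, "192.0.2.10", "http")]                         # window has expired
)


def run(events):
    mon = FloodMonitor()
    results = [mon.handle(*e) for e in events]
    return results, mon.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE)[1]:
        print(alert)
```

Each alert names the source address and the limit it exceeded, which is the attribution the paragraph says the earlier connection quota lacked.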
The other new features of ISA Server 2006 include HTTP compression, DiffServ
(Quality of Service), single sign-on and BITS caching. HTTP compression reduces
file size by using algorithms to eliminate redundant data. Most of the
common Web-related file types can be compressed for ISA 2006. HTTP compression
in ISA Server is a global HTTP policy setting and it can be applied to all HTTP
traffic that passes through ISA Server to or from a specified network or network
object.
The ISA Server also has real time monitoring and log filtering. It allows a
view of all active connections to and through the firewall, and from a session
view, you can sort or disconnect individual or groups of sessions. It also
provides detailed logs for inbound and outbound access and when combined with
authentication, the logs will contain information about activity by user name.
It can automatically generate several reports too. ISA Server 2006 requires
Windows 2003 with SP1.
Setting up ISA Server
Installing ISA Server 2006 is simple and pretty much similar to ISA 2004. During
installation it asks for the 'internal network address ranges' and the
network adapter to use which is connected to the internal network. You can even
add the private IP address range as your internal network address range.
Configuring ISA Server 2006 is easy as there is a wizard that helps you
configure most of the features.
Using ISA 2006 with SharePoint
First we need to configure ISA Server 2006 as an Edge firewall. To do so, open
ISA Server Management. Expand Configuration and click on Networks. In the right
window click on Edge Firewall and Network Template Wizard will pop-up. It will
ask you for information about the internal network IP address and policies.
Provide the required information and finish the wizard. Once the wizard is
finished, your ISA Server is configured as an Edge Firewall.
Go to the ISA Management window and in the Details pane, click on Firewall
Policy. Click the Tasks tab and then on Publish SharePoint sites. A new
SharePoint Publishing Rule window will pop-up. The wizard will ask you to choose
a Publishing Type. Here you need to tell ISA if you are publishing a single
website or an external load-balancer or multiple websites; or if you want to
publish a Server farm. Choose the first option. In the next window you would be
asked for your internal website name, which happens to be your SharePoint site.
You can also choose to use SSL to connect to this site.
Next it will ask you to select a Web Listener. Here click on the New button
to create a new Web Listener. On clicking, a new wizard will pop-up. Provide a
name for the Web Listener. In the next window, it will ask you if you require
SSL secured connections with clients or not. Next you need to choose Web
Listener IP addresses and provide an SSL certificate for the Web Listener. Also
define how you would like clients to authenticate to ISA Server. Once you have
created a Web Listener it will take you back to the SharePoint Publishing
wizard.
Next in this wizard, you will be asked to choose a method by which ISA Server
should authenticate to the published website. Here choose Basic Authentication
and in the next step it will ask you to specify the users on whom this rule
should be applied. Click on 'Apply Changes on Main Window' on completion of
the wizard. Now on the SharePoint Server open IIS Manager and go to
Authentication and Access Control. Click on Edit and select Basic
Authentication. Save changes to IIS Manager. Now your ISA Server is ready to
work with SharePoint server.