Many IT pros have not taken Microsoft’s efforts in the firewall and Web caching arena very seriously, with some suggesting that the company’s Internet Security and Acceleration (ISA) Server is not a serious threat to the hardware security appliances that have stormed the market in recent years. However, there are many companies that have long preferred and relied on the security features in ISA Server—and its precursor, Microsoft Proxy Server—because these software firewalls have some unique features and are usually not as costly as the top-of-the-line hardware appliances.
Now, Microsoft has made some major improvements to ISA Server with the release of ISA Server Feature Pack 1. Here is a look at these improvements.
Enhanced SMTP filter
ISA Server can filter traffic arriving on port 25 on the basis of attachment name or type, message size, sender, sender domain, keyword or SMTP command. Beyond SMTP, FP1 also protects remote users who need a full Outlook session with Exchange over RPC; previously they would have had to use OWA and/or set up a VPN connection. ISA FP1 can be configured to enforce encryption of all RPC communications between the remote client and the Exchange server, and clients inside the security boundary of an ISA Server can now also connect securely to an Exchange server beyond that boundary. All this simplifies administration and use.
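To make the rule types listed above concrete, here is a small message filter written for this article (it is not ISA Server or Microsoft code) that applies each of them to a raw SMTP message and to an SMTP command line. The policy values, the sample message and the `build_sample` helper are constructed for the example.

```python
"""Added example, not ISA Server or Microsoft code: a message filter that
applies the rule types the article lists for the FP1 SMTP filter (attachment
name or type, message size, sender, sender domain, body keyword and SMTP
command). The policy values and the sample messages are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed policy; the real ISA filter is configured in its MMC snap-in.
POLICY = {
    "deny_attachment_names": {"invoice.exe"},
    "deny_attachment_types": {"application/x-msdownload"},
    "max_size_bytes": 5000,
    "deny_senders": {"spammer@badmail.example"},
    "deny_domains": {"badmail.example"},
    "deny_keywords": {"free money"},
    "deny_commands": {"VRFY", "EXPN"},
}


def check_command(line: str, pol=POLICY) -> bool:
    """Return True if an SMTP command line (e.g. 'VRFY root') is allowed."""
    verb = line.strip().split(" ", 1)[0].upper()
    return verb not in pol["deny_commands"]


def check_message(raw: bytes, pol=POLICY) -> list:
    """Return the policy rules a raw RFC 822 message violates (empty = pass).

    The size rule is checked on the raw bytes before parsing, so an oversized
    message is rejected without the cost of decoding its MIME parts.
    """
    reasons = []
    if len(raw) > pol["max_size_bytes"]:
        reasons.append("size")
    msg = email.message_from_bytes(raw, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = addr.rpartition("@")[2]
    if addr in pol["deny_senders"]:
        reasons.append("sender")
    if domain in pol["deny_domains"]:
        reasons.append("domain")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no content of their own
        name = (part.get_filename() or "").lower()
        if name in pol["deny_attachment_names"]:
            reasons.append("attachment-name")
        if part.get_content_type() in pol["deny_attachment_types"]:
            reasons.append("attachment-type")
        if part.get_content_maintype() == "text":
            body = part.get_content().lower()
            if any(k in body for k in pol["deny_keywords"]):
                reasons.append("keyword")
    return reasons


def build_sample() -> bytes:
    """Constructed test message that trips several rules at once."""
    m = EmailMessage()
    m["From"] = "Spammer <spammer@badmail.example>"
    m["To"] = "user@corp.example"
    m["Subject"] = "Your invoice"
    m.set_content("Claim your FREE MONEY today")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="x-msdownload", filename="invoice.exe")
    return m.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample()))
    print(check_command("VRFY postmaster"))
```

The command check runs on each line of the SMTP dialogue as it arrives, while the message rules run once the DATA phase has delivered the whole message; checking size on the raw bytes first means an oversized message is never parsed.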
Web and OWA server protection
With the increasing proliferation of worms and other malicious code that travel over HTTP and HTTPS, there is a need to filter and nullify these threats at the application layer. ISA FP1's URLScan 2.5 feature helps achieve this by detecting and rejecting malformed requests, such as Unicode-encoded and double-decoded directory traversal attacks, before they reach a Web server. URLScan 2.5 can be installed on every Web server or just on an ISA Server through which all Web traffic passes. The latter reduces configuration time and complexity and makes it easier to maintain one standard set of filter policies rather than multiple policies across a large number of servers. Two caveats apply: a server that can be reached by any path that bypasses the ISA Server gets no protection from it, and inspecting HTTPS requires SSL bridging so that the ISA Server terminates the client's SSL session and sees the request in the clear.
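The following request filter, written for this article and not taken from URLScan or ISA Server, shows the kinds of checks described above: an allowed-verb list, rejection of high-bit characters, strict decoding that catches overlong "Unicode" sequences, a second decode that exposes double-encoded traversal, denied URL sequences and denied extensions. The policy dictionary only approximates a urlscan.ini and is constructed for the example.

```python
"""Added example, not URLScan or ISA Server code: a request filter that applies
the kinds of checks URLScan 2.5 performs before a request reaches the Web server
(allowed verbs, high-bit characters, normalisation and double-decode
verification, denied URL sequences and denied extensions). The policy below is
constructed and only approximates a urlscan.ini; it is not the real file."""
import posixpath
from urllib.parse import unquote

# Constructed policy loosely modelled on common urlscan.ini settings.
POLICY = {
    "allow_verbs": {"GET", "HEAD", "POST"},
    "deny_extensions": {".exe", ".bat", ".cmd", ".ida", ".idq", ".printer"},
    "deny_sequences": ["..", "./", "\\", ":", "%", "&"],
    "allow_high_bit": False,
}


def normalize(path: str) -> str:
    """One decoding pass as the Web server would perform it: percent-decode
    with strict UTF-8 (so overlong forms such as %c0%af raise) and fold
    backslashes to slashes, which IIS treats as equivalent."""
    return unquote(path, errors="strict").replace("\\", "/")


def scan(verb: str, raw_path: str, pol=POLICY) -> str:
    """Return 'allow' or 'deny:<reason>' for a request line's verb and path."""
    if verb.upper() not in pol["allow_verbs"]:
        return "deny:verb"
    try:
        once = normalize(raw_path)
        twice = normalize(once)
    except UnicodeDecodeError:
        # Invalid or overlong UTF-8 such as %c0%af, which unpatched IIS once
        # decoded to '/' (the "Unicode" traversal).
        return "deny:bad-encoding"
    if not pol["allow_high_bit"] and any(ord(c) > 127 for c in once):
        return "deny:high-bit"
    # VerifyNormalization: if a second decode changes the URL, the request was
    # double-encoded (e.g. %255c -> %5c -> \), the "double decode" traversal.
    if twice != once:
        return "deny:double-encoding"
    for seq in pol["deny_sequences"]:
        if seq in once:
            return "deny:sequence"
    if posixpath.splitext(once)[1].lower() in pol["deny_extensions"]:
        return "deny:extension"
    return "allow"


if __name__ == "__main__":
    for verb, path in [("GET", "/default.htm"),
                       ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe"),
                       ("GET", "/scripts/..%255c../winnt/system32/cmd.exe"),
                       ("GET", "/default.ida")]:
        print(verb, path, "->", scan(verb, path))
```

The order of the checks matters: decoding comes before the sequence and extension tests, because a traversal hidden behind percent-encoding would otherwise slip past a literal `..` match, and the strict decode turns the overlong-UTF-8 trick into an outright rejection rather than a guess at what the server would have made of it.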
ISA FP1 now supports RSA SecurID authentication. When the RSA SecurID agent runs on the ISA Server, the client is authenticated with two factors: a PIN the user knows and the tokencode displayed by the user's SecurID token. Together these form the passcode, which the ISA Server sends to the RSA ACE/Server for validation. If validation succeeds, the client's browser is issued a cookie that stands in for the passcode for the rest of the session, so the listener should require SSL to keep that cookie from being captured and replayed.
With delegated authentication, ISA Server preauthenticates clients itself and passes the validated credentials on to the protected Web or OWA server, rather than forwarding unauthenticated requests for that server to validate. Requests that fail authentication never reach the published server, and the user sees fewer logon dialog boxes. Delegation is enabled per Web publishing rule on a given ISA Server.
While ISA Server is a complex piece of software, its developers have tried to make the configuration interfaces as simple and intuitive as possible. They have provided wizards for setting up OWA, RPC filtering, link translation, and other common security scenarios.
The OWA wizard allows administrators to quickly get a secure installation of OWA up and running. The wizard automates the Web publishing rules, adds the right listeners for the external ISA Server addresses and manages the selection of certificates for SSL bridging, in which the ISA Server terminates the client's SSL session and opens a second one to the internal server so that it can inspect the request in between.
The RPC wizard is even easier. It lists the RPC interfaces that ISA Server's RPC filter knows about, and administrators simply check the ones they want to open. This avoids opening every RPC interface on a server when only one is needed. The selected interfaces can then be used in server publishing rules so that external clients can connect.
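What "opening only the interface you need" means on the wire is a check on the bind request: a DCE/RPC client names the interface it wants by UUID in its bind PDU, and a filter can refuse any bind that asks for an interface not on the allow list. The example below was written for this article and is not ISA Server code; it parses a connection-oriented bind PDU and applies such a list. The endpoint mapper and NDR transfer-syntax UUIDs are the well-known ones, the UUIDs marked hypothetical are invented, and the test PDU is constructed by `build_bind`.

```python
"""Added example, not ISA Server code: a DCE/RPC bind-PDU check that permits a
client to bind only to interfaces on an allow list, which is what the RPC
wizard's per-interface selection amounts to. The allow-list UUIDs marked
hypothetical are invented for the example; the endpoint mapper and NDR
transfer-syntax UUIDs are the well-known ones. The test PDU is constructed."""
import struct
import uuid

NDR_V2 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax 2.0
EPMAP = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")   # RPC endpoint mapper
PUBLISHED_APP = uuid.UUID("12345678-0000-4000-8000-000000000001")  # hypothetical
UNLISTED = uuid.UUID("12345678-0000-4000-8000-0000000000ff")       # hypothetical

# Constructed allow list: only these interfaces may be bound through the proxy.
ALLOWED = {EPMAP, PUBLISHED_APP}

PTYPE_BIND = 11


def build_bind(interface: uuid.UUID, version=(1, 0), call_id=1) -> bytes:
    """Construct a minimal connection-oriented bind PDU (test input) that
    asks for one presentation context using NDR 2.0."""
    ctx = struct.pack("<HBB", 0, 1, 0)                        # ctx id, 1 syntax, pad
    ctx += interface.bytes_le + struct.pack("<HH", *version)  # abstract syntax
    ctx += NDR_V2.bytes_le + struct.pack("<I", 2)             # transfer syntax
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body


def bind_interfaces(pdu: bytes) -> list:
    """Parse a bind PDU and return (uuid, major, minor) for every abstract
    syntax (interface) the client asks to bind to."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    little = (pdu[4] >> 4) == 1            # data representation: byte order
    order = "<" if little else ">"
    if struct.unpack_from(order + "H", pdu, 8)[0] != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    n_ctx = pdu[24]
    off, found = 28, []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated context list")
        n_syntax = pdu[off + 2]
        raw = pdu[off + 4:off + 20]
        major, minor = struct.unpack_from(order + "HH", pdu, off + 20)
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        found.append((iface, major, minor))
        off += 24 + 20 * n_syntax          # skip the transfer syntaxes
    if off > len(pdu):
        raise ValueError("truncated context list")
    return found


def filter_bind(pdu: bytes, allowed=ALLOWED) -> bool:
    """Return True only if every interface in the bind is on the allow list;
    malformed PDUs are rejected rather than passed through."""
    try:
        found = bind_interfaces(pdu)
    except ValueError:
        return False
    return bool(found) and all(iface in allowed for iface, _, _ in found)


if __name__ == "__main__":
    print(filter_bind(build_bind(EPMAP)), filter_bind(build_bind(UNLISTED)))
```

Two details are worth noting: a bind may carry several presentation contexts, so the decision is taken over all of them rather than the first, and a PDU whose frag_length disagrees with its actual size is dropped rather than parsed optimistically, since a filter that guesses on malformed input is a filter that can be bypassed.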
Link translation in ISA FP1 is another useful feature for networks that need to make intranet information accessible to external users. When an internal Web server returns a page whose links are written with the server's internal computer name (for example, a NetBIOS name with no FQDN), those links would be broken for an external client that cannot resolve that name. The link translator rewrites such links in the page before it is returned, so that they point to the external address through which the page is published. Link translation works for HTTP and HTTPS. This alone means that intranet pages do not need to be rebuilt to be accessible from external locations. Link translation also makes it possible, in effect, to have both an intranet and an extranet based on the same set of published Web documents.
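The rewrite the link translator performs is illustrated by this example, written for this article and not taken from ISA Server: a mapping from internal server names to the published external URL is compiled into one pattern and applied to an HTML body. The name mapping (`intranet`, `intranet.corp.local`, `hr` and `www.example.com`) and the sample page are constructed.

```python
"""Added example, not ISA Server code: a link translator of the kind the
article describes, which rewrites links in an HTML response so that references
to internal server names become the external name under which the site is
published. The name mapping and the sample page are constructed."""
import re

# Constructed mapping: internal name as pages link to it -> published URL.
LINK_MAP = {
    "http://intranet": "https://www.example.com",
    "http://intranet.corp.local": "https://www.example.com",
    "http://hr": "https://www.example.com/hr",
}


def make_translator(link_map):
    """Compile one regex for all internal names. Longer names are listed first
    so 'intranet.corp.local' is never cut short by 'intranet', and the
    lookahead requires a delimiter after the name so 'intranetwork' does not
    match."""
    names = sorted(link_map, key=len, reverse=True)
    pattern = re.compile(
        r"(?<![\w.])(" + "|".join(re.escape(n) for n in names) + r")(?=[/?#\"'\s<]|$)",
        re.IGNORECASE,
    )

    def translate(body: str) -> str:
        return pattern.sub(lambda m: link_map[m.group(1).lower()], body)

    return translate


translate_links = make_translator(LINK_MAP)

# Constructed sample page as an internal server might return it.
SAMPLE = (
    '<a href="http://intranet/policies/index.htm">Policies</a>\n'
    '<img src="http://INTRANET.corp.local/img/logo.gif">\n'
    '<a href="/relative/page.htm">Relative links need no change</a>\n'
    '<a href="http://hr/benefits.htm">Benefits</a>\n'
    '<a href="http://intranetwork.example/">Another site, left alone</a>\n'
)

if __name__ == "__main__":
    print(translate_links(SAMPLE))
```

In a real proxy this is applied only to HTML bodies, and because the rewritten body is usually a different length, the Content-Length header must be recomputed (or the response re-chunked) after translation; a rewrite that forgets this produces truncated or corrupt pages, which is the first thing to check when link translation appears to "break" a site.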
There are other items in FP1 that will help administrators to better configure Internet security with ISA Server. These include detailed walkthrough scenarios and technical documents, including Web publishing and Exchange Server publishing guides.
Enhanced ISA Server offers advantages
This sums up the major enhancements to ISA Server by the addition of Feature Pack 1. A common thread amongst many corporate administrators seems to be that ISA Server provides advantages by integrating well into existing Windows 2000 infrastructures and providing fast Web caching, secure authentication/encryption, and firewall services.