SolutionBase: What's coming in ISA Server 2006

ISA Server 2004 provides an easy way to quickly set up a firewall in a Windows environment, but it's far from perfect. In this article, Tom Shinder points out some of the improvements that are coming in ISA Server 2006.

It seems like only yesterday that ISA Server 2004 went public. In fact, ISA 2004 went RTM on May 31, 2004, almost two years ago. This month Microsoft announced the release of ISA Server 2006 public beta 1. The release of another ISA firewall product so soon on the heals of the previous version might come as somewhat of a surprise to many, since there was an interim of four years between Proxy Server 2.0 and ISA Server 2000, and four years between ISA Server 2000 and ISA 2004.

Microsoft has decided to shorten the interval between ISA firewall releases in order to bring more value to their software assurance customers. The release of ISA Server 2006 represents the first step in that direction. After the release of ISA Server 2006 sometime later this year, you can expect a new version of the ISA firewall product about every two years. Future versions of the ISA firewall will leverage the enhanced networking features included in the Longhorn Server product.

ISA Server 2006 should be considered a "point one" upgrade to the ISA 2004 firewall. You won't find any of the earth shaking architectural or interface changes that you saw with the transition from ISA Server 2000 and ISA 2004. What you will find are incremental changes, targeted primarily at the Web proxy component of the ISA firewall.

In this article we'll take a short look at some of new features and improvements ISA Server 2006 has compared to ISA 2004. These include:

  • Improvements to the Firewall feature set
  • Improvements to the Web proxy feature set
  • Improvements to the Site to site VPN gateway feature set

Improvements to the Firewall Feature Set

In spite of the ISA Server 2006 focus on the Web proxy filter, you should keep in mind that the ISA firewall is a firewall, first, second and last. You can never "turn off" the ISA firewall's firewall component. Microsoft has enhanced the ISA firewall's firewall feature set by improving its IDS and IPS feature sets by providing:

  • Enhanced Flood resiliency
  • Improved protection again disk and memory based DoS attacks

Enhanced Flood Resiliency

ISA 2004 sometimes had problems when deployed in unmanaged or poorly managed networks where network worms and automated attacks were a major problem. These worms would flood the ISA firewall's interfaces and consume firewall resources to the extent of creating a denial of service condition.

In order to prevent worms and other automated attacks from flooding the ISA firewall and creating a denial of service condition, the new ISA firewall includes a number of options aimed to mitigate network flood attacks against the ISA firewall. These include:

  • Limit TCP connection requests per minute per IP address
  • Limit TCP concurrent connections per IP address
  • Limit TCP half-open connections per IP address
  • Limit non-TCP concurrent sessions per IP address
  • Limit non-TCP new sessions per minute, per rule
  • Limit TCP and non-TCP denied messages

Figure A shows the Flood Mitigation tab in the Flood Mitigation dialog box.

Figure A

The Flood Mitigation dialog box

Each of these options enable the ISA firewall to protect itself better against SYN attacks, HTTP flood attacks, UDP attacks, and non-TCP or UDP ICMP based attacks. In addition, you can customize the configuration of each of these protective measures by clicking the Configure button to the right of each flood mitigation option. Figure B shows an example of how to customize the event trigger for denied packets.

Figure B

Configuring Flood Mitigation Settings

The ISA Server 2006 firewall also provides other mechanisms that would otherwise take down an ISA Server 2004 firewall. These include:

  • Log throttling
  • Improved control over non-paged memory pool consumption
  • Improved control over pending DNS queries

The log throttling component prevents the ISA firewall from consuming excessive disk space when logging the denied packets related to a worm flood attack. This prevents a potential shutdown of the ISA firewall services, which would put the ISA firewall into lockdown mode. The improvements in how the ISA firewall handles non-paged memory pool prevents the ISA firewall from consuming all available non-paged pool memory due to excessive half-open connections that could result from a SYN attack (as well as others).

Improvements in how the ISA Server 2006 firewall handles pending DNS queries prevents flood attacks sourcing from Web proxy and Firewall clients from creating a denial of service condition on the ISA firewall. This enhanced DNS attack protection is required for these clients because the default configuration for Web proxy and Firewall clients is to allow the ISA firewall to perform DNS name resolution on behalf of these clients. Improved control over pending DNS queries prevents the ISA firewall from exhausting available resources due to an excessive number of pending DNS queries made by Web and Firewall clients.

Improvements to the Web proxy Feature Set

While the ISA Server 2006 firewall's flood mitigation feature is a nice step in the right direction, the most significant improvements you'll see in the ISA firewall are related to the ISA firewall's Web proxy filter. The ISA firewall implements a Web proxy server component as a firewall filter that communicates with the core firewall services. This prevents any possible attacks against the Web proxy components from compromising the core firewall services.

The Web proxy filter enables the ISA firewall to provide Web proxy services both to machines that are explicitly configured as Web proxy clients, and also to machines configured as SecureNAT and Firewall clients by leveraging hooks the ISA firewall's firewall service has with the Web proxy filter to provide transparent redirection of non-Web proxy client requests to the Web proxy filter.

Both inbound and outbound HTTP connections are managed by the ISA firewall's Web proxy filter. The major enhancements to the ISA Server 2006 Web proxy filter are seen in various Web Publishing scenarios. Web publishing is the term the ISA firewall uses for reverse proxy. The major improvements you'll see with the ISA firewall's Web publishing mechanisms include:

  • Enhanced SharePoint Portal Server support
  • Single sign-on
  • New authentication options for Web Publishing Rules
  • Web publishing load balancing for Web server farms
  • Link Translation

Enhanced SharePoint Portal Server Support

ISA 2004 firewall administrations often had problems with publishing SharePoint Portal Servers because of embedded links pointing to internal Web sites containing private names. Often it was possible to create multiple Web Publishing Rules to get around this problem, but this sometimes created significant administrator overhead and in some situations, there were no good solutions to the problem. Other problems that were frequently encountered were multiple logon prompts seen by users because of the limitations of basic and delegated basic authentication.

ISA Server 2006 firewalls now allow you to use NTLM delegated authentication by default. This potentially obviates the need to use SSL to SSL bridging to protect the basic authentication credential communicating between the ISA firewall's internal interface and the published SharePoint Portal Server's Web site.

In addition to improved authentication support, the default link translation dictionary makes it possible to have a seamless end-user experience when working with published OWA and SharePoint Portal Server sites. For example, a user connects to the OWA site and receives an e-mail message with a link pointing to a published SharePoint Portal Server sites. In ISA 2004, the user would have to reauthenticate and name resolution might also break. But with the new ISA Server 2006 built in support for NTLM authentication delegation and default link translation dictionary improvements, end-users never have to reauthenticate and don't experience broken links to published SharePoint Portal servers.

Figure C shows the first page of the New SharePoint Publishing Rule Wizard.

Figure C

The New SharePoint Publishing Rule Wizard

Single Sign-on

Both ISA Server 2000 and ISA 2004 firewall administrators complained about lack of support for single sign on (SSO). For these earlier versions of the ISA firewall, single sign on was supported only when connecting to the same Web server over the same Web listener. If the user tried to make a subsequent connection to a different server, even when using the same Web listener, the user would be required to reauthenticate. This led to many complaints from users and subsequently many complaints from ISA firewall administrators to Microsoft.

The ISA Server 2006 firewall solves the single sign on problem by providing single sign on for all Web sites published by a single Web listener. Figure D shows the Single Sign On Settings page of the New Web Listener Definition dialog box. Here you enter the single sign on domain and all connections to servers in that domain will not require reauthentication by the ISA firewall.

Figure D

Configuring single sign-on settings

New Authentication Options for Web Publishing Rules

One of the most significant changes introduced with the ISA Server 2006 firewall is to the authentication options available in Web publishing scenarios. These authentication options are directed at how the ISA firewall delegates authentication credentials to the published server.

Authentication delegation enables both the ISA firewall and the published server to authenticate a user before the connection to the published server is established. The ISA firewall first pre-authenticates and pre-authorizes the user. If the user successfully authenticates to the ISA firewall and if that user is authorized to connect to the published Web server, then the ISA firewall forwards that user's authentication credentials to the published Web server, where the Web server also authenticates the user. If both the ISA firewall and Web server OK the connection, then the connection attempt is allowed and the user accesses content on the Web site.

With ISA 2004, the only type of delegation available was delegation of basic credentials. This introduced a significant problem for those ISA firewall admins who were forced by management to use SSL to HTTP bridging. Since the connection from the ISA firewall to the published Web server wasn't protected by SSL, clear text credentials were passed between the ISA firewall and the published Web site. Since no network can be considered trusted, this represented a significant security problem.

ISA Server 2006 firewalls now support the following delegation methods:

  • No delegation
  • Pass-through authentication
  • Basic
  • NTLM/Kerberos
  • SecurID

Figure E shows the Authentication Delegation page of the New SharePoint Publishing Rule Wizard. Note that these delegation options are available for all Web Publishing scenarios, not just for SharePoint.

Figure E

Selecting Authentication Delegation Settings

Web Publishing Load Balancing for Web Server Farms

My favorite new feature included in the ISA Server 2006 firewall is the new capability to publish server farms using Web Publishing Load Balancing. Web Publishing Load Balancing allows you to publish a Web server farm without having to deploy NLB on the published servers. Web Publishing Load Balancing is useful when you have a collection of Web servers with mirrored content or roles and provides both load balancing and failover for the published servers.

For example, suppose you have several front-end Exchange Servers published by the ISA Server 2006 firewall. You can enable Web Publishing Load Balancing for these published servers and when one or more of the front-end Exchange Servers becomes unavailable, the ISA firewall will automatically detect this condition and redirect external OWA, OMA/ActiveSync or HTTP/RPC users to an online front-end Exchange Server. In addition, the Web Publishing Load Balancing feature will load balance the incoming connections to insure that no single front-end Exchange Server receives a disproportionate amount of connections. Users do not need to log on again in order to benefit from the transparent failover.

Web Publishing Load Balancing can use either IP address and session based affinity, and can work together with the ISA Server 2006 Enterprise Edition integrated NLB, although ISA Server 2006 Enterprise Edition NLB is not required.

Figure F shows a page from the New Server Farm Definition Wizard.

Figure F

Designating Servers in a Web Farm

There are a number of other improvements to the ISA Server 2006 firewall's Web proxy filter, such as enhanced support for the link translation feature, and many other functional changes that make the ISA firewall's Web proxy filter support more flexible and more secure. Because of limited space in this article, I've focused on those features that I believe are the most interesting and useful for the typical ISA firewall admin.

Improvements to the Site to site VPN Gateway Feature Set

Like both the ISA Server 2000 and ISA 2004 firewalls, the ISA Server 2006 firewall includes a powerful site to site VPN gateway feature. The site to site VPN gateway enables you to connect entire networks to one another and apply the ISA firewall's strong stateful packet and application layer inspection engines to all communications moving through the site to site VPN tunnel.

One major drawback of the ISA 2004 firewall was the complexity involved with setting up a branch office Enterprise Edition firewall. There were a great number of steps involved and it was very easy to miss a key configuration value, which could lead to many hours of troubleshooting. The ISA Server 2006 firewall addresses this issue by including a Branch Office VPN Connectivity Wizard.

Using the Branch Office Connectivity Wizard, you can create a simple answer file that configures the branch office ISA firewall with the required site to site VPN link, and then configures the branch office ISA firewall to connect to a Configuration Storage Server (the database for enterprise firewall management) at the main office. All you need to do is ship the ISA firewall to the branch office, send a disk or USB key containing the answer file to a power user (the person at the branch office does not need to have any understanding of ISA or networking) and that power user can automatically provision the branch office ISA firewall using the information in the answer file. The Wizard makes it ridiculously easy for anyone to set up the branch office firewall.

Figure G shows a page from the Branch Office Connectivity Wizard

Figure G

The Branch Office Connectivity Wizard

Looking promising--even in these early stages

The beta 1 version of the ISA Server 2006 firewall introduces significant enhancements to the ISA firewall's flood resiliency, Web Publishing and site to site VPN features. However, I consider this version of the ISA firewall an incremental improvement of the core ISA firewall's feature set, where the bulk of the enhancements have been made to the ISA firewall's Web proxy filter component, and comparatively few improvements have been made to the ISA firewall's core network firewall feature set.

Overall, I consider the new features in the ISA Server 2006 firewall to make it a worthwhile upgrade. Even if you don't need the improvements in the Web proxy filter, you will certainly benefit from the improved flood resiliency. And if you've shied away from using site to site VPN connections for ISA Server 2004 Enterprise Edition because of the enormous complexity of the setup, you'll definitely benefit from the new site to site VPN capabilities.