When Microsoft introduced its Internet Security and
Acceleration (ISA) Server in 2000, it was hailed as much more than just an
upgrade to Proxy Server. At last,
Microsoft had a true firewall product on the market that provided
application filtering, circuit-level filtering, and
traditional packet filtering.

The goal was to compete with established firewall products
such as Check Point and Cisco’s PIX, and ISA Server has steadily increased its
market share since its release.

This year, Microsoft released a new and improved edition of
its firewall. Does ISA Server 2004 offer as many dramatic improvements over its
predecessor as ISA Server 2000 did when compared to Proxy Server? In this
article, we’ll examine what’s new and different in ISA Server 2004, and why
users of both Proxy Server 2.0 and ISA Server 2000 should consider upgrading.
We’ll also discuss a few ISA 2000 features that didn’t make it into the new

New features

ISA Server 2004 is still a multilayered filtering firewall, a
secure VPN gateway, and a Web caching server, as ISA 2000 was, but Microsoft has
introduced a host of new features and new functionality. Let’s
look at some of the most prominent: the interface, multiple
network support, firewall enhancements, and VPN features.

New intuitive interface

The “advanced” graphical interface for ISA 2000, used by
most ISA administrators, is a simple two-paned Microsoft Management Console
(MMC), as shown in Figure A.

Figure A

ISA 2000’s simple MMC interface

Alternatively, you can select the Taskpad
view, shown in Figure B. This view attempts
to provide a more intuitive look, but many ISA administrators find it confusing.

Figure B

ISA 2000’s Taskpad view

ISA 2004 does away with the dual-view interface and adds a
Tasks pane on the right side of the console, as shown in Figure C. The tree structure in the left pane is similar to that in
the ISA 2000 interface, but the middle pane is richer, giving you tabbed pages
that make it much easier to gather information and perform common tasks.

Figure C

The new ISA 2004 three-paned interface

The new interface combines the advantages of ISA 2000’s
graphical Taskpad view with the easy navigability of
its Advanced view.

We’re especially pleased with the improvements to the
Monitoring node interface. In ISA 2000 (even in Taskpad
view), this interface consisted of three folders representing alerts, logs, and
report jobs. The new Monitoring node provides tabbed pages for each of six
functions: alerts, sessions, services, reports, connectivity, and logging. A
seventh tab displays the Dashboard, shown
in Figure D, which summarizes
information from the six functions detailed in the other tabs. This gives administrators
a quick overview of what’s going on.

Figure D

ISA Server now includes a Dashboard.

One of the best things about the new interface is that you
seldom need to leave the ISA Server 2004 console to perform the configuration
tasks that ISA Server depends on.

Multiple network support

Perhaps the biggest difference between ISA Server
2004 and ISA Server 2000 is ISA 2004’s support for
multiple networks. Business networks today are not simple, and multinetworking lets you define relationships between
interconnected networks. There are built-in definitions for
default networks such as:

  • The
    Internal network, which includes the IP addresses on the ISA Server’s
    primary protected network
  • The
    External network, which includes all of the IP addresses that don’t belong
    to any other network
  • The
    VPN clients’ network, which includes the IP addresses that are assigned to
    VPN clients using the ISA Server VPN gateway
  • The
    Local host network, which includes the IP addresses on the ISA Server’s
    network interfaces

ISA 2000 decided how to treat traffic based on the local
address table (LAT), which listed only the addresses on the internal network;
every other address was external, and policy applied only to traffic crossing
that single boundary. With ISA 2004, you can apply firewall policy to traffic
between any two networks. You can set policies on a per-network basis, and a
network rule defines whether the relationship between two networks is NATed or routed.

Multinetworking is easy to configure
because Microsoft has included templates for configuring the firewall policies
between networks. There are templates for many different situations, including using
ISA as an edge firewall or a front-end firewall, creating a perimeter network
with two ISA servers, putting ISA between the perimeter network and the
internal network, and deploying ISA as only a Web Proxy caching server (single
NIC configuration). You can select a network in the middle details pane and
then select a template from the right pane, as shown in Figure E.

Figure E

Apply network templates to configure firewall policies between networks.

New firewall features

In keeping with its overall focus on security, Microsoft is
emphasizing the “S” in ISA Server 2004 even more than in 2000, and is
including several new firewall features. There are a number of new Application
Layer Filtering (ALF) features, such as the following:

  • You
    can configure deep HTTP stateful inspection on a per-rule basis to create
    custom constraints for inbound and outbound HTTP.
  • You
    can block executables through the HTTP policy by content, based on the
    “MZ” signature at the start of every Windows executable, rather than by
    trusting the file name; you can also block or allow file types by
    extension, and you can apply the policy to specific users or groups.
  • You
    can control HTTP access for all ISA Server 2004 client types (firewall
    client, SecureNAT client, or Web Proxy client), whereas ISA 2000 blocked
    Web content only by MIME type (Web) or file extension (FTP) for Web Proxy
    clients. You can also control the use of specific HTTP methods (verbs).
  • You
    can use keywords or strings (called signatures)
    to block HTTP content, which allows you to use ISA Server 2004 for
    firewall-level control over applications and services that tunnel themselves through an HTTP channel.
  • You
    can use FTP policy to restrict FTP downloads while allowing uploads (or
    you can allow both or block FTP altogether).


Link translation is
an ISA Server 2004 application layer feature that was not originally included with
ISA Server 2000 but was added with Feature Pack 1. It lets you map internal
computer names and paths to public names and paths, which helps avoid broken
links when you publish a SharePoint Web site or redirect connections to
different servers on the corporate network based on the path in a Web request.
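To make the application-layer checks in the bullets above and the link translation paragraph concrete, here is an added Python example. It is illustrative code written for this article, not ISA Server’s HTTP filter or link translator; the allowed methods, blocked extensions, signature strings, and the `sharepoint01` to `portal.example.com` name mapping are constructed assumptions.

```python
# Added example: a Python sketch of HTTP application-layer filtering
# (verb control, extension blocking, MZ-header detection, signature
# matching) and link translation. Illustrative code, not ISA Server's
# HTTP filter; every policy value below is constructed.
from urllib.parse import urlparse

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat"}
# "Signatures": strings that identify applications tunnelling over HTTP.
# Each entry is (where to look, case-insensitive substring); constructed.
SIGNATURES = [("user-agent", "kazaa"), ("body", "gnutella connect")]
MZ_MAGIC = b"MZ"            # first two bytes of every Windows PE executable
# Link translation map, internal name -> public name (constructed).
LINK_MAP = {"http://sharepoint01/": "https://portal.example.com/"}


def _extension(url):
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_request(method, url, headers, body=b""):
    """Return (allowed, reason) for an outbound HTTP request."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    ext = _extension(url)
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension {ext} blocked"
    head = body[:1024].decode("latin-1").lower()   # only the first 1 KB
    for where, sig in SIGNATURES:
        haystack = head if where == "body" else h.get(where, "").lower()
        if sig in haystack:
            return False, f"signature {sig!r} found in {where}"
    return True, "ok"


def inspect_response(content_type, body):
    """Block Windows executables by content rather than by name or MIME
    type: renaming setup.exe to setup.txt does not change its MZ header."""
    if body[:2] == MZ_MAGIC:
        return False, f"MZ header in body declared as {content_type}"
    return True, "ok"


def translate_links(headers, body):
    """Rewrite internal names to public names in the Location header and
    in HTML bodies. Non-text bodies are left alone (rewriting bytes inside
    an image or executable would corrupt it) and Content-Length is
    recomputed, because the rewritten body may change length."""
    out = {k.lower(): v for k, v in headers.items()}
    for internal, public in LINK_MAP.items():
        if "location" in out:
            out["location"] = out["location"].replace(internal, public)
    if out.get("content-type", "").startswith("text/html"):
        text = body.decode("utf-8", "replace")
        for internal, public in LINK_MAP.items():
            text = text.replace(internal, public)
        body = text.encode("utf-8")
        out["content-length"] = str(len(body))
    return out, body


if __name__ == "__main__":
    print(inspect_request("GET", "http://example.com/setup.exe", {}))
    print(inspect_response("text/plain", b"MZ\x90\x00" + b"\x00" * 60))
    print(translate_links({"Content-Type": "text/html",
                           "Location": "http://sharepoint01/sites/hr"},
                          b"<a href='http://sharepoint01/doc.aspx'>HR</a>"))
```

The two checks in `inspect_response` and `_extension` show why the MZ test matters: an extension filter is defeated by renaming the file, while the MZ test looks at the bytes actually delivered. `translate_links` shows the two caveats of any link translation feature: rewrite only text bodies and the Location header, and fix up Content-Length afterwards.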

Firewall user groups

Another new firewall feature in ISA Server 2004 is the
ability to create firewall user groups. ISA 2000 uses Active Directory users
and groups or, on the ISA Server computer, local users and groups. The new
firewall groups are important because they can be created by a firewall
administrator who does not have to be
a domain administrator.

ISA Server 2004 more easily handles complex protocols, such
as those used by streaming media and voice/video applications. ISA 2000
required that you write scripts to create protocol definitions for protocols
that needed more than one primary outbound connection. With ISA 2004, these
definitions are created via the New Protocol Wizard. You can also control the
source and destination port numbers for any protocols for which you have made a
firewall rule.

With ISA 2000, it was often difficult for administrators to
determine the order in which rules would be processed. ISA 2004 has simplified
this greatly, using a unified ordered list that processes rules from top to
bottom, regardless of client type and whether the rule is to allow or deny.
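The following added Python example ties together the multinetworking model described earlier (named networks, an External network that is “everything else”, and NAT versus route relationships) with the single ordered rule list described in the paragraph above. It is illustrative code written for this article, not ISA Server’s policy engine; the address ranges, rule names, protocol labels, the `Contractors` group and the `203.0.113.1` external address are constructed assumptions.

```python
# Added example: network classification, network rules (NAT vs. route)
# and a single ordered, first-match rule list. Illustrative code, not
# ISA Server's policy engine; all addresses and rule names are constructed.
import ipaddress
from collections import namedtuple

# Network definitions. Local Host (the firewall's own interface addresses)
# is checked first because those addresses also fall inside Internal;
# any address that belongs to no defined network is External.
NETWORKS = [
    ("Local Host",  [ipaddress.ip_network("10.0.0.1/32"),
                     ipaddress.ip_network("203.0.113.1/32")]),
    ("VPN Clients", [ipaddress.ip_network("10.255.0.0/24")]),
    ("Internal",    [ipaddress.ip_network("10.0.0.0/16")]),
]

# Network rules: (source networks, destination networks, relationship).
NETWORK_RULES = [
    ({"Internal", "VPN Clients"}, {"External"}, "nat"),
    ({"VPN Clients"}, {"Internal"}, "route"),
    ({"Internal"}, {"VPN Clients"}, "route"),
]
EXTERNAL_ADDRESS = "203.0.113.1"    # source address used for NATed traffic

Rule = namedtuple("Rule", "name action protocols src dst users")
ANY = {"*"}
# One ordered list: evaluated top to bottom, first match wins, and it
# makes no difference whether the matching rule allows or denies.
RULES = [
    Rule("Block P2P",       "deny",  {"tcp/6881"},          {"Internal", "VPN Clients"}, {"External"}, ANY),
    Rule("Allow Internet",  "allow", ANY,                   {"Internal", "VPN Clients"}, {"External"}, ANY),
    Rule("VPN to intranet", "allow", {"tcp/80", "tcp/443"}, {"VPN Clients"},             {"Internal"}, {"Contractors"}),
    Rule("Default rule",    "deny",  ANY, ANY, ANY, ANY),
]


def classify(address):
    """Name the network an IP address belongs to."""
    ip = ipaddress.ip_address(address)
    for name, nets in NETWORKS:
        if any(ip in net for net in nets):
            return name
    return "External"


def relationship(src_net, dst_net):
    """Return 'nat', 'route', or None when no network rule connects them."""
    for sources, dests, kind in NETWORK_RULES:
        if src_net in sources and dst_net in dests:
            return kind
    return None


def _matches(selector, value):
    return "*" in selector or value in selector


def evaluate(rules, protocol, src_ip, dst_ip, groups=()):
    """Return (action, rule name, source address as the destination sees it)."""
    src_net, dst_net = classify(src_ip), classify(dst_ip)
    kind = relationship(src_net, dst_net)
    if kind is None:
        return "deny", "no network rule", None    # traffic cannot pass at all
    seen_as = EXTERNAL_ADDRESS if kind == "nat" else src_ip
    for r in rules:
        if (_matches(r.protocols, protocol) and _matches(r.src, src_net)
                and _matches(r.dst, dst_net)
                and ("*" in r.users or r.users & set(groups))):
            return r.action, r.name, seen_as
    return "deny", "implicit deny", seen_as


if __name__ == "__main__":
    print(evaluate(RULES, "tcp/6881", "10.0.5.5", "198.51.100.20"))
    # Same rules with the deny moved below the broad allow: the P2P
    # connection now passes, because the first match wins.
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    print(evaluate(swapped, "tcp/6881", "10.0.5.5", "198.51.100.20"))
```

The `swapped` list in the usage block is the point of the ordering paragraph: a deny rule placed below a broader allow never fires, so specific denies must sit above the general allows they are meant to carve out of. Note also that an External to Internal connection fails before any access rule is consulted, because no network rule connects those networks; inbound access would instead come through a publishing rule.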

New VPN features

VPN functionality has been enhanced by several new features,
including the following:

  • Because
    the VPN clients are now placed in a separate network zone, you can apply
    access policies specifically to VPN clients.
  • ISA
    2004 does stateful filtering and inspection for the traffic going between
    two sites in a site-to-site (gateway-to-gateway) VPN. ISA 2000 did not
    apply firewall policy to site-to-site links because they were considered
    to be “trusted” networks.
  • VPN
    clients that are configured as SecureNAT clients can access the Internet
    through the VPN connection. With ISA 2000, only firewall and Web Proxy
    clients could do so, which means you had to install the firewall client
    software and/or configure the Web browser on machines that needed Internet
    access through the VPN.
  • You
    can publish PPTP VPN servers. ISA 2000 allowed you to publish
    only L2TP/IPSec VPN servers.
  • ISA
    Server 2004 supports IPSec tunnel mode for site-to-site VPNs. ISA 2000
    supported only PPTP and L2TP/IPSec for site-to-site links. IPSec tunnel
    mode allows the ISA firewall to participate in a site-to-site VPN link
    with third-party VPN gateways.

One of the most exciting new features in ISA Server 2004 is
VPN Quarantine Control. This feature builds on Windows Server 2003’s Network
Access Quarantine Control feature. It allows you to control the configurations
of VPN clients and ensure that they meet your specified security criteria. For
example, you can require that the latest service packs and security updates be
installed on the VPN client machine, that antivirus software be installed and
running, or that a personal firewall be enabled.

If a VPN client doesn’t meet the criteria, it is placed on a
quarantined network where it can access limited resources. For example, the
quarantined clients might be able to access a server from which they can
download the required software.

This feature is similar to the managed VPN client or secure
VPN client features of some other firewall vendors. Usually, you must use their
proprietary VPN client software to have this control over your VPN clients, but
ISA 2004 can do it for clients using the built-in Windows VPN client software.

Before you get too excited about VPN Quarantine Control, be
forewarned that configuring it is not a point-and-click operation. You’ll need
to install additional components on the ISA Server (available in the Resource
Kit) and create a quarantine script, which is then installed on the client
computers using Connection Manager.

Enhanced SSL support

You can use the Secure Web Publishing Wizard to publish SSL
Web sites on the internal network. SSL bridging makes it possible for
the ISA server to decrypt the client’s SSL traffic so it can be inspected and HTTP policy
applied, then re-encrypt it and send it on to its destination. This
thwarts attackers who hide malicious content inside an SSL session precisely so
that the firewall cannot inspect it. Because ISA terminates the client’s SSL
session, it must hold a certificate (and private key) for the published name,
and it must trust the certificate presented by the internal Web server.

Improved features

Many of ISA Server 2000’s features have been improved in ISA
Server 2004. We’ll look at some enhancements to authentication, monitoring and
logging, and Exchange integration.

Better authentication

ISA Server 2004 can authenticate users against Windows
accounts, through Remote Authentication Dial-In User Service (RADIUS), and
against other namespaces, and it lets you apply rules to users or groups in any
of them. An ISA 2000 computer had to belong to the Active Directory domain in
order to authenticate Web proxy clients. Now, with RADIUS, the ISA 2004 machine
is not required to be a domain member, because the RADIUS server queries
Active Directory on its behalf.

A problem occurred in ISA 2000 when Firewall clients
connected to Web sites where the ISA Server 2000 firewall required
authentication for access. If user credentials were required by a Protocol Rule, the request would
fail because the credentials were removed when the request was forwarded to the
Web proxy service. With ISA 2004, separate authentication with the Web proxy
service is not required because firewall clients can use the HTTP filter to
access the cache.

Another welcome improvement in ISA 2004 is built-in support
for SecurID token authentication. On another front, you can keep unauthenticated users
away from your published Web servers, because the ISA 2004 firewall can authenticate
users before their requests are forwarded to a published site, so an attacker
without credentials never gets a request to the Web server itself. Finally, ISA
2004 improves the security of Outlook Web Access (OWA) sites by generating its own logon
forms for forms-based authentication, so credentials are collected at the firewall.

Improved monitoring and logging

Monitoring, logging, and reporting are the weak points for
many firewall products; that’s the reason third-party
add-ons in this area are so popular. Microsoft has improved this functionality
in ISA Server 2004 in several ways:

  • The
    new interface allows you to see real-time monitoring of entries into the Firewall,
    Web Proxy, and SMTP Message Screener logs. The console displays each entry
    as it is entered.
  • You
    can use the built-in query tool to query for the information in any field
    in the logs, and you can narrow down the scope of the query by setting
    time ranges.
  • You
    can monitor the connections from the ISA Server to a particular computer
    (by name or IP address) or to a particular URL by creating connectivity
    verifiers. You can also select from three ways of checking connectivity:
    PING, TCP connection to a port, or HTTP GET.
  • You
    can automatically save copies of a report job to a specified local folder
    or network share, and you can map the folder or file to a Web site virtual
    directory to allow others to easily view the reports. You can also get
    e-mail notification when a report job is completed.
  • You
    can log to a Microsoft Data Engine (MSDE) database on the server. This
    speeds up queries and allows you to create complex and sophisticated
    queries against the ISA firewall’s Web Proxy and Firewall service logs.
  • Finally,
    you can set the time when log summaries are to be created. (In ISA 2000,
    the time was hard-coded at 12:30 a.m.)
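The query tool and log summaries described in the list above can be illustrated with a small parser and query function. The following added Python example is written for this article, not taken from ISA Server; the field names, the W3C-style directives and the four log lines are constructed for illustration and are not copied from an actual ISA log.

```python
# Added example: parse W3C-style firewall log lines and query them by
# field value and time range. Illustrative code, not ISA Server's log
# viewer; the field names and log lines below are constructed.
from collections import Counter
from datetime import datetime

SAMPLE_LOG = "\n".join([
    "#Software: constructed sample, not an actual ISA Server log",
    "#Version: 1.0",
    "#Fields: date time client-ip client-username dest-ip dest-port protocol action rule",
    "2004-09-01\t08:00:01\t10.0.5.5\tCORP\\alice\t93.184.216.34\t80\tHTTP\tAllowed\tAllow Internet",
    "2004-09-01\t08:00:07\t10.0.5.9\tanonymous\t198.51.100.20\t6881\tTCP\tDenied\tBlock P2P",
    "2004-09-01\t09:15:30\t10.255.0.7\tCORP\\bob\t10.0.5.5\t80\tHTTP\tDenied\tDefault rule",
    "2004-09-01\t23:59:59\t10.0.5.9\tanonymous\t198.51.100.20\t6881\tTCP\tDenied\tBlock P2P",
])


def parse_w3c(text):
    """Parse W3C extended-log text into dicts keyed by the #Fields names,
    adding a 'timestamp' datetime built from the date and time fields.
    Data values are tab-separated, so rule names may contain spaces."""
    fields, entries = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue                    # other directives: Software, Version, Date
        if fields is None:
            raise ValueError(f"line {lineno}: data before a #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        entry = dict(zip(fields, values))
        entry["timestamp"] = datetime.strptime(
            entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries


def _to_dt(value):
    """Accept a datetime or a 'YYYY-MM-DD HH:MM:SS' string."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def query(entries, match=None, start=None, end=None):
    """Return entries whose fields equal every value in `match`
    (case-insensitive) and whose timestamp lies within [start, end]."""
    match, start, end = match or {}, _to_dt(start), _to_dt(end)
    hits = []
    for e in entries:
        if start is not None and e["timestamp"] < start:
            continue
        if end is not None and e["timestamp"] > end:
            continue
        if all(e.get(k, "").lower() == v.lower() for k, v in match.items()):
            hits.append(e)
    return hits


def denied_by_client(entries):
    """A log-summary style rollup: denied connections per client address."""
    return Counter(e["client-ip"] for e in entries if e["action"] == "Denied")


if __name__ == "__main__":
    entries = parse_w3c(SAMPLE_LOG)
    for e in query(entries, {"action": "Denied"},
                   start="2004-09-01 08:00:00", end="2004-09-01 12:00:00"):
        print(e["timestamp"], e["client-ip"], e["rule"])
    print(denied_by_client(entries))
```

The parser refuses data lines that appear before a `#Fields:` directive or that carry the wrong number of values, rather than silently misaligning columns; a misaligned log is worse than a parse error when you are building detections on it.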

Improved Exchange integration

ISA Server 2004’s Secure Exchange Server Publishing Rules
make it possible for remote users to access the Exchange server across the
Internet with the full Outlook MAPI client, rather than being limited to OWA.
You use RPC policy to block non-encrypted Outlook MAPI connections for greater
security (the Outlook client must be configured to use secure RPC, which
encrypts the connection). This ensures that both user credentials and data are
transmitted in encrypted form.

Microsoft has also made it easier to configure OWA, Outlook
Mobile Access (OMA), and ActiveSync to work with ISA Server 2004. Wizards walk
you through the process. Unlike with ISA 2000, you can create needed network
elements within the wizard.

Missing in action

If you’re an experienced ISA Server 2000 administrator, you’re
likely to notice a few features that were dropped in ISA Server 2004. These

  • The
    H.323 gatekeeper for handling and routing Voice over IP (VoIP) calls
  • Bandwidth
    control to give some connections priority over others
  • Live
    media stream splitting for media streams using Windows Media Technology
  • Active
    caching to automatically update cache objects

Experienced ISA administrators will also recognize most of
these as the features that were seldom used or that didn’t work very well.

Better than the original

ISA Server 2004 builds on the feature set of its
predecessor, ISA Server 2000, but there are so many changes, and the interface
is so different, that there’s a persuasive argument that it’s more than a mere

In reading this article, you may have noted that almost all
the new features and improvements pertain to the firewall and VPN
functionality. While ISA Server is a fully functional Web caching/proxy server,
it’s obvious that the emphasis in both technical and marketing areas is on

Microsoft has a history of taking about three tries to “get
it right.” (Windows took off with version 3; IE began to gain real popularity
around the third version, etc.) If you think of Proxy Server as the first
incarnation of Microsoft’s venture into security, and ISA Server 2000 as the
second, it’s logical to think that ISA Server 2004 just might be the product
that makes the firewall community sit up, take notice, and admit that Microsoft
is a serious contender.