Business Benefits of ISA Server 2006



ISA Server 2006 is an integrated edge security gateway that helps protect your hosting environment from Internet-based threats while providing your users fast and secure remote access to applications and data. ISA Server 2006 is available in two versions: Standard Edition and Enterprise Edition. The Microsoft Solution for Hosted Messaging and Collaboration version 4.0 assumes the user will use the Enterprise Edition, as it provides greater fault-tolerance features.

ISA Server 2006 provides integrated security, efficient management, and fast, secure access for all types of networks. The benefits that are applicable to the Microsoft Solution for Hosted Messaging and Collaboration version 4.0 are listed in the following tables.

Microsoft Exchange Server 2007 includes several improvements to the suite of anti-spam and antivirus features that was introduced in Microsoft Exchange Server 2003. For a complete list of these improvements, please read New Anti-Spam and Antivirus Functionality.

Table: Secure Remote Access to Servers

Firewall-generated forms for forms-based authentication: ISA Server 2006 can generate the forms used by Outlook Web Access (OWA) sites for forms-based authentication. This enhances security for remote access to OWA sites by preventing unauthenticated users from contacting the OWA server.
Enforced Microsoft Exchange remote procedure call (RPC) connections from full Microsoft Outlook messaging and collaboration MAPI clients: The Exchange Server publishing rules in ISA Server 2006 give remote users a connection to Exchange Server using the fully functional Outlook MAPI client over the Internet. However, the Outlook client must be configured to use secure RPC so that the connection is encrypted. With the ISA Server 2006 RPC policy, you can block all non-encrypted Outlook MAPI client connections.
Outlook Web Access Publishing Wizard: Clientless remote access through SSL connections forms the core of SSL VPNs. The ISA Server 2006 Outlook Web Access Publishing Wizard walks you through creating a firewall rule and creates the Outlook Web Access SSL connection to your Exchange server. All network elements can be created in the wizard, and you never need to leave the wizard to create a policy element.
SharePoint Server Publishing Wizard: A new wizard publishes multiple Windows SharePoint Services sites simultaneously and provides for automatic link translation.
Integrated support for Exchange Server 2007: Support for the Exchange Server 2007 feature set is built in to ISA Server 2006.

Table: Management

Ease-of-use management features: ISA Server 2006 includes management features that make it easier to improve network security by avoiding misconfigurations. UI features include task panes, context-sensitive Help panes, and a Getting Started Wizard.
Easy-to-use wizards: New configuration wizards exist for publishing Windows SharePoint Services, Exchange, and general Web sites.
Export and import of configuration data: ISA Server 2006 provides the ability to export and import configuration information. You can use this feature to save configuration parameters to an XML file, and then import the information from the file to another server.
Delegated permissions wizard for firewall administrator roles: The Administration Delegation Wizard helps you assign administrative roles to users and groups. These predefined roles determine the level of administrative control users have over specified ISA Server 2006 services.
Centralized logging and reporting: ISA Server 2006 Enterprise Edition logs and reports traffic moving through all members of an array. There is never a need to collect log file information from each firewall and organize it to create unified report information.
Centralized storage of firewall policy (Configuration Storage server): ISA Server 2006 Enterprise Edition uses Active Directory Application Mode (ADAM) for firewall policy storage. ADAM storage enables you to place policy storage containers anywhere in the organization, allowing greater flexibility and availability through firewall policy redundancy and easier access.
Automatic array configuration: New servers can be dynamically added to your architecture and arrays with a simple wizard. ISA Server automatically reads the ADAM database for configuration and policy details.
ISA Server 2006 Microsoft Operations Manager (MOM) Management Pack: A newly designed MOM Management Pack for ISA Server 2006 enables enterprise-level event monitoring and consolidation of common firewall activities.

Table: Monitoring and Reporting

Real-time monitoring of log entries: With ISA Server 2006, you can view firewall, Web Proxy, and SMTP Message Screener logs in real time. The ISA Server Management snap-in displays the log entries as they are recorded in the firewall's log file.
Built-in log query facility: You can query the log files using the built-in log query facility. Logs can be queried for information contained in any field recorded in the logs. You can limit the scope of the query to a specific time frame. The results appear in the ISA Server Management snap-in and can be copied to the Clipboard and pasted into another application for more detailed analysis.
Real-time monitoring and filtering of firewall sessions: With ISA Server 2006, you can view all active connections to the firewall. From a session view, you can sort or disconnect individual sessions or groups of sessions. In addition, you can filter the entries in the sessions view to focus on the sessions of interest using the built-in session filtering facility.
Connection verifiers: You can verify connectivity by regularly monitoring connections to a specific computer or URL from the ISA Server 2006 computer using connection verifiers. You can configure which method to use to determine connectivity: Ping, TCP connect to a specific port, or HTTP GET. You can select which connection to monitor by specifying an IP address, computer name, or URL.
Customizing ISA Server 2006 reports: ISA Server 2006 includes an enhanced report customization feature for adding more information to the firewall reports.
Report publishing: You can configure ISA Server 2006 report jobs to automatically save a copy of a report to a local folder or network file share. The folder or file share the reports are saved in can be mapped to a Web site virtual directory so that other users can view the report. You can also manually publish reports that have not been configured to publish automatically after report creation.
E-mail notification after report creation: You can configure a report job to send you an e-mail message after the report job is completed.
Customized time for log summary creation: ISA Server 2006 is designed to create log summaries at 00:30 (12:30 A.M.). Reports are based on information contained in log summaries. You can easily customize the time when log summaries are created with ISA Server 2006. This gives you increased flexibility in determining the time of day reports are created.
Log to an MSDE database: In addition to text files and Microsoft SQL Server databases, logs can now be stored in an .mdb file. Logging to a local database enhances query speed and flexibility.
Enhanced SQL Server logging: You can log to a SQL Server database on another computer on the Internal network. ISA Server 2006 SQL Server logging has been optimized to provide much higher performance.

Table: Multi-Networking

Multiple network configuration: You can configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a specific internal network. ISA Server 2006 extends the firewall and security features to apply to traffic between any networks or network objects.
Unique per-network policies: The new multi-networking features of ISA Server 2006 enable you to better protect your network against internal and external security threats by limiting communication between clients. Multi-networking functionality supports sophisticated perimeter networks, also known as demilitarized zone (DMZ) or screened subnet scenarios, helping you to configure how clients in different networks access the perimeter network. Access policies between networks can then be based on the unique security zone represented by each network.
Route and Network Address Translation (NAT) network relationships: You can use ISA Server 2006 to define routing relationships between networks, depending on the type of access and communication required between the networks. In some cases, you may want more secure, less transparent communication between the networks. For these scenarios, you can define a NAT relationship. In other situations, you simply want to route traffic through ISA Server. In these cases, you can define a route relationship. Packets moving between routed networks are fully exposed to the ISA Server 2006 stateful filtering and inspection mechanisms.
Network Load Balancing (NLB): NLB provides real-time failover and load balancing of connections made through an ISA Server 2006 Enterprise Edition array. Real-time failover enables high availability for enterprise arrays, while load balancing evenly distributes connections across firewall array servers to prevent network slowdowns caused by overloaded firewalls.

Table: Advanced Firewall Protection

Multi-layer firewall: ISA Server 2006 provides three types of firewall functionality: packet filtering (also called circuit-layer), stateful filtering, and application layer filtering.
Application layer filtering: ISA Server provides deep content filtering through built-in application filters.
HTTP filtering on a per-rule basis: ISA Server 2006 HTTP policy allows the firewall to perform deep HTTP stateful inspection (application layer filtering). The extent of the inspection is configured on a per-rule basis. With this capability, you can configure custom constraints for HTTP inbound and outbound access.
Access blocked to all executable content: You can configure ISA Server 2006 HTTP policy to block all connection attempts to Microsoft Windows executable content, regardless of the file extension used on the resource.
HTTP file downloads controlled through file extension: The ISA Server 2006 HTTP policy enables you to define policy based on file extension, including "allow all except a specified group of extensions" or "block all extensions except for a specified group."
HTTP filtering is applied to all ISA Server 2006 client connections: With the ISA Server 2006 HTTP policy, you can control HTTP access for all ISA Server 2006 client connections.
Control HTTP access based on "HTTP Signatures": ISA Server 2006 deep HTTP inspection can help you create "HTTP Signatures" that can be compared to the Request URL, Request headers, Request body, and Response body. This gives you precise control over what content internal and external users can access through the ISA Server 2006 firewall.
Control of allowed HTTP methods: You can control what HTTP methods are allowed through the firewall by setting access controls on user access to various methods. For example, you can limit the HTTP POST method to prevent users from sending data to Web sites using the HTTP POST method.
Extensive protocol support: ISA Server 2006 gives you control over accessing and using any protocol, including IP-level protocols. Users can then use applications such as Ping and Tracert. In addition, IPSec traffic can be enabled through ISA Server.
Support for complex protocols requiring multiple primary connections: Many streaming media and voice or video applications require that the firewall manage complex protocols. ISA Server 2006 can manage these protocols and has an easy-to-use New Protocol Wizard you can use to create protocol definitions.
Customizable protocol definitions: With ISA Server 2006, you can control the source and destination port number for any protocol for which you create a firewall rule. This gives the ISA Server 2006 firewall administrator a high level of control over what packets are allowed inbound and outbound through the firewall.
Granular control over IP options: With ISA Server 2006, you can configure IP options on a granular basis and allow only the IP options you require while blocking all others.
Network objects: With ISA Server 2006, you can greatly expand your ability to define network objects by creating computers, networks, network sets, address ranges, subnets, computer sets, and domain name sets. These network objects are used to define source and destination settings for firewall rules.
Firewall Rule wizards: ISA Server 2006 includes a new set of rule wizards that make it easier to create access policy. An access rule is created through a rule wizard from which you can configure any required policy element. You do not need to leave the rule wizard to create a network object; any network object or relationship can be created within the new wizard.
Firewall rules represent an ordered list: ISA Server 2006 firewall rules are represented in an ordered list in which connection parameters are first compared to the top listed rule. ISA Server 2006 moves down the list of rules until it finds a rule matching the connection parameters and enforces the matching rule's policy. This approach to firewall policy makes it easier to determine why a specific connection is allowed or denied.
Flood Resiliency: A new Flood Resiliency feature protects ISA Server 2006 from being permanently unavailable, compromised, or unmanageable during a flooding attack.
Enhanced remediation during attack: Flood Resiliency provides enhanced remediation during attacks through log throttling, control of memory consumption, and control of pending DNS queries.
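The per-rule HTTP policy described in this table (method control, the two extension-list modes, blocking executable content by inspecting the content rather than the file name, and signatures matched against the request URL, headers and bodies) as an added Python example, not ISA Server code or its API: the HttpPolicy and Exchange classes, the extension-mode names and the X-Constructed-P2P header are constructions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class HttpPolicy:
    """Per-rule HTTP policy: a simplified model of the settings listed above."""
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    extensions: frozenset = frozenset()       # the listed extensions
    extension_mode: str = "allow_all_except"  # or "block_all_except" (constructed names)
    block_executables: bool = False           # decide on content, not on file name
    signatures: tuple = ()                    # (where, text); where: url/headers/request_body/response_body

@dataclass
class Exchange:  # one HTTP request and the response it drew (constructed test data)
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    request_body: bytes = b""
    response_body: bytes = b""

def extension_of(url):
    """File extension of the URL path, lower-cased, ignoring the query string."""
    name = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def http_verdict(policy, ex):
    """Return 'allow' or 'deny: <reason>' for one exchange under one rule's policy."""
    if ex.method not in policy.allowed_methods:
        return f"deny: method {ex.method}"
    ext = extension_of(ex.url)
    listed = ext in policy.extensions
    # "allow all except" blocks the listed extensions; "block all except" blocks
    # everything else, and a URL with no extension counts as unlisted here.
    if (policy.extension_mode == "allow_all_except" and listed) or \
       (policy.extension_mode == "block_all_except" and not listed):
        return f"deny: extension {ext!r}"
    # Windows executables start with the 'MZ' DOS header, so a renamed .exe
    # served as 'report.pdf' is still caught when the response body is inspected.
    if policy.block_executables and ex.response_body.startswith(b"MZ"):
        return "deny: executable content"
    views = {"url": ex.url,
             "headers": "\r\n".join(f"{k}: {v}" for k, v in ex.headers.items()),
             "request_body": ex.request_body.decode("latin-1"),
             "response_body": ex.response_body.decode("latin-1")}
    for where, text in policy.signatures:
        if text.lower() in views[where].lower():
            return f"deny: signature {text!r} in {where}"
    return "allow"

# Constructed policies: outbound browsing, and a published site that only serves pages.
OUTBOUND = HttpPolicy(extensions=frozenset({"exe", "scr"}), block_executables=True,
                      signatures=(("headers", "X-Constructed-P2P"),))
READ_ONLY_SITE = HttpPolicy(allowed_methods=frozenset({"GET", "HEAD"}),
                            extensions=frozenset({"htm", "html", "css", "gif"}),
                            extension_mode="block_all_except")
```

Under OUTBOUND a GET for setup.EXE is refused by extension, while a response body beginning with MZ behind report.pdf is refused as executable content; under READ_ONLY_SITE a POST is refused by method before any content check runs.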

Table: Authentication

Authentication: Users can be authenticated using built-in Windows, Lightweight Directory Access Protocol (LDAP), RADIUS, or RSA SecurID authentication. Front-end and back-end authentication configuration has been separated, providing more flexibility and granularity. Single sign-on is supported for authentication to Web sites. Rules can be applied to users or user groups in any namespace. Third-party vendors can use the software development kit (SDK) to extend these built-in authentication mechanisms.
RADIUS support for Web Proxy client authentication: With ISA Server 2006, you can authenticate users in Active Directory directory service and other authentication databases by using RADIUS to query Active Directory. Web publishing rules can also use RADIUS to authenticate remote access connections.
Delegation of Basic authentication: Published Web sites are protected from unauthenticated access by requiring the ISA Server 2006 firewall to authenticate the user before the connection is forwarded to the published Web site. This keeps exploit attempts by unauthenticated users from reaching the published Web server.
SecurID authentication for Web Proxy clients: ISA Server 2006 can authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must know something and have something to gain access to the published Web server.
Single sign-on: Single sign-on allows users to access a group of published Web sites without being required to authenticate with each Web site.
Forms-based authentication: Forms-based authentication is now available for all published Web sites, and not just for Outlook Web Access.
Session management: ISA Server 2006 includes improved control of cookie-based sessions to provide better security.
Support for LDAP authentication: LDAP authentication allows ISA Server to authenticate users against Active Directory without being a member of the domain.

Table: Server Publishing

Secure Web publishing: With ISA Server, you can place servers behind the firewall, either on the corporate network or on a perimeter network, and publish their services. With the improved secure Web Publishing Wizard, you can create a rule that gives users SSL remote access to published Web servers.
Path mapping for Web publishing rules: ISA Server 2006 significantly improves the flexibility of Web publishing because you can redirect the path sent to the firewall by the user to any path of your choice on the published Web server.
Preservation of source IP address in Web publishing rules: ISA Server 2006 gives you a choice on a per-rule basis whether the firewall should replace the original IP address with its own or forward the original IP address of the remote client to the Web server.
Link translation: Some published Web sites may include references to internal names of computers. Because only the ISA Server 2006 firewall and the external namespace, and not the internal network namespace, are available to external clients, these references appear as broken links. ISA Server 2006 includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names. ISA Server 2006 applies link translation automatically during Web publishing.
Cross-Array Link Translation: This feature allows links in Web content containing an internal server name to be translated to the public name even if the Web content is published in a different array.
SSL bridging support: To guard against attacks embedded in HTTP traffic, SSL bridging allows SSL-protected packets to be decrypted by ISA Server 2006, inspected, and re-encrypted.
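Link translation as this table describes it (a dictionary of internal computer names mapped to public names, applied to the content of published pages, with a name published by another array joining the same dictionary for the cross-array case) as an added Python example, not ISA Server's own implementation; the host names and the sample HTML are constructed.

```python
import re

# Constructed dictionary: internal computer names -> publicly known names. With
# cross-array link translation, names published by another array simply join the
# same dictionary (the last entry stands for such a server).
LINK_DICTIONARY = {
    "exch01": "mail.example.com",
    "exch01.corp.example.local": "mail.example.com",
    "sp01": "portal.example.com",
    "crm02.corp.example.local": "crm.example.com",
}

def build_translator(dictionary):
    """Compile one pattern that matches any internal name where it appears as the
    host part of a URL, and return a function that rewrites such text."""
    # Longest names first so the fully qualified form is preferred over the short one.
    names = sorted(dictionary, key=len, reverse=True)
    alternation = "|".join(re.escape(n) for n in names)
    # A host follows '//' and is ended by a path, port, query, quote, whitespace or
    # tag close; the lookahead keeps 'exch01' from matching inside 'exch012'.
    pattern = re.compile(r"(?<=//)(%s)(?=[/:?#'\"\s>]|$)" % alternation, re.IGNORECASE)
    lookup = {name.lower(): public for name, public in dictionary.items()}
    return lambda text: pattern.sub(lambda m: lookup[m.group(1).lower()], text)

def translate_links(html, dictionary=LINK_DICTIONARY):
    """Rewrite internal host names in published Web content to their public names.
    Ports and paths after the host are preserved unchanged."""
    return build_translator(dictionary)(html)

# Constructed sample of what a published SharePoint page might return to ISA Server.
SAMPLE_HTML = (
    '<a href="http://sp01/sites/hr/default.aspx">HR</a>\n'
    '<a href="http://EXCH01.corp.example.local/owa">Mail</a>\n'
    '<img src="http://exch012/logo.png">\n'
    '<a href="http://crm02.corp.example.local:8080/">CRM</a>'
)
```

Only exact host names in URL position are rewritten: the unrelated server exch012 in the sample is left untouched, while the internal names are replaced regardless of letter case.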

Table: Performance

Cache rules: With the centralized cache rule mechanism of ISA Server, you can configure how objects stored in the cache are retrieved and served from the cache.
Web Publishing Load Balancing: ISA Server 2006 will automatically balance the request stream coming from a remote user to an array of published servers.
HTTP compression: HTTP compression reduces file size by using algorithms to eliminate redundant data during transmission of HTTP packets.
Diffserv (Quality of Service): ISA Server 2006 includes a new packet prioritization functionality (provided by the Diffserv Web filter), which scans the URL or domain and assigns a packet priority using Diffserv bits.