Microsoft ISA Server 2004 Overview
1. Introduction
With Microsoft’s Internet Security & Acceleration (ISA) Server 2004 software due for release some time in mid-2004, and the beta version already available for evaluation, this seems a good time to look at how it differs from the already very popular ISA Server 2000. The purpose of this document is to provide an overview of the new product and of how it differs from the previous version, so that the reader can make a well informed decision about whether to upgrade an existing ISA Server 2000 system, or whether a new ISA Server 2004 system is suitable for their environment.
2. What Is Microsoft ISA Server 2004?
Microsoft ISA Server 2004 is the next stage in a product line stretching back to Microsoft’s original Proxy Server, which provided basic web caching, SOCKS and NAT capabilities for TCP/IP-based networks using Microsoft operating systems (OSes). The product line progressed through Proxy Server 2.0 to Microsoft ISA Server 2000 for the Windows 2000 Server product, and now, with the widespread adoption of Windows Server 2003, Microsoft has produced ISA Server 2004 with new features and a redesigned user interface (UI) to match its current server OS. “Microsoft Internet Security and Acceleration (ISA) Server 2004 is the advanced application layer firewall, VPN and Web cache solution that enables customers to easily maximize existing IT investments by improving network security and performance.” - Microsoft, ISA Server 2004 Frequently Asked Questions. ISA Server 2004 offers a software-based alternative to other vendors’ hardware-based firewall and caching products, with direct hooks into the Windows security, logging and reporting mechanisms. The common UI shared with other Microsoft products, and the wizards and pre-defined templates included in the product, make it well suited to the Windows network administrator who has neither the time nor the training budget to master other security and bandwidth management tools such as Cisco PIX firewalls and Squid-based web caches.
3. What Advances/Improvements Are to Be Found In Microsoft ISA Server 2004?
Microsoft views ISA Server 2004 as a significant advance in the ISA Server product line, and the new and improved features certainly seem to bear this out:

- Multiple networks. ISA Server 2000 only supported a single internal and a single external network (without the use of third-party plug-ins), which prevented, for example, the implementation of multiple DMZs or load balancing across multiple external connections. ISA Server 2004 supports multiple networks of several types (internal, external, VPN and DMZ).
- Per-network policies. In line with the new multiple-network topology, ISA Server 2004 allows individual security policies to be created and assigned to each network.
- VPN. Support has been expanded from PPTP and L2TP/IPsec to also include IPsec tunnel mode, used for site-to-site VPN links.
- Routing and NAT. ISA Server 2000 provided NAT between the networks in the Local Address Table (LAT) and the external network. This has been enhanced to provide both routing and NAT to and from any network configured on the machine running ISA Server 2004.
- Stateful inspection. Packets passing through ISA Server 2004 on all configured networks are now subject to stateful inspection, as opposed to the static filters previously applied to NAT/LAT traffic and the complete lack of filtering on VPN traffic.
- Unified engine. The web cache and firewall components are now combined into one multilayered filtering engine, leading to improved performance.
- Management. The product is now administered through a redesigned, task-oriented management console rather than the basic MMC plug-in used previously.
- Authentication. RADIUS, SecurID and a range of third-party mechanisms can be used to authenticate users and apply policies to them when they access both internal and external network resources.
- SSL publishing. Improved SSL handling for remote users reaching web servers behind the firewall enables publishing of secure content to external networks.
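The difference between the static filters of ISA Server 2000 and the stateful inspection of ISA Server 2004 is the most security-relevant item in the list above, so it is worth making concrete. The following Python script is an illustration added to this overview; it is not code from ISA Server or Microsoft, and it deliberately reduces TCP to a three-flag handshake with no teardown or timeouts. The addresses and ports are constructed for the example. It shows why a static filter that lets internal clients browse the web must also admit unsolicited inbound packets from source port 80, whereas a connection-tracking filter admits only replies to connections it has seen opened from the inside.

```python
"""Static packet filtering versus stateful connection tracking (simplified).

Illustration written for this overview; not ISA Server code. TCP is reduced to
SYN / SYN-ACK / ACK with no FIN/RST handling and no state timeouts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "SYN", "SYN-ACK" or "ACK" (simplified)
    direction: str  # "out" = internal -> external, "in" = external -> internal


def static_filter(pkt: Packet) -> bool:
    """Stateless rules of the kind a LAT-style filter had to use.

    To let clients browse, it must allow inbound packets from TCP/80 to any
    ephemeral port, because it cannot know which of them are genuine replies.
    """
    if pkt.direction == "out" and pkt.dport == 80:
        return True
    if pkt.direction == "in" and pkt.sport == 80 and pkt.dport >= 1024:
        return True
    return False


class StatefulFilter:
    """Tracks outbound connections and admits only matching return traffic."""

    def __init__(self) -> None:
        # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED"
        self.table: dict[tuple, str] = {}

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Internal client opening a connection to a web server: record it.
        if pkt.direction == "out" and pkt.dport == 80 and pkt.flags == "SYN":
            self.table[key] = "SYN_SENT"
            return True

        # Inbound packet: only valid if it answers a tracked connection.
        if pkt.direction == "in" and reverse in self.table:
            state = self.table[reverse]
            if pkt.flags == "SYN-ACK" and state == "SYN_SENT":
                self.table[reverse] = "ESTABLISHED"
                return True
            if state == "ESTABLISHED":
                return True

        # Further outbound packets on an established connection.
        if pkt.direction == "out" and self.table.get(key) == "ESTABLISHED":
            return True

        # Anything else, including unsolicited inbound traffic, is dropped.
        return False


def run_demo() -> dict:
    """Run one legitimate web request and one unsolicited probe through both filters."""
    client, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed
    handshake = [
        Packet(client, 40000, server, 80, "SYN", "out"),
        Packet(server, 80, client, 40000, "SYN-ACK", "in"),
        Packet(client, 40000, server, 80, "ACK", "out"),
        Packet(server, 80, client, 40000, "ACK", "in"),   # response data
    ]
    # Attacker spoofs source port 80 to reach an internal service on a high port.
    probe = Packet(attacker, 80, client, 5900, "SYN", "in")

    stateful = StatefulFilter()
    return {
        "static_handshake": [static_filter(p) for p in handshake],
        "stateful_handshake": [stateful.allow(p) for p in handshake],
        "static_probe": static_filter(probe),      # True: the static rule cannot tell
        "stateful_probe": stateful.allow(probe),   # False: no tracked connection matches
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Both filters pass the genuine request, but only the stateful one rejects the probe: the static rule set has no way to distinguish a server's reply from an attacker who simply sets their source port to 80. This is the class of weakness that moving all configured networks, VPN traffic included, under stateful inspection is meant to close.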
4. Who Should Consider Microsoft ISA Server 2004?
Institutions already using ISA Server 2000 but finding its feature set restrictive would do well to look into the advanced features provided by the new product. Of particular use would be the improved stateful packet inspection, which may provide a better solution for the distance-learning packages currently struggling to operate through the ISA Server 2000 infrastructure in place at some further education (FE) sites. The web caching aspect of the product seems to have changed very little since the previous version (which was, however, a huge improvement on Proxy Server 2.0). Consequently, sites currently using ISA Server 2000 mainly as a web cache alongside other security and firewalling solutions may not gain much from an upgrade unless they are looking to consolidate services onto a single machine. As mentioned previously, ISA Server 2004 can provide a cost-effective alternative to hardware-based network security and bandwidth management solutions, and is well suited to the Microsoft-centric administrator who has neither the wish nor the budget to retrain for open source or other commercial alternatives; this makes it a good fit for the FE community.
5. Further Reading
Microsoft Official ISA Server 2004 Home: http://www.microsoft.com/isaserver/beta/default.asp
ISAserver.org, a very useful independent ISA Server resource site: http://www.isaserver.org/