Protecting Microsoft Networks with ISA Server 2004
Enhanced Exchange/VPN Support
By Thomas W. Shinder, M.D.
ISAserver.org
TACTEAM
ISA Server / Security
Traditional Firewall Security
Packet Filters worked great!
CEO: Is our network secure?
PIX Admin: Yes, I’ve configured packet filters to block all attacks – PIX IS SECURITY
What’s on Tap
Informal presentation
What’s new and improved in Exchange Server remote access connectivity and protection
What’s new and improved in the ISA Server 2004 VPN Server and Gateway
ISA Server 2004 Enhanced Exchange Server Protection
Forms-based authentication
Improved Exchange Publishing Wizard
Support for OMA/ActiveSync Publishing
RADIUS support for OWA Web Publishing scenarios
SSL to SSL Bridging
HTTP Security Filter protects SSL connections (SSL to SSL bridging)
ISA Server 2004 Forms-Based Authentication
Prevents caching of credentials
Controls session time-outs
Closes connection when user leaves site
Prevents attachment access or viewing
Delegates Basic authentication
Supports all versions of Exchange
ISA Server 2004 Enhanced Exchange Publishing Wizard
Publish OWA/OMA/ActiveSync
Intuitive connection bridging interface
Certificates actually appear in console!
Create Web listeners “on the fly”
Does the rule configuration “heavy lifting”
Still need to prepare the network infrastructure to make it all work
ISA Server 2004 Support for OMA/ActiveSync Publishing
Adds /OMA/*
Adds /Microsoft-Server-ActiveSync/*
Still need to configure the network infrastructure and split DNS
Also need to configure Exchange Server SSL and authentication settings
ISA Server 2004 RADIUS Support for OWA Publishing
Use RADIUS to authenticate remote OWA users
ISA Server 2004 does not need to be a member of the domain
Not supported for Forms-based authentication
Use IPSec between ISA Server 2004 box and RADIUS server (PAP used)
ISA Server 2004 SSL to SSL Bridging
Client terminates SSL at the ISA Server 2004 firewall
ISA Server 2004 firewall initiates second SSL link to Exchange Server
ISA Server 2004 firewall inspects connection while in transient unencrypted state
SSL to HTTP also supported (not recommended)
ISA Server 2004 HTTP Security Filter Protects OWA/OMA/ActiveSync Connections
SSL to SSL encryption breaks open the SSL tunnel
HTTP Security Filter examines HTTP data moving through the “tunnel”
Can control virtually any aspect of the connection and block based on a variety of characteristics
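An added example, not part of the original slides and not ISA Server's own code: a simplified Python model of the path check that a publishing rule and HTTP filter can apply to the decrypted request once SSL bridging has opened the tunnel, using the /OMA/* and /Microsoft-Server-ActiveSync/* paths from the slides. The function name, the normalization steps and the sample requests are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Published prefixes from the slides ("/OMA/*", "/Microsoft-Server-ActiveSync/*"),
# lower-cased because this model matches case-insensitively (an assumption).
PUBLISHED_PREFIXES = ("/oma/", "/microsoft-server-activesync/")


def check_request_path(raw_path):
    """Return (allowed, reason) for the request target of a decrypted request."""
    path = raw_path.split("?", 1)[0]          # the rule matches on the path only
    decoded = unquote(path)                   # one round of percent-decoding
    # If a second decode still changes the string, the path was encoded twice;
    # block it instead of guessing what the back-end server will finally see.
    if unquote(decoded) != decoded:
        return False, "double-encoded path"
    if "\\" in decoded or "\x00" in decoded:
        return False, "illegal character in path"
    # Resolve "." and ".." segments BEFORE comparing with the published paths,
    # so the comparison sees the same path the published server would resolve.
    normalized = posixpath.normpath(decoded)
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"                     # normpath strips the trailing slash
    lowered = normalized.lower()
    for prefix in PUBLISHED_PREFIXES:
        if lowered.startswith(prefix) or lowered + "/" == prefix:
            return True, "matches published path " + prefix + "*"
    return False, "path not published"        # default deny


# Constructed sample request targets (not taken from any real log).
SAMPLE_REQUESTS = [
    "/OMA/",
    "/Microsoft-Server-ActiveSync/?x=1",
    "/OMA/../other/",
    "/OMA/%2e%2e/other/",
    "/OMA/%252e%252e/other/",
    "/scripts/admin",
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        allowed, reason = check_request_path(target)
        print("ALLOW" if allowed else "BLOCK", target, "-", reason)
```

With SSL to HTTP or plain SSL tunneling the firewall never sees the decoded path at this point, which is why the check is only possible in the bridged configuration.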
ISA Server 2004 Enhanced VPN Server and Gateway
Support for IPSec Tunnel Mode for interoperability
User/Group based access control from VPN clients to any other location
Lock down VPN client access only to required resources
User/group based access control also possible for VPN site to site links
VPN SecureNAT client now supported!
ISA Server 2004 IPSec Tunnel Mode Support
We’ve been waiting for this for years
Supports IPSec tunnel mode with multiple third parties – Cisco/Checkpoint/Netscreen
Not as secure as L2TP/IPSec
Detailed configuration article available when product releases
ISA Server 2004 User/Group based Access Control for Remote Access VPN Clients
VPN log on credentials used for access control
Limit access to specific servers
Limit access to specific protocols
Limit access to specific content
Limit access to specific servers, using specific protocols to obtain specific content
Log all VPN remote access client connections – user information included
ISA Server 2004 User/Group based Access Control for Site to Site Links
Great for branch office scenarios
Limit branch office users to specific resources on the main office corpnet
Log on traffic, Exchange, File servers, and that’s it
Granular access control based on user group
ISA Server 2004 VPN SecureNAT Client Support
Full Internet access for VPN clients
ISA Server 2004 required Firewall client and/or Web Proxy client
Can still use Firewall and Web Proxy client
Enhance security and protocol support when VPN clients are configured as Firewall and Web Proxy clients
ISA Server 2004 Exchange and VPN Summary
ISA Server 2004 Rocks
FBA and RADIUS pump up the security volume on ISA Server 2004 remote access Exchange Server security
New VPN features make ISA Server 2004 VPN servers and gateways “best of breed” for protecting Microsoft networks
ISA Server 2004 For More Information
Buy my book!
ISA Server 2004 Configuration Guide
ISA Server 2004 Branch Office Kit
ISA Server 2004 Exchange Server Kit
ISA Server 2004 VPN Kit
ISA Server 2004 Quick Start Guide
www.isaserver.org
www.msfirewall.org/isa2004kits.htm