ISA Server Update Gates Exchange
Jan. 20, 2003

A free feature pack is available to organizations running Microsoft’s Internet Security and Acceleration (ISA) Server 2000. This pack adds a bundle of new features to Microsoft’s firewall and content caching product, with the most significant ones aimed primarily at providing new ways of securing access to Exchange Servers from the Internet.

(For details on ISA Server, see "ISA Server Steps onto Internet" on page 11 of the Apr. 2001 Update and "Comet Becomes Internet Security and Acceleration Server 2000" on page 9 of the July 2000 Update.)

Internet Access to Exchange

Available now, ISA Feature Pack 1 makes it possible for ordinary Outlook clients to securely connect to Exchange servers located behind ISA Server firewalls. Prior to this Feature Pack, home-based and traveling users had to do one of the following:

  • Use Outlook Web Access (OWA), Exchange’s Web-based client, but suffer OWA’s reduced performance and functionality
  • Connect from Outlook or Outlook Express using a simple mailreader protocol, such as POP3, but lose all other Exchange functions, such as group calendaring or shared contacts
  • Establish a virtual private network (VPN) connection before connecting Outlook to the server

Although this last method works very well once properly configured, VPNs are complex to support. In addition, some organizations do not wish to give all users complete VPN access because this exposes all network resources, not just Exchange Servers, and can also create a potential security hole where a compromised VPN client computer unknowingly becomes a proxy for an Internet-based attacker.

The Feature Pack makes it possible to configure ISA Server 2000 to permit inbound Messaging API remote procedure call (MAPI RPC) connections from Outlook clients on the Internet to Exchange servers behind ISA Server. ISA Server also enforces the requirement for RPCs to be encrypted, making the communications secure from eavesdropping. The new feature also supports outbound MAPI-RPC connections to Exchange servers hosted by application service providers on the Internet. Prior to this feature it was not possible to open RPCs through ISA Server without opening up large security holes.

However, once organizations move to Exchange Server 2003 and Outlook 11 when available later this year, this feature won’t be needed; the new products tackle the problem by tunneling the MAPI-RPCs inside HTTP, eliminating the need to configure ISA to pass RPCs altogether.

The Feature Pack includes wizards and documentation that guide administrators to properly configure all components needed to implement this feature.

Other Features and Availability

The Feature Pack also installs a special version of URLScan, an Internet Information Server (IIS) tool that detects and filters out malformed URL requests sent to IIS. It is designed to protect against viruses attacking over HTTP, such as Code Red, Nimda, and Goner. The special version of URLScan for ISA Server eliminates the need to configure URLScan on each IIS server behind the firewall, including those hosting OWA. (For more on URLScan, see "Get Secure, Stay Secure" on page 17 of the Dec. 2001 Update.)

The Feature Pack also contains several other new features. One allows Internet-based users to use RSA’s SecurID two-factor authentication token cards to log on to OWA and other secured intranet Web servers located behind ISA Server without first establishing a VPN connection. Another makes it possible to move content developed for internal Web sites to the Internet without having to translate all the internal URL pathnames to ones that resolve from the Internet.

For more information and to download the Feature Pack, see www.microsoft.com/isaserver/featurepack1.