ISA Server 2006 in Beta
Mar. 13, 2006
Internet Security and Acceleration (ISA) Server 2006, now in beta and scheduled for release in the second half of 2006, is a minor update to Microsoft's ISA Server 2004 firewall, virtual private networking, and content-caching product. It contains few architectural changes, but adds small features that ease administration and boost versatility. ISA Server 2006 precedes a more substantial upgrade that will depend on the next version of Windows Server (code-named Longhorn Server) and will likely include content-filtering technology recently acquired from FutureSoft. Readers unfamiliar with ISA Server should see the sidebar "ISA Server Functions".

Available in Two Editions and in Appliances

Like its predecessor, ISA Server 2004, ISA Server 2006 will come in Standard and Enterprise Editions. Standard Edition is a lower-cost option for customers whose needs are met by a single ISA Server, or who have multiple firewalls or cache-only ISA Servers located at different points on their network but have no need to manage them as a single unit. Enterprise Edition is for customers who are willing to pay more in exchange for higher availability, scalability, and manageability. ISA Server 2006 Enterprise allows servers to be grouped into arrays, which provide greater processing capacity and greater availability through load balancing and failover redundancy. All array members, or all Enterprise Edition ISA Servers in the organization, can be configured and managed centrally; rules and other policies are stored in an Active Directory Application Mode (ADAM) database hosted on one or more servers. Pricing and licensing details for ISA Server 2006 have not been revealed, but ISA 2004 Standard's approximate per-processor pricing is US$1,500, while ISA 2004 Enterprise costs about US$6,000 per processor. It seems unlikely that these prices will change much.
In addition to selling ISA Server as a software-only product, Microsoft also sells it to OEMs, such as Celestix, Hewlett-Packard, and Network Engines, that use it to build ISA Server appliances. Unlike some hardware-based firewalls that use custom processors and have no internal disk drives, these appliances are basically conventional servers that run Windows Server 2003. However, they ship with ISA Server preinstalled and preconfigured, and the Windows OS has been "hardened" by the OEM so that only the required components and services are installed and running. With ISA Server 2004, Microsoft licensed only Standard Edition to appliance OEMs. With ISA Server 2006, Microsoft will also license Enterprise Edition to OEMs, making it possible for those partners to craft firewall appliance offerings aimed at the needs of large organizations.

What's New in ISA Server 2006

Although ISA Server 2006 does not carry the "R2" moniker used by some Microsoft servers, such as Windows Server 2003 R2, to denote minor releases, ISA Server 2006 is nevertheless a minor release. It has not undergone any major architectural changes, the user interface has few changes, and it contains only small improvements over ISA Server 2004. These new features are unlikely to win over customers that previously dismissed ISA Server, and existing customers without Software Assurance (SA) are unlikely to see enough incremental value to pay for the new release. However, for customers with SA, the upgrade process should be relatively quick and painless, and they may benefit from some of the new features. Furthermore, there should be no compatibility problems with third-party ISA Server add-ins and utilities such as EMC's Rainfinity load-balancing and failover software.
In addition to the improvements and new features Microsoft added recently to ISA Server 2004 in Service Pack 2, such as better caching of patches client PCs request from the Windows Update or Microsoft Update Web sites (see "ISA Server SP2 Adds Features" on page 10 of the Mar. 2006 Update), ISA Server 2006 incorporates numerous small changes that generally ease administrative tasks, add flexibility, and increase the number of specialized situations ISA Server can handle, such as supporting smart card or RSA token authentication methods. New features include the following:

SharePoint publishing wizard. Windows SharePoint Services and SharePoint Portal Server are not just for hosting portals and team sites for intranet users. They can also provide authenticated access to employees and business partners connecting from the Internet, and organizations may even want to expose some SharePoint content to anonymous external users. (Microsoft is crafting the features and licensing requirements of the next SharePoint releases to encourage their use as public Web platforms.) A new wizard in ISA Server 2006 makes it easier to publish a SharePoint site to the Internet and to properly configure features such as authentication and encryption, as well as link translation, which makes it easier to make intranet sites accessible to Internet users. Once a public Web address (URL) is assigned to the SharePoint site by an administrator, ISA Server 2006 automatically translates incoming requests made to the public URL into the corresponding intranet URL for that SharePoint site. And before routing SharePoint's reply to the user, ISA Server 2006 converts any intranet URLs embedded in the pages into their public URL equivalents.

Enhanced flood resiliency. ISA Server 2006 is less vulnerable to performance degradation from denial-of-service attacks that flood the firewall with bogus requests.
ISA Server 2006 adds the ability to identify and block clients that exceed configurable limits on connection requests and sessions. It can even consolidate alerts and turn off further logging of connection attempts from that client so that the logging functions don't slow the firewall down and fill the firewall and event logs with useless information.

Enhanced authentication and single sign-on support. When publishing internal applications such as Exchange, SharePoint, and line-of-business applications (enterprise resource planning, customer relationship management) to Internet-based users (without requiring them to establish a VPN connection first), the firewall should properly authenticate connection requests before passing them to the application servers. ISA Server 2006 has numerous enhancements in this area. Users can now use forms-based authentication for applications other than Exchange's Outlook Web Access (multiple authentication form templates are available in 26 different languages), and ISA Server 2006 can identify the type of client requesting access (e.g., PC, PDA, phone) and serve up a logon form that is suitably sized for that device's screen. Users can also use client certificates, smart cards, RSA SecurID token cards, or RADIUS one-time password (OTP) solutions to authenticate themselves against Active Directory (AD). With ISA Server 2006, the firewall need no longer be a domain member to both authenticate users against AD and obtain their membership in AD security groups; it can use Lightweight Directory Access Protocol (LDAP) to accomplish these same functions more securely. (LDAP has a smaller potential attack surface than the existing method of passing RPC calls between the firewall and a domain controller.) Once an initial request is authenticated, ISA Server 2006's single sign-on features can pass authentication information to other published application servers, thereby eliminating additional requests for the same credentials.
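The two mechanisms described above, link translation for a published SharePoint site and per-client connection limits with consolidated alerting, can be modelled together in a small reverse-proxy simulation. The Python below is an added illustration written for this page; it is not ISA Server code and does not come from Microsoft. The public and intranet host names, the client addresses, the reply body and the limit of five connections are constructed sample values.

```python
"""Toy model of two ISA Server 2006 publishing behaviours: link translation
for a published SharePoint site, and per-client connection limits with
consolidated alerting.  Constructed illustration; not ISA Server code."""
import re
from collections import defaultdict

# Constructed sample names: the public URL assigned by the administrator and
# the intranet URL of the SharePoint site behind the firewall.
PUBLIC = "https://sharepoint.example.com"
INTERNAL = "http://sp-internal"


class LinkTranslator:
    """Rewrites requests for the public URL into intranet URLs, and rewrites
    intranet URLs embedded in replies back into public ones."""

    def __init__(self, public_base: str, internal_base: str):
        self.public_base = public_base.rstrip("/")
        self.internal_base = internal_base.rstrip("/")
        # Match the intranet prefix only when followed by a path separator,
        # quote, whitespace, tag bracket or end of text, so that a longer host
        # name such as "http://sp-internal2" is left untouched.
        self._outbound = re.compile(
            re.escape(self.internal_base) + r"(?=[/\"'\s<>]|$)")

    def inbound(self, public_url: str) -> str:
        """Translate an incoming request URL to the intranet equivalent."""
        if public_url != self.public_base and not public_url.startswith(self.public_base + "/"):
            raise ValueError("request is not for the published site")
        return self.internal_base + public_url[len(self.public_base):]

    def outbound(self, body: str) -> str:
        """Translate intranet URLs inside a reply body to public URLs."""
        return self._outbound.sub(self.public_base, body)


class FloodGuard:
    """Counts connections per client against a configurable limit.  The first
    breach blocks the client and raises one alert; later attempts from a
    blocked client are counted but not logged individually."""

    def __init__(self, max_connections: int):
        self.max_connections = max_connections
        self.counts = defaultdict(int)
        self.blocked = set()
        self.suppressed = defaultdict(int)   # attempts dropped without a log entry
        self.alerts = []
        self.log = []

    def admit(self, client_ip: str) -> bool:
        """Return True if the connection may proceed."""
        if client_ip in self.blocked:
            self.suppressed[client_ip] += 1
            return False
        self.counts[client_ip] += 1
        if self.counts[client_ip] > self.max_connections:
            self.blocked.add(client_ip)
            self.alerts.append(
                f"{client_ip} exceeded {self.max_connections} connections; blocked")
            return False
        self.log.append(f"allow {client_ip} connection {self.counts[client_ip]}")
        return True


# Constructed sample traffic: one normal client, one client that floods.
SAMPLE_REQUESTS = [("10.0.0.5", PUBLIC + "/sites/team")] + [("203.0.113.9", PUBLIC + "/")] * 8
SAMPLE_REPLY = '<a href="http://sp-internal/sites/team/doc.aspx">doc</a>'


def run_demo(limit: int = 5) -> dict:
    """Push the sample traffic through both components and return the results."""
    translator = LinkTranslator(PUBLIC, INTERNAL)
    guard = FloodGuard(max_connections=limit)
    forwarded = [translator.inbound(url) for ip, url in SAMPLE_REQUESTS if guard.admit(ip)]
    return {
        "forwarded": forwarded,               # intranet URLs actually sent on
        "alerts": guard.alerts,               # one consolidated alert per client
        "suppressed": dict(guard.suppressed), # attempts not logged individually
        "log_entries": len(guard.log),
        "rewritten_reply": translator.outbound(SAMPLE_REPLY),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the limit set to five, the flooding client's sixth attempt produces a single alert and a block, and its two further attempts are counted in `suppressed` without adding log entries; the normal client's request and the reply's embedded intranet link are translated in both directions.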
Improved certificate support. Certificates are used extensively by ISA Server and Internet clients for both authentication and encryption, but certificate-related support calls comprise ISA Server's most frequent and costly support incidents, so Microsoft has tried to improve how ISA Server 2006 handles certificates. ISA Server 2006 has more capabilities, such as the ability to bind multiple certificates to a single external IP address, which makes it easier to configure the firewall to allow outside connections to multiple published applications that may require different certificates. The administrative interface now shows the state of certificates used by ISA Server and identifies incorrectly installed and expired certificates. It will also generate alerts detectable by products such as Microsoft Operations Manager so that problems can be detected and corrected faster.

Improved server farm support. ISA Server 2006 allows administrators to define farms of Web or application servers and publish them to the Internet as a single URL. Administrators can create individual access rules that apply to all farm members—such as "allow anonymous Web access from the Internet to all servers in the farm." Another new ISA Server 2006 server farm feature is Web Publishing Load Balancing, which allows the firewall to balance user requests from the Internet to an array of servers, monitor the state of each member of the array, and redirect requests away from failed members.

What's Missing

When Directions analyzed ISA 2004 (see "ISA Server 2004 More Flexible, Secure" on page 12 of the Apr. 2004 Update), it noted some deficiencies and caveats of which prospective buyers should be aware. With ISA Server 2006, this list remains unchanged.

No Web service XML proxy.
Even though Microsoft is one of the industry's strongest proponents of Web services, ISA Server 2006 lacks the type of XML-level Web service inspection and filtering offered by its competitor Check Point and by ISA Server add-ins such as Forum XWall. Although Web services can be permitted to pass through ISA Server via its generic Web proxy, administrators cannot configure it to check specific attributes of XML data inside the Hypertext Transfer Protocol (HTTP) payload. Such support would enhance the firewall's ability to detect and block intrusions and denial-of-service attacks targeting Web services. In 2004, Microsoft claimed that this was not yet a major need, given that business-to-business Web services were then rare, and it said that it intended to offer deeper Web service inspection in a future release. However, since Microsoft chose not to address this issue in ISA Server 2006, the company must still feel that the need is not yet particularly urgent.

No SIP application proxy. The Session Initiation Protocol (SIP) is used by Microsoft's Live Communications Server (LCS) 2005 to exchange instant messages and presence information with other LCS servers and Communicator 2005 clients. SIP is crucial to the expansion of voice, video, and other kinds of real-time communication over Internet infrastructure. However, ISA Server 2006 still lacks a SIP application-level proxy component, which is necessary to route and filter SIP-based voice, video, file transfer, and data conferencing traffic. Although Microsoft introduced a separate SIP access proxy with LCS 2005 (which can be co-located on the ISA Server or hosted on a separate server), this access proxy supports presence information and instant messages only. Communicator users still cannot establish Voice-over-IP (VoIP), video, and data conferencing sessions with users on the other side of the ISA Server 2006 firewall without using additional third-party products or first establishing a VPN session.
However, Microsoft partner Collective Software does have a product in beta, LCS-Bridge for ISA Server, that enables ISA Server to process all types of SIP traffic from the Internet.

No Internet Protocol version 6 (IPv6) support. Even though Windows XP and Windows Server 2003 already include support for IPv6—the next generation of the Internet Protocol, which supports larger address spaces, more dynamic configuration, and many other features—ISA Server 2006 does not. Although IPv6 firewall support is already offered by rival Check Point, Microsoft feels that the need is not particularly urgent, given that almost no ISPs offer IPv6 today and few people have begun using it. However, some organizations have begun testing the protocol, so demand is likely to increase in some markets, especially in Asia, where the shortage of IPv4 addresses is particularly acute.

No bandwidth-allocation controls. With ISA Server 2006, administrators cannot grant certain protocols more bandwidth than others. Since the connection to the Internet is a common bottleneck, this lack means that casual Internet use, such as internal users listening to streaming media from the Internet, could degrade more vital business communications. It also means that real-time communication protocols, particularly VoIP, could be disrupted by other traffic. (Note that with the release of ISA 2004 SP2, ISA Server now allows customers to prioritize HTTP traffic to certain destinations over other HTTP traffic.)

Big Changes Ahead

The most likely explanation for some of the missing features is that the release of Longhorn Server (estimated for mid-2007) will include major changes to its TCP/IP network protocol stack.
These changes include full integration and support for IPv6, better use of multiple processors, support for Winsock Kernel (a new kernel-mode programming interface that will eventually replace the current Transport Driver Interface API), and new mechanisms for offloading protocol stack handling to network interface cards with onboard processors. Because ISA Server depends heavily on the underlying TCP/IP stack, it will have to undergo major changes as well. Microsoft likely avoided adding any features to ISA Server 2006 involving significant architectural changes that would be abandoned in the next release. Because of the Longhorn TCP/IP changes, ISA Server 2006 will not even be forward-compatible with Longhorn. Customers will have to wait for the next release of ISA Server before they will be able to upgrade their firewall servers to Longhorn. However, Windows Vista, which also gets the new TCP/IP stack and which is due to ship by the end of 2006, will be supported as an ISA Server 2006 client. Microsoft will release a new Vista-compatible Firewall Client for ISA Server 2006 (a client-side component only needed for certain protocols and authentication requirements) before Vista ships. The release of ISA Server that coincides with or follows Longhorn Server will also likely include the content filtering technology Microsoft acquired from FutureSoft in Feb. 2006. (See the sidebar "DynaComm i:filter".)

Resources

Additional ISA Server information can be found at www.microsoft.com/isaserver. The new features introduced in ISA Server 2004 SP2 were covered in "ISA Server SP2 Adds Features" on page 10 of the Mar. 2006 Update. ISA Server 2004 Standard Edition is described in "ISA Server 2004 More Flexible, Secure" on page 12 of the Apr. 2004 Update, and pricing information is discussed in "ISA Server 2004 Standard Edition Ships" on page 9 of the Aug. 2004 Update. ISA Server 2004 Enterprise Edition is covered in "ISA Server 2004 Enterprise Ships" on page 17 of the Apr.
2005 Update. Microsoft's support for IPv6 is described in "Windows Support for IPv6 Increases" on page 3 of the Apr. 2005 Update. Upcoming changes to the TCP/IP implementation in Windows Longhorn Server and Windows Vista are described at www.microsoft.com/technet/community/columns/cableguy/cg0905.mspx and www.microsoft.com/technet/community/columns/cableguy/cg1105.mspx.