Whale Spawns Security Appliances
Feb. 19, 2007

Two of Microsoft's Internet Security and Acceleration (ISA) Server appliance OEMs have begun shipping devices based on Microsoft's new Intelligent Application Gateway (IAG) 2007 platform, which is based on technology gained in the mid-2006 acquisition of Whale Communications. These appliances run an updated version of the Whale virtual private networking (VPN) technology integrated with ISA Server 2006. Compared to regular ISA Server, an IAG appliance provides remote access to corporate applications more securely. However, customers now need to purchase Client Access Licenses (CALs), which could make the solution more expensive compared to ISA Server alone or earlier Whale products.

IAG Overview

The Whale technology provides Secure Sockets Layer VPN (SSL VPN) capabilities, which use Web browsers as VPN clients. Unlike traditional VPNs, which don't discriminate between applications (the access is all or nothing), SSL VPNs can be enabled on an application-by-application basis. For example, an SSL VPN could allow a Web application to pass but could still block Outlook Express from using the POP3 e-mail protocol.

IAG appliances are specially tailored to provide secure inbound remote access to applications residing on corporate networks from public and other nonmanaged PCs. Even though IAG 2007 appliances are built on an embedded version of ISA Server 2006—Microsoft's firewall, VPN, and content-caching software—they are intended to augment, rather than replace, discrete general-purpose ISA Server 2006 firewalls or firewalls from other vendors, such as Check Point or Cisco.

Unlike Microsoft's traditional VPN technology, IAG 2007 devices do not require preinstallation or preconfiguration of client-side components and do not assume client devices are secure. For example, before establishing a session, the IAG checks that the client device meets security requirements and forces it to delete all cached data at the end of a session.

(For an in-depth analysis of the Whale IAG technology and the benefits of SSL VPNs, see "Acquisition to Boost VPN Features" on page 23 of the July 2006 Update.)

Available as OEM Appliances Only

Ending speculation as to whether Microsoft was planning to go into the security appliance business, the company has announced that it will no longer sell the hardware appliances formerly produced by Whale; instead, it will sell IAG 2007 solely through OEM partners, which initially consist of Celestix Networks and Network Engines.

Furthermore, the IAG 2007 OEM appliances will not use the AirGap hardware technology Whale used in its older e-Gap line of appliances. AirGap consisted of two separate servers interconnected by a proprietary SCSI-attached hardware switch that relayed data between the two servers. Although Whale claimed this protected the back-end server from being compromised in case the Internet-facing front-end server was hacked, Microsoft says this complex hardware architecture is no longer necessary to meet IAG 2007's security goals.

New Pricing and Licensing Model

IAG 2007 is being sold under a new pricing and licensing model that departs both from the Whale model and from the model used by ISA Server 2006.

ISA Server 2006 software is priced on a per-processor basis (US$1,500 for Standard Edition and US$6,000 for Enterprise Edition) when sold directly to customers, and ISA Server OEM appliance vendors build the per-processor licenses into the total cost of their products. However, for IAG 2007 appliances, OEM partners do not pay Microsoft the per-CPU ISA Server license fees, but instead will pay a lower flat amount for a bundle of Windows Server 2003, ISA Server 2006 Standard Edition, and IAG 2007 software. Although this change should drop the cost of IAG 2007 appliances below that of comparable ISA 2006 appliances or older Whale e-Gap appliances, there's a catch: customers now require an IAG 2007 CAL for each authenticated remote user or device. The retail license price for a single IAG 2007 CAL is US$22, with volume discounts available through Open, Select, and Enterprise Agreements. This means that larger organizations that need to support hundreds or thousands of Internet users will pay more than they did for Whale e-Gap appliances or for ISA Server's more basic remote access features.

Software Assurance (SA), Microsoft's upgrade and maintenance program, is available on the IAG 2007 CALs, but not on the OEM Server licenses. These SA rights give remote users the upgrade rights to connect to the next generation of ISA Server software or appliances (these will be based on the Windows "Longhorn" Server platform and will have the IAG technology integrated with ISA Server). However, SA on the CALs does not convey any rights to upgrade the software on the appliance; that right depends on a separate maintenance agreement purchased from the particular IAG 2007 appliance vendor.

For organizations that must support VPN access by nonemployees, such as business partners or students, a per-server External Connector license is also available in lieu of individual CALs, but Microsoft has not published its price.

Whale separately sold extras called Intelligent Application Optimizers, Network Connectors, and other security modules needed to provide connectivity and security for various applications such as Outlook Web Access, SharePoint, Lotus Domino, and SAP Enterprise Portal. The new IAG 2007 appliances come with updated versions of these software components included in the base price.

Microsoft claims that existing Whale customers with current service and support contracts will be provided with a migration path to IAG 2007, but has not published details. Those without maintenance agreements will need to purchase new appliances and CALs.

Resources

Microsoft's IAG home page is at www.microsoft.com/forefront/edgesecurity/iag.

Licensing details can be found at www.microsoft.com/forefront/edgesecurity/howtobuy.mspx.

Celestix WSA SSL VPN appliances are described at www.celestix.com/products/iag.

Network Engines NS-IAG appliances can be found at www.networkengines.com/default.asp?LINKNAME=IAG.

ISA Server 2006 features are described in "ISA Server 2006 Ships" on page 18 of the Nov. 2006 Update and "ISA Server 2006 in Beta" on page 16 of the Apr. 2006 Update.