Solutions Fast Track
New GUI: More Than Just a Pretty Face
Improving the user experience by making the interface friendlier was a major goal of the ISA Server 2004 development team, and they've done a good job.
The ISA Server 2004 console is much richer than that of ISA 2000, with a three-pane window that still includes the familiar tree structure in the left pane, but gives you tabbed pages in the middle and right panes that make it easy to select the type of tasks you want to perform and get precise help in performing them.
The left pane nodes include: ISA Server (Name) Top Node, Monitoring Node, Firewall Policy Node, Virtual Private Networks (VPN) Node, and Configuration Node.
The Configuration Node contains four subnodes: Networks, Cache, Add-ins, and General.
The Getting Started page makes it easy to set up the ISA Server firewall and/or caching server.
The Dashboard is just what its name implies - a 'big picture' view that summarizes each of the Monitoring areas represented by a tab (except Logging).
The Firewall Policy node is the 'heart' of the ISA Server interface. This is where you create access rules, Web publishing rules, mail server publishing rules, and other server publishing rules to control access to and from your network.
The Virtual Private Networks node provides a friendly interface for performing common VPN configuration tasks and controlling client access.
The Networks subnode (under the Configuration node) is used to create and configure networks in a multiple network environment.
The Cache subnode is used to define cache drives, create cache rules, configure general cache settings or disable caching altogether, making the ISA server function solely as a firewall.
The Add-ins subnode is used to configure ISA Server's application layer filtering (ALF). This is where you enable, view, modify, and disable application filters and Web filters.
The General subnode includes general administrative tasks.
Teaching Old Features New Tricks
If your company has multiple ISA Server installations in different locations, you don't want to have to physically visit every ISA Server machine to perform management tasks on each.
Three ways to remotely manage your ISA Server firewalls are: the ISA Server management console installed on an administrative workstation, Terminal Services (Windows 2000) or Remote Desktop (Windows Server 2003) on the firewall itself, and a third-party Web interface.
ISA Server 2004 allows you to control access and usage of any protocol, including IP-level protocols.
Improvements have been made to the authentication process in ISA Server 2004. Users can be authenticated via the built-in Windows authentication, via Remote Authentication Dial-In User Service (RADIUS), or via other authentication namespaces.
It is now easier to set up Outlook Web Access (OWA) to work with ISA 2004, thanks to the OWA Publishing wizard.
With ISA Server 2004, you have more flexibility in defining network objects because you can specify them according to the following categories: Networks, Network sets, Computers, Computer sets, Address ranges, Subnets, URL sets, Domain name sets, and Web listeners.
ISA Server 2004 includes a new set of rule wizards that make it easier than ever to create access policies.
In ISA Server 2000, the Server Publishing Rules forwarded incoming connections to a published server on the same port where the original request was received. ISA Server 2004 allows you to receive a connection on a particular port number and then redirect the request to a different port number on the published server.
ISA Server 2004 includes many improvements and enhancements to VPN and remote access functionality, including more flexibility for site-to-site VPN links, better control over VPN clients, PPTP server publishing, and forced encryption for secure Exchange RPC connections.
Several improvements have been made to the Web Cache and Web Proxy features in ISA Server, including improvements to the Cache Rule Wizard, more flexibility in caching of SSL content, path mapping for Web Publishing Rules, and enhancements to scheduled content download.
Microsoft has listened to customers and made a number of improvements and additions to ISA Server 2004's logging, monitoring, and reporting functions: real-time monitoring of log entries; real-time monitoring and filtering of firewall sessions; a built-in log query mechanism; connection verifiers; customizable reports that can be published automatically; e-mail notification for report jobs; a configurable time for log summary generation; improved SQL logging; and the ability to log to an MSDE database.
New Features on the Block
With ISA Server 2004, Microsoft has introduced a multi-networking model that is appropriate for interconnected networks used by many corporations.
Now you can create network rules and control how different networks communicate with one another.
ISA Server 2004 includes several built-in network definitions, including: the Internal network (includes the addresses on the primary protected network), the External network (includes addresses that don't belong to any other network), the VPN clients network (includes the addresses assigned to VPN clients), and the Local host network (includes the IP addresses on the ISA Server).
ISA Server 2004's new multi-networking features make it easy for you to protect your network against internal and external security threats by limiting communication between clients, even within your own organization.
You can use ISA Server 2004 to define the routing relationship between networks, depending on the type of access and communication required between the networks.
ISA Server 2004 provides network templates that you can use to easily configure firewall policy governing the traffic between multiple networks.
ISA Server 2004's HTTP policy allows the firewall to perform deep HTTP stateful inspection (application layer filtering). You can configure the extent of the inspection on a per-rule basis.
You can configure ISA Server 2004's HTTP policy to block all connection attempts to Windows executable content, regardless of the file extension used on the resource; the firewall identifies executables by inspecting the content itself (the 'MZ' marker at the start of a Windows executable) rather than by trusting the URL or the file extension.
ISA Server 2004's HTTP policy makes it easy for you to allow all file extensions, allow all except a specified group of extensions, or block all extensions except for a specified group.
With ISA Server 2004's HTTP policy, you can control HTTP access for all ISA Server 2004 client connections, regardless of client type.
ISA Server 2004's deep HTTP inspection also allows you to create 'HTTP Signatures' that are compared against the Request URL, Request headers, Request body, Response headers, and Response body. For body signatures, only a configurable byte range at the start of the body is searched, so a signature will not match content that appears later in a large response.
You can control which HTTP methods are allowed through the firewall on a per-rule basis: allow all methods, allow all except a specified set, or block all except a specified set.
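The following is an added example, written for this summary and not code from ISA Server or from Microsoft, that models the per-rule HTTP policy checks described above in plain Python: a method policy and an extension policy in each of the three modes, executable detection that keys on the content of the response rather than on the file extension, and HTTP signatures matched against the request URL, request headers, request body, response headers and response body. The policy values, header names, signature patterns, sample requests and the 100-byte body search range are all constructed for the example (the byte range is an assumed default, not a documented one).

```python
"""Toy model of the per-rule HTTP policy checks summarized above.
Added example, not ISA Server code. All policy values and sample
traffic below are constructed for illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class HttpPolicy:
    # Method policy: "allow_all", "allow_all_except" or "block_all_except"
    method_mode: str = "allow_all"
    methods: frozenset = frozenset()
    # Extension policy, using the same three modes
    ext_mode: str = "allow_all"
    extensions: frozenset = frozenset()
    # Block responses whose body is a Windows executable, whatever the URL says
    block_executables: bool = False
    # Signatures: (name, where, pattern). 'where' is one of request_url,
    # request_headers, request_body, response_headers, response_body
    signatures: list = field(default_factory=list)
    # Only this many leading bytes of a body are searched (assumed default)
    body_byte_range: int = 100


def _mode_allows(mode, item, group):
    """Apply one of the three allow/block modes to a single item."""
    if mode == "allow_all":
        return True
    if mode == "allow_all_except":
        return item not in group
    if mode == "block_all_except":
        return item in group
    raise ValueError(f"unknown mode {mode!r}")


def _extension(url):
    """Extension of the last path segment, lower-cased; '' if there is none."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def _headers_blob(headers):
    """Flatten a header dict into wire-like 'Name: value' lines for matching."""
    return "".join(f"{k}: {v}\r\n" for k, v in headers.items()).encode()


def _signature_hit(policy, where, data):
    """Return the name of the first signature for 'where' found in data."""
    for name, sig_where, pattern in policy.signatures:
        if sig_where == where and pattern.lower() in data.lower():
            return name
    return None


def check_request(policy, method, url, headers, body=b""):
    """Return None if the request is allowed, else the reason it was blocked."""
    if not _mode_allows(policy.method_mode, method.upper(), policy.methods):
        return f"method {method} blocked"
    ext = _extension(url)
    if not _mode_allows(policy.ext_mode, ext, policy.extensions):
        return f"extension '{ext}' blocked"
    for where, data in (("request_url", url.encode()),
                        ("request_headers", _headers_blob(headers)),
                        ("request_body", body[:policy.body_byte_range])):
        hit = _signature_hit(policy, where, data)
        if hit:
            return f"signature '{hit}' matched in {where}"
    return None


def check_response(policy, headers, body):
    """Return None if the response is allowed, else the reason it was blocked."""
    # Executable detection keys on the PE 'MZ' stub, not on URL or Content-Type
    if policy.block_executables and body[:2] == b"MZ":
        return "Windows executable content blocked"
    for where, data in (("response_headers", _headers_blob(headers)),
                        ("response_body", body[:policy.body_byte_range])):
        hit = _signature_hit(policy, where, data)
        if hit:
            return f"signature '{hit}' matched in {where}"
    return None


# Constructed policy: only GET/POST/HEAD, no .exe/.dll/.scr URLs, block PE
# content by inspection, and two illustrative signatures.
POLICY = HttpPolicy(
    method_mode="block_all_except", methods=frozenset({"GET", "POST", "HEAD"}),
    ext_mode="allow_all_except", extensions=frozenset({"exe", "dll", "scr"}),
    block_executables=True,
    signatures=[
        ("kazaa", "request_headers", b"X-Kazaa-"),
        ("inline-script", "response_body", b"<script"),
    ],
)

if __name__ == "__main__":
    # Constructed traffic: a renamed executable served as .txt is still caught
    print(check_request(POLICY, "GET", "http://example.test/setup.txt", {}))
    print(check_response(POLICY, {"Content-Type": "text/plain"}, b"MZ\x90\x00"))
```

Note the last check in the demo: a Windows executable renamed to `.txt` passes the extension policy but is still blocked by content inspection, while a `<script` signature placed beyond the assumed byte range is not seen at all, which is the practical limit of body signatures.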
ISA Server 2004's Secure Exchange Server Publishing Rules allow remote users to connect to the Exchange server by using the fully-functional Outlook MAPI client over the Internet.
You can configure ISA Server 2004's FTP policy to allow users to upload and download via FTP, or you can limit user FTP access to download only.
ISA Server 2004 includes a link translation feature, which allows you to create a dictionary that maps internal computer names to publicly-known names, so that internal hostnames embedded in pages returned by a published Web server are rewritten to names that external clients can resolve.
ISA Server 2004 leverages the Network Access Quarantine Control feature built into Windows Server 2003 to provide VPN quarantine, which allows you to hold VPN clients on a separate network (the Quarantined VPN Clients network) until they meet a predefined set of security requirements.
ISA Server 2004 adds support for port redirection and the ability to publish FTP servers on alternate ports.
Missing in Action: Gone But Not Forgotten
ISA Server 2000 was able to split live media streams using Windows Media Technologies (WMT) to reduce the amount of bandwidth used for streaming audio or video, depending on the number of internal clients that were viewing the same streaming media. According to customer feedback, most companies implementing ISA Server did not use the streaming media splitting feature, so Microsoft did not include it in ISA Server 2004.
The H.323 gateway is used for call handling and routing of Voice over IP (VoIP) calls. Microsoft dropped support for the H.323 gateway in ISA Server 2004 because of low usage.
ISA Server 2000 included a bandwidth control feature, but users complained that it either did not work or did not work as expected, so support for bandwidth control was dropped in ISA Server 2004.
ISA Server 2000 supported not only forward/reverse and distributed/hierarchical caching types, but also supported active caching. This feature would automatically initiate requests to update objects that were stored in cache without any intervention from the user. In keeping with Microsoft's emphasis on firewall functionality in ISA Server 2004, the active caching feature was left out.