Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1017025
  • 博文数量: 77
  • 博客积分: 946
  • 博客等级: 准尉
  • 技术积分: 2264
  • 用 户 组: 普通用户
  • 注册时间: 2006-02-20 19:56
个人简介

IT基础架构、虚拟化、项目管理,户外运动,6届微软最有价值专家。

文章分类

全部博文(77)

文章存档

2015年(3)

2014年(4)

2013年(6)

2012年(19)

2011年(11)

2010年(7)

2006年(27)

分类: WINDOWS

2006-05-08 16:04:34

In this article I will try to give you a high level overview of the new features in Microsoft ISA Server 2006.


Let's begin

ISA Server 2006 is the next step in Microsoft’s Security Strategy. ISA Server 2006 is the successor of ISA Server 2004. ISA Server 2006 RTM is expected to be released at end of June 2006.

ISA Server 2006 contains all the features of ISA Server 2004 with SP2 except for the Message Screener. The Message Screener from ISA Server 2004 is no longer available in ISA Server 2006.

Please note:
The SMTP Filter is still in ISA Server 2006.

If you want to try ISA Server 2006 Beta 1, you should download ISA Server 2006 Beta from the Microsoft . It is possible to download the English Standard and Enterprise Version of ISA Server 2006.


Figure 1: Download and install ISA Server 2006

Customer Feedback

After successful Installation of ISA Server 2006, you will see a new Customer Feedback Option in the ISA MMC and in the Properties of the ISA Server object in ISA MMC. This Customer Feedback is not new to ISA Server 2006 but was first seen with ISA Server 2004 SP2.


Figure 2: Customer Feedback in ISA Server 2006

If you do not want to participate in this Customer Experience Improvement Program click No, I don’t wish to participate.

New in Publishing

There are some enhancements in Webserverpublishing rules in ISA Server 2006. One of the interesting things in ISA Server 2006 is that it is now possible to Publish SharePoint Sites with an ISA Server 2006 Wizard. In the past you had to manually create a Publishing rule for SPS and you had to read the SPS Publishing Whitepaper on the Microsoft Website.


Figure 3: Sharepoint Portal Server Publishing

It is now also possible to Publish specific Exchange Mailserver versions. Exchange provides Publishing Wizards from Exchange 5.5 to Exchange V12.


Figure 4: Exchange version specific Publishing

ISA Server 2006 now also supports the Publishing of Load Balanced Web servers. Load Balanced Web servers are grouped in units called a Farm to provide continuous Access and performance improvements.


Figure 5: Publishing Load Balanced Web servers

The new Publishing Wizard provides better Support for Certificate Integration to provide SSL Bridging features and Client SSL Authentication. I will tell you more about this enhancement later.


Figure 6: Client Connection Security

The new Web listener Definition Wizard that listens for incoming Web requests has a new Icon (a “World ball”) and it is possible to select if ISA Server should compress the content through this defined Web Listener. The Compression feature first came with ISA Server 2004 SP2.


Figure 7: Web listener Publishing Wizard

The new Web Listener Definition Wizard allows you to select a single certificate for the specified Weblistener.


Figure 8: Certificate Selection

It is possible to assign a certificate for each IP address bound to the Adapter that the listener will use.

Please note:
It is not possible to assign more than one certificate to a single IP Address. For more Information on this read the following statement from the ISA Server Product Team.

There is a new Certificate selection and verification console where it is possible to select certificates. You can see the Validity of the Certificates and the Issuing CA and the friendly name. Invalid certificates will be highlighted in red.


Figure 9: Certificate verification

One of the biggest changes in ISA Server 2006 is the built-in Support for different Authentication schemes.

Depending on the type of listener, you have the choice of the following Authentication Methods:

  • HTML Client Certificate Authentication
  • HTTP Authentication
  • HTML Form Based Authentication

ISA Server can validate the credentials against:

  • Active Directory
  • Active Directory via LDAP (new in ISA Server 2006)
  • RADIUS (OTP)
  • RADIUS
  • RSA SecurID


Figure 10: Authentication settings

ISA Server 2006 can now work with Kerberos constrained Delegation if ISA Server is a domain member.


Figure 11: Authentication Delegation

ISA Server 2006 now allows Single Sign On (SSO) for ISA Weblistener.


Figure 12: SSO Settings

Customizable Forms Based Authentication

With ISA Server 2006 it is now possible to create a customized HTML form instead of the default. With this feature you can customize the form to fulfil your Corporate Identity requirements.


Figure 13: Customized Forms

Please Note:
In an upcoming Beta Version of ISA Server 2006 it should be possible to provide an integrated Password change feature for OWA users. Currently you must activate this feature manually on Exchange side and there is no easy way to activate the Password Change feature in the FBA process on ISA site.

Link Translation

The Link Translation feature in ISA Server 2006 has completely changed. The Link Translation feature supports additional Character Sets and is automatically activated when you create a Web server Publishing rule.


Figure 14: Link Translation

LDAP Authentication

ISA Server 2004 came with support for RADIUS in Webserverpublishing Rules and for VPN so that ISA Server must not be a member of the Active Directory Domain.

Implementing RADIUS Authentication has some pros and cons so Microsoft now Support native LDAP Authentication in ISA Server 2006 in form of an LDAP Authentication Webfilter.


Figure 15: LDAP Authentication Webfilter

You can specify the Active Directory Servers to use and you can choose to use a Global Catalog Server. If you want to secure the communication with the Active Directory Server you can use LDAPS (Secure LDAP).


Figure 16: Specify LDAP Server

VPN changes in ISA Server 2006

ISA Server 2006 supports the following VPN protocols:

  • L2TP over IPSEC
  • PPTP
  • Pure IPSEC

There are no significant changes in ISA Server 2006 VPN support in Beta I. An interesting change in ISA Server2006 VPN Support is the ISA Server Branch Office Connectivity Wizard.

Some of you had used the VPN Site to Site Wizard in ISA Server 2000 where it was possible to create the required VPN Connection and, after creation, save the configuration to a Floppy Disc. With this Floppy disc it was possible to end the VPN Setup at the other Site where the counterpart ISA Server resides.

With ISA Server 2006 this Wizard lives again.


Figure 17: ISA Server Branch Office Connectivity Wizard

The VPN Branch Office Wizard will help you to create a VPN connection between a Branch Office and a Headquarter. After completing the Wizard all information could be written to disc or other removable media, transferred to the Branch and at this site you can finish the VPN Implementation by inserting the Media, starting the VPN Wizard and specify the Import file.

Please note:
This feature in Beta 1 is only available for ISA Server Enterprise Edition and requires a manually start of the AppCfgwzd.exe located on the ISA Files.

Flood Mitigation

ISA Server 2004 capability to limit DoS and Worm attacks and to fight against flooding is very limited. With ISA Server 2006 Microsoft has implemented a new feature called Flood Mitigation.

With the help of Flood Mitigation it is possible to limit the number of concurrent TCP and UDP Sessions per IP address, the number of HTTP requests per Minute, per IP address, the number of TCP connections request per Minute, per IP address and many more.

To get the best out of the new Flood Mitigation feature you must carefully monitor your network to distinguish between Flood Attacks and Worms and normal legitimate processes from your Applications in your network.


Figure 18: Flood Mitigation feature

Conclusion

I hope this article was useful for you to see what has changed and improved in ISA Server 2006. If you look into the details of ISA Server 2006 I’m sure you will find many more changes. ISA Server 2006 has several evolutionary enhancements with an emphasis in Publishing, Certificate Management and Authentication. In my opinion Microsoft could name ISA Server 2006 – ISA Server 2004 R2. ISA Server 2006 is a stopover to the next version of Microsoft ISA Server.

Related Links

ISA Server 2006 Overview

Download the ISA Server 2006 Trial

ISA Server 2006 Reviewers Guide

About Marc Grote

Marc Grote is a MCSA/MCSE Messaging & Security and Microsoft Certified Trainer. He is working as a freelance IT Trainer and Consultant in the north of Germany. He is specialized in ISA, SMS, Exchange, Security on Windows 2000 and Windows Server 2003 designs, migrations and implementations and Citrix Metaframe / Cisco implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server. You can visit his homepage on

for Marc Grote's section.

Check out these recent articles by Marc Grote

  • Mar 02, 2006,
  • Feb 16, 2006,
  • Dec 01, 2005,
  • Nov 24, 2005,
  • Nov 10, 2005,

for more articles by Marc Grote.

Get new article updates in your Inbox

Get all the ISA Server articles, tutorials and guides delivered directly to your mailbox as and when they are released on ISAserver.org. Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update below.

* Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy!

Featured Links*

阅读(2689) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~