What s New in ISA Server 2004 ISA Server 2004 contains a fullfeatured,

Transcription

1 Microsoft Internet Security and Acceleration (ISA) Server 2004 is the advanced application-layer inspection firewall, VPN, and Web cache solution that enables enterprise customers to maximize existing IT investments by improving network security and performance in high traffic and distributed environments. A member of the Microsoft Windows Server System, ISA A member of the Microsoft Windows Server System, ISA Server 2004 is a secure, easy-touse, cost-effective solution that helps IT professionals combat new and emerging security threats. Microsoft Internet Security and Acceleration (ISA) Server 2004 provides advanced protection, ease of use, and fast and secure access for all types of networks. What s in ISA Server 2004 ISA Server 2004 contains a fullfeatured, application-layer inspection firewall that helps protect enterprises from attack by both external and internal threats. ISA Server 2004 performs stateful packet inspection and deep application-layer filtering of multiple Internet protocols, such as HTTP, which enables it to detect many threats that traditional firewalls cannot detect. ISA Server 2004 provides unique levels of protection for Microsoft Outlook Web Access, including: Web publishing rules that enforce secure forms-based authentication. Secure Sockets Layer (SSL) bridging, enabling SSL traffic to be statefully inspected for malicious code. Multifactor authentication, providing authentication whether the remote mail scenarios use Remote Authentication Dial-In User Service (RADIUS) or RSA SecurID. Attachment blocking and session time-out, ensuring that users sessions cannot be left open indefinitely for others to use and sensitive attachments cannot be saved to unmanaged devices. The integrated firewall and virtual private network (VPN) architecture supports stateful packet inspection and stateful application-layer filtering for all VPN traffic. ISA Server 2004 provides VPN client inspection for VPN quarantine solutions, helping to protect networks from attacks through a VPN connection. In addition, a completely new user interface, wizards, templates, and a host of management tools simplify setup, deployment, and management, helping administrators avoid common security configuration errors. Advanced Protection The application-layer security built into ISA Server 2004 is particularly well suited for protecting networks that are running Microsoft applications, such as Microsoft Internet Information Services (IIS), Microsoft Office SharePoint Portal Server, Routing and Remote Access, Active Directory directory service, and others. Key capabilities include the following: Multi-layer inspection provides comprehensive and flexible policies to control application-specific traffic with application, command, and data-aware filters. By intelligently filtering VPN, HTTP,

2 FTP, SMTP, POP3, DNS, H.323 conferencing, streaming media, and RPC traffic, ISA Server 2004 can accept, reject, redirect, and modify traffic based on its contents. Advanced stateful applicationlayer filtering and inspection helps protect corporate data by performing deep HTTP inspection, with the depth of the inspection configured on a per-rule basis. This approach enables administrators to configure custom constraints for both inbound and outbound access. Unified firewall and VPN policy management, deep content inspection, and VPN quarantine integration make it easier to secure inbound traffic and protect your network from inside attacks through VPN client access control. Integrated multinetworking capabilities, network templates, and stateful routing and inspection capabilities enable you to deploy ISA Server 2004 into existing IT environments as an edge, departmental, or branch office firewall without changing your network architecture. Enhanced high performance Web access and caching provided by ISA Server 2004 Enterprise Edition Cache Array Routing Protocol (CARP)-based caching arrays increase speed and availability of Internet Web content. Increased uptime and high availability for Internet access through integrated support for Network Load Balancing (NLB). ISA Server 2004 Enterprise Edition enhances Windows NLB with bidirectional affinity support for all Internet protocols. Unified logging and reporting for enterprise arrays simplifies log collection and analysis for determining network baselines and for forensic analysis. Easy to Use A new user interface provides intuitive management tools for VPN and firewall management. ISA Server 2004 includes intuitive network templates, policy wizards, and powerful troubleshooting tools. These ease-of-use features can lower cost of ownership and help avoid configuration errors. With ISA Server 2004 Enterprise Edition, you can: Shorten ramp-up time for new firewall administrators with simplified management tools that help prevent security breaches due to firewall misconfiguration. Minimize network access downtime by enabling secure remote management of firewall and Web cache services. Save on bandwidth costs by reducing Internet traffic and providing content of your Web servers and e-commerce applications closer to your customers. Help secure corporate applications, users, and data using ISA Server 2004 integration with Active Directory, third-party VPN solutions, and in-place infrastructure. Obtain support and information from the active community of partners, users, and Web resources supporting ISA Server Fast and Secure Access ISA Server 2004 enables you to connect users to information in a fast and cost-effective manner. With ISA Server 2004, you can: Provide fast, secure, anywhere anytime access to corporate applications and data, such as , calendar, and contact information stored on Microsoft Exchange Server. Establish a safe, reliable, and high performance infrastructure between multiple networks. Enable reduced sign-on with multiple Internet-standard authentication mechanisms to verify user identity. Bolster network security with an integrated, single-server solution running only necessary services firewall service, VPN, and Web cache at the edge of the network. Scale out your security infrastructure as your networking needs grow by taking advantage of enterprise arrays that provide a distributed, flexible, multinetwork architecture. Enhance network performance and reduce bandwidth costs by using ISA Server 2004 Enterprise Edition CARP-enabled Web caching arrays in corporate data centers and branch offices. Balance network resources by using Network Load Balancing in ISA Server 2004 Enterprise Edition. Ideal for Agile Enterprises For large, distributed enterprises, ISA Server 2004 Enterprise Edition protects and extends an investment in Microsoft technologies. ISA Server 2004 is well suited for branch offices, enabling companies to save money by using a centralized management interface to control and configure hundreds of geographically distributed firewalls. Flexible Solution ISA Server 2004 meets customer demand for a single, integrated solution that can be used in a variety of scenarios. Possible uses include: Enabling remote employees access to corporate and data. Enabling partners access to only selected information within the corporate network or extranet. Enabling branch office communication with the main office in a secure and costeffective manner. Controlling and monitoring employee Internet browsing. Boosting network performance through CARP-enabled caching arrays. Protecting against modern threats.

3 Product Highlights Feature Benefit Guard sensitive corporate applications and data Multilayered stateful application and content inspection Diverse application integration Integrated VPN functionality Comprehensive authentication mechanisms Easily manage network security policies and firewall configuration Multi-networking capabilities and templates Unified firewall and VPN management interface Enhanced troubleshooting Speed access and improve efficiency Enhanced firewall architecture Faster, lower-cost Internet access Includes advanced stateful packet and application-layer inspection firewall to help protect IT assets against hackers and viruses and block undesirable traffic, while enabling complex application traffic to travel over the Internet. Provides users with faster, more secure access to applications and services, including Microsoft Exchange Server, SharePoint Portal Server, and Internet Information Services-based services. Helps secure inbound traffic and protect your network from inside attacks made through VPN gateway and VPN remote access client connections. Built-in Internet Protocol security (IPsec) tunnel mode support enables you to easily connect site-to-site VPNs. Authenticates network users through built-in Windows or RADIUS namespaces, using a variety of credentialing mechanisms, including RSA SecurID. Enables you to quickly deploy ISA Server 2004 into your existing IT environment as an edge, departmental, or branch office firewall without changing your network topology or infrastructure. Provides easy-to-use management tools, including an enhanced and intuitive firewall management console, to shorten the learning curve and minimize security breaches related to firewall misconfiguration. Includes a new monitoring dashboard with a real-time log viewer for all servers in an enterprise array, enabling you to view summarized firewall status information or to drill down into details. Increases network efficiency by enabling authorized traffic to pass through the firewall faster. Stateful packet and application-layer inspection, central control cached object storage, and retrieval policies in ISA Server 2004 Enterprise Edition CARP-enabled arrays and integrated Network Load Balancing improve network performance. Improves user productivity and saves on bandwidth costs by using the ISA Server 2004 Enterprise Edition Web caching arrays to serve content locally. Product Feature Details Feature Benefit Multi-network support Multiple-network configuration Unique per-network policies Stateful inspection of all traffic Route and network address translation (NAT) relationships Statefully inspects traffic between any defined networks. Using ISA Server 2004, you can configure one or more networks, each with distinct routing relationships to the others, and then define access policies that control traffic to each network. Helps protect your network against internal and external security threats by limiting communication between clients even within your own organization. Examines data crossing the firewall in the context of its protocol and connection state, no matter what its source or destination. Defines relationships between networks, depending on the type of access and communication allowed between them. Network templates Includes five network templates that correspond to common network topologies. After you use one of the templates to configure firewall policy, ISA Server 2004 will automatically create the necessary firewall policy and network relationships. Virtual private networking Network Load Balancing (Enterprise Edition only) Provides real-time failover and load balancing of connections made through an ISA Server 2004 Enterprise Edition array. Real-time failover enables high availability for enterprise arrays, while load balancing evenly distributes connections across firewall array servers to prevent network slowdowns related to affected firewalls. Improved VPN administration Includes fully integrated VPN capabilities, based on Microsoft Windows Server 2003 Routing and Remote Access. ISA Server 2004 can assign Internet Protocol (IP) addressing information to VPN clients

4 Security policies and stateful inspection for VPN connecting to the network and can apply policy on all remote access VPN client and VPN gateway traffic. Enables you to configure VPN clients as a separate network and create distinct access policies for each VPN client. The rules engine uses the access policy to check requests from VPN clients, statefully inspect these requests, and dynamically open connections between the VPN clients and the network. Security infrastructure Interoperability with third-party IPsec VPN solutions Supports the industry-standard IPsec tunnel-mode VPN protocol. This means that ISA Server 2004 can plug into environments with mixed VPN infrastructures, including infrastructures employing IPsec tunnel mode site-to-site VPN connections. Improved Application filtering ISA Server 2004 enables you to choose from a variety of new application filtering capabilities and server publishing scenarios. One new filtering capability, enhanced HTTP filtering, is specifically designed for Exchange Server, Outlook Web Access, and Internet Information Services. Improved Extensive protocol support Authentication mechanisms You can use more than 100 predefined protocols to integrate ISA Server 2004 with major Internet applications. In addition, ISA Server 2004 enables you to control access to any protocol and usage of any protocol, including IP-level protocols and IPsec traffic by configuring your own custom protocol definitions. You can authenticate users using built-in Windows, RADIUS, or RSA SecurID authentication types or namespaces, applying rules to users or user groups in any namespace. Improved Simplified policy model ISA Server 2004 now uses a single, ordered rules engine that provides detailed mechanisms for managing traffic and enforcing policy. Using this rules engine, administrators can control network and Internet access by user, group, application, content type, schedule, and destination. Dynamic packet filtering (stateful packet inspection) ISA Server 2004 reduces the risk of external attacks by opening ports only when needed and allowing only valid traffic through statefully monitored ports. Improved Smart application filters Data-aware application filters inspect application-layer commands and data that enable you to control application-specific traffic, such as and streaming media. Improved Updated Firewall Client Transparency for all clients Firewall Client enables you to integrate transparent authentication, automatic Web proxy configuration, and role-based security through user and group-based firewall policy. Other key enhancements include better optimized connectivity for complex protocols, multiple user account support, and encrypted communications between the Firewall Client and ISA Server ISA Server 2004 is compatible with clients and application servers on all platforms, through SecureNAT client configuration, which requires no client software or manual configuration network hosts. Improved Publishing ISA Server 2004 enables you to place servers behind the firewall, either on the corporate network or a perimeter network, and securely publish their services to the Internet. Cache Link translation Link translation functionality in ISA Server 2004 allows for intelligent translation of internal links into publicly accessible sites and hides the actual names of corporate servers. Improved Cache rules A centralized mechanism for cache policy rules enables you to configure how objects stored in cache are retrieved and served. Management Efficient content distribution High performance Web caching Smart caching CARP-enabled Web caching arrays (Enterprise Edition only) You can improve response times and cut bandwidth costs by distributing and caching Web sites and e-commerce applications locally, to bring Web content closer to users. Web caching provides users with accelerated Web access and saves network bandwidth. You can proactively cache popular objects to ensure the freshest content for each user. You can also preload the cache with entire Web sites on a defined schedule. ISA Server 2004 Enterprise Edition CARP-enabled Web caching arrays significantly extend the bandwidth saving and performance enhancing Web cache included in all versions of ISA Server Web caching arrays provide load balancing and failover for Web access from any Web browser. Improved Management management features make it easier to secure your networks. ISA Server 2004 offers new user interface features, such as task panes, help panes, and a new look for the firewall policy editor, including drag-and-drop capabilities. Export and import ISA Server 2004 introduces the ability to export and import configuration information between ISA Server computers through an.xml file, enabling you to easily replicate firewall configurations for multisite

5 deployment. Dashboard A single view presents a summarized version of key monitoring information. If you see a problem, you can easily drill down into other monitoring viewers for more information. Log viewer A log viewer lets you display the firewall logs in real time either in an online real-time mode or in a historic review mode. You can also apply filtering to log fields to identify specific entries. Improved Centralized logging and reporting (Enterprise Edition only) Centralized storage of firewall policy (Enterprise Edition only) ISA Server 2004 logs and reports on traffic moving through all members of an enterprise array. There is never a need to collect log file information from each firewall and collate it to create unified report information. ISA Server 2004 uses Active Directory Application Mode (ADAM) for firewall policy storage. ADAM storage allows you to place policy storage containers anywhere in the organization, allowing enhanced flexibility and availability for firewall policy redundancy and facilitated access.

6 Specifications To use ISA Server 2004, you need: PC with a 550 MHz Pentium III or higher processor (ISA Server 2004 Standard Edition supports up to four CPUs on one server) Microsoft Windows Server 2003, Standard Edition or Enterprise Edition, Windows 2000 Server or Windows 2000 Advanced Server with Service Pack 4 or later, or Windows 2000 Datacenter Server. Windows Server 2003, Standard Edition or Enterprise Edition is required for ISA Server 2004 Enterprise Edition 256 megabytes (MB) or more of RAM (recommended) NTFS-formatted local partition with 150 MB of available hard-disk space Additional space required for Web cache content Network adapter that is compatible with the computer's operating system for communication with the Internal network; one additional network adapter, modem, or ISDN adapter for each additional network connected to the ISA Server computer One additional network adapter required for ISA Server 2004 Enterprise Edition integrated NLB for intra-array communications CD-ROM or DVD-ROM drive VGA or higher-resolution monitor Keyboard and Microsoft mouse or compatible pointing device Notes: If you install ISA Server 2004 Standard Edition on a Windows 2000 Server operating system, you must install Windows 2000 Service Pack 4 or later and Internet Explorer 6 or later. If you are using the Windows 2000 Server or Windows 2000 Advanced Server with Service Pack 4, you must install the hotfix specified in Microsoft Knowledge Base Article ( We recommend that all customers deploy current security implementation best practices as outlined on the Microsoft Security Web site ( Additional hotfixes may be recommended. Actual system requirements will vary based on your deployment configuration, expected load time, and the features you choose to install. For more information about ISA Server 2004, visit TO ORDER: To order ISA Server 2004, or to receive a reseller referral in the United States or Canada, call (800) , Dept. A334DS. Outside the United States and Canada, please contact your local Microsoft subsidiary. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services by calling (800) in the United States or (905) in Canada Microsoft Corporation. All rights reserved. This data sheet is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, Outlook, SharePoint, Windows, Windows Server, and Windows Server System are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.