Secure Remote and Outbound Internet Access Using ISA Server 2006 Web Proxy

White Paper
Published: June 2006
For the latest information, please see

Table of Contents

Introduction
Meeting the Challenges of Secure Remote Access
Assuring Security and Compliance Managers that Remote Access Connections Are Secure
ISA Server 2006 Solutions for Assuring Security and Compliance Managers that Remote Access Connections Are Secure
HTTP Filter
Pre-Authentication Support for Multiple Authentication Mechanisms
SSL Bridging
Real-Time Alerting
Detailed Logging and Reporting
Built-in Configuration Support for Microsoft Exchange Web Services
Built-in Configuration Support for Windows SharePoint Services
Comprehensive Support for Application-Layer Inspection Enhancement
Performance Issues Due to Remote Access Connectivity
ISA Server 2006 Solutions for Performance Issues Due to Distributed Workforce Remote Access Connectivity
Web Proxy Caching
SSL Bridging
Web Farm Load Balancing
ISA Server 2006 Solutions for Simplifying Deployment of an Application Security and Acceleration Solution
ISA Server 2006 Solutions for Reducing Cost of Network Operations
Meeting the Challenges of Secure Employee Internet Access and Increasing Employee Productivity
Securing Employee Access to the Internet
ISA Server 2006 Solutions for Employee Access to the Internet
HTTP Filter
Per-Site Access Controls
Per-Group Access Controls
Time of Day Access Controls
Content Type Access Controls
Comprehensive Logging and Reporting
Increasing Employee Productivity by Accelerating the Internet
ISA Server 2006 Solutions for Increasing Employee Productivity
High Performance In-Memory and Disk Web Cache
Cache Rules
Content Download Jobs
Web Proxy Chaining Rules
HTTP Compression
Quality of Service Controls for Web Connections
Integrated Network Load Balancing
Summary

Introduction

Almost all companies today have a connection to the Internet that provides access to information on Web servers at partner and customer sites, as well as access to Web content at main offices from branch locations. Although the Internet and branch office networks provide employees the ability to quickly share and act on information, they also carry the risk of sharing and spreading dangerous exploits and attacks from hackers and malicious mobile code.

Today's businesses must have a way to allow secure access to corporate Web servers for users located outside the enterprise network. The same solution must protect users on the company network from downloading information dangerous to employees, the company, and its information technology (IT) systems.

A popular and powerful solution to the problems of secure Web access is a Web proxy. Web proxy devices help enable a company to control the flow of information moving over Web channels using the Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), and File Transfer Protocol (FTP) application protocols. Web proxy servers act as intermediaries between client and server. The Web proxy server can inspect the content of all Web communications and help prevent suspicious and potentially dangerous communications and code from traversing the corporate network edge.

Web proxy devices can speed access to business content, make content available when the Web server is unavailable, and reduce bandwidth costs by employing Web caching technologies. A caching Web proxy server stores content closer to the user and sends it to the user without needing to pass requests to a Web server located across an unreliable Internet connection or a bandwidth-constrained dedicated wide area network (WAN) link.

Microsoft Internet Security and Acceleration (ISA) Server 2006 is a Web proxy server that addresses these modern business problems.
ISA Server helps provide secure remote access to information contained on corporate Web servers. ISA Server helps to secure and control Internet access for employees located on the corporate network. You can reduce total cost of network operations by deploying the ISA Server 2006 Web proxy server and improve employee productivity by using ISA Server 2006 Web proxy caching.

Examples of how the ISA Server 2006 Web proxy can increase security and performance include:

- Pre-authenticating users before allowing access to corporate Web servers.
- Pre-authorizing users before allowing access to company data resources.
- Checking for potential attack code in the HTTP Web connection.
- Blocking access to sensitive corporate information.
- Caching Web content to improve the end-user experience.
- Controlling which content corporate users can connect to over the Internet.

ISA Server 2006 provides two general types of Web proxy services: forward proxy and reverse proxy. A forward proxy intervenes between connections from users on the corporate network when they access information located outside the corporate intranet. A reverse proxy coordinates Web communications between users on the Internet and information located on the corporate network. The same device can provide both forward and reverse proxy services.

This white paper explores how ISA Server 2006 provides enhanced security and application acceleration by acting as both forward and reverse Web proxy for your corporate network. In particular, this white paper discusses how ISA Server 2006 meets the challenges of a distributed workforce and controls access to Internet content for users located on the corporate network.

Meeting the Challenges of Secure Remote Access

Companies are seeking more ways to utilize existing business intelligence to gain an advantage over the competition. To gain a competitive advantage, firms are seeking ways to position existing data assets so that the corporate workforce can access information from anywhere in the world. This anywhere access increases business agility by providing remote access to information hosted on the corporate network, which may be unavailable when employees leave the company facilities.

Remote access refers to the ability to access information hosted on corporate servers even when users and their computers are not physically located on the corporate network. Remote access provides an increased array of options for positioning employees, while still making corporate information available to these employees. Examples include:

- Telecommuters: With increased availability and adoption of high-speed Internet connections comes the home working option. Companies can benefit from reduced infrastructure costs by enabling telecommuting on a full-time or part-time basis.
- Sales force and executives: Sales personnel require access to information on corporate servers. Mobile workers require access to Microsoft Office Word documents, Microsoft PowerPoint presentations, database information, and more. Executives also require real-time access to information when visiting with customers and partners.
- Corporate partners: Companies forging strategic relationships with other firms need a secure and reliable method to share proprietary information. Shared parts lists, price quotes, order information, and other data enable businesses to quickly take advantage of time-sensitive opportunities.

Secure remote access to corporate applications and data is a key factor to success in today's business environment. To take advantage of secure remote access, you need to rethink the definition of the corporate network.
The corporate network is typically thought of as a separate entity, physically partitioned from the Internet, which is not secure, populated by hackers, malicious users, and other potential intruders. However, with the introduction of remote access connections, it is now clear that the boundaries of the corporate network extend to the entire Internet.

There are four primary problems that need to be solved to take full advantage of the benefits provided by remote access to corporate data:

- Assure security and compliance managers that remote access connections are secure.
- Solve performance issues due to connections made by a remote workforce.
- Simplify deployment of an application security and acceleration solution.
- Reduce the cost of network operations related to remote connections.

Assuring Security and Compliance Managers that Remote Access Connections Are Secure

Although remote access connections can provide businesses with a strategic advantage, these same connections can increase the risk of information leaks and data theft. Most businesses have security and compliance concerns related to remote access connections because attackers can potentially use the same mechanisms employees use to legitimately access corporate information.

ISA Server 2006 addresses the following concerns of security and compliance managers:

- Prevent dangerous connections from hackers and intruders from reaching corporate Web sites: Hackers on the Internet can access corporate information through the same channel provided for employee access. You need to stop potential attacks against your Web sites before intruders reach them. The ISA Server 2006 Web proxy is able to inspect all connections to corporate Web sites and stop potentially dangerous connections at the ISA Server computer. This allows employees to access the corporate data they need while stopping attacks before they ever reach the Web server.
- Prevent anonymous connections to corporate Web servers: Many companies allow connections to corporate Web servers hosting Microsoft Exchange Server and Microsoft Office SharePoint Portal Server by configuring corporate firewalls to allow Internet-based users access to those servers. This can put the company's data at risk because the firewall is not able to identify the user before allowing the connection. This allows anonymous attackers to perform password, denial of service, and similar attacks against the Web server. When ISA Server 2006 is used as a Web proxy to protect the corporate Web sites, users must first successfully prove their identity before the connection to the corporate server is allowed. In addition, even after the users successfully prove their identities, only those users who have been granted permission to access those information resources are allowed to connect to the corporate server. SharePoint Portal Server is one example of a type of Web server that benefits from this type of protection.
- Prevent negative compliance impact due to remote user activity: Corporate compliance officers need information about who connected to company data, when they accessed company data, and what they did when connected to the corporate network through a remote access connection.
  The ISA Server 2006 Web proxy helps solve compliance issues by comprehensively logging extensive user information for all connections made to corporate Web servers through the proxy. Log data can be used to create comprehensive reports on remote user activity. The ISA Server 2006 Web proxy logs can be queried to provide detailed information about resource usage and user activity.

ISA Server 2006 Solutions for Assuring Security and Compliance Managers that Remote Access Connections Are Secure

ISA Server 2006 includes a number of technologies that address the problems faced by security and compliance managers. These include:

- HTTP filter
- Pre-authentication support for multiple authentication mechanisms
- Secure Sockets Layer (SSL) bridging (SSL termination and initiation)
- Real-time alerting
- Detailed logging and reporting
- Built-in configuration support for Microsoft Exchange Web services
- Built-in configuration support for Microsoft Windows SharePoint Services
- Comprehensive support for application-layer inspection enhancement

HTTP Filter

Using the HTTP filter, you can view virtually all components of the Web traffic that is moving through the ISA Server computer, and make decisions about the relative risk those connections pose to the corporate Web servers. If the HTTP filter detects that a potential attack is being launched against the corporate Web servers, the ISA Server 2006 Web proxy may be able to automatically block those connections. The threat of data theft or destruction is stopped at the Web proxy.

In addition to the possibility of blocking incoming and outgoing attacks, the HTTP filter can be configured to block dangerous programs, such as some types of instant messaging, peer-to-peer file sharing, and Voice over IP (VoIP) applications.

The HTTP filter can be enabled for all Web connections made through the ISA Server 2006 Web proxy. There is a secure default configuration. The ISA Server 2006 administrator can customize the HTTP filter to provide specialized security for corporate Web servers, such as those hosting Microsoft Office Outlook Web Access, Exchange ActiveSync, Outlook 2003 remote procedure call (RPC) over HTTP, and Windows SharePoint Services.

Pre-Authentication Support for Multiple Authentication Mechanisms

Most organizations set access controls on corporate data. Access controls enable users to see information they require to perform their work, but prevent them from seeing sensitive or extraneous information. Access controls are typically set on servers throughout the organization, such as on file servers, Web servers, FTP servers, e-mail servers, and data collaboration servers.

Because of the risk posed by anonymous attackers who can be located anywhere on the Internet, it's vital that users first identify themselves to the Web proxy before being allowed to gain access to corporate data. Pre-authentication is an access control method whereby the ISA Server 2006 Web proxy successfully identifies the user before allowing the connection to the corporate Web server.

Access control includes more than authentication. Robust access control includes both authentication and authorization. The ISA Server 2006 Web proxy also pre-authorizes connections to the company's Web sites.
Pre-authorization enables you to control which users are able to connect to company data through remote access connections, even if they have successfully identified themselves (authenticated) with the ISA Server 2006 Web proxy.

SSL Bridging

Secure Sockets Layer (SSL) is an encryption protocol used to secure HTTP traffic from eavesdropping or tampering. Intruders are unable to access the contents of an SSL-secured HTTP payload because they are not able to decrypt the HTTP message.

Although SSL-secured Web connections provide privacy by encrypting the user name, password, and contents of the Web traffic, traditional network firewalls cannot protect corporate Web servers from attacks that might remain hidden inside the SSL-encrypted content. Because the firewall can't read the contents of the connection, it can't recognize malicious content.

The ISA Server 2006 Web proxy can correct the security weaknesses inherent in traditional network firewalls by decrypting and inspecting the contents of an SSL Web session. ISA Server 2006 can accomplish this by performing SSL bridging. SSL bridging allows the ISA Server 2006 Web proxy to decrypt the SSL traffic, inspect it for information that might be consistent with an attack, and drop the connection if it is suspicious. If it appears that the content is not harmful, ISA Server re-encrypts the content and forwards it to the appropriate Web server.

Real-Time Alerting

Network security officers and administrators need to know in real time the current status of the ISA Server 2006 Web proxy. Real-time alerts provide critical information required to respond to attacks, performance problems, system hardware failures, and Web proxy service issues. ISA Server 2006 administrators can receive real-time alerts about Web proxy server status via e-mail, pager, or system-wide alerts.

ISA Server 2006 is fully supported by Microsoft Operations Manager (MOM) and enables ISA Server to be part of a centrally managed services environment.
The ISA Server 2006 MOM pack provides the MOM server with the intelligence required to detect and interpret configuration, management, and security issues. It then alerts ISA Server 2006 and MOM administrators using MOM alerting.

For more information about Microsoft Operations Manager, see the MOM home page at the Microsoft Operations Manager Web site.

Detailed Logging and Reporting

Security and compliance managers must have detailed information about the information that users access through remote access connections. Detailed logging should include the name of the user accessing corporate information, the day and time the user accessed information, and the nature of the information that the user accesses during the remote access connection. This data must be available for network audits, forensic analysis, and industry standards compliance requirements.

ISA Server 2006 Web proxy logging and reporting provides this information and much more. The default log settings enable the ISA Server 2006 Web proxy to gather detailed information about user activity, and then create reports using the ISA Server 2006 built-in reporting engine. Reports can be customized to provide summary information about user activity when connecting to the corporate Web server.

Third-party reporting add-ins can be used to provide more targeted information about user activity through the ISA Server 2006 Web proxy. For more information about third-party enhancements to ISA Server 2006 reporting, see the Microsoft ISA Server 2006 Partners Web site.

Built-in Configuration Support for Microsoft Exchange Web Services

Configuring Web proxy devices to provide secure remote access to Microsoft Exchange Web services can be a complex undertaking. There are many important details involved with the configuration. A single error can make the Exchange Server Web services inaccessible or even allow connections that are not secure to the Exchange Web services.

ISA Server 2006 was built to provide secure remote access to Exchange Server.
To ensure that ISA Server 2006 Web proxy is configured in a correct and secure fashion, a powerful Mail Server Publishing Wizard automates the complex task that allows secure remote access connections to Exchange. The Publish Exchange Web Client Access Wizard configures ISA Server 2006 to provide secure remote access to the following Exchange Web services:

- Outlook Web Access: Used by Web browsers to provide a rich user experience comparable to the full Outlook client application.
- Outlook Mobile Access: Used by smart phones to enable access to user mailboxes.
- Exchange ActiveSync: Used by Windows Mobile-enabled personal digital assistants and phones to provide an Outlook-like user experience.
- Outlook RPC over HTTP: Used by Outlook 2003 to provide the full Outlook user experience even when the user is located behind a restrictive firewall.

ISA Server 2006 configuration wizards make it easy for the administrator to quickly create rules providing secure and reliable access to all the Exchange Web services and do so in a minimum amount of time without high training costs.

Built-in Configuration Support for Windows SharePoint Services

SharePoint Portal Server enables enterprises to develop an intelligent portal that seamlessly connects users, teams, and knowledge so that people can take advantage of relevant information across business processes to help them work more efficiently. SharePoint Portal Server provides an enterprise business solution that integrates information from various systems into one solution through single sign-on (SSO) and enterprise application integration capabilities, with flexible deployment options and management tools.

Providing remote access to SharePoint Portal Server can be a security and compliance challenge because of the complexities inherent in configuring a Web proxy to support secure remote access to SharePoint Portal Server computers. Because of the highly confidential nature of the information stored on corporate SharePoint Portal Server computers, exceptional care is required when configuring the Web proxy because a single error can compromise data privacy and integrity.

ISA Server 2006 was built to support secure and reliable remote access connections to SharePoint Portal Server. The SharePoint Portal Server Web Publishing Wizard, which is included with ISA Server 2006, makes it a simple task for any Windows-savvy administrator to quickly, accurately, and securely enable remote access connections to a company's SharePoint Portal Server information stores.

Comprehensive Support for Application-Layer Inspection Enhancement

Unlike conventional, stateful packet inspection only firewalls, the ISA Server 2006 Web proxy makes decisions that are more sophisticated than just allowing or denying by performing application-layer inspection. Application-layer inspection is an ISA Server 2006 feature that enables the Web proxy to make assessments about the validity and safety of the Web communications moving through the ISA Server Web proxy. One example of the ISA Server 2006 Web proxy application-layer inspection feature set is the HTTP filter, described earlier in this document.

ISA Server 2006 includes strong application-layer inspection mechanisms. ISA Server 2006 is also a flexible and extensible solution so that you can significantly enhance application-layer inspection. Using third-party ISA Server 2006 Web proxy add-in filters, you can:

- Inspect Web traffic for viruses.
- Prevent malicious applications from tunneling through a normal Web connection.
- Enable ISA Server 2006 to inspect XML traffic.
- Perform additional security tasks.

Extensions to the ISA Server 2006 Web proxy's application-layer inspection feature set can be found at the Microsoft ISA Server 2006 Partner Web site.

Performance Issues Due to Remote Access Connectivity

Employees, customers, and partners require fast and reliable access to data contained on corporate servers. Overloading the servers can cause a several-second delay in data acquisition. When these several-second delays are multiplied by hundreds or thousands of users over the course of hundreds of thousands of data access attempts, there is a potential for a significant loss of productivity because of poor server performance.

Introducing remote access connectivity to corporate Web servers via a Web proxy can put extra load on those servers. Users located on the corporate network need to compete with data access attempts of new users located outside the corporate network. The increased number of users accessing the same data on the same servers not only increases the load on the corporate data servers themselves, but also increases the load on the entire corporate networking infrastructure.

There are several ways companies can solve these problems. These include:

- Employing reverse caching to decrease corporate intranet traffic: Web proxy devices often have the capability to cache or store information previously requested by other users. If a previous user has already requested information from the corporate Web server, that information can be stored in the cache located on the Web proxy device. When subsequent users request the same information, the Web proxy device can return the information from its cache instead of forwarding the request to the corporate Web server. This reduces the traffic load on the intranet and also reduces the burden on the corporate Web server's processor and memory.
- Configuring a Web proxy to perform SSL offloading: Secure Web connections using the SSL encryption method can tax processor resources on corporate Web servers. Remote access connectivity adds to the stress on the corporate Web servers because of the additional secure SSL Web connections introduced by remote users. This problem can be solved by using a method known as SSL offloading. SSL offloading makes it possible for external users to create secure SSL Web connections to the Web proxy and then have the Web proxy forward those connections as unencrypted connections to the corporate Web server. This reduces the burden of SSL encryption processing on the Web server while ensuring a secure SSL Web connection for the connection that travels over the Internet.
- Deploying a Web farm of servers performing the same roles or containing the same content: A Web farm is a collection of Web servers that perform the same roles or contain the same content. Deploying a Web farm allows you to reduce the load on, and increase the performance of, each individual Web server in the Web farm by spreading the traffic across multiple computers (load balancing). A Web farm can also provide for increased reliability because it's possible to have connections automatically moved away from a disabled server to one in the Web farm that is still functional (fault tolerance).

ISA Server 2006 Solutions for Performance Issues Due to Distributed Workforce Remote Access Connectivity

ISA Server 2006 Web proxy capabilities can solve performance problems using the following technologies:

- Web proxy caching
- SSL bridging
- Web farm load balancing

Web Proxy Caching

The ISA Server 2006 Web proxy includes a powerful Web caching feature enabling it to store information previously requested by users on the ISA Server 2006 Web proxy device. Web proxy caching can reduce load on the corporate Web servers due to remote access connections.

For example, consider a company with a SharePoint Portal Server computer containing a number of static Web pages, files, and graphics that are accessed by remote users. The Web server must respond each time a user located outside the corporate network makes a request for content when a caching Web proxy is not in use. When another user located outside the corporate network makes a request for the same content, the Web server must also respond to that request. If there are hundreds or thousands of users outside the corporate network making requests for the same information on the SharePoint Portal Server computer, the server must respond to each of these requests individually. This creates a duplication of effort. This repeated process can put strain on the SharePoint Portal Server computer, reducing performance for users located both inside and outside the corporate network.

The ISA Server 2006 Web proxy caching solution improves performance by caching content already requested by previous users. In the SharePoint Portal Server scenario, a user outside the corporate network requests a file stored on the SharePoint Portal Server computer. A second user makes a connection through the ISA Server 2006 Web proxy and requests the same file.
The ISA Server 2006 Web proxy has a copy of the file that the first user requested in its Web cache, and it sends this copy to the second user. The SharePoint Portal Server computer need never be contacted for the second request. This prevents redundant requests to the Web server and reduces server load.

Companies can benefit from the intelligence built into the ISA Server 2006 Web caching feature. The ISA Server 2006 administrator can customize how the Web proxy caches content so that some content is always cached, some content is never cached, and some content is cached based on settings on the Web server. The ISA Server Web proxy administrator can also control whether content served over a secure SSL Web connection is cached. This is an important security feature that is not available in many other Web proxy solutions.

SSL Bridging

Using the ISA Server 2006 Web proxy's unique SSL bridging feature, you can reduce resource consumption on the corporate Web server by allowing external users to establish a secure SSL connection to the ISA Server 2006 Web proxy and then have the Web proxy forward the connection as an unencrypted HTTP connection. This enables secure connections over the Internet while reducing processing on the corporate Web server (SSL offloading).

SSL offloading can be difficult to configure with some Web proxy solutions. Mistakes can lead to failed remote access connections to corporate Web servers and potential security compromises. ISA Server 2006 reduces the danger of deploying SSL offloading. The ISA Server Web publishing wizards make it easy to properly configure and secure connections from remote access users to the corporate Web servers.

Web Farm Load Balancing

Companies can reduce the load and increase performance on corporate Web servers by creating Web farms. Servers participating in the Web farm act in the same role or contain duplicated content.
For example, your firm might want to increase reliability and performance for remote access connections to Exchange Web services by creating a Web farm of front-end Exchange servers. In another example, your company may want to host a Web farm of SharePoint Portal Server computers that are designed to contain duplicated content.

Web farms not only increase performance by reducing load on each server in the Web farm, they also increase availability. If one server in the Web farm is disabled (such as being taken offline for maintenance), other servers in the Web farm take over, so remote access users are never aware of the offline server.

The challenge to taking full advantage of Web farms is to have a Web proxy that can load balance connections across the multiple servers and provide failover for offline servers. ISA Server 2006 includes a new Web farm publishing feature, which allows companies to take full advantage of their Web farms. ISA Server 2006 can automatically load balance connections to members of a Web farm so that no server in the Web farm receives more connections than any other, effectively randomizing connections among all the servers in the farm.

If one server in the Web farm becomes unavailable, the ISA Server 2006 Web proxy can automatically detect the situation and transparently redirect connections to online servers. Users are never affected by the disabled server and connections continue without interruption. ISA Server 2006 Web farm publishing makes it possible.

ISA Server 2006 Solutions for Simplifying Deployment of an Application Security and Acceleration Solution

Adding a new application protection device to the network can potentially strain networking infrastructure team resources. Unlike adding a new server or workstation, Web application security devices like ISA Server 2006 can potentially impact the workload of the network infrastructure team and increase network complexity.

The corporate networking team needs solutions compatible with their network infrastructure. The following is a common scenario encountered when introducing new application security devices to a network:

- The company already has a comprehensive firewall infrastructure in place and does not want or need to replace it.
- The corporate networking infrastructure team has an established routing and switching infrastructure and does not want to introduce an inline device requiring changes to the corporate IP addressing scheme.
- Employees responsible for application security are often not part of the network infrastructure team. This can cause delays in Web application security deployment and potential conflict among the teams.

ISA Server 2006 solves the Web application security and the network infrastructure team's problems by supporting a Web proxy only setup. Although ISA Server 2006 can be configured to be a powerful inline application inspection firewall, this is not a requirement. With the Web proxy only configuration, the ISA Server 2006 Web proxy can be set up with a single network interface card (NIC) and dropped onto the network like a file server, print server, or e-mail server.

ISA Server 2006 Solutions for Reducing Cost of Network Operations

Caching Web proxy servers can be used to reduce the overall cost of network operations. Unlike many other IT-related capital infrastructure investments, a caching Web proxy server can significantly reduce hard-coded costs related to network bandwidth usage as well as potential costs related to a security breach.

ISA Server 2006 can save bandwidth costs when deployed in the following scenarios:

- When the ISA Server Web proxy provides users on the corporate network forward proxy services: When the ISA Server 2006 Web proxy cache stores information from requests made by users connecting to Internet Web sites, it makes that information available to users who subsequently request the same information.
Each time the ISA Server 2006 Web proxy cache responds without requiring the connection to be forwarded to the Internet Web server represents Internet bandwidth cost savings. This may be a direct cost savings for companies paying for metered bandwidth, or an indirect savings in terms of increased performance or productivity for companies with unlimited access plans. When the ISA Server Web proxy provides forward proxy services for branch offices ISA Server 2006 Web proxy caching can reduce bandwidth on dedicated WAN links connecting main and branch offices. When a user at the branch office requests content from Web servers located either on the Internet or on the main office network, that content is stored in the branch office Web proxy cache. Subsequent requests for the same information are returned from the Web proxy cache instead of from the Internet or main office server. This can significantly reduce bandwidth costs related to WAN link usage. When the ISA Server Web proxy provides reverse proxy services for branch offices A variation of the previous configuration has the ISA Server 2006 Web proxy located at a branch office performing reverse proxy services. In this scenario, the ISA Server computer caches content from secure SSL Web servers and performs application-layer inspection on the otherwise unreadable SSL encrypted data. Because ISA Server 2006 Web proxy caches the information, repeated requests to the main office Web servers are not required, reducing bandwidth required on the WAN link and reducing costs related to tiered WAN pricing. Proactively cache content on branch office Web proxy servers 11

12 Many organizations have large amounts of content stored on main office Web servers. Users at branch offices need to have continuous access to this content, but access to content is often hampered by slow or unreliable WAN links. ISA Server 2006 can pre-load that content on each branch office server so that connections to main office Web servers are initiated only when content has changed. This increases employee productivity. It can also provide profound bandwidth savings. For a detailed analysis of the cost savings that can be realized by deploying a Web caching ISA Server 2006 proxy on the corporate network, see the Reducing Network Operating Expenses with ISA Server 2004 white paper at the ISA Server 2004 White Papers Web site. 12

Meeting the Challenges of Secure Employee Internet Access and Increasing Employee Productivity

Companies have typically allowed employees to access Internet sites without restrictions. This is no longer a viable option because employees may inadvertently download viruses, worms, remote access Trojan horses, rootkits, and other forms of malicious software (malware). Employees may deliberately access inappropriate content (pornography, pirated software, or songs) that can make the company civilly liable or even involve it in a criminal investigation. Unlimited access to the Internet creates an unacceptable security risk and significantly increases the likelihood that the company will fall outside of industry compliance guidelines.

Employees are under increased pressure to complete work quickly and efficiently. Most companies depend on fast and reliable Internet access to reach this goal. If access to information is impaired, the company can suffer thousands of dollars per hour in lost productivity.

Deploying an ISA Server 2006 Web proxy server can help mitigate the security risks of malicious code and inappropriate content, and improve employee productivity.

Securing Employee Access to the Internet

In a report published in 2004, technology market intelligence service IDC identified the following risks to corporate networks from uncontrolled access to the Internet:

- Rising number of Web-based viruses and blended threats, such as NIMDA, Code Red, and Blaster.
- Increasing use of peer-to-peer (P2P) file-sharing applications, which can be used to download copyrighted material, transfer infected files, and share proprietary corporate information to anyone in the world.
- Increasing prevalence of spyware, which can be used to capture user information such as user names and passwords, and can even include key logging software that records each keystroke made on the infected computer.
- Growing number of phishing attacks that rely on the naiveté of users to collect private information entered into forms on Web sites, which is subsequently used for identity theft or other fraudulent purposes.
- Expanding number of employees who download and install software from untrusted sources, which can potentially contain malicious software that can disable the users' computers or expose the company to fines due to unlicensed software use.
- Increasing problem of reduced employee productivity due to the expansion of online gaming, gambling, news, social networking, and other non-business related sites.

All of these exploits can be executed over Web connections using the HTTP, HTTPS, or FTP protocols. A Web proxy device can be used to prevent these exploits in the following ways:

- Control the downloading of Web-based viruses and other exploit code such as Trojan horses and rootkits by setting the Web proxy to disallow access to executable files and prevent connections to Web sites known for posting malicious code.
- Block access to P2P applications by configuring the Web proxy to block access to key logon sites required for the P2P applications and by inspecting characteristics of the HTTP communications to identify these applications.
- Stop phishing attacks by denying access to sites that post phishing pages.
- Enhance employee productivity by limiting sites that users are allowed to access and controlling how long they can access those sites.

ISA Server 2006 Solutions for Employee Access to the Internet

ISA Server 2006 Web proxy can solve Internet access control problems using multiple technologies. These include:

- HTTP filter
- Per-site access controls
- Per-group access controls
- Time of day access controls
- Content type access controls
- Comprehensive logging and reporting

HTTP Filter

As mentioned earlier in this white paper, the ISA Server 2006 HTTP filter can help prevent malicious users from sending illegal commands to corporate Web servers. When used in a forward proxy environment, the ISA Server 2006 HTTP filter can help block executable files that launch dangerous code such as spyware, worms, and viruses. The HTTP filter can also be configured to block dangerous file types, Web page extensions, and pages containing keywords considered inappropriate in a corporate computing environment.

Per-Site Access Controls

Blocking all Internet access is not feasible. The ISA Server 2006 Web proxy enables a company to create allow lists of sites approved by corporate security and compliance teams. Employees are able to use the Internet to complete their work but are blocked by the ISA Server 2006 Web proxy from seeing content on unapproved sites. If the company has a less restrictive Internet access philosophy, the ISA Server 2006 Web proxy can be configured to block known dangerous or non-work related sites while enabling access to all other Internet content.

Per-Group Access Controls

Not all users require the same level of Internet access. Some users require access to a very limited set of Web sites. Other groups of users need access to a much broader range of Web sites, and still other groups may require unrestricted access to Internet content. ISA Server 2006 enables you to configure custom rules so that Internet access can be granted on a per-user or per-group basis, enabling all employees the access they require and nothing more.

Time of Day Access Controls

Many companies do not allow Internet access except for certain times of day or particular days of the week. Other companies allow access to work-related sites at all times of day and all days of the week, but restrict access to other sites to specific times of day or days of the week. ISA Server 2006 enables you to have fine-tuned control over sites that employees access, and when they can access them.

Content Type Access Controls

Companies require strong access controls to prevent downloading of high risk or productivity draining content. ISA Server 2006 includes comprehensive controls for restricting content access. ISA Server 2006 enables the administrator to allow or deny access to the following types of content:

- Applications
- Application data files
- Audio files and streaming content
- Documents
- HTML documents
- Images
- Macro documents
- Text
- Video
- Virtual Reality Modeling Language (VRML)

ISA Server 2006 enables the company to create Web proxy policies so that content controls can be applied on a per-site, per-user, per-time of day, or day of week basis. Using the ISA Server 2006 Web proxy provides your company robust access control over all information moving over Web connections.

Comprehensive Logging and Reporting

ISA Server 2006 Web proxy logging and reporting provides comprehensive information about user Internet access. Default log settings enable ISA Server to gather detailed information about user Web access and create illustrative reports using the ISA Server 2006 built-in reporting engine. You can customize reports to provide detailed information about user Web access. Third-party reporting applications can be used to provide even more detailed reports about user activity through the ISA Server 2006 Web proxy. For more information about third-party enhancements to ISA Server 2006 reporting, see the Microsoft ISA Server 2006 Partners Web site.

Increasing Employee Productivity by Accelerating the Internet

Employees require fast and reliable Internet access to complete work quickly and efficiently. Companies can suffer from low employee productivity due to slow or unreliable access to data in a number of situations. Some of these include:

- Slow or offline Internet Web servers

  The Internet is not a reliable network. There are many points of passage between corporate Internet users and the Internet Web site. If any critical link between the corporate network and the Web site becomes unavailable, users may not be able to complete vital work-related tasks. Web proxy servers cache content from mission-critical Web sites so that even if the Web sites are slow to respond or offline, that content can still be delivered to the user from the Web proxy cache.

- Saturated Internet links

  As Internet use becomes increasingly critical for information access, the demands on the corporate Internet link increase. With increased usage of the existing corporate Internet connection comes the prospect of bandwidth saturation. High speed, reliable Internet connections are expensive. Upgrading Internet connections not only incurs the increased expense inherent in the service, but possibly additional costs related to hardware and software upgrades necessary to support the new connection. Companies can either avoid or reduce the costs of upgraded links by introducing a caching Web proxy.

- Unavailable Intranet Web servers

  Users at branch offices often require access to large amounts of information contained on corporate Web servers. Access to this information is critical for almost every employee on the network. If these mission-critical Web servers should become unavailable for any reason, workflow could stop. Branch offices are at risk of being unable to access essential information because they often use relatively unstable dedicated WAN links or site-to-site virtual private network (VPN) connections to connect to the main office. Introducing a caching Web proxy server at the branch office enables branch office employees access to copies of the data contained on the main office Web server even when the WAN or Internet links are unavailable.

- Slow branch office WAN links

  Branch office employees can still suffer reduced productivity even when the links to the main office are available. Branch office WAN links can become saturated by the increasing burden of application traffic moving over them. The end-user experience becomes frustrating and time consuming due to these slow connections. A caching Web proxy server can help solve this problem by bringing content closer to branch office users and making it available to them at local network speed even when the WAN link is saturated.

ISA Server 2006 Solutions for Increasing Employee Productivity

ISA Server 2006 Web proxies solve employee productivity problems using the following technologies:

- High performance in-memory and disk Web cache
- Cache rules
- Content download jobs
- Web proxy chaining rules
- HTTP compression
- BITS caching
- Quality of Service controls for Web connections
- Integrated Network Load Balancing (NLB)

High Performance In-Memory and Disk Web Cache

ISA Server 2006 includes a high performance in-memory and disk-based Web caching system. The in-memory cache allows the ISA Server computer to hold the most popular and most recently accessed Web content in ultra-fast RAM memory. Less popular and older Web content is stored in the hard disk-based cache. The combination of in-memory and disk-based caches enables the ISA Server computer to return gigabytes of cached Web content at near wire speed.

Cache Rules

There is a wide variety of content from Internet and corporate Web servers that can be cached. However, a company may not want to cache all cacheable content. For example, the company may choose to cache only work-related information. The company may want to cache static content but not dynamic content. Another company may want to cache all content, even if the Web server hosting the content does not indicate that the content is cacheable. ISA Server 2006 provides your firm a high level of control over which content is cached, how long content is cached, the maximum size of cached Web objects, the total amount of content that can be cached over a period of time, and much more.

Content Download Jobs

Critical content should always be available, even if the Internet connection or the Web server hosting the content fails. ISA Server 2006 helps make content available continuously using the ISA Server content download job feature. A content download job can be configured to automatically download into the Web proxy cache information that must always be available. Content download jobs can also be scheduled on a custom basis so that the Web proxy cache is automatically updated with the latest version of required content.

Web Proxy Chaining Rules

Businesses often deploy multiple layers of Web proxy servers. Web proxy servers can be connected to other Web proxies in a communications chain allowing downstream Web proxies to benefit from upstream Web caches. An example of this type of Web proxy communications network is the branch office Web proxy linked to a main office Web proxy. In most cases, the main office Web proxy has a much larger Web cache than that of the branch office. This enables the branch office Web proxy to receive content from the main office Web proxy. The company saves the cost of Internet bandwidth that would otherwise be required to obtain the content from the Internet Web server. ISA Server 2006 allows you to create Web proxy chaining rules to create high performance Web proxy networks.

HTTP Compression

You can transport less data faster than more data over a network connection. ISA Server 2006 takes advantage of this fact by reducing the size of the information crossing the network over a Web connection. Using industry standard methods of HTTP compression, ISA Server 2006 compresses information it sends and receives over the network. HTTP compression reduces the bandwidth required to communicate over the intranet to the Internet and over branch office WAN links. Because less bandwidth is required, users are able to connect to information resources much more quickly to complete their work.

Quality of Service Controls for Web Connections

Network routers, firewalls, switches, and other network devices make best effort attempts to deliver data over the network. This means all connections are treated equally. Many companies recognize that data transfers to and from some servers are more important than others. Quality of Service (QoS) controls allow you to prioritize communications to key corporate assets. ISA Server 2006 includes a built-in QoS feature enabling you to give higher priority to connections to key servers. Users connecting to these servers receive information faster than when connected to servers that do not receive preferential treatment. ISA Server 2006 QoS enables you to streamline communications to essential sites while providing best effort connections to other sites.

Integrated Network Load Balancing

Although ISA Server 2006 technologies discussed in this section help accelerate access to the Internet, NLB makes Internet access highly available. ISA Server 2006 Enterprise Edition can be configured in an NLB array of servers. When a member server in an NLB array goes offline or becomes unavailable due to maintenance, other servers in the array take over that server's duties to ensure that employees can access Internet information. Only when all array members are offline will employees not be able to access business-critical information on the Internet.
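The per-site, per-group, time of day, and content type access controls described earlier in this section combine into a single decision for each Web request. The following is an added example, not part of the white paper and not ISA Server code, that sketches one way a forward proxy can evaluate such a policy. First-match rule ordering, default deny, the group names, the host names, and the MIME patterns behind each content type are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase

WEEKDAYS = frozenset(range(5))   # Monday=0 .. Friday=4
ALL_DAYS = frozenset(range(7))

# Content types named in the white paper; the MIME patterns are assumed.
CONTENT_GROUPS = {
    "Applications": ("application/x-msdownload", "application/octet-stream"),
    "Audio": ("audio/*",),
    "Video": ("video/*",),
    "Images": ("image/*",),
    "HTML documents": ("text/html",),
}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    groups: frozenset = frozenset()   # empty = applies to all users
    sites: tuple = ()                 # host patterns; empty = any site
    days: frozenset = ALL_DAYS
    start: time = time.min            # same-day window only (no overnight)
    end: time = time.max
    content: tuple = ()               # content type names; empty = any

@dataclass(frozen=True)
class Request:
    groups: frozenset                 # groups of the authenticated user
    host: str
    when: datetime
    mime: str                         # Content-Type of the response

def host_matches(pattern, host):
    """Exact match, or '*.domain' matching subdomains of that domain only."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".vendor.example"
        # Require the dot so "evilvendor.example" cannot pass as a subdomain.
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern

def mime_matches(group_names, mime):
    """Compare the media type without parameters such as '; charset=...'."""
    base = mime.split(";", 1)[0].strip().lower()
    return any(fnmatchcase(base, pat)
               for name in group_names for pat in CONTENT_GROUPS[name])

def in_schedule(rule, when):
    return when.weekday() in rule.days and rule.start <= when.time() <= rule.end

def evaluate(rules, req):
    """Return (action, rule name) of the first rule whose conditions all hold."""
    for rule in rules:
        if rule.groups and not (rule.groups & req.groups):
            continue
        if rule.sites and not any(host_matches(p, req.host) for p in rule.sites):
            continue
        if not in_schedule(rule, req.when):
            continue
        if rule.content and not mime_matches(rule.content, req.mime):
            continue
        return rule.action, rule.name
    return "deny", "default deny"     # nothing matched: block the request

# Constructed sample policy; every name and host below is hypothetical.
POLICY = [
    Rule("Block executables", "deny", content=("Applications",)),
    Rule("Finance banking", "allow", groups=frozenset({"Finance"}),
         sites=("*.bank.example",), days=WEEKDAYS,
         start=time(8, 0), end=time(18, 0)),
    Rule("Approved sites", "allow",
         sites=("intranet.corp.example", "*.vendor.example")),
    Rule("Lunchtime news", "allow", groups=frozenset({"Staff"}),
         sites=("*.news.example",), days=WEEKDAYS,
         start=time(12, 0), end=time(13, 0),
         content=("HTML documents", "Images")),
]

if __name__ == "__main__":
    staff = frozenset({"Staff"})
    wednesday_noon = datetime(2006, 6, 14, 12, 30)   # a Wednesday
    for host, mime in [("www.news.example", "text/html; charset=utf-8"),
                       ("www.news.example", "video/mp4"),
                       ("downloads.vendor.example", "application/x-msdownload"),
                       ("evilvendor.example", "text/html")]:
        print(host, mime, "->", evaluate(POLICY, Request(staff, host, wednesday_noon, mime)))
```

Placing the executable block first means an allow list entry for a site never lets an application download through, and any request that matches no rule is denied.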

Summary

Almost all companies have a connection to the Internet. The Internet connectivity enables employee access to information on Internet Web servers, Web servers located at partner sites, and Web content hosted on the corporate intranet. Although the Internet improves the ability to share and act on information, these connections also carry the risk of spreading dangerous exploits and attacks from hackers and other malicious individuals. Companies need a way to allow secure connections to corporate Web servers from users located outside the corporate network, and mechanisms to prevent users on the corporate network from downloading dangerous or inappropriate information.

A popular solution to the problem of secure Web access is a Web proxy. Web proxies help companies to control the flow of information moving over Web channels using the HTTP, HTTPS, and FTP protocols. Web proxies act as intermediaries between client and server, whether that client is on the corporate network and the server is on the Internet, or the client is located on the Internet and the server is on a corporate intranet. By acting as an intermediary, Web proxies can inspect Web communications moving through it, and help prevent suspicious and dangerous communications and code from traversing the Web proxy.

Web proxies can speed access to work-related content, provide content availability when content servers are unavailable, and reduce bandwidth costs by employing Web caching technologies. A caching Web proxy can store content closer to the user and return content without requiring the request to be passed to a Web server on an unreliable Internet connection or a bandwidth constrained dedicated WAN link.

This white paper discussed how ISA Server 2006 can be used as a Web proxy that helps to solve security and reliability problems encountered by today's businesses. Specific solutions include how to provide more secure remote access to information contained on corporate Web servers, how to better secure and control Internet access for employees located on the corporate network, how to reduce total cost of network operations by deploying the ISA Server 2006 Web proxy server, and how to improve employee productivity by using ISA Server 2006 Web proxy caching.

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows Server, Exchange, Internet Security and Acceleration (ISA) Server 2006, Microsoft Operations Manager, Outlook, PowerPoint, SharePoint, Windows Mobile, are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.


More information

WAN Optimization Integrated with Cisco Branch Office Routers Improves Application Performance and Lowers TCO

WAN Optimization Integrated with Cisco Branch Office Routers Improves Application Performance and Lowers TCO WAN Optimization Integrated with Cisco Branch Office Routers Improves Application Performance and Lowers TCO The number of branch-office work sites is increasing, so network administrators need tools to

More information

Streamlining Web and Email Security

Streamlining Web and Email Security How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Streamlining Web and Email Security sponsored by Introduction to Realtime Publishers by Don Jones, Series Editor

More information

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link) NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering

More information

1110 Cool Things Your Firewall Should Do. Extending beyond blocking network threats to protect, manage and control application traffic

1110 Cool Things Your Firewall Should Do. Extending beyond blocking network threats to protect, manage and control application traffic 1110 Cool Things Your Firewall Should Do Extending beyond blocking network threats to protect, manage and control application traffic Table of Contents The Firewall Grows Up 1 What does SonicWALL Application

More information

The Application Front End Understanding Next-Generation Load Balancing Appliances

The Application Front End Understanding Next-Generation Load Balancing Appliances White Paper Overview To accelerate download times for end users and provide a high performance, highly secure foundation for Web-enabled content and applications, networking functions need to be streamlined.

More information

Interwise Connect. Working with Reverse Proxy Version 7.x

Interwise Connect. Working with Reverse Proxy Version 7.x Working with Reverse Proxy Version 7.x Table of Contents BACKGROUND...3 Single Sign On (SSO)... 3 Interwise Connect... 3 INTERWISE CONNECT WORKING WITH REVERSE PROXY...4 Architecture... 4 Interwise Web

More information

Protecting Your Network Against Risky SSL Traffic ABSTRACT

Protecting Your Network Against Risky SSL Traffic ABSTRACT Protecting Your Network Against Risky SSL Traffic ABSTRACT Every day more and more Web traffic traverses the Internet in a form that is illegible to eavesdroppers. This traffic is encrypted with Secure

More information

11 THINGS YOUR FIREWALL SHOULD DO. a publication of 2012 INVENIO IT A SMALL BUSINESS WHITEPAPER

11 THINGS YOUR FIREWALL SHOULD DO. a publication of 2012 INVENIO IT A SMALL BUSINESS WHITEPAPER 11 THINGS YOUR FIREWALL SHOULD DO a publication of 2012 INVENIO IT A SMALL BUSINESS WHITEPAPER 2 THE GUIDE OF BY DALE SHULMISTRA Dale Shulmistra is a Technology Strategist at Invenio IT, responsible for

More information

How Traditional Firewalls Fail Today s Networks And Why Next-Generation Firewalls Will Prevail

How Traditional Firewalls Fail Today s Networks And Why Next-Generation Firewalls Will Prevail How Fail Today s Networks And Why Will Prevail Why your current firewall may be jeopardizing your security, and how you can counter today s threats, manage web 2.0 apps and enforce acceptable-use policies.

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Cyan Networks Secure Web vs. Websense Security Gateway Battle card

Cyan Networks Secure Web vs. Websense Security Gateway Battle card URL Filtering CYAN Secure Web Database - over 30 million web sites organized into 31 categories updated daily, periodically refreshing the data and removing expired domains Updates of the URL database

More information

Security. TestOut Modules 12.6 12.10

Security. TestOut Modules 12.6 12.10 Security TestOut Modules 12.6 12.10 Authentication Authentication is the process of submitting and checking credentials to validate or prove user identity. 1. Username 2. Credentials Password Smart card

More information

Top five strategies for combating modern threats Is anti-virus dead?

Top five strategies for combating modern threats Is anti-virus dead? Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.

More information

Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway

Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway TESTING & INTEGRATION GROUP SOLUTION GUIDE Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway INTRODUCTION...2 RADWARE SECUREFLOW... 3

More information

WAN Optimization, Web Cache, Explicit Proxy, and WCCP. FortiOS Handbook v3 for FortiOS 4.0 MR3

WAN Optimization, Web Cache, Explicit Proxy, and WCCP. FortiOS Handbook v3 for FortiOS 4.0 MR3 WAN Optimization, Web Cache, Explicit Proxy, and WCCP FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook WAN Optimization, Web Cache, Explicit Proxy, and WCCP v3 13 January 2012 01-433-96996-20120113

More information

White Paper Secure Reverse Proxy Server and Web Application Firewall

White Paper Secure Reverse Proxy Server and Web Application Firewall White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security

More information

IBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed Web security

IBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed Web security IBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed Web security INTC-8608-01 CE 12-2010 Page 1 of 8 Table of Contents 1. Scope of Services...3 2. Definitions...3

More information

Get Control of Your Data Center. Application Delivery Controllers

Get Control of Your Data Center. Application Delivery Controllers White Paper Get Control of Your Data Center Application Delivery Controllers May 2011 Get Control of Your Data Center Access. Security. Delivery. Introduction Data center and networking technologies have

More information

How To Control Your Network With A Firewall On A Network With An Internet Security Policy On A Pc Or Ipad (For A Web Browser)

How To Control Your Network With A Firewall On A Network With An Internet Security Policy On A Pc Or Ipad (For A Web Browser) 1110 Cool Things Your Firewall Should Do Extend beyond blocking network threats to protect, manage and control application traffic Table of Contents The Firewall Grows Up 1 What does SonicWALL Application

More information

White Paper. How to Effectively Provide Safe and Productive Web. Environment for Today's Businesses

White Paper. How to Effectively Provide Safe and Productive Web. Environment for Today's Businesses White Paper How to Effectively Provide Safe and Productive Web Environment for Today's Businesses Table of Content The Importance of Safe and Productive Web Environment... 1 The dangers of unrestricted

More information

INSTANT MESSAGING SECURITY

INSTANT MESSAGING SECURITY INSTANT MESSAGING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part

More information

Spyware Doctor Enterprise Technical Data Sheet

Spyware Doctor Enterprise Technical Data Sheet Spyware Doctor Enterprise Technical Data Sheet The Best of Breed Anti-Spyware Solution for Businesses Spyware Doctor Enterprise builds on the strength of the industry-leading and multi award-winning Spyware

More information

Move over, TMG! Replacing TMG with Sophos UTM

Move over, TMG! Replacing TMG with Sophos UTM Move over, TMG! Replacing TMG with Sophos UTM Christoph Litzbach, Pre-Sales Engineer NSG 39 Key Features of TMG HTTP Antivirus/spyware URL Filtering HTTPS forward inspection Web Caching Role based access

More information

Assuring Your Business Continuity

Assuring Your Business Continuity Assuring Your Business Continuity Q-Balancer Range Offering Business Continuity, Productivity, and Security Q-Balancer is designed to offer assured network connectivity to small and medium business (SME)

More information

V1.4. Spambrella Email Continuity SaaS. August 2

V1.4. Spambrella Email Continuity SaaS. August 2 V1.4 August 2 Spambrella Email Continuity SaaS Easy to implement, manage and use, Message Continuity is a scalable, reliable and secure service with no set-up fees. Built on a highly reliable and scalable

More information

WAN Optimization for Microsoft SharePoint BPOS >

WAN Optimization for Microsoft SharePoint BPOS > White Paper WAN Optimization for Microsoft SharePoint BPOS > Best Practices Table of Contents Executive Summary 2 Introduction 3 SharePoint BPOS performance: Managing challenges 4 SharePoint 2007: Internal

More information

Securing Endpoints without a Security Expert

Securing Endpoints without a Security Expert How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Securing Endpoints without a Security Expert sponsored by Introduction to Realtime Publishers by Don Jones, Series

More information

Table of Contents. Chapter 1: Installing Endpoint Application Control. Chapter 2: Getting Support. Index

Table of Contents. Chapter 1: Installing Endpoint Application Control. Chapter 2: Getting Support. Index Table of Contents Chapter 1: Installing Endpoint Application Control System Requirements... 1-2 Installation Flow... 1-2 Required Components... 1-3 Welcome... 1-4 License Agreement... 1-5 Proxy Server...

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

Firewalls Overview and Best Practices. White Paper

Firewalls Overview and Best Practices. White Paper Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not

More information

PEER-TO-PEER NETWORK

PEER-TO-PEER NETWORK PEER-TO-PEER NETWORK February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

White paper. Keys to SAP application acceleration: advances in delivery systems.

White paper. Keys to SAP application acceleration: advances in delivery systems. White paper Keys to SAP application acceleration: advances in delivery systems. Table of contents The challenges of fast SAP application delivery...3 Solving the acceleration challenge: why traditional

More information

GiftWrap 4.0 Security FAQ

GiftWrap 4.0 Security FAQ GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels

More information

Astaro Gateway Software Applications

Astaro Gateway Software Applications Astaro Overview Astaro Products - Astaro Security Gateway - Astaro Web Gateway - Astaro Mail Gateway - Astaro Command Center - Astaro Report Manager Astaro Gateway Software Applications - Network Security

More information

Enterprise K12 Network Security Policy

Enterprise K12 Network Security Policy Enterprise K12 Network Security Policy I. Introduction The K12 State Wide Network was established by MDE and ITS to provide a private network infrastructure for the public K12 educational community. Therefore,

More information

Superior protection from Internet threats and control over unsafe web usage

Superior protection from Internet threats and control over unsafe web usage datasheet Trend Micro interscan web security Superior protection from Internet threats and control over unsafe web usage Traditional secure web gateway solutions that rely on periodic updates to cyber

More information

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions Permeo Technologies WHITE PAPER HIPAA Compliancy and Secure Remote Access: Challenges and Solutions 1 Introduction The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 has had an

More information

The Evolving Threat Landscape and New Best Practices for SSL

The Evolving Threat Landscape and New Best Practices for SSL The Evolving Threat Landscape and New Best Practices for SSL sponsored by Dan Sullivan Chapter 2: Deploying SSL in the Enterprise... 16 Infrastructure in Need of SSL Protection... 16 Public Servers...

More information

Stopping secure Web traffic from bypassing your content filter. BLACK BOX

Stopping secure Web traffic from bypassing your content filter. BLACK BOX Stopping secure Web traffic from bypassing your content filter. BLACK BOX 724-746-5500 blackbox.com Table of Contents Introduction... 3 Implications... 4 Approaches... 4 SSL CGI Proxy... 5 SSL Full Proxy...

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

The Evolution of Application Acceleration:

The Evolution of Application Acceleration: WHITE PAPER The Evolution of Application Acceleration: From Server Load Balancers to Application Delivery Controllers www.crescendonetworks.com Corporate Headquarters 6 Yoni Netanyahu Street Or-Yehuda

More information

http://docs.trendmicro.com/en-us/enterprise/trend-micro-endpoint-applicationcontrol.aspx

http://docs.trendmicro.com/en-us/enterprise/trend-micro-endpoint-applicationcontrol.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

HUAWEI USG2000&5000 Series Unified Security Gateway Content Filtering White Paper

HUAWEI USG2000&5000 Series Unified Security Gateway Content Filtering White Paper Doc. code HUAWEI USG2000&5000 Series Unified Security Gateway Content Filtering White Paper Issue 1.0 Date 2014-08-21 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2012. All rights

More information

FAQs for Oracle iplanet Proxy Server 4.0

FAQs for Oracle iplanet Proxy Server 4.0 FAQs for Oracle iplanet Proxy Server 4.0 Get answers to the questions most frequently asked about Oracle iplanet Proxy Server Q: What is Oracle iplanet Proxy Server (Java System Web Proxy Server)? A: Oracle

More information

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats Achieving Truly Secure Cloud Communications How to navigate evolving security threats Security is quickly becoming the primary concern of many businesses, and protecting VoIP vulnerabilities is critical.

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

AppDirector Load balancing IBM Websphere and AppXcel

AppDirector Load balancing IBM Websphere and AppXcel TESTING & INTEGRATION GROUP SOLUTION GUIDE AppDirector Load balancing IBM Websphere and AppXcel INTRODUCTION...2 RADWARE APPDIRECTOR...3 RADWARE APPXCEL...3 IBM WEBSPHERE...4 SOLUTION DETAILS...4 HOW IT

More information

Microsoft SQL Server 2008 R2 Enterprise Edition and Microsoft SharePoint Server 2010

Microsoft SQL Server 2008 R2 Enterprise Edition and Microsoft SharePoint Server 2010 Microsoft SQL Server 2008 R2 Enterprise Edition and Microsoft SharePoint Server 2010 Better Together Writer: Bill Baer, Technical Product Manager, SharePoint Product Group Technical Reviewers: Steve Peschka,

More information

Wireless Services. The Top Questions to Help You Choose the Right Wireless Solution for Your Business. www.megapath.com

Wireless Services. The Top Questions to Help You Choose the Right Wireless Solution for Your Business. www.megapath.com Wireless Services The Top Questions to Help You Choose the Right Wireless Solution for Your Business Get Started Now: 877.611.6342 to learn more. www.megapath.com Why Go Wireless? Today, it seems that

More information

White Paper A10 Thunder and AX Series Load Balancing Security Gateways

White Paper A10 Thunder and AX Series Load Balancing Security Gateways White Paper A10 Thunder and AX Series Load Balancing Security Gateways June 2013 WP_LB FW 062013 Disclaimer This document does not create any express or implied warranty about A10 Networks or about its

More information

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda

More information

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by

More information

Online Transaction Processing in SQL Server 2008

Online Transaction Processing in SQL Server 2008 Online Transaction Processing in SQL Server 2008 White Paper Published: August 2007 Updated: July 2008 Summary: Microsoft SQL Server 2008 provides a database platform that is optimized for today s applications,

More information

Network Configuration Settings

Network Configuration Settings Network Configuration Settings Many small businesses already have an existing firewall device for their local network when they purchase Microsoft Windows Small Business Server 2003. Often, these devices

More information

CISCO WIDE AREA APPLICATION SERVICES (WAAS) OPTIMIZATIONS FOR EMC AVAMAR

CISCO WIDE AREA APPLICATION SERVICES (WAAS) OPTIMIZATIONS FOR EMC AVAMAR PERFORMANCE BRIEF CISCO WIDE AREA APPLICATION SERVICES (WAAS) OPTIMIZATIONS FOR EMC AVAMAR INTRODUCTION Enterprise organizations face numerous challenges when delivering applications and protecting critical

More information

Load Balancing Security Gateways WHITE PAPER

Load Balancing Security Gateways WHITE PAPER Load Balancing Security Gateways WHITE PAPER Table of Contents Acceleration and Optimization... 4 High Performance DDoS Protection... 4 Web Application Firewall... 5 DNS Application Firewall... 5 SSL Insight...

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

Simple security is better security Or: How complexity became the biggest security threat

Simple security is better security Or: How complexity became the biggest security threat Simple security is better security Or: How complexity became the biggest security threat Christoph Litzbach, Pre-Sales Engineer NSG 1 What do they have in common? DATA BREACH 2 Security is HARD! Components

More information

Application Delivery Networks: The New Imperative for IT Visibility, Acceleration and Security > White Paper

Application Delivery Networks: The New Imperative for IT Visibility, Acceleration and Security > White Paper Application Delivery Networks: The New Imperative for IT Visibility, Acceleration and Security > White Paper Application Delivery Networks: The New Imperative for IT Visibility, Acceleration and Security

More information

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards

More information

Module 12: Microsoft Windows 2000 Clustering. Contents Overview 1 Clustering Business Scenarios 2 Testing Tools 4 Lab Scenario 6 Review 8

Module 12: Microsoft Windows 2000 Clustering. Contents Overview 1 Clustering Business Scenarios 2 Testing Tools 4 Lab Scenario 6 Review 8 Module 12: Microsoft Windows 2000 Clustering Contents Overview 1 Clustering Business Scenarios 2 Testing Tools 4 Lab Scenario 6 Review 8 Information in this document is subject to change without notice.

More information

F5 provides a secure, agile, and optimized platform for Microsoft Exchange Server 2007 deployments

F5 provides a secure, agile, and optimized platform for Microsoft Exchange Server 2007 deployments APPLICATION READY SOLUTION GUIDE Key Benefits Eliminate 70% of unwanted email, before it reaches your Exchange Servers Gain more than 25% server capacity with SSL and Compression offload Experience up

More information