I work with ISA 2006 on a on and off basis. Its one of those products we don’t necessarily focus on, but we often run into cases where customers need additional security and authentication functionality beyond that which can be (easily) provided in their applications. More often than not, we find that ISA 2006 turns out to be a great solution to meet these kinds of needs.
That being said, I’ve come to learn in my conversations with customers that there is a general lack of knowledge of the capabilities and benefits ISA 2006 provides, so I thought it would be useful to briefly articulate why one should consider using ISA 2006 to publish any application that requires external access.
1. Authenticated and Authorized Traffic Only. ISA 2006 can authenticate web traffic before sending anything to published servers. Additionally, authenticated connections can be associated to different groups, which in turn can be applied to ISA rules to dictate what the authenticated user can and cannot do. Again, this is applied before traffic even hits the application. Ensuring that only authenticated and authorized traffic even gets to your application in the first place adds a great deal of additional security and helps reduce the amount of authentication work your web servers are performing. In ISA 2006, this is typically (but not necessarily) implemented using a logon form, which can be customized (branded) to meet a certain look and feel. If desired, the logon form can even be enhanced to allow for “forgot password” or “new user sign-up” functionality. By the way, after successfully authenticating, the users’ browser gets a cookie, which is used to link the user’s identity to the session. This cookie can be configured to be either persistent or have a certain lifetime.
2. Single Sign-On (SSO). Many people don’t realize it, but ISA 2006 is a great tool for SSO. In many cases, solutions based on SharePoint consist of multiple, distributed applications and web services like SQL Server Reporting Services, each requiring some kind of authentication. Often, this is presented to the browser using an IFrame or something similar. More often than not, this results in external users being prompted to authenticate repeatedly. Not good. Fortunately, ISA 2006 provides Single Sign On (SSO) functionality to ensure users only need authenticate once using the aforementioned logon form. Subsequent authentication requests from published applications are handled by ISA on behalf of the user via a process known as Delegated Authentication. From the published servers’ perspective, it appears the user is connected to the internal LAN. Oh, by the way. You say your application requires Kerberos? No problem. ISA 2006 fully supports Kerberos constrained delegation. We recently set up SSO for a customer using ISA to publish a portal consisting of both SharePoint and a 3rd party dashboard application (single portal – multiple servers) and it worked great.
3. Link Translation. This will be a short, but important one. ISA 2006 has built-in support for SharePoint Alternate Access Mapping (AAM) and many more capabilities to provide customized link translation. Last year, I blogged about some of these capabilities. This functionality offers application designers a high amount of control over what end users see in their browsers and offers more opportunities for custom branding.
4. Its a Darn Good Application Layer Firewall. In the past, there’s been a fair amount of bias against ISA out there in the networking community, partially (I suspect) due to Microsoft’s past track record with security. However, I’ve been noticing this trend has diminished greatly. The truth is that ISA 2006, when properly configured, is a very high quality application layer firewall. In fact, if you look ISA 2006 up on Secunia, you’ll find a grand total of ONE (1) advisories for ISA 2006. Both vulnerabilities were disclosed in 2009 and patches were available at the same time as the announcement. Compare that with Cisco PIX 7.x and Cisco PIX 8.x. Now, I’m not foolish enough to claim ISA 2006 is “more secure” than other products like PIX / ASA. My point is that ISA 2006 is proven to be a trustworthy component of an overall security infrastructure. And because its an application layer firewall, it provides unique functionality to protect Microsoft products like SharePoint and Exchange server from potential application-specific vulnerabilities. This is critical when you consider that recent studies show that around 70% of attacks today are targeting applications, not operating systems. For example, on its own SharePoint can’t defend itself against things like HTTP Distributed Denial of Service attacks. And that’s just one example. By inspecting HTTP (and even HTTPS) traffic, ISA 2006 ensures HTTP connections are legitimate, correctly formed, and fit within safe parameters. This translates to higher availability and better performance for your end-users. Of course, a full listing of the security features included with ISA 2006 is available on TechNet.
5. High Availability (and Scalability). I don’t think many folks out there realize that ISA 2006 can be installed and configured in a load balanced array. We’ve done this a couple of times and have always found it to work quite well. If you don’t have a hardware load balancing solution available or don’t want to mess with that stuff, its actually fairly straightforward to set up two or three servers and distribute traffic between them. This way, a failure (or scheduled downtime) on one ISA server won’t impact the availability of your published web servers to end-users. This load balancing capability thus provides high availability, better performance, and scalability. Additionally, a load-balanced ISA array can in turn publish internal web servers in a round-robin fashion. And connections can be configured to be “sticky” to support those highly dynamic, interactive web based apps we all know and love. All this allows you to accomplish more with less.
So there are my top five reasons. I can already think of a few more…..cost and ease-of-use come to mind. Anyhow, a few quick Google (ahem) Microsoft Live searches will reveal a very passionate and dynamic community out there for this product. If you’re developing any sort of custom web application, particularly one based on the Microsoft collaboration platform,I highly recommend you check it out. And as always let me know if you have any questions.
