Comparing ISA Server and Internet Connection Firewall

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft Windows XP and Windows Server 2003, Standard and Enterprise Editions, each have Internet Connection Firewall (ICF) built in, helping to secure the individual workstation or laptop computer against incoming hacker and virus threats. Internet Security and Acceleration (ISA) Server 2000 is Microsoft's enterprise-class firewall, built from the ground up to defend entire networks. ISA Server is a multilayered firewall that is optimized for application-layer filtering and designed to protect large, medium, and small businesses. ICF provides home users and small business users (fewer than five people) with baseline protection against incoming attacks.

The following table illustrates how these two technologies complement each other to help provide customers with a secure computing environment.


ISA Server: Standalone product. Ships in standard and enterprise editions. Runs on Windows 2000 Server and Windows 2000 Advanced Server.

ICF: Included in Windows XP Home Edition; Windows XP Professional; and Windows Server 2003, Standard and Enterprise Editions.

Target audience

ISA Server: Extensible, multilayer firewall securing large, medium, and small enterprises.

ICF: Personal firewall securing home users and small businesses.

ISA Server: ICSA certified.

ICF: No security certification.

ISA Server:

  • Packet-, circuit-, and application-level filtering.

  • Stateful packet filtering.

  • Broad application support.

  • Integrated virtual private networking (VPN).

  • System hardening.

  • Integrated intrusion detection.

  • Smart application filters.

  • Transparency for all clients.

  • Advanced authentication.

  • Secure server publishing.

  • Offload Secure Sockets Layer (SSL) traffic for Outlook Web Access and enable full MAPI access for Microsoft Exchange.

ICF:

  • Stateful packet filtering.

  • Static port mapping.

  • No application-level filtering.

  • No outbound packet inspection, except for checking the source IP address.

Deployment scenarios

ISA Server:

  • Perimeter firewall to protect the internal network.

  • Controlling user access outbound to the Internet.

  • VPN server.

  • Securing the perimeter network (also known as DMZ or demilitarized zone).

  • SSL acceleration for Outlook Web Access and full MAPI Exchange over the Internet.

  • Forward or reverse proxy/cache.

ICF:

  • Protects a single PC (or small LAN behind PC with Internet Connection Sharing) connected directly to the Internet.

  • Limited baseline protection for a home or small business network.

Access control

ISA Server: Enforce Internet usage policy by controlling access by IP address, users, groups, Microsoft Active Directory users and groups, destination, schedule, and content type.

ICF: No outbound access control.

Secure server publishing

ISA Server: Enable secure access to internal servers from the Internet without compromising the security of the internal network. This way, internal servers are never exposed directly to external (Internet) users.

ICF: No server publishing.

Log file format

ISA Server:

  • W3C extended file format.

  • ISA Server text file format.

  • Any Open Database Connectivity (ODBC)–compliant database.

ICF: W3C extended file format.

ISA Server: Highly extensible.

  • A number of third-party plug-ins are available to extend core functionality in areas including content filtering, anti-virus, intrusion detection, load balancing, monitoring, and reporting (see the For More Information section following this table).

  • Includes the ISA Server Software Development Kit (SDK), allowing anyone to extend ISA Server with application filters, Web filters, management tools, user interface extensions, and more.

ICF: Not extensible.

Cache/proxy functionality

ISA Server: Also an enterprise-class cache and proxy server.


For More Information

To locate additional information on this and other security issues, visit the following pages: