What's New and Improved in ISA Server 2004

Internet Security and Acceleration (ISA) Server 2004 is the advanced application-layer firewall, virtual private network (VPN), and Web-cache solution that enables you to easily maximize existing IT investments by improving network security and performance. ISA Server 2004 offers the following new or improved features:

Advanced Protection

  • Application-layer filtering
  • Security and firewall

Ease of Use

  • Multinetworking
  • Monitoring and reporting
  • Management

Fast and Secure Access

  • Secure remote access to Microsoft servers
  • Virtual private networks
  • Web cache and Web proxy

Advanced Protection

Application Layer Filtering

New or Improved | Feature | Description

New

HTTP filtering on a per-rule basis

The ISA Server 2004 HTTP policy allows the firewall to perform deep HTTP stateful inspection (application-layer filtering). The extent of the inspection is configured on a per-rule basis. With this capability, you can configure custom constraints for HTTP inbound and outbound access.

New

Block access to all executable content

You can configure the ISA Server 2004 HTTP policy to block all attempts to download Microsoft Windows executable content, regardless of the file name extension used on the resource.

New

Control HTTP file downloads through file name extension

The ISA Server 2004 HTTP policy enables you to define policy based on file name extension, including "allow all except a specified group of extensions" or "block all extensions except for a specified group."

New

HTTP filtering is applied to all ISA Server 2004 client connections

With the ISA Server 2004 HTTP policy, you can control HTTP access for all ISA Server 2004 client connections.

New

Control HTTP access based on "HTTP Signatures"

ISA Server 2004 deep HTTP inspection lets you create "HTTP signatures" that are compared against the request URL, request headers, request body, and response body. This gives you precise control over what content internal and external users can access through the ISA Server 2004 firewall.

New

Control allowed HTTP methods

You can control which HTTP methods are allowed through the firewall by setting access controls on the methods users may use. For example, you can block the HTTP POST method to prevent users from sending data to Web sites.
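The per-rule HTTP controls described above (allowed methods, file name extension policy in both "allow all except" and "block all except" modes, blocking executable content regardless of extension, and signatures matched against the request URL, request headers, request body and response body) as one small policy checker. This is an added example, not ISA Server code: the policy values and the signature texts are constructed, and detecting executables by the leading "MZ" bytes of a Windows PE file is this example's assumption about how the check can be done.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class HttpPolicy:
    """Per-rule HTTP policy with the controls the page lists."""
    allowed_methods: set                    # e.g. {"GET", "HEAD"}
    extension_mode: str                     # "allow_all_except" or "block_all_except"
    extensions: set                         # e.g. {".exe", ".msi"}
    block_executables: bool = True          # block Windows executables by content
    signatures: list = field(default_factory=list)  # (part, text) pairs

# Windows PE executables begin with the bytes "MZ". The page only says executables
# are blocked regardless of extension; checking the leading bytes is this
# example's assumed way of doing so.
def is_windows_executable(body: bytes) -> bool:
    return body[:2] == b"MZ"

def file_extension(url: str) -> str:
    """Extension of the last path segment, lower-cased; '' if there is none."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""

def _part_text(part, url, headers, body):
    if part == "url":
        return url
    if part == "request_headers":
        return "\n".join(f"{k}: {v}" for k, v in headers.items())
    return body.decode("latin-1")          # request_body

def check_request(policy, method, url, headers, body=b""):
    """Return None if the request may pass, otherwise the reason it is blocked."""
    if method not in policy.allowed_methods:
        return f"method {method} not allowed"
    ext = file_extension(url)     # URLs without an extension are not subject to the extension rules
    if ext and policy.extension_mode == "allow_all_except" and ext in policy.extensions:
        return f"extension {ext} is blocked"
    if ext and policy.extension_mode == "block_all_except" and ext not in policy.extensions:
        return f"extension {ext} is not in the allowed set"
    for part, text in policy.signatures:
        if part != "response_body" and text.lower() in _part_text(part, url, headers, body).lower():
            return f"request matched signature {text!r}"
    return None

def check_response(policy, body: bytes):
    """Response-side checks: executable content and response body signatures."""
    if policy.block_executables and is_windows_executable(body):
        return "Windows executable content blocked regardless of extension"
    for part, text in policy.signatures:
        if part == "response_body" and text.lower() in body.decode("latin-1").lower():
            return f"response matched signature {text!r}"
    return None

# Constructed policy for a Web access rule: downloads only, no installer or
# executable extensions, one request-header signature and one response-body
# signature (both header name and marker text are made up for this example).
POLICY = HttpPolicy(
    allowed_methods={"GET", "HEAD"},
    extension_mode="allow_all_except",
    extensions={".exe", ".msi", ".scr"},
    signatures=[("request_headers", "X-P2P-Client"), ("response_body", "INTERNAL-ONLY-MARKER")],
)
```

Note that the extension rule alone would let a renamed `setup.txt` through; the response check catches it by content, which is the point of the "regardless of the file name extension" control.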

New

Enforce secure Microsoft Exchange Server remote procedure call (RPC) connections from full Microsoft Outlook messaging and collaboration MAPI clients

ISA Server 2004 Secure Exchange Server Publishing Rules allow remote users to connect to their Exchange server over the Internet using the fully functional Outlook MAPI client. However, the Outlook client must be configured to use secure RPC so that the connection is encrypted. With the ISA Server 2004 RPC policy, you can block all nonencrypted Outlook MAPI client connections.

New

FTP policy

You can configure the ISA Server 2004 File Transfer Protocol (FTP) policy to let users upload and download through FTP, or you can limit user FTP access to download only.

New

Link translator

Some published Web sites include references to the internal names of computers. Because external clients can reach only the ISA Server 2004 firewall and the external namespace, not the internal network namespace, these references appear as broken links. ISA Server 2004 includes a link translation feature that you can use to create a dictionary of definitions that map internal computer names to publicly known names.

New

Granular control over IP options

With ISA Server 2004, you can configure IP options on a granular basis and allow only the ones you require while blocking all others.

Security and Firewall

New or Improved | Feature | Description

New

Extensive protocol support

ISA Server 2004 gives you control over access to and use of any protocol, including IP-level protocols. Users can therefore use applications such as ping and tracert, and can create VPN connections using PPTP. In addition, IPSec traffic can be enabled through ISA Server.

New

Support for complex protocols requiring multiple primary connections

Many streaming media and voice/video applications require that the firewall manage complex protocols. You can use the new ISA Server 2004 New Protocol Wizard to help manage these protocols and to create protocol definitions.

New

Customizable protocol definitions

With ISA Server 2004, you can control the source and destination port number for any protocol you create a firewall rule for. This allows the ISA Server 2004 firewall administrator a high level of control over which packets are allowed inbound and outbound through the firewall.

New

Firewall user groups

You can use ISA Server 2004 to create custom firewall groups that consist of preexisting groups in the local accounts database or the Active Directory directory service domain. This increases your flexibility to control access based on user or group membership, because the firewall administrator can create custom security groups from these existing groups. It also removes the requirement that the firewall administrator be a domain administrator in order to create custom security groups for inbound or outbound access control.

Improved

Authentication

Users can be authenticated using built-in Windows, RADIUS, or RSA SecurID authentication, or other namespaces. Rules can be applied to users or user groups in any namespace. Third-party vendors can use the software development kit (SDK) to extend these built-in authentication mechanisms.

New

Firewall client credentials forwarded to the Web Proxy service

ISA Server 2004 allows firewall clients to access the Web cache with the HTTP filter without requiring separate authentication with the Web Proxy service.

Improved

Hotmail Web-based e-mail access through the firewall

The improved HTTP filter enables users to access Hotmail through an easy-to-configure firewall rule, without the need for special configuration on the client or firewall.

Improved

Network objects

You can greatly expand your ability to define network objects by creating computers, networks, network sets, address ranges, subnets, computer sets, and domain name sets. These network objects are used to define source and destination settings for firewall rules.

Improved

Firewall rule wizards

ISA Server 2004 includes a new set of rule wizards that make it easier than ever to create access policy. You can create access policy, or configure the required policy elements "on the fly" while creating a firewall rule, and you do not need to leave the rule wizard to create a network object; any network object or relationship can be created in the new wizard.

Improved

Firewall rules represent an ordered list

Firewall rules are represented in an ordered list in which connection parameters are first compared to the top listed rule. ISA Server 2004 moves down the list of rules until it finds a rule matching the connection parameters and enforces the matching rule's policy. This approach to firewall policy makes it much easier to determine why a specific connection is allowed or denied.

Improved

User/group-based access policy

With the enhanced firewall rules, you can define the source and destination for each protocol a user or group is able to access. This greatly increases flexibility for inbound and outbound access control.
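The ordered, first-match rule evaluation described above, together with network objects as rule sources and destinations and user/group-based rules from the surrounding rows, as a small rule engine that reports which rule decided a connection. This is an added example, not ISA Server code: the network objects, protocol names, addresses and group names are constructed, and the trailing deny-all is this example's own default.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed network objects (networks and a computer set), not an export of a
# real ISA Server configuration. "External" is treated as every address that no
# other network object covers.
NETWORK_OBJECTS = {
    "Internal": ["10.0.0.0/8"],
    "Perimeter": ["192.168.100.0/24"],
    "Admin Workstations": ["10.0.5.10/32", "10.0.5.11/32"],
    "Kiosks": ["10.0.9.0/24"],
}

@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocols: set         # protocol definitions, e.g. {"HTTP", "HTTPS"}; "*" = any
    sources: list          # network object names
    destinations: list     # network object names
    users: set = field(default_factory=lambda: {"All Users"})

def in_objects(ip: str, names: list) -> bool:
    addr = ipaddress.ip_address(ip)

    def covered(cidrs):
        return any(addr in ipaddress.ip_network(c) for c in cidrs)

    for name in names:
        if name == "External":
            if not any(covered(c) for c in NETWORK_OBJECTS.values()):
                return True
        elif covered(NETWORK_OBJECTS[name]):
            return True
    return False

def evaluate(rules, src_ip, dst_ip, protocol, groups=frozenset()):
    """Walk the ordered list top to bottom; the first rule whose protocol,
    source, destination and user set all match decides the connection.
    Returns (action, rule name) so it is clear *which* rule decided.
    The final deny-all is this example's own default."""
    for rule in rules:
        if "*" not in rule.protocols and protocol not in rule.protocols:
            continue
        if not in_objects(src_ip, rule.sources) or not in_objects(dst_ip, rule.destinations):
            continue
        if "All Users" not in rule.users and not (rule.users & set(groups)):
            continue
        return rule.action, rule.name
    return "deny", "Default rule (deny all)"

# Misordered policy: the kiosk deny sits below a broad allow and can never fire.
MISORDERED = [
    Rule("Admins to perimeter", "allow", {"RDP"}, ["Admin Workstations"], ["Perimeter"], {"Domain Admins"}),
    Rule("Web access", "allow", {"HTTP", "HTTPS"}, ["Internal"], ["External"]),
    Rule("Block kiosk Web", "deny", {"HTTP", "HTTPS"}, ["Kiosks"], ["External"]),
]
# Corrected policy: the more specific deny is listed above the broad allow.
CORRECTED = [MISORDERED[0], MISORDERED[2], MISORDERED[1]]

if __name__ == "__main__":
    for policy in (MISORDERED, CORRECTED):
        print(evaluate(policy, "10.0.9.25", "198.51.100.7", "HTTP"))
```

Because the result names the deciding rule, the misordering is visible at once: the kiosk connection is allowed by "Web access", not denied by the rule written for it.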

Improved

Outlook Web Access Publishing Wizard

Clientless remote access through secure SSL connections form the core of SSL VPNs. The ISA Server 2004 Outlook Web Access Publishing Wizard walks you through creating a firewall rule and creates the Outlook Web Access SSL connection to your Exchange server. All network elements can be created "on the fly" and you never need to leave the wizard to create a policy element.

Improved

FTP support

ISA Server 2004 gives you access to Internet FTP servers listening on alternate port numbers, without requiring special configuration on the client or the ISA Server 2004 firewall. Publishing an FTP server on an alternate port number requires nothing more than a simple FTP server publishing rule.

Improved

Port redirection for FTP server publishing rules

Using ISA Server 2004, you can receive a connection on one port number and redirect the request to a different port number on the published server.

Improved

Secure Web publishing

You can place servers behind the firewall, either on the corporate network or on a perimeter network (also known as a demilitarized zone [DMZ] or screened subnet), and securely publish their services. With the improved secure Web Publishing Wizard, you can easily create a rule that gives users secure SSL remote access to published Web servers.

Ease of Use

Multinetworking

New or Improved | Feature | Description

New

Multiple network configuration

You can configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a particular internal network. ISA Server 2004 extends the firewall and security features to apply to traffic between any networks or network objects.

New

Unique per-network policies

The new multinetworking features of ISA Server 2004 enable you to protect your network against internal and external security threats by limiting communication between clients even in your own organization. Multinetworking functionality supports sophisticated perimeter network scenarios, helping you to configure how clients in different networks access the perimeter network. Access policies between networks can then be based on the unique security zone represented by each network.

New

Routed and NAT network relationships

You can use ISA Server 2004 to define routing relationships between networks, depending on the type of access and communication required between the networks. In some cases, you may want more secure, less transparent communication between the networks. For these scenarios, you can define a NAT relationship. In other situations, you want to route traffic through ISA Server. In these cases, you can define a routed relationship. Packets moving between routed networks are fully exposed to ISA Server 2004 stateful filtering and inspection mechanisms.

New

Network templates

ISA Server 2004 includes five network templates that correspond to common network topologies. After you apply one of the templates, ISA Server 2004 automatically creates the necessary firewall policy and network relationships.

New

Network Load Balancing (Enterprise Edition only)

Provides real-time failover and load balancing of connections made through an ISA Server 2004 Enterprise Edition array. Real-time failover enables high availability for enterprise arrays, while load balancing evenly distributes connections across the firewall array servers to prevent network slowdowns caused by overloaded firewalls.

Monitoring and Reporting

New or Improved | Feature | Description

New

Real-time monitoring of log entries

With ISA Server 2004, you can see firewall, Web Proxy, and SMTP Message Screener logs in real time. The monitoring console displays the log entries as they are recorded in the firewall's log file.

New

Built-in log query facility

You can query the log files by using the built-in log query facility. Logs can be queried for information contained in any field recorded in the logs. You can limit the scope of the query to a specific time frame. The results appear in the ISA Server 2004 console and can be copied to the Clipboard and pasted into another application for more detailed analysis.

New

Real-time monitoring and filtering of firewall sessions

You can view all active connections to the firewall. From the sessions view, you can sort or disconnect individual sessions or groups of sessions. In addition, you can use the built-in sessions filtering facility to filter the entries in the sessions view and focus on the sessions of interest.

New

Connection Verifiers

You can verify connectivity by regularly monitoring connections from the ISA Server 2004 computer to a specific computer or Uniform Resource Locator (URL) using Connection Verifiers. You can configure which method is used to determine connectivity: Ping, a Transmission Control Protocol (TCP) connection to a specific port, or an HTTP GET request. You select which connection to monitor by specifying an IP address, computer name, or URL.

Improved

Customizing ISA Server 2004 reports

ISA Server 2004 includes an enhanced report customization feature for adding more information to the firewall reports.

New

Report publishing

You can configure ISA Server 2004 report jobs to automatically save a copy of a report to a local folder or network file share. The folder or file share the reports are saved in can be mapped to a Web site virtual directory so that other users can view the report. You can also manually publish reports that have not been configured to automatically publish after report creation.

New

E-mail notification after report creation

You can configure a report job to send you an e-mail message after a report job is completed.

New

Customized time for log summary creation

By default, ISA Server 2004 creates log summaries at 12:30 A.M. Reports are based on the information contained in log summaries. You can easily customize the time at which ISA Server 2004 creates log summaries, giving you increased flexibility in determining the time of day reports are created.

Improved

Enhanced SQL Server logging

You can log to a SQL Server database located on another computer on the internal network. ISA Server 2004 SQL Server logging has been optimized to provide much higher performance.

New

Log to an MSDE database

Logs can now be stored in MSDE format. Logging to a local database enhances query speed and flexibility.

Management

New or Improved | Feature | Description

Improved

Management

ISA Server 2004 includes new management features, making it easier to secure your networks. New user interface features include Task Panes, Help Panes, an improved Getting Started Wizard, and a new look for the Firewall Policy Editor.

New

Export and import

ISA Server 2004 introduces the ability to export and import configuration information. You can use this feature to save configuration parameters to an .xml file, and then import the information from the file to another server.

New

Delegated permissions wizard for firewall administrator roles

The Administration Delegation Wizard helps you assign administrative roles to users and groups. These predefined roles delegate the level of administrative control users have over specified ISA Server 2004 services.

Improved

Centralized logging and reporting (Enterprise Edition only)

ISA Server 2004 logs and reports on traffic moving through all members of an enterprise array. There is never a need to collect log file information from each firewall and collate it to create unified report information.

New

Centralized storage of firewall policy (Enterprise Edition only)

ISA Server 2004 uses Active Directory Application Mode (ADAM) for firewall policy storage. ADAM storage enables you to place policy storage containers anywhere in the organization, allowing enhanced flexibility and availability for firewall policy redundancy and facilitated access.

Improved

Enterprise Policy (Enterprise Edition only)

Gain consistent control over security standards throughout your geographically diverse organization by setting security policies at the enterprise level, with application of array level and local policy, as appropriate.

New

Automatic array configuration (Enterprise Edition only)

Dynamically add new servers to your enterprise and arrays with a simple wizard. ISA Server automatically reads the ADAM database for configuration and policy details.

Improved

Administration Pack for Microsoft Operations Manager (MOM)

A newly designed MOM pack for ISA Server 2004 enables enterprise-level event monitoring and consolidation of common firewall activities (available for separate download).

Fast and Secure Access

Secure Remote Access to Microsoft Servers

New or Improved | Feature | Description

New

Firewall generated forms for forms-based authentication

ISA Server 2004 can generate the forms used by Microsoft Outlook Web Access sites for forms-based authentication. This enhances security for remote access to Outlook Web Access sites by preventing unauthenticated users from contacting the Outlook Web Access server.

New

Remote access to Terminal Services using SSL

Computers running the Microsoft Windows Server 2003 operating system support RDP over SSL to allow secure SSL connection to Windows Server 2003 Terminal Services. With ISA Server 2004, you can securely publish your Terminal Server using secure SSL technology.

Virtual Private Networks

New or Improved | Feature | Description

Improved

VPN administration

ISA Server 2004 includes a more fully integrated VPN mechanism, which is based on the Windows Server 2003 and Windows 2000 Server functionality.

New

Stateful filtering and inspection for VPN

VPN clients are configured as a separate network zone. Therefore, you can create distinct policies for VPN clients. The firewall rule engine checks requests from VPN clients individually: it statefully filters and inspects these requests and dynamically opens connections based on the access policy.

New

SecureNAT client support for VPN clients connected to ISA Server 2004 VPN server

ISA Server 2004 expands VPN client support by allowing SecureNAT clients to access the Internet without the Firewall Client being installed on the client system. You can also enhance corporate network security by enforcing a user/group-based firewall policy on VPN SecureNAT clients.

New

Stateful filtering and inspection for communications moving through a site-to-site VPN tunnel

ISA Server 2004 introduces stateful filtering and inspection for all communications moving through a site-to-site VPN connection. As a result, you can control the resources that specific hosts or networks can access on the opposite side of the link. You can use user/group-based access policies to gain detailed control over resource use across the link.

New

VPN quarantine

ISA Server 2004 takes advantage of Windows Server 2003 VPN Quarantine tools for deep VPN client inspection and integration of your firewall policy.

New

Publishing VPN servers

Use ISA Server 2004 server publishing rules to publish IP protocols and PPTP servers. The ISA Server 2004 smart PPTP application filter performs the complex connection management. In addition, you can easily publish the Windows Server 2003 NAT-T L2TP/IPSec VPN server.

New

IPSec tunnel mode support for site-to-site VPN links

ISA Server 2004 improves site-to-site link support when using IPSec tunnel mode as the VPN protocol. IPSec tunnel mode support greatly increases ISA Server 2004 interoperability with an array of third-party VPN solutions.

Web Cache and Web Proxy

New or Improved | Feature | Description

Improved

Cache rules

With the centralized ISA Server Cache Rule mechanism, you can configure how objects stored in the cache are retrieved and served from the cache.

Improved

Path mapping for Web publishing rules

ISA Server 2004 significantly improves the flexibility of Web publishing because you can redirect the path sent to the firewall by the user to any path of choice on the published Web server.

New

RADIUS support for Web Proxy client authentication

With ISA Server 2004, you can authenticate users in Active Directory and other authentication databases by using RADIUS to query Active Directory. Web publishing rules can also use RADIUS to authenticate remote access connections.

New

Delegation of basic authentication

Published Web sites are protected from unauthenticated access by requiring the ISA Server 2004 firewall to authenticate the user before forwarding the connection to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server.

New

Preservation of source IP address in Web publishing rules

ISA Server 2004 gives you a choice on a per-rule basis whether the firewall should replace the original IP address with its own or forward the original IP address of the remote client to the Web server.

New

CARP-enabled Web caching arrays (Enterprise Edition only)

ISA Server 2004 Enterprise Edition Cache Array Routing Protocol (CARP)-enabled Web caching arrays significantly extend the bandwidth saving and performance-enhancing Web cache included in all versions of ISA Server 2004. Web caching arrays provide load balancing and failover for Web access from any Web browser.
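The routing idea behind CARP-enabled caching arrays, as an added example that is not ISA Server code: each URL is assigned to the array member with the highest combined hash score, so every party with the same member list agrees on where an object is cached, and when a member drops out only that member's objects move. The CARP specification defines its own 32-bit hash functions; this example substitutes SHA-256 and uses constructed member names and URLs.

```python
import hashlib

def _digest(text: str) -> int:
    """Deterministic 64-bit hash. The CARP specification defines its own
    32-bit hash functions; SHA-256 is substituted here (this example's choice)."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")

def carp_route(url: str, members: list) -> str:
    """Choose the cache array member for a URL: combine the URL hash with each
    member's name and pick the highest score. Anyone with the same member list
    computes the same answer, so each object is cached on exactly one member
    and no member needs to ask the others where an object lives."""
    url_hash = _digest(url)
    return max(members, key=lambda m: _digest(f"{url_hash:016x}|{m}"))

def distribution(urls, members):
    """How many URLs land on each member; with a good hash this is roughly even,
    which is the load-balancing half of what the page describes."""
    counts = {m: 0 for m in members}
    for u in urls:
        counts[carp_route(u, members)] += 1
    return counts

def remap_report(urls, before, after):
    """How many URLs change member when the array changes from `before` to
    `after`, and how many of those moves were unnecessary (the old member is
    still present). With highest-score routing the second number is zero,
    which is what makes failover cheap: only the failed member's objects move."""
    old = {u: carp_route(u, before) for u in urls}
    new = {u: carp_route(u, after) for u in urls}
    moved = [u for u in urls if old[u] != new[u]]
    unnecessary = [u for u in moved if old[u] in after]
    return len(moved), len(unnecessary)

# Constructed sample: three array members and 1,000 URLs on one site.
MEMBERS = ["isa-array-01", "isa-array-02", "isa-array-03"]
URLS = [f"http://www.example.com/docs/page{i}.html" for i in range(1000)]

if __name__ == "__main__":
    print(distribution(URLS, MEMBERS))
    print(remap_report(URLS, MEMBERS, MEMBERS[:2]))   # member 03 fails
```

Compare this with routing by `hash(url) % len(members)`, where losing one of three members reassigns roughly two thirds of all URLs and empties most of the array's cache at once.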

[Topic Last Modified: 09/20/2007]