Background
Microsoft’s Internet Security and Acceleration Server (ISA), launched in 2000, is now in its third release; the latest version, ISA 2006, is available from Microsoft.
Microsoft ISA Server has a hybrid proxy-firewall architecture, which makes it a dual-purpose product: it acts as a proxy cache for users browsing the internet and as a firewall protecting those users from external threats. The product also performs deep packet inspection from the application layer through to the physical layer, making it a noteworthy product for your organisation’s security.
Challenges
To date ISA has had to compete directly with appliance firewalls. ISA has always been at a slight cost disadvantage in that it requires a dedicated server, a Microsoft Windows Server licence and, of course, the ISA licence. Appliance-based firewalls are in essence a single cost covering all three of these components, so convincing customers that it was in their best interests to move to ISA was often a difficult task.
Virtualisation
The virtualisation of servers and their associated applications on platforms such as Microsoft’s Hyper-V is now widely accepted as the enterprise standard for deployment. This technology allows a number of different ‘virtual’ servers to run on a single physical piece of server hardware. Naturally this leads to efficiencies in hardware procurement and management. The greatest benefit, however, is the ability to recover from a disaster in a very short space of time: your servers are now software files that can be copied from backup media and restored immediately.
ISA Virtualisation
With the release of Service Pack 1 for ISA 2006, Microsoft now supports ISA on a virtualised platform. ISA can now be run on a Hyper-V server alongside other virtual servers, allowing efficient use of hardware resources as well as the ability to recover from a disaster quickly. To deploy ISA on a Hyper-V host you must have at least two network cards on the server and assign them both as external network interfaces. The physical network interface, generally connected to your external router, must be mapped to the virtual external ISA interface. All protocols, especially TCP/IP, must be disabled on that physical interface so that the host itself has no presence on the internet-facing wire, and the Hyper-V host must be hardened as if it were an internet-facing device.
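The deployment rule above (no host protocol bindings on the physical NIC that backs the ISA external interface) is easy to get wrong and easy to regress when someone “fixes” host networking later, so it is worth auditing. The following script is an added example, not part of the original article and not Microsoft’s own tooling; it assumes the Hyper-V and NetAdapter PowerShell modules (Windows Server 2012 R2 or later), which postdate the ISA 2006 / original Hyper-V era the article describes. The switch name `ISA-External` is a hypothetical placeholder for whatever you named the external virtual network that carries the ISA external leg.

```powershell
# Added example (not from the original article): audit the Hyper-V host so that
# the physical NIC backing the ISA external virtual switch carries no host
# protocol bindings, and that the host has no virtual NIC on that switch.
# Assumes the Hyper-V and NetAdapter modules (Windows Server 2012 R2+).
# Run in an elevated session. Without -Fix the script only reports.

param(
    [string]$SwitchName = 'ISA-External',   # hypothetical name of the external switch
    [switch]$Fix
)

# The only binding that should remain enabled on a switch-bound physical NIC
# is the Hyper-V Extensible Virtual Switch protocol itself.
$allowedBindings = @('vms_pp')

$switch = Get-VMSwitch -Name $SwitchName -ErrorAction Stop
if ($switch.SwitchType -ne 'External') {
    throw "Switch '$SwitchName' is of type $($switch.SwitchType); the ISA external leg must be an External switch."
}

$findings = @()

# A host-side virtual NIC on the internet-facing switch gives the host an
# address on that wire, which is exactly what the article says must not happen.
if ($switch.AllowManagementOS) {
    $findings += [pscustomobject]@{
        Check   = 'AllowManagementOS'
        Detail  = "Host has a management vNIC on switch '$SwitchName'"
    }
    if ($Fix) {
        Set-VMSwitch -Name $SwitchName -AllowManagementOS $false
    }
}

# Resolve the physical adapter behind the switch and inspect its bindings.
$nic = Get-NetAdapter -InterfaceDescription $switch.NetAdapterInterfaceDescription -ErrorAction Stop

$extraBindings = Get-NetAdapterBinding -Name $nic.Name |
    Where-Object { $_.Enabled -and ($allowedBindings -notcontains $_.ComponentID) }

foreach ($binding in $extraBindings) {
    $findings += [pscustomobject]@{
        Check   = 'ProtocolBinding'
        Detail  = "$($nic.Name): $($binding.ComponentID) ($($binding.DisplayName)) is enabled"
    }
    if ($Fix) {
        # Unbind the host protocol (e.g. ms_tcpip, ms_tcpip6, ms_msclient, ms_server).
        Disable-NetAdapterBinding -Name $nic.Name -ComponentID $binding.ComponentID -Confirm:$false
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: host has no protocol bindings or vNIC on switch '$SwitchName' (adapter '$($nic.Name)')."
} else {
    $findings | Format-Table -AutoSize
    if (-not $Fix) {
        Write-Warning 'Re-run with -Fix to remove the listed bindings and the management vNIC.'
    }
}
```

Running it without `-Fix` from a scheduled task or configuration-check job gives you a cheap regression test for the hardening state; any enabled binding other than the virtual switch protocol, or `AllowManagementOS` being true, means the host, not just the ISA virtual machine, is reachable from the external router.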
Threat Management Gateway
The next release of ISA Server, named Microsoft Forefront Threat Management Gateway (TMG), has embedded anti-virus, web content filtering and advanced malware protection for users visiting websites that may be infected with malicious code. TMG is currently at release candidate (RC) stage and is also capable of being virtualised. Continued virtualisation support for perimeter protection products is a promising sign that it forms part of Microsoft’s long-term strategy.