Features

The following describes the key features available in Microsoft Internet Security & Acceleration (ISA) Server 2006 Standard Edition and ISA Server 2006 Enterprise Edition. To compare the features in each edition, see Comparison of Standard and Enterprise Editions for ISA Server 2006.

Feature

Description

Firewall generated forms for forms-based authentication

Generate forms used by Outlook Web Access sites for forms-based authentication. This enhances security for remote access to Outlook Web Access sites by preventing unauthenticated users from contacting the Outlook Web Access server.

Remote access to Terminal Services using SSL

Computers running the Windows Server 2003 operating system support RDP over SSL to allow an SSL connection to Windows Server 2003 Terminal Services.

More securely publish Windows Server 2003 Terminal Server using SSL technology.

Enforce Microsoft Exchange RPC connections from full Microsoft Outlook messaging and collaboration MAPI clients

Publishing rules give remote users connection to Exchange Server using the fully functional Outlook MAPI client over the Internet. The Outlook client must be configured to use secure RPC so that the connection is encrypted.

RPC policy allows you to block all non-encrypted Outlook MAPI client connections.

Outlook Web Access Publishing Wizard

Clientless remote access through SSL connections forms the core of SSL VPNs.

Wizard walks you through creating a firewall rule and creates the Outlook Web Access SSL connection to your Exchange Server.

All network elements can be created in the wizard.

SharePoint Server Publishing Wizard 

New wizard publishes multiple Windows SharePoint Services sites simultaneously and provides for automatic link translation.

Integrated support for Exchange 2007

Built-in support for the Exchange 2007 feature set.

Feature

Description

Branch Office VPN Connectivity Wizard

Automatically configures a site-to-site VPN connection between two separate offices.

Full integration of VPN with the Microsoft Firewall service

Includes a more fully integrated virtual private networking mechanism, which is based on the Windows Server 2003 and Windows 2000 Server functionality.

Stateful filtering and inspection for VPN

VPN clients configured as a separate network zone.

Create distinct policies for VPN clients.

The firewall rule engine discriminately checks requests from VPN clients. The engine statefully filters and inspects these requests and dynamically opens connections based on the access policy.

SecureNAT client support for VPN clients connected to ISA Server 2006 VPN server

Expands VPN client support by allowing SecureNAT clients to access the Internet without the Firewall Client installed on the client system.

Enhances corporate network security by forcing user-based or group-based firewall policy on VPN SecureNAT clients.

Stateful filtering and inspection for communications moving through a site-to-site VPN tunnel

Control the resources that specific hosts or networks can access on the opposite side of the link.

Use group-based or user-based policy to gain granular control over resource use across the link.

VPN Quarantine

Uses Windows Server 2003 VPN quarantine tools for deep VPN client inspection and integration of your firewall policy.

Publishing VPN servers

Publish IP protocols and PPTP servers.

Smart PPTP application filter performs complex connection management.

Publish the Windows Server 2003 NAT-T L2TP over IPSec VPN server using ISA Server 2006 server publishing.

IPSec tunnel mode support for site-to-site VPN links

Improves site-to-site link support using IPSec tunnel mode as the VPN protocol.

Increases ISA Server 2006 interoperability with a wide array of third-party VPN solutions.

Feature

Description

Ease of use management features

Includes management features that make it easier to improve security of networks by avoiding misconfigurations.

User interface features include task panes, context-sensitive Help panes, and a Getting Started Wizard.

Easy-to-use wizards

New configuration wizards help publish Windows SharePoint Services, Exchange, and general Web sites.

New Branch Office VPN Connectivity Wizard helps configure site-to-site VPN connections.

Export and import of configuration data

Export and import configuration information.

Save configuration parameters to an .xml file, and then import the information from the file to another server.

Delegated Permissions Wizard for firewall administrator roles

Wizard helps you assign administrative roles to users and groups. These predefined roles delegate the level of administrative control users have over specified ISA Server 2006 services.

Centralized logging and reporting

Logs and reports traffic moving through all members of an enterprise array.

Eliminates need to collect log file information from each firewall and organize it to create unified report information.

Centralized storage of firewall policy (Configuration Storage server)

Uses Active Directory Application Mode (ADAM) for firewall policy storage. ADAM storage enables you to place policy storage containers anywhere in the organization, allowing enhanced flexibility and availability for firewall policy redundancy and facilitated access.

Enterprise policy

Set security policies at enterprise levels for consistent control over security standards throughout your geographically diverse organization, with application of array-level policy and local policy, as appropriate.

Automatic array configuration

Dynamically add servers to your enterprise and arrays with a simple wizard.

Automatically read the ADAM database for configuration and policy details.

ISA Server 2006 Microsoft Operations Manager (MOM) Management Pack

MOM Management Pack enables enterprise-level event monitoring and consolidation of common firewall activities.

Certificate Management

Utilize multiple certificates per Web listener and use different certificates per array member.

Simplifies certificate management and reduces the total cost of ownership associated with using certificates when publishing Web sites.

Extensive SDK

Includes a comprehensive SDK for developing tools that build on ISA Server 2006 firewall, caching, and management features.

Broad vendor support

Independent vendors offer products, such as virus detection, management tools, and content filtering and reporting, that build on and integrate with ISA Server 2006.

Hardware-based ISA Server appliances

Now available in preconfigured hardware.

Propagation of enterprise-wide policy

Underlying architecture is improved to provide for more efficiency.

Feature

Description

Real-time monitoring of log entries

View firewall, Web Proxy, and SMTP Message Screener logs in real time.

ISA Server Management snap-in displays the log entries as they are recorded in the firewall’s log file.

Built-in log query facility

Query the log files using the built-in log query facility.

Query logs for information contained in any field recorded in the logs.

Limit the scope of the query to a specific time frame.

Results appear in the ISA Server Management snap-in and can be copied to the Clipboard and pasted into another application for more detailed analysis.

Real-time monitoring and filtering of firewall sessions

View all active connections to the firewall. From a session view, you can sort or disconnect individual or groups of sessions. In addition, you can filter the entries in the session’s interface to focus on the sessions of interest using the built-in session filtering facility.

Connection verifiers

Verify connectivity by regularly monitoring connections to a specific computer or URL from the ISA Server 2006 computer using connection verifiers. You can configure which method to use to determine connectivity: Ping, TCP connect to a specific port, or HTTP GET. You can select which connection to monitor by specifying an IP address, computer name, or URL.

Customizing ISA Server 2006 reports

Includes an enhanced report customization feature for adding more information in the firewall reports.

Report publishing

Configure ISA Server 2006 report jobs to automatically save a copy of a report to a local folder or network file share.

Map folders or file shares to a Web site virtual directory so that other users can view the report.

Manually publish reports that have not been configured to automatically publish after report creation.

E-mail notification after report creation

Configure a report job to send you an e-mail message after a report job is completed.

Customized time for log summary creation

Designed to create log summaries at 00:30 (12:30 A.M.). Reports are based on information contained in log summaries. You can easily customize the time when log summaries are created with ISA Server 2006. This gives you increased flexibility in determining the time of day reports are created.

Log to an MSDE database

In addition to .txt files and Microsoft SQL Server databases, logs can now be stored in an .mdb file. Logging to a local database enhances query speed and flexibility.

Enhanced SQL Server logging

Log to a computer running a SQL Server database located on another computer on the internal network. ISA Server 2006 SQL Server logging has been optimized to provide much higher performance.

Feature

Description

Multiple network configuration

Configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a specific internal network. ISA Server 2006 extends the firewall and security features to apply to traffic between any networks or network objects.

Unique per-network policies

Better protect your network against internal and external security threats by limiting communication between clients even within your own organization.

Multi-networking functionality supports sophisticated perimeter networks, also known as demilitarized zone (DMZ) or screened subnet scenarios, helping you to configure how clients in different networks access the perimeter network. Access policies between networks can then be based on the unique security zone represented by each network.

Route and NAT network relationships

Define routing relationships between networks, depending on the type of access and communication required between the networks.

In some cases, you may want more secure, less transparent communication between the networks. For these scenarios, you can define a NAT relationship. In other situations, you want to simply route traffic through ISA Server. In these cases, you can define a route relationship. Packets moving between routed networks are fully exposed to ISA Server 2006 stateful filtering and inspection mechanisms.

Network Load Balancing

NLB provides real-time failover and load balancing of connections made through an ISA Server 2006 Enterprise Edition array. Real-time failover enables high availability for enterprise arrays, while load balancing evenly distributes connections across firewall array servers to prevent network slowdowns related to impacted firewalls.

Feature

Description

Multi-layer firewall

Provides three types of firewall functionality: packet filtering (also called circuit-layer), stateful filtering, and application layer filtering.

Application layer filtering

Provides deep content filtering through built-in application filters.

HTTP filtering on a per-rule basis

HTTP policy allows the firewall to perform deep HTTP stateful inspection (application layer filtering).

Extent of the inspection is configured on a per-rule basis. With this capability, you can configure custom constraints for HTTP inbound and outbound access.

Block access to all executable content

HTTP policy enables you to block all connection attempts to Microsoft Windows operating system executable content, regardless of the file extension used on the resource.

Control HTTP file downloads through file extension

HTTP policy enables you to define policy based on file extension, including “allow all except a specified group of extensions” or “block all extensions except for a specified group.”

HTTP filtering is applied to all ISA Server 2006 client connections

HTTP policy allows you to control HTTP access for all ISA Server 2006 client connections.

Control HTTP access based on “HTTP Signatures”

HTTP inspection can help you create “HTTP Signatures” that can be compared to the Request URL, Request headers, Request body, and Response body. This gives you precise control over what content internal and external users can access through the firewall.

Control allowed HTTP methods

Control what HTTP methods are allowed through the firewall by setting access controls on user access to various methods. For example, you can limit the HTTP POST method to prevent users from sending data to Web sites using the HTTP POST method.

Extensive protocol support

Gain control over accessing and using any protocol, including IP-level protocols. Users can then use applications such as Ping and Tracert and can create VPN connections using PPTP. In addition, IPSec traffic can be enabled through ISA Server.

Support for complex protocols requiring multiple primary connections

Many streaming media and voice or video applications require that the firewall manage complex protocols. ISA Server 2006 can manage these protocols and has an easy-to-use New Protocol Wizard you can use to create protocol definitions.

Customizable protocol definitions

Control the source and destination port number for any protocol for which you create a firewall rule. This gives the ISA Server 2006 firewall administrator a high level of control over what packets are allowed inbound and outbound through the firewall.

FTP policy

The ISA Server 2006 FTP policy can be configured to let users upload and download through FTP, or you can limit user FTP access to download only.

Granular control over IP options

Configure IP options on a granular basis and only allow the IP options you require while blocking all others.

Firewall user groups

Create custom firewall groups comprised of pre-existing groups in the local accounts database or the Active Directory directory service domain. This increases your flexibility to control access based on user or group membership, because the firewall administrator can create custom security groups from these existing groups. This removes the requirement that the firewall administrator be a domain administrator to create custom security groups for inbound and outbound access control.

Microsoft Hotmail Web-based e-mail access through the firewall

HTTP filter enables users to access Hotmail through an easy-to-configure firewall rule without the need for special configuration on the client or firewall.

Network objects

Expand your ability to define network objects by creating computers, networks, network sets, address ranges, subnets, computer sets, and domain name sets.

Use network objects to define source and destination settings for firewall rules.

Firewall Rule wizards

Rule wizards make it easier to create access policy.

Create access policy with a sophisticated firewall rule that you can use to configure any required policy element. You do not need to leave the rule wizard to create a network object. Any network object or relationship can be created within the new wizard.

Firewall rules represent an ordered list

Firewall rules are represented in an ordered list in which connection parameters are first compared to the top listed rule. ISA Server 2006 moves down the list of rules until it finds a rule matching the connection parameters and enforces the matching rule’s policy. This approach to firewall policy makes it easier to determine why a specific connection is allowed or denied.

User-based or group-based access policy

Enhanced firewall rules allow you to define the source and destination for each protocol a user or group is able to access. This greatly increases flexibility for inbound and outbound access control.

FTP support

Gain access to Internet FTP servers listening on alternate port numbers without requiring special configuration on the client or ISA Server 2006 firewall. Publishing an FTP server on alternate port numbers requires nothing more than a simple FTP server publishing rule.

Port redirection for FTP server publishing rules

Receive a connection on one port number and redirect the request to a different port number on the published server.

Flood Resiliency

Flood Resiliency feature protects ISA Server 2006 from being permanently unavailable, compromised, or unmanageable during a flooding attack.

Enhanced remediation during attack

Flood Resiliency provides enhanced remediation during attacks through log throttling, control of memory consumption, and control of pending DNS queries.

Feature

Description

Authentication

Authenticate users with built-in Windows, LDAP, RADIUS, or RSA SecurID authentication.

Separate front-end and back-end configuration provides for more flexibility and granularity.

Supports single sign-on for authentication to Web sites.

Apply rules to users or user groups in any namespace.

Third-party vendors can use the SDK to extend built-in authentication mechanisms.

Firewall client credentials forwarded to the Web proxy service

Allows Firewall clients to access the Web cache with the HTTP filter without requiring separate authentication with the Web proxy service.

RADIUS support for Web Proxy client authentication

Authenticate users in Active Directory and other authentication databases by using RADIUS to query Active Directory.

Web publishing rules can also use RADIUS to authenticate remote access connections.

Delegation of basic authentication

Help protect published Web sites from unauthenticated access by requiring the ISA Server 2006 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits launched by unauthenticated users from reaching the published Web server.

SecurID authentication for Web Proxy clients

Authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must know something and have something to gain access to the published Web server.

Single sign-on

Allow users to access a group of published Web sites without being required to authenticate with each Web site.

Forms-based authentication

Forms-based authentication is now available for all published Web sites, and not just for Outlook Web Access.

Session management

Includes improved control of cookie-based sessions to provide for better security.

Support for LDAP authentication

LDAP authentication allows ISA Server to authenticate to Active Directory without being a member of the domain.

Feature

Component

Secure Web publishing

Place servers behind the firewall, either on the corporate network or on a perimeter network, and publish their services. With the improved secure Web Publishing Wizard, you can create a rule that lets users have SSL remote access to published Web servers.

Path mapping for Web publishing rules

Improves the flexibility of Web publishing because you can redirect the path sent to the firewall by the user to any path of choice on the published Web server.

Preservation of source IP address in Web publishing rules

Gives you a choice on a per-rule basis whether the firewall should replace the original IP address with its own or forward the original IP address of the remote client to the Web server.

Link translation

Includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names.

Implements link translation automatically during Web publishing.

Cross-Array Link Translation

Allows links in Web content containing an internal server name to be translated to the public name, even if the Web content is published in a different array.

SSL bridging support

To guard against embedded attacks in HTTP traffic, SSL bridging allows SSL protected packets to be decrypted by ISA Server 2006, inspected, and re-encrypted.
