Mobile access to corporate resources such as applications and data accounts for a significant portion of overall IT operations and management costs, and costs are steadily increasing as these demands rise. In addition, extending access to unmanaged endpoints increases a business’ risk profile due to unauthorized access.
Businesses need to enable browser-based access by employees to a defined set of messaging and collaboration resources from a broad range of endpoints to improve productivity, while ensuring that users are authenticated and helping protect the network from threats on unmanaged devices.
Together, Microsoft Internet Security and Acceleration (ISA) Server 2006 and Microsoft’s Intelligent Application Gateway (IAG) 2007 can help businesses more easily provide security for corporate applications accessed over the Internet.
- Secure application publishing to remote users by pre-authenticating users before they gain access to any published servers, inspecting even encrypted traffic at the application layer in a stateful manner.
- Unified Secure Sockets Layer (SSL) virtual private network (VPN), application-layer filtering, and endpoint security management provide employees with optimized intranet access to critical applications, documents, and data from a broad range of devices and locations.
Secure Application Access
IAG 2007 secures access through a single point of entry from multiple access points to enterprise line-of-business applications—including Web, client/server, and legacy applications—while enforcing user authentication and authorization over a policy-defined application-layer connection.

| Key IT Administrator Concerns | ISA Server 2006 Provides | IAG 2007 Provides |
| --- | --- | --- |
| Control Access | | |
| Users (employees, partners, and customers) need simple browser-based access to business-critical applications and data, without creating multiple logins and increasing my risk from password leaks. | Smooth user experience for published Web applications, document libraries, and content, with single sign-on and automatic link translation to help ensure secure and consistent access. | Simplified user experience with an easy-to-use, customizable SSL VPN portal defined by user identity, including multiple portal configurations. Single sign-on to multiple and custom directories (with integrated password management) and strong/two-factor authentication (such as SecurID and X.509) help reduce the threat of password attacks. |
| Need to enforce policy and enhance IT asset control, and make better use of Active Directory-based authentication while enabling a wide array of different access devices. | Enhanced multi-factor authentication (smartcards, one-time passwords), flexible integration with Microsoft Windows Server Active Directory (Lightweight Directory Access Protocol [LDAP] authentication support), and customizable forms-based pre-authentication for almost any Web application and client device, increasing security and deployment flexibility for Web application servers throughout the organization. | Microsoft Windows Active Directory integration, with full support for LDAP and RADIUS. IAG can also combine authentication against one repository (such as RSA SecurID) with authorization data from another (such as Active Directory). |
| Business rules dictate stronger authentication methods for servers. Mobile users often connect and then walk away without logging off. | Compatibility with your existing authentication infrastructure through enhanced authentication delegation (including NT LAN Manager [NTLM], Kerberos, and SecurID), plus tighter access control through improved session management that detects non-user traffic and applies automatic idle-based timeouts. | Custom authentication schemas enable tight access security while allowing users to enter all credentials on the same page. Multi-factor custom forms and script support include X.509 client certificates and smartcards, as well as two-factor authentication schemas such as RSA SecurID, VASCO Digipass, and Swivel PINsafe. |
| Protect Assets | | |
| Need to ensure proper application behavior and protect infrastructure from malicious Internet traffic. | Application-layer firewall with protocol validation and command filtering helps protect Outlook Web Access (OWA), Microsoft SharePoint, and other Web-based applications from intrusions. | Policy-driven access to intranet tools, resources, and files with ACL-level control. A Web application firewall with application-specific content, command, and URL filtering helps block malformed HTTP requests and data inputs. In addition, .EXE identification and policy control help prevent malware from being uploaded to application servers. |
| Configuring settings for publishing servers is cumbersome. For example, I frequently do not know whether certificates are valid while configuring SSL. | Automated tools for Microsoft Exchange Server, SharePoint, and other Web servers simplify the process of securely publishing multiple sites, and enhanced certificate administration helps avoid configuration errors. | Simple tools for configuring ‘URL restricted zone’ definitions, file upload and download controls, and positive- and negative-logic filtering rules reduce the Internet attack surface introduced by complex setups. |
| Safeguard Information | | |
| My business is at risk legally and financially if sensitive data is compromised or exploited. | Application filters for HTTP and RPC include command filtering to prevent unauthorized server requests. | Security-enabled session termination and inactivity timeouts, combined with on-the-fly content validation and manipulation that controls the data displayed to the end user, help protect sensitive information. |
| I don’t always know what devices are connecting … protect my network from compromised clients. | Windows Server-based IPsec VPN quarantine provides control over client health and remediation before granting network access. | Endpoint compliance checks and client state monitoring and clean-up (browser history, user ID, …) help reduce the risk of information leaks. |
| I need an adaptable portal that can be used from a wide variety of PC and mobile devices. | Customizable forms-based authentication can be used as a simple gateway to intranet tools and applications such as OWA and SharePoint Portal Server. | An endpoint policy-defined micro-portal for mobile devices, with automatic detection of the client browser, increases usability for low-bandwidth or limited devices. |
| I need to limit exposure to data threats by controlling what a user can do through the portal if I don’t trust the client’s network. | Per-network routing policies give macro-level control over intranet access. | Comprehensive access policy, monitoring, and logging help ensure network integrity by restricting client access based on endpoint security profile, up to and including policy controls over actions within an application. |
Application Security
ISA Server 2006 and IAG 2007 were both designed for a high level of application-layer security, with a focus on delivering specific security enhancements and optimization on a per-application basis. The table below details the value that ISA Server 2006 and IAG 2007 each bring for particular types of infrastructure access.
| Key IT Administrator Concerns | ISA Server 2006 Provides | IAG 2007 Provides |
| --- | --- | --- |
| | General application access from Web-enabled clients when content-specific policy is not needed | Highly customizable and differentiated application access based on user identity, content/file attributes, URL, and client security state |
| Exchange Server, SharePoint Portal Server | | |
| File Share Access | Via full IPsec VPN | |
| Client/Server | Native Outlook, Outlook 2003, and Outlook 2007 support | |
| Mobile | | |
| Other | | |