Secure Remote Access
Publishing Web, Client/Server, and Other Applications and Resources
Securely Publish Your Content for Remote Access
Businesses need to provide employees, partners, and customers with secure remote access to applications, documents, and data from any PC or device at any location.
Secure application publishing and secure socket layer (SSL) virtual private network (VPN) enable organizations to make their key end-user focused IT infrastructure components—such as computers running Microsoft Exchange Server, Microsoft SharePoint Portal Server, file shares, and other resource servers—accessible to remote users over a fully protected application-layer connection. By pre-authenticating users before they gain access to any published servers, inspecting even encrypted traffic at the application layer in a stateful manner, and providing automated publishing tools, Forefront edge security and access products make it easier to provide security for corporate applications accessed over the Internet.

Together, Microsoft Internet Security and Acceleration (ISA) Server 2006 and Microsoft’s Intelligent Application Gateway (IAG) 2007 form a Microsoft Windows-based platform for enabling secure user access from virtually any device or location.
Optimized for Enterprise Resources
ISA Server, with its broad-based network edge protection, and IAG with its application-centric, policy-based access and granular Web application firewall security, deliver enhanced access control, application publishing, and comprehensive endpoint and application security.
Growing mobility: Need to enable browser-based access
• Traditional VPNs are inadequate and hard to manage, with all-or-nothing policy that doesn’t work behind other firewalls
• Access to more and different types of applications than ever before
• Intranet and extranet access from more users, locations and devices
Secure application access: Unified SSL VPN, application-layer filtering, and endpoint security management provides employees with optimized intranet access to critical applications, documents, and data from a broad range of devices and locations.

Increased threats: Must block malicious traffic and attacks
• My applications and data resources are vulnerable to exploits
• Full network access increases risk
• Poor integration with applications and services exposes infrastructure
• Legacy applications not “Internet-ready”
Customizable enterprise security: Flexible and differentiated access to extranet resources for employees and partners to Web and legacy applications, while protecting infrastructure through easily adaptable application-specific security.

Complex policy requirements: Need to drive policy compliance
• Changing legal and business guidelines require information usage restrictions to limit exposure and liability
• I need to prove better ROI on security and access infrastructure (with fewer helpdesk calls)
Granular information protection: Internet-based and mobile access from unmanaged endpoints that enforces proper information usage with granular identity-based policies, helping the business to comply with legal and regulatory guidelines.
Choose a Solution that Makes Sense for Your IT Environment
Your choice of access mechanism should be dictated by both business and security needs. Microsoft’s goal is to provide a broad solution that can easily adapt to a variety of usage and deployment scenarios. The table below will help you identify which solution makes the most sense in your IT environment.
ISA Server 2006:
• Publish, secure, and pre-authenticate access to specific Web applications (Exchange Server, SharePoint Server)
IAG 2007:
• Differentiated and policy-driven access to almost any application (both Microsoft and third-party), network, server, or data resources
• Flexible application-intelligent SSL VPN from any device or location
• Highly granular access and security policy, including intra-application controls
• Customizable, identity-based Web portal experience

ISA Server 2006:
• Network edge protection through stateful packet inspection
• Application protection with advanced protocol filtering and validation
IAG 2007:
• Deep application content inspection and filtering with input validation and granular upload and download controls
• Adaptable Web application firewall enforces application-specific filtering to protect applications from unmanaged PCs and networks
• Integration with enterprise infrastructure helps ensure the integrity and safety of network resources and applications
• Extensive monitoring and logging helps drive policy compliance by tracking user activity and data usage

ISA Server 2006:
• Full IPsec VPN network connectivity integrated with the firewall engine for managed-PC access
IAG 2007:
• Browser-based full network access
• Strong endpoint security management and verification helps ensure endpoint health compliance and session control
• More granular control at the browser over users’ access to Web and non-Web resources
• Helps meet corporate information usage guidelines through client-side cleanup
How ISA Server and IAG 2007 Help Improve the Security of Your IT Resources
The following table provides a more detailed view of how ISA Server provides baseline secure application publishing for Microsoft Exchange and SharePoint Portal technologies and how IAG 2007 enables customizable SSL VPN-based access with endpoint security management.

ISA Server 2006: General application access from Web-enabled clients when content-specific policy is not required.
IAG 2007: Highly customizable and differentiated application access based on user identity, content and file attributes, URL, and client security state.

Exchange Server, SharePoint Portal Server
ISA Server 2006:
• Protocol validation and filtering
• Pre-authentication
• OWA-specific content inspection
• Application and user-level policy
• SharePoint link translation
• Simple publishing wizards
IAG 2007:
• Comprehensive pre-authentication and single sign-on
• Application-specific data protection
• Block specific functions or areas within applications based on endpoint profile
• Endpoint security verification
• Client-side cache and session clean-up (Attachment Wiper)
• Multiple policy-based portal configurations with link translation
• Flexible and customizable portal experience with automated application launch
• Native SharePoint services support

File Share Access
IAG 2007:
• Secure socket layer (SSL) virtual private network (VPN)-based server share and full network access
• Access to user's home directory and shared file folders (Web access)
• File-level security and policy controls
• Session management and security (clean-up)

Client/Server
ISA Server 2006:
• Native Outlook and Microsoft Office Outlook 2003
IAG 2007:
• SSL VPN-based access using almost any client-side application or server proxy
• Policy based on endpoint profile with application-specific session control
• Seamless support of Microsoft Office on the client
• Identifies client executables; allows only specific applications to tunnel
• Secure Telnet and native Terminal Services client support

Mobile
ISA Server 2006:
• Outlook Mobile Access and Exchange ActiveSync publishing
• Certificate-based authentication
IAG 2007:
• Browser-specific micro-portal pages with custom login and logout
• OMA command and URL filtering
• Automatic device detection; supports e-mail push

Other
ISA Server 2006:
• Web-based applications
• Generic server publishing
• IPsec VPN quarantine
IAG 2007:
• Customizable Web portal
• Supports any Web-enabled application with full content security
• Single sign-on against multiple directories
• Instantly publishes almost any non-Web application
• Comprehensive monitoring and logging to track information usage