Microsoft Releases ISA Server Feature Pack

Microsoft Corp. posted a downloadable Feature Pack 1 for ISA Server 2000 on Tuesday that pushes Microsoft's enterprise software firewall further up the security food chain into the role of application-layer filtering.

Feature Pack 1 for Internet Security & Acceleration Server 2000 provides additional security features for Exchange and IIS servers and adds new wizards to make common scenarios easier to lock down.

"Hackers are bypassing traditional firewalls," said Zachary Gutt, technical product manager for ISA Server. "Today Port 80 is being used for many, many things other than Web browsing," Gutt said, listing Outlook Web Access and Web services as two such common, legitimate uses for the port. "ISA is really optimized for application-layer filtering."

In addition to the packet filtering and stateful inspection functionality it shares with most firewalls, Microsoft is drilling into its understanding of Exchange, IIS and Outlook Web Access to make ISA protect such Microsoft infrastructure products better from the network edge. In fact, Microsoft's pitch to customers with firewalls in place is to deploy ISA in addition to get Microsoft-specific coverage.

"ISA Server Feature Pack 1 addresses three main customer pains that we've heard," Gutt said. One is providing external e-mail access without compromising network security, the second is securing Web sites and Outlook Web Access, and the third is providing wizards to make common usage scenarios easier to set up.

Microsoft's main push in enhancing Exchange security for remote users consists of improvements to the Exchange RPC Filter, which shipped with the original ISA Server 2000. "We've enhanced it to allow an administrator to force encryption between all communications between Outlook and Exchange," Gutt said. Because there's no switch in Exchange to require encryption, users must select encryption in Outlook. The enhanced filter allows an administrator to configure ISA to drop a connection if the client doesn't have encryption turned on. Gutt said the approach provides a nice alternative to the overhead of a VPN and the less secure Outlook Web Access options for administrators who want to give traveling users access to e-mail but not the rest of the network.

The ISA team has also included the URLscan tool developed by the IIS team and put it in ISA Server to protect Web servers from buffer overflows, directory traversals and other attacks. "By running it at the network edge, you don't allow these attacks to even get into your internal network. Plus you don't have to run it on every IIS and OWA server in your network," Gutt said. Another highlighted change in the ISA feature pack for securing traffic over Port 80 is support for RSA SecureID authentication.

In the area of ease of use, Microsoft has added wizards to Feature Pack 1 for setting up Outlook Web Access and Exchange RPC filters. Additional technical documentation and scenario guides are included with the feature pack.

The interim pack brings new features to a product that is more than two years old and for which a general timeline for a follow-on product hasn't been discussed. The pack includes published hotfixes since Service Pack 1 for ISA Server 2000, but doesn't include any new bug fixes, according to Gutt.

Microsoft has said previously that it will not create another version of Mobile Information Server after the 2002 release, and that the functionality is being split into Exchange and ISA. Exchange 2003, set for release later this year, is planned to include Outlook Mobile Access technology that previously was a feature of Mobile Information Server. The ISA feature pack is not the vehicle, however, for including the mobile network authentication functionality that Mobile Information Server provided, Gutt said. When asked if that functionality would be included in the next full release of ISA, Gutt said the feature set for the product has not been locked down.

Meanwhile, Microsoft is not promising a Feature Pack 2 or Feature Pack 3 for ISA. "We're definitely considering the possibility of more. It's not something we're ruling out," Gutt said.

Internet Security & Acceleration Server Feature Pack 1 is available here:

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.