
What is an IAG 2007 SSL VPN?

We spent a lot of time on the IAG 2007 SSL VPN during our MVP week at the main Microsoft campus in Redmond. It was time well spent, as many of the ISA Firewall MVPs weren’t aware of what the IAG was, and what an SSL VPN had to offer.

First off, the IAG 2007 SSL VPN has the ISA Firewall 2006 installed on it. Microsoft decided to do this so that the IAG can be protected from attack and so that it can be placed at the edge of the network. Since the ISA Firewall was designed to be an edge firewall, and has never been compromised, it makes sense to put the ISA Firewall on the IAG to protect the device itself.

One thing the IAG is not is an outbound access device. The IAG is all about inbound access, using either its SSL VPN feature or its PPTP or L2TP/IPSec remote access VPN capabilities.

I asked about whether the IAG would be supported in a site to site VPN scenario. That is to say, if I called PSS and asked about problems with a site to site VPN between an IAG and an ISA firewall, or between two IAG devices, they would support me.

The goal of the IAG SSL VPN is to provide you remote access to all your corporate applications without having to worry about problems associated with typical remote access VPN connections, such as network numbering problems, or firewalls that block outbound PPTP or L2TP/IPSec and NAT-T.

But the IAG goes much farther than that. It provides three types of SSL VPN capabilities, including:

  • Traditional Reverse proxy
  • Port and socket forwarding
  • Network level VPN over SSL (TCP over TCP like VPN)

In addition, the IAG provides very robust client-side checking. This checking can be done to evaluate the level of access the client has to the corporate network, or if the client is allowed to connect at all. You can also change the application experience based on the client configuration — such as hiding the “attachment” button if it’s detected that the user is connecting from a kiosk.

You probably want the details, and I’ll provide those details in a feature article in two weeks. Until then, I highly recommend that you visit the Microsoft site and check out a VM of the IAG at www.microsoft.com/forefront/edge

HTH,

Tom

tshinder@isaserver.org

One Response to “What is an IAG 2007 SSL VPN?”

  1. Stefaan Pouseele Says:

    March 18th, 2007 at 7:52 am

    Hi Tom,

    after looking at the IAG 2007 product I think that the ‘Network level VPN over SSL’ will be overruled by the SSTP (Secure Socket Tunneling Protocol) available in Vista SP1 and Longhorn. Check out http://blogs.technet.com/rrasblog/search.aspx?q=ss...mp;p=1 for more info.

    Nevertheless, I wonder how well the other two components ‘Traditional Reverse proxy’ and ‘Port and socket forwarding’ will be integrated in the next ISA Server version. In any case, I do hope they will!

    Thanks,
    Stefaan
