Thomas Shinder Blog

Archive: April 2008

Microsoft Announces the Next Version of the IAG — The Forefront Unified Access Gateway

The Microsoft Intelligent Application Gateway 2007 (IAG 2007) is an SSL VPN gateway that supports all types of SSL VPNs. We’ve covered the IAG 2007 a bit on this site and look forward to even more comprehensive coverage in the future. One of the issues that has hamstrung our efforts to popularize the IAG is that no software version of the solution was available.

That’s where today’s good news comes in. At the Interop conference in Las Vegas today, Microsoft announced the upcoming release of the Microsoft Forefront Unified Access Gateway or UAG. The Forefront UAG is positioned to be the “one-stop shop” for secure remote access to corporate applications by bringing together all of the remote access methodologies available for Microsoft networks today.

However, UAG will not be limited to supporting just Microsoft applications; the Forefront UAG will continue in the great tradition of the IAG in supporting secure remote access to non-Microsoft applications. This will help carry the universal appeal of the IAG over to the upcoming UAG.

While the details of the improvements and new features haven’t been officially announced, some of the improvements noted at Interop include:

  • Easy product and licensing upgrades from either IAG 2007 or ISA 2006
  • Improvements in end point security and cache clean up, including application awareness regarding how application data is cached
  • Tight integration with Network Access Protection (NAP)
  • More wizards to further simplify Forefront UAG configuration, which reduces the cost of the steep learning curves typically associated with SSL VPN solutions
  • Improved positive and negative logic filtering, which protects against both known and unknown exploits (zero-day attack protection)
  • Application optimizers for SharePoint will be improved to fully support the SharePoint Alternate Access Mapping (AAM) feature and enable a fully transparent end-user experience for all remote SharePoint users

Margaret Dawson, Group Product Manager for the Forefront Edge products (which include the next version of the ISA Firewall, the Forefront Threat Management Gateway or TMG, and the Forefront UAG), stated, “We wanted to update our naming and branding, and the vision you will see us better over time is the integration and alignment with multiple access solutions across Microsoft. We will do a better job of integrating with SharePoint, OWA, mobile, Windows Server…This integration with our products and other solutions provides easier management and [better] user experience.”

The ISA Firewall has always been a thought leader in the application layer inspection firewall space, and the IAG’s major advantage over other SSL VPN solutions was its primary focus on security, through the use of very sophisticated positive and negative logic filters for Web applications.

Margaret Dawson reinforces the commitment to application layer inspection as the gold standard for network security: “One of the biggest differentiators we have today and will continue to build on is application intelligence. In remote access, there are two approaches — a network-centric view and an application view. Not surprisingly, we have an application focus… to our access solution.”

For more information about today’s release, check out:

http://www.darkreading.com/document.asp?doc_id=152...ews2_1

http://blogs.technet.com/forefront/archive/2008/04...y.aspx

http://www.microsoft.com/forefront/prodinfo/roadma...g.mspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

The Next Version of the ISA Firewall - the Forefront Threat Management Gateway - Now Available for Download

Last week I told you guys about “Stirling”, the sophisticated new technology that Microsoft will use to tie together all of the products that participate in the Forefront Security line of products, as well as some of the Windows Server 2008 platform security technologies (such as NAP). I also provided a link to the Stirling download. However, one thing I didn’t make clear in the blog post was that part of the Stirling Package was the Beta 1 version of the new ISA Firewall, which is now named the Forefront Threat Management Gateway (or Forefront TMG or TMG).

I’ve downloaded and installed the TMG this week and there are a few interesting changes, and a couple of very nice new features! Remember, this is a Beta 1 release and that the product is far from complete. So if some of your favorite features aren’t included, don’t worry! They might be included in future Betas of the TMG. I tell you this because I don’t want you to judge the TMG’s feature set by what you see now and get disappointed. MS is listening to you and your feature requests and there’s a good chance that some of the features you want will be included in future versions.

You can download only the TMG bits, or you can download all of the Forefront products and test out Stirling.

The download link is at:

http://technet.microsoft.com/en-us/evalcenter/cc33...9.aspx

HTH,

Tom


X-Forwarded-For ISA Server 2.0

Looking to add X-Forwarded-For functionality to your ISA Server proxy infrastructure, like that found in Squid, Apache, F5 Big-IP, Blue Coat, Cisco Cache Engine, Netcache, etc.? Now you can! Winfrasoft X-Forwarded-For for ISA Server adds the ability to track the source IP address of a client PC through a proxy server chain. This is very useful for log analysis when branch offices connect to the Internet via a head office proxy server, and in many other scenarios where multiple proxy server layers are used.

Version 2.0 of X-Forwarded-For for ISA Server introduces some key new features asked for by our customers, including:

  • Added support for reverse proxy scenarios
  • Works with both HTTP and SSL connections for Web Publishing
  • Supports proxy chains longer than two servers in both directions
  • Integrates with other 3rd party products that support the X-Forwarded-For de facto standard
  • Runs on ISA Server 2004
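
As an added illustration (not Winfrasoft's code and not part of the original post), this Python sketch shows how a log-analysis script can recover the originating client from an X-Forwarded-For chain that passes through a branch-office and a head-office proxy. Because the header can be set by any client, it only believes entries appended by known proxies; the proxy networks, sample addresses and function names are assumptions made for the example.

```python
import ipaddress

# Assumed (constructed) proxy networks: head-office and branch-office proxies.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/24", "192.168.50.0/24")]

def _parse_ip(token):
    """Return an ip_address for one header element, or None if malformed."""
    token = token.strip()
    if token.startswith("["):            # bracketed IPv6, optional :port
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:          # IPv4 with :port
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def resolve_client_ip(peer, xff_header):
    """Walk the chain right to left; return (client_ip, trusted_hops).

    peer is the TCP source address the logging server saw. Each proxy
    appends the address it received the request from, so an entry is
    believed only if the hop that added it is a trusted proxy.
    """
    current = ipaddress.ip_address(peer)
    entries = [e for e in (xff_header or "").split(",") if e.strip()]
    hops = 0
    while entries and _is_trusted(current):
        candidate = _parse_ip(entries.pop())
        if candidate is None:            # malformed: keep last verified hop
            break
        current = candidate
        hops += 1
    return str(current), hops

if __name__ == "__main__":
    # Constructed log samples: (peer address, X-Forwarded-For value)
    samples = [("10.0.0.5", "172.16.4.23, 192.168.50.2"),    # branch client
               ("10.0.0.5", "198.51.100.7, 203.0.113.9"),    # forged first entry
               ("203.0.113.9", "10.0.0.5")]                  # untrusted peer
    for peer, xff in samples:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff))
```

In the second sample the leftmost entry was supplied by the client itself, so the resolver stops at 203.0.113.9, the address the trusted proxy actually saw.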

For more information, check out:

http://www.winfrasoft.com/X-Forwarded-For.htm

HTH,

Tom


Forefront MVPs Missing in Action - ISA Server MVPs Contact Me

There have been a lot of changes to the MVP program this year, no more so than for ISA Firewall MVPs. Earlier this year, all of the ISA Firewall MVPs were moved from ISA Server MVPs to Forefront MVPs. It’s a major change, but one that presents a lot of opportunities for ISA Firewall MVPs, as they moved from the old ISA Firewall to the upcoming Forefront Threat Management Gateway (the next version of the ISA Firewall). Combining the ISA/TMG MVPs with the rest of the Forefront MVPs will allow us all to communicate with one another about the entire family of MS Security Products that belong to the Forefront line of security products.

However, to get the project going, we need to identify all of our English-speaking ISA Firewall MVPs so that we can get you all up to speed on what’s happening in the Forefront MVP world. I’ve been able to find email addresses for most of you, but there are still a few of you that I can’t find. If you find your name on the following list, can you please send me an email with your preferred email address? That way, I can let you know what’s happening with the MS Forefront MVP group and get you involved with the process and connected to the Forefront product group.

My ISA Firewall MVPs missing in action are:

Marc Grote

Tamas Gal

Moez MezGhani

Carlos Zapata

Hugo Rodriguez

Shijaz Abdulla

Emerson Gonzalaz

Emre Aydin

Raul Moros Pena

Thanks!

Tom


Introducing the Future of the ISA Firewall — The Forefront Threat Management Gateway (Forefront TMG)

If you haven’t already heard about this from reading the industry news that took place last week at the RSA conference, this will come as a surprise to you. It was announced at RSA that the ISA Firewall’s life will end with ISA Server 2006. As an ISA 2006 firewall admin, you are now administering the last version of the ISA Firewall. In the future, the ISA Firewall will be renamed the Forefront Threat Management Gateway, or TMG.

I’ve been with you from the beginning of the life of the ISA Firewall. We here at ISAserver.org supported ISA 2000 from the start, got you up to speed when ISA 2004 introduced wide sweeping changes to the ISA Firewall’s networking architecture, and then moved you up to the latest rev of the ISA Firewall, ISA Server 2006.

It’s a bit sad for me to share this news with you. I’ve lived and breathed ISA for the last 8 years. I’ve worked hard to help you understand the ISA Firewall and how to configure it in the most secure fashion, so that you could show the network guys that the ISA Firewall is the most secure firewall on the market today.

With the changes coming with the upcoming Forefront TMG, we might need to start rethinking how we deploy the TMG. For example, should we think of the TMG as a firewall? Is it something else? Should it be on the edge? Should we use it as an internal firewall/gateway to protect network security zones from other network security zones?

These are hard questions to answer, because the full feature set of the TMG isn’t in the public domain. I can tell you that I had the opportunity to learn quite a bit about what’s coming in the future for the TMG and the upcoming upgrade of the IAG 2007 product while visiting the MS Research and Development facilities for both the ISA/TMG and IAG products, and I can tell you that you will definitely see original methods of significantly increasing the security of your network by upgrading. While I wish I could share with you all the details, I cannot because all this information is under a non-disclosure agreement. However, as soon as I get the OK to share, you will be the first ones to know!

The TMG is also part of a larger effort, which is code named “Stirling”. I also had a chance to learn a LOT about the Stirling security solution, and it’s truly amazing. You might have heard about the concept of the “Dynamic Systems Initiative” in the past, but we really never saw anything that looked very dynamic until Stirling. From what I’ve seen of Stirling, I think you’ll find that it will significantly reduce administrator overhead for dealing with network security events and will also provide you with a much clearer view of your current network security status.

If you want to check out Stirling, you can download it at:

http://technet.microsoft.com/en-us/evalcenter/cc33...9.aspx

To learn more about TMG and the future of the ISA Firewall, check out the ISA Server Team Blog for what David Cross has to say about it at:

https://blogs.technet.com/isablog/archive/2008/04/...r.aspx

HTH,

Tom


