Some of the news from the past month
- ISA 2006 SP1 and IAG 2007 Supportability Statement
- USEast assumes support of the NEI NS-Series Appliance Product
- Citrix and Microsoft Unveil New ISA based Branch Office Appliance
- Forefront Threat Management Gateway (TMG) Help Sets a New Bar
Interesting article on the impact NAP is having...
- IAG now UAG
- Microsoft announces its next-generation secure remote access solution, the Forefront Unified Access Gateway
Feed: TechNet Blogs
Posted on: Thursday, September 18, 2008 3:02 PM
Subject: ISA 2006 SP1 and IAG 2007 Supportability Statement
Occasionally you find the combination of two things that result in something better than the sum of the individual parts. Some combinations that come to mind are peanut butter and chocolate, steak and lobster, and ISA Server 2006 and IAG 2007. You can’t eat ISA and IAG, but combined in the IAG 2007 product they create an awesome SSLVPN with rich features. Just like a good soup, IAG 2007 benefits from high quality ingredients. For more information on this “better together” approach, review the articles below:
Real World Experience
Recently, I began seeing questions about the addition of ISA 2006 SP1 on customers’ IAG 2007 systems. After some research, it turned out that Windows Update was detecting the lack of ISA 2006 SP1 and prompting administrators to install the service pack on their IAG 2007 servers. If you are familiar with IAG 2007’s predecessor, eGap 3.6, you will remember that the internal server was protected by a SCSI interface that shuttled between the external and internal servers. In IAG 2007, the external server and SCSI interconnect have been removed and replaced by ISA 2006. In this configuration, ISA 2006 protects the external interface of IAG 2007, amongst other things.
Since SP1 for ISA 2006 includes feature updates as well as security updates, just like any other Windows application, it is essential to make sure there is no security vulnerability that might affect the ISA application. Hence it is important to make sure the ISA server is also updated from time to time.
When you first initialize the IAG 2007 system, you will notice that ISA Server 2006 is installed as well. As applications are added to the portal trunk, rules are created in ISA 2006 to allow the specific traffic types that IAG 2007 will publish. If IAG 2007 is configured for automatic updates or you visit the Windows Update site, SP1 for ISA 2006 will be queued for installation if it is not already installed. You can review the benefits of SP1 for ISA 2006 by following this link: http://blogs.technet.com/isablog/archive/2008/05/23/isa-server-2006-service-pack-1-features.aspx
As you can see from reading the list, we fixed a few things in ISA 2006 with SP1. In addition, patch management is part of the Desktop, Device, and Server security process best practices that IT professionals should be following. Recently, while testing IAG 2007 SP2, our product group tested with ISA 2006 SP1 installed and found no issues related to this service pack. So go ahead and add ISA 2006 SP1 to your IAG 2007 system. I bet you will find it’s a great combination and is a high quality ingredient in your security soup.
Feed: Planet V12n
Posted on: Tuesday, May 20, 2008 2:34 PM
Author: Planet V12n
Subject: Citrix and Microsoft Unveil New Branch Office Application Delivery Solution at Citrix Synergy 2008 (VMblog)
Today at Citrix Synergy™, the event where virtualization, networking and application delivery meet, Citrix Systems, Inc. (NASDAQ:CTXS) and Microsoft Corp. (NASDAQ:MSFT) announced the immediate availability of Citrix Branch Repeater™, an innovative new line of branch office appliances developed and marketed as part of a strategic alliance between the two companies. By staging the delivery of applications and Windows services closer to branch office users, Citrix Branch Repeater helps make branch office computing faster and more cost-effective for companies of all sizes...
If you haven't had a chance to check out the Beta 1 version of the new Forefront Threat Management Gateway (TMG), then make a note for yourself to take some time and test it out in your lab. The Forefront TMG is the next version of the ISA Firewall, and the TMG should be released some time next year if everything goes OK during the development.
Taken from the article:
"...the key is that people seem to be willing to let Microsoft take a leading role in NAC (Network Access Control). So we really focused on that: what comes built-in with XP SP3 and Vista? And then how do you extend things if you don't like what's built-in? We definitely had other policy decision points besides MS NPS: Cisco, Avenda Systems, Juniper, and Radiator, plus FreeRADIUS sort-of. Even on the client side, there are interesting things. For example, you can add more system health agents/verifiers, or you can go for other supplicants, or you can do non-Windows or pre-XPSP3 operating systems, or you can worry about other devices, like cameras and VoIP phones and printers. What we ended up with was about a dozen demonstrations, all showing what you need for a complete NAC solution. And it really focused on 'let's start with Microsoft and work out from there.'"
I'm really looking forward to more and more 3rd parties writing their own Security Health Agents and Security Health Validators to extend the default configuration and capability of NAP, especially with non-PCs, like mobile devices, cameras and printers. I blogged about the Forefront team doing just that, in this video, where they have written a Forefront Security Health Validator for NAP, to extend the functionality to a more granular level.
Posted on: Friday, May 02, 2008 6:11 PM
Subject: IAG now UAG
Last Tuesday Microsoft announced the new generation of IAG, now called UAG (Unified Access Gateway). For more information check the Forefront Team Blog site:
…or the UAG page:
Keep watching the evolution of this product; it is becoming ever more powerful, secure and flexible.
Feed: Forefront Team Blog
Posted on: Tuesday, April 29, 2008 5:04 PM
Author: David Burt
Subject: Microsoft announces its next-generation secure remote access solution, the Forefront Unified Access Gateway
LAS VEGAS, Nevada - April 29, 2008 - At the Interop conference today, Microsoft announced its next-generation secure remote access gateway product, Forefront Unified Access Gateway (UAG), available in the first half of 2009. Forefront Unified Access Gateway is the evolution of Microsoft's current solution, Intelligent Application Gateway (IAG 2007), and moves the successful product under the Forefront brand. UAG will bring new features and functionality to make remote access easier than ever for all users and IT professionals.
In addition to investing strongly in its next-generation solutions, Microsoft is continuing to provide increased customer value with the products in the market today by launching an updated SharePoint Optimizer, providing enhanced functionality and manageability for secure remote access to SharePoint by all mobile users.
Built on Windows Server 2008, UAG is designed to offer one solution to fit all remote access needs through centralized management and policy control across all users, devices, and network resources. More details about the features in Forefront UAG will be available with a public beta scheduled for later this calendar year. Microsoft will provide an easy product and licensing upgrade path from IAG 2007 or customers using ISA 2006 for remote access to Forefront UAG, and IAG customers that have or buy Microsoft Software Assurance can be confident of receiving strong value with Forefront UAG.
Forefront UAG will add further features to a comprehensive end point security assessment and cache cleanup, which is tailored to the specific application and access environment. Tightly integrated with Microsoft Network Access Protection, this ensures only secure devices and authenticated users can access network resources and that no data is compromised during or after the sessions.
Forefront UAG adds more ease of use with wizard-driven configuration, easy-to-use policies and a highly intuitive user experience. This solution ensures a fast and easy deployment, allowing employees, partners and vendors simple and secure access via customized and dynamic user portals. Ongoing management and control is simplified via updates to application and endpoint policies.
The IAG pioneered the concept of Application Intelligence, or the ability to control what resources are presented to the user and transparently enforce policies based on a deep understanding of how an application functions. Forefront UAG builds on the current competitive differentiation around application intelligence, with broad application support for Microsoft and third party applications, granular access controls, and customizable application protection through Application Optimizers.
Microsoft's latest Application Optimizer is an updated SharePoint Optimizer for the IAG 2007, providing enhanced functionality and performance for remote access to SharePoint by all mobile users. The updated IAG 2007 SharePoint Optimizer leverages SharePoint Alternate Access Mapping (AAM) to provide an easier, more secure and productive user experience when accessing SharePoint remotely.
With this new Optimizer, IAG provides more seamless access to the complete functionality of SharePoint, including Explorer View, Datasheet View, integrating InfoPath forms and access to multiple office documents from multiple server locations, without the overhead and security risks associated with tunneling and application rewriting.
Microsoft's IAG 2007 already provides the easiest to use and manage remote access to SharePoint today, as it is the only complete remote access solution to integrate its user experience into SharePoint, allowing organizations to keep a simple, one-portal, user experience for employees accessing applications internally or externally. The IAG 2007 SharePoint Optimizer will be available for download in May.