ISA 2006 and Intelligent Application Gateway 2007

Hello all,

I have recently downloaded the 180 day trial of ISA 2006. It's cool, and serves its purpose, however, I'm looking for a different solution, and I believe IAG 2007 can help.

I want to create an SSL-VPN connection. What I mean by this is that ALL traffic between the endpoint client PC and the Terminal Server endpoint ONLY communicated over TCP port 443.

Can IAG 2007 do this? A similar product is available from SonicWALL called SSL-VPN, however, this is a hardware device. It operates on ONLY port 443. You can check it out here: https://sslvpn.demo.sonicwall.com

PS: Is there a trial for Intelligent Application Gateway 2007 available?

Thanks!

Find more posts tagged with

Comments

dynamik

Doesn't Server 2008 do SSL VPNs?

You can also look at Open VPN.

_maurice

You are correct sir. I now see that windows server 2008 supports SSDP, which uses port 443 for its vpn tunnels. cool!

royal

It's SSTP - Secure Sockets Tunneling Protocol ---- not SSDP.

IAG is a pretty cool product. I was fortunate enough to be able to set one up for both SSL VPN, RDP, and using multi-factor authentication. Too bad this was 1.5 years ago and I forgot how to configure it. :P

Also, IAG is integrated into the new ISA edition called Forefront Threat Management Gateway. If you want the current IAG that's out, you need to get an appliance such as Network Engines. Since IAG requires ISA, these devices will have ISA installed that is only allowed to be used to support IAG.

Since Server 2008 is out, and supports SSTP, if all you're looking for is SSL VPN functionality, I would go with Server 2008 depending on the costs. Network Engines might provide you with a cheaper solution if you plan on sticking with Server 2003 for a while. If you plan on going with Server 2008 soon, get a Server 2008 box and use SSTP which will help you get started in your process to moving to Server 2008.

With IAG, you have a portal web interface that can be different depending on what user authentication (supports multiple layers of authentication). When the user authentications and gets to the interface, you can have that user launch an application, an RDP session to a specific server or any server you specify, and even an SSL VPN. IAG will automatically modify the ISA rules on its own when you configure IAG.

_maurice

Does IAG 2007 have a trial available? I couldn't find one.

Hey royal, can you log into https://sslvpn.demo.sonicwall.com with a username of demo and a password of password. There is a link on there for Terminal Services. It opens an RDP client window and all traffic goes over port 443.

I do SonicWALL support at work, and want to know if SonicWALL's SSL-VPN appliance is comparable to Microsoft's IAG 2007 software.

Thanks!

royal

Like I said, IAG is currently only on an appliance such as Network Engines. The current beta of Forefront Threat Management Gateway is available for beta testing.

I logged in and it looks pretty similar.

I have contact info for one of the Sales Managers at Network Engines. I'll shoot him an e-mail and see if there's an online demo for their IAG appliances.

Edit: Dang, NDR. Looks like he's no longer there. I would go ahead and try contacting them or another vendor:

Vendors:
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx

Network Engines IAG:
http://www.nei.com/default.asp?LINKNAME=IAG

Deviouz

Network Engines is not the only company offering an IAG appliance.

www.nappliance.com

www.celestix.com

royal

Deviouz wrote:

Network Engines is not the only company offering an IAG appliance.

www.nappliance.com

www.celestix.com

Hence why I posted the following:

royal wrote:

Vendors:
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx

Deviouz

My fault, read through too quickly.

Looking at the hardware, Nappliance looks pretty beefy.

http://www.nappliance.com/pdfs/Compare/NetGateway_mIAG_Compare_Product_Datasheet_ver4.pdf

_maurice

royal, I really appreciate your quick response. thank you.

On a side note, other than for security reasons, why wouldn't Microsoft allow IAG 2007 to be installed on a full featured Windows OS?

thanks!

royal

_maurice wrote:

royal, I really appreciate your quick response. thank you.

On a side note, other than for security reasons, why wouldn't Microsoft allow IAG 2007 to be installed on a full featured Windows OS?

thanks!

No problem.

They will, with Forefront Threat Management Gateway which is ISA and IAG integrated where it will be installable on your own server hardware.

royal

Deviouz wrote:

My fault, read through too quickly.

Looking at the hardware, Nappliance looks pretty beefy.

http://www.nappliance.com/pdfs/Compare/NetGateway_mIAG_Compare_Product_Datasheet_ver4.pdf

Those do indeed look pretty good. I wonder if you can load balance them to allow more concurrent connections. I would assume so but really seems unrealistic as you can allow 15,000 concurrent light users and 3,000 heavy users. How many users would a company have VPN'ing in at the same time.

royal

I know it's been a while, but I just picked the following book which talks about ISA 2006, Forefront Security for Exchange, and IAG.
http://www.amazon.com/Integrating-Server-2006-Microsoft-Exchange/dp/1597492752/ref=pd_bbs_sr_3?ie=UTF8&s=books&qid=1218917555&sr=8-3

HeroPsycho

How good is the book?

royal

It seems decent. Taking a quick look at it, it seems like there's a couple chapters on ISA and then it's just a normal Exchange 2007 book. Because of that, I'll probably put it on hold and just read through the ISA/IAG/Forefront section and then use the rest as reference or when I need to reference a topic for work.

royal

Just went through some more the book. It is a really good book. It talks more form a real-world perspective. It shows how to properly set up NLB (Unicast vs Multicast) and shows diagrams on how to optimize incoming traffic vs outgoing traffic, takes a secure approach, etc.. For example, when you're doing OA, if you want to use NTLM through ISA, you have to set the listener for the client to authenticate directly. Well, this is not a secure approach and it explains that you can use kerberos constrained delegation and talks about how the SPNs should be set up, etc...

So in short, the book is all about Security, Scalability, High Availability, Load Balancing, and Redundancy.

I definitely recommend this book.

HeroPsycho

Hmm... I'd buy and read it, but I'm not being tasked right now with a lot of Exchange 2007/ISA work unfortunately. I'll keep it in mind, though. I'm actually thinking about doing a deep dive into PowerShell. It's about time I learn how to do some scripting.

royal

What are you up to these days then?

HeroPsycho

Continued in PM...

dynamik

Fine. I didn't want to know anyway

HeroPsycho

LOL, fine...

Currently, I'm doing some VMware VI3 and Enterprise Vault deployments mostly.

dynamik

Whoa, big secret. I can see why you wanted to keep that private.

Sorry, I didn't mean to pry

HeroPsycho

It was just derailing this thread from the intended subject.