ISA 2006 and Intelligent Application Gateway 2007
_maurice
Member Posts: 142
Hello all,
I have recently downloaded the 180 day trial of ISA 2006. It's cool, and serves its purpose, however, I'm looking for a different solution, and I believe IAG 2007 can help.
I want to create an SSL-VPN connection. What I mean by this is that ALL traffic between the endpoint client PC and the Terminal Server endpoint is communicated ONLY over TCP port 443.
Can IAG 2007 do this? A similar product is available from SonicWALL called SSL-VPN, however, this is a hardware device. It operates on ONLY port 443. You can check it out here: https://sslvpn.demo.sonicwall.com
PS: Is there a trial for Intelligent Application Gateway 2007 available?
Thanks!
Comments
-
_maurice Member Posts: 142
You are correct sir. I now see that Windows Server 2008 supports SSDP, which uses port 443 for its VPN tunnels. Cool!
-
royal Member Posts: 3,352
It's SSTP - Secure Sockets Tunneling Protocol - not SSDP.
IAG is a pretty cool product. I was fortunate enough to be able to set one up for both SSL VPN, RDP, and using multi-factor authentication. Too bad this was 1.5 years ago and I forgot how to configure it. :P
Also, IAG is integrated into the new ISA edition called Forefront Threat Management Gateway. If you want the current IAG that's out, you need to get an appliance such as Network Engines. Since IAG requires ISA, these devices will have ISA installed that is only allowed to be used to support IAG.
Since Server 2008 is out, and supports SSTP, if all you're looking for is SSL VPN functionality, I would go with Server 2008 depending on the costs. Network Engines might provide you with a cheaper solution if you plan on sticking with Server 2003 for a while. If you plan on going with Server 2008 soon, get a Server 2008 box and use SSTP, which will help you get started in your process of moving to Server 2008.
With IAG, you have a portal web interface that can be different depending on what user authentication (supports multiple layers of authentication). When the user authenticates and gets to the interface, you can have that user launch an application, an RDP session to a specific server or any server you specify, and even an SSL VPN. IAG will automatically modify the ISA rules on its own when you configure IAG.
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
_maurice Member Posts: 142
Does IAG 2007 have a trial available? I couldn't find one.
Hey royal, can you log into https://sslvpn.demo.sonicwall.com with a username of demo and a password of password? There is a link on there for Terminal Services. It opens an RDP client window and all traffic goes over port 443.
I do SonicWALL support at work, and want to know if SonicWALL's SSL-VPN appliance is comparable to Microsoft's IAG 2007 software.
Thanks!
-
royal Member Posts: 3,352
Like I said, IAG is currently only on an appliance such as Network Engines. The current beta of Forefront Threat Management Gateway is available for beta testing.
I logged in and it looks pretty similar.
I have contact info for one of the Sales Managers at Network Engines. I'll shoot him an e-mail and see if there's an online demo for their IAG appliances.
Edit: Dang, NDR. Looks like he's no longer there. I would go ahead and try contacting them or another vendor:
Vendors:
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
Network Engines IAG:
http://www.nei.com/default.asp?LINKNAME=IAG
-
Deviouz Member Posts: 2
Network Engines is not the only company offering an IAG appliance.
www.nappliance.com
www.celestix.com
-
royal Member Posts: 3,352
Deviouz wrote:
Network Engines is not the only company offering an IAG appliance.
www.nappliance.com
www.celestix.com
Hence why I posted the following:
royal wrote:
-
Deviouz Member Posts: 2
My fault, read through too quickly.
Looking at the hardware, Nappliance looks pretty beefy.
http://www.nappliance.com/pdfs/Compare/NetGateway_mIAG_Compare_Product_Datasheet_ver4.pdf
-
_maurice Member Posts: 142
royal, I really appreciate your quick response. Thank you.
On a side note, other than for security reasons, why wouldn't Microsoft allow IAG 2007 to be installed on a full featured Windows OS?
Thanks!
-
royal Member Posts: 3,352
_maurice wrote:
royal, I really appreciate your quick response. thank you.
On a side note, other than for security reasons, why wouldn't Microsoft allow IAG 2007 to be installed on a full featured Windows OS?
thanks!
No problem.
They will, with Forefront Threat Management Gateway which is ISA and IAG integrated where it will be installable on your own server hardware.
-
royal Member Posts: 3,352
Deviouz wrote:
My fault, read through too quickly.
Looking at the hardware, Nappliance looks pretty beefy.
http://www.nappliance.com/pdfs/Compare/NetGateway_mIAG_Compare_Product_Datasheet_ver4.pdf
Those do indeed look pretty good. I wonder if you can load balance them to allow more concurrent connections. I would assume so but it really seems unrealistic as you can allow 15,000 concurrent light users and 3,000 heavy users. How many users would a company have VPN'ing in at the same time?
-
royal Member Posts: 3,352
I know it's been a while, but I just picked the following book which talks about ISA 2006, Forefront Security for Exchange, and IAG.
http://www.amazon.com/Integrating-Server-2006-Microsoft-Exchange/dp/1597492752/ref=pd_bbs_sr_3?ie=UTF8&s=books&qid=1218917555&sr=8-3
-
royal Member Posts: 3,352
It seems decent. Taking a quick look at it, it seems like there's a couple chapters on ISA and then it's just a normal Exchange 2007 book. Because of that, I'll probably put it on hold and just read through the ISA/IAG/Forefront section and then use the rest as reference or when I need to reference a topic for work.
-
royal Member Posts: 3,352
Just went through some more of the book. It is a really good book. It talks more from a real-world perspective. It shows how to properly set up NLB (Unicast vs Multicast) and shows diagrams on how to optimize incoming traffic vs outgoing traffic, takes a secure approach, etc. For example, when you're doing OA, if you want to use NTLM through ISA, you have to set the listener for the client to authenticate directly. Well, this is not a secure approach and it explains that you can use Kerberos constrained delegation and talks about how the SPNs should be set up, etc.
So in short, the book is all about Security, Scalability, High Availability, Load Balancing, and Redundancy.
I definitely recommend this book.
-
HeroPsycho Inactive Imported Users Posts: 1,940
Hmm... I'd buy and read it, but I'm not being tasked right now with a lot of Exchange 2007/ISA work unfortunately. I'll keep it in mind, though. I'm actually thinking about doing a deep dive into PowerShell. It's about time I learn how to do some scripting.
Good luck to all!
-
royal Member Posts: 3,352
What are you up to these days then?
-
HeroPsycho Inactive Imported Users Posts: 1,940
LOL, fine...
Currently, I'm doing some VMware VI3 and Enterprise Vault deployments mostly.
-
dynamik Banned Posts: 12,312
Whoa, big secret. I can see why you wanted to keep that private.
Sorry, I didn't mean to pry
-
HeroPsycho Inactive Imported Users Posts: 1,940
It was just derailing this thread from the intended subject.