Improvements make the process easier
ISA Server 2006, the third edition of Microsoft's advanced firewall and proxy server, is due for release in the second half of 2006. New features in ISA Server 2006 include simplified branch office deployment, a new Microsoft Operations Manager (MOM) management pack, attack detection tools, worm flood protection, HTTP traffic compression, improved support for Background Intelligent Transfer Service (BITS), and new publishing tools and options. Although ISA Server 2006 promises to be an evolutionary, rather than revolutionary, version of the product, I find some of the revisions to be significant and worthy of investigation. In particular, if you've struggled to publish Exchange Web Client Access or Share-Point sites, or if Network Load Balancing (NLB) clusters mystify you, you'll find improvements in ISA Server 2006 much more admin-friendly. Let's focus here on the publishing tasks that debut in ISA Server 2006. We'll look at how to configure Web listeners and survey the options for publishing server farms, Exchange Web Client access, and SharePoint sites.
Configuring a Web Listener
Web listener is the name for technology that allows HTTP clients from outside an organization's network to connect to services hosted within the network. In general, an administrator configures a specific Web listener for each HTTP-based service (e.g., Exchange Web access, a Web site, a SharePoint site) that he or she wants to publish to external clients. Configuring Web listeners in ISA Server 2006 requires more effort than it does in ISA Server 2004, even though you configure-Web listeners from the Toolbox pane of the ISA Server Management console in both versions.
The first step, which is common to both ISA Server 2004 and 2006, is configuring a Web listener name. The second step is new to ISA Server 2006 and requires you to specify whether to publish services using only HTTPS or HTTP. If you choose to publish over HTTPS only, you must install a Secure Sockets Layer (SSL) certificate on the ISA Server 2006 computer before configuring the Web listener.
In the third step, you specify those ISA networks, with their IP addresses, that will be listening for incoming Web requests. The method for doing so is almost identical in ISA Server 2004 and 2006. On the SSL certificate management screen, you can choose to use a single certificate for the Web listener or individual certificates for each IP address you specified earlier. If you use multiple certificates, they must be installed before you begin this step.
Another new ISA Server 2006 addition to configuring Web listeners is the Authentication Settings page, which Figure 1 shows. The drop-down menu offers HTML Form Authentication, HTTP Authentication, SSL Client Certificate Authentication, or No Authentication. The validation options depend heavily on the authentication scheme you choose. For example, it's possible to collect user delegation credentials in a form, request an SSL certificate, and specify how ISA Server 2006 will validate credentials. Validation options are Active Directory (AD) Windows or LDAP, Remote Authentication Dial-In User Service (RADIUS), RADIUS One-Time Password (OTP), and RSA SecurID.
If you select HTML Form Authentication, the next screen lets you configure single sign-on (SSO) authentication. SSO allows single authentication for all sites that the ISA Server 2006 computer publisher configures for a particular Web listener. To configure SSO, you must enter the SSO domain name. If you don't choose HTML Form Authentication, SSO isn't an option.
In both ISA Server 2004 and 2006, the final screen summarizes the choices you've made. Clicking Finish enables use of the Web listener.
Load-Balancing Web Servers
ISA Server 2006 simplifies publishing load-balanced servers to such an extent that even the greenest Help desk technician can do it. The advantage over third-party appliances is that ISA Server 2006 makes it child's play to load-balance protected Web servers. Administrators need not implement NLB on the servers themselves, a task that isn't straightforward at the best of times. To take advantage of this new feature, you must use the Server Farm Definition Wizard to configure a new server farm. You can access the wizard by right-clicking the Server Farms object and selecting the New Server Farm option from the context menu. You can find the Server Farms object in the Network Object area under Web Listeners in the ISA Server Management console.
The first page of the wizard requires you to name the server farm. The second page lets you add the names or IP addresses of computers in the farm. Remember that ISA Server manages the load-balancing process: If you have existing NLB load-balanced Web servers, you need to publish the load-balanced cluster as a typical server.
The subsequent dialog lets you configure server monitoring. Rather than configuring network load-balancing heartbeats, ISA Server 2006 determines whether a server in the cluster is no longer responding either by sending an HTTP/HTTPS "GET" request, a Ping request, or a TCP connection to a specified port. Although these methods determine whether a server is responding or not, they don't check the server's current load, a feature of the more-complicated-to-configure NLB.
After you've configured the server farm, you need to publish the Web sites. To do so, select Publish Web Sites from the Tasks pane in the ISA Server Management console. The wizard that initiates is similar to the wizard in ISA Server 2004â€”until you encounter the Publishing Type page, which Figure 2 shows. You need to specify to ISA Server whether to publish a single Web site or external load balancer (such as NLB), a server farm of load-balanced Web servers, or multiple individual Web sites.
On the Internal Publishing Details page, you specify the internal site name, whether ISA Server will use SSL to connect to this site (and encrypt the traffic over the demilitarized zoneâ€”DMZ), and whether the original host header will be forwarded to the site. This page also lets you specify a particular folder on the target Web server. Clicking Next calls a dropdown menu from which you can either select the Web listener for the server farm you want to publish or initiate the process of configuring a Web listener for a new server farm if you didn't follow the steps I mentioned earlier. When you select a server farm Web listener, you can configure how ISA Server will load-balance the incoming requests on the Specify Server Farm page, which Figure 3 shows. If you select Cookie-based Load Balancing, clients are issued a cookie that informs ISA Server 2006 which of the servers within the server farm should continue to handle a particular client's session. Source IP-based load balancing attempts to maintain session consistency according to client IP address.
The Public Name Details page will be familiar if you've published Web servers with ISA Server 2004. On this page, you specify the Fully Qualified Domain Name (FQDN) or IP address that external users will use to access the published site. On the subsequent page, you need to specify a Web listener. On the third page, you can select an authentication delegation method. The available methods are
- No delegationâ€”allow end-to-end authentication
- No delegationâ€”don't allow end-to-end authentication
- Basic authentication
- NTLM authentication
- Negotiate (Kerberos/NT LAN Managerâ€”NTLM)
- Kerberos constrained delegation
This list varies according to the authentication methods you configured with the Web listener. If you select Kerberos constrained delegation or Negotiate, you'll need to enter the Service Principle Name (SPN), which ISA Server uses for Kerberos authentication. On the subsequent page, you configure the user sets that can access the published server.
Although most experienced administrators shouldn't find configuring load balancing on Web servers to be a particularly onerous task, the load-balancing options in ISA Server 2006 make setting up a server farm even easier. The drawback to using ISA Server rather than NLB is that load balancing in ISA Server doesn't monitor actual server load but allocates client requests in a round-robin fashion.
Publishing Exchange Web Client Access
Administrators who have configured a third-party firewall and proxy appliance to mediate access between external users and internal Outlook Web Access servers know that the task is far from simple. Many administrators find the process complicated even with ISA Server 2004. ISA Server 2006 makes publishing Outlook Web Access servers to clients on the Internet significantly simpler. Publish Exchange Web Client Access is now a separate section of the Firewall Policy Tasks list in the ISA Server 2006 Management console.
Prior to starting the publishing process, you need to configure a Web listener. Then, click on Publish Exchange Web Client Access in the Firewall Policy Tasks list to initiate the New Exchange Publishing Rule Wizard. Enter a name for the rule and click Next. The Select Services screen, which Figure 4 shows, lets you select which Web client mail services you will publish via ISA Server 2006. You can also select among Exchange Server 5.5, Exchange 2000, Exchange 2003, and Exchange 2007. The Web client mail services vary with each version of Exchange (e.g., Exchange 2007 doesn't support Outlook Mobile Access). If you've configured the Web listener to use forms-based authentication, you won't be able to provide Exchange ActiveSync.
The next page in the wizard queries whether you want to publish a single Web site/external load balancer or whether you want to have ISA Server 2006 load-balance Web servers. After making your choice, you specify the internal site name. You can also configure SSL for the connection to the Exchange site. If you specify SSL, you must have the appropriate certificates installed.
After clicking Next, you encounter the Public Name Details page, which requires you to designate whether requests will be handled for a specific FQDN or IP address, or for any FQDN. Most situations require only a single mail server name.
On the subsequent page, you specify the Web listener. When you do so, you'll receive a warning if you might encounter conflicts between your Web listener and the Exchange Web Client Access configuration. As I mentioned, if your Web listener uses forms-based authentication with SSO, you won't be able to use Exchange ActiveSync. Clicking Next brings up the Authentication Delegation screen. This screen is identical to the one discussed in the Load Balancing Web Servers section, as is the All Authenticated Users screen. The primary benefit to publishing Exchange Web Client access in ISA Server 2006 is that all of the finicky configuration settings that were required to get things working in ISA Server 2004 are hidden from the administrator and dealt with automatically in ISA Server 2006.
Publishing SharePoint Sites
Given the proliferation of Microsoft SharePoint and the necessity of providing remote clients access to Share-Point sites, it isn't a surprise that a Publish SharePoint Sites task has been added to the ISA Server 2006 Tasks pane. To publish a SharePoint site, first configure a Web listener. Then start the SharePoint Publishing Rule Wizard from the Tasks pane by clicking Publish SharePoint Sites. Enter a name for the site and click Next. Select Publish a single website or an external loadbalancer and click Next. Provide an internal site name and determine whether you want the communication between the ISA Server 2006 computer and the SharePoint server to be encrypted via SSL. On the next page, select the FQDN or IP address from which external requests will be routed to the internal server. Next, select the Web listener you created for the SharePoint site. Remember when requesting SSL certificates for different listeners that the certificate names must match the public name. If you requested an SSL certificate for mail.contoso.com, don't use the same certificate for sharepoint.contoso.com or you'll receive an error message informing you of the mismatch. After you've specified the Web listener, you select an authentication method. In the next-to-last screen, select which users can access the published service, click Next, check the summary, and click Finish.
Although the SharePoint Publishing Rule Wizard doesn't contain much that is new as compared with the ISA Server 2004 Web publishing wizard, it is the internals that matter. A check of forum posts indicates that many ISA Server 2004 administrators find configuring the proper authentication and publishing of SharePoint sites to be a somewhat arcane procedure. The primary difference between publishing a typical Web site and a SharePoint site is SharePoint's functionality. SharePoint is far more interactive than a typical Web site, and configuring all the necessary protocols to support SharePoint requires significantly more work. If you're interested in a comparison, you can read about the process of publishing Windows Share-Point Services by using ISA Server 2004 at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/isawss.mspx. Reducing several involved pages of specific instructions to a simple wizard is a compelling argument for waiting for ISA Server 2006 if you want to publish SharePoint sites.
Stay or Upgrade?
If you have significant expertise in using ISA Server 2004 Service Pack 4 (SP4) to publish Exchange Web clients and SharePoint sites, and if you find load-balancing Web sites a breeze, you're unlikely to find the case for moving to ISA Server 2006 compelling. Although there are new features in ISA Server 2006, these features seem more appropriate to a service pack than to a new release (in fact, the improvements to BITS and HTTP compression are found in ISA Server 2004 SP2). Worm flood control and easier branch office deployment are cool features, but they might not be enough to push experienced ISA administrators toward an upgrade. As I mentioned, ISA Server 2006 appears more to be an evolution of the product rather than something revolutionary and different. But because one of the core advantages of ISA Server over competing solutions is its ease of administration, the simplification of administrative tasks can strengthen the argument for choosing ISA Server 2006.