4/16/2017 11:19 AM Microsoft Internet Security and Acceleration (ISA) Server 2004 Powerful Protection for Microsoft Applications © 2003-2004 Microsoft.


1 Microsoft Internet Security and Acceleration (ISA) Server 2004
Powerful Protection for Microsoft Applications
© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2 Learning Objectives
Protecting Microsoft Applications with ISA Server 2004
This training will show the solutions, advantages, benefits, competitive landscape, and selling opportunities for Microsoft® ISA Server 2004, as well as provide customer-ready resources.
Key Point: This training is designed to help partners learn about ISA Server 2004 and how to sell it to their customers. The information in this training is supplemented by other documents in the ISA Server 2004 Partner Guide.

3 Agenda
- ISA Server 2004 Overview: Advanced Protection, Ease of Use, Fast Secure Access (Slides 4–43)
- Protecting Microsoft Applications: Technical Details (Slides 44–94)
- Selling Strategies and Partner Offerings (Slides 95–124)
- Introduction to Hands-on Labs (Slides )

4 1. ISA Server 2004 Overview
Advanced Protection, Ease of Use, Fast Secure Access

5 The State of Network Security
Industry
- 14 billion devices on the Internet by 2010 [1]
- 35 million remote users by 2005 [2]
- 65% increase in dynamic Web sites [3]
Security
- 90% detected security breaches [4]
- 95% of all breaches avoidable with an alternative configuration [5]
- Approximately 70% of all Web attacks occur at the application layer [6]
Key Point: Network security is an area of concern for most organizations today.
Many security breaches are due to configuration mistakes. You will learn how ISA Server 2004 makes firewall administration easy to help organizations avoid such mistakes. You will also learn how ISA Server 2004 can help protect networks against application layer attacks, which make up the majority of network attacks today.
[1] Source: Forrester Research
[2] Source: Information Week, November 26, 2001
[3] Source: Netcraft summary
[4] Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002
[5] Source: CERT,
[6] Source: Gartner

6 The Role of Firewalls
- Firewalls block attacks before they reach their target
- Firewalls can protect multiple systems
- Firewall protection can buy time before all protected servers are secured
- Firewalls can help protect client computers that are not properly protected
- Firewalls can act as a central access point
- Combined firewall and VPN gateway
- Firewalls provide centralized logging of network access
- Crucial component of defense-in-depth
Key Point: Firewalls play an important role in network security.
Firewalls provide security to networks in a number of ways. Primarily, they block attacks before they reach their intended targets, such as Web servers. Because they can protect multiple computer systems at the same time, they can be configured to block newly emerging attacks more quickly than protecting each of the computer systems that they protect. When a firewall has VPN capabilities, it can act as a central point to control all access to corporate networks, including centralized logging. This simplifies administration of Internet connectivity. When used in conjunction with other methods of network protection, firewalls can provide defense in depth, a concept that is recommended by most network security professionals.

7 Limitations of Traditional Firewalls
- Wide open to advanced attacks
  - Application-layer attacks: Code-Red, Nimda.
  - Encryption to bypass detection: SSL.
- Hard to manage
  - Security is complex.
  - IT already overloaded.
- Performance vs. security tradeoff
  - Bandwidth is limited and expensive.
  - Traffic inspection reduces performance.
- Limited capacity for growth
  - Growth requires new hardware; old hardware can’t be repurposed.
  - Growth requires purchase of new license.
Key Point: Traditional firewalls typically have limitations that restrict how companies can use them as part of their network security strategy.
Traditional firewalls don’t effectively protect networks against application-layer attacks and attacks that are designed to bypass firewall inspection. Because many firewalls are hard to manage, firewalls are often configured in an insecure manner. Using traditional firewalls to increase security often leads to a reduction in network performance, decreasing user productivity, and firewalls that are not designed from the ground up for advanced traffic inspection cause a drop in performance when performing in-depth inspection of network traffic. Finally, traditional firewalls are not built for growth. Adapting a firewall to a growing business can be very expensive.

8 What Is ISA Server 2004?
Microsoft ISA Server 2004 is Microsoft’s flagship security product and a cornerstone of the company’s Trustworthy Computing initiative.
ISA Server 2004 is an application-layer firewall, VPN, and Web-cache solution that provides advanced protection, fast and secure Web access, and is very easy to use.
ISA Server 2004 can provide security as a perimeter firewall at the Internet edge, can be used to protect Microsoft applications such as Microsoft Exchange and other servers on the internal network, as well as be configured as a Web-caching server to ensure fast, secure Web access—all in one package.
Key Point: ISA Server is a crucial element in securing a Microsoft network.

9 ISA Server 2004 Top Benefits
CUSTOMER PAIN: Threats to corporate assets create financial and legal risks
VALUE PROVIDED BY ISA SERVER 2004: Advanced Protection. Application-layer security designed to protect Microsoft applications

CUSTOMER PAIN: Securing the network is time consuming and expensive
VALUE PROVIDED BY ISA SERVER 2004: Ease of Use. Efficiently deploy, manage, and use ISA Server 2004

CUSTOMER PAIN: Securing networks impacts performance and productivity
VALUE PROVIDED BY ISA SERVER 2004: Fast, Secure Access. Empowers you to connect users to relevant information on your network in a cost-efficient manner

Key Point: ISA Server 2004 is an ideal solution for common customer pains.
Advanced protection, ease of use, and fast secure access are the pillars that make ISA Server 2004 a crucial element of network security. The next slides will show how ISA Server 2004 accomplishes all of these goals.

10 Advanced Protection Limits of Traditional Firewalls (1)
- Traditional firewalls only examine headers
  - Packet filtering, stateful inspection
- Most of today’s attacks are directed against applications
  - Web servers (Code Red, Nimda)
  - Web browsers (malicious Java applets)
  - Mail clients (worms, Trojan horse attacks)
[Figure: packet layout. Header: IP source address and destination address; TCP source port 1121 and destination port 80. Payload: HTTP GET /]
Key Point: Traditional firewalls don’t inspect all components of network packets.
A packet’s header contains information about the IP address the packet originates from and the IP address that it is sent to. A header also contains a source port and a destination port for TCP and UDP packets. The packet header is used to deliver the packet to the intended computer and the intended application on the computer. The payload is what the intended application (Web browser, mail server, etc.) receives.
Traditional firewalls only examine packet headers. Packet filtering can control the forwarding of packets based on information in the header. Stateful inspection can examine each packet in the context of a session. For example, it can protect against attacks that attempt to hijack a TCP connection.

11 Advanced Protection Limits of Traditional Firewalls (2)
- Applications encapsulate traffic in HTTP traffic
  - Examples: Peer-to-peer, instant messaging
- Encrypted traffic can’t be inspected by traditional firewalls
- Dynamic port assignments require too many incoming ports to be opened
  - Examples: FTP, RPC
- Packet filtering and stateful inspection are not enough to protect against today’s attacks!
Key Point: Traditional firewalls don’t inspect network traffic that is designed to bypass firewall security or that requires dynamic port assignments.
Packet filtering and stateful inspection are commonplace features in most firewalls and hackers have found ways to bypass them. They are not effective against most of today’s attacks.
HTTP has become the “universal transport protocol,” allowing users to bypass traditional firewall restrictions. Most traditional firewalls allow traffic that is directed to port 80 to pass through, and many applications are now using this port to bypass restrictions on other transport protocols.
Firewalls also don’t allow for the inspection of encrypted traffic, such as SSL traffic. This allows attacks on Web servers to bypass firewall inspection.
Applications that use dynamic ports require administrators of traditional firewalls to open a large number of ports. This makes it impractical to use these applications through a firewall.

12 Advanced Protection Application-Layer Filtering with ISA Server 2004
- Application-layer filtering in ISA Server 2004 examines the payload
- ISA Server 2004 blocks traffic that uses allowed ports but contains disallowed data
  - Example: Traffic to a Web server that contains a Web server attack
- ISA Server 2004 allows you to use complex protocols across a firewall
“To provide edge security in this application-centric world…application-level firewalls will be required….” —John Pescatore, Gartner
Key Point: ISA Server 2004 provides application-layer filtering to overcome the limitations of traditional firewalls.
Application-layer inspection occurs after header inspection. Inspection of the payload requires the firewall to have information about a given application-layer protocol. For example, HTTP inspection requires information about HTTP syntax. Also, because application-layer requests or responses may span multiple IP packets, the firewall may have to assemble multiple packets and inspect them together.
Also, application-layer filtering can make it practical to use complex protocols, such as RPC, across a firewall. Application-layer filtering can monitor the secondary port setup between a client and a server and then allow the appropriate traffic.
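The notes above say that payload inspection needs knowledge of HTTP syntax and may require assembling several packets first. The following Python sketch is an added example, not part of the presentation and not ISA Server code: it runs a header-only rule and an application-layer check over the same constructed segments. The policy values, addresses and function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Hypothetical policy for this example; these are not ISA Server's settings.
ALLOWED_PORTS = {80}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LENGTH = 64
BLOCKED_URL_SUBSTRINGS = ("..", "%00")


@dataclass(frozen=True)
class Segment:
    src_ip: str
    dst_ip: str
    dst_port: int
    seq: int        # byte offset of this payload within the stream
    payload: bytes


def header_filter(seg):
    """Traditional packet filter: the decision uses header fields only."""
    return seg.dst_port in ALLOWED_PORTS


def reassemble(segments):
    """Join payloads in offset order; return None if bytes are missing."""
    stream = b""
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > len(stream):
            return None                      # gap: nothing to inspect yet
        overlap = len(stream) - seg.seq      # retransmitted bytes to skip
        stream += seg.payload[overlap:]
    return stream


def inspect_http_request(stream):
    """Return (allowed, reason) for one reassembled HTTP request."""
    head, sep, _ = stream.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete request headers"
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, url, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported HTTP version"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(url) > MAX_URL_LENGTH:
        return False, "URL too long"
    for needle in BLOCKED_URL_SUBSTRINGS:
        if needle in url:
            return False, f"URL contains blocked sequence {needle!r}"
    return True, "ok"


def application_filter(segments):
    """Header rule first, then payload inspection of the whole request."""
    if not all(header_filter(s) for s in segments):
        return False, "blocked by header rule"
    stream = reassemble(segments)
    if stream is None:
        return False, "stream has gaps"
    return inspect_http_request(stream)


def _seg(seq, payload, port=80):
    # Constructed sample traffic using documentation address ranges.
    return Segment("198.51.100.7", "192.0.2.10", port, seq, payload)


BENIGN = [_seg(0, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")]

# One request delivered out of order in two segments. Neither payload
# contains the blocked sequence on its own; the reassembled URL does.
_FIRST = b"GET /docs/."
SPLIT = [
    _seg(len(_FIRST), b"./private.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    _seg(0, _FIRST),
]

if __name__ == "__main__":
    for name, segs in (("benign", BENIGN), ("split", SPLIT)):
        print(name, "header-only:", all(header_filter(s) for s in segs),
              "application-layer:", application_filter(segs))
```

Both sample requests pass the header-only rule because they target port 80; only the check on the reassembled request rejects the second one.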

13 Advanced Protection ISA Server 2004: Proxy Architecture
- Internet traffic never routed to the internal network
- ISA Server 2004 establishes separate connections to client and to server
- Proxy architecture protects against network layer attacks
- Built from the ground up for application layer filtering
- Great performance!
- Extensible architecture for plug-ins
- ISA Server 2004 also performs packet filtering and stateful inspection.
Key Point: ISA Server 2004 provides excellent application-layer security by using a proxy architecture.
ISA Server 2004 performs packet filtering and stateful inspection, as well as application-layer filtering. This is imperative for network security today. Because ISA Server 2004 was built from the ground up to provide application layer filtering, it has the potential to detect and inspect traffic regardless of port. Its advanced proxy architecture ensures that Internet traffic is never routed to the internal network.
ISA Server 2004’s extensible architecture for plug-ins ensures that you can add additional application-layer intelligence to ISA Server. A large number of partners (30) provide add-on products for sophisticated application-layer filtering that enhances ISA Server 2004’s built-in capabilities. These partner offerings are covered in more detail later in this presentation.
ISA Server 2004 was built from the ground up to perform application-layer filtering and does this very efficiently. ISA Server 2004 performs most filtering in kernel mode, avoiding costly processor context switches. Because of this, ISA Server 2004 is the best firewall for a Microsoft network.

14 Advanced Protection Web Publishing with Traditional Firewalls
- Traditional firewalls only evaluate incoming traffic based on IP address and port
- All Web traffic is sent to Web server, exposing it to all Web-based attacks
[Diagram labels: Web Server, Incoming Traffic, Internet]
Key Point: Web publishing with traditional firewalls does not provide application-layer inspection.
Traditional firewalls only evaluate IP addresses and port numbers. This means that they can block network traffic that is not intended for the published Web server and forward network traffic that is intended for it. Traditional firewalls can’t perform any inspection of the traffic that they do forward to ensure that it only contains allowed Web requests and responses. This means that published Web servers are vulnerable to all Web-based attacks. Any protection against such attacks must occur on the Web server itself.

15 Advanced Protection Secure Web Publishing with ISA Server 2004
- Inspection of Web requests and responses and protection of Microsoft Internet Information Services (IIS) from exploits
- Blocking of malformed URLs to stop Web-based attacks
- Optional inspection of incoming SSL traffic
[Diagram labels: Web Server, Incoming Traffic, Internet]
Key Point: ISA Server 2004 publishing can defend Web servers.
Secure publishing performs reverse proxy functions. With secure publishing you make some of your resources, such as Web servers, available to the Internet. Because of its application-layer filtering capabilities, ISA Server 2004 is well suited for this task. This slide highlights a few key scenarios where ISA Server 2004 can be used as an application gateway doing application-layer filtering.
With respect to IIS, ISA Server 2004 proxies HTTP requests, which allows it to inspect HTTP headers to detect commands that are designed to exploit the server or application. In addition, ISA Server can inspect the content of inbound SSL connections. Encrypted SSL traffic bypasses the inspection mechanism of traditional firewalls, but ISA Server can terminate the SSL connection, inspect the Web traffic, and optionally re-encrypt the traffic before sending it to the published Web server.

16 Advanced Protection Exchange Publishing with Traditional Firewalls
- Firewall only evaluates incoming traffic based on IP address and port
- All traffic for ports using mail protocols is sent to Exchange Server
- Exchange Server is exposed to all application-layer attacks
[Diagram labels: Exchange Server, Incoming Traffic, Internet]
Key Point: Servers running Microsoft Exchange can’t be sufficiently protected by using traditional firewalls.
Similar to Web publishing, traditional firewalls only provide limited protection for a Microsoft Exchange-based messaging infrastructure. Such firewalls make forwarding decisions based on IP addresses and port numbers, but they don’t examine the content of the messaging traffic. Exchange servers remain exposed to any application-layer attacks that use a mail protocol.

17 Advanced Protection Secure Exchange Publishing with ISA Server 2004
- ISA Server 2004 defends Exchange Server and enables secure client access
- Protection of all types of client access (Microsoft Outlook® Web Access [OWA], SMTP, POP, IMAP, RPC, RPC over HTTP)
- Increases OWA performance and enables application of firewall policy to OWA traffic
- Allows scanning of text and attachments
[Diagram labels: Exchange Server, Incoming Traffic, Internet]
Key Point: ISA Server 2004 publishing can defend mail servers running Microsoft Exchange.
Because of its application-layer filtering capabilities, ISA Server 2004 is well suited for publishing Exchange and has been designed specifically for this scenario. You can publish Outlook Web Access (OWA), even provide MAPI access from the Internet without jeopardizing the security of your production mail servers, and provide access to Exchange using the SMTP, POP and IMAP protocols, protecting your entire messaging environment. ISA Server provides full support for OWA and enhances OWA authentication. ISA Server can also scan text and attachments for malicious content.

18 Advanced Protection The Need to Provide Secure VPN Access
- Companies need to provide remote access
  - Branch offices
  - Business partners
  - Home offices and traveling users
- VPNs are a cost-effective way to leverage the Internet
  - No dial-up connections or leased lines required
  - VPNs use existing Internet connection
- VPNs create security concerns and increase administrative work
  - VPNs create new administration tasks
  - VPNs create new ways to access the corporate network
- ISA Server 2004 simplifies VPN administration and provides VPN security
Key Point: Providing remote connectivity presents unique challenges.
Companies need to provide remote access for branch offices, home offices, and traveling users. Virtual Private Networks are a cost-effective way to leverage the Internet: no dial-up connections or leased lines are required. VPNs create security concerns and increase administrative work. The next slides will show how ISA Server 2004 can help with these problems.

19 Advanced Protection How ISA Server 2004 Secures VPN Client Connections
- All communications over the Internet are encrypted
- Broad protocol support
  - PPTP and L2TP/IPSec
  - IPSec NAT traversal (NAT-T) for connectivity across any network (requires Microsoft Windows Server™ 2003)
- Authentication
  - Microsoft Active Directory® uses existing Microsoft Windows® accounts, supports PKI for two-factor authentication
  - RADIUS uses non-Windows-based accounts databases with standards-based integration
  - SecurID provides strong, two-factor authentication using tokens and RSA authentication servers
- Integration of VPN traffic into firewall policy
- Network access quarantine to ensure secure client configuration
Key Point: ISA Server secures client connections that use a VPN.
When clients connect to ISA Server 2004 by using a VPN, all network traffic across the Internet is encrypted. Broad protocol support ensures easy connectivity. When ISA Server 2004 is installed on Windows Server 2003, support for NAT-T ensures that clients can connect across a network infrastructure that includes Network Address Translation (NAT).
Customers can choose an authentication mechanism that matches their requirements. ISA Server 2004 seamlessly integrates with an existing Windows domain-based authentication infrastructure. Support for RADIUS and SecurID allows customers to connect to other authentication mechanisms and to use two-factor authentication.
Network traffic from VPN clients is controlled by ISA Server 2004’s firewall policy, allowing administrators to control network traffic by VPN clients. Quarantine features ensure that client computers meet corporate security requirements, such as having the latest virus signatures installed. Only client computers that meet these requirements are given full access to the corporate network.

20 Advanced Protection How ISA Server 2004 Connects Networks
- Broad protocol support
  - PPTP
  - L2TP/IPSec
  - IPSec tunnel mode for interoperability with existing VPN gateways: fully tested and supported
- Authentication and encryption
  - Uses Windows RRAS capabilities
  - Range of authentication methods: Active Directory, RADIUS, passwords, certificates
  - Configurable encryption methods help ensure confidentiality of communications
- Fine-grained control over traffic between networks
Key Point: ISA Server 2004 provides secure connectivity between networks.
ISA Server 2004 can provide secure connectivity to networks that are located at branch offices or partner networks. Broad protocol support ensures compatibility with existing VPN gateways. These gateways can be Windows-based, or they can be third-party gateways that use IPSec tunnel mode. Interoperability with leading third-party gateways has been tested and is fully supported. A range of authentication methods and encryption algorithms also ensures broad compatibility. Finally, because ISA Server 2004’s VPN features are fully integrated with the firewall policy, administrators can tightly control which type of network traffic is allowed between networks that are connected by a VPN.

21 Summary: Advanced Protection
- ISA Server 2004 was designed with most common customer scenarios in mind
- ISA Server 2004 protects networks while enabling connectivity
- ISA Server 2004 is optimized for application-layer filtering
- A broad range of partner offerings extends protection capabilities
- ISA Server 2004 is a crucial component in protecting Microsoft networks and applications
Key Point: ISA Server provides advanced protection for Microsoft networks and applications.

22 Ease of Use New, Easy-to-Use Administration Tools
- ISA Server 2004 Management Console completely redesigned from previous version
- All tools for each task in one place
- Easy to learn
- Ease of use can reduce risk of security breaches due to misconfiguration
- Local or remote administration
- Use the same tool to configure and monitor the firewall, cache, and VPN gateway
Key Point: ISA Server 2004 was designed to be easy to use.
A completely redesigned user interface and firewall policy model helps keep administration costs low and reduce training costs. The unified firewall policy allows administrators to view and administer all firewall rules in a single location. The administration tools were designed to be easy to understand and to make it easy to perform common firewall administration tasks. The screen shot shows the main administrative interface of ISA Server 2004 for configuring the firewall policy.

23 Ease of Use Overview
- Simplified administration tools
  - Reduces training costs
  - Helps prevent insecure configurations
- Unified firewall policy
  - Helps keep administration costs low
Key Point: ISA Server 2004 was designed to be easy to use.
A completely redesigned user interface and firewall policy model helps keep administration costs low and reduce training costs. Making administration easy and intuitive reduces the risk of misconfiguration. Studies have shown that the majority of network intrusions are due to protection mechanisms that are not configured correctly. The unified firewall policy allows administrators to view and administer all firewall rules in a single location. The administration tools were designed to be easy to understand and to make it easy to perform common firewall administration tasks. The screen shot shows the main administrative interface of ISA Server 2004 for configuring the firewall policy.

24 Ease of Use Task-based Administration
- Easy access to common tasks
- All tools for a task are accessible when needed
Key Point: Task-based administration makes it easy for administrators to complete firewall configuration tasks.
Task pads combine all tools for common tasks in one place, allowing administrators to configure rules and other settings quickly and efficiently. The screen shot shows the New Access Rule Wizard with all tools that are required to configure the rule in one place.

25 Ease of Use Monitoring
- Real-time monitoring for troubleshooting
- Variety of report formats summarizes Internet activity and performance
- Dashboard is starting point for monitoring
Key Point: ISA Server 2004 allows administrators to easily and efficiently monitor most aspects of the firewall and to create detailed reports.
Real-time reporting is crucial for troubleshooting and for detecting attacks against the network. ISA Server 2004’s dashboard allows administrators to see the most important performance indicators in a single place. Administrators can also see real-time firewall activity to aid in troubleshooting and to investigate suspected attacks. The screen shot shows the new dashboard that combines a number of important real-time indicators.

26 Ease of Use Reporting
- Broad range of reporting options
Key Point: ISA Server 2004 provides a broad range of reports that display the most important aspects of firewall activity.
Reporting is crucial for detecting trends in firewall activity and for planning. ISA Server 2004 allows administrators to configure many settings for such reports. ISA Server 2004 can generate reports at specified intervals and place them in a location on the corporate network where administrators and management can view them by using a Web browser. A variety of report formats allows you to view statistics that show how users access the Internet, give you performance numbers, or highlight attempted security violations. The screen shot shows a report that contains information about recent firewall activity.

27 Ease of Use Easy Deployment
- Multiple network support
  - Works with your existing network infrastructure
  - Leverages previous IT investments
- Broad client support
  - Supports any device that uses TCP/IP
  - Firewall Client adds features for Windows clients
- Low administrative overhead during initial deployment and network maintenance.
Key Point: ISA Server 2004 is easy to deploy.
ISA Server 2004’s support for any number of networks and relationship between networks ensures that it will fit into your current network infrastructure without requiring a redesign.
ISA Server 2004 supports most client computers. An ISA Server 2004 firewall can control network traffic to and from any computer or device that uses TCP/IP. In most cases no configuration of clients is required. Administrators can choose to install Firewall Client software on computers running Microsoft Windows to add user-based authentication for Internet access for non-Web requests. Authentication for Web requests is supported with most browsers.
ISA Server 2004’s simple network configuration ensures low administrative overhead both during the initial deployment and during network maintenance.

28 Ease of Use Adjusts to Network Changes
- Flexibility to support most network types
- Templates to simplify deployments
Key Point: ISA Server 2004 easily adjusts to a changing network infrastructure.
Today’s networks are not static; they constantly change. ISA Server 2004 can easily adapt to a changing network infrastructure. You don’t have to change your network to adjust to ISA Server.
ISA Server 2004 has the flexibility to support most network types. It also works with a wide range of client computers. You can control Internet connectivity for any computer or device that uses the TCP/IP suite of protocols, including computers running Windows, UNIX, or Macintosh.
ISA Server 2004 contains several pre-configured network templates that correspond to typical network configurations. Administrators can use these templates to quickly configure ISA Server 2004 to work with an existing network design or to configure ISA Server 2004 to work with a changed network design. The screen shot shows the network wizards.

29 Ease of Use Easy Scalability
Scale up: upgrade to faster hardware and repurpose existing server(s) without the need to purchase a different ISA Server 2004 license. Scale out: easily copy configuration settings with XML export; maintain existing rules and settings. Choice of options to grow with company needs.
Key Point: Easy scalability of ISA Server 2004 ensures that your firewall doesn’t become obsolete as your company grows. ISA Server 2004 can easily scale up as your network traffic grows. You can move your ISA Server 2004 installation to faster hardware and re-purpose the existing server hardware. This is in contrast to many traditional firewalls that require you to purchase a new firewall or incur additional license costs to adjust to growing firewall needs. You can also scale out ISA Server 2004 by copying configuration settings of one ISA Server 2004 computer to other computers. For example, you can export the configuration of ISA Server 2004 at one branch office to an Extensible Markup Language (XML) file and then import these configuration settings to computers running ISA Server 2004 at all other branch offices. ISA Server 2004 gives you a wide range of options to grow with the needs of your company.

30 Ease of Use Alerting
Alerts for large number of events. Flexible alerting options. New: Connectivity Verification.
Key Point: ISA Server 2004 can alert administrators of potential problems. ISA Server 2004 includes alerts for a large number of events. Administrators can be alerted of issues that may indicate a network problem, an intrusion attempt, or a security problem. Flexible alert options allow administrators to choose how they are alerted when such an event occurs. Because a loss of connectivity often needs immediate attention, administrators can configure connectivity verification settings to receive an alert when connectivity to the Internet or an internal network has been lost. Administrators can monitor whether ISA Server 2004 can communicate with a computer, or connect to a specific service on a computer. ISA Server 2004 can then issue an alert when connectivity has not been restored within a preconfigured time frame. The screen shot shows the Connectivity Verifier Wizard.

31 Ease of Use User-based Access Control
Prevalence of DHCP on internal networks makes IP-based access control obsolete. ISA Server 2004 supports the use of native Windows security credentials to build highly granular firewall access rules. RADIUS for universal integration with non-Windows user accounts and for authentication in perimeter networks. Credentials are passed transparently, eliminating need for additional tedious logon procedures at firewall.
Key Point: ISA Server 2004 transparently uses Windows 2000 security credentials to enforce access control. The prevalence of DHCP on internal networks makes IP-based access control obsolete. Effective control over users’ network activity requires that the firewall associates each outgoing network request with a user. ISA Server 2004 supports the use of native Windows security credentials to build highly granular firewall access rules. It also supports RADIUS-based authentication for use in a perimeter network, or for integration with non-Windows user account databases. Credentials are passed transparently, eliminating need for additional tedious logon procedures at the firewall.

32 Ease of Use Easy Extensibility
Adding functionality: easy customization by in-house developers; wide range of partner solutions. Partner solution categories: Application Filters; Caching and Distributions; Content Security; High Availability and Load Balancing; Intrusion Detection; Monitoring and Administration; Network Utilities; Reporting; SSL Acceleration and Key Management; Security Resellers; Security Solution Providers; URL Filtering; User Authentication.
Key Point: Extending the functionality of ISA Server 2004 is easy. ISA Server 2004 has a wide range of partners that provide additional functionality, such as advanced content filtering and intrusion detection. Partners include industry leaders in their respective categories. In addition, developers for companies with specialized needs can perform their own customization by using a simple yet powerful software development kit (SDK). Note: Explain to your audience some of the solution categories on the slide.

33 Ease of Use Extensible Open Platform
Most administrative tasks can be scripted: scripting automates tasks; scripting saves time and ensures consistency; SDK provides access to easy-to-use procedures for scripting. Custom Web and application filters: custom filters allow secondary inspection and manipulation of traffic; examples: advanced content inspection, advanced authorization, etc. Easy object model ensures quick results.
Key Point: Scripting and customizations allow in-house developers to build on ISA Server 2004’s feature set. The ISA administration object model gives developers a mechanism to extend ISA Server 2004’s functionality. Scripting allows you to use the ISA administration COM objects to access and control any ISA server within an organization. The administration objects allow for automation of everything done using the ISA Server 2004 administration tool. This capability allows administrators to create scripts to automate repetitive tasks requiring the use of the administration tool; these scripts can then be included in batch files. By programming with the same administration objects that ISA Server itself uses, developers can provide persistent and configurable data storage for their programs, and can have ISA Server 2004 notify programs when the configuration data has changed. To meet the specific security and performance needs of its customers, ISA Server 2004 includes a comprehensive SDK. The SDK includes a full application programming interface (API) and many sample filters. Developers can use the SDK to write Web and application filters for ISA Server 2004 to monitor content streams. Based on the criteria programmed into the filter, various actions can be executed when defined thresholds are crossed.

34 Summary: Ease of Use
ISA Server 2004 tools make firewall administration easy. Easy configuration can help prevent configuration mistakes. ISA Server 2004 adapts to existing network configurations and changes. Extensive logging, monitoring, and reporting capabilities. ISA Server 2004 is a crucial component in protecting Microsoft networks and applications.

35 Fast, Secure Access Integrated VPN
Secure site-to-site connections. Secure remote access connections. Broad protocol support.

36 Fast, Secure Access Web-Caching Benefits
Frequently requested Web content is cached for local delivery. Users get faster access to frequently requested Web content. Existing bandwidth is used more efficiently. ISA Server 2004 is the only major firewall with built-in, state-of-the-art Web caching.
Key Point: ISA Server 2004 includes state-of-the-art Web caching to provide fast, secure Internet access. In a typical organization many users request identical Web pages and graphics. For example, hundreds of employees may access a business partner’s Web site on a given day. Normally, each such access creates traffic to the Internet. With Web caching, ISA Server 2004 maintains copies of previously viewed Web pages and sends this locally cached version to users’ Web browsers when the same page is requested again. This results in faster response times for users. Cached Web pages are displayed almost instantaneously. Also, because ISA Server 2004 doesn’t need to download cached Web pages unless they have changed on the Web server, less Internet traffic is created, and less bandwidth is required. This allows companies to save money on Internet bandwidth.

37 Fast, Secure Access Internet Access Without Caching
[Diagram: Client 1 and Client 2 each send a GET through the existing firewall to the Internet (steps 1 and 3); the object is sent from the Internet for each request (steps 2 and 4). Each client request causes Internet traffic.]
Key Point: Without caching, each requested object is retrieved from the Internet. Without caching, when users request an object, such as a Web page or a graphic, from the Internet, the object is retrieved for each request, even if the object has not changed. This is not an efficient use of existing bandwidth to the Internet.

38 Fast, Secure Access How Does Caching Work?
[Diagram: Client 1 sends a GET to ISA Server 2004 (step 1); access controls are enforced (step 2); ISA Server 2004 sends a GET to the Internet (step 3); the object is sent from the Internet and placed in cache (step 4); Client 2 sends a GET (step 5); the object is sent from cache (step 6). Client requests for cached content cause no Internet traffic.]
Key Point: When a user requests a Web object that has previously been requested, ISA Server 2004 causes no additional Web traffic. In this example, Client 1 requests a Web page that is not currently stored in the ISA Server 2004 cache. ISA Server 2004 repeats the GET command and retrieves the content from the origin server. Now that the content is stored in cache, subsequent access requests can be fulfilled without accessing the Web server on the Internet. This is also helpful if the Web server is not available or is inaccessible. ISA Server 2004 uses Time-To-Live (TTL) values in the cached content to represent the rules of freshness for HTTP content. Time-To-Live groups the explicit and heuristic rules as well as the no-cache options together for easier administration. Time-To-Live also provides methods for enforcing local rules for content, such as a minimum age before content is considered stale.

39 Fast, Secure Access Effects of Caching
Reduces bandwidth requirements: requests from multiple users for an object only require one download from Internet. Reduces server workload: requests for published Web content are served from the cache without additional requests to the published server. Distributes bandwidth: most frequently accessed content can be downloaded during off hours and before users request it. Ensures that objects are up-to-date: ISA Server requests an updated version when the object has changed on the Web server.
Key Point: ISA Server 2004’s caching makes more efficient use of resources. Caching reduces the bandwidth requirements because it reduces the number of Web downloads over the Internet. When used in conjunction with Web publishing, an organization can also reduce the load on its Web servers. ISA Server 2004 also can make more efficient use of bandwidth by proactively downloading content to its cache during off-peak hours. When caching Web content, ISA Server honors Web site settings for content expiration. This ensures that users receive updated content if there have been changes to it on the Web server.
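The request flow from slides 38 and 39, as an added Python sketch that is not ISA Server code: access control is checked before the cache is consulted, and a TTL combines an explicit lifetime, a default for objects without one, a no-cache option and a local minimum age. The class, parameter names, URLs and TTL values are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Entry:
    body: bytes
    stored_at: float
    ttl: float


# An origin returns (body, explicit lifetime in seconds or None, cacheable flag).
Origin = Callable[[str], Tuple[bytes, Optional[float], bool]]


class CachingProxy:
    def __init__(self, origin: Origin, is_allowed: Callable[[str, str], bool],
                 clock: Callable[[], float],
                 default_ttl: float = 300.0, min_ttl: float = 60.0):
        self.origin = origin
        self.is_allowed = is_allowed
        self.clock = clock
        self.default_ttl = default_ttl   # used when the origin gives no lifetime
        self.min_ttl = min_ttl           # local rule: minimum age before stale
        self.cache: Dict[str, Entry] = {}
        self.origin_fetches = 0

    def get(self, user: str, url: str) -> Tuple[int, bytes, str]:
        # Step 2 on the slide: policy is enforced first, so a cached object
        # is never handed to a user the rules would have blocked.
        if not self.is_allowed(user, url):
            return 403, b"", "denied"
        now = self.clock()
        entry = self.cache.get(url)
        if entry is not None and now - entry.stored_at < entry.ttl:
            return 200, entry.body, "cache"          # step 6: no Internet traffic
        body, lifetime, cacheable = self.origin(url)  # steps 3 and 4
        self.origin_fetches += 1
        if cacheable:
            ttl = lifetime if lifetime is not None else self.default_ttl
            self.cache[url] = Entry(body, now, max(self.min_ttl, ttl))
        else:
            self.cache.pop(url, None)                # no-cache: never stored
        return 200, body, "origin"


def demo():
    """Replay the slide's two-client exchange against constructed data."""
    now = [0.0]
    page = "http://partner.example/price.htm"   # constructed URLs
    quote = "http://partner.example/quote"
    data = {page: (b"v1", 120.0, True), quote: (b"q", None, False)}
    proxy = CachingProxy(lambda u: data[u],
                         lambda user, u: user != "guest",
                         lambda: now[0])
    trace = [proxy.get("client1", page)[2],   # miss, fetched from origin
             proxy.get("client2", page)[2],   # served from cache
             proxy.get("guest", page)[2]]     # denied although cached
    now[0] = 121.0                            # explicit lifetime has passed
    trace.append(proxy.get("client1", page)[2])
    trace.append(proxy.get("client1", quote)[2])
    trace.append(proxy.get("client2", quote)[2])  # no-cache object, fetched again
    return trace, proxy.origin_fetches


if __name__ == "__main__":
    print(demo())
```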

40 Fast, Secure Access Business Benefits of Caching
Improved productivity: many Web pages are displayed faster; no waiting for Web objects that are cached. Better resource utilization: no need to purchase additional bandwidth. Fully integrated, minimal administration.
Key Point: Web caching increases productivity and allows for better utilization of your company’s Internet connection. Caching can change the Web experience for users and make them more productive because wait time for accessing Web content is minimized. In addition, organizations can save money on their cost for connecting to the Internet because ISA Server can eliminate the need to purchase additional bandwidth. Caching is fully integrated into ISA Server 2004 and requires only minimal administration.

41 Fast, Secure Access Scaling Caching for the Enterprise
Downstream server requests content from upstream server. Upstream server retrieves content from Internet. Content can be cached in both locations. Security settings are enforced centrally. No direct Internet requests required from branch offices.
[Diagram: downstream caches at two branch offices connect to the upstream cache on the corporate network, which connects to the Internet.]
Key Point: ISA Server 2004 contains functionality to allow it to scale its caching functionality for large enterprises. Enterprises can extend the caching capabilities of ISA Server by using a system of upstream and downstream servers. This ensures that branch offices retrieve Web content from the cache at the main office, reducing overall Internet access and enforcing centralized access control rules.

42 Fast, Secure Access Granular Access Control
Full control over Internet access by users: enforce corporate policies; control access by protocol, user, location, destination, schedule; fine-grained control of Web content; partner solutions extend access control; all network traffic blocked unless specifically allowed. Flexible firewall policy: easy to create broad rules or detailed policy; unified firewall policy makes it easy to review and troubleshoot access rules.
Key Point: ISA Server 2004 allows administrators to control users’ Internet access. With ISA Server 2004 administrators can enforce corporate policies. Fine-grained access control mechanisms allow administrators to allow or block any type of Internet access. Rules can be as broad as allowing all Web access for all users, or they can be more detailed, for example, denying access to a specific Web site for a single user during non-business hours. Partner solutions can extend this access control. For example, some partner solutions allow administrators to block access to certain types of Web sites. ISA Server 2004’s flexible firewall policy makes it easy to adjust to most corporate requirements and to review and troubleshoot access rules.

43 Summary: Fast, Secure Access
Integrated VPN for secure site-to-site and remote access connections. Optimized for application-layer filtering. Caching accelerates access to frequently used Web content. Granular rules allow a high level of Internet access control. Additional filtering is possible with third-party solutions provided by Microsoft partners.
Key Point: ISA Server 2004 is a crucial component in protecting Microsoft networks and applications. ISA Server 2004 accelerates access to Web content and allows administrators to control users’ Internet access.

44 2. Protecting Microsoft Applications Technical Details

45 Protecting Microsoft Applications
Secure Application Access: help secure access to IIS, Microsoft SharePoint®, and other application servers. Secure Access to E-Mail: allow access to Exchange servers while protecting them. Remote Connectivity: connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003. Integrated Branch Office Solution: branch office security.
Key Point: ISA Server 2004 helps with common scenarios. ISA Server 2004 provides solutions for small-to-medium businesses and the larger enterprise. This section covers four common scenarios in which ISA Server can help organizations.

46 Secure Application Access
Business need: Provide fast, secure access to internal Web resources. Risk to organization: Web servers are exposed to attacks that threaten business resources. Attacks can bypass traditional firewalls by using the same protocols as legitimate Web traffic. Placing a firewall in front of public Web servers can slow down access to Web resources.
Business need: Provide access to SharePoint-based resources. Risk to organization: Allowing access to existing resources requires costly redesign or duplication of network infrastructure. Same risks as providing access to all Web servers.
Business need: Maintain confidentiality of communications. Risk to organization: Confidentiality requires encryption, which defeats traffic inspection at the firewall. Attackers may gain access to network even though a firewall is installed.
Key Point: ISA Server 2004 can help organizations accomplish crucial business needs while reducing the risk to the organization. This slide illustrates the risks associated with common business needs. The slides that follow will show how ISA Server 2004 can mitigate each of these risks.

47 A Traditional Firewall’s View of a Packet
Only packet headers are inspected. Application-layer content appears as a “black box”.
IP Header: Source Address, Destination Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application-Layer Content: ???????????????????????????????
Forwarding decisions based on port numbers. Legitimate traffic and application-layer attacks use identical ports.
[Diagram: incoming traffic from the Internet to the Web server: expected HTTP traffic, unexpected HTTP traffic, Web server attacks, non-HTTP traffic.]
Key Point: A traditional firewall only examines packet headers. Traditional firewalls can’t inspect the payloads of network packets. The problem with this is that when a firewall only inspects packet headers, it can’t determine whether the payload is legitimate or represents disallowed content. For example, when a traditional firewall allows network traffic to port 80 on a Web server, the traffic that is allowed may constitute legitimate HTTP traffic, unexpected HTTP traffic, attacks against the Web server, or even non-HTTP traffic.

48 ISA Server 2004’s View of a Packet
Packet headers and application content are inspected.
IP Header: Source Address, Destination Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application-Layer Content: GET
Forwarding decisions based on content. Only legitimate HTTP traffic is sent to Web server.
[Diagram: incoming traffic from the Internet to the Web server: expected HTTP traffic, unexpected HTTP traffic, Web server attacks, non-HTTP traffic.]
Key Point: ISA Server 2004 inspects both packet headers and packet payload. ISA Server 2004 examines all parts of network packets. It can also combine multiple packets for protocols that require deep content inspection, such as HTTP. This allows ISA Server to examine Web requests and distinguish between expected traffic and traffic that should be blocked before reaching the Web server.

49 Traditional Web Publishing
All traffic using TCP port 80 sent to Web server. One Web server per IP address.
[Diagram: incoming traffic from the Internet to the Web server.]
Key Point: Traditional Web publishing requires a separate IP address for each published Web server. With traditional Web publishing, all Web requests are forwarded to the published Web server. For example, worms that connect to Web servers by cycling through IP addresses can connect to a Web server without having to specify the name of the Web site. Traditional Web publishing allows all Web requests, including Web-based attacks. Because client computers expect to connect to a Web server on port 80, organizations need a separate routable IP address for each Web server that must be accessible from the Internet. All traffic arriving for port 80 of each of these addresses is forwarded to a single published Web server. Traditional firewalls can’t make forwarding decisions based on the content of the Web request. Note: Web servers can use ports other than TCP port 80. However, such a configuration is often not practical for publicly accessible Web servers.

50 ISA Server 2004 Web Publishing
ISA Server 2004 inspects HTTP request. Only allowed requests are forwarded. ISA Server 2004 can publish multiple servers. ISA Server protects IIS.
[Diagram: incoming traffic from the Internet to the Web servers.]
Key Point: ISA Server 2004 can publish multiple Web servers and protect all of them. ISA Server’s Web publishing allows organizations to use a single IP address to publish multiple Web servers and to control which Web traffic is forwarded to the appropriate Web server. For example, ISA Server 2004 can block requests that don’t specify the name of the Web site or that contain disallowed HTTP methods. ISA Server 2004 can also determine which Web server to send the Web request to based on the contents of the request. This allows a Web farm to appear as a single Web server to users. ISA Server 2004 provides excellent protection of Internet Information Services (IIS).
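The difference between the port-based decision of slides 47 and 49 and the content-based decision of slides 48 and 50, as an added Python sketch that is not ISA Server code. The allowed-method list, the published host names, the internal addresses and the sample payloads are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed publishing policy
PUBLISHED_SITES = {                          # Host name -> internal server (constructed)
    "www.example.com": "10.0.0.10",
    "teams.example.com": "10.0.0.20",
}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    backend: Optional[str] = None


def port_filter(dst_port: int) -> bool:
    """Traditional firewall: the decision uses header fields only."""
    return dst_port == 80


def inspect_http(payload: bytes) -> Verdict:
    """Application-layer decision: parse the request before forwarding it."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, "incomplete or non-HTTP header block")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII bytes in header block")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return Verdict(False, "malformed request line")
    method = parts[0]
    if method not in ALLOWED_METHODS:
        return Verdict(False, "method not allowed")
    hosts = [line.split(":", 1)[1].strip().lower()
             for line in lines[1:] if line.lower().startswith("host:")]
    if len(hosts) != 1:
        # A request sent to a bare IP address with no site name ends up here.
        return Verdict(False, "missing or duplicate Host header")
    host = hosts[0].split(":")[0]            # drop an optional port
    backend = PUBLISHED_SITES.get(host)
    if backend is None:
        return Verdict(False, "host not published")
    return Verdict(True, "ok", backend)      # routed by request content


# Constructed payloads, all addressed to TCP port 80.
SAMPLES: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /sites/hr HTTP/1.1\r\nHost: teams.example.com\r\n\r\n",
    b"GET / HTTP/1.0\r\n\r\n",
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
    b"SSH-2.0-client\r\n",
]


def compare(samples: List[bytes]) -> List[Tuple[bool, Verdict]]:
    """Return (port-based decision, content-based verdict) for each payload."""
    return [(port_filter(80), inspect_http(p)) for p in samples]


if __name__ == "__main__":
    for by_port, verdict in compare(SAMPLES):
        print(by_port, verdict)
```

The port filter forwards all six payloads; the content check forwards two and sends each to a different internal server behind the same external address.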

51 How ISA Server 2004 Secures SSL Traffic
SSL: confidentiality but no traffic inspection. SSL bridging: client on Internet encrypts communications; ISA Server 2004 decrypts and inspects traffic; ISA Server 2004 sends allowed traffic to published server, re-encrypting it if required.
Key Point: ISA Server 2004 can protect Web servers by inspecting incoming SSL traffic. Secure Sockets Layer (SSL) is designed to ensure the confidentiality of Web communications across the Internet. This prevents hackers from eavesdropping on confidential Web communications. At the same time, this encryption prevents application-layer inspection. ISA Server 2004 overcomes this limitation by decrypting Web communications between clients and a published Web server at the firewall. This allows ISA Server 2004 to inspect the traffic. ISA Server 2004 can then optionally re-encrypt the traffic between it and the Web server on the internal network. Termination of the encrypted data stream at the firewall is possible because administrators have access to the private key associated with the Web server’s certificate. SSL bridging ensures confidentiality of information that is sent across the Internet while providing application-layer inspection at the same time.

52 Web Publishing Details
ISA Server 2004 HTTP content inspection is a crucial element of a strategy that employs defense-in-depth: ISA Server 2004 provides a central location to block disallowed Web requests based on signatures or generic attack patterns; ISA Server only processes allowed URLs. Unified view of Web resources: ISA Server 2004 can redirect Web requests to one or more internal servers; ISA Server 2004 can protect server farms or entire networks. User authentication: Active Directory, RADIUS, or SecurID needed for access to intranet or extranet resources; credentials can be forwarded to a published server for logging and customizing content. No IIS deployment is complete without ISA Server 2004.
Key Point: ISA Server 2004 is a crucial element in protecting servers running IIS and other Web servers. ISA Server 2004 provides administrators with tools to block specific Web attacks based on attack signatures or based on generic attack patterns. Because ISA Server 2004 only processes allowed URLs, Web servers never receive prohibited requests. ISA Server 2004 is ideal for providing access to server farms or entire networks because it can present a unified view of Web resources to the Internet while hiding the actual Web server structure and server identities. ISA Server 2004 can authenticate users that request access to Web servers. This feature allows for centralized authentication when accessing intranet or extranet resources from the Internet. Web publishing rules can specify that only allowed users are given access to published Web servers. ISA Server 2004 can optionally forward user credentials to the published Web server. This allows the Web server to log access based on users and to customize content for specific users.

53 External Access to Internal Links
Absolute references to internal servers cause problems. Client can’t resolve name to address.
[Diagram: a Web page contains an absolute link (HREF=) to the internal server Teams; the external client on the Internet cannot resolve the name (“Teams?”).]
Key Point: Traditional Web publishing can fail when Web pages contain absolute links. Sometimes Web pages on published servers have links that contain the names of the Web server or other Web servers. If clients on the Internet can’t resolve these names, access to the linked content fails. Most often this problem occurs when these absolute links use names that are only valid on the internal network, such as NetBIOS names. Web site developers can sometimes avoid this problem by carefully designing their Web site. Other times network configurations make this problem unavoidable. The problem occurs most often when companies must make resources simultaneously available from their internal network and the Internet.

54 ISA Server 2004 Link Translation
Link translation solves problems with absolute references.
[Diagram: a Web page with a link to Teams; the HREF= value is shown before and after translation on its way to the external client on the Internet.]
Key Point: Link translation solves problems stemming from absolute references. Link translation is a method used by ISA Server 2004 to overcome problems caused by absolute links. Link translation makes changes to Web pages that contain such links after receiving them from the published Web server and before sending the pages to the client. These changes replace an internal name of a published server with a name that an external client can resolve.

55 Link Translation Details
Link translation is crucial for providing simultaneous internal and external access to SharePoint sites. Translates hyperlinks within Web responses from published server. Translates intranet computer names to names that can be externally resolved. Can replace  for SSL bridging. Automatic translation sufficient for most scenarios, administrator-defined translation for extended functionality. No SharePoint deployment is complete without ISA Server 2004.
Key Point: Link translation is crucial for providing simultaneous internal and external access to SharePoint sites. SharePoint Portal Server frequently uses absolute links. When providing internal access to SharePoint sites, clients can resolve these names. To provide simultaneous external access to these sites, link translation is crucial. In most cases ISA Server 2004 performs link translation automatically, but it also supports administrator-defined translation dictionaries for more advanced scenarios.
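Link translation with an administrator-defined dictionary, as described on slides 53 to 55, in an added Python sketch that is not ISA Server code. The dictionary entries, host names and sample page are constructed, and mapping each internal name to an external scheme as well as an external name is an assumption of this example. The function also reports single-label internal names it could not translate, since those links would both fail for external clients and disclose internal server names.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed dictionary: internal authority -> (external scheme, external name).
TRANSLATIONS: Dict[str, Tuple[str, str]] = {
    "teams": ("https", "teams.example.com"),
    "intranet01:8080": ("https", "portal.example.com"),
}

# href/src/action attributes with a quoted value.
_ATTR = re.compile(
    r"""(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>.*?)(?P=q)""",
    re.IGNORECASE | re.DOTALL,
)


def translate_url(url: str) -> str:
    """Rewrite one absolute URL if its host is in the dictionary."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return url                      # relative links and other schemes pass through
    mapped = TRANSLATIONS.get(parts.netloc.lower())
    if mapped is None:
        return url
    scheme, host = mapped
    return urlunsplit((scheme, host, parts.path, parts.query, parts.fragment))


def translate_links(html: str) -> Tuple[str, List[str]]:
    """Return the rewritten page and the internal names left untranslated."""
    leftover: List[str] = []

    def repl(match: "re.Match[str]") -> str:
        old = match.group("url")
        new = translate_url(old)
        if new == old:
            host = urlsplit(old).hostname
            # A single-label name resolves only inside the internal network.
            if host and "." not in host:
                leftover.append(host)
        return f"{match.group('attr')}{match.group('q')}{new}{match.group('q')}"

    return _ATTR.sub(repl, html), leftover


# Constructed response body from a published server.
SAMPLE_PAGE = (
    '<a href="http://teams/sites/hr/default.aspx?id=7#top">HR</a>\n'
    "<img src='http://intranet01:8080/logo.png'>\n"
    '<a href="/relative/page.htm">relative</a>\n'
    '<a href="http://www.example.org/">external</a>\n'
    '<a href="http://fileserver/share/doc.htm">not in dictionary</a>\n'
)

if __name__ == "__main__":
    page, leftover = translate_links(SAMPLE_PAGE)
    print(page)
    print("untranslated internal names:", leftover)
```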

56 Easy Configuration and Administration of Application Access
Web Publishing Wizards make configuration easy and prevent configuration mistakes; monitoring tools show Web usage.
Key Point: Web publishing is easy to configure and administer. Web publishing wizards allow for easy configuration of Web publishing rules. Administrators can further customize these rules for specialized scenarios. ISA Server 2004’s monitoring tools allow administrators to easily view Web usage and access to published Web sites. The dialog boxes on the slide show the New Web Publishing Rule Wizard and a dialog box with advanced HTTP filtering settings for a Web publishing rule.

57 How ISA Server 2004 Enables Access to Non-Web Resources
Access to some corporate resources requires protocols other than HTTP: FTP servers for access to files; database servers in perimeter network or internal network; public DNS servers to locate company’s servers. Server publishing allows secure access to non-Web resources: ISA Server 2004 supports all IP-based protocols; application-layer filtering for selected protocols: SMTP, FTP, DNS, RPC, etc.
Key Point: ISA Server 2004 can provide secure access from the Internet to application servers. In addition to providing access to Web-based resources, ISA Server can also provide access to other resources, such as FTP servers or DNS servers. ISA Server 2004 uses server publishing to accomplish this. ISA Server 2004 supports all IP-based protocols for secure publishing. Filters for selected protocols provide additional application-layer protection for these protocols. ISA Server provides packet filtering and circuit-level protection for all protocols when you publish a server.

58 Summary: Secure Application Access
- Access to internal Web resources: ISA Server 2004 protects corporate Web resources and acts as a central gateway to allow centralized traffic inspection.
- Access to SharePoint-based resources: ISA Server 2004 makes access to existing internal SharePoint-based resources easy. No network redesign is required.
- Confidentiality of communications: ISA Server 2004 can provide confidentiality of Web traffic and protection of resources at the same time.

Key Point: ISA Server provides all tools that companies need to provide secure application access, reducing the risks associated with providing external access to internal resources.

59 Protecting Microsoft Applications
- Secure Application Access: Help secure access to IIS, Microsoft SharePoint®, and other application servers
- Secure Access to E-Mail: Allow access to Exchange servers while protecting them
- Remote Connectivity: Connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
- Integrated Branch Office Solution: Branch office security

Key Point: Many organizations must provide access from the Internet to their Microsoft Exchange-based mail resources. ISA Server 2004 helps with this scenario.

60 Secure Access to E-Mail
Business Need: Receive and send e-mail
Risk to Organization:
- Traditional firewalls can limit what network traffic is allowed to the mail server, but don’t perform deep content inspection.
- Attacks can succeed by masquerading as legitimate mail traffic.
- Mail servers are the only defense against SMTP-based attacks.

Business Need: Users need access to e-mail regardless of their location
Risk to Organization:
- Allowing access from the Internet also opens the network to potential attacks from the Internet.
- Mail servers are the only defense against attacks that use client protocols, such as HTTP, POP, RPC.

Business Need: Maintain confidentiality of e-mail
Risk to Organization:
- Traditional client protocols, such as POP and IMAP, are unencrypted.
- Most firewalls can’t provide native Outlook access to Exchange servers in a secure manner.
- Encrypting Web access to e-mail, such as OWA, defeats traffic inspection at the firewall.

Key Point: ISA Server 2004 can help organizations accomplish crucial business needs while reducing the risk to the organization. This slide illustrates the risks associated with common business needs. The slides that follow will show how ISA Server 2004 can mitigate each of these risks.

61 E-Mail Access: Traditional Firewall
[Diagram: Internet, firewall, Exchange Server. Rules shown: Allow: Port 25 (SMTP); Allow: Port 110 (POP3); Allow: Port 25; Allow: Port 443 (SSL)]

- Firewall rules open ports to allow traffic to and from mail server
  - Incoming connections on mail server for SMTP, POP3, OWA (using SSL)
  - Outgoing connections from mail server for SMTP
- Limitation: Control over what channels are opened, but no control over what type of network traffic is sent to mail server over these channels

Key Point: Traditional firewalls provide limited protection of mail servers and traffic. Traditional firewalls provide access to resources by only allowing incoming and outgoing traffic based on ports used by the mail server. This method provides no application layer protection of mail-related traffic. The following slides will show the impact of this limitation on how various mail protocols are processed and how ISA Server 2004 can overcome these limitations.

62 Outlook Web Access: Traditional Firewall
[Diagram: Internet, SSL Tunnel, Exchange Server. Labels: OWA Traffic, Password Guessing, Web Server Attacks]

- Web traffic to OWA is encrypted
  - Standard SSL encryption
  - Security against eavesdropping and impersonation
- Limitation: OWA server is only defense against application-layer attacks
- Concept of defense-in-depth requires inspection of OWA traffic at firewall

Key Point: Traditional firewalls don’t adequately protect Outlook Web Access traffic. Outlook Web Access uses HTTP traffic that is encrypted by using SSL to provide browser-based client access to an Exchange Server. While encryption of this traffic ensures confidentiality and protects against Web server impersonation, traditional firewalls can’t inspect the encrypted SSL traffic. This leaves the Exchange server that is configured as an OWA server as the only defense against Web-based attacks that pass through traditional firewalls.

63 How ISA Server 2004 Protects OWA
[Diagram: Internet, SSL Tunnel, ISA Server 2004 (Inspection, Authentication), Exchange Server. Labels: OWA Traffic, Password Guessing, Web Server Attacks]

- Authentication
  - Unauthorized requests are blocked before they reach the Exchange Server
  - Enforces all OWA authentication methods
  - Enhanced forms-based authentication prevents caching of credentials
- Inspection
  - Invalid HTTP requests or requests for non-OWA content are blocked
  - Inspection of SSL traffic before it reaches Exchange Server
- Confidentiality
  - Ensures encryption of traffic over the Internet
  - Can prevent the downloading of attachments to client computers

Key Point: ISA Server 2004’s application layer protection secures OWA traffic and servers. Because ISA Server 2004 can use SSL bridging as part of Web publishing, it can inspect and authenticate access to the OWA server. ISA Server 2004 can authenticate users before they are allowed access to the OWA Server. ISA Server supports all authentication methods that OWA uses and adds enhanced support for forms-based authentication, preventing the caching of user credentials on the client computer and the storing of attachments on client computers. This is an important requirement when users use a public computer to access their e-mail. Application layer inspection allows ISA Server 2004 to block Web-based attacks against the Exchange server. Because ISA Server 2004 was designed specifically with OWA in mind, it provides the best firewall protection for Exchange Server and OWA.

64 How RPC Works
[Diagram: RPC Client (Outlook), Internet, RPC Server (Exchange). Messages shown: “TCP 135: Port for {0E4A… ?”, “Server: Port 4402”, “Port 4402: Data”]

1. The RPC server maintains a table of Universally Unique Identifiers (UUID) and assigned port
2. The client connects to TCP port 135 on the server to query for the port associated with a UUID
3. The server responds with the associated port
4. The client reconnects to server on the designated port to access Exchange

Table on the slide (Service, UUID, Port):
- Exchange Info Store, {0E4A0156-DD5D-11D2-8C2F-00CD4FB6BCDE}, 4402
- Active Directory, {E B06-11D1-AB04-00C04C2DCD2}, 3544
- Performance Monitor, {A00C021C-2BE2-11D2-B F87A8F8E}, 9233

Key Point: The Remote Procedure Calls (RPC) Protocol uses dynamic port assignments. Native Outlook client access to an Exchange Server uses the RPC protocol. The RPC protocol uses dynamic port assignments. The slides that follow will show why this is a security risk when using a traditional firewall and how ISA Server 2004 overcomes this limitation.

65 RPC and Traditional Firewalls
[Diagram: RPC Client (Outlook), Internet, RPC Server (Exchange). Messages shown: “TCP 135: Port for {0E4A… ?”, “Server: Port 4402”, “Port 4402: Data”]

- Open port 135 for incoming traffic
- Open every port that RPC might use for incoming traffic
- Traditional firewalls can’t provide secure RPC access

Key Point: Allowing RPC traffic through a traditional firewall creates security risks. Because RPC can use any one of many secondary ports, an administrator of a traditional firewall would have to open thousands of ports to allow native access from an Outlook client to an Exchange server. While it is possible to configure Exchange Server to use a smaller range of ports, there is still the need to open a number of ports. This is an insecure configuration.

66 How ISA Server 2004 Protects RPC Traffic
[Diagram: RPC Client (Outlook), Internet, RPC Server (Exchange). Messages shown: “TCP 135: Port for {0E4A… ?”, “Server: Port 4402”, “Port 4402: Data”]

- Initial connection
  - Only allows valid RPC traffic
  - Blocks non-Exchange queries
- Secondary connection
  - Only allows connection to port used by Exchange
  - Enforces encryption
- ISA Server 2004 enables secure remote access by using Outlook

Key Point: ISA Server 2004 enables secure remote access by using Outlook. ISA Server 2004 provides application layer filtering for RPC. It can inspect RPC traffic and ensure protocol compliance. It can also ensure that secondary connections are only allowed after a client and the server have negotiated a port. ISA Server can ensure that traffic is only allowed from valid clients and only on the port that Exchange Server uses. While this port may change if Exchange services are restarted, connections are still limited to a single secondary port. Some versions of Outlook allow a user to disable RPC encryption, presenting a security risk for the company. ISA Server 2004 can enforce RPC encryption to ensure confidentiality of access.

67 How RPC over HTTP Works

[Diagram: Internet, RPC proxy, Exchange Server. Labels: RPC Traffic, HTTP Traffic, Web Server Attacks]

- RPC over HTTP encapsulates RPC traffic inside HTTP
- Internal Web server (RPC proxy) extracts RPC traffic from HTTP
- Advantage: Most firewalls allow HTTP traffic
- Problem: Traditional firewalls leave RPC proxy exposed to Web-based attacks

Key Point: RPC over HTTP allows native Outlook access by encapsulating RPC traffic inside HTTP traffic. Exchange Server 2003 and Outlook 2003 add a new method for native Outlook access to an Exchange Server that encapsulates RPC traffic inside HTTP traffic. This method can be particularly useful when using Outlook in a location that only allows HTTP outbound traffic. When using RPC over HTTP, an internal Web server, acting as an RPC proxy, extracts the RPC traffic from the HTTP traffic. This server is often the Exchange server, but it can be a different server. Traditional firewalls leave this server exposed to Web-based attacks because they don’t provide any application layer protection for Web traffic.

68 How ISA Server 2004 Protects RPC over HTTP
[Diagram: Internet, ISA Server 2004, RPC proxy. Labels: RPC Traffic, Web Server Attacks]

- ISA Server 2004 terminates SSL tunnel
- Inspects HTTP traffic for protocol compliance
- Blocks requests for all URLs except
- No direct connections from Internet to Exchange Server
- Application-layer protection for HTTP traffic

Key Point: ISA Server 2004 provides application layer protection for RPC over HTTP traffic. ISA Server 2004 uses SSL bridging and HTTP inspection to prevent Web-based attacks against a server that performs RPC proxy functions.

69 How ISA Server 2004 Protects SMTP Traffic
- SMTP-based Attacks
  - Invalid, overly long, or unusual SMTP commands to attack a mail server or to gather recipient information
  - Attacks against recipients by including malicious content, such as worms
- ISA Server 2004 Protects Mail Servers
  - Enforces compliance of SMTP commands with standards
  - Blocks disallowed SMTP commands
  - Blocks messages with disallowed attachment types, content, recipient, or sender
  - Blocks non-SMTP traffic
- No Exchange Server deployment is complete without ISA Server 2004

Key Point: ISA Server 2004 protects SMTP traffic by using application layer inspection. ISA Server 2004’s application layer inspection includes protection of SMTP traffic. ISA Server 2004 can block unwanted SMTP commands and other SMTP-based attacks. In addition, the SMTP Filter, a component of ISA Server 2004, can block messages based on a number of criteria, such as sender, sender’s domain, keywords, attachment types, attachment names, or attachment size. The Message Screener can stop unwanted or dangerous e-mail at the network edge before it reaches the Exchange Server.
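The command checks listed on this slide (standards compliance, disallowed commands, overly long commands, non-SMTP traffic), written out as an added Python example that is not ISA Server's SMTP Filter and not part of the presentation. The allowed-verb policy, the syntax patterns and the session lines are assumptions constructed for the illustration; the 512-octet command line limit is the one in RFC 5321.

```python
import re

MAX_LINE = 512  # RFC 5321: command line limit, CRLF included

# Assumed policy: VRFY, EXPN and HELP are recognised as SMTP but not allowed,
# because they can be used to gather recipient or server information.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
SMTP_VERBS = ALLOWED_VERBS | {"VRFY", "EXPN", "HELP"}

# Simplified syntax per verb (assumption; the RFC grammar is richer).
SYNTAX = {
    "HELO": re.compile(r"^HELO \S+$", re.I),
    "EHLO": re.compile(r"^EHLO \S+$", re.I),
    "MAIL": re.compile(r"^MAIL FROM:<[^<>\s]*>( \S+)*$", re.I),
    "RCPT": re.compile(r"^RCPT TO:<[^<>\s]+>( \S+)*$", re.I),
    "DATA": re.compile(r"^DATA$", re.I),
    "RSET": re.compile(r"^RSET$", re.I),
    "NOOP": re.compile(r"^NOOP( \S+)?$", re.I),
    "QUIT": re.compile(r"^QUIT$", re.I),
}


def inspect_command(raw):
    """Return ("allow", VERB) or ("block", reason) for one client line (bytes)."""
    if len(raw) > MAX_LINE:
        return ("block", "overly long command line")
    if not raw.endswith(b"\r\n"):
        return ("block", "line not terminated by CRLF")
    try:
        line = raw[:-2].decode("ascii")
    except UnicodeDecodeError:
        return ("block", "non-ASCII bytes in command")
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in line):
        return ("block", "control character in command")
    verb = line.split(" ", 1)[0].upper()
    if verb not in SMTP_VERBS:
        return ("block", "not an SMTP command")
    if verb not in ALLOWED_VERBS:
        return ("block", "disallowed command " + verb)
    if not SYNTAX[verb].match(line):
        return ("block", "malformed " + verb + " command")
    return ("allow", verb)


def inspect_session(lines):
    """One verdict per client line. After an allowed DATA the lines are message
    content until the lone "." line, so they are not parsed as commands.
    Simplification: the server is assumed to have accepted DATA."""
    verdicts = []
    in_data = False
    for raw in lines:
        if in_data:
            if raw == b".\r\n":
                in_data = False
                verdicts.append(("allow", "end of message"))
            else:
                verdicts.append(("allow", "message content"))
            continue
        verdict = inspect_command(raw)
        verdicts.append(verdict)
        if verdict == ("allow", "DATA"):
            in_data = True
    return verdicts


# Constructed client side of a session, mixing valid and invalid lines.
SAMPLE_SESSION = [
    b"EHLO client.example\r\n",
    b"VRFY postmaster\r\n",
    b"MAIL FROM:<alice@example.com>\r\n",
    b"RCPT TO:<" + b"a" * 600 + b"@example.org>\r\n",
    b"RCPT TO:<bob@example.org>\r\n",
    b"GET / HTTP/1.1\r\n",
    b"DATA\r\n",
    b"QUIT is only text inside a message\r\n",
    b".\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_SESSION, inspect_session(SAMPLE_SESSION)):
        print(verdict, raw[:40])
```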

70 Easy Configuration and Administration of E-Mail Access
- Mail Publishing Wizard makes configuration easy and prevents configuration mistakes

Key Point: ISA Server 2004 makes it easy to configure and administer secure access to e-mail. Mail publishing wizards allow for easy configuration of publishing rules. Administrators can further customize these rules for specialized scenarios. ISA Server 2004’s monitoring tools allow administrators to easily monitor access to published Exchange servers. The dialog boxes on the slide show the New Mail Server Publishing Rule Wizard and a dialog box with SMTP Filter settings.

71 Summary: Secure Access to E-Mail
- Receive and send e-mail: ISA Server 2004 stops attacks against servers by enforcing proper traffic patterns at the application level.
- Access to e-mail from any location: ISA Server 2004 protects mail servers from malformed commands that might expose vulnerabilities or reveal too much information.
- Confidentiality of e-mail: ISA Server 2004 can require that all traffic be encrypted.

Key Point: ISA Server provides all tools that companies need to provide secure application access, reducing the risks associated with providing external access to resources.

72 Protecting Microsoft Applications
- Secure Application Access: Help secure access to IIS, Microsoft SharePoint®, and other application servers
- Secure Access to E-Mail: Allow access to Exchange servers while protecting them
- Remote Connectivity: Connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
- Integrated Branch Office Solution: Branch office security

Key Point: Many organizations must provide remote connectivity to connect to partner networks and remote offices, and to provide remote user access to the corporate network. This section covers first how ISA Server enables connectivity between networks and then how it enables secure connectivity for remote users.

73 Remote Connectivity—Partner Access
Business Need: Enable connectivity between networks
Risk to Organization:
- Allowing connections for partners requires partially opening corporate networks to the Internet
- Lack of interoperability may make connectivity difficult or impossible
- Difficult configuration may lead to mistakes that threaten security

Business Need: Provide network access to partner organization
Risk to Organization:
- Employees of partner organization may access inappropriate information on internal network
- Segregating allowed and disallowed resources may require network redesign

Business Need: Maintain confidentiality of communications
Risk to Organization:
- When partners access information across the Internet, eavesdropping may occur

Key Point: ISA Server 2004 can help organizations accomplish crucial business needs while reducing the risk to the organization. This slide illustrates the risks associated with common business needs. The slides that follow will show how ISA Server 2004 can mitigate each of these risks.

74 Traditional Partner Connectivity
[Diagram: Partner Network, VPN Gateway, Internet, VPN Gateway, Internal Network, Extranet]

- Full access from partner network to all corporate resources
  - May include access to confidential information
- Alternative: Extranet
  - Synchronization required

Key Point: Traditional access to the corporate network by partner organizations involves either full access to the corporate network or the administrative overhead of maintaining an extranet. Many companies want to give partners access to parts of their network. Normally this involves VPN connectivity with the partner network. The problem with this solution is that partners get access to all resources on the corporate network unless they have been individually secured. Because of the security implications of this, many companies have chosen to use extranets for this purpose. However, maintaining an extranet can be time consuming and difficult, especially when information must be synchronized between the internal network and the extranet.

75 Partner Connectivity with ISA Server 2004
[Diagram: Partner Network, Internet, ISA Server 2004, Internal Network]

- Controlled access from partner network to selected corporate resources
  - Can limit access to specific servers and applications
  - Full application-layer protection
- Third-party compatibility

Key Point: ISA Server 2004 can enable controlled access from the partner network to the internal network. ISA Server 2004 allows companies to set up secure connections between corporate networks. ISA Server 2004’s firewall policy allows administrators to restrict what type of network access is allowed and what resources can be accessed from the partner network. ISA Server also provides its full range of application layer protection to such connections. In addition, ISA Server has tested and supported compatibility with popular third-party VPN gateways to ensure connectivity with partner organizations using such gateways.

76 Summary: Remote Connectivity—Partner Access
- Connectivity between networks: ISA provides interoperability with existing VPN equipment.
- Network access for partner organization: Access and routing policies limit what resources one partner’s clients can access on the other partner’s network.
- Confidentiality of communications: ISA Server 2004 VPN uses encryption and authentication to ensure that all traffic between sites is kept confidential and remains unmodified.

Key Point: ISA Server provides all tools that companies need to provide connectivity with the networks of partner organizations.

77 Connectivity—Remote User Access
Business Need: Enable remote users to connect to corporate network
Risk to Organization:
- Allowing connections for remote users requires partially opening corporate networks to the Internet
- Difficult configuration may lead to mistakes that threaten security
- Confidentiality of corporate information may be compromised

Business Need: Provide remote access to selected corporate resources
Risk to Organization:
- Employees may access inappropriate information on internal network
- Segregating allowed and disallowed resources may require network redesign

Business Need: Protect corporate resources
Risk to Organization:
- Unmanaged remote clients may introduce viruses or worms
- Insecurely configured remote clients may be used by attackers to gain access to corporate resources

Key Point: ISA Server 2004 can help organizations accomplish crucial business needs while reducing the risk to the organization. This slide illustrates the risks associated with common business needs. The slides that follow will show how ISA Server 2004 can mitigate each of these risks.

78 Traditional VPN Infrastructure
[Diagram: Internet, VPN Gateway, Firewall, Internal Network]

- VPN gateway and firewall separate devices
- VPN clients get full access to internal network
- May require additional client software
- Optional protection of network through separate firewall

Key Point: Traditional VPN infrastructures are difficult to configure and maintain. Traditionally, firewalls and VPN gateways are separate devices. After clients connect to the corporate network by using a VPN connection, they have full access to this network. Such a configuration enables productivity but it ignores that remote client computers can't be trusted as much as computers connected directly to the local network. Companies can restrict access by VPN clients by adding a separate firewall between the VPN gateway and the internal network. Such a solution is difficult and time-consuming to administer.

79 ISA Server 2004 VPN Infrastructure
[Diagram: Internet, ISA Server 2004, Internal Network]

- Includes VPN gateway and firewall functionality
- VPN clients get controlled and protected access to internal network
- VPN client software included in all recent versions of Windows

Key Point: ISA Server 2004 combines firewall and VPN gateway functionality. ISA Server 2004 functions both as a gateway and a firewall. Both functions are tightly integrated to provide secure remote client access. ISA Server’s firewall policies allow administrators to control what resources on the corporate network and the Internet VPN clients can access.

80 Protecting Networks with ISA Server 2004 Network Access Quarantine
- Client script checks whether client meets corporate security policies
  - Personal firewall enabled?
  - Latest virus definitions used?
  - Required patches installed?
- If checks succeed, client gets full access
- If checks fail, client gets disconnected after time-out period
- Goal: Prevent VPN clients that don’t meet security requirements from accessing network

Key Point: Network Access Quarantine allows network administrators to prevent connections from insecure clients. Network administrators only have limited control over how VPN clients are configured. These clients may be home computers or laptop computers that don’t connect to the corporate network for extended periods. When running on Windows Server 2003, ISA Server 2004 can use Network Access Quarantine to ensure that only those client computers that meet corporate security policies can connect to the corporate network. For example, these policies may require that the latest virus definitions are installed or that certain patches are installed. Network Access Quarantine uses a script that administrators have created and that checks the client computer configuration upon connecting. If the script determines that the client meets the security policy, it is given full VPN client access. Firewall policies determine which resources this includes. If the check fails, the client is notified and disconnected after a timeout period expires.

81 VPN Quarantine Process (1)
[Diagram: VPN Client, ISA Server 2004, Quarantine Resources, Internal Network]

1. Client computer connects
2. ISA Server 2004 assigns client to Quarantined VPN Clients network, allowing access to limited resources
3. Script on client computer checks configuration settings
4. Script sends “success” notification to ISA Server 2004
5. ISA Server 2004 assigns client to VPN Clients network, providing access to internal network

Key Point: When a securely configured client connects, the client is given access to the corporate network. After a VPN client connects and has been authenticated it is only given access to limited resources, such as a DNS server for name resolution or a server that contains virus definitions. Once the script has determined that the client is securely configured, ISA Server 2004 grants full access.

82 VPN Quarantine Process (2)
[Diagram: VPN Client, ISA Server 2004, Quarantine Resources]

1. Client computer connects
2. ISA Server 2004 assigns client to Quarantined VPN Clients network, allowing access to limited resources
3. Script on client computer checks configuration settings
4. Script does not send “success” notification to ISA Server 2004
5. ISA Server 2004 disconnects client after time-out expires

Key Point: When an insecurely configured client connects, the client is disconnected from the corporate network. After a VPN client connects and has been authenticated it is only given access to limited resources, such as a DNS server for name resolution or a server that contains virus definitions. If the script does not determine that the client is securely configured, ISA Server 2004 disconnects the client computer.

83 Ease of Use for VPNs

Key Point: ISA Server 2004 allows administrators to easily configure VPN connections. ISA Server 2004 allows administrators to perform most VPN administration tasks using the familiar ISA Server 2004 administration console. Wizards help administrators to configure VPN settings quickly and to avoid configuration mistakes. The screen shots show the VPN Task Pane and VPN configuration dialog boxes.

84 Monitoring VPN Connections
- ISA Server 2004 tools
  - Dashboard view for big picture
  - Detailed information for all aspects of network traffic

Key Point: ISA Server 2004 allows administrators to easily and efficiently monitor network traffic by VPN clients. Real-time reporting is crucial for troubleshooting and for detecting attacks against the network. Because ISA Server 2004’s firewall and VPN functions are integrated, you can use ISA Server’s monitoring tools to monitor VPN traffic. The screen shot shows the new dashboard that combines a number of important real-time indicators.

85 Summary: Connectivity—Remote User Access
- Remote connectivity: ISA Server 2004 allows remote access to the corporate network from anywhere.
- Access to selected corporate resources: ISA Server 2004 allows control over which corporate resources remote users can access.
- Protection of corporate resources: ISA Server 2004 protects the corporate network and the VPN clients.

Key Point: ISA Server provides all tools that companies need to provide connectivity for remote users.

86 Protecting Microsoft Applications
- Secure Application Access: Help secure access to IIS, Microsoft SharePoint®, and other application servers
- Secure Access to E-Mail: Allow access to Exchange servers while protecting them
- Remote Connectivity: Connecting offices, partners, and users by using ISA Server 2004 and Windows Server 2003
- Integrated Branch Office Solution: Branch office security

Key Point: Many organizations must enable connectivity between branch offices and the company’s main office. ISA Server 2004 helps with this scenario.

87 Integrated Branch Office Solution
Business Need: Connect branch office networks to the main network
Risk to Organization:
- Branch office connections must be established across an insecure network and confidentiality of corporate information may be compromised
- Equipment from multiple vendors may not work with each other
- Site-to-site connectivity can be difficult to configure

Business Need: Provide secure Internet access from branch offices
Risk to Organization:
- Employee access at branch offices may expose the network to worms, viruses, and hacker attacks
- Employees at branch offices may access inappropriate content
- Maintaining a consistent configuration is difficult

Business Need: Utilize limited bandwidth at the branch office efficiently
Risk to Organization:
- Branch office connectivity may not be sufficient to allow for efficient Internet access
- Bandwidth used for Internet access can slow down access to corporate network

Key Point: ISA Server 2004 can help organizations accomplish crucial business needs while reducing the risk to the organization. This slide illustrates the risks associated with common business needs. The slides that follow will show how ISA Server 2004 can mitigate each of these risks.

88 How ISA Server 2004 Enables Branch Office Connections
- Broad protocol support
  - PPTP
  - L2TP/IPSec
  - IPSec tunnel mode for interoperability with existing VPN gateways: fully tested and supported
- Authentication and encryption
  - Leverages Windows remote access capabilities
  - Range of authentication methods: Active Directory, RADIUS, passwords, certificates
  - Configurable encryption methods help ensure confidentiality of communications
- Fine-grained control over traffic between networks

Key Point: ISA Server 2004 provides secure connectivity with branch offices. ISA Server 2004 can provide secure connectivity to networks that are located at branch offices. Broad protocol support ensures compatibility with existing VPN gateways. These gateways can be Windows-based, or they can be third-party gateways that use IPSec tunnel mode. Interoperability with leading third-party gateways has been tested and is fully supported. A range of authentication methods and encryption algorithms also ensures broad compatibility. Finally, because ISA Server 2004’s VPN features are fully integrated with the firewall policy, administrators can tightly control which type of network traffic is allowed between networks that are connected by a VPN.

89 Easy Configuration and Administration of Branch Office Connections
Administrators can duplicate existing ISA Server 2004 configuration using XML export/import; easy-to-use wizards simplify administration for branch office administrators; remote administration using MMC, Terminal Services, or Remote Desktop Connection; full integration with Active Directory; easy-to-use monitoring tools; unified policy user interface allows administration of all network access in one location.
Key Point: ISA Server 2004 allows administrators to quickly and easily configure secure branch office connections. ISA Server 2004 makes the configuration and administration of remote office connections easy. To connect multiple branch offices, administrators can duplicate existing connections by using ISA Server’s export/import functionality. Remote administration tools allow configuration of the branch office firewall from the main office. Because ISA Server 2004 provides firewall, VPN, and Web caching functions, administrators can use a single tool to administer all of these functions.
Administrators can use one tool to control all network traffic at branch office

90 Ease of Use for Branch Office Connections
Key Point: ISA Server 2004 allows administrators to easily configure branch office connections. ISA Server 2004 allows administrators to perform most administration tasks using the familiar ISA Server 2004 administration console. Wizards help administrators to configure VPN settings quickly and to avoid configuration mistakes. The screen shots show the New Site-To-Site Network Wizard, the Remote Sites Task Pane and the IPSec configuration dialog box.

91 Firewall Integration
ISA Server 2004 controls network traffic to and from branch offices; VPN rules integrated with other firewall rules.
Key Point: ISA Server provides full firewall protection for branch office connections.

92 Fast, Secure Network Access from Branch Offices
Caching: keeps local copies of frequently requested content; transparent to clients; easy to configure.
Key Point: ISA Server’s caching capabilities extend to branch office connections.

93 Integrated Solution Realize savings through integration
One-stop solution for Internet access: provides firewall, access control, publishing, and VPN in a single solution; provides centralized administration and logging; ISA Server 2004 can easily scale as organization grows; ideal solution for branch offices.
Key Point: ISA Server 2004 can provide a one-stop solution for Internet access, allowing companies to realize savings through integration.

94 Summary: Integrated Branch Office Solution
Branch office network connectivity: ISA Server 2004 is uniquely positioned to deliver an integrated firewall, VPN, and cache solution.
Secure Internet access from branch offices: ISA Server 2004 can protect against advanced attacks.
Utilize limited bandwidth efficiently: ISA Server 2004 helps corporations lower bandwidth costs and improve user productivity.
Key Point: ISA Server provides all tools that companies need to provide connectivity for branch offices.

95 3. Selling Strategies and Partner Offerings

96 ISA Server 2004 Sales Opportunities When to Recommend
Recommend ISA Server 2004 to customers who: need a new or supplemental firewall; use IIS, SharePoint Portal Server, Exchange Server, or Windows Server 2003; experience slow network performance; run ISA Server 2000; run Microsoft Small Business Server (SBS).
Key Point: There are some common sales opportunities for ISA Server 2004 based on the current customer environment. This section covers some specific situations where you should recommend ISA Server 2004 to customers.

97 ISA Server 2004 Sales Opportunities New or Supplemental Firewall
Advanced Protection: advanced application-layer filtering. Ease of Use: quick and easy to configure; fits into existing Microsoft environment. Fast, Secure Access: implement Internet access control; achieve bandwidth and network efficiency. Immediate security and savings.
Key Point: ISA Server 2004 provides immediate benefits as an organization’s primary firewall or in conjunction with an existing third-party firewall. Because ISA Server 2004 can be easily and simply integrated into an existing Microsoft infrastructure, and because it supports all commonly deployed network infrastructures, customers can immediately benefit from its protection and realize immediate security and savings.
ISA Server 2004 provides the best protection for Microsoft-based networks

98 ISA Server 2004 Sales Opportunities New or Supplemental Firewall
Use as main firewall: ISA Server 2004 provides all the protection customers expect from a firewall, VPN, and caching solution. Add new functionality to existing firewalls: caching; access control; application-layer inspection. Defense-in-depth by using multiple firewall products.
Key Point: ISA Server 2004 can provide value by itself or additional value in environments where other firewalls are already in use. While ISA Server 2004 can provide all the functionality that traditional firewalls provide, it can also add functionality to existing traditional firewalls. Many organizations use multiple firewall products as part of a defense-in-depth security strategy. ISA Server can work as the external or internal firewall in this scenario.
ISA Server 2004 adds value by itself or when used in conjunction with an existing traditional firewall

99 Pricing and Licensing Flexible Pricing and Licensing
ISA Server 2004 Standard Edition: U.S.$1,499. ISA Server 2004 Enterprise Edition: TBD.
One-time per processor licensing: upgrade hardware for performance at no additional software cost; no recurring licensing fees; no separate client licenses required; requires Windows 2000 Server or Windows Server 2003 license.
Wealth of integrated features: ISA Server 2004 contains many integrated features, including VPN functionality, reporting, caching, URL screening, and multi-processor support. These must be purchased as expensive add-ons with other firewalls.
Key Point: ISA Server 2004 pricing and licensing is simple and includes many features that cost extra with competitive products. One-time per processor licensing: Allows organizations to scale up for performance at no additional cost and scale out only when availability becomes a priority. Wealth of integrated features: Many integrated features of ISA Server 2004, including load balancing, reporting, caching, bandwidth prioritization, URL screening, and other modules must be purchased as expensive add-ons to other firewalls. Note: The pricing for ISA Server 2004 Enterprise Edition is to be determined.

100 Pricing and Licensing Editions
ISA Server 2004 Standard Edition: Provides enterprise-class firewall security and Web caching capabilities for small businesses, workgroups, and departmental environments. Provides robust security, fast Web access, intuitive management, and excellent price-to-performance for business-critical environments. Limited to four processors. Each server is administered separately.
ISA Server 2004 Enterprise Edition: Designed to meet the performance, management, and scalability needs of high-volume Internet traffic environments. Available: Later in 2004.
Key Point: ISA Server 2004 Enterprise Edition allows for better scaling and for enterprise-wide administration. ISA Server 2004 comes in two editions, Standard Edition and Enterprise Edition. Both share most of the same rich feature set, although Standard Edition is a stand-alone server supporting a maximum of four processors and is limited to server-by-server administration. For large scale deployments, server array support, multi-level policy, and computers with more than four processors, you may need ISA Server 2004 Enterprise Edition.

101 Customer Benefits Technical and Business Value Feature Technical Value
Feature Technical Value Business Value Secure Internet Connectivity Protect against hackers, viruses, and unauthorized access Control outgoing Internet access Defend Web servers and server Revenue + Customer retention + Liability - Fast Web Access Faster browsing Reduce network bandwidth costs Reduce stress on Web servers More reliable data access Performance + Customer satisfaction + Capital expense - Integrated VPN Single point of control at network perimeter Operating cost - Customer satisfaction + Simple Management Access control to management tasks Reduced management complexity, reduced staff/server ratio Reduced time to manage Extensible Open Platform Flexible, customizable solution
Key Point: ISA Server 2004 provides unique technical and business value propositions in several key areas. Use this chart to determine which values to stress with technical and business-oriented customers.

102 Customer Benefits Key Messages Customer Message
Customer: IT Professional. Message: Rock-solid firewall security and high-performance Internet connectivity that’s easy to manage.
Customer: Business Decision Maker. Message: Increase performance and security and reduce costs.
Customer: HR Manager. Message: Reduce liability and enforce corporate Internet access policies in real time.
Customer: CTO. Message: Protect critical information and manage information access with a single, scalable, easy-to-manage solution.
Key Point: When selling ISA Server 2004, highlight different arguments as you are talking to different types of customers.

103 ISA Server 2004 Sales Opportunities Use with IIS and SharePoint
Built from the ground up to support Web protocols; efficient content checking; protection of critical resources; allows controlled, authenticated external access to SharePoint resources.
Key Point: ISA Server 2004’s native support for application-layer filtering provides optimal security for Web and SharePoint publishing.
No IIS or SharePoint deployment is complete without ISA Server 2004

104 ISA Server 2004 Sales Opportunities Use with IIS and SharePoint
No IIS or SharePoint deployment is complete without ISA Server 2004 protection
CUSTOMER PROBLEM: Evolving Internet threats put Web servers at risk. Port 80 is being used more and more. Need fast access to Web sites at all times. SSL traffic is encrypted, introducing additional risk. Difficult to provide external access to internal SharePoint resources.
SOLUTION: Application-layer security is necessary to protect Web servers from evolving types of attacks. Caching speeds access and increases availability. Inspection of SSL traffic improves network security. Link translation automatically changes Web pages
Key Point: ISA Server 2004 is the only firewall that solves all the customer problems associated with securing an IIS or SharePoint deployment. ISA Server 2004 provides comprehensive protection for making internal Web and SharePoint-based resources available over the Internet while protecting the customer network. The unique selling points for protecting IIS and SharePoint are application layer security, caching, inspection of SSL traffic, and link translation.
The ISA Server 2004 advantage: Only ISA Server 2004 solves all of these customer problems. Other firewalls are less capable and often more expensive.

105 ISA Server 2004 Sales Opportunities Use with Exchange Server
Support for OWA: secures and accelerates access. Support for secure access to Exchange Server using the native Outlook protocols: users can use their regular client. Support for all major mail protocols. Content checking to reduce unwanted and dangerous
Key Point: ISA Server 2004 has built-in support for all mail protocols that Exchange offers.
No Exchange deployment is complete without ISA Server 2004

106 ISA Server 2004 Sales Opportunities Use with Exchange Server
No Exchange Server deployment is complete without ISA Server 2004 protection
CUSTOMER PROBLEM: Unwanted messages are plaguing my network. Productivity is a tradeoff for secure communication. Concerned about the security of Exchange OWA.
SOLUTION: Eliminate unwanted by filtering it at the edge. Enable secure, remote Outlook access without a VPN. Inspect SSL-encrypted OWA.
Key Point: ISA Server 2004 is the only firewall that solves all the customer problems associated with securing an Exchange Server deployment. ISA Server 2004 provides comprehensive protection for making internal Web and SharePoint-based resources available over the Internet while protecting the customer network. The unique selling points for protecting IIS and SharePoint are application layer security, caching, inspection of SSL traffic, and link translation.
The ISA Server 2004 advantage: Only ISA Server 2004 solves all of these customer problems. Other firewalls are more expensive, don’t effectively secure all Exchange protocols, or are incapable of filtering

107 ISA Server 2004 Sales Opportunities Use with Windows Server 2003
4/16/ :19 AM ISA Server 2004 Sales Opportunities Use with Windows Server 2003 Integrates with Active Directory Uses existing user accounts for access control Centralized, easy administration Builds on security features of Windows Server 2003 Full-featured VPN capabilities with the ease of use of ISA Server 2004 Security templates and Group Policy to lock down computers ISA Server 2004 is built for Windows protocols Support for Network Access Quarantine Key Point: ISA Server 2004 integrates well with Windows Server 2004 and is the best firewall for a Windows-based network. ISA Server 2004 takes advantage of the capabilities of Windows Server 2003, such as its VPN capabilities and enhances them. © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

108 ISA Server 2004 Sales Opportunities Use with Windows Server 2003
No Windows Server 2003 deployment is complete without ISA Server 2004 protection
CUSTOMER PROBLEM: Difficult to enforce security policies for VPN clients. VPN clients have full access to corporate network. Authentication for user-based Internet-access policy difficult.
SOLUTION: Network access quarantine. Firewall policy applies to VPN clients. Integration with Active Directory provides transparent authentication.
Key Point: ISA Server 2004 is the only firewall that solves all the customer problems associated with securing a Windows Server 2003 deployment. ISA Server 2004 provides comprehensive protection for deploying Windows Server 2003 as part of a customer network infrastructure.
The ISA Server 2004 advantage: Only ISA Server 2004 solves all of these customer problems. Other firewalls are more expensive and don’t provide network quarantine filtering, VPN client policies, or Active Directory integration.

109 ISA Server 2004 Sales Opportunities Slow Network Performance
4/16/ :19 AM ISA Server 2004 Sales Opportunities Slow Network Performance ISA Server 2004 provides immediate performance enhancements Caching increases response time for Web requests, increasing user productivity Caching reduces bandwidth requirements, saving money Can be implemented easily and without interruption in service Does not require network reconfiguration Key Point: ISA Server 2004 can provide immediate performance improvements and savings. Note: For more information about competitive performance, see the ISA Server Web site at Immediate, measurable benefits for existing networks © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

110 4/16/ :19 AM ISA Server 2004 Sales Opportunities Reasons to Upgrade from ISA Server 2000 Improve on ISA Server 2000 More advanced application-layer protection Improved ease of use High performance Support for more protocols Packet filtering on all interfaces Better RPC publishing New authentication options Real-time monitoring Easier administration tools Multiple network support New policy model Application-layer filtering Better performance Integrated policy enforcement for VPN clients VPN client quarantine Key Point: If you are currently using ISA Server 2000, you can get significant improvements and new features by upgrading to ISA Server 2004. Major improvements in ISA Server 2004 give you better protection of your network, for example by allowing more detailed filtering of requests. ISA Server 2004 also allows for easier administration, for example new wizards and new, more intuitive and effective administration tools. Another major selling point is the added flexibility through the new multiple network support. These are just some highlights of improvements in the current version of ISA Server Note that many of these new features make it easier to administer and use ISA Server Other features add new functionality to improve the protection that ISA Server 2004 provides or to make ISA Server 2004 work in more environments. For more information about new features and their benefits, see the What’s New Summary document in the Partner Guide. © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

111 Added protection for small businesses
ISA Server 2004 Sales Opportunities Use with Microsoft Small Business Server
ISA Server 2004 is included only with SBS Premium Edition: SBS Standard Edition only includes very limited firewall functionality. SBS limited to 75 users: as organization grows, investment in SBS can be leveraged by moving firewall policies to a separate server that is running the same firewall software. Moving ISA Server 2004 to a separate computer increases security: many customers want firewall to be separate from SBS; many security professionals recommend moving the firewall functionality to a separate computer to increase security.
Key Point: ISA Server 2004 can be sold as an enhancement to SBS or as customers outgrow SBS. Microsoft Small Business Server Premium Edition includes ISA Server 2004 as part of its integrated suite of products. ISA Server 2004 is the logical step up as customers move past the 75-user limitation on Small Business Server. ISA Server 2004 can also act as a separate firewall for customers who don’t feel comfortable with connecting SBS directly to the Internet.

112 ISA Server 2004 Partner Products (1)
Enhance existing features and add new features
Application Filters: Improve security and interoperability for other protocols with application-layer inspection.
Caching and Distribution: Improve the caching capabilities of ISA Server or create content distribution networks that store content closer to end users and provide centralized delivery, management, and support for different content types.
Content Security: Intercept viruses, malicious code or other inappropriate content at your network's Internet gateway.
High Availability and Load Balancing: Enhance ISA Server with network-level scalability, fault tolerance, and load balancing.
Intrusion Detection: Recognize and react in real time to hacking attempts. Monitor incoming traffic, and trigger responses according to alarms and events.
Monitoring and Administration: Extend the maintenance and management features of ISA Server to make day-to-day monitoring and administration tasks easier.
Key Point: Partners provide many add-on products and services to enhance the functionality and usefulness of ISA Server 2004.

113 ISA Server 2004 Partner Products (2)
Enhance existing features and add new features
Reporting: Review traffic through ISA Server, and develop reports that can be used for calculating departmental charge-backs, identifying inappropriate usage, and categorizing Internet use.
SSL Acceleration and Key Management: Use these hardware add-ons to improve the performance of SSL communications and the security of private keys used in creating SSL sessions, server identification, and PKI components.
Security Resellers: Purchase ISA Server from authorized resellers who have technical product expertise.
Security Solution Providers: Engage with authorized service partners to help build your Microsoft secure-connected infrastructure.
URL Filtering: Restrict access to non-work-related sites, and filter sites that have objectionable or restricted content.
User Authentication: Provide support for additional authentication methods and technologies for ISA Server VPN and Web access.
Key Point: Partners provide many add-on products and services to enhance the functionality and usefulness of ISA Server 2004.

114 A Community of Partners Many Partners Have ISA Server 2000 Track Record
Key Point: There is a strong and diverse community of partners that has a strong track record with ISA Server. Many of these partners have updated their products to support ISA Server 2004 or are in the process of doing so.

115 ISA Server 2004 Partners (1) A Growing Community
4/16/ :19 AM ISA Server 2004 Partners (1) A Growing Community ActivCard AAA Server deployed with ISA Server 2004 is expected to help enterprise customers further protect their digital assets by ensuring and tracking user identities across a network from anywhere, at any time. Akonix plans to use the application-layer filtering capabilities of ISA Server 2004 to direct all instant messaging traffic to Akonix’s award-winning L7 Enterprise IM gateway to implement usage policies, content filtering, virus scanning, logging, and compliance programs Authenex plans to integrate AOne™, a two-factor authentication and Web access control solution, with ISA Server 2004 to deliver a powerful, all-in-one suite of two-factor network security applications. The combination of Cerberian Web Manager and ISA Server 2004 will provide ISA Server 2004 customers with three additional levels of dynamic Internet content-filtering services via Cerberian’s database of more than five million ratings and domains, and Cerberian’s Dynamic Real-Time Rating and Dynamic Background Rating technologies. Fast Scout VirtualWeb Internet filtering and monitoring software will support ISA Server 2004. Key Point: There is a growing community of ISA Server 2004 partners. Note: This list only represents the initial list of partners that have announced products or services for ISA Server Check the ISA Server partners Web site at for a complete list. * This page is based on pre-release information. © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

116 ISA Server 2004 Partners (2) A Growing Community
4/16/ :19 AM ISA Server 2004 Partners (2) A Growing Community Forum Systems will offer integration of its XWall™ Web Services Firewall with ISA Server 2004. DynaComm i:filter from FutureSoft is a reliable, feature-rich enterprise Internet filtering solution for Microsoft ISA Server 2004. GFI DownloadSecurity for ISA Server 2004 enables you to assert control over what files your users download from HTTP and FTP sites. nCipher hardware security modules (HSMs) will interoperate with ISA Server 2004 to more securely and more efficiently handle the advanced security functions performed by ISA Server 2004. Network Associates McAfee SecurityShield for Microsoft ISA Server 2004 is designed to provide anti-virus protection, virus outbreak management, content scanning and, as part of an optional upgrade, anti-spam protection for Microsoft ISA Server 2004. Panda Software Panda ISASecure Antivirus module has been designed to help further protect Internet traffic passing through ISA Server 2004. Key Point: There is a growing community of ISA Server 2004 partners. Note: This list only represents the initial list of partners that have announced products or services for ISA Server Check the ISA Server partners Web site at for a complete list. * This page is based on pre-release information. © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

117 ISA Server 2004 Partners (3) A Growing Community
4/16/ :19 AM ISA Server 2004 Partners (3) A Growing Community RainConnect from Rainfinity, provides continuous or always-on Internet access by distributing traffic among multiple independent ISP links. SurfControl Web Filter puts you in control of Internet usage with a range of flexible, scalable, and high-performance solutions to best fit your Internet content-filtering needs. Venation V-WEB 4 provides a powerful and cost-effective platform for accelerating business-critical applications and content. WebSpy facilitates the effective management of an organization's Internet resources. Whale Communications is planning to use the advanced functionality in the ISA Server 2004 to produce a prototype of a next-generation secure-access appliance. Key Point: There is a growing community of ISA Server 2004 partners. Note: This list only represents the initial list of partners that have announced products or services for ISA Server Check the ISA Server partners Web site at for a complete list. * This page is based on pre-release information. Check for an up-to-date list of available solutions © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

118 ISA Server 2004–Based Appliances More Options for Customers
Extending ISA Server 2004 Benefits: hardened configuration for reduced attack surface; easy to purchase, set up, and deploy; benefits of both a hardware and software solution.
Added Value and Customer Choice: out-of-box configuration tools; Web-based administration; customized and fully integrated deployment options.
New Worldwide Industry Partnerships: Celestix Networks, Hewlett-Packard, and Network Engines; additional future partners.
Key Point: Appliances based on ISA Server 2004 combine the benefits of hardware-based solutions with the full-featured functionality of ISA Server 2004. All ISA Server 2004-based appliances offer the benefits that ISA Server 2004 provides. Added value and features differ by manufacturer. For details of each ISA Server 2004-based appliance, contact the vendor.

119 Competitive Benefits
Best Integration with Microsoft Windows and Microsoft Solutions; More Technologies Built-in; More Advanced Filtering; Integrated Firewall and Caching Provides Better Security; Better, More Broad Support; Faster Learning Curve; Lower Total Cost of Ownership.
Key Point: ISA Server has distinctive competitive advantages. Note: See the Competitive Quick Guide that is included with the Partner Guide for more details on each of the competitive points.
ISA Server 2004 is a viable solution to common security and Web performance problems, with distinct advantages over other available solutions

120 Detailed Competitive Analysis Competitive Chart (1)
Microsoft ISA Server 2004 Standard Edition Competitive Quick Guide
Feature columns, in order: ISA Server 2004; Check Point NG/Nokia 350; Cisco PIX 515E; Netscreen 50; SonicWall Pro 230; WatchGuard V80; Symantec 5420
Architecture: Software or Appliance Appliance Appliance [1]
Operating System: Windows 2000 or Windows Server 2003 IPSO; also runs on Microsoft Windows NT®/2000, Solaris, Linux, AIX PIX OS (based on IOS) ScreenOS SonicOS (2 versions, simple and enhanced) Proprietary Proprietary [1]
Concurrent Sessions: Unlimited 250,000 130,000 8,000 30,000 128,000 64,000
Firewall Throughput: Tested up to 1.59 Gbps 350 Mbps 188 Mbps 170 Mbps 190 Mbps 200 Mbps
Interfaces: No software limit 4 10/100 6 10/100 (10 virtual) 3 10/100 4 10/100 2 HA ports 6
VPN Tunnels: 1,000 (Standard) 16,000+ PPTP, 30,000 L2TP [2] 12,500 2,000 100 500 *
VPN Support: PPTP, L2TP, IPSec, SSL IPSec, SSL, L2TP IKE/IPSec, L2TP, PPTP IPSec, SSL IPSec, PPTP IPSec, L2TP (other models support PPTP) IPSec
VPN Client: Free with all Windows OS Proprietary or Microsoft L2TP client [3] Proprietary, Microsoft L2TP, PPTP [3] Proprietary, costs extra Proprietary, bundled (10) Proprietary, per-tunnel license
Key Point: Microsoft ISA Server 2004 leads the competition in most areas.
Notes: This table spans 3 slides. Green boxes indicate a competitive advantage for a product. Red boxes indicate a competitive disadvantage for a product, or that a feature is not available. Gray boxes indicate that the product is comparable to most of its competitors. Footnotes are located at the end of this table.

121 Detailed Competitive Analysis Competitive Chart (2)
Microsoft ISA Server 2004 Standard Edition Competitive Quick Guide
Feature columns, in order: ISA Server 2004; Check Point NG/Nokia 350; Cisco PIX 515E; Netscreen 50; SonicWall Pro 230; WatchGuard V80; Symantec 5420
IDS: Based on technology licensed from ISS ISS Real Secure IDS; inline/passive inspection of TCP stream Protects against 55 attacks; separate IDS appliance available IDS included based on OneSecure; IDP available extra DoS attack detection and prevention IDS, IDP included, protocol anomaly detection Hybrid anomaly IDS/IDP (Recourse)
Integrated Microsoft Exchange Support: Yes No
Application-Layer Filtering: Deep application-layer including character string filtering; HTTP, SMTP, DNS, FTP, POP3, IMAP NG App Layer Intelligence; includes application proxies, content filtering using UFP Fixups; ASA; URL filtering with WebSense or N2H2; CF blocks Java/Microsoft ActiveX® HTTP, POP3, IMAP, SMTP, FTP, DNS, supports WebSense CFS subscription service SMTP, HTTP proxies Attack signatures; HTTP, FTP, and SMTP sent to virus scan, content filtering
Management User Interface: Familiar Windows MMC for local and remote management, CLI, Terminal Service, or remote desktop CLI, SNMP, FTP, Telnet, SSH, Web: Voyager (local) Horizon Manager (remote) PIX Device Manager (PDM); CLI, Telnet, SSH, console port, Ciscoworks centralized management (optional) Web (HTTP, HTTPS), CLI, Telnet, SSH, Global Pro (option) Web UI, CLI, SNMP, Global Management System (centralized) Java-based GUI; CLI; Multi-box management (CPM) optional Web-based (SSL) UI, Symantec Management console
Web Caching: Included at no extra cost; forward/reverse Not included; add-on product Not included; Cisco Content Engine costs extra Not included With CFS subscription
Key Point: Microsoft ISA Server 2004 leads the competition in most areas.
Notes: This table spans 3 slides. Green boxes indicate a competitive advantage for a product. Red boxes indicate a competitive disadvantage for a product, or that a feature is not available. Gray boxes indicate that the product is comparable to most of its competitors. Footnotes are located at the end of this table.

122 Detailed Competitive Analysis Competitive Chart (3)
Microsoft ISA Server 2004 Standard Edition Competitive Quick Guide
Feature columns, in order: ISA Server 2004; Check Point NG/Nokia 350; Cisco PIX 515E; Netscreen 50; SonicWall Pro 230; WatchGuard V80; Symantec 5420
High Availability: Uses load balancing, failover included in Windows 2000/2003 at no extra cost Clustering not supported on this model Failover with purchase of second appliance (at much lower cost) Supports active/passive mode only (A/A on other series) Hardware failover is a “value-added service” Supports active/passive (A/A optional at extra cost) A/A, A/P, LB (maximum cluster size 8)
Spam Filtering: Yes, can filter by keywords or character strings Does not filter by keyword Can be done with add-ons Third party Third party Not included Included in AV
Add-ons (extra cost options): Wide variety third-party add-ons for extensibility Management, IDS, cluster, content filtering, reports, caching Content engine (caching), IDS, anti-virus, content filtering IDP, spam filtering (SurfControl), AV AV, content filtering add-on; GSM for multi-management A/A HA, virus scan, live security update services AV, content filtering, additional VPN clients, HA/LB
Key Point: Microsoft ISA Server 2004 leads the competition in most areas.
Notes: This table spans 3 slides. Green boxes indicate a competitive advantage for a product. Red boxes indicate a competitive disadvantage for a product, or that a feature is not available. Gray boxes indicate that the product is comparable to most of its competitors. Footnotes are located at the end of this table.
[1] Symantec Enterprise Firewall software that runs on 5400 series appliances can also be purchased as a software firewall that will run on Windows or Solaris.
[2] Windows Server 2003 Standard edition supports 1,000 PPTP and 1,000 L2TP connections. Windows Server 2003 Enterprise and Datacenter editions theoretically support unlimited VPN connections but registry restricts PPTP to 16,384 and L2TP to 30,000 on these editions.
[3] Although Microsoft client software can be used, the proprietary client is required for advanced features such as enforcement of VPN configuration requirements.
* Information unavailable.
Additional details included in Partner Guide

123 Partner Guide Resources
Plan: Review the Partner Revenue Opportunities with ISA Server 2004 document to determine areas of specialization. Learn about the advantages that ISA Server 2004 brings to Exchange Server, IIS, SharePoint, and Windows Server 2003 deployments. View case studies to learn about the benefits that ISA Server 2004 has brought to customers.
Market/Sell: Utilize tools and resources to help you sell ISA Server products and services. Leverage Microsoft’s customer-ready materials to incorporate into your own presentations and distribute to your customers. Read and leverage various datasheets, sales presentations, telesales scripts, and other marketing materials that will help you communicate the benefits of deploying and using ISA Server 2004.
Service/Support: Leverage the ISA Server 2004 Configuration Guide, deployment kits, and white papers to get the background information you need to plan ISA Server 2004 deployments, complete with the step-by-step procedures needed for proper installation and configuration. Install the ISA Server 2004 evaluation software to test the benefits of ISA Server in a production environment.
Train/Enable: Complete the Hands-on Labs on CD 2.

124 Web Resources
ISA Server 2004 official site
ISA Server 2004 partners
Partner Campaign Kits
ISA Server 2004 user community (not affiliated with Microsoft)

125 4. Introduction to Hands-on Training

126 Hands-on Labs Six Scenarios
Lab A: What's New in ISA Server 2004
Lab B: Configuring Outbound Internet Access
Lab C: Publishing Web Servers
Lab D: Publishing an Exchange Server
Lab E: Enabling VPN Connections
Lab F: Using Monitoring, Alerting, and Logging
Key Point: The Partner Guide contains step-by-step instructions and all required files for six hands-on labs.

127 Hands-on Labs Format
Hands-on Training uses Microsoft Virtual PC
Four virtual computers: Internal computer (Domain Controller, Exchange Server); ISA Server 2004; Web server in perimeter network; External computer
Setup guide and instructions included on Partner CD
Each scenario can be completed independently in about minutes
Each scenario contains detailed explanations
Each scenario presents a complete solution
Key Point: The labs use Microsoft Virtual PC and can be completed on a single computer with Microsoft Virtual PC installed.
Note: Refer to the Partner Guide for system requirements and setup instructions.

128 © 2003-2004 Microsoft Corporation. All rights reserved.

