
FAQs - ISA Server or IAG Appliances or both?

Frequently Asked Questions



Question: What is the Microsoft ISA Server 2006 Solution from Iron Networks?

Microsoft ISA (Internet Security and Acceleration) Server 2006 is an enterprise-grade application firewall that also provides web proxy, VPN (client and site to site) and caching software.

Iron Networks delivers ISA Server 2006 on fully integrated, cost-effective appliance platforms, ready to deploy. Iron Networks ISA appliance solutions include:

  • Hardware platform built using the latest x86 processor technology, with highest performance, redundancy and remote system management options
  • Operating system (a hardened version of Microsoft Windows Embedded Server 2003 R2)
  • ISA software (Microsoft ISA Server 2006)
  • Several key enhancements included in Iron Networks integrated appliances, such as FFRS (Flash-based Field Recovery System) for backups and restores to factory settings or from the last known good state, Oneface (Web-based System Manager) and LCD-based Network Management
  • Pre-loaded third-party applications (such as Web Filtering from Websense, Webwasher and SurfControl, NAC from Winfrasoft, and many other packages such as AV, AS, Authentication, etc.)
  • A variety of hardware replacement, help desk and software update support options, and more, all available from Iron Networks

There are two versions of Microsoft ISA Server 2006:

  • Microsoft ISA Server 2006 Standard Edition. Iron Networks offers 6+ appliance configurations under the brand name mISA. For more info visit: www.ironnetworks.com/products/nGatewaymISA
  • Microsoft ISA Server 2006 Enterprise (and Branch) Edition. Iron Networks offers 6+ appliance configurations that can be deployed at the main corporate office under the brand name mISAE. Iron Networks additionally offers 6+ appliance configurations that can be deployed at branch offices under the brand name mISAE/B. For more info visit: www.ironnetworks.com/products/nGatewaymISA

Additional information on the differences between Standard and Enterprise Editions can be found at: www.ironnetworks.com/products/ISA-IAG-DeploymentScenarios

Software licensing from Microsoft: The ISA appliance is licensed as a gateway product; no additional per-user or per-client access license seats are needed.

Note: Microsoft ISA Firewall is a popular choice for Edge Security deployments, and offers easy and seamless integration into both Microsoft and non-Microsoft IT infrastructure environments. It has never been compromised and has no security issues reported on the security tracking website www.secunia.com. This is not true for many other software or hardware firewall vendors.

Question: What is the Microsoft IAG 2007 SSL/VPN Solution from Iron Networks?

Microsoft IAG (Intelligent Application Gateway) 2007 is an enterprise-grade SSL VPN solution that enables secure remote access to both web-based and non-web-based applications. In addition, IAG 2007 includes a limited implementation of Microsoft ISA Server 2006.

Microsoft acquired Whale Communications in mid-2006 and rebranded its SSL VPN software (version 3.7) as Microsoft IAG 2007. Since early 2007, IAG has been available only as an appliance from select hardware partners such as Iron Networks. Microsoft IAG cannot be purchased as a software-only solution.

The Iron Networks mIAG appliances ship as a fully integrated, ready-to-deploy and cost-effective solution for SSL VPN access. They also include:

  • Hardware platform built using the latest x86 processor technology, with highest performance, redundancy and remote system management options
  • Operating System (Hardened version of Microsoft Windows Embedded Server 2003 R2) + Software (Microsoft ISA Server 2006*) + Microsoft IAG 2007
  • Several key enhancements included in Iron Networks integrated appliances, such as FFRS (Flash-based Field Recovery System) for backups and restores to factory settings or from the last known good state, Oneface (Web-based System Manager) and LCD-based Network Management
  • Iron Networks provides a variety of hardware replacement, help desk and software update support options

Iron Networks offers 6+ advanced appliance configurations under the brand name mIAG.

Software licensing from Microsoft: IAG is not licensed as a gateway product. Each Iron Networks appliance model includes 10 Client Access Licenses (CALs); additional CALs are priced at an MSRP of US $22. Each CAL user is a named user.
For more info please visit: www.microsoft.com/forefront/edgesecurity/howtobuy.mspx


Question: I am only looking for a device to provide SSL VPN access. Can I buy only IAG and not ISA?

Yes, the Iron Networks IAG appliance provides everything you need to deploy an enterprise-grade SSL VPN solution.


Question: If I only buy an IAG Appliance, can I make use of all the features of ISA 2006 Server as well?

No, Microsoft licensing prohibits this. It is true that the IAG appliance contains a full implementation of ISA software, but the ISA license that is provided with an IAG appliance limits usage to those functions required for supporting packet filtering for SSL VPN traffic. This is a licensing and not a technical limitation.


Question: So if I want to use ISA for complete perimeter security, and IAG for SSL VPN access, how do I achieve this?

Iron Networks recommends that you purchase two appliances, an ISA appliance, and an IAG appliance. The illustration below depicts using both an IAG and an ISA appliance.


Usage Scenarios: Microsoft ISA Standard, Microsoft Enterprise and IAG based Appliances





Question: I only have budget for one appliance, how do I choose which is best for my environment?

The decision on whether to get an ISA Firewall versus an IAG is not always a straightforward one, but the decision isn't as hard as it might seem. Here are some key considerations: 

  1. Primary purpose of the IAG: The IAG is designed as an inbound access gateway for SSL VPN, PPTP VPN and IPSec VPN. It can also be used as a site-to-site VPN gateway. The IAG is not designed for outbound access control.
  2. Primary purpose of ISA: The ISA Firewall is designed to be a network firewall with stateful packet and application layer inspection, a VPN server and site-to-site VPN gateway, a Web proxy and caching server, and a secure application publishing server. The ISA Firewall is designed to perform strong user/group access controls for both inbound and outbound access.
  3. Web Publishing: Both the ISA Firewall and the IAG can be configured to provide strong inbound access control via Publishing Rules.
    • For Web Publishing Rules, the IAG is orders of magnitude more sophisticated and more secure than the ISA Firewall.
    • The IAG does not support Server Publishing Rules, so an ISA Firewall would be preferred in this scenario, as it performs application layer inspection on these connections.
  4. Network Access Control: For Web Publishing scenarios, the IAG supports granular policy controls, so that user access is customized based on what type of device is connecting. Application functionality can also be controlled based on the security state of the connecting machine, as the IAG has a very powerful endpoint checking feature (probably the best endpoint checking feature in the SSL VPN industry). The ISA Firewall does not perform any type of endpoint checks for Web Publishing scenarios; endpoint checking is only supported for VPN connections using Remote Access Quarantine Control, which is complex to configure and typically requires a third-party application such as Winfrasoft VPN-Q 2006 or Fred Esnouf's QSS v4.
  5. SSL VPN: The IAG supports three types of "SSL VPN". The first supports web publishing of web-enabled and non-web-enabled applications (such as Exchange, SharePoint, CRM, etc.) using web portals. The second type is socket and/or port forwarding. The third type is network layer VPN connectivity over an SSL tunnel (called the "network connector", similar to what SSTP will provide with Longhorn Server and Vista SP1). The ISA Firewall does not support SSL port/socket forwarding or network level SSL VPN. The overall cost of the IAG is higher than that of the ISA Firewall (you have to add the cost of additional CALs).

Based on some of the observations above, we can come to the following conclusions:

  • If you already have a firewall, but need to add inbound access control and SSL VPN capabilities, then the IAG 2007 is the product of choice.
  • If you only need perimeter firewall capability, then the ISA Firewall is the product of choice.
  • If you need only strong outbound access control, or both strong inbound and outbound access control, then the ISA Firewall is the product of choice.
  • If you need application layer inspection for non-Web protocols, then the ISA Firewall is the product of choice.

If you need strong inbound and outbound access control and the highest level of security for both, then you should purchase both an ISA Firewall and an IAG appliance.

 

Copyright © 2024 Iron Networks, Inc. All Rights Reserved.