
Tuesday, September 3, 2013

ISA Server 2006 Overview


What is the ISA 2006 Firewall?

The goal of this article is to let you know about the ISA firewall and help you define its features and capabilities.


I’ve had a number of encounters with customers and consultants lately that remind me of a situation that I’ve been aware of for years. Did you know that most people don’t actually know what the ISA firewall is and what it does? I think some of the confusion is related to the name of the product. First, there is the “Internet Security and Acceleration” part, which doesn’t really give you a good idea of the product’s purpose and function, and second, appending the term “Server” to the end of the product name is confusing, because most people don’t think of firewalls as “firewall servers”.
Of course, people could go to the Microsoft Web site and try to figure out what the ISA firewall is and does. But like most of the home pages on the Microsoft.com Web site, it’s very hard to determine what the product is and does from the information on those pages. You see it promoted as a “security gateway”, which is the latest buzz term in the business. You also see it promoted as a “secure application publishing” solution. OK, what’s that in the big scheme of things? The problem that customers and consultants have is that they don’t understand the marketing speak and just need to know what the ISA firewall is and does.
ISA Server 2006 is Microsoft’s newest version of its Internet Security and Acceleration Server product line. Initially introduced in December 2000, ISA Server 2000 was the first version of the ISA Server product. A major revamp of ISA Server was released in May 2004 and christened ISA Server 2004. This major overhaul included significant improvements and put it on par with other major firewall and security gateway products, such as Check Point NG, Cisco PIX/ASA and Blue Coat. ISA Server 2006 was released to the general public in August of 2006.
ISA Server 2006 is a multi-featured and multi-purpose product that can be deployed in a variety of ways to meet the unique requirements of virtually any organization. As an integrated firewall, Web proxy and VPN server and gateway, ISA Server 2006 can be configured to act in each of these roles or be set up to provide only a subset. This flexibility enables you to introduce ISA Server into your network with minimal disruption to your current infrastructure and provide the security services you need.
In order to help you understand what ISA Server or an NS9200 series security gateway appliance can do for you in securing your core network applications and servers, we’ll discuss the following topics:
  • What is ISA Server 2006?
  • What’s new and improved in ISA Server 2006
  • What’s the difference between ISA Server 2006 Standard Edition and Enterprise Edition?

What is ISA Server 2006?

ISA Server 2006 is many products in one. In a single software package you get:
  • A network layer firewall
  • An application layer inspection security gateway
  • Forward and reverse Web proxy and caching server
  • Remote access VPN server
  • Site to site VPN gateway

A Network Layer Firewall

ISA Server 2006, like Check Point NG and the Cisco PIX/ASA firewall product lines, is a stateful packet inspection firewall. A stateful packet inspection firewall is able to look at the IP (Internet Protocol) information and make sure that attackers don’t take advantage of inherent security vulnerabilities at the network layer. ISA 2006 is able to check and prevent prevalent network layer attacks so that attackers on the Internet, or even in your own organization, are not able to disable or take over the ISA 2006 firewall.
Stateful packet inspection firewalls were state of the art in the 1990s. However, the threat landscape has changed significantly since that time. While malicious users at the end of the 20th century were interested in disabling the firewall and defacing Web sites for personal ego gratification, modern day hackers are more interested in obtaining or destroying corporate information for personal gain. Today’s network criminal is not interested in attacking the firewall or defacing a Web server; he’s more interested in “going under the radar” to steal, change, or destroy data.

Application Layer Inspection Security Gateway

Stateful packet inspection firewalls are unable to determine if there is an attack against a Web server, mail server, FTP server or any other kind of network application. All the stateful packet inspection-only firewall can do is protect you against simple network layer attacks. For this reason, an application layer inspection firewall or security gateway is required.
After ISA Server 2000 was released in December 2000, it quickly became the thought leader in application layer inspection space. Prior to the release of ISA Server 2000, the Gold Standard for firewalls was the Cisco PIX. The PIX was a simple stateful packet inspection firewall and could not protect networks against complex application layer attacks that modern hackers were using to steal, change and destroy corporate data.
ISA 2006 continues in the tradition of ISA Server as the leading edge application layer inspection firewall and security gateway. In fact, you’ll see ISA Server described as a “secure gateway” instead of a firewall, because the term firewall is losing its luster due to its heritage as a stateful packet inspection-only device. The ISA 2006 firewall takes both stateful packet inspection and application layer inspection and combines them into a powerful network security gateway solution.

Forward and Reverse Web Proxy and Caching Server

A Web proxy server is a machine that accepts Web connections from Web browsers and other Web enabled applications and forwards those connections to the destination Web server on the behalf of the user making the request. The Web proxy server can accept connections from users on your corporate network and forward them to an Internet Web server or it can accept incoming connections to Web servers and services on your corporate network and forward them to company servers.
When the ISA Server 2006 firewall acts as a Web proxy server, it has full knowledge of the communications being made through it. This enables the ISA firewall’s Web proxy services to provide a significant level of security for Web connections and protects your network from viruses, worms, hacking attempts and more, including identifying and authorizing users before allowing Web connections through the ISA firewall and Web proxy and caching server.
When the ISA firewall’s Web proxy service intercepts Web connections, it can perform many security checks to protect your network. Some of these include:
  • Pre-authenticating the user at the ISA firewall and Web proxy and caching server for incoming connections to corporate Web and mail servers. When pre-authentication is enforced by the ISA firewall, it prevents anonymous users on the Internet from connecting to your corporate assets. Since attackers don’t have access to legitimate user credentials, they are unable to attack your Web servers
  • Transparently authenticate users on the corporate network before their connections are allowed to the Internet. This allows the ISA Server to record the user names for all connections made through the ISA firewall and includes this information in logs and reports for forensics and regulatory purposes
  • Perform deep application layer inspection on all the Web connections made through the ISA firewall using ISA’s HTTP Security Filter. This application layer inspection filter enables the ISA firewall to “scrub” Web sessions to make sure suspicious and potentially dangerous HTTP commands and data do not compromise your network
  • Control what Web sites users are allowed to access, the time of day the users are able to connect, and even control the types of information users can download from the Web. For example, you can use the ISA firewall’s Web proxy features to block access to executable files, streaming media, and documents, such as Microsoft Word files
  • Cache information requested by users to accelerate the Internet experience. When a user on the corporate network requests a Web page, ISA 2006 places that Web page in its Web cache. The ISA firewall stores that information and when another user makes a request for the same Web page, the Web page is returned to the user from the Web cache. This removes the requirement of having to connect to the Internet Web server to retrieve the same page again and reduces the amount of bandwidth needed on the Internet connection and provides users much faster access to the information.
This is just a short list of what the ISA 2006 Web proxy and caching component can do for your company. For comprehensive information on how the ISA firewall’s Web proxy component can secure and accelerate your organization, please see the document Secure Remote and Outbound Internet Access Using ISA Server 2006 Web Proxy.

Remote Access VPN Server

An increasing number of employees need access to information contained on the corporate network when they’re out of the office. Employees need to access Word documents, PowerPoint files, databases and more when on the road or when working from home. Even more important to business continuity is the ability to provide off-site workers access to corporate information in the event of an emergency, when workers might not be able to leave their homes. One of the most secure ways you can provide employees access to this information is by using a remote access VPN server.
A VPN (virtual private networking) server allows users outside the office to connect to the corporate network from a laptop or workstation from anywhere in the world. Once the user creates the secure VPN connection, that user’s computer is like a computer located at the office and can potentially access information from any server within the corporate network.
One of the drawbacks of traditional VPN solutions sold by major VPN server vendors is that once the user connects to the VPN server, that user has access to any resource on the corporate network. The problem with this is that the computers remote access users use to connect to the corporate network are typically not managed machines and are therefore at higher risk of worm, virus and trojan infection.
The ISA Server 2006 plugs this security hole found in typical “hardware” VPN servers using three powerful methods:
  • Strong user/group-based access control and least privilege access for remote access VPN connections
  • Application layer inspection on all remote access VPN connections
  • ISA 2006 VPN Quarantine Control
Strong User/Group based Access and Least Privilege for Remote Access VPN Connections
ISA 2006 allows you to control user access based on the user account or the user’s group membership. Access policy is enforced on the user so that, in contrast to traditional “hardware” VPN servers, users are allowed access only to applications the user is given permission to use and no more. VPN users aren’t allowed free access to the entirety of the corporate network – only to resources they require to get their work done.
Application Layer Inspection on all Remote Access VPN Connections
Survivors of the Blaster worm might recall that they had a false sense of security when they configured their Internet firewalls to block the worm from gaining entry to their network from the Internet. These companies were still infected by Blaster, not from the Internet, but from VPN users. These companies used traditional “hardware” remote access VPN servers that could not perform application layer inspection on the VPN users.
In contrast to the traditional remote access VPN server, ISA 2006 performs both stateful packet and application layer inspection on all traffic moving over the VPN link. Worms like Blaster cannot infect the corporate network over an ISA 2006 VPN connection because the ISA firewall’s smart RPC application layer inspection filter blocks the worm traffic. This ability to inspect application traffic enables the ISA firewall to protect you against compromised VPN client computers in the same way that it protects you from Internet based exploits.
ISA Server 2006 VPN Quarantine Control
For a comprehensive remote access VPN client defense in depth solution, the remote access VPN server should be able to pre-qualify the security status and general system health of the machine connecting through the remote access VPN link. This enables you to be more confident that even unmanaged machines meet minimal security configuration requirements before being allowed to connect to the corporate network.
ISA Server 2006 solves this problem by implementing Remote Access VPN Quarantine (VPN-Q). The VPN-Q feature allows you to configure a set of parameters that the VPN client systems must meet before being allowed to access resources on the corporate network. If the VPN client system is not able to pass these security and health checks, you can configure the VPN-Q feature to automatically update and configure the VPN clients so that they pass inspection and then allow them into the system. If the VPN clients are unable to be completely updated, then the connection is dropped. This protects your company from fatally flawed and compromised computers that could attack and destroy your company’s core information assets.

Site to Site VPN Gateway

We all hope that our companies grow large enough to require branch offices. But with the expansion into branch offices comes the increased complexity and expense required to connect those branch offices to the main office network’s resources.
There are a number of options available to provide branch office connectivity to the main office. These include:
  • Dedicated WAN links provided by telco providers
  • Managed VPN networks provided by telco providers and ISPs
  • Corporate managed VPN site to site VPN networks terminated at company VPN gateways
  • Limited connectivity via “publishing” of corporate resources
Dedicated WAN links and managed VPNs are a good solution for companies who are immune from cost considerations. These options can be prohibitively expensive and organizations who are interested in cost-control prefer to use corporate managed site to site VPN connections between corporate managed VPN gateways.
A VPN gateway allows you to connect your main office to all of your branch offices over inexpensive Internet connections and do so in a secure fashion. Each ISA firewall and security gateway, at the branch offices and the main office, enforces strong stateful packet and application layer inspection over the information moving over the site to site VPN links. In addition, all connections made by branch office users are logged and recorded so that you have a comprehensive history of what users at the branch offices have been doing with main office resources.
The ISA 2006 site to site VPN feature set is an integral part of the ISA 2006 branch office gateway role. For a detailed discussion of using ISA 2006 as a branch office security gateway, please refer to the white paper Securing and Accelerating Branch Office Communications Using ISA Server 2006.

What’s New and Improved in ISA Server 2006?

ISA Server’s roots were originally in Microsoft Proxy Server 2.0. ISA Server 2000 represented a major revamp of the Microsoft Proxy Server product and transformed it from a simple proxy server to a full featured network firewall and application layer security gateway. Another major reconstruction of the ISA firewall product line took place, with over 100 improvements and changes, with the introduction of the ISA 2004 firewall. In contrast to previous versions of ISA Server, the new ISA 2006 firewall and Web proxy and caching product represents an incremental change.
The major improvements included with ISA 2006 are focused on secure Web publishing, enhanced branch office performance and reliability and worm/flood protection. Table 1 provides some details of these improvements.

New and Improved in ISA 2006 | Details
Secure Web Publishing | ISA 2006 includes a number of improvements in providing secure remote access to Web servers and services on the corporate network. Some of these include:
  • New SharePoint Portal Server Publishing Wizard
  • Improved Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS) and Outlook 2003+ RPC/HTTP Web Publishing Wizard
  • Increased options for two factor authentication, including SecurID and RADIUS One-time passwords
  • New Kerberos constrained delegation enables remote users with laptops and Windows Mobile-enabled devices to use secure user certificates to authenticate to the ISA firewall
  • New LDAP authentication allows ISA 2006 to be placed in a high security DMZ and leverage Active Directory users/groups
  • Web farm load balancing. This new feature enables you to publish a collection of Web servers that perform the same function or contain the same content and have the ISA 2006 firewall automatically load balance the connections. ISA Server is able to do this without requiring NLB or a hardware load balancer, which greatly increases the simplicity of deployment and greatly reduces the cost by removing the hardware load balancer
Branch office security gateway | ISA 2006 includes a number of new and improved features that make it the ideal selection for a branch office security gateway. These include:
  • HTTP compression of the link connecting the branch office to the main office
  • Diffserv Quality of Service (QoS) enables the ISA firewall to participate in Diffserv service groups and provide preferential treatment to connections to mission critical servers
  • BITS caching reduces the cost and the load on links connecting the main office to the branch office by reducing the number of requests required for Microsoft updates
  • The new site to site VPN wizard makes it easy for a non-technical user to provision a branch office ISA firewall with the help of an answer file created by the main office ISA firewall administrator
Worm and flood protection | ISA 2004 included a basic worm and flood protection feature that prevented the ISA firewall and ISA firewall protected networks from being compromised by worm flood attacks. The ISA 2006 firewall builds on this flood protection and increases the level of security against network flooding by adding many new configurable worm flood protection settings.
Table 1: New and Improved Features in ISA 2006

Standard Edition or Enterprise Edition?

There are two versions of ISA Server 2006. These are:
  • ISA Server 2006 Standard Edition
  • ISA Server 2006 Enterprise Edition
ISA 2006 Standard Edition is aimed at the small and medium sized business market of 75-500 users. ISA 2006 Standard Edition is comparable to a PIX or ASA firewall that is being used at a single site either in a lone firewall configuration or a lone firewall with a hot or cold standby. Management of ISA 2006 Standard Edition firewalls is done on a per machine basis.
In contrast, ISA 2006 Enterprise Edition is designed with medium to enterprise sized businesses in mind, where there are several ISA firewalls located at the main office and potentially thousands of ISA firewalls located in branch offices all over the world servicing 500-100,000 users. The Enterprise Edition of the ISA 2006 firewall and Web proxy and caching server provides features required for medium and enterprise sized businesses alike, including centralized management and configuration, throughput in the multi-gigabyte range, and intelligent load balancing and caching leading to optimal uptime and performance for even the largest enterprise environments.

Summary

The goal of this article was to let you know about the ISA firewall and help you define its features and capabilities. The ISA firewall is a comprehensive network security solution that provides network edge and perimeter firewall, remote access VPN server, site to site VPN gateway, and Web proxy and caching in a single product.
All of these features can be deployed at the same time on a single device, or you can deploy the ISA firewall using only one or two of these roles. At its core, the ISA firewall is a network firewall on par with Cisco PIX/ASA or Check Point, but with the additional Web proxy and caching functionality that the Cisco and Check Point offerings do not have (unless you want to pay rapacious licensing fees).
The ISA firewall is also a high performance solution, easily supporting over 1.5Gbps stateful packet inspection and over 300Mbps Web proxy application layer inspection. ISA firewalls come in two versions: a Standard Edition for mid-sized businesses without branch offices or HA requirements, and Enterprise Edition, designed for mid-sized to enterprise businesses, who require centralized support for deployment, configuration and management of a globally distributed firewall and Web proxy/caching solution.

The Author — Thomas Shinder


Monday, September 2, 2013

Exploring ISP Redundancy in Forefront Threat Management Gateway (TMG) 2010

Exploring the ISP-R feature in detail; looking at different operating modes, explaining the load balancing algorithm, investigating the dead link detection process and various deployment scenarios where ISP-R is implemented.

Introduction

One of the many new features in TMG that has long been requested by ISA firewall administrators is its ability to support multiple external network connections. ISP Redundancy (ISP-R) now provides this capability. With support for two unique ISPs (or more accurately, external network connections), we can now have fault tolerance and redundancy for our Internet or WAN connections. In this article we will explore the ISP-R feature in detail, look at the different operating modes, explain the load balancing algorithm, and investigate the dead link detection process. We will also discuss various deployment scenarios and considerations to be made when designing and implementing ISP-R.

Operating Modes

ISP-R in TMG has two operating modes – Load Balancing and Failover. In Load Balancing mode, connections are balanced between two external networks evenly (by default) or unevenly (configurable by the administrator). If either external connection goes down, all communication will be sent over the remaining available connection. In Failover mode, one external network is configured as the primary connection, and the other is configured as the secondary connection. All communication is sent over the primary connection. If the primary connection goes down, all communication will be diverted to the secondary connection. Once the primary connection is available again, all communication will again be sent over the primary connection.

Preparing the Network Interfaces

ISP-R supports only two external network connections, and each connection must be on a unique subnet. For proper operation and optimum performance, both external network interfaces should be configured identically (pay special attention to your NIC driver’s offload settings).
Ideally the network interface cards should be the same model. Begin by giving each network interface a descriptive name (e.g. External_Sprint and External_Verizon). Configure the first external network interface with an IP address, subnet mask, and default gateway. If your TMG firewall is not a member of a domain and does not communicate with any internal network resources by name, you can specify your ISP’s DNS servers here. If your TMG firewall is a domain member, do not specify ISP DNS servers here (Internal DNS servers are configured on the internal network interface only). Once complete, click the Advanced… button.
Figure 1

Uncheck the box marked Automatic metric, and then enter 1 in the Interface metric: box.
Figure 2 

 Repeat these steps to configure the second external network interface, this time using an Interface metric: value of 2. Be sure to configure a default gateway on this second external interface. Generally this is not recommended, and Windows will complain when you attempt to do this.
Figure 3 

In this scenario it is safe to disregard this warning and select Yes to proceed.
Note: If your ISPs use DHCP to assign addresses, you will not be able to configure multiple default gateways. In this case you will create default persistent static routes before configuring ISP-R. In our example here, those routes would be configured as follows:

    route add -p 0.0.0.0 mask 0.0.0.0 131.107.54.46
    route add -p 0.0.0.0 mask 0.0.0.0 207.213.91.214

Configuring ISP Redundancy

Once the initial network interface configuration is complete, open the TMG management console and in the console tree highlight Networking, then select the ISP Redundancy tab.
Figure 4 

 In the Tasks pane, click Configure ISP Redundancy.
Figure 5 

 Choose Next, then select the ISP redundancy mode that meets your requirements. For demonstration purposes we’ll select the default option Load balancing with failover capability.
Figure 6 

 Specify the ISP connection name:, and then select a network adapter from the drop-down list.
Figure 7 

 Confirm that the gateway address and subnet mask are correct. If your TMG firewall is not a member of a domain and does not communicate with any internal network resources by name, you can specify your ISP’s DNS servers here. If your TMG firewall is a domain member, do not specify ISP DNS servers here (Internal DNS servers are configured on the internal network interface only).
Figure 8 

 In some cases there will be external servers that can only be reached via a specific external link. An example of this would be an ISP’s DNS server or mail server. If required, enter those servers here. You have the option to specify specific computers, computer sets, or address ranges.
Figure 9 

 Repeat the steps above for the second external network connection, and then select the distribution percentage by moving the slider accordingly. If both external links have the same bandwidth, you can safely leave this setting at 50%. If one link has more bandwidth than the other, configure that link to receive a greater percentage of traffic.
Figure 10 

 Choose Finish to complete the ISP-R configuration.
Figure 11 

 If you have configured DNS servers on the external network interfaces, be sure to create corresponding persistent static routes to ensure that requests for those resources are routed through the correct network interface.
Figure 12 

In our example here, those routes would be configured as follows:

    route add -p 131.107.54.200 mask 255.255.255.255 131.107.54.46
    route add -p 207.213.91.2 mask 255.255.255.255 207.213.91.214

Once configured, the TMG management console will display information about each ISP connection, along with the currently configured redundancy mode.
Figure 13 

 After configuring ISP-R, to make configuration changes to a specific ISP connection you can right-click the connection and choose Properties.
Figure 14 

 Here you can change the name of the connection, alter the IP address/subnet mask information, enable or disable the connection, modify the load balancing ratio, or add, change, or remove dedicated servers.
Figure 15 

Changing ISP-R Operating Mode

In this example we configured ISP-R for Load Balancing. If you wish to change the ISP-R operating mode, click Change ISP Redundancy Mode to Failover in the Tasks pane.
Figure 16 

 When switching from Load Balancing mode to Failover mode, be sure to edit the connection properties and select the appropriate connection role for the connection. Remember, in Failover mode all traffic will be sent over the primary external connection and the secondary connection will only be used if the primary connection is unavailable.
Figure 17 

Monitoring ISP-R

To view the status of each ISP connection, highlight Dashboard in the console tree.
Figure 18 

 The status for each ISP link will be displayed in the Network Status frame.
Figure 19 

 If a link becomes unavailable, the connection status will display an alert.
Figure 20 

 Additionally you will see a Connections Unavailable alert under the Alerts tab.
Figure 21 

 When the connection is back online, TMG will raise an informative alert indicating that the connection is once again available.
Figure 22 

 There are a number of ISP-R specific alerts to keep the TMG firewall administrator informed of the status and health of their external network connections.
Figure 23 

Load Balancing and Dead Link Detection

It is important to understand that ISP-R distributes connections, not load. The manner in which ISP-R decides which external interface to distribute traffic to is determined by performing a hash of the source IP address and the destination IP address. The result is a number between 0 and 100. If the result is below the percentage configured for the first ISP connection, TMG will use this connection. If it is not, TMG will use the other external connection. This ensures session affinity – all connections for a specific source/destination address pair will be delivered through the same external network interface. The hash is computed for each outgoing connection.
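The selection rule described above can be modelled in a few lines. This is an added example, not TMG's own code: the SHA-256-based score is a stand-in for TMG's hash (which this article does not specify), the link names reuse the article's naming example, and the flows are constructed sample data. It shows that a 50% setting splits address pairs roughly evenly while bytes can still land almost entirely on one link.

```python
import hashlib
import ipaddress
from collections import Counter

LINKS = ("External_Sprint", "External_Verizon")   # names from the article's example


def pair_score(src: str, dst: str) -> int:
    """Map a source/destination address pair to 0..99.

    Assumption: SHA-256 is only a stand-in; any deterministic hash of the
    pair gives the same session-affinity property.
    """
    packed = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return int.from_bytes(hashlib.sha256(packed).digest()[:4], "big") % 100


def pick_link(src, dst, first_percent, first_up=True, second_up=True):
    """Choose the external link for one outgoing connection."""
    if not first_up and not second_up:
        return None                      # no external connectivity at all
    if not second_up:
        return LINKS[0]                  # a dead link sends everything to the other
    if not first_up:
        return LINKS[1]
    # Below the first link's configured percentage -> first link, else second.
    return LINKS[0] if pair_score(src, dst) < first_percent else LINKS[1]


def shares(flows, first_percent):
    """Return (connection share, byte share) per link for (src, dst, bytes) flows."""
    conns, volume = Counter(), Counter()
    for src, dst, nbytes in flows:
        link = pick_link(src, dst, first_percent)
        conns[link] += 1
        volume[link] += nbytes
    total_c, total_b = sum(conns.values()), sum(volume.values())
    return ({l: conns[l] / total_c for l in LINKS},
            {l: volume[l] / total_b for l in LINKS})


def sample_flows():
    """Constructed traffic: 200 small flows plus one very large transfer."""
    mb = 1_000_000
    flows = [(f"10.0.0.{c}", f"203.0.113.{d}", mb)
             for c in range(1, 21) for d in range(1, 11)]
    flows.append(("10.0.0.250", "198.51.100.200", 10_000 * mb))
    return flows


if __name__ == "__main__":
    conn_share, byte_share = shares(sample_flows(), first_percent=50)
    for link in LINKS:
        print(f"{link:17} connections {conn_share[link]:6.1%}  bytes {byte_share[link]:6.1%}")
```
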
To determine the availability of a particular ISP connection, TMG performs dead link detection by randomly polling one of the thirteen Internet root DNS servers on TCP port 53 (when TMG is deployed as a back firewall, make certain that TCP port 53 is open to the Internet). If the selected root DNS server responds, TMG considers the connection available. If it does not respond, TMG will poll additional root DNS servers at one minute intervals. If no replies are received after three consecutive attempts, TMG considers the connection unavailable and raises an alert. Once TMG identifies a connection as unavailable, it will wait for five minutes before attempting to poll again. Once it receives a response, TMG will continue polling at one minute intervals. When three consecutive responses have been received, TMG will consider the connection available.
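The dead link detection sequence above, written out as a small state machine. This is an added example, not TMG's implementation. Assumptions: a healthy link is polled every minute, a failed poll while the link is down restarts the five-minute wait, and the state labels are illustrative rather than TMG's alert names. The simulation feeds constructed poll results through a fake probe, so it runs without network access.

```python
import random
import socket

ROOT_SERVERS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]  # the thirteen roots
THRESHOLD = 3        # consecutive failures (or responses) needed to change state
POLL_MINUTES = 1     # interval while checking or recovering
HOLD_MINUTES = 5     # wait after the link has been declared unavailable


def tcp53_probe(host, timeout=3.0):
    """Real probe: can a TCP connection to port 53 on the host be opened?"""
    try:
        with socket.create_connection((host, 53), timeout=timeout):
            return True
    except OSError:
        return False


class LinkMonitor:
    """Tracks one external connection's availability from poll results."""

    def __init__(self, name):
        self.name = name
        self.available = True
        self.fails = 0
        self.oks = 0
        self.alerts = []          # (minute, "unavailable" | "available")

    def observe(self, responded, now):
        """Record one poll result at minute `now`; return minutes to next poll."""
        if self.available:
            if responded:
                self.fails = 0
                return POLL_MINUTES
            self.fails += 1
            if self.fails >= THRESHOLD:
                self.available, self.fails, self.oks = False, 0, 0
                self.alerts.append((now, "unavailable"))
                return HOLD_MINUTES
            return POLL_MINUTES
        if not responded:
            self.oks = 0
            return HOLD_MINUTES   # assumption: a failure restarts the wait
        self.oks += 1
        if self.oks >= THRESHOLD:
            self.available, self.oks = True, 0
            self.alerts.append((now, "available"))
        return POLL_MINUTES


def poll_once(monitor, now, probe=tcp53_probe, rng=random):
    """Poll one randomly chosen root server and feed the result to the monitor."""
    return monitor.observe(probe(rng.choice(ROOT_SERVERS)), now)


def simulate(name, outcomes):
    """Replay constructed poll results; return the monitor and its timeline."""
    results = iter(outcomes)
    monitor, now, timeline = LinkMonitor(name), 0, []
    for _ in outcomes:
        delay = poll_once(monitor, now, probe=lambda host: next(results))
        timeline.append((now, monitor.available))
        now += delay
    return monitor, timeline


if __name__ == "__main__":
    # Constructed outage: link fails after the first poll, returns later.
    mon, tl = simulate("External_Sprint",
                       [True, False, False, False, False, True, True, True])
    for minute, up in tl:
        print(f"t={minute:2d} min  {'available' if up else 'unavailable'}")
    print(mon.alerts)
```

With these intervals an outage is declared on the third failed poll, and a link that comes back is not trusted again until the third consecutive response, so recovery is reported at least two minutes after the first successful poll.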

Deployment Scenarios

The choice of ISP-R operating modes is influenced primarily by the types of Internet or WAN connections you have. For example, if you have two similar Internet connections in terms of bandwidth, Load Balancing mode is a good choice. If you have one high bandwidth connection and one low bandwidth connection, then Failover mode would be more appropriate. Although this technology is called ‘ISP’ redundancy, it is not limited to Internet-connected links. ISP-R can be used to provide load balancing and failover for WAN links between a branch office and a main office (see considerations below).

Additional Considerations

There are a few considerations to be made when designing and deploying ISP-R.
  • Works with NAT only – ISP-R will only provide load balancing and failover for traffic originating from TMG protected networks and destined for the default External network, and will only work when the network relationship is configured as NAT. If the network relationship is configured as route, ISP-R will not function. This is important because traffic originating from the TMG firewall itself will not be processed by ISP-R, as the network relationship between the Local Host network and the External network is route.
  • E-NAT overrides ISP-R – For traffic processed by a network rule configured with Enhanced NAT (E-NAT), E-NAT takes precedence and will override any routing decisions made by ISP-R.
  • Load balancing is not perfect – The load balancing mechanism in ISP-R does not distribute traffic perfectly. Since traffic is distributed by connections, not load, the potential exists for some connections to consume more bandwidth than others, skewing the distribution percentage.
When ISP-R is configured to provide load balancing or failover for branch office WAN connections, the default dead link detection mechanism may not be appropriate. If you recall, TMG will randomly poll Internet root DNS servers to verify connectivity. If, for example, the TMG firewall is configured to NAT traffic between a branch office and a main office and the main office Internet connection is unavailable, TMG will report both of its WAN connections as being unavailable, when in fact they are available.
In some cases, branch office TMG firewalls may not have direct connectivity to the Internet, which will prevent TMG from polling Internet root DNS servers. In this branch office firewall scenario it would be better to poll services located directly on the other side of the WAN connection. To change the default link detection parameters and to make changes to polling frequency, please refer to this article [http://blogs.technet.com/isablog/archive/2009/11/26/tmg-isp-redundancy-unleashed.aspx] on the Forefront TMG product team blog.

Conclusion

ISP Redundancy is a valuable new feature in TMG that provides fault tolerance and redundancy for external network connections; for ISP connections in the case of an edge firewall deployment, or WAN links in a branch office firewall scenario. Load Balancing and Failover operating modes provide flexible configuration options to match any external network configuration, and verbose alerting capabilities keep the TMG firewall administrator informed on the external network connection status.

 The Author — Richard Hicks
 
Copyright © IT Professionals Gate