The evolution of Microsoft ISA Server over the years reflects the growth of Web-based commerce and the shift in
attack focus from the network to the application layer. As the well-financed and poorly conceived dot-coms of the late '90s gave way to the ubiquitous use of the Internet for everything from retail sales to digital communications to managing supply lines, criminals began exploiting the Web on a massive scale.
The next iteration of ISA Server, Forefront Threat Management Gateway (TMG), now in Beta 2, adds substantial Web security gateway capabilities to the venerable platform and a perimeter deployment option with integrated management for Forefront Security for Exchange. This allows organizations to deploy antispam and email antivirus on the edge, where it belongs, instead of on the Exchange Server.
It will integrate tightly with other products under the upcoming Forefront Security Suite, code-named "Stirling," which will provide a centralized console for security configuration and visibility.
"My clients are most jazzed about being able to integrate disparate systems for controlling malware, said Amy Babinchak, owner of Michigan-based Harbor Computer Services Inc., which caters to SMBs and is a partner with Third Tier, which provides consulting to other IT firms. "It let them bring everything together into one package for ease of management in the network."
Final release of TMG is expected sometime in Q4.
The changes in TMG compared with the current ISA Server 2006 are perhaps the most significant since ISA Server 2000 supplanted Proxy Server, adding a full-fledged application firewall, with stateful packet inspection and VPN.
"It's another sea change, like Proxy Server to ISA Server" said Babinchak. "It's more of a total threat management product."
She expects most of her clients to migrate to TMG as Microsoft moves towards a unified security solution.
"Business owners are very concerned about controlling costs, and concerned about data loss," she said.
TMG will inspect HTTP and HTTPS traffic for malware and viruses. In its position as a proxy, TMG acts as a trusted intermediary, decrypting SSL or TLS traffic, inspecting it for malware, resigning it and finally re-encrypting it. TMG also introduces the Network Inspection System (NIS), part of its application layer IPS defense, which uses signatures of known vulnerabilities from the Microsoft Response Center. The idea is to give you time for testing and deploying patches.
This level of inspection will require more muscle than ISA Server 2006, so TMG is built on a 64-bit architecture to meet the increased performance demands. This shouldn't be a problem unless you're running ISA Server on some pretty old hardware, in which case you'll have to upgrade to newer servers.
TMG will also require Windows Server 2008 (ISA Server runs on Windows Server 2003), so be prepared for that change.
URL filtering will be included, though this will not be available until Beta 3, expected in Q3.
"If you look at where all the threats are coming from today, there's been a total shift," said Bill Jensen, TMG product marketing manager. "Everyone was focusing on the network layer. But now, they're coming at the Web layer, at the application layer, and that's where TMG can really help them. Its sweet spot has always been the midmarket."
Like ISA Server, TMG will be offered in both a Standard Edition, geared for SMBs and Enterprise Edition, which includes features such as load balancing and high-availability. ISA Server users who have Microsoft's Software Assurance subscription can receive TMG as an upgrade. No pricing has been announced for new customers, but ISA Server Standard costs $1,500. Either way, expect to add annual subscriptions for antimalware and URL filtering updates.
A less complete version of TMG is already available with Microsoft's Essential Business Server (ESB), which is aimed at organizations with fewer than 300 employees. Those customers will have to wait for a future ESB release to get the full TMG version.