The primary difference between ISA Server 2000 and ISA Server 2004 is the way in which networks are defined. ISA Server 2000 used an essentially binary model: every computer inside the company had to be covered by an IP address range in the Local Address Table (LAT), and any address not listed in the LAT was treated as external to the firewall. Because all LAT addresses fell into a single internal zone, the firewall had no way to enforce policy between two internal hosts.
ISA Server 2004 greatly improves the ability to define networks. You can now identify any range of IP addresses as a named network, which makes it possible to allow or deny access between groups of machines inside the company as well as between machines inside and outside the company. Table 1-1 describes other features introduced in ISA Server 2004. For the complete list of new features in ISA Server 2004, see http://www.microsoft.com/isaserver/evaluation/features/.
Feature Name | Description |
---|---|
Multinetworking | Replaces the LAT from ISA Server 2000 and allows you to create and configure multiple networks. You are no longer limited to a binary approach in which the LAT contains the internal addresses and everything else is considered external. Instead, each network is defined by its own set of IP address ranges, and addresses that belong to no defined network fall into the External network. |
Per-network policies | Allows you to control how the clients within specified networks communicate with clients in other networks, so an access rule can be scoped to a particular pair of networks rather than to "inside" and "outside". |
Network relationships: Routed or NAT | Allows you to control how two networks communicate with one another: Network Address Translation (NAT) or routed. A routed relationship applies in both directions and preserves source addresses; a NAT relationship is one-way, from the source network to the destination network. Traffic between two networks with no network rule is not passed, whatever the access rules say. |
Built-in network templates | Allows you to easily configure your firewall policies based on the location of your ISA Server. |
Advanced HTTP policies | Performs application-layer (OSI Layer 7) inspection of HTTP on a per-rule basis, controls downloads by file extension, controls access for every connection, and blocks unwanted content based on exploit and common application signatures. |
Advanced FTP policies | Lets users upload and download over File Transfer Protocol (FTP) while giving administrators the ability to selectively filter FTP requests, for example permitting downloads but blocking uploads. |
Link translation | Provides a dictionary of internal server names mapped to externally accessible names, so that links in published content are rewritten and do not break for external users. This feature was available with ISA Server 2000 Feature Pack 1 but is now built in. |
Network Access Quarantine Control | Segregates clients onto a separate network to ensure predefined conditions have been met before allowing access to the internal network. |
Port Redirection | Allows ISA Server to accept connections for an internal resource on a different port than the one the internal server actually listens on. |
Advanced VPN Functions | Applies stateful filtering and inspection, monitoring, and logging to VPN traffic, and supports Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol/IP Security (L2TP/IPSec), strong authentication, and virtual private network (VPN) quarantine. |
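The following is an added example, written for this page and not code from the book or from ISA Server itself. It models the two decision procedures described above: the ISA Server 2000 LAT check, in which two hosts that are both in the LAT never cross a policy boundary, beside the ISA Server 2004 multinetwork check, in which a packet is first mapped to named networks, a network rule (NAT or Route) must exist for that pair, and the access rules are then walked in order. The address ranges, network names, protocols and rules are constructed for illustration and are assumptions, not a real deployment.

```python
"""Added example (not ISA Server code): LAT-based classification in ISA Server
2000 next to the multinetwork evaluation in ISA Server 2004. Address ranges,
network names and rules are constructed for illustration only."""
import ipaddress
from dataclasses import dataclass

# ISA Server 2000: one Local Address Table. In the LAT = Internal, else External.
LAT = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
PROTOCOL_RULES_2000 = {"HTTP", "HTTPS"}  # outbound protocols permitted (constructed)

def lat_zone(ip):
    addr = ipaddress.ip_address(ip)
    return "Internal" if any(addr in n for n in LAT) else "External"

def evaluate_2000(src_ip, dst_ip, protocol):
    """Return (action, reason). Two LAT addresses sit in the same zone, so the
    LAT model has no boundary between them and nothing to enforce."""
    s, d = lat_zone(src_ip), lat_zone(dst_ip)
    if s == d == "Internal":
        return ("Not firewalled", "both addresses are in the LAT")
    if s == "Internal":
        return ("Allow" if protocol in PROTOCOL_RULES_2000 else "Deny", "protocol rule")
    return ("Deny", "inbound access requires a publishing rule")

# ISA Server 2004: several named networks, each an explicit set of ranges (constructed).
NETWORKS = {
    "Internal":  [ipaddress.ip_network("10.0.0.0/16")],
    "Finance":   [ipaddress.ip_network("10.1.0.0/16")],
    "Perimeter": [ipaddress.ip_network("192.168.100.0/24")],
}
# Network rules: NAT is one-way (source -> destination); Route applies both ways.
NETWORK_RULES = {
    ("Internal", "External"): "NAT",
    ("Finance", "External"): "NAT",
    ("Perimeter", "External"): "Route",
    ("Internal", "Finance"): "Route",
    ("Internal", "Perimeter"): "Route",
}

@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str           # "Allow" or "Deny"
    protocols: frozenset  # {"*"} matches any protocol
    sources: frozenset
    destinations: frozenset

# Ordered like the firewall policy: first matching rule wins, default is Deny.
ACCESS_RULES = [
    AccessRule("Block Internal to Finance", "Deny", frozenset({"*"}),
               frozenset({"Internal"}), frozenset({"Finance"})),
    AccessRule("Web access out", "Allow", frozenset({"HTTP", "HTTPS"}),
               frozenset({"Internal", "Finance"}), frozenset({"External"})),
    AccessRule("Finance to Internal", "Allow", frozenset({"*"}),
               frozenset({"Finance"}), frozenset({"Internal"})),
]

def network_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"  # addresses not assigned to any defined network

def relationship(src_net, dst_net):
    rel = NETWORK_RULES.get((src_net, dst_net))
    if rel is None and NETWORK_RULES.get((dst_net, src_net)) == "Route":
        rel = "Route"  # a routed relationship is bidirectional; NAT is not
    return rel

def evaluate_2004(src_ip, dst_ip, protocol):
    """Return (action, reason): map both ends to networks, require a network
    rule for the pair, then walk the access rules in order."""
    s, d = network_of(src_ip), network_of(dst_ip)
    if s == d:
        return ("Not firewalled", f"both hosts are on the {s} network")
    rel = relationship(s, d)
    if rel is None:
        return ("Deny", f"no network rule from {s} to {d}")
    for rule in ACCESS_RULES:
        if (s in rule.sources and d in rule.destinations
                and ("*" in rule.protocols or protocol in rule.protocols)):
            return (rule.action, f"{rule.name} via {rel}")
    return ("Deny", f"default rule via {rel}")

if __name__ == "__main__":
    for args in [("10.0.5.7", "10.1.3.4", "HTTP"),        # Internal -> Finance
                 ("10.1.3.4", "10.0.5.7", "SMB"),         # Finance -> Internal
                 ("10.0.5.7", "203.0.113.10", "HTTP"),    # Internal -> External
                 ("203.0.113.10", "10.0.5.7", "HTTP")]:   # External -> Internal
        print(args, "2000:", evaluate_2000(*args), "2004:", evaluate_2004(*args))
```

The first sample shows the security difference: 10.0.5.7 and 10.1.3.4 are both in the LAT, so the ISA Server 2000 model never evaluates a rule for that flow, whereas the ISA Server 2004 model maps them to the Internal and Finance networks and hits an explicit Deny. The last sample shows why the NAT relationship is one-way: External to Internal has no network rule in that direction, so inbound access would need a publishing rule rather than an access rule.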
Because of low levels of use, performance degradation, or potential security risks, Microsoft removed some features that were included with ISA Server 2000. Table 1-2 describes the features no longer available in ISA Server 2004.
Feature Name | Description |
---|---|
H.323 gateway | Allowed call handling and routing of H.323 Voice over IP (VoIP) calls. |
Live media split streaming | Allowed organizations using Windows Media Technology to split a single incoming media stream to many internal clients, reducing the bandwidth consumed by video and audio. |
Bandwidth control | Allowed prioritization of connections using the quality of service (QoS) Packet Scheduler service. |
Active caching | Allowed the cache to track its most frequently requested objects and refresh them automatically as needed. In ISA Server 2004 Standard Edition, even though the functionality was removed, the Active Caching tab still appears in the console until ISA Server 2004 SP1 is applied. |
Some features are available (or supported) only in ISA Server 2004 Enterprise Edition. See Table 1-3 for a list of these features and their functions.
Feature Name | Description |
---|---|
Enterprise policies | Enterprise policies apply to a set of ISA Server computers, allowing centralized management of many ISA Server computers. Enterprise policies can override lower-level (array) policies. |
Enterprise networks | Enterprise networks are composed of IP address ranges and are global to all arrays in the enterprise. |
Enterprise rule elements | In the Enterprise Policy node, you can configure protocols, users, content types, schedules, and network objects that are available to all permitted array members. |
NLB support | Network Load Balancing (NLB) lets an array of ISA Server computers answer on a single virtual IP address, so the service scales to more clients and continues to operate if one array member fails. |
Site-to-site VPN failover | When VPNs are used with NLB, one array member is assigned as the connection owner. If the owner becomes unavailable, the VPN connection is re-established through another array member. |
CARP | Cache Array Routing Protocol (CARP) allows cached data to be stored on, and retrieved from, specific ISA Server computers throughout the enterprise without duplicating cache content across them. |
Array reporting | ISA Server 2004 Enterprise Edition can combine the log files from different ISA Server computers (array members) and create a single combined report summary. |
In this section you have seen some of the new features included in ISA Server 2004, the ISA Server 2000 features that are no longer available, and some of the capabilities available only in the Enterprise Edition of the product.