
FAQs - ISA Server or IAG Appliances or both?
Frequently Asked Questions
Question: What is the Microsoft ISA Server 2006 Solution from nAppliance?
Microsoft ISA (Internet Security and Acceleration) Server 2006 is an enterprise-grade application firewall that also provides web proxy, VPN (client and site to site) and caching software.
nAppliance delivers ISA Server 2006 on fully integrated, cost-effective appliance platforms, ready to deploy. nAppliance ISA appliance solutions include:
There are two versions of Microsoft ISA Server 2006:
Additional information on the differences between Standard and Enterprise Editions can be found at: www.nAppliance.com/products/ISA-IAG-DeploymentScenarios.asp
Software licensing from Microsoft: The ISA appliance is licensed as a gateway product; no additional per-user or per-client access license seats are needed.
Note: Microsoft ISA Firewall is a popular choice for Edge Security deployments, and offers easy and seamless integration into both Microsoft and non-Microsoft IT infrastructure environments. It has never been compromised and has no security issues reported on the security tracking website www.secunia.com. This is not true for many other software or hardware firewall vendors.
Question: What is the Microsoft IAG 2007 SSL/VPN Solution from nAppliance?
Microsoft IAG (Intelligent Application Gateway) 2007 is an enterprise-grade SSL VPN solution that enables secure remote access to both web-based and non-web-based applications. In addition, IAG 2007 includes a limited implementation of Microsoft ISA Server 2006.
Microsoft acquired Whale Communications in mid-2006 and rebranded its SSL VPN software (version 3.7) as Microsoft IAG 2007. Since early 2007, IAG has been available only as an appliance from select hardware partners such as nAppliance. Microsoft IAG cannot be purchased as a software-only solution.
The nAppliance mIAG appliances ship as a fully integrated, ready-to-deploy and cost-effective solution for SSL VPN access. They also include:
nAppliance offers 6+ advanced appliance configurations under the brand name mIAG.
Software licensing from Microsoft: IAG is not licensed as a gateway product. Each nAppliance appliance model includes 10 Client Access Licenses (CALs); additional CALs are priced at an MSRP of US $22. Each CAL user is a named user.
For more info please visit: www.microsoft.com/forefront/edgesecurity/howtobuy.mspx
Question: I am only looking for a device to provide SSL VPN access. Can I buy only IAG and not ISA?
Yes, the nAppliance IAG appliance provides everything you need to deploy an enterprise-grade SSL VPN solution.
Question: If I only buy an IAG Appliance, can I make use of all the features of ISA 2006 Server as well?
No, Microsoft licensing prohibits this. It is true that the IAG appliance contains a full implementation of ISA software, but the ISA license that is provided with an IAG appliance limits usage to those functions required for supporting packet filtering for SSL VPN traffic. This is a licensing and not a technical limitation.
Question: So if I want to use ISA for complete perimeter security, and IAG for SSL VPN access, how do I achieve this?
nAppliance recommends that you purchase two appliances, an ISA appliance, and an IAG appliance. The illustration below depicts using both an IAG and an ISA appliance.

Usage Scenarios: Microsoft ISA Standard, Microsoft Enterprise and IAG based Appliances

Question: I only have budget for one appliance, how do I choose which is best for my environment?
The decision on whether to get an ISA Firewall versus an IAG is not always a straightforward one, but the decision isn't as hard as it might seem. Here are some key considerations:
- Primary purpose of the IAG: The IAG is designed as an inbound access gateway for SSL VPN, PPTP VPN and IPSec VPN. It can also be used as a site-to-site VPN gateway. The IAG is not designed for outbound access control.
- Primary purpose of the ISA Firewall: The ISA Firewall is designed to be a network stateful packet and application layer inspection firewall, VPN server and site-to-site VPN gateway, Web proxy and caching server, and secure application publishing server. The ISA Firewall is designed to perform strong user/group access controls for both inbound and outbound access.
- Web Publishing: Both the ISA Firewall and the IAG can be configured to provide strong inbound access control via Publishing Rules.
- Network Access Control: For Web Publishing scenarios, the IAG supports granular policy controls, so that user access is customized based on what type of device is connecting. Application functionality can also be controlled based on the security state of the connecting machine, as the IAG has a very powerful endpoint checking feature (probably the best endpoint checking feature in the SSL VPN industry). The ISA Firewall does not perform any type of endpoint checks for Web Publishing scenarios; endpoint checking is only supported for VPN connections using Remote Access Quarantine Control, which is complex to configure and typically requires a third-party application such as Winfasoft VPN-Q 2006 or Fred Esnouf's QSS v4.
- SSL VPN: The IAG supports three types of "SSL VPN". The first supports web publishing of web-enabled and non-web-enabled applications (such as Exchange, SharePoint, CRM, etc.) using web portals. The second is socket and/or port forwarding. The third is network layer VPN connectivity over an SSL tunnel (called the "network connector", similar to what SSTP will provide with Longhorn Server and Vista SP1). The ISA Firewall does not support SSL port/socket forwarding or network level SSL VPN. The overall cost of the IAG is higher than that of the ISA Firewall, because you have to add the cost of additional CALs.
Based on some of the observations above, we can come up with the following conclusions:
If you need strong inbound and outbound access control and the highest level of security for both, then you should purchase both an ISA Firewall and an IAG appliance.





