  1. Senior Member
    Join Date
    Apr 2008
    Location
    Seattle, WA
    Posts
    142

    Certifications
    MCSE 2003: Security, CCNA, CCNP
    #1

    ISA 2006 and Intelligent Application Gateway 2007

    Hello all,

    I have recently downloaded the 180 day trial of ISA 2006. It's cool, and serves its purpose, however, I'm looking for a different solution, and I believe IAG 2007 can help.

    I want to create an SSL-VPN connection. What I mean by this is that ALL traffic between the endpoint client PC and the Terminal Server endpoint is communicated ONLY over TCP port 443.

    Can IAG 2007 do this? A similar product is available from SonicWALL called SSL-VPN, however, this is a hardware device. It operates on ONLY port 443. You can check it out here: https://sslvpn.demo.sonicwall.com

    PS: Is there a trial for Intelligent Application Gateway 2007 available?

    Thanks!

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2
    Doesn't Server 2008 do SSL VPNs?

    You can also look at Open VPN.

  4. Senior Member
    Join Date
    Apr 2008
    Location
    Seattle, WA
    Posts
    142

    Certifications
    MCSE 2003: Security, CCNA, CCNP
    #3
    You are correct, sir. I now see that Windows Server 2008 supports SSDP, which uses port 443 for its VPN tunnels. Cool!

  5. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #4
    It's SSTP - Secure Sockets Tunneling Protocol ---- not SSDP.

    IAG is a pretty cool product. I was fortunate enough to be able to set one up for both SSL VPN, RDP, and using multi-factor authentication. Too bad this was 1.5 years ago and I forgot how to configure it. :P

    Also, IAG is integrated into the new ISA edition called Forefront Threat Management Gateway. If you want the current IAG that's out, you need to get an appliance such as Network Engines. Since IAG requires ISA, these devices will have ISA installed that is only allowed to be used to support IAG.

    Since Server 2008 is out, and supports SSTP, if all you're looking for is SSL VPN functionality, I would go with Server 2008 depending on the costs. Network Engines might provide you with a cheaper solution if you plan on sticking with Server 2003 for a while. If you plan on going with Server 2008 soon, get a Server 2008 box and use SSTP which will help you get started in your process of moving to Server 2008.

    With IAG, you have a portal web interface that can be different depending on what user authentication (supports multiple layers of authentication). When the user authenticates and gets to the interface, you can have that user launch an application, an RDP session to a specific server or any server you specify, and even an SSL VPN. IAG will automatically modify the ISA rules on its own when you configure IAG.

  6. Senior Member
    Join Date
    Apr 2008
    Location
    Seattle, WA
    Posts
    142

    Certifications
    MCSE 2003: Security, CCNA, CCNP
    #5
    Does IAG 2007 have a trial available? I couldn't find one.

    Hey royal, can you log into https://sslvpn.demo.sonicwall.com with a username of demo and a password of password? There is a link on there for Terminal Services. It opens an RDP client window and all traffic goes over port 443.

    I do SonicWALL support at work, and want to know if SonicWALL's SSL-VPN appliance is comparable to Microsoft's IAG 2007 software.

    Thanks!

  7. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #6
    Like I said, IAG is currently only on an appliance such as Network Engines. The current beta of Forefront Threat Management Gateway is available for beta testing.

    I logged in and it looks pretty similar.

    I have contact info for one of the Sales Managers at Network Engines. I'll shoot him an e-mail and see if there's an online demo for their IAG appliances.

    Edit: Dang, NDR. Looks like he's no longer there. I would go ahead and try contacting them or another vendor:

    Vendors:
    http://www.microsoft.com/forefront/e...epartners.mspx

    Network Engines IAG:
    http://www.nei.com/default.asp?LINKNAME=IAG

  8. Junior Member
    Join Date
    Jun 2008
    Posts
    2
    #7
    Network Engines is not the only company offering an IAG appliance.

    www.nappliance.com

    www.celestix.com

  9. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #8
    Quote Originally Posted by Deviouz
    Network Engines is not the only company offering an IAG appliance.

    www.nappliance.com

    www.celestix.com
    Hence why I posted the following:

    Quote Originally Posted by royal

  10. Junior Member
    Join Date
    Jun 2008
    Posts
    2
    #9
    My fault, read through too quickly.

    Looking at the hardware, Nappliance looks pretty beefy.

    http://www.nappliance.com/pdfs/Compa...sheet_ver4.pdf

  11. Senior Member
    Join Date
    Apr 2008
    Location
    Seattle, WA
    Posts
    142

    Certifications
    MCSE 2003: Security, CCNA, CCNP
    #10
    royal, I really appreciate your quick response. Thank you.

    On a side note, other than for security reasons, why wouldn't Microsoft allow IAG 2007 to be installed on a full featured Windows OS?

    Thanks!

  12. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #11
    Quote Originally Posted by _maurice
    royal, I really appreciate your quick response. Thank you.

    On a side note, other than for security reasons, why wouldn't Microsoft allow IAG 2007 to be installed on a full featured Windows OS?

    Thanks!
    No problem.

    They will, with Forefront Threat Management Gateway which is ISA and IAG integrated where it will be installable on your own server hardware.

  13. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #12
    Quote Originally Posted by Deviouz
    My fault, read through too quickly.

    Looking at the hardware, Nappliance looks pretty beefy.

    http://www.nappliance.com/pdfs/Compa...sheet_ver4.pdf
    Those do indeed look pretty good. I wonder if you can load balance them to allow more concurrent connections. I would assume so, but it really seems unrealistic as you can allow 15,000 concurrent light users and 3,000 heavy users. How many users would a company have VPN'ing in at the same time?

  14. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #13
    I know it's been a while, but I just picked the following book which talks about ISA 2006, Forefront Security for Exchange, and IAG.
    http://www.amazon.com/Integrating-Se...8917555&sr=8-3

  15. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #14
    How good is the book?

  16. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #15
    It seems decent. Taking a quick look at it, it seems like there's a couple chapters on ISA and then it's just a normal Exchange 2007 book. Because of that, I'll probably put it on hold and just read through the ISA/IAG/Forefront section and then use the rest as reference or when I need to reference a topic for work.

  17. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #16
    Just went through some more of the book. It is a really good book. It talks more from a real-world perspective. It shows how to properly set up NLB (Unicast vs Multicast) and shows diagrams on how to optimize incoming traffic vs outgoing traffic, takes a secure approach, etc. For example, when you're doing OA, if you want to use NTLM through ISA, you have to set the listener for the client to authenticate directly. Well, this is not a secure approach and it explains that you can use Kerberos constrained delegation and talks about how the SPNs should be set up, etc.

    So in short, the book is all about Security, Scalability, High Availability, Load Balancing, and Redundancy.

    I definitely recommend this book.

  18. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #17
    Hmm... I'd buy and read it, but I'm not being tasked right now with a lot of Exchange 2007/ISA work unfortunately. I'll keep it in mind, though. I'm actually thinking about doing a deep dive into PowerShell. It's about time I learn how to do some scripting.

  19. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #18
    What are you up to these days then?

  20. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #19
    Continued in PM...

  21. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #20
    Fine. I didn't want to know anyway

  22. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #21
    LOL, fine...

    Currently, I'm doing some VMware VI3 and Enterprise Vault deployments mostly.

  23. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #22
    Whoa, big secret. I can see why you wanted to keep that private.

    Sorry, I didn't mean to pry

  24. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #23
    It was just derailing this thread from the intended subject.