ISA 2006 versus IAG - Which one to use?

If you read the only two places where ISA is compared to IAG, it doesn't really give a simple and clear comparison. I hope to do so now in this post. Please post comments if you find other comparison information out there.

The two comparisons I found are:
Secure Remote Access
IAG Frequently Asked Questions

Update: two other comparison articles from https://www.isaserver.org

Should You Get an ISA Firewall or the IAG 2007?

What's the ISA Firewall-based Microsoft IAG About?

To compare the two products, I am going to break it down into 3 major functionality categories: Forward Proxy, Reverse Proxy / Publishing, and VPN. Please keep in mind that you can run ISA and IAG independently or together in the same environment AND when you purchase IAG (you can only buy IAG via appliance vendors), it includes the standard edition of ISA.

**Forward Proxy**

This section is very simple to explain: IAG isn't a forward proxy at all, so if you need clients to get out to the internet through a proxy server you'll need to use ISA 2006. Along the same lines, IAG doesn't do web content caching for either forward or reverse proxy. To learn more about ISA 2006's forward proxy and caching features, check out:
About ISA Server Clients
Caching and CARP in ISA Server 2006

**Reverse Proxy / Publishing**

This is where it gets tricky. Both ISA and IAG can securely publish resources, but the capabilities, and the way publishing is done, vary greatly between the two products. To compare the two it is easiest to break this down in a table. Of course, this isn't a comprehensive comparison, just some of the advantages that I see each product having over the other.

| Publishing type | ISA advantages | IAG advantages |
|---|---|---|
| Web / SharePoint / OWA | Can check the service state of a published website (web publishing load balancing, WPLB)<br>Can cache published content<br>Compression capabilities | Can set granular access policies (user profiles; client validation such as browser type, whether specific software is running, etc.)<br>Client-side cache clean-up and Attachment Wiper<br>Document upload/download policy controls<br>Portal makes it easier to switch between sites and applications |
| Exchange | Supports RPC / RPC over HTTP for Exchange server only<br>Supports secure publishing for SMTP traffic (port 25) | Supports RPC / RPC over HTTP for any application or website<br>Supports mobile-device web pages for the portal and published websites |
| Non-HTTP(S) apps | Have to server-publish the ports directly back to the server, which offers less security granularity/control than IAG (Exchange publishing does have more configuration and security options than other non-HTTP(S) protocols)<br>Protocol inspection for some non-HTTP(S) protocols<br>Allows anonymous connections if desired | Access to the user's home directory and shared file folders using the built-in File Access application as a Web Part<br>Session management and security<br>Integrated password management<br>Supports almost any client-side application or server-side proxy<br>Policy based on endpoint profile<br>Application-specific session control<br>Seamless support of MS Office on the client, plus Web Services through host address translation and SharePoint-specific reroute actions<br>Can compute the MD5 hash of a client executable; only applications that match this hash are allowed to push traffic through the SSL VPN tunnel |

So what is my summary here? If you want really granular control over securely publishing your internal client applications, especially non-HTTP(S) ones, then IAG is definitely the way to go. It's great because even if the internal app your company uses listens on a non-HTTP(S) port, a client can gain access through the standard ports 80 (HTTP) or 443 (HTTPS), which are open at pretty much any location that has internet access. The area where ISA wins with publishing is Exchange (not OWA) and other applications that you would like to open anonymously to the public (such as FTP and HTTP).

**VPN**

IAG is strictly an SSL VPN solution, whereas ISA is only an IPsec VPN solution. The SSL VPN is nice because you can reach anything on the internal network using only the standard HTTPS port, which gets around many internet connection issues (restrictive firewalls and proxies on the client side). On the flip side, the IPsec VPN offers many more security options.

Also, IAG does not have any site-to-site capabilities (SSL VPN tunnelling), whereas ISA does (IPsec VPN tunnelling). It's also worth noting that if you want to do any form of client-side checking with ISA, this must all be done via custom scripting using CMAK. IAG has a ton of pre-configured and customizable options for validating whether the client is compliant (e.g. has AV that is installed and up to date, runs only certain operating systems or browsers, etc.).
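To make the two endpoint-side mechanisms mentioned above concrete (the endpoint-profile policy and the executable-hash allowlist from the publishing table, and the client compliance checks IAG provides out of the box that ISA needs custom CMAK scripting for), here is an added example written for this post. It is not ISA, IAG or CMAK code; the `EndpointProfile` and `AccessPolicy` types, the policy values and the sample "executable" bytes are all hypothetical and constructed for the illustration. It computes MD5 because that is the digest the post says IAG uses, but bases the allow/deny decision on SHA-256, since MD5 collisions are practical today.

```python
import hashlib
from dataclasses import dataclass

# Added example, not IAG or ISA code: a minimal endpoint-compliance and
# application-allowlist check of the kind described in the post (OS, browser
# and AV validation, plus hashing the client executable). All type names,
# policy values and sample data below are hypothetical and constructed.


@dataclass
class EndpointProfile:
    os_name: str
    os_version: tuple          # e.g. (6, 0) for Windows Vista
    browser: str
    av_installed: bool
    av_definition_age_days: int


@dataclass
class AccessPolicy:
    min_os_version: dict       # OS name -> lowest acceptable version tuple
    allowed_browsers: set
    max_av_definition_age_days: int
    allowed_app_hashes: dict   # SHA-256 hex digest -> friendly application name


def file_hashes(executable: bytes) -> dict:
    """Return MD5 (the digest the post says IAG computes) and SHA-256."""
    return {
        "md5": hashlib.md5(executable).hexdigest(),
        "sha256": hashlib.sha256(executable).hexdigest(),
    }


def evaluate_endpoint(profile: EndpointProfile, policy: AccessPolicy) -> list:
    """Return a list of policy violations; an empty list means compliant."""
    violations = []
    minimum = policy.min_os_version.get(profile.os_name)
    if minimum is None:
        violations.append(f"operating system not permitted: {profile.os_name}")
    elif profile.os_version < minimum:
        violations.append(
            f"{profile.os_name} {profile.os_version} is below minimum {minimum}"
        )
    if profile.browser not in policy.allowed_browsers:
        violations.append(f"browser not permitted: {profile.browser}")
    if not profile.av_installed:
        violations.append("antivirus not installed")
    elif profile.av_definition_age_days > policy.max_av_definition_age_days:
        violations.append(
            f"antivirus definitions are {profile.av_definition_age_days} days old "
            f"(limit {policy.max_av_definition_age_days})"
        )
    return violations


def application_allowed(executable: bytes, policy: AccessPolicy) -> bool:
    """Allow the client application only if its SHA-256 is on the allowlist.

    file_hashes() still reports MD5 for comparison with the IAG feature, but
    MD5 collisions are practical, so the decision is made on SHA-256.
    """
    return file_hashes(executable)["sha256"] in policy.allowed_app_hashes


# Constructed stand-in for an approved client executable's bytes.
APPROVED_CLIENT = b"MZ\x90\x00fake-approved-client-binary-v1.0"
# The same bytes with the last byte changed: a modified binary must not match.
TAMPERED_CLIENT = APPROVED_CLIENT[:-1] + b"9"

# Constructed policy: Windows XP or newer, IE or Firefox, AV signatures under a week old.
POLICY = AccessPolicy(
    min_os_version={"Windows": (5, 1)},
    allowed_browsers={"IE", "Firefox"},
    max_av_definition_age_days=7,
    allowed_app_hashes={file_hashes(APPROVED_CLIENT)["sha256"]: "Approved Client 1.0"},
)

# Constructed endpoint profiles: one compliant, one failing three checks.
COMPLIANT = EndpointProfile("Windows", (6, 0), "IE", True, 2)
NON_COMPLIANT = EndpointProfile("Windows", (5, 0), "Safari", True, 30)

if __name__ == "__main__":
    print("compliant endpoint:", evaluate_endpoint(COMPLIANT, POLICY))
    print("non-compliant endpoint:", evaluate_endpoint(NON_COMPLIANT, POLICY))
    print("approved app allowed:", application_allowed(APPROVED_CLIENT, POLICY))
    print("tampered app allowed:", application_allowed(TAMPERED_CLIENT, POLICY))
```

Returning the full list of violations rather than a single boolean is deliberate: a gateway that tells the user which check failed (old AV signatures versus an unsupported browser) produces far fewer help-desk calls than one that only says "denied", and the same list is what you would want in the access log.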