Introducing a New Era for ISA Server

As my first (of hopefully many) contributions to the ISA Server team blog, I want to first introduce myself to the community.  My name is David B. Cross and I am the new Product Unit Manager for the ISA Server engineering organization.  For many of the community who do not know me, I have spent my last 8 years in the Windows Security organization of the company working in several notable areas such as PKI, smartcards and Kerberos authentication.  If anyone is interested, Jeff Jones posted an interview with me some time back:

Now – on to why I am blogging today…Why is this a new era for ISA Server?  We have been very busy for the past year and we also have been fairly quiet on the messaging front of our plans.  Well, the time is over, and I am excited to say that we can announce what we have been up to!  Today we (publicly) announced our next-generation network security product, the Forefront Threat Management Gateway (TMG), a comprehensive network protection solution. Forefront TMG is the future version of the Microsoft Internet Security & Acceleration Server (ISA Server) and will extend the capabilities of ISA Server with new features and security technologies.  I know many of you have loved and embraced the ISA Server name and brand for a long time – but it is time for new naming, new logos, blogs, books and of course new technology directions.

Forefront TMG will be available as both a standalone solution but also part of new integrated suites to be released in the future such as the Microsoft Windows Essential Business Server, the recently announced server solution designed for mid-sized companies due out later this year as well as the Forefront “Stirling” suite announced today, a unified protection solution that combines Forefront client, server, and edge security solutions with a single management and policy layer. A “first look” preview of Stirling Beta 1 was shown at RSA this week.   It is also available for download.

Why am I so excited about this announcement?  To begin, it is the first version of ISA Server that will fully support the Windows Vista and Server 2008 platforms.  It also will natively support the 64-bit Windows Server platform which provides significant scalability and security capabilities to the Threat Management Gateway.  The three other main areas of enhancement we are announcing today are the following:

1.       Multiple Threat Protection:  We will enable numerous new protection technologies and capabilities, including integration of the Microsoft Anti-Virus Engine for protection against Internet-based malware and other threats. As part of Stirling, Forefront TMG will also include the “Dynamic Response” functionality to enable shared intelligence and response. This is a major step forward in how our customers rely upon the Microsoft gateway for protection and access to the Internet.


2.       Simplified Management: Forefront TMG will include new set-up wizards, improved management interface and enhanced reporting. As part of the Stirling suite, Forefront TMG will be part of the Stirling central visibility dashboard and policy control.


3.       Secure Connectivity: Forefront TMG will build on current ISA Server capability around secure Internet access and other connectivity features. 

More details about the features in Forefront TMG will be available with the public beta scheduled for the second half of 2008.  I wish I could share more details and plans now, but that will come with time.  I promise to personally keep you updated as our plans and product evolve to keep you updated here.  We really look forward to your feedback on our plans and our first beta.  I am sure you will be as excited as we are in finally announcing this next generation of our network security product line.  Stay tuned to this channel!


David B. Cross

Product Unit Manager

Comments (16)

  1. Anonymous says:

    Just want to point you to a few blog articles I have read recently just in case your search doesn’t reveal

  2. Regarding NTLM-fallback …

    This is more complex than it sounds, since the delegation auth options are somewhat dependent on the initial authenticaiton method.

    If FBA fallback includes NTLM, then the only delegation method available to you would be KCD.

    What you can do is use FBA/Basic auth at the listener and delegate using KCD or Negotiate/NTLM.

    I realize this doesn’t answer you request, but it should get you past the auth disparity between aqpplications.

  3. Anonymous says:

    Seit heute sind nun einige Informationen rund um die neu Forefront-Generation (Codename "Stirling"

  4. rhelmer says:

    It seems nothing was announced regarding how the recent changes around the Forefront brand affects IAG.  Will it be merged into TMG?  Is it being spun off?  Some guidance on the IAG product roadmap would be much appreciated.

    Thanks for the info on TMG!  Looks exciting. 🙂

  5. Anonymous says:

    News Microsoft Internet Security and Acceleration Server Forefront Threat Management Gateway, the Next

  6. Anonymous says:

    It requires some hacking, but you can make ISA do that.  I’m rolling out TS GW like that now.

    I’m excited and nervous about the change.  I would like to see ISA be able to dive further inside of the packet to do more intelligent application filtering, but I’m worried the product will begin to slide away from it’s original purpose.  Of course upon writing that, I realize original purpose was proxy so I guess I have to withdraw my argument hehe.

    Does MS ever hire Consultants for ISA only?  I’ve tried finding an opportunity as a MS consultant position and yet to find one.  

  7. IanC says:

    Regarding Whale IAG.  My understanding is that this will now be integrated in to the new TMG product.

    My question… Will Microsoft be showcasing TMG at the forthcoming Infosec Europe event in London?

    Ian Currie

  8. Anonymous says:

    News Microsoft Internet Security and Acceleration Server Forefront Threat Management Gateway, the Next

  9. anony.muos says:

    Just to be sure, this will still run on Server 2003 32-bit hosts right?

  10. Anonymous says:

    Hi all, As Forefront MVP I already know about it, but now (April 9th) it's public. "… the

  11. Anonymous says:

    На проходящей конференции RSA Security официально объявлено имя продукта, приходящего на смену межсетевому

  12. Anonymous says:


    Could you please share the details of how you got Forms-Based Auth to fallback to NTLM (or how you got TS GW deployed)?

    I have looked and haven’t seen much on that topic yet.

  13. Anonymous says:

    I’m not in the TAP and I didn’t see any other place to provide ISA feedback —

    Please allow for Forms-based Auth to use both Basic and NTLM authentication in the fallback mechanism.

    The main reason for this is to support publishing both TS Gateway and OWA using the same listener.  TS Gateway’s HTTP/RPC needs NTLM and Outlook’s HTTP/RPC can use NTLM.  ActiveSync needs Basic.  

    Currently deploying all of these services requires two listeners on two IP addresses.  One for FBA/Basic — everything except TS Gateway & Outlook Anywhere using NTLM, and the other using HTTP Auth / NTLM.  For a small business, or even a larger one, it would be far simpler if everything could be on a single listener on a single external IP.  The only thing standing in the way is that FBA can’t fallback to NTLM.

    I ask you to please strongly consider adding this.  



  14. someone:

    Server 2003 – no. Unfortunately, the differences in the networking/firewall integration hooks between Server 2003 and 2008 are too great for TMG to support both.

    32-bit – We may provide a 32-bit for evaluation and demo purposes, but it will not be supported for production. This is the same like Exchange2007.

  15. Anonymous says:

    I really hope that the funtionality of IAG (Internet Access Gateway) will be included in Forefront TMG (Threat Management Gateway)…

Skip to main content