One of my favorite features of all time is RPC Over HTTP. Most of you are familiar with it because it allows Outlook to encapsulate RPC calls inside a HTTP packet or frame. That frame must of course travel across the internet to your “Front-End” server or proxy. All of that voodoo just makes it trivial for users to check email without first having to deal with a RAS/VPN infrastructure. RPCHTTP rocks and everyone knows it. But, if you’re like most of the geeks I know, you probably cracked the joke about wanting HTTP Over HTTP (HoH).
Guess what? It’s coming. Well, sort of. It isn’t really HTTP Over HTTP. Think of it more like fine grained control of multi factor authentication across HTTP.
This week I started testing our internal implementation of this new set of technologies using ISA Server 2006 and it’s ability to provide access to Microsoft internal LOB applications.
I was able to access my team’s SharePoint site, our expense reporting website, the security and email distribution list maintenance site, the bug reporting site, our timecard website and a few other pilot sites. SharePoint is of course pretty easy to publish with ISA Server 2004. However, until ISA 2006 and this pilot, access to many of the other sites required me to use a VPN connection. This also meant that the machine must be part of the Microsoft corporate Active Directory (AD) Forest in order to allow the IPSEC policies to work their magic. Several of my home machines are not part of the corporate forest, so access to the applications wasn’t an option. This is no longer true.
I recently purchased a new Dell Latitude D820. It’s my personal machine and I have no intention of adding it to the corporate forest and allowing SMS to control it. With this pilot however, I was able to simply pop my smartcard into the D820 built-in smartcard slot and go hit the portal website (see login screen shot). I modified the screenshot and removed our DNS name. Sorry.
The first time I went to this website, IE7 complained about the SSL certificate presented. Since my machine is not part of the corp forest, it doesn’t have the root CA certs already installed so the certificate path wasn’t trusted. This is of course easily fixed by installing the cert, which I did.
I should also mention that before being presented this screen, you are prompted for the pin to the local smartcard cert. Ah, multi-factor is a good thing.
After logging in, we get a custom webpage with the listing of supported websites. It isn’t wide open so I am not able to access resources like the daily Windows Vista .iso’s or another personal SharePoint web I have.
I did submit my expense reports Thursday across the connection. It was very nice to not have to VPN. Ok, I’m lazee.
I’ll be really impressed if we can rethink access to our product servers. Today, most of the beta’s I download are via a VPN connection using the SMB protocol. I would jump up and down for joy if I could use HTTP to grab the Windows Vista DVD .iso file from our internal servers. I’m guessing I’d see a huge improvement in performance by doing that. Improvement equals time. Time is money.
So where do you get more information on how to work this magic?
You should definitely check out the small whitepaper on ISA Server 2006 Web Proxy. That’s the official name. Download the whitepaper at http://www.microsoft.com/isaserver/2006/prodinfo/Web_Proxywp.mspx. It’s about twenty pages and will give you some decent descriptions of the HTTP filtering process, SSL bridging, the event and alert models, proxy caching, etc.
Next, make sure to check the TechNet resources on your subscription or at the http://www.microsoft.com/technet/prodtechnol/isa/2006/beta.mspx location. This link will of course change when ISA Server 2006 ships and considering it’s already in release candidate status, that isn’t too far off.
By all means download the product and install it. See http://www.microsoft.com/isaserver/2006/beta.mspx for access to the release candidate bits. The Enterprise and Standard Editions are siting there begging you to try them. Don’t forget you can test a wide variety of scenarios using our Virtual PC or Virtual Server 2005 R2 products. Virtual Server 2005 R2 is free so what’s your excuse?
That’s not all !!!
Don’t want to download and install? Don’t!!! Go to http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx and run the virtual labs to see how to do secure application publishing.