My experiments with IAG 2007, Part 2

by Shijaz Abdulla on 02.09.2007 at 08:53

In my earlier post on Intelligent Application Gateway (IAG 2007), I explained how we can download a fully-functional VHD image that simulates the IAG appliance and how to get started with it.

One of the interesting features in IAG that I came across is the ability to verify how secure the endpoint is (endpoint: client computer from which the user establishes the SSL-VPN session). The administrator can define endpoint policies that define the minimum security requirements that the client computer must have, in order to be able to connect to a particular internal application or service via IAG.

For instance, users may connect from home PCs or internet kiosks to access file servers while out of office. In order to secure file servers from possible malware attacks, we can require that all client computers that request access to file servers should have anti-malware software installed, failing which connections should be disallowed.

Let's take a closer look:
In the IAG console, under the portal for HTTPS connections, I open the properties page for File Access and specify an Endpoint Policy that requires that Windows Defender be installed on any endpoint that requires access to file servers.

On an external client machine that does not have Windows Defender installed, I try to access the IAG portal. I note that even before showing me the login form, the portal quickly gathers and sends information to IAG to verify compliance with endpoint policy.
Now I login to the IAG Portal:

And – as expected – I find that File Access is disabled!

If I click Details, I am informed why my endpoint is not allowed to connect to this service.

This is indeed a very nice feature. Reminds me of quarantined VPN clients in ISA Server.

If you have read my earlier post on extending access to file servers from OWA, you will note that this amount of flexibility in endpoint security compliance checking is not available when allowing direct file access through OWA. In OWA, you can only set separate policies for 'Public' and 'Private' computers, as selected by the user on the login form. And of course, this can be overridden by the user when he/she logs in, so it really isn't much of an enforcement.
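To make the difference concrete, here is a small model of the two approaches as an added illustration (this is not IAG's own policy engine or rule syntax, and not OWA's code). Each published application carries a policy that the endpoint attributes gathered before login must satisfy; the portal enables only the applications whose policy passes and keeps the failed reasons for the Details view. The OWA counterpart keys its decision on the Public/Private choice the user makes. Application names, endpoint fields, rule types and the two sample endpoints are assumptions constructed for the example.

```python
"""Added example: per-application endpoint policy evaluation versus a
user-selected Public/Private switch.  Not IAG's or OWA's own code; the
rule types, attribute names and sample endpoints are assumptions."""

from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Attributes reported by the client-side detection component before the
    login form is shown.  Constructed sample data, not real detection output.
    Caveat: these values are gathered on the client, so the policy is only as
    trustworthy as the component that collects them."""
    os: str
    antimalware: FrozenSet[str]   # anti-malware products found installed
    firewall_enabled: bool
    domain_member: bool


# A rule is a predicate on the endpoint plus the reason shown when it fails.
Rule = Tuple[Callable[[Endpoint], bool], str]


def require_antimalware(*products: str) -> Rule:
    """Passes when at least one of the named products is installed."""
    wanted = frozenset(products)
    return (lambda ep: bool(ep.antimalware & wanted),
            "requires one of: " + ", ".join(sorted(wanted)))


def require_firewall() -> Rule:
    return (lambda ep: ep.firewall_enabled,
            "requires a host firewall to be enabled")


def require_domain_member() -> Rule:
    return (lambda ep: ep.domain_member,
            "requires a domain-joined (managed) endpoint")


@dataclass
class Application:
    name: str
    rules: List[Rule] = field(default_factory=list)   # empty = no requirement


def evaluate_portal(apps: List[Application], ep: Endpoint) -> Dict[str, List[str]]:
    """Per application, the reasons of every failed rule.  An empty list means
    the application is enabled for this endpoint."""
    return {app.name: [reason for check, reason in app.rules if not check(ep)]
            for app in apps}


def enabled_apps(apps: List[Application], ep: Endpoint) -> List[str]:
    return sorted(name for name, failures in evaluate_portal(apps, ep).items()
                  if not failures)


def owa_file_access_allowed(user_selected_private: bool,
                            allow_public: bool, allow_private: bool) -> bool:
    """OWA model: two server-side settings (public / private computers), and
    the client picks which one applies to it via the login form."""
    return allow_private if user_selected_private else allow_public


# Hypothetical portal: OWA has no endpoint requirement, File Access needs an
# anti-malware product, Network Connector needs a fully managed endpoint.
PORTAL = [
    Application("Outlook Web Access"),
    Application("File Access",
                [require_antimalware("Windows Defender", "Forefront Client Security")]),
    Application("Network Connector",
                [require_antimalware("Windows Defender", "Forefront Client Security"),
                 require_firewall(), require_domain_member()]),
]

# Constructed endpoints: an internet kiosk and a corporate laptop.
UNMANAGED_KIOSK = Endpoint(os="Windows XP", antimalware=frozenset(),
                           firewall_enabled=False, domain_member=False)
MANAGED_LAPTOP = Endpoint(os="Windows Vista", antimalware=frozenset({"Windows Defender"}),
                          firewall_enabled=True, domain_member=True)

if __name__ == "__main__":
    for label, ep in (("unmanaged kiosk", UNMANAGED_KIOSK), ("managed laptop", MANAGED_LAPTOP)):
        print(f"{label}: enabled = {enabled_apps(PORTAL, ep)}")
        for app, failures in evaluate_portal(PORTAL, ep).items():
            for why in failures:
                print(f"    {app} disabled: {why}")
    # Same kiosk under the OWA model: file access follows the user's claim.
    print("OWA, kiosk claiming 'private':",
          owa_file_access_allowed(True, allow_public=False, allow_private=True))
```

Run as a script, the kiosk ends up with only Outlook Web Access enabled and a Details-style reason for each disabled application, while under the OWA model the same kiosk obtains file access simply by ticking "private". The point the code makes is where the decision input comes from: attributes gathered from the endpoint versus a claim typed by the user.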

Publishing internal file servers through OWA

by Shijaz Abdulla on 24.08.2007 at 13:46

Outlook Web Access (OWA) on Exchange Server 2007 now supports direct file access, which means users can connect to internal file servers over the web using the standard OWA interface.

Readers of my earlier posting on Intelligent Application Gateway 2007 will agree that, if SSL is configured on Outlook Web Access (OWA) with internal file server access enabled, and it is published using ISA Server 2006, this gives you the equivalent of a browser-based SSL-VPN connection to the file server! Think about it.

This is good news for organizations who want to publish their file servers securely for home users but cannot afford a secure VPN solution.

Similarly, users can access internal SharePoint sites from OWA if this is enabled on Exchange Server 2007. Certainly good news for organizations that tried to publish both OWA and SharePoint over SSL on the same ISA Server installation, and then backed away because it meant replacing the SSL certificate with a wildcard certificate. (A wildcard certificate does not weaken the encryption of the session; the trade-off is that one private key then covers every host name under the domain, so compromising it exposes all of them.)

For step-by-step instructions on how to configure direct file access, see my article Configuring direct file server access from Outlook Web Access in Exchange Server 2007

My experiments with IAG 2007

by Shijaz Abdulla on 28.07.2007 at 14:06

Intelligent Application Gateway 2007 (IAG) is Microsoft's new addition to the Forefront Edge Security family. IAG provides web-based SSL-VPN connections for secure access to applications from outside the organization's network perimeter. IAG 2007 was previously known as Whale SSL VPN before Microsoft acquired Whale Communications.

I had always wanted to get my hands on an IAG appliance, but appliances are costly, and the only way to work on one was to get my company to buy one of those babies. However, I was excited when I saw that the IAG VHD is available for download! It’s a scenario-based demo, which involves a virtual machine image (VHD) running DC/Exchange 2007/SPS 2007 and another virtual machine running the IAG appliance itself. Also, there were two client machine VHDs – one ‘managed’ and the other an ‘unmanaged’ client.

I downloaded the whole demo lab, and put it together on my 64-bit Virtual Server 2005 R2. I got a preview of the IAG features, but found that the Network Connector feature (the one that lets a remote client connect to the corporate network 'VPN-style') wasn't working. Upon closer examination, I found that the "Whale Network Connector Server" service was not running on the IAG virtual machine. When I tried to manually start the "Whale Network Connector Server" service, I got the message that the service stopped after starting. My repeated attempts to start the service were in vain.

So I opened the IAG Configuration console, and navigated to Admin > Network Connector Server. The IAG appliance has two physical network cards: one sticking into the internal network and the other sticking into the external network. There is a third network interface named Whale Network Connector (a virtual NIC), which appears to be "unplugged". I made sure that the correct network interface card was selected (it should be the NIC that's on the internal network), and then de-activated Network Connector by de-selecting the "Activate Network Connector" checkbox. Then, I applied my changes by clicking File > Activate.

Once again, I navigated to Admin > Network Connector Server. This time I selected "Activate Network Connector" and clicked OK. Once again I applied my changes by clicking Activate. In a few moments, the "Whale Network Connector Server" service started and the third network interface (Whale Network Connector) started showing status as "Active".

In short, I just de-activated and re-activated the Network Connector Server after making sure that the correct internal NIC is configured on it. So if you've downloaded the IAG demo lab, I hope this helps you!