Understanding Security and Exchange Server 2007 Harold Wong [email_address] blogs.technet.com/haroldwong

Agenda Messaging security Antivirus Anti-spam Security enhancements with ISA Server 2006 Securing messages in transit

Messaging security

Antivirus

Anti-spam

Security enhancements with ISA Server 2006

Securing messages in transit

Security Threats to E-Mail The most common way for viruses to enter an organization is through e-mail Spam volume continues to trend upward over time Phishing scams have become more sophisticated and successful in a short period of time “… antivirus experts at SoftScan said that 89.5 per cent of all viruses scanned were classified as phishing malware” - Clement James, “Virus Levels Soar in August,” IT News.com.au, September 5, 2006 “ Spammers now generate an estimated 55 billion messages per day... A year ago that number was 30billion..” - Robert McMillian, “Spam’s New Image,” CIO.com, August 15, 2006

The most common way for viruses to enter an organization is through e-mail

Spam volume continues to trend upward over time

Phishing scams have become more sophisticated and successful in a short period of time

Choices for Exchange Message Filtering Exchange Hosted Filtering Anti-spam and antivirus protection in the cloud SLA backed e-mail security performance Exchange Server 2007 Edge Transport server role Anti-spam and antivirus protection in the perimeter Features customized and controlled on-premise Antivirus Filtering Anti-spam Filtering

Exchange Hosted Filtering

Anti-spam and antivirus protection in the cloud

SLA backed e-mail security performance

Exchange Server 2007 Edge Transport server role

Anti-spam and antivirus protection in the perimeter

Features customized and controlled on-premise

Comprehensive Antivirus, Anti-Spam Protection Choice: Hosted e-mail security Choices for Network Edge Protection Internet-based services protect against spam and viruses before they penetrate the network Comprehensive Enterprise-class Hosted Services for E-mail Security and Management Service for e-mail security with performance backed by SLAs Simplify E-mail Administration Offloading e-mail security allows IT to focus on other initiatives Firewall Mailbox Server Hub Transport Server Client Access Server SMTP Internet + On-Premise Software

Choices for Network Edge Protection

Internet-based services protect against spam and viruses before they penetrate the network

Comprehensive Enterprise-class Hosted Services for E-mail Security and Management

Service for e-mail security with performance backed by SLAs

Simplify E-mail Administration

Offloading e-mail security allows IT to focus on other initiatives

Features of Exchange Hosted Services Active Protection Protection against the latest threats before they reach your network Manage regulatory compliance requirements Provide e-mail that’s always available Enterprise-Class Reliability Global network of tier-one data centers that meet security audit standards Service availability and performance backed by SLAs Dedicated expertise and 24/7 network monitoring Simplified E-mail Administration Dedicate IT resources to other projects Activate services quickly with no additional equipment or software Integrate with your existing e-mail infrastructure

Protection against the latest threats before they reach your network

Manage regulatory compliance requirements

Provide e-mail that’s always available

Global network of tier-one data centers that meet security audit standards

Service availability and performance backed by SLAs

Dedicated expertise and 24/7 network monitoring

Dedicate IT resources to other projects

Activate services quickly with no additional equipment or software

Integrate with your existing e-mail infrastructure

Exchange Hosted Filtering Anti-spam, Antivirus, Content and Policy Enforcement, Disaster Recovery Only requires a simple MX record change Performance and uptime SLA Active multi-layer spam and virus protection Multi-engine virus filtering (Symantec, Trend Micro, Kaspersky Labs, Sophos) Flexible policy filter to enforce any e-mail-use rules E-mail queuing helps ensure mail is never lost

Only requires a simple MX record change

Performance and uptime SLA

Active multi-layer spam and virus protection

Multi-engine virus filtering (Symantec, Trend Micro, Kaspersky Labs, Sophos)

Flexible policy filter to enforce any e-mail-use rules

E-mail queuing helps ensure mail is never lost

Protection with Hosted Services Full e-mail encryption No public and private key management Gateway, policy-based e-mail encryption Uninterrupted e-mail accessibility Rapid recovery from unplanned disasters and network outages Thirty-day rolling historical e-mail store E-mail retention for help with compliance and e-discovery Customized report generation for help demonstrating compliance Fully indexed, searchable archive Real-time threat prevention features Multi-layer anti-spam and antivirus Customized content and policy enforcement

Full e-mail encryption

No public and private key management

Gateway, policy-based e-mail encryption

Uninterrupted e-mail accessibility

Rapid recovery from unplanned disasters and network outages

Thirty-day rolling historical e-mail store

E-mail retention for help with compliance and e-discovery

Customized report generation for help demonstrating compliance

Fully indexed, searchable archive

Real-time threat prevention features

Multi-layer anti-spam and antivirus

Customized content and policy enforcement

Comprehensive Antivirus, Anti-Spam Protection Choice: On-premise protection Choices for Network Edge Protection On-premise software protects against spam and viruses before they penetrate the network Local Control of Data Antivirus, anti-spam and security policies can be customized to meet the needs of the organization Built-in Protection Protection for your data and your network that can expand as the organization grows Firewall SMTP Internet + On-Premise Software Mailbox Server Hub Transport Server Client Access Server Edge Transport Server

Choices for Network Edge Protection

On-premise software protects against spam and viruses before they penetrate the network

Local Control of Data

Antivirus, anti-spam and security policies can be customized to meet the needs of the organization

Built-in Protection

Protection for your data and your network that can expand as the organization grows

The Edge Transport Server Role Consistent Exchange management experience Perimeter deployment Not joined to Active Directory (AD) Limited AD information transferred securely from the Hub Transport server Utilizes information from AD for recipient filtering High availability for SMTP Secure SMTP configuration Address rewriting Relay control Smarthost Transport Layer Security (TLS)

Consistent Exchange management experience

Perimeter deployment

Not joined to Active Directory (AD)

Limited AD information transferred securely from the Hub Transport server

Utilizes information from AD for recipient filtering

High availability for SMTP

Secure SMTP configuration

Address rewriting

Relay control

Smarthost

Transport Layer Security (TLS)

Features Unique to Edge Transport Recipient Filtering based on AD information Outlook Safe Lists propagated to Edge Administrator managed spam quarantine

Recipient Filtering based on AD information

Outlook Safe Lists propagated to Edge

Administrator managed spam quarantine

Highly Available Messaging With Exchange Server 2007 Poison message detection SMTP back-pressure ESE backed queues

Poison message detection

SMTP back-pressure

ESE backed queues

Exchange 2007 Antivirus Support Native Scanning Infrastructure Multiple third-party antivirus vendors support Exchange Server 2007 Symantec Trend Micro Kasperksy Lab GFI Software McAfee VSAPI to enable scanning messages in the store Antivirus Stamp to minimize unnecessary rescanning Example of an Antivirus Stamp: X-MS-Exchange-Organization-AVStamp-Mailbox: VSKing;5;0;info VSKing: AV vendor name (8 characters) 5: Vendor version (32-bit unsigned integer) 0 (VIRSCAN_NO_VIRUS): Virus status (32-bit unsigned integer) Info: Optional Virus info (128 byte string)

Multiple third-party antivirus vendors support Exchange Server 2007

Symantec

Trend Micro

Kasperksy Lab

GFI Software

McAfee

VSAPI to enable scanning messages in the store

Antivirus Stamp to minimize unnecessary rescanning

Forefront Security for Exchange Server Antivirus Features Forefront server security solutions help businesses protect their messaging servers against viruses and worms Multiple scan engines at multiple layers throughout the corporate infrastructure provide maximum protection against e-mail and collaboration threats Advanced Protection Tight integration with Microsoft Exchange, Windows-based SMTP, SharePoint and Live Communications Servers maximizes availability and management control Availability & Control Ensures organizations can eliminate inappropriate language and dangerous attachments from internal and external communications Secure Content

Forefront server security solutions help businesses protect

their messaging servers against viruses and worms

Anti-spam Feature Comparison by Exchange Release Anti-spam Feature Exchange 2003 RTM Exchange 2003 SP1 Exchange 2003 SP2 Exchange 2007 RTM IP Allow And Deny Lists Yes Yes Yes Yes IP DNS Block Lists Yes Yes Yes Yes Recipient Filtering Yes Yes Yes Yes Sender Filtering Yes Yes Yes Yes Content Filtering (Smartscreen) Yes Yes Yes Content Filter Updates (Smartscreen) Bi-weekly Daily Sender ID Yes Yes IP Safe Lists (aka Bonded Sender) Yes Outlook Postmark Validation Yes Protocol Analysis Data Gathering Yes Protocol Analysis Sender Reputation Yes Open Proxy Validation Yes Dynamic Spam Data Update Service Yes Per User/OU Spam Settings Yes Admin Quarantine Yes Automatic DNS block lists Yes

How Spam is Filtered Connection filtering Real Time Block Lists Global accept / deny and exception lists SMTP Filtering Layer Sender and Recipient Filtering Sender ID SMTP Command Tar-pitting Content Filtering Outlook Safe List Aggregation Anti-Spam/Anti-Phishing SCL Per-user/OU Spam preferences International Domain Support Outlook Postmark Validation Quarantine and Spam Reporting Incoming Internet E-mail Outlook Mailbox Inbox Junk E-mail 1 Connection Filtering 3 Content Filtering 2 Sender & Recipient Filtering 1 2 3 1 3 2

Robust Anti-Spam Reporting Performance counters Exchange Management Shell data feeds Microsoft Operations Manager graphical displays

Performance counters

Exchange Management Shell data feeds

Microsoft Operations Manager graphical displays

Forefront Security for Exchange Server Updates: Anti-Spam Continuous stream of spam and virus filter updates Published on the Microsoft Update (MU) infrastructure No administrator intervention required to keep Edge filters fresh Windows Server Update Service supported Updates include Daily IMF content filter updates Multiple intra-day IP reputation updates Multiple intra-day spam signatures

Continuous stream of spam and virus filter updates

Published on the Microsoft Update (MU) infrastructure

No administrator intervention required to keep Edge filters fresh

Windows Server Update Service supported

Updates include

Daily IMF content filter updates

Multiple intra-day IP reputation updates

Multiple intra-day spam signatures

Security enhancements with Internet Security and Acceleration Server 2006

Securing Exchange Server 2007 with ISA Server 2006 External Web Server Intranet Web Server Exchange Active Directory SharePoint Administrator DMZ User Internet ISA 2006 Appliance HEAD QUARTERS Internal Network Integrated Security Improved idle-based time-outs for session mgmt NEW Smartcards & one-time password support NEW Customized logon forms for most devices & apps NEW LDAP authentication for Active Directory NEW Authentication delegation (NTLM, Kerberos) NEW Efficient Management Web publishing load balancing NEW Exchange & SharePoint publishing tools NEW Enhanced certificate administration NEW Fast, Secure Access Single sign-on for multiple resource access NEW Automatic translation of embedded internal links NEW

Enhancing Exchange Server 2007 Security DMZ Ready Exchange Server 2007 CAS must be in DMZ and must be domain member Lower security and higher TCO Pre-authentication None External packets from unknown source reach the servers Feature Without ISA With ISA Server Only ISA Server in DMZ Can operate in Workgroup (auth via LDAP / RADIUS) OWA Outlook/RPC/HTTP Mobile / ActiveSync (Mobile with Cert) Authentication strength Single factor (username+password) 3rd party solutions (SecureId) Two factor (credentials + certificate/OTP) SecureID Access to links (from OWA & from Outlook) SharePoint documents (ReadOnly) SharePoint Document library (ReadOnly) No access to other web applications UNC Full access to all SharePoint capabilities (documents, document libraries, calendar, admin etc) Access to other web applications UNC (same) Content / traffic inspection Load balancing an array of OWA None (Forefront inspects only SMTP) Yes (HTTP) NLB (IP based only) or external LB device for cookie based LB IP and Cookie based LB are part of ISA

Exchange Server 2007 CAS must be in DMZ and must be domain member

Lower security and higher TCO

None

External packets from unknown source reach the servers

Only ISA Server in DMZ

Can operate in Workgroup (auth via LDAP / RADIUS)

OWA

Outlook/RPC/HTTP

Mobile / ActiveSync (Mobile with Cert)

Single factor (username+password)

3rd party solutions (SecureId)

Two factor (credentials + certificate/OTP)

SecureID

SharePoint documents (ReadOnly)

SharePoint Document library (ReadOnly)

No access to other web applications

UNC

Full access to all SharePoint capabilities (documents, document libraries, calendar, admin etc)

Access to other web applications

UNC (same)

None (Forefront inspects only SMTP)

Yes (HTTP)

NLB (IP based only) or external LB device for cookie based LB

IP and Cookie based LB are part of ISA

Pre-Authentication Basics Supports proxy of Outlook Anywhere (RPC/HTTP), Outlook Web Access, and Exchange ActiveSync Ensure no un-authenticated HTTP traffic reaches the intranet Pre-authentication is done by a reverse proxy in the perimeter network Numerous authentication choices Client Access Server Firewall ISA 2006 Firewall HTTPS Mailbox Server Active Directory

Supports proxy of Outlook Anywhere (RPC/HTTP), Outlook Web Access, and Exchange ActiveSync

Ensure no un-authenticated HTTP traffic reaches the intranet

Pre-authentication is done by a reverse proxy in the perimeter network

Numerous authentication choices

Confidential Messaging Features in Exchange 2007 Client Features Client to Server Server to Server Server to Perimeter Perimeter to Perimeter Clients Internal Network Perimeter Network Internet Perimeter Network

Client Features

Client to Server

Server to Server

Server to Perimeter

Perimeter to Perimeter

Security and Exchange Server 2007 Exchange Server 2007 provides improved security out of the box Message filtering is enhanced with Forefront Security for Exchange Server Exchange Hosted Filtering ISA Server 2006 helps provide secure client access

Exchange Server 2007 provides improved security out of the box

Message filtering is enhanced with

Forefront Security for Exchange Server

Exchange Hosted Filtering

ISA Server 2006 helps provide secure client access

Appendix June 1, 2009

Security Environment Need for filtering Viruses Spam Phishing Need for security Compliance Confidentiality

Need for filtering

Viruses

Spam

Phishing

Need for security

Compliance

Confidentiality

Enterprise Topology Enterprise Network Other SMTP Servers Routing Hygiene Routing Policy I N T E R N E T Applications OWA Protocols ActiveSync, POP, IMAP, RPC / HTTP … Programmability Web services, Web parts Mailbox Public Folders Voice Messaging Fax PBX or VoIP Edge Transport Hub Transport Client Access Mailbox Unified Messaging

EdgeSync Overview Edge Server Features depend on data in Active Directory Edge Servers MUST operate in perimeter networks EdgeSync Publishes outbound to Edge Servers Subscribes an Edge Server to an AD Site Configures Security and Routing

Edge Server Features depend on data in Active Directory

Edge Servers MUST operate in perimeter networks

EdgeSync

Publishes outbound to Edge Servers

Subscribes an Edge Server to an AD Site

Configures Security and Routing

The New Edge Transport Server Role Feature Rich Perimeter E-mail Defense Industry-leading anti-spam technology Comprehensive antivirus protection with Microsoft Forefront Security for Exchange Server Consistent Administration EdgeSync allows management alongside AD connected servers Local administration through the Exchange Management Console or the Exchange Management Shell

Industry-leading anti-spam technology

Comprehensive antivirus protection with Microsoft Forefront Security for Exchange Server

Consistent Administration

EdgeSync allows management alongside AD connected servers

Local administration through the Exchange Management Console or the Exchange Management Shell

EdgeSync Published Data Recipient SMTP Addresses Used to reject mail at the edge destined to non-existent addresses Includes primaries / contacts / proxies Addresses are one-way hashed to protect from exposure Outlook Safe Senders Users safe sender lists Applied per recipient (one persons safe sender is not another’s) A message from a safe sender to a recipient will bypass anti-spam content Does NOT bypass IP blocklists

Recipient SMTP Addresses

Used to reject mail at the edge destined to non-existent addresses

Includes primaries / contacts / proxies

Addresses are one-way hashed to protect from exposure

Outlook Safe Senders

Users safe sender lists

Applied per recipient (one persons safe sender is not another’s)

A message from a safe sender to a recipient will bypass anti-spam content

Does NOT bypass IP blocklists

Subscribing Edge Servers A “Subscription” is created on the Edge box The Subscription is imported on a HUB Server In the Site with best network connectivity to the perimeter network The HUB will provision certificates to secure Edge to BH connection Routing is configured On an hourly schedule, the Hub Server publishes recipient data to Edge Server Data is hashed to prevent leakage

A “Subscription” is created on the Edge box

The Subscription is imported on a HUB Server

In the Site with best network connectivity to the perimeter network

The HUB will provision certificates to secure Edge to BH connection

Routing is configured

On an hourly schedule, the Hub Server publishes recipient data to Edge Server

Data is hashed to prevent leakage

Forefront Security for Exchange Server 2007 Incremental background scanning Periodic scanning of the store with updated signatures provides another layer of security Incremental Background Scanning combines security and performance considerations Various background scanning options Scan all messages Scan only messages delivered in the past 1, 2, 3, 4, 5, 7, 30 days Scan only messages with attachments Scan only messages that have never been scanned before

Periodic scanning of the store with updated signatures provides another layer of security

Incremental Background Scanning combines security and performance considerations

Various background scanning options

Scan all messages

Scan only messages delivered in the past 1, 2, 3, 4, 5, 7, 30 days

Scan only messages with attachments

Scan only messages that have never been scanned before

Antivirus Antivirus stamp X-header protected by the Header Firewall AV vendors stamp scan result and consult stamps generated upstream to decide if to skip AV scanning on current server Example: X-MS-Exchange-Organization-AVStamp-Mailbox: VSKing;5;0;info VSKing: AV vendor name (8 characters) 5: Vendor version (32-bit unsigned integer) 0 (VIRSCAN_NO_VIRUS): Virus status (32-bit unsigned integer) Info: Optional Virus info (128 byte string)

X-header protected by the Header Firewall

AV vendors stamp scan result and consult stamps generated upstream to decide if to skip AV scanning on current server

Example:

X-MS-Exchange-Organization-AVStamp-Mailbox:

VSKing;5;0;info

VSKing: AV vendor name (8 characters)

5: Vendor version (32-bit unsigned integer)

0 (VIRSCAN_NO_VIRUS): Virus status (32-bit unsigned integer)

Info: Optional Virus info (128 byte string)

Managing Exchange Anti-spam Configuration Setting Actions for SCL levels Setting Remote Edge Server Lists Per-recipient/OU anti-spam configuration Ability to configure exceptions/bypassed recipients Diagnostics and monitoring Spam Stamp Intuitive UI part of ESM for most common tasks Events, alerts, reporting via MOM ExBPA tool will help IT Pros keep up with best practices

Configuration

Setting Actions for SCL levels

Setting Remote Edge Server Lists

Per-recipient/OU anti-spam configuration

Ability to configure exceptions/bypassed recipients

Diagnostics and monitoring

Spam Stamp

Intuitive UI part of ESM for most common tasks

Events, alerts, reporting via MOM

ExBPA tool will help IT Pros keep up with best practices

Configuring SCL thresholds Set Actions based on the SCL level assigned to a message Thresholds can be set on a per-recipient basis

Set Actions based on the SCL level assigned to a message

Thresholds can be set on a per-recipient basis

Spam Quarantine Messages over a set SCL are delivered to a Spam Quarantine Store Exchange 2007 mailbox Send Again and Search Delivered as NDRs, allowing “send again” functionality Quarantine Viewed/Searched with Outlook / OWA Message is placed in the original format in the mail stream. Quarantine is admin managed, no end-user view OWA/Outlook junk folder is for end users

Messages over a set SCL are delivered to a Spam Quarantine Store

Exchange 2007 mailbox

Send Again and Search

Delivered as NDRs, allowing “send again” functionality

Quarantine Viewed/Searched with Outlook / OWA

Message is placed in the original format in the mail stream.

Quarantine is admin managed, no end-user view

OWA/Outlook junk folder is for end users

Monitoring Antispam Activity Performance counters Messages Per SCL level Total Messages sent to Quarantine, Deleted, Rejected Aggregated in Exchange 2007 Server MOM Reports Hit Rate for Block Lists Top spam sender domain, top spam sending IP Top targeted domain/recipient

Performance counters

Messages Per SCL level

Total Messages sent to Quarantine, Deleted, Rejected

Aggregated in Exchange 2007 Server MOM

Reports

Hit Rate for Block Lists

Top spam sender domain, top spam sending IP

Top targeted domain/recipient

Connection Filtering IP allow lists, IP deny lists Block or allow connections before accepting message content Supports public deny and allow list providers Overrides all other spam features Received Chain Analysis - Can be configured to operate behind mail relays Requires message headers be accepted Microsoft IP Reputation Service Sender Reputation built from Hotmail Data Distributed via Microsoft Updates Packages

IP allow lists, IP deny lists

Block or allow connections before accepting message content

Supports public deny and allow list providers

Overrides all other spam features

Received Chain Analysis - Can be configured to operate behind mail relays

Requires message headers be accepted

Microsoft IP Reputation Service

Sender Reputation built from Hotmail Data

Distributed via Microsoft Updates Packages

Internet Sender Authentication Sender ID and DKIM (formerly Domain Keys) detect spoofing Detecting spoofing helps detect spam and phishing Sender ID and DKIM provide internet scale authentication for business-to-consumer messaging

Sender ID and DKIM (formerly Domain Keys) detect spoofing

Detecting spoofing helps detect spam and phishing

Sender ID and DKIM provide internet scale authentication for business-to-consumer messaging

Sender Id Identify forged mail from Sender Id compliant domains Identifies likely sender with Purported Responsible Address (PRA) algorithm Queries Domain Name Servers (DNS) for the Sender Id record, which returns the list of acceptable outbound mail servers IP Addresses Checks incoming IP against acceptable list Mail from other IPs considered a fail Admins may configure to Reject message Tag and Pass - Contributes to Content Filtering Score

Identify forged mail from Sender Id compliant domains

Identifies likely sender with Purported Responsible Address (PRA) algorithm

Queries Domain Name Servers (DNS) for the Sender Id record, which returns the list of acceptable outbound mail servers IP Addresses

Checks incoming IP against acceptable list

Mail from other IPs considered a fail

Admins may configure to

Reject message

Tag and Pass - Contributes to Content Filtering Score

Protocol Filtering Recipient filtering EdgeSync maintains the recipient list on the Edge server Multi-forest deployments require that addresses be synched to forest to which Edge servers are “subscribed” Protocol analysis Learns locally from the connections and messages that are seen on the specific server Builds server local reputation and blocking targeted spam attacks. Based on average spam rating, open proxy checks, protocol anomalies

Recipient filtering

EdgeSync maintains the recipient list on the Edge server

Multi-forest deployments require that addresses be synched to forest to which Edge servers are “subscribed”

Protocol analysis

Learns locally from the connections and messages that are seen on the specific server

Builds server local reputation and blocking targeted spam attacks.

Based on average spam rating, open proxy checks, protocol anomalies

Intelligent Message Filter v3.0 Machine learning Generates a Spam Confidence Level (SCL) value based on Message Characteristics Authenticated domain reputation Very good and very bad domains Catch spammers that use Sender Id Spam signatures block specific spam campaigns. Effective against minispam Outlook E-mail postmark validation Aka Presolved Puzzle Validation Increase deliverability of Outlook email

Machine learning

Generates a Spam Confidence Level (SCL) value based on Message Characteristics

Authenticated domain reputation

Very good and very bad domains

Catch spammers that use Sender Id

Spam signatures

block specific spam campaigns.

Effective against minispam

Outlook E-mail postmark validation

Aka Presolved Puzzle Validation

Increase deliverability of Outlook email

Intelligent Message Filter v3.0 Anti-phishing Most critical phishing attacks/complaints aggregated from Hotmail and a number of 3rd party reputation services leveraged on Edge (via MU) Phishing Confidence Level stamped on Edge, is used by OWA/Outlook 2007 to drive Junk Folder user experience Links are disabled Content is “flattened” Custom weight lists good and “naughty” words Affect the score set by the filter Used rarely for tuning

Anti-phishing

Most critical phishing attacks/complaints aggregated from Hotmail and a number of 3rd party reputation services leveraged on Edge (via MU)

Phishing Confidence Level stamped on Edge, is used by OWA/Outlook 2007 to drive Junk Folder user experience

Links are disabled

Content is “flattened”

Custom weight lists

good and “naughty” words

Affect the score set by the filter

Used rarely for tuning

Client authenticating to ISA Forms Based Authentication: username and password Two-factor authentication: certificates or SecurID One- Time-Passwords HTTP standards: Basic, NTLM, Negotiate Authentication providers AD (Windows) when ISA is a domain member AD (LDAP) when ISA is not a domain member RADIUS – limited support for groups RADIUS for One-Time- Passwords RSA SecurID (w/ Authentication Manager) ISA 2006 Pre-Authentication Mobile Client Web Client User Directory ISA 2006 Array Web Server 1 2 3 FBA SecurID Client Certificate Basic NTLM Negotiate Basic NTLM Negotiate SecurID KCD AD (Windows) AD (LDAP) RADIUS Server SecurID Server

Client authenticating to ISA

Forms Based Authentication: username and password

Two-factor authentication: certificates or SecurID One- Time-Passwords

HTTP standards: Basic, NTLM, Negotiate

Authentication providers

AD (Windows) when ISA is a domain member

AD (LDAP) when ISA is not a domain member

RADIUS – limited support for groups

RADIUS for One-Time- Passwords

RSA SecurID (w/ Authentication Manager)

ISA authenticating to Web Server (eg. OWA, EAS) Basic/NTLM/Negotiate SecurID Kerberos Constrained Delegation Single Sign On No need for additional sign-on to Web server Published web sites must share DNS suffix and be published through the same ISA array Client must support cookies ISA 2006 Pre-Authentication (Contd.) Mobile Client Web Client User Directory ISA 2006 Array Web Server 1 2 3 FBA SecurID Client Certificate Basic NTLM Negotiate Basic NTLM Negotiate SecurID KCD AD (Windows) AD (LDAP) RADIUS Server SecurID Server

ISA authenticating to Web

Server (eg. OWA, EAS)

Basic/NTLM/Negotiate

SecurID

Kerberos Constrained Delegation

Single Sign On

No need for additional sign-on to Web server

Published web sites must share DNS suffix and be published through the same ISA array

Client must support cookies