ISA 2004 firewalls include a very powerful HTTP Security Filter. This filter allows you to block virtually any HTTP connection attempt, based on the settings you configure in the filter. The HTTP Security filter allows you to configure the ISA 2004 firewall to perform detailed searches of the HTTP header and body, and block connections that match your criteria. When used properly, this has the potential to be the ISA 2004 firewall’s “killer app”.
However, most firewall admins have to do double, triple, quadruple and quintiple duties. They don’t have time to make the ISA 2004 firewall their avocation. They need to handle WinXP/Win9x/Win2000 clients, WinNT4/Win2003/Win2003 servers, SQL Servers, Exchange Servers, SharePoint Servers, Certificate Servers, RRAS Servers, IIS Servers, and lots more. There are only so many hours in a day, and the attraction to a firewall like ISA 2004 is that it appears easy to configure. And, on the whole, they would be right.
However, while the HTTP Security filter has a powerful and easy to use interface, the documentation of the feature is abysmal. What do I mean by “abysmal“? Search your dictionary for “tautology“ and then read the Help file and any other MS docs on this subject you might find.
Most firewall admins who opt for ISA 2004 firewalls do so because they want to take advantage of the unique protection provided by ISA 2004, especially for the ISA 2004 firewall’s one of a kind VPN and Exchange security features. This level of protection can be made even better if MS would actually explain and define the various components of this filter and how it works. Otherwise, the HTTP Security Fitler’s power and utility will end up in the dustbin of history like the H.323 Gatekeeper and possibly the VPN-Q feature (I’ll moan about VPN-Q in a future posting).
So the celebrity challange for MS is to come up with clear (not concise! concise usually means “I don’t have the time or inclination to fully explain the subject and explore implications), complete and useful documentation on the HTTP filter. This is how ISA 2004 firewalls can displace Checkpoint and PIX, and prevent users from adopting a Linux based solutution. After all, if I’m going to have to spend hours, days or weeks figuring out how to configure a key piece of a firewall, I don’t have to pay for it, I’ll just use Linux! 🙂
So, MS docs team — belly up to the bar and give the ISA 2004 firewall community what it needs, not what you think they need.