Extending ISA/IAG beyond the limit

AGAT Security suite - introductionAGAT Security suite is a set of unique

components that allow extending ISA / IAG functionality to solve complex architectures and requirements, typically implemented in large, complex and well secured networks.

To learn more about our solutions please visit our website at http://www.agat.co.il or contact yoavc@agat.co.il

Main Filter listAG Authentication RelayActiveSyncAG Remote Cert AuthAG SSOAG MultiplexerAG Secured File Upload

AG Authentication Relay

AG Authentication RelayGeneral description

The Authentication Relay filter allows users to authenticate using a digital certificate when the application is protected by more than one ISA server in a cross domain architecture.

.

AG Authentication Relay (cont)

The solution is based on two web filters: In the front ISA the Relay filter signs the user’s

name (after being authenticated by ISA) and time stamp and submits the signed data in the request header.

In the back ISA the Consumer filter verifies that the message was received from the front ISA and then performs the authentication to the required application..

The solution does not require any domain trust relationship between the front and back domains.

AG Authentication Relay (cont)

ArchitectureOption A- Basic Authentication Relay

AG Authentication Relay (cont)

ArchitectureOption B- Strong Authentication Relay

AG Authentication Relay – Use casesWhen more than one ISA is protecting the application and smart card authentication is needed.When there is a single front end ISA in the external domain protecting several sub-networks that are using ISA.Typically when using IAG as a gateway and several ISA servers are protecting the internal domains.When you need the client’s certificate at the back end of multiple ISA architecture.

AG Active Sync Filter

AG ActiveSync - intro & requirementActiveSync is a data protocol used to

synchronize end user devices with Exchange server.

Typically the exchange server is published using IAG/ISA.

 Organizations need to control the content

published to the client (ie iPhone, windows mobile) to ensure that the content published is compatible with the device security level requirements.

AG ActiveSync filter solutionThe ActiveSync filter allows configuring

publishing rules according to device type and Exchange objects (mail, events, tasks and contacts).

In addition, the filter can block publishing of attachments and can perform content filtering.

AG ActiveSync filter featuresFilter rule configuration by device type (iPhone,

windows mobile etc)Allowing or blocking Sync of the following objects:

mail messages, contacts, tasks and calendar events.Allowing or blocking Sync of attachments in mails

messages or eventsFiltering by words in content of mail and calendar

events.Allowing meeting requests to be published even

when mail is blocked.Support ActiveSync 4.5

AG Remote Cert Auth

AG Remote Cert Auth- DescriptionEnable to perform certificate authentication

using an LDAP that is not in the same domain as the ISA server.

AG Remote Cert Auth -Use casesWhen users are using smart cards to login

and the LDAP is in a different domain than the ISA.

Typically when organization is securing theLDAP / Active directory in a separate domain then the ISA

AG SSO

AG SSO - DescriptionAdd user certificate and LDAP properties to

header request for application authentication.

AG SSO - Use casesWhen your web application is not

configured to use Windows authentication and user identity is needed.

Properties from LDAP are needed for the application.

When you need to pass the client certificate to your internal IIS.

AG Multiplexer

AG Multiplexer - DescriptionEnable transmitting the user's request

via a single point of access to several internal destinations according to user organization unit or group

Automatically generate a menu page listing all accessible URLs.

AG Multiplexer – Use casesWhen you need to provide a single point of

access to all users to browse to different web applications.

When routing users is needed according to the location in the Organization Unit (OU) or Group.

Typically when the network is divided into several subnets/domains managed separately.

Avoid publishing many internal sites.

AG Access Controller

AG Access Controller- DescriptionThe filter extends the ISA web publishing

rule system with additional criteria.Supports configuring the web publishing

rules based on user OU or Group.Enables working with an LDAP server that is

not in the same domain as the ISA/IAG.

AG Access Controller - SSL VPN Allows filtering users that use SSL VPN.Enables identifying the user in SSL VPN in

order to prevent anonymous requests entering the firewall

AG Secured File Upload

AG Secured File Upload- DescriptionFast file content verificationVerify that the extension of the file matches

the file contentPass file to antivirus to check virus in contentBlock dangerous content before reaching

internal site.

ENDSee more filters available on

http://www.agat.co.il