Internet Security and Acceleration (ISA) Server 2004 and ISA Server 2006 introduced numerous features and functionalities that are included in Forefront Threat Management Gateway (TMG). Some of the most notable advancements are described on this page.
The ISA Server 2000 networking model included an internal network and multiple external networks, some of which could be configured as a perimeter network (also known as a demilitarized zone, DMZ, or screened subnet). ISA Server 2004 supports the configuration of multiple networks with different access policies behind the ISA Server computer, including virtual private networks and perimeter networks in addition to the standard Internal network. For more information, see Multi-networking.
ISA Server 2004 introduced a rich set of network objects (address ranges, computers, computer sets, networks, network sets, and subnets) that can be used to define the source and destination of policy rules. For example, you can group networks in a network set and define policies for that set; when you later add a network, you only need to add it to the network set for those policies to apply to it. Network rules specify, for each pair of network entities, whether they have a routing relationship or a network address translation (NAT) relationship.
ISA Server 2004 provided a centralized cache policy under a single administrative node, the cache rule. This is reflected in changes in the administration object hierarchy. For more information, see Introduction to the Forefront TMG Cache Objects.
ISA Server 2004 provided a persistence mechanism that allows you to save and reuse array configurations, or portions of configurations such as specific policies. For more information, see About Persistence.
ISA Server 2004 introduced support for secure virtual private network (VPN) access that can connect branch offices or remote users to corporate networks. The firewall policy is applied to VPN connections to control what resources and protocols VPN users can access. For more information, see Virtual Private Networks.
ISA Server 2004 can authenticate users by using built-in Windows authentication methods, predefined authentication schemes that are installed with the Microsoft Firewall service, or third-party authentication schemes that are registered with Web filters. For more information, see About Authentication in Forefront TMG.
ISA Server 2004 provided a Network Configuration Detection (NCD) module, together with NCD programming interfaces and events for use by application filters. The NCD module continually checks for changes to the network configuration and sends NCD notifications describing those changes when they occur. Using the NCD mechanism, you can design a filter that reacts appropriately to changes in network configuration, such as dynamic changes in virtual adapters, the addition of new network adapters, or the addition or removal of IP addresses in a network. For more information, see Network Configuration Detection.
ISA Server 2004 provided server-side notifications for Web filters. For more information, see Introduction to Web Filters.
Web pages returned from a Web server published by a Web publishing rule may include links containing the internal names of computers. Because external clients cannot resolve these names, these references will appear as broken links. ISA Server 2006 added a built-in Web filter named Link Translation Filter, which uses mappings to translate internal computer names in links on Web pages to publicly resolvable names. Each mapping translates the internal name (or IP address) of a Web site to the public name (or IP address) of the Web site. For example, a mapping can translate the internal name to the public name. A set of link translation mappings is called a link translation dictionary. When link translation is enabled for a Web publishing rule, a default link translation dictionary is automatically created for the rule.
ISA Server 2006 could also add mappings to the link translation dictionary of a Web publishing rule automatically: if a page returned by the Web server published by one rule contains links to internal names that are used in other Web publishing rules, whether in the same array or in another array in the enterprise, the mappings for those names are added without administrator action.
In addition, the administrator can define explicit mappings that apply to a specific Web publishing rule, mappings that apply to all the Web publishing rules defined in a specific array for cross-site link translation, and mappings that apply to all the Web publishing rules defined in any array in the enterprise for cross-array link translation.
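The following Python example is added here to illustrate the mechanism described above; it is not ISA Server or Forefront TMG code. It builds one lookup table from rule-specific, array-wide (cross-site) and enterprise-wide (cross-array) mappings and applies it to the link attributes of a published page. The mapping entries, the precedence order (rule over array over enterprise), the sample HTML and the attribute names it inspects are all assumptions made for the example.

```python
import re

# Constructed mappings for the three scopes described above. Each maps the
# internal name (or address) of a published site to its public name.
# All names below are invented for this example.
RULE_DICTIONARY = {"http://sharepoint": "https://portal.contoso.com"}
ARRAY_DICTIONARY = {"http://owa-int": "https://mail.contoso.com",
                    "http://10.0.0.12": "https://mail.contoso.com"}
ENTERPRISE_DICTIONARY = {"http://crm-int.corp.local": "https://crm.contoso.com"}


def merged_dictionary(rule, array, enterprise):
    """Build one lookup table. Precedence (an assumption of this example):
    a rule-specific mapping overrides an array mapping, which overrides an
    enterprise mapping for the same internal name."""
    merged = dict(enterprise)
    merged.update(array)
    merged.update(rule)
    return merged


# Only URLs inside link-bearing attributes are rewritten; the same internal
# name in visible text is not a link and is left alone.
ATTR_RE = re.compile(r'(?P<attr>\b(?:href|src|action)\s*=\s*")(?P<url>[^"]*)(?=")',
                     re.IGNORECASE)


def translate_links(html, dictionary):
    """Rewrite every matching attribute URL using the dictionary."""
    # Longest internal name first, so a short name cannot shadow a longer
    # one that it happens to prefix.
    names = sorted(dictionary, key=len, reverse=True)

    def rewrite(match):
        url = match.group("url")
        for internal in names:
            if url.lower().startswith(internal.lower()):
                rest = url[len(internal):]
                # The internal name must end at a URL boundary, so that
                # "http://sharepoint" does not rewrite "http://sharepointserver/...".
                if rest == "" or rest[0] in "/?#":
                    return match.group("attr") + dictionary[internal] + rest
        return match.group(0)

    return ATTR_RE.sub(rewrite, html)


# Constructed response body as a published server might return it.
SAMPLE_HTML = (
    '<a href="http://sharepoint/sites/hr/default.aspx">HR</a>'
    '<img src="http://owa-int/images/logo.png">'
    '<a href="http://crm-int.corp.local/opp?id=7">CRM</a>'
    '<a href="http://sharepointserver/x">unrelated host</a>'
    '<p>Contact http://sharepoint for help</p>'
)


def demo():
    table = merged_dictionary(RULE_DICTIONARY, ARRAY_DICTIONARY, ENTERPRISE_DICTIONARY)
    return translate_links(SAMPLE_HTML, table)


if __name__ == "__main__":
    print(demo())
```

Note what the rewrite does not touch: the internal name in the paragraph text and the unrelated host that merely starts with the same string both pass through unchanged. Link translation cleans up links; it is still worth checking published responses separately for internal names that leak outside link attributes.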
The Background Intelligent Transfer Service (BITS) helps to transfer large amounts of data without degrading network performance. It does this by transferring data in small chunks, utilizing unused bandwidth as it becomes available, and reassembling the data at the destination. BITS also maintains file transfers when a network disconnection occurs, or a computer needs to be restarted. When the network connection is reestablished, BITS will continue where it left off. Any cache rule can be enabled to cache content received using BITS.
ISA Server 2006 introduced means for managing the certificates used for SSL authentication.
ISA Server 2006 focused on secure Web publishing: making internal Web resources available on the Internet securely and efficiently. ISA Server 2006 introduced support for enhanced multi-factor authentication (smart cards and one-time passwords), flexible integration with Active Directory using the Lightweight Directory Access Protocol (LDAP) for ISA Server computers that belong to a workgroup, customizable forms-based authentication, and additional authentication delegation methods (NTLM challenge/response authentication, Kerberos constrained delegation, the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO), and RSA SecurID credentials).
The single sign on (SSO) feature introduced in ISA Server 2006 allows you to specify domain names (for example, www.northwindtraders.com or *.contoso.com) for a Web listener that uses forms-based authentication. After a user is authenticated for access to a Web site that matches a domain name specified for SSO in a Web listener, the user can access any other URL containing a matching domain name through the same Web listener without being prompted to present credentials again. In particular, users can move safely from one application to another, without having to reauthenticate. For example, an authenticated user can move securely and seamlessly from Outlook Web Access to a SharePoint site by clicking a link in an e-mail, without reauthenticating.
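The following Python example is added to show the decision the SSO feature makes for each request; it is not ISA Server or Forefront TMG code. It assumes a session is reusable only on the Web listener that issued it and only for hosts that match one of that listener's SSO domain names, that matching is case-insensitive, and that a wildcard such as *.contoso.com covers hosts below contoso.com on a label boundary (so evilcontoso.com is not covered, and neither is the bare name contoso.com). The listener name, session record and URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed configuration for one Web listener using forms-based
# authentication, with SSO domain names in the two forms described above.
LISTENER = {
    "name": "Listener-Contoso-443",
    "sso_domains": ["www.northwindtraders.com", "*.contoso.com"],
}


def host_matches_sso_domain(host, pattern):
    """Does a request host fall under one configured SSO domain name?
    Assumption of this example: *.example.com matches hosts below
    example.com on a label boundary, not example.com itself and not
    evilexample.com."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".contoso.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def needs_credentials(session, request_listener, url):
    """True if the user must be prompted again for this URL.
    The session is honoured only on the listener that issued it and only
    for hosts matching one of that listener's SSO domains."""
    if session is None or session["listener"] != request_listener["name"]:
        return True
    host = urlsplit(url).hostname or ""
    return not any(host_matches_sso_domain(host, p)
                   for p in request_listener["sso_domains"])


def walk(session, listener, urls):
    """Return, per URL, whether a credentials prompt would be shown."""
    return {u: needs_credentials(session, listener, u) for u in urls}


# Constructed: the user authenticated to Outlook Web Access on this listener.
SESSION = {"user": "alice", "listener": "Listener-Contoso-443"}

URLS = [
    "https://mail.contoso.com/owa/",                  # where the user signed in
    "https://sharepoint.contoso.com/sites/hr/",       # link clicked in an e-mail
    "https://www.northwindtraders.com/",              # explicit name in the list
    "https://contoso.com/",                           # bare domain: not under *.contoso.com here
    "https://evilcontoso.com/",                       # must not share the session
    "https://www.northwindtraders.com.example.net/",  # suffix trick, must not match
]

if __name__ == "__main__":
    for url, prompt in walk(SESSION, LISTENER, URLS).items():
        print(("PROMPT " if prompt else "SSO    ") + url)
```

The SSO domain list is the trust boundary of the forms-authentication session: every site published under *.contoso.com through this listener is presented with the same session, so a wildcard should be no wider than the set of applications that are meant to share it, and a host serving untrusted content should not sit under the same SSO domain as Outlook Web Access or SharePoint.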
ISA Server 2006 used the industry standard GZIP and Deflate algorithms, which are built into the Microsoft Windows Server 2003 and Windows 2000 Server operating systems and into Microsoft Internet Explorer 6, Internet Explorer 5, and Internet Explorer 4, for HTTP compression. These algorithms compress static files and, optionally, perform on-demand compression of dynamically generated responses before they are sent over the network. The same algorithms are used to decompress the static files and dynamic responses on clients that support HTTP 1.1. A client that is configured to use HTTP 1.1 requests compressed content by listing the encodings it accepts in the Accept-Encoding request header; the server indicates in the Content-Encoding response header which encoding, if any, it applied to the response.
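The following Python example is added to show the negotiation described above end to end; it is not ISA Server or Forefront TMG code. The header names and q-value syntax are the standard HTTP ones (Accept-Encoding, Content-Encoding); the supported-encoding list, the size cap on decompression and the sample body are assumptions made for the example. It also handles one failure mode worth knowing: HTTP "deflate" is defined as the zlib-wrapped format, but some servers send a raw deflate stream under that name, so the client side tries both.

```python
import gzip
import zlib

SUPPORTED = ("gzip", "deflate")   # the two codings named in the text


def parse_accept_encoding(header):
    """Parse an Accept-Encoding value into {coding: q}. A coding without a
    q parameter gets 1.0; a malformed q is treated as 0 (not acceptable)."""
    prefs = {}
    for item in (header or "").split(","):
        item = item.strip()
        if not item:
            continue
        coding, _, params = item.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        prefs[coding.strip().lower()] = q
    return prefs


def choose_encoding(accept_encoding):
    """Pick the supported coding the client rates highest; None means send
    the response uncompressed. '*' applies to any coding not listed."""
    prefs = parse_accept_encoding(accept_encoding)
    best, best_q = None, 0.0
    for coding in SUPPORTED:
        q = prefs.get(coding, prefs.get("*", 0.0))
        if q > best_q:
            best, best_q = coding, q
    return best


def compress_response(body, accept_encoding):
    """Server side: return (extra headers, body) for one response."""
    coding = choose_encoding(accept_encoding)
    if coding == "gzip":
        return {"Content-Encoding": "gzip"}, gzip.compress(body)
    if coding == "deflate":
        # HTTP "deflate" is the zlib-wrapped format (RFC 1950), which is
        # what zlib.compress produces.
        return {"Content-Encoding": "deflate"}, zlib.compress(body)
    return {}, body


def raw_deflate(body):
    """Produce the non-conforming raw deflate stream some servers send."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(body) + c.flush()


def _inflate(body, wbits, max_size):
    """Inflate with an output cap so that a tiny body cannot expand without bound."""
    d = zlib.decompressobj(wbits)
    out = d.decompress(body, max_size)
    if not d.eof:
        raise ValueError("truncated stream or output larger than %d bytes" % max_size)
    return out


def decompress_response(headers, body, max_size=10 * 1024 * 1024):
    """Client side: undo Content-Encoding, refusing output larger than max_size."""
    coding = headers.get("Content-Encoding", "identity").lower()
    if coding == "gzip":
        return _inflate(body, 16 + zlib.MAX_WBITS, max_size)     # gzip framing
    if coding == "deflate":
        try:
            return _inflate(body, zlib.MAX_WBITS, max_size)      # zlib-wrapped, as specified
        except zlib.error:
            return _inflate(body, -zlib.MAX_WBITS, max_size)     # raw deflate fallback
    return body


# Constructed response body: a small page padded so compression is visible.
SAMPLE_BODY = b"<html><body>" + b"ISA Server 2006 HTTP compression demo. " * 50 + b"</body></html>"


def round_trip(accept_encoding):
    """Return (encoding used, bytes on the wire, body recovered by the client)."""
    headers, wire = compress_response(SAMPLE_BODY, accept_encoding)
    return headers.get("Content-Encoding", "identity"), len(wire), decompress_response(headers, wire)


if __name__ == "__main__":
    for ae in ("gzip, deflate", "deflate;q=1.0, gzip;q=0.5", "br", "identity"):
        enc, n, body = round_trip(ae)
        print(ae, "->", enc, n, "bytes, intact:", body == SAMPLE_BODY)
```

Two practitioner checks follow from this. Anything that decompresses on behalf of others (a gateway inspecting content, a cache) should cap the output as the client side here does. And on-demand compression of dynamic responses deserves a policy of its own: when a response mixes a secret such as a session or anti-forgery token with content an attacker can influence, the compressed length leaks information about the secret, so such responses are usually excluded from compression.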
ISA Server 2006 introduced Web publishing load balancing for deploying farms of Web servers in a protected network using session- and IP-based affinity with automatic out-of-service detection.
Build date: 11/30/2009
© 2008 Microsoft Corporation. All rights reserved.