InfoWorld
Microsoft lands a winning SSL VPN in Whale

Internet Access Gateway 2007 allows secure access with plenty of app support


IAG's end point control engine is one of the most capable I've reviewed, but it does come at a price. Because of its dependence on Internet Explorer and ActiveX, non-Windows platforms will not be able to participate in the deep inspection available in IAG. For non-Windows clients, end point detection will be limited to only what IAG can detect via the browser.

The Bottom Line

Microsoft Internet Application Gateway 2007
Microsoft, microsoft.com

Excellent 8.7

Criteria          Score  Weight
Security          9      35%
Interoperability  8      25%
Scalability       9      20%
Setup             8      10%
Value             9      10%

Cost:
Only available as part of an OEM bundle. As tested on Celestix WSA4000, $7,495 for up to 2,500 users (other models available)

Platforms:
Any TCP/IP-based network; full client functionality requires Windows, Internet Explorer, and ActiveX

Bottom Line:
Microsoft's IAG 2007 is a full-featured SSL VPN solution available only as part of an OEM/appliance bundle. IAG sits on top of Microsoft ISA Server, providing multiple layers of security. The end point inspection is close to perfect, but only if you run Windows and Internet Explorer. IAG's policy engine is very robust and includes a wide range of predefined applications to make policy definition easier.

Positive thinking
The heart and soul of IAG is the access control policy engine. IAG uses a "positive logic rule set" to define each exposed application, and every aspect of the exposure is carefully detailed and managed. IAG comes with a large list (more than 60) of known applications that admins can choose from to build their access policy on, such as Web applications, legacy applications, and file access. These exposed applications are wrapped in end point access control policies, upload/download policies, and URL scrubbing to ensure only valid paths are available to the end-user.

IAG's policy engine really does more than simply allow/deny access to applications: It acts more like an application firewall by inspecting each session and only allowing specific transactions to pass. For example, if a remote user logs into the corporate mail portal from a laptop in Starbucks, the user's policy may not allow him or her to download attachments from the mail system.

But more than that, IAG can block specific transactions within an application based on end point security posture. As in our Starbucks example, IAG can block specific portions of the Web application, such as company contact lists, simply based on where the client is located.
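The positive-logic model described above, sketched as an added example (this is not IAG's rule syntax or code from the review): a request passes only if it matches an explicitly listed method and path, and some listed transactions also require a trusted end point. The mail portal paths, the posture fields, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

@dataclass(frozen=True)
class Rule:
    method: str
    path: re.Pattern             # must match the whole normalized path
    trusted_only: bool = False   # True: also requires a trusted end point

# Hypothetical policy for a web mail portal. Anything not listed is denied.
MAIL_POLICY = [
    Rule("GET", re.compile(r"/mail/inbox")),
    Rule("GET", re.compile(r"/mail/message/\d+")),
    Rule("POST", re.compile(r"/mail/send")),
    Rule("GET", re.compile(r"/mail/message/\d+/attachment/\d+"), trusted_only=True),
    Rule("GET", re.compile(r"/mail/contacts"), trusted_only=True),
]

def normalize(url):
    """Decode the path once; reject odd paths instead of repairing them."""
    path = unquote(urlsplit(url).path)
    if any(c in path for c in "%\\\x00") or "//" in path:
        return None              # double encoding, backslash, NUL, empty segment
    if any(seg in (".", "..") for seg in path.split("/")):
        return None              # traversal attempt
    return path

def is_trusted(posture):
    """Constructed posture test: managed machine with current antivirus."""
    return bool(posture.get("managed") and posture.get("av_current"))

def decide(method, url, posture, policy=MAIL_POLICY):
    path = normalize(url)
    if path is None:
        return "deny: malformed path"
    for rule in policy:
        if rule.method == method and rule.path.fullmatch(path):
            if rule.trusted_only and not is_trusted(posture):
                return "deny: end point posture"
            return "allow"
    return "deny: no matching rule"   # positive logic: default deny
```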

Power trip
For power users who need network layer access, most methods of connecting require IE and ActiveX. IAG does include one method that uses either ActiveX or Java, but it is basically an SSL wrapper. It creates a one-to-one mapping of application to local port, but this isn't true network-level access.

IAG's Network Connector requires ActiveX but provides a more traditional network-level access with routable IP addresses assigned to the virtual adapter. Users have access to any resource on the network (as allowed by policy) just as if they were logged on to the local network.

Reporting and logging in IAG covers the basics: system usage, user access, and session information. The Java-based Web Monitor provides a graphical view into user, application, and system activity, with easy-to-read, customizable graphs. Also included in Web Monitor is an event query tool to help admins dig out a specific error or status message. During my tests, I found the Web Monitor a handy tool for seeing the status of each connected client.

Microsoft made a good move in acquiring the Whale technology and merging it with ISA Server. The total package makes for one flexible yet secure solution for remote access to the enterprise. The end point control is one of the best going, but full functionality is limited to Windows and Internet Explorer clients. Same thing for network-level remote access -- it’s available for non-Windows platforms, but to get the total package it requires IE and ActiveX. I like the appliance form factor, and my test unit from Celestix is first rate. Along with Juniper and F5, admins should give Microsoft IAG a look when SSL VPNs come knockin' at their door.

Keith Schultz is contributing editor of the InfoWorld Test Center.

Copyright © 2008. All Rights reserved.