We have a critical application server on our network that's provided and maintained by a service provider. We're aware of security problems on this server, including weak authentication, missing security patches, and a lack of encryption for application data sent between the server and our client workstations. However, we don't have access to the server to address these problems. Can we put something between the server and the rest of our network to protect the network?
Yes. If the critical application is Web-based, you can insert ISA Server 2000 on a machine between the application server and the rest of your network and use ISA Server's reverse proxy feature. You can configure ISA Server to require Secure Sockets Layer (SSL) encryption and Active Directory (AD)-based authentication from clients; the application server isn't aware of either requirement. After the SSL connection is set up and the client is authenticated, ISA Server functions as a proxy, passing HTTP requests and responses between the client and the application server. If your application uses protocols other than HTTP, you can insert RRAS as a VPN server between the application server and the rest of your network. Users will then have to connect to the RRAS server over a VPN connection before they can use the client application to communicate with the application server through an authenticated and encrypted VPN tunnel.