I'm going through the documentation for the installation of QSS, and it says I have to install the 'Microsoft FTP Service'. Is this the same FTP service that gets installed with the IIS service? If so, is it safe to run IIS on a front facing ISA server? Won't this open up a security hole?
You are right Thomas, Excellent question.
When I have created QSS 3 years ago, I needed a way to exchange data between the Security Client component (installed on the workstation) and the Approval Server (on the ISA 2004 itself). The reason is that the client will make a technical “picture” of the machine and send it to the server part, which will decide it is compliant. All the ‘intelligence’ is on the server side which is totally different if you compare QSS with RQC/RQS.
I have decided to use FTP for the following reasons :
· I did not want to create my own “multithreaded” component (I have some customers that provides hundreds of simultaneous VPN tunnels), · ISA 2004 by default has a FTP application filter, · Only people from the VPN networks can FTP the ISA 2004 machine (nobody else !), · Creating your own component or protocol implies that you must prove that you are not another source of attack : this is in general a lot of discussion for nothing · You only need to run the FTP service on ISA, not the other ones (especially WEB) · If this service has a bug somewhere and is a source of attack, I assume that Microsoft will have a strong process to provide a patch, and that it will be deployed pretty quick. Since the only way for a user to talk to isa smtp service is to upload a file, the risk is extremely low (compared with the risk of an application running on IIS/WEB service).
I don’t plan to change that system in the next release of QSS , except if you give me good feedback on this ;-)
For your info, the next release of QSS will support all Microsoft new things : Vista, antispyware, ISA 2006… if you have any special request, just let me know (Thomas you can broadcast this info ;-). This will help me to make a product that is compatible with all kind of scenarios.
Keep in mind that RQC/RQS will not be enhanced (my opinion), that NAP will not arrive before 2 years … so QSS is still a good product for the community.