RE: Is ISA a good fit?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 12 Dec 2003 08:27:27 -0600

Hi Glenn,
 
I appreciate you taking the time to share those experiences.
 
Now, I can tell you that I have an SLA with my ISP that allows me
100GB/mo of traffic and then I pay for overage. I always go over and
will probably have to increase it to 150GB/mo. For the last six months
I've pumped through a single ISA firewall a total of about 830GB (this
is a T1).
 
I'm publishing:
 
HTTP
HTTPS
OWA
FTP
NNTP
DNS xMany
SMTP
POP3
IMAP4
Secure Exchange RPC
And of course serve as the local ISP for our neighborhood via WAPs.
I also use VPN when out -- but don't have a gateway to gateway link,
although my customers do and they don't complain to me about it.
 
After the rollup hotfix that was released many months ago was applied,
the ISA firewall runs about the same as my refrigerator. I never think
about it except to run my daily log analyses. Same goes for my customers,
but they get their logs analyzed once a week :-)
 
So, I think that layer 1 issues, and possibly layer 8, is what causes
these problems. I see many people make the same complaints, but the
thing is that when I put things together, I don't seem to have the same
problems :-\
 
Thanks!
Tom
Thomas W Shinder
www.isaserver.org/shinder
ISA Server 2004 Beta - Coming Soon: http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

        -----Original Message-----
        From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
        Sent: Friday, December 12, 2003 7:50 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Is ISA a good fit?
        
        
        http://www.ISAserver.org
        
        Good Morning Group - I wanted to share with everyone my
        experience with ISA, regarding the concern if ISA is ready to
        step in as an Enterprise firewall solution, my first response
        would be, by itself, NO! and here are my reasons, I recently
        implemented ISA on a trial basis to see if it could replace my
        6 year old Raptor firewall running on Windows NT 4.0. At first
        I liked what I saw, the GUI was intuitive and easy, creating
        objects to support protocol rules was easy, creating packet
        filters, again all easy and straightforward. It was not until I
        rolled out ISA and started to ask more from it did I make my
        decision to remove it. I was not asking ISA and the underlying
        RRAS service to do any more than my 6 year old Raptor firewall,
        it simply was not reliable and stable. Case in point, I used
        RRAS to connect my 4 branch offices around the world using
        Microsoft CA and layer 2, it seemed almost on a daily basis one
        or more of the links were down when I came in every morning, my
        published public DNS server never did work right, that is to
        say, I could not NOR Microsoft Tech support get my DNS server
        to answer to simple queries, using both Packet filters and
        publishing rules, I noticed the more traffic that went through
        ISA, the worse things got, I lost my FTP service for no
        apparent reason, it just stopped responding, I ran performance
        monitor and noticed that both Private and DMZ physical
        interface queue lengths were off the charts, not to mention,
        whatever you define in your LAT is considered trusted, so don't
        create your DMZ in the LAT, ISA will pass everything between
        those subnets freely. I am not taking shots at ISA, simply
        reporting the truth, when compared to my 6 year old Raptor
        firewall, the choice is clear, Raptor! I never had these
        problems with my old Axent firewall, the VPN tunnels are Rock
        Solid, I can control what I want and when I want it between
        each interface and the performance is always predictable, Very
        Good. So again, based on the number of users in this forum, I
        have to believe many people are using ISA, that is good, but
        each one has to make the call to keep or discard it, for me, I
        will wait to see what version 2 of ISA looks like before I
        attempt another migration using Microsoft ISA.
         
         Glenn ( MCSE )
         

                -----Original Message-----
                From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
                Sent: Thursday, December 11, 2003 2:20 PM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: Is ISA a good fit?
                
                
                

                As far as VOIP, it is more of programming clashing. The
                programmers are creating an object, but instead of
                taking into consideration real world implementations,
                are going by standards for that product.

                ISA is an Enterprise class firewall. It is not perfect.
                No firewall is perfect. That is why it is always
                recommended to use a multilayered approach.

                While other firewalls may be easier for VOIP, they
                cannot do functions that ISA can.

                The more technology is used, the more it will be
                complex.

                 

                John Tolmachoff

                Engineer/Consultant/Owner

                eServices For You

                 

                -----Original Message-----
                From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx] 
                Sent: Thursday, December 11, 2003 10:54 AM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] Is ISA a good fit?

                 


                Request For Information...

                 

                It appears that lately I seem to be finding all the
                things that ISA cannot do.  Is ISA supposed to be an
                "Enterprise" level application that can truly support
                Enterprise level needs?  Or am I simply just asking too
                much of ISA?  I am asking this sincerely.  I have used
                MS Proxy and ISA for several years now.  Frankly, I
                have not really looked at other products.  But now that
                our business has grown, so has the complexity of our
                network.  I keep running into issues where ISA is a
                roadblock and not an asset.  Are the problems with
                authentication, not passing protocols (even when
                defined), VOIP, etc. ISA centric, or am I going to have
                these same issues with any firewall product we
                purchase?  In our mixed environment of Windows, Mac,
                Linux, and Solaris, is ISA really a good fit?  Will
                there be a release of ISA that will address these
                issues in the immediate future?

                 

                Thanks to all with more insight into this than I have.

                ------------------------------------------------------
                List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
                ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
                ------------------------------------------------------
                Other Internet Software Marketing Sites:
                Leading Network Software Directory:
http://www.serverfiles.com
                No.1 Exchange Server Resource Site:
http://www.msexchange.org
                Windows Security Resource Site:
http://www.windowsecurity.com/
                Network Security Library: http://www.secinf.net/
                Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
                ------------------------------------------------------
                You are currently subscribed to this ISAserver.org
Discussion List as: johnlist@xxxxxxxxxxxxxxxxxxx
                To unsubscribe send a blank email to
$subst('Email.Unsub') 
