That's a shame. It's even more of a shame, because I don't recall ever seeing any posts from you either in this list or in the ISA newsgroups about those specific problems. While I can't speak to specific entities (NDA, you understand), There are a great many Fortune 500 companies that believe ISA is a great Enterprise firewall, and they're using it right now to serve world-wide organizational needs. One thing you state that I have to take issue with is your "underlying RRAS" comment. ISA has no need of RRAS to function as a firewall / ALG. RRAS is only required for VPN or if you choose to also use your ISA machine as a router (not the smartest move, but $$ drives deployment). Many folks tend to create conflicting RRAS / ISA configurations, many times without realizing it. <soapbox> Here's a newsflash for you; if you want two separate products from two separate companies to work exactly the same, and you want to dump your entire network routing / VPN / firewall / bag-o-chips functionality on one box and expect no problems, then it's time to wake up Dorothy. </soapbox> Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Fri, 12 Dec 2003 08:49:57 -0500 Glenn Maks <gmaks@xxxxxxxxx> wrote: http://www.ISAserver.org Good Morning Group - I wanted to share with everyone my experience with ISA, regarding the concern if ISA is ready to step in as a Enterprise firewall solution, my first response would be, by itself, NO! and here are my reasons, I recently implemented ISA on a trial bases to see if it could replace my 6 year Raptor firewall running on Windows NT 4.0. At first I liked what I saw, the GUI was intuitive and easy, creating objects to support protocol rules was easy, creating packet filters, again all easy and straight forward. It was not until I rolled out ISA and started to ask more from it did I make my decision to remove it. I was not asking ISA and the under lying RRAS service to do no more than my 6 year old Raptor firewall, it simply was not reliable and stable. Case in point, I used RRAS to connect my 4 branch offices around the world using Microsoft CA and layer 2, it seemed almost on a daily bases one or more of the links were down when I came in every morning, my published public DNS server never did work right, that is to say, I could not NOR Microsoft Tech support get my DNS server to answer to simple queries, using both Packet filters and publishing rules, I noticed the more traffic that went through ISA, the worse things got, I lost my FTP service for no apparent reason, it just stopped responding, I ran performance monitor and noticed that both Private and DMZ physical interface queue length's were off the charts, not to mention, what ever you define in your LAT is considered trusted, so don't create your DMZ in the LAT, ISA will pass everything between those subnets freely. I am not taking shots at ISA, simply reporting the truth, when compared to my 6 year old Raptor firewall, the choice is clear, Raptor! I never had these problems with my old Axent firewall, the VPN tunnels are Rock Solid, I can control what I want and when I want it between each interface and the performance is always predictable, Very Good. So again, based on the number of users in this forum, I have to believe many people are using ISA, that is good, but each one has to make the call to keep or discard it, for me, I will wait to see what version 2 of ISA looks like before I attempt another migration using Microsoft ISA. Glenn ( MCSE ) -----Original Message----- From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] Sent: Thursday, December 11, 2003 2:20 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Is ISA a good fit? http://www.ISAserver.org As far as VOIP, it is more of programming clashing. The programmers are creating a object, but instead of taking into consideration real world implementations, are going by standards for that product. ISA is an Enterprise class firewall. It is not perfect. No firewall is perfect. That is why it is always recommend to use a multilayered approach. \ While other firewalls may be easier for VOIP, they can not do functions that ISA can. The more technology is used, the more it will be complex. John Tolmachoff Engineer/Consultant/Owner eServices For You -----Original Message----- From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx] Sent: Thursday, December 11, 2003 10:54 AM To: [ISAserver.org Discussion List] Subject: [isalist] Is ISA a good fit? http://www.ISAserver.org Request For Information... It appears that lately I seem to be finding all the things that ISA cannot do. Is ISA supposed to be an "Enterprise" level application that can truly support Enterprise level needs? Or am I simply just asking too much of ISA. I am asking this sincerely. I have used MS Proxy and ISA for several years now. Frankly, I have not really looked at other products. But now that our business has grown, so has the complexity of our network. I keep running into issues where ISA is a roadblock and not a asset. Are the problems with authentication, not passing protocols (even when defined), VOIP, etc ISA centric, or am I going to have these same issues with any firewall product we purchase? In our mixed environment of Windows, Mac, Linux, and Solaris, is ISA really a good fit? Will there be a release of ISA that will address these issues in the immediate future? Thanks to all with more insight into this than I have. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: johnlist@xxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gmaks@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')