RE: Is ISA a good fit?

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 12 Dec 2003 06:31:06 -0800

That's a shame.
It's even more of a shame, because I don't recall ever seeing any posts from 
you either in this list or in the ISA newsgroups about those specific problems.

While I can't speak to specific entities (NDA, you understand), there are a
great many Fortune 500 companies that believe ISA is a great Enterprise 
firewall, and they're using it right now to serve world-wide organizational 
needs.

One thing you state that I have to take issue with is your "underlying RRAS" 
comment.  ISA has no need of RRAS to function as a firewall / ALG.  RRAS is 
only required for VPN or if you choose to also use your ISA machine as a router 
(not the smartest move, but $$ drives deployment).  Many folks tend to create 
conflicting RRAS / ISA configurations, many times without realizing it.

<soapbox>
Here's a newsflash for you; if you want two separate products from two separate 
companies to work exactly the same, and you want to dump your entire network 
routing / VPN / firewall / bag-o-chips functionality on one box and expect no 
problems, then it's time to wake up Dorothy.
</soapbox>


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Fri, 12 Dec 2003 08:49:57 -0500
 Glenn Maks <gmaks@xxxxxxxxx> wrote:
http://www.ISAserver.org

Good Morning Group - I wanted to share with everyone my experience with ISA,
regarding the concern if ISA is ready to step in as an Enterprise firewall
solution, my first response would be, by itself, NO! and here are my reasons,
I recently implemented ISA on a trial basis to see if it could replace my
6 year Raptor firewall running on Windows NT 4.0. At first I liked what I saw,
the GUI was intuitive and easy, creating objects to support protocol rules was
easy, creating packet filters, again all easy and straightforward. It was not
until I rolled out ISA and started to ask more from it did I make my
decision to remove it. I was not asking ISA and the underlying RRAS service
to do any more than my 6 year old Raptor firewall, it simply was not reliable
and stable. Case in point, I used RRAS to connect my 4 branch offices around
the world using Microsoft CA and layer 2, it seemed almost on a daily basis
one or more of the links were down when I came in every morning, my published
public DNS server never did work right, that is to say, I could not NOR
Microsoft Tech support get my DNS server to answer to simple queries, using
both Packet filters and publishing rules, I noticed the more traffic that went
through ISA, the worse things got, I lost my FTP service for no apparent
reason, it just stopped responding, I ran performance monitor and noticed that
both Private and DMZ physical interface queue lengths were off the charts, not
to mention, whatever you define in your LAT is considered trusted, so don't
create your DMZ in the LAT, ISA will pass everything between those subnets
freely. I am not taking shots at ISA, simply reporting the truth, when
compared to my 6 year old Raptor firewall, the choice is clear, Raptor! I
never had these problems with my old Axent firewall, the VPN tunnels are
Rock Solid, I can control what I want and when I want it between each
interface and the performance is always predictable, Very Good. So again,
based on the number of users in this forum, I have to believe many people
are using ISA, that is good, but each one has to make the call to keep or
discard it, for me, I will wait to see what version 2 of ISA looks like
before I attempt another migration using Microsoft ISA.
 
 Glenn ( MCSE )
 

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Thursday, December 11, 2003 2:20 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Is ISA a good fit?



As far as VOIP, it is more of programming clashing. The programmers are
creating an object, but instead of taking into consideration real world
implementations, are going by standards for that product.

ISA is an Enterprise class firewall. It is not perfect. No firewall is
perfect. That is why it is always recommended to use a multilayered approach.

While other firewalls may be easier for VOIP, they cannot do functions that
ISA can.

The more technology is used, the more it will be complex.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


-----Original Message-----
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx] 
Sent: Thursday, December 11, 2003 10:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Is ISA a good fit?

 


Request For Information...

It appears that lately I seem to be finding all the things that ISA cannot
do.  Is ISA supposed to be an "Enterprise" level application that can truly
support Enterprise level needs?  Or am I simply just asking too much of ISA?
I am asking this sincerely.  I have used MS Proxy and ISA for several years
now.  Frankly, I have not really looked at other products.  But now that our
business has grown, so has the complexity of our network.  I keep running
into issues where ISA is a roadblock and not an asset.  Are the problems with
authentication, not passing protocols (even when defined), VOIP, etc. ISA
centric, or am I going to have these same issues with any firewall product
we purchase?  In our mixed environment of Windows, Mac, Linux, and Solaris,
is ISA really a good fit?  Will there be a release of ISA that will address
these issues in the immediate future?

Thanks to all with more insight into this than I have.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
johnlist@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
