RE: Is ISA a good fit?
- From: Glenn Maks <gmaks@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 12 Dec 2003 12:06:29 -0500
Hello Tom - I have opened calls to Microsoft ISA support regarding the
issues I stated in my ISA review early this morning, first allow me set the
record straight, because I think Jim was taking it personally, I know Jim or
at least I was told that he is part of the ISA development team, so I
understood his humorous sarcasm referencing Dorothy, the fact is that ISA is
being marketed for Prime Time use as a Enterprise Solution, as such, the way
I have implemented ISA into my organization mirrors my existing
configuration I have with my Axent Raptor Firewall, I ran both in parallel
just in case I needed to scramble back to Raptor, unfortunately, I had to do
that, I was pressured by Executive management because basic organizational
functions were being impeded based on the unreliable RRAS connectivity it
provided to all my branch offices. The issue with RRAS was that it took
forever to connect, when it did connect and sometimes not all, even if I
consoled into the dialing ISA RRAS Server and initiated connection manually,
keeping in mind all the while the Links are down, no inter office mail, no
Exchange replication, no access to shared resources, this is huge
on the radar screen for management. Let me ask you this, you have 2 ISA RRAS
Servers on opposite sides of the world, each office has at least a 512 MB
dedicated connection to the Internet or better, like a full T-1, what is
reasonable in terms of time for RRAS to reestablish connections? As far as
DNS hot fixes, I read off the version
releases of several DLL's to Microsoft's Tech support and based on what they
told me I already had the DNS hot fix in place. Believe me, I wanted ISA,
this a product I believed in that could replace my old firewall, my company
has partnership agreements with Microsoft, so the path to ISA was an easy
one to make, but the fact is, after
I rolled it out and started to add additional functionality to it, Nothing
More or less than what I already had with Raptor, things started to go down
hill quickly. I had 2 choices, remain with ISA and work through the issues,
all the while my companies services suffer or flip the switch back onto
Raptor. The comment that Jim made regarding an all services and
functionality running on one box, and that it was not very smart to do that,
I am asking nothing more from my combination of ISA and RRAS
that I already have with my 6 year old Axent Firewall, further more, if
Microsoft's VPN solution for now is to use RRAS then it is not unreasonable
to expect a certain level of performance and reliability from it.
Personally, I still believe in the product, the down side is that it will be
a hard sell to management when version 2 is released based on the
experience, and it is NOT the way I rolled it out or planned the migration,
as I know some folks will say, I took this one step at a time, one service
at a time.
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, December 12, 2003 11:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Is ISA a good fit?
http://www.ISAserver.org
Hi Glenn,
So PSS wasn't about to solve your VPN gateway to gateway issue? Didn't they
give you to rollup hotfix that solved the dreaded DNS publishing issue?
Thanks!
Tom
_____
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Friday, December 12, 2003 8:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Is ISA a good fit?
http://www.ISAserver.org
Jim - in fact I have posted many issues and have received many valued
responses, even from you, in fact when I opened my Microsoft support ticket,
I asked the 2nd level support engineer about ISA Discussion Group in
reference to Tom and yourself,
he told me many Microsoft ISA support engineers use this same forum and know
about you, so believe me, it is not like I was coming in cold, My evaluation
is accurate based on my experience and the way I NEEDED to use ISA. As for a
total enterprise solution, Most Enterprise firewall solutions roll in VPN
support, either client VPN or firewall to firewall, like my old Axent Raptor
firewall which is 6 years old, so this is not a new idea, Microsoft choose
to use RRAS because it already existed in earlier releases of Server
operating systems, Yes, it is true RRAS is not necessary for ISA to function
as a Firewall, Web Proxy, but to complete the total Enterprise requirements
it is if you wish to connect Branch offices, and I am saying that I had
reliability issues with RRAS, it simply was not stable, the times I had to
reboot my ISA server RRAS would take minutes to complete the connection and
sometimes not at all, I reboot Raptor and I can start pinging remote hosts
on the other side of the world even before the OS allows you to login, so
believe me there is a huge difference. I am not arguing the case to scrap
ISA, if I did I am sure I would be flamed by Microsoft supporters. As far as
waking up Dorothy, I guess she is already walking the streets, because my 6
year old Axent Raptor firewall functions as my Firewall, Global Branch
Office VPN and DMZ server, everything needed to run the operations here in
my office, so I guess I do have my bag of chips Jim.
-----O
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gmaks@xxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
