ISA Server

[CXGJarrod]

Does anyone out there use ISA Server for providing internet access for their company? If so, have you had any problems / issues with using it? We were thinking of doing a trial of ISA server and I just wanted to see if anyone had any experience with it.

If you dont use ISA server, what do you use for sharing internet access throughout your company? I have tried several proxy servers (windows based), but have not really liked any of them due to limitations of what I could allow the proxy to do.

Any help would be great.

[MrLinus]

Hi Jarrod,

I haven't used ISA but a friend of mine did. The words "****ing slow pig" came out of his mouth and at the time I believe the setup was PIII1.2/512MB Ram/80GB HD.

I have used Novell BorderManager 3.5 and found it to be fine for the company I had worked at. We'd fill the cache regularly but it was good for locking down what we didn't want employees to get at while still allowing for good internet access.

[t2k2]

I use ISA, and it has been working fine. We are in search of additional reporting tools, however, as our existing ones are not enough - that includes the built-in reports for ISA itself. Oh, and Ms Mittens, I think that 512 MB may be the minimum, so it would probably depend on the amount of users that are being piped through the proxy. Maybe your friend should bump it up to about a gig. Just a suggestion. But honestly, our internet connection seems just fine.

[CXGJarrod]

MsMittens: Unfortuately, we have MS Win2k Servers and cannot run Novell BorderManager 3.5. I have heard some good things about that product.

[Xylinx]

BorderManager? ACK! We have a Checkpoint FW/proxy because of BorderManager...and then there is ManageWise...

[bigbird]

Originally posted here by t2k2
....and Ms Mittens, I think that 512 MB may be the minimum, so it would probably depend on the amount of users that are being piped through the proxy. Maybe your friend should bump it up to about a gig. Just a suggestion. But honestly, our internet connection seems just fine.

The minimum is 256MB but it's dog slow at that. I am running ISA with 1.5GB ram on a dual 1Ghz Dell box with no problems. Environment is ~200 users with net access restricted to about 105 or so.

Oh and you might want to reserve a certain percentage of your pipe for your MIS dept -- so you can always get out when you need to even if Joe Blow is watching the Fox news (provided you let it in)

[Sgt_B]

We run it on a Dell box P4 1.4 GHz 1024 GB RAM. Its been running perfectly fine. We don't use its packet filter capabilites since we have a FW-1 machine sitting in front of it. We haven't run into any issues, and its been up and running no problem for quite some time. No speed issues either on our end.
If there are speed issues, you can always get the Enterprise edition of ISA which allows you to create "ISA arrays" for load balancing and fault tolerance.

Personally I think its a great tool for internet sharing/proxying.

As far as the security side goes....I'm not so sure. I haven't done much testing with it, and like I said I've got FW-1 machine infront of it so I don't really see the need to test it

Go ahead and run it in a test environment first. I'm sure you'll be happy with the results.

"****ing slow pig".....thats kinda funny!
How much bandwidth has he got running through it MsMittens? If he hasn't moved on to a different solution yet, you might suggest running ISA in array mode. Although this does mean a lot more $$$.

<EDIT>
Just wanted to mention the reporting capabilities real quick. They're not so good...

ISA does however integrate well with various third party applications. Some of these apps are designed specifically for ISA. There's virus detection apps, reporting apps, and some other misc things. Check out Isaserver.org . Its got a lot of nice resources, and should help you with some of the research you're doing. Even has a forum on there to ask some questions.

Hope this helps!

[t2k2]

Thanks for the correction bigbird. The minimum for our installation is 512MB because we have the SurfControl add-in for more reporting capabilities. Now I realize why I said that may be the minimum, but I am sure you are right about the 256MB for just the ISA Server itself. I can't remember the rest of the specs on the box, but it's definitely handling the traffic. We may have about 400 users with access through it.

Sgt_B: I definitely agree with you on the suck reporting of ISA...BLAH!

[Wizeman]

I implemented ISA Server about 2 months ago at one of my clients (stupid Small Business Server). I think it works well, but I wouldn't recommend doubling applications up on the server, as Small Business Server does, as ISA eats up resources like crazy. The configuration isn't especially intuitive, but it is fairly easy to adapt to after a while. My biggest gripe is that in order to take advantage of the monitoring, without going to the server to look at the logs, you need to buy third party software, or you have to open the ISA monitoring log files in access and write a program to query that database, either way, it is something that should be provided for, and isn't.

Oh, and don't expect it do to trustworthy intrustion detection, I get my false alarms than I'd like, but I've heard the ISS add in is decent.

Regards,
Wizeman

[Tedob1]

ISA server is a mighty pricy item just to share an internet connection. What do you want out of a proxy, what type of connection to the internet do you have? Do you need to stay connected 24/7

I just got rid of ISA in favor of checkpoint. its like everone says. its a monster. it dosn't do content filtering but it does do a fair job with mime types. if your forced to use third party software to get some decent ids reporting, that to me makes it pretty useless. it reports every connection attempt, even for push type add servers as 'an intrusion attempt' but dosn't tell you the protocal, port number or any info you could use to analyse it. the same thing with dropped packets. i don't know why thet even bothered. it does make a nice caching proxy and the firewall client or user groups are fairly easy to configure.

2k server will allow you to share connections with everyone all by it self. add some firewall and IDS software and your jammen. sygate will allow you to blacklist users and monitor surfing, tiny fw pro does a pretty fare job for the price, under 200 dollars.

Make a list of what you want your proxy/gateway/firewall to do, and lets have a look at it.