-
November 9th, 2004, 09:53 PM
#1
to ISA or not to ISA......
Hi everyone,
About a week ago, I started setting up a new company/domain and was at that time planning on running RH9, with Apache, Sendmail, and FTP. Since that time, I have looked at Sendmail and Qmail, and have had little luck getting either properly configured.
The owners of the company have decided to go back to what we know, SBS2000.
My question is this. Is ISA robust enough to be the sole firewall on this server/domain, or should I convince them that the purchase of a hardware solution is necessary?
Ideas and opinions are greatly appreciated.
MrCoffee
~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!
-
November 10th, 2004, 03:48 AM
#2
If you want ISA for the firewall only, buy a hardware firewall. It'll cost you less (1500 US per processor for ISA 2004) and it'll probably be more secure. It really depends on your needs, too. Do you need web caching abilities? VPN abilities?
Etc Etc
-
November 10th, 2004, 04:03 AM
#3
This server is going to be acting as a webserver, email server, and ftp, but email will be for a very limited number of people. I can't imagine the webserver or ftp will get more than 50-100 hits an hour max. Might want OWA at some point. We will not be using it as a proxy server.
Actually I was looking on CDW and found a base Sonicwall to work in conjunction with the ISA for around $249, so that's most likely the way I will go. But MS says that ISA is all you really need for a single domain. Acting as firewall for both server and client.
-
November 10th, 2004, 05:12 AM
#4
Don't run ISA and your webserver/ftp on the same machine.. It's asking for trouble...
-
November 10th, 2004, 01:26 PM
#5
Ok. But why? ISA comes bundled with Exchange on SBS. In that kind of a configuration, it isn't possible to take the Web/FTP/email/ISA/IIS/SQL and put it on different servers, and why would you want to, since the whole point of SBS is to get everything you need.
Cheers!
-
November 10th, 2004, 02:34 PM
#6
Originally posted here by MrCoffee
Ok. But why? ISA comes bundled with Exchange on SBS. In that kind of a configuration, it isn't possible to take the Web/FTP/email/ISA/IIS/SQL and put it on different servers, and why would you want to, since the whole point of SBS is to get everything you need.
Cheers!
It's just a basic security rule. The more components you put in a machine, the more chance of a "security breach" appears. It's not advisable to run other stuff on the same machine as the firewall, EVEN when MS tells you to do so.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
November 10th, 2004, 02:52 PM
#7
One of the goals of ISA is to act like a web server, ftp and email server all together but to redirect the traffic to a server inside your LAN that is secure. If you redirect the traffic to the same machine, it destroys that goal. I'll stick with my first idea: buy a Sonicwall firewall with DMZ and VPN support. (Especially VPN support; you won't regret the $$ spent on that.)
-
November 10th, 2004, 03:03 PM
#8
Ok. Now that makes sense (or maybe it was just stated in a way that my simple mind could grasp). It is strange that they would bundle it in such a way that it HAS TO reside on the very same server as the web/PDC/etc.
I wasn't trying to be difficult with my question, I was just trying to understand why it wasn't recommended.
I have a rec for either a Soho or a Watchguard and will order it today.
Thanks!
-
November 10th, 2004, 05:53 PM
#9
I have a couple of sites that run SBS 200x.
I believe the ISA is bundled for security and internal access...an intranet site...and not recommended for public access. Yes, they do have public services available for the clients to work remotely...
and you need a VERY strong password policy enabled for these services to be and remain secure....and put a hardware firewall in front.
Get a real server if you want to host a public website. Or set the SBS up for the services and pay to host your website\public access somewhere else.
The SBS is for small businesses to be able to have bundled services at a lower cost without the small business having to buy 4 separate servers, apps and CALs etc.
You cannot install any of the SBS components SQL, Exchange, ISA etc on another server unless you buy separate licensing for that server and set it up as a member.
The SBS is the domain controller.
My .02 cdn
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
November 10th, 2004, 08:57 PM
#10
I agree with Morgan. The bundling of ISA in SBS is intended to give a small business a certain degree of proxy, web caching, internet sharing, and internal website protection... Using the Sonicwall firewall in conjunction with ISA would work and give you a lot more protection than just using the ISA server as your firewall, exchange, iis, etc.. etc.. etc....
Nobody ever said that MS marketing in the past has been majorly concerned with putting out security products that agree with what everybody will tell you is a good model.