danielevans83 asked:
Best Way to Setup Windows-based Proxy / Content Filtering Server?

I want to set up a Windows-based transparent proxy server. If Windows is not the best way to go let me know.

I want to accomplish this:
Control over Port 80 (hopefully block some spyware/malware), possibly even cloak 80 and use 8181 or something.
HTTP/HTTPS Proxy
Web Caching
Web Content Filtering
Some form of QoS to control bandwidth
Simple Network Monitoring (SNMP, Netflow)

What would be the best software to get this done with, and what would be your recommendation? I've seen some Windows-based products such as WinProxy or CCProxy and they look okay...
I've also seen some Linux products such as Squid or DansGuardian which look promising. What do you think?
AC_Nova:
I would go with ISA 2006 from Microsoft. Our company uses ISA as a back-end firewall as part of the DMZ - very good - easy to use and has excellent documentation.

Content filtering add-on: Websense

www.isaserver.org

http://www.microsoft.com/isaserver/prodinfo/features.mspx
danielevans83 (asker):
Is this an economically feasible solution for a small business with under 100 employees?
If you already have a server that can do the job then the software is around 1000 GBP.
Are there any alternatives to MS software that are Windows-based? I prefer not to use MS products if I can help it. I'd ultimately prefer a Squid Linux box set up if any Linux guys are available on EE, but if it will be a Windows box are there any other Windows options?
Oh, never mind, we have a copy of ISA 2006; might as well use it.

How complicated is it to set up the NIC cards? I'd be stringing this in between a router and switch that are using 802.1Q port tagging most likely, so the NIC would need to be configured as such as well.

If I can get the NICs set up right then I can start testing the ISA.
The VLANs have to be included in the Internal network.

"Networks" are configured from ISA's point of view, so if you have a "Network Behind a Network", or access to internal subnets through an internal router, then logically all of those subnets are accessible through the same interface, in ISA's point of view.

After this is defined, you then create Subnet objects (or Computer Sets or Computer objects) for your internal segments and then define Access Policies to these Subnets.

Network card configuration...

On the internal NIC (facing the LAN), use internal DNS servers and no gateway.
On the external NIC (facing the router), use no DNS and a gateway of the router.
This is an edge firewall setup. If you have a firewall on your router you could set up a DMZ (depending on what apps you're using) and have the ISA as a back-end firewall.

If you are using three network cards, set up a 3-leg perimeter network and set up your rules accordingly.

Attachments: back-firewall.JPG, 3leg-5B2-5D.jpg
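An added audit script (not from this thread, and not part of ISA) that checks a dual-NIC edge box against the rule above: the internal NIC carries internal DNS servers and no default gateway, the external NIC carries a default gateway to the router and no DNS. It assumes a modern Windows with the NetTCPIP module and adapters named 'Internal' and 'External' (hypothetical names; adjust to your own).

```powershell
# Roles by adapter name (hypothetical names; rename to match Get-NetAdapter output).
$roles = @{ 'Internal' = 'internal'; 'External' = 'external' }

foreach ($name in $roles.Keys) {
    $adapter = Get-NetAdapter -Name $name -ErrorAction SilentlyContinue
    if (-not $adapter) { Write-Warning "Adapter '$name' not found"; continue }

    $ifIndex  = $adapter.ifIndex
    # Default route(s) bound to this interface, i.e. its configured gateway(s).
    $gateways = Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    $dns      = (Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4).ServerAddresses
    $addrs    = (Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4).IPAddress

    "$name ($($roles[$name])): IPv4=$($addrs -join ','); gateway=$($gateways.NextHop -join ','); DNS=$($dns -join ',')"

    switch ($roles[$name]) {
        'internal' {
            if ($gateways) { Write-Warning "$name has a default gateway; the internal NIC should have none" }
            if (-not $dns) { Write-Warning "$name has no DNS servers; point it at the internal DNS servers" }
        }
        'external' {
            if (-not $gateways) { Write-Warning "$name has no default gateway; set it to the router" }
            if ($dns) { Write-Warning "$name has DNS servers configured; the external NIC should have none" }
        }
    }
}

# Two default routes on different interfaces cause asymmetric routing through the firewall; flag it.
$allDefault = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue
$ifCount = @($allDefault | Select-Object -ExpandProperty InterfaceIndex -Unique).Count
if ($ifCount -gt 1) {
    Write-Warning "More than one interface has a default route; only the external NIC should"
}
```

Run it in an elevated PowerShell on the ISA host; any Write-Warning line points at the NIC that breaks the internal/external rule.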
We currently have no DMZ setup but are using a Cisco 2811 router with CBAC firewall enabled. There are 2 data VLANs and 1 phone VLAN defined on the router that travel through the trunk port I'm talking about.

Would I be able to set up a single wire from the router to the NIC, and set the NIC for port tagging? If so, what IP would I give the machine, or how would I give the machine an IP? Since the port the other NIC plugs into is a trunk, that would also need to be 802.1Q.

Or would I need to have a single wire coming from each data subnet I want to protect?

My assumption is this: I need to set both NIC cards to 802.1Q port tagging, and somehow give the PC a "virtual IP" on one of those subnets to access it by. Similar to setting up a switch that uses 802.1Q. Is that accurate? If not how do you set up the NICs logically?
When you enable VLAN tagging on the ISA Firewall's NIC(s), each VLAN will appear on the ISA Firewall as a different logical NIC.

Then within ISA define the scope of the internal network so that it has connectivity to the various VLANs.

On the internal switches, make the default gateway for all the VLANs the internal NIC of the ISA server.
After defining both NICs for VLAN tagging, how would I access the box at all? Currently it has a statically defined IP, but with tagging enabled it does not have an IP. This is my biggest confusion about setting this up. How would I still define it an IP so that I can remote desktop to it from the network on just one of the subnets?

Currently the default gateway for all VLANs is our router, and each subnet has an IP defined in that IP range all pointing to the same device, the router. So the logical interfaces on the router have the gateway IPs defined on them, not my switches.

I plan to wire this in behind the router and in front of our "core" switch. Would this involve me taking the IP settings off the Cisco router and defining each subnet's gateway as the ISA server's logical IP? Would that interfere with the Cisco router doing any routing? Am I understanding you correctly?
Can all your separate VLANs communicate with each other, or are they isolated?
I have an ACL allowing certain IPs to communicate with other subnets, but overall they are isolated.
Just to try to get this working, I've wired it in between my desktop and the port on the wall. I have the NICs set up as AC_Nova suggested, with the Router NIC going towards the port on the wall, and the Switch NIC going towards my desktop.

I had to assign an IP to each NIC so the server technically has two IPs. From the ISA server I can ping the internet and ping internal LAN users. When connecting through my desktop however I have no network connectivity, even when changing my desktop's Gateway to the ISA Server's IP.

How would I get basic connectivity to work? Forget 802.1Q for right now; I want to get this functional with just a single desktop on one subnet, then work on bringing the rest into it.
Keith Alabaster:
Daniel, I work in the ISA team and AC Nova has suggested I might be able to get involved in this one with you both - I am going to take this back a number of steps so that I can ask a number of questions before moving forward again. I am in the UK so our time zones will be slightly off.

I note that the original question asked for recommendations but the question has now changed to how to setup an environment/network scenario so it has expanded quite a lot.

I agree with the recommendation made above - ISA server is likely the best product on the market to get a firewall and an application gateway/reverse proxy in one system. SBS Premium came with ISA server and this had a maximum of 75 users (SBS 2003), so 100 users is certainly in the range. ISA can actually handle up to 10000 users per node as it is extremely scalable. You mentioned that you were looking for a proxy server, so I assume you do not need to use ISA as a firewall? Can you confirm?

What are the switches you are using?
What version of ISA server are you using?

Keith
ISA MVP


ASKER CERTIFIED SOLUTION
danielevans83