


Posted on 2001-06-06
Medium Priority
Last Modified: 2010-07-27
We are considering upgrading to Small Business Server.  It has proxy, which I gather is a firewall. I am looking to implement a network security solution. Can someone clear up for me what the difference is between Proxy and a hardware firewall, and suggest which will be a better choice? Let me give you a breakdown of what we have.

1  Win 2k server with exchange 2k
10 Win 2k pro
2  Win 98

We use outlook Web Access.  
We do not host web, ftp or anything else.

Should we 1st invest in a server and put Exchange on it, and still give it a public IP so we can access OWA (OWA is accessed through dynamic ISP IPs)? Then install the DC on an internal IP to protect data.

Or should we just go ahead and invest in Small Business Server, and Proxy will do the job.

Our goal is to protect data, while allowing OWA, and Terminal server capabilities (administrative for now and possibly applications in the near future).
Question by:sjs

Expert Comment

ID: 6162517
A proxy server is a server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Most firewalls also have the capability to provide proxy services.

You could use SBS to provide proxy services but I would definitely not recommend it for firewall services.

For a firewall you could go out and purchase a hardware firewall or use FreeBSD on an old PC.  FreeBSD has a very good firewall implementation and the software is free.

Good luck.

Expert Comment

ID: 6163021
Chapo's solution is good, as long as you have FreeBSD skills. A hardware firewall is an overkill and I doubt there is a budget for it.

Since you are using Windows 2000, you can implement ISA (Internet Security and Acceleration) Server. It is based on Checkpoint-1 firewall which is a de facto industry standard. It also incorporates proxy services and integrates completely with W2K.

Accepted Solution

Droby10 earned 400 total points
ID: 6163765
from the standpoint of internally sourced requests, the functional differences between a proxy and firewall are as follows....

a proxy will act on behalf of the client...
  - ie. a client makes request to proxy, proxy makes outbound request, proxy returns results to client.

there is generally a secondary protocol or application protocol extension that is used for secure transmission between the client and the proxy (and possibly the proxy and the next proxy,...,...)


a firewall will forward/route/[translate] packets...
  - ie. client makes outbound request, traffic flows through firewall's inbound and outbound tcp/ip stack where each packet is subject to the rules, if the traffic is allowed then the firewall will forward the traffic to the next hop.  when response traffic comes back this process is in reverse.

this can be hardware -or- software.
  - [hardware] shasta, nokia ip*** (which really runs checkpoint, so it's a toss-up)
  - [software] ipfw/ipfilter/checkpoint/etc.

[which one's better?]
depends on organizational structure, size, and the support availability for each of the options being evaluated both internally and from the vendor.  while it's a general consensus that proxies provide more security (in the form of application-level security, instead of network-level security), i'm personally a fan of firewalls.
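The network-level versus application-level distinction drawn in the accepted answer above, as an added example that is not part of the original thread. The addresses, the tcp/80 rule, the `/exchange/` and `/exchweb/` prefixes and the function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed values (documentation/private ranges), not taken from the thread.
OWA_HOST = "192.0.2.10"   # hypothetical Exchange/OWA server
DC_HOST = "10.0.0.5"      # hypothetical internal domain controller

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

# First-match rule table: (action, destination network, protocol, port).
# None means "any". Assumes OWA is served over plain HTTP on tcp/80.
RULES = [
    ("allow", ipaddress.ip_network(OWA_HOST + "/32"), "tcp", 80),
    ("deny", ipaddress.ip_network("0.0.0.0/0"), None, None),
]

def firewall_decide(pkt, rules=RULES):
    """Network level: only header fields are compared; payload is never seen."""
    dst = ipaddress.ip_address(pkt.dst)
    for action, net, proto, dport in rules:
        if dst in net and proto in (None, pkt.proto) and dport in (None, pkt.dport):
            return action
    return "deny"  # default deny if no rule matched

ALLOWED_PREFIXES = ("/exchange/", "/exchweb/")  # assumed OWA virtual directories

def proxy_decide(raw_request):
    """Application level: parse the HTTP request line before relaying it."""
    try:
        method, target, version = raw_request.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"  # not a well-formed request line
    path = unquote(target.split("?", 1)[0])  # decode %xx before checking
    if method not in ("GET", "POST") or not version.startswith("HTTP/1."):
        return "deny"
    if "\\" in path or ".." in path.split("/"):
        return "deny"  # traversal out of the published directories
    return "forward" if path.startswith(ALLOWED_PREFIXES) else "deny"
```

A request that the packet filter allows (tcp/80 to the OWA host) can still be refused by the proxy, because only the proxy looks at what is being asked for.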


Expert Comment

ID: 6163784
the best answer i can give is set up a dmz.
yes, you may only be providing a single service in the way of exchange...but it sounds like you could be expanding that at some will also save you heartache when a get-by solution causes complete compromise of your systems.

Expert Comment

ID: 6164191
Nenadic, What makes you think that ISA is based on FW-1?

Expert Comment

ID: 6164827
You could use some kind of a hardware router/firewall with the server as a DMZ and let the router do NAT to firewall the rest of the boxes. I assume you just want Internet access for the users. Linksys, Netgear, Asante make low end routers or look at Cisco.

Expert Comment

ID: 6165058
MS Proxy includes packet filtering, which makes it a firewall.  I don't know if Microsoft would be my first choice for a security product, though.

You could run proxy, Exchange, etc. all on one server, but even Microsoft doesn't recommend that.

What I have done (on MS's recommendation) is set up Proxy on one machine, either PDC of its own domain or a member server (not DC) of your existing domain.  Then harden it by disabling unnecessary services (OK, everyone, stop laughing at the idea of "hardened" Windows).  Put the Exchange server behind it, and use reverse hosting to have the Proxy server pass traffic to it.

To enable the Exchange server to exchange mail with the Internet, you'll also have to do server proxying: install WinSock Proxy Client on it and do a little configuration as outlined in

But if you're using Win2k, then as mentioned above, ISA might be a better option.  I haven't used ISA, so I can't comment on it.  My understanding is that it's just an upgraded Proxy, so the configuration ought to be similar.

For security and stability reasons, I wouldn't run anything but Proxy on my proxy server if at all possible.

For such a small network, how about a Cobalt Qube?  It has a basic proxy on it....

Expert Comment

ID: 6165109
Actually ISA is now a full fledged stateful firewall with some application proxies.  It performs pretty well, but if you don't need Active Directory integration I would probably opt for a hardware solution like SonicWall or Watchguard.  They are easier to configure and troubleshoot.

Expert Comment

ID: 6168492
If you want to have the best firewall, go into Linux!
Else, just use a simple router (hardware).

Expert Comment

ID: 6168587
No matter how you slice it, you should have your proxy/firewall on a separate device.  So I'll second geoffryn's comment; your life will be easier if that device is an appliance instead of a Windows server.  And it might be more secure....

Expert Comment

ID: 6236590
First, do not "upgrade" to sbs.  This product is notorious for its problems and has been since its inception.  Linux isn't a good firewall choice as most people don't know how to configure it and it may be hard to get support.  I suggest a hardware device.  There are many soho devices on the market that may be good for you.  I sell mostly the cisco pix.  The 506 model is less money than a pc and is dummy proof.  It will translate for your exchange web box and will protect your entire network.  Do NOT put exchange on the public network.  It will be most likely hacked in hours unless you know how to secure it and then it's still not too secure.  Remember that although proxy does offer some protection, it was developed to speed up internet access via caching for shops with slow links.  In my experience most software firewalls are more expensive and harder to work with than a dedicated firewall device.  The checkpoint is great if you have an extra server and 10 grand.  I have heard good things about the sonic wall devices although I'm no expert on them.  I have done what you're asking with the pix for dozens of clients, but I'm sure that most sub 1500$ devices would do the same thing.
Hope this helps.

Expert Comment

ID: 6237926
I agree with bseaman. I am running Linux for Apache, ftp, and am setting up email. I have multiple Virtual Hosts set up. I had linux running as a firewall then realized that a hardware device meant the network stayed up as I was restarting the Linux Box. If linux was the firewall it put a lot more heat on me to keep it up 24/7 while I was learning. I've used Linksys, Netgear, and Asante routers for DSL and been pretty pleased (the $100-$200 price tag is pretty painless). Most have the option of setting up one internal IP address as a DMZ where that computer appears from the internet side is exposed. Then you have NAT for the rest plus you can forward specific ports to specific computers. I've considered going with a higher end router but am not sure what the differences would be nor the costs.
