
ISA server

Last Modified: 2012-05-05
How secure is ISA server when running directly connected to the internet?  Does anyone recommend this?  Is this something that should run behind a good hardware firewall, or is this a good stand-alone firewall?

Keith AlabasterEnterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
ISA server can operate in any of these modes safely. Love them or hate them, Microsoft's ISA is recognised as one of the best application layer firewalls on the market. It can also perform content filtering as well as the standard packet filtering. Personally I tend to run a hardware firewall on the outside for my installs even if this is simply the firewall on a DSL router. This allows all the rubbish I don't want to be blocked immediately without ISA having to waste resource/processing time checking things it need not be concerned with.

The best combination I have seen to date is a PIX on the outside with the ISA as an internal firewall. If you are going to be using VPNs I tend to use the Cisco PIX to terminate these. Anything else on the outside of the ISA, I terminate the VPNs on the ISA itself.

The one exception to the rule is for SBS. This uses a slightly cut-down/amended version of ISA as it runs on the SBS DC server. On these I always use a hardware firewall to put something between the DC and the Internet.

Regards
Keith

Author

Commented:
Agreed on SBS running DC with router.  That's a must.  Good point on letting the DSL router handle the rubbish.  

I'm not totally clear with the following statement.  Got the first part, but on the second, do you mean if you are running a router other than a PIX, you terminate the VPN internally to the ISA?

> If you are going to be using VPNs I tend to use the Cisco PIX to terminate these.
> Anything else on the outside of the ISA, I terminate the VPNs on the ISA itself.


Keith AlabasterEnterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Yes, that is what I was saying but that is a personal view rather than a technical view.

I have a knowledge of the Cisco PIX firewalls and am happy for them to terminate my VPNs when the client has purchased one (a PIX) with the ISA server inside acting as the internal firewall.
If the client has not purchased a PIX, I make the alternative external firewall/router act as a passthrough for VPNs and terminate them on the ISA server itself.
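The "passthrough" arrangement Keith describes (an external PIX that forwards the VPN protocols untouched so that ISA terminates the tunnels) is shown below as an added illustration; it is not configuration from the original thread. It assumes PIX 6.3 syntax, a constructed public address 203.0.113.10 mapped to a constructed ISA external NIC 192.168.1.10, and an access list named outside_in.

```text
! Added example (PIX 6.3 syntax), not part of the original thread.
! Constructed addresses: 203.0.113.10 = public IP, 192.168.1.10 = ISA external NIC.
! One-to-one static NAT so the ISA external interface is reachable from the Internet.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! IPsec/L2TP passthrough: IKE (UDP 500), NAT-T (UDP 4500) and ESP itself.
! Without the ESP line, tunnels negotiate but carry no traffic.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit esp any host 203.0.113.10

! PPTP passthrough: the control channel (TCP 1723) plus GRE for the data channel.
! Forgetting GRE is the classic "authenticates but never connects" symptom.
access-list outside_in permit tcp any host 203.0.113.10 eq pptp
access-list outside_in permit gre any host 203.0.113.10
fixup protocol pptp 1723

! Nothing else inbound: only the VPN protocols reach ISA, which does the
! authentication, client policy and logging for the tunnels.
access-group outside_in in interface outside
```

Because the PIX only passes the protocols through, all VPN authentication and policy enforcement lives on ISA; watch the ISA VPN logs, not the PIX, for failed logons.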

Author

Commented:
I have a PIX 501 running 6.3.  Do you have any experience with this model?  Is this a 'secure' firewall to use at this point, or is the OS getting a little outdated, and possibly needs upgrading to run in front of ISA?
Keith AlabasterEnterprise Architect
CERTIFIED EXPERT
Top Expert 2008
Commented:
6.3(5) is the latest version of the PIX IOS (the 501/506 cannot run version 7).

Yes, this is fine from a security point of view. It will certainly run 'in front of' ISA perfectly well. I believe that 6.3(5) had some updates in respect to some of the VPN support so an upgrade to this version if you have an earlier one will certainly be beneficial to you.

So, in summary.

An external connection fronted by your 501 and backed by ISA 2004 SP2 is one of the most powerful combinations I can think of as well as being one of the most flexible.

'Up'ing the PIX501 from 6.3(x) to 6.3(5) would be a good move purely for the enhanced updates regarding the PIX VPN capabilities plus access to the latest PDM software for web based configuring if you use that.

Regards
Keith


Author

Commented:
Cool.  Thanks.
Keith AlabasterEnterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Welcome