DukewillNukem


ISA Server 2006 Replacement

We have an AD forest with about 20 sites. Each one has an ISA Server 2006 which acts as a proxy server.
I personally don't like that solution, since it's a bit of overhead to have an ISA Server 2006 on a site with only 3-5 employees.

I personally would have a centralized solution from which each site could be administered.

I also want to replace ISA Server 2006 with something new and more performant.

What could a good solution look like?
Steve

There's not really enough info for us to be able to make any recommendations.

What features of the ISA server do you use/need?

Do all your sites connect to a central site/server or are they all running independently?

What 'administration' would you like to be able to perform centrally?
DukewillNukem (ASKER)

As previously described, ISA works only as a proxy and each runs independently. That's it.

I want to be able to administer each single site from our headquarters: white/blacklisting, etc.
So you are referring only to the web filtering element of ISA?

A web based filter may be your best bet then, as the other options I could recommend wouldn't allow central management of the filter.

OpenDNS is one option but fairly easy to circumvent.
Webroot, Websense & Barracuda are all well known and work well.

Some routers include this facility for a small subscription, but you'd have to manage them individually.
Not only.
I prefer to have an appliance where I can do all the work from one central point. I thought about Bluecoat and/or F5, that seems to be a good one too.
ASKER CERTIFIED SOLUTION
btan
"Not only."
Sorry mate. Not sure what you mean by that.

You can certainly consider a single appliance but it has big downsides when shared out for multiple sites.
Selecting a site to host the device is important as you need to consider bandwidth and the ability for all sites' traffic to flow smoothly to this central point.

You also need to consider how the sites would function if this central point wasn't reachable for any reason.
Indeed a single appliance is not the best fit for multiple sites, especially for an international org spread out over a wide locality. The key is to know where (regardless of site) the perimeter or boundary is that you are seriously going to guard and invest the control inspection in. You cannot inspect what you cannot see, meaning the traffic is supposed to go through that, ideally including VPN. However, that is the idealistic and simplistic assumption we make, but minimally that sets the bar to catch most traffic if you can set the boundary for the critical service and enclave them as architecture ...
All sites are connected through MPLS, but the traffic is unencrypted. So, from any site I want to connect to the internet, I will have to go through a proxy.

Therefore, a single proxy should be able to cover every single site and that should be possible, right?
Should not be an issue, and that is supposedly what a proxy should do for traffic going through it. The box just needs to be able to sustain that performance for real-time filtering. For F5 I believe they have LTM and WOM too in case you need site-to-site WAN optimisation. For multiple sites, they should still go through the same proxy policy checks.
So, a single proxy would be a one-size-fits-all solution? The question is, which product (next to F5) would fulfill all the needs? And how should it be configured?
SOLUTION
SOLUTION
I don't care so much about the product itself, it could be anything.
Our situation is as follows: each site has its own ISA 2006 server which gets administered separately because each site is independent from the others with its own provider.

According to our CEOs, this must change in future. Each site must be administered from a single, central point.

So, what could be a solution that fulfills our needs?
Then the above has shared that it can be fulfilled from a central box.
Which one?
SOLUTION
That one looks interesting. Is there another product, so that I can compare them?
SOLUTION
Oh, thank you.
We also have Sourcefire as IDS, but I'm certain we can get rid of that one too and have an "all-in-one" solution. Any other suggestions?
SOLUTION
Cisco also bought Sourcefire?? Didn't know that.... Since we already have Cisco firewalls too, that could lead to an easy decision.....
SOLUTION
OK.
Here's a follow-up from our infrastructure: we do have about 30 ISA servers across our sites and we have deployed some ISA server chaining, because from sites in countries like China, websites like, say, BBC or ABC are not available.
To successfully migrate, this fact must be considered and deployed.
In future, I want to administer each site from one single point. Is that possible?
SOLUTION
I forgot to mention that we have ISA chaining as a solution. So Sophos would fulfill this all too?
I see Sophos may not even do chaining though, but the implementation aspects will be best clarified by the principal based on the capacity provided. At most they are looking at an HA configuration with all traffic coming into the same node, and the sizing is to be properly catered to the effective throughput load.
Looks like this could be our best solution.... Any other suggestions?
May be better to focus on Cisco CX and Sophos UTM :) We can hear from others though.
From that point, I'd go for Sophos.
But we also have Sourcefire IDS. Maybe we can implement that into Cisco ASA.
Thanks for sharing
Since it's not clear what Cisco is up to, I'll better wait. However, with our proxy solution we can proceed. Here's even more info: there's proxy chaining implemented, that seems to be the trickiest part: how do we migrate all those settings into a single appliance/device?
I do suggest not delving into proxy chaining support in the replacement, as it may have other means to achieve it that are not termed proxy chaining - have their support or sales advise instead. The use case outcome should stand to lessen the overall impact.