Solved

ISA Server 2006 Replacement

Posted on 2014-01-21
33
2,977 Views
Last Modified: 2014-03-11
We have an AD forest with about 20 sites. Each one has an ISA Server 2006 which acts as a proxy server.
I personally don't like that solution, since it is a bit of overhead to have an ISA Server 2006 on a site with only 3-5 employees.

I personally would have a centralized solution from which each site could be administered.

I also want to replace ISA Server 2006 with something new and more performant.

What could a good solution look like?
0
Question by:DukewillNukem
33 Comments
 
LVL 27

Expert Comment

by:Steve
ID: 39799670
There's not really enough info for us to be able to make any recommendations.

What features of the ISA server do you use/need?

Do all your sites connect to a central site/server, or are they all running independently?

What 'administration' would you like to be able to perform centrally?
0
 

Author Comment

by:DukewillNukem
ID: 39799720
As previously described, ISA works only as a proxy and each runs independently. That's it.

I want to be able to administer each single site from our headquarters: white/blacklisting, etc.
0
 
LVL 27

Expert Comment

by:Steve
ID: 39799782
So you are referring only to the web filtering element of ISA?

A web-based filter may be your best bet then, as the other options I could recommend wouldn't allow central management of the filter.

OpenDNS is one option but fairly easy to circumvent.
Webroot, Websense & Barracuda are all well known and work well.

Some routers include this facility for a small subscription, but you'd have to manage them individually.
0
 

Author Comment

by:DukewillNukem
ID: 39799867
Not only.
I prefer to have an appliance where I can do all the work from one central point. I thought about Bluecoat and/or F5; that seems to be a good one too.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39800038
You are probably looking at application filter, network filter, secure gateway, reverse and forward proxy, DNS firewall, web application firewall, anti-DDoS, web defacement service, data leakage, breach detection etc. That is too huge for a one-size-fits-all and also not scalable for a single appliance, as it becomes a bottleneck in performance and security is deemed the culprit. Actually each capability has its own leading solution or provider. We are saying to optimise and replace TMG for a start; then I do think application delivery controllers such as F5, Citrix or even A10 come into the picture.

Taking F5 for example, it starts off with LTM, which can serve as network controller and has the Advanced FW (network FW to be exact) and App Security module (WAF) that can be added on. More still, it has APM for access control to proxy Kerberos, NTLM, SSL VPN and even act as SAML gateway for AD Federation Services or the like, not forgetting they are a load balancer from the start. They likely lose out on breach detection such as malware analysis, network forensics or sandbox capability, but that may not be your priority. ASM does support ICAP to an AV server if needed.

Just some F5 APM examples or use cases:
https://devcentral.f5.com/articles/tmg2f5-series-publishing-microsoft-exchange-using-f5
https://devcentral.f5.com/articles/-ldquoapples-to-apples-rdquo-comparing-an-apm-deployment-to-tmg

Interestingly, this article (with a series of evaluations performed) performs some elimination of providers, which you may want to take a look at: https://www.winsec.nl/2013/01/16/securing-edge-post-tmg-world/

But in its summary (part 6) https://www.winsec.nl/2013/03/29/securing-edge-post-tmg-world-part-6/, it concluded with the below:

the main factors that drove this decision were:

Hyper-V support
Excellent GUI
Ease of use / gradual learning curve
Authentication model
Application control
Wide support for VPNs
Depth of customization
Depth of reporting
User friendliness (user portal, graphical error messages)
Level of support available
Modularity (through licensing)

So yeah, that basically sums it up for this blog series.
Expect to see some follow ups with tips, advice, scenarios etc. in the near future when we start migrating the first ISA and TMG deployments to Sophos UTM.

Eventually it depends on what you need, and I believe the existing rule migration is a big criterion for the winner-take-all...
0
 
LVL 27

Expert Comment

by:Steve
ID: 39802477
"Not only."
Sorry mate. Not sure what you mean by that.

You can certainly consider a single appliance, but it has big downsides when shared out for multiple sites.
Selecting a site to host the device is important, as you need to consider bandwidth and the ability for all sites' traffic to flow smoothly to this central point.

You also need to consider how the sites would function if this central point wasn't reachable for any reason.
0
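One concrete place the "central point unreachable" question shows up is in the proxy auto-config (PAC) script that points each site's browsers at the central proxy. The example below is added here and is not part of the thread or any vendor's product; the host names, port and internal domain names are assumed placeholders. It fails over to the site's own proxy rather than to DIRECT, so an outage of the central box does not silently bypass filtering.

```javascript
// Added example: PAC script for a centralised forward proxy with a per-site
// fallback. All names below are assumed placeholders, not real hosts.
var CENTRAL_PROXY = "proxy-hq.corp.example:8080";   // assumed central appliance
var SITE_PROXY    = "proxy-site.corp.example:8080"; // assumed local fallback

// Internal zones that should never be sent out through the proxy.
var INTERNAL_DOMAINS = ["corp.example"];

// Suffix match written out by hand instead of the PAC helper dnsDomainIs(),
// so the same logic runs in a browser PAC engine and stand-alone under Node.
// Requires a dot boundary: "evilcorp.example" does not match "corp.example".
function endsWithDomain(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function isInternalHost(host) {
  if (host.indexOf(".") === -1) return true; // plain single-label intranet name
  for (var i = 0; i < INTERNAL_DOMAINS.length; i++) {
    if (endsWithDomain(host, INTERNAL_DOMAINS[i])) return true;
  }
  return false;
}

// Weak variant: a trailing DIRECT means that when the central proxy is down,
// clients fall open and browse unfiltered. Shown only for contrast.
function FindProxyForURLFailOpen(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  return "PROXY " + CENTRAL_PROXY + "; DIRECT";
}

// Hardened variant: browsers try the central proxy first and move on to the
// site proxy only if it is unreachable. No DIRECT at the end, so the failure
// mode is "no internet" rather than "unfiltered internet".
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  return "PROXY " + CENTRAL_PROXY + "; PROXY " + SITE_PROXY;
}
```

Browsers cache a failed proxy for a while before retrying it, so the fallback path carries real traffic during an outage and the site proxy must be sized for that.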
 
LVL 61

Expert Comment

by:btan
ID: 39802733
Indeed a single appliance is not the best fit for multiple sites, especially for an international org spread out over a wide locality. The key is to know where (regardless of site) the perimeter or boundary is that you are seriously going to guard and invest the control inspection in. You cannot inspect what you cannot see, so the traffic is supposed to go through that, ideally including VPN. However, that is the idealistic and simplistic assumption we make, but minimally that sets the bar to catch most traffic if you can set the boundary for the critical services and enclave them as architecture...
0
 

Author Comment

by:DukewillNukem
ID: 39802801
All sites are connected through MPLS, but the traffic is unencrypted. So, from any site I want to connect to the internet, I will have to go through a proxy.

Therefore, a single proxy should be able to cover every single site, and that should be possible, right?
0
 
LVL 61

Expert Comment

by:btan
ID: 39802851
Should not be an issue, and that is what a proxy is supposed to do for traffic going through it. The box just needs to be able to sustain that performance for real-time filtering. For F5 I believe they have LTM and WOM too, in case you need site-to-site WAN optimisation. For multiple sites, they should still go through the same proxy policy checks.
0
 

Author Comment

by:DukewillNukem
ID: 39802898
So, a single proxy would be a one-size-fits-all solution? Question is, which product (next to F5) would fulfill all the needs? And how should it be configured?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39803179
Yes, but the caveat is that F5 is primarily a reverse proxy in the making from the beginning. Forward proxy is viable but not its strength.

I see the NGFW or UTM build can also be a candidate. If you check my first posting's links, you see that they eliminated a list of possibles and drilled down to Sophos. Coming back, they do have application proxy gateway capability.
http://searchsecurity.techtarget.com/magazineContent/NGFW-Getting-clarity-on-next-gen-firewall-features
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39803219
This is the link to Sophos UTM, and you can catch the proxying section:
https://www.winsec.nl/2013/03/29/securing-edge-post-tmg-world-part-5/
0
 

Author Comment

by:DukewillNukem
ID: 39811561
I don't care so much about the product itself; it could be anything.
Our situation is as follows: each site has its own ISA 2006 server which gets administrated separately, because each site is independent from the others with its own provider.

According to our CEOs, this must change in future. Each site must be administered from a single, central point.

So, what could be a solution that fulfills our needs?
0
 
LVL 61

Expert Comment

by:btan
ID: 39811695
Then the above has shared that it can be fulfilled from a central box.
0
 

Author Comment

by:DukewillNukem
ID: 39811742
Which one?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39812245
Pardon me, it is the Sophos UTM. The "Proxying" and "Advanced Features" sections describe it further: https://www.winsec.nl/2013/03/29/securing-edge-post-tmg-world-part-5/
0

Author Comment

by:DukewillNukem
ID: 39817610
That one looks interesting. Is there another product, so I can compare them?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39817678
Probably
Barracuda NG - one thing highlighted is that it lacks user-controlled overriding (or soft blocking, as it is known in other products), which allows you to select a subset of users who get to override certain filters if required
https://www.winsec.nl/2013/02/23/securing-edge-post-tmg-world-part-4/
0
 

Author Comment

by:DukewillNukem
ID: 39841319
Oh, thank you.
0
 

Author Comment

by:DukewillNukem
ID: 39867297
We also have Sourcefire as IDS, but I'm certain we can get rid of that one too and have an "all-in-one" solution. Any other suggestions?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39867312
That is what UTM "wants" to offer, and since you already persist for the multi-feature, UTM or NGFW is probably the possible candidate. Cisco also bought over Sourcefire, and they have the Cisco ASA CX (but it is not Sourcefire inside, though they have IPS capability already built in for CX, not a separate physical module).

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/qa_c67-700607.html
0
 

Author Comment

by:DukewillNukem
ID: 39867338
Cisco also bought Sourcefire?? Didn't know that... Since we already have Cisco firewalls too, that could lead to an easy decision...
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39869116
Good to poll those "sales" guys again, and probably an upgrade is more enticing and optimal for the all-in-one that you are looking at.

http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/sourcefire.html#~faqs

Q: What are the plans for Cisco integrated IPS on ASA?
A: The ASA is an industry leading firewall and Cisco intends to continue to aggressively invest and evolve the ASA. Specifically, Cisco intends to utilize the Snort engine and signature set as part of the ASA integrated IPS offers. This is in-line with the architectural evolution that was already planned as part of the Cisco platform evolution and is consistent with Cisco's commitment to growing the Snort open source community and Snort usage across the industry.

Q: What are Cisco's plans for the Sourcefire FirePOWER Platforms?
A: Sourcefire's FirePOWER platform is a powerful, integrated multi-service security appliance which aligns very well to Cisco's overall platform strategy. The FirePOWER platform performance and efficacy has been demonstrated by NSS Labs and other independent 3rd party tests. After close, Cisco intends to build upon this success and plans to further accelerate the roadmap and adoption of the FirePOWER platform.
0
 

Author Comment

by:DukewillNukem
ID: 39869659
OK.
Here's a follow-up from our infrastructure: we do have about 30 ISA servers on each of our sites, and we have deployed some ISA server chaining, because from sites in countries like China, websites like, say, BBC or ABC are not available.
To successfully migrate, this fact must be considered and deployed.
In future, I want to administer each site from one single point. Is that possible?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39870008
Though I have not used it, they do seem to have central management of the various chained devices, including existing ASA.

http://www.drchaos.com/comparing-asa-management-internal-vs-external-cisco-prime-security-manager-overview/

For those that want to centralize managing all security features for both 1st and 2nd generation ASAs, Cisco offers External Prime security manager. For example, you can push out one Access List or Policy to enforce something to all security solutions on your network (ASA 5520s, ASA5545s and any CX modules as an example). External Prime can be an appliance or VM and has a cost.
0
 

Author Comment

by:DukewillNukem
ID: 39881907
I forgot to mention that we have ISA chaining as a solution. So Sophos would fulfill this all too?
0
 
LVL 61

Expert Comment

by:btan
ID: 39882215
I see Sophos may not even do chaining though, but the implementation aspects will be best clarified by the principal based on the capacity provided. At most they are looking at an HA configuration with all traffic coming into the same node, and the sizing is to be properly catered for on the effective throughput load.
0
 

Author Comment

by:DukewillNukem
ID: 39882228
Looks like this could be our best solution... Any other suggestions?
0
 
LVL 61

Expert Comment

by:btan
ID: 39882282
Maybe better to focus on Cisco CX and Sophos UTM :) We can hear from others though.
0
 

Author Comment

by:DukewillNukem
ID: 39882325
From that point, I'd go for Sophos.
But we also have Sourcefire IDS. Maybe we can implement that into Cisco ASA.
0
 
LVL 61

Expert Comment

by:btan
ID: 39882378
Thanks for sharing
0
 

Author Comment

by:DukewillNukem
ID: 39919903
Since it's not clear what Cisco is up to, I'd better wait. However, with our proxy solution we can proceed. Here's even more info: there is proxy chaining implemented, and that seems to be the trickiest part: how do we migrate all those settings into a single appliance/device?
0
 
LVL 61

Expert Comment

by:btan
ID: 39920008
I do suggest not delving into proxy chaining support in the replacement, as it may have other means to achieve it that are not termed proxy chaining; have the support or sales people advise instead. The use case outcome should stand to lessen the overall impact.
0
