Is ISA actually any good - General consensus????

Feb 19, 2002
We are pilot testing a new ISA server and users are complaining sometimes that pages get dropped or come through half loaded.

Other problems are downloading from FTP sites. Every user local to the server can download OK whereas users in a remote site cannot. Other users are on Check Point FireWall-1, which performs excellently.

Sometimes the ISA box needs to be rebooted

I am not looking for a fix to the above issue just a general consensus on what people think of this product. This is the second time I have encountered ISA servers in different jobs and the same problems always seem to crop up

Does anyone actually think it is any good? (if so do you have many users, remote sites?)

I'm not doing market research just curious about whether to dump this ISA and go for a different product?

Any comments much appreciated, thanks

"Work to live, don't live to work"

"The problem with troubleshooting is that sometimes it shoots back"
 
I like the ISA server on the inside part of a back to back firewall. We use a hardware based firewall for the outside. I do like the ability to integrate with active directory for users and groups. There are some weird things, but I have found answers for most of them. I do like the control by user.

Some things feel quite different compared to other firewalls that I have worked with.

I probably would not trust it as my only firewall, but I am happy with it on the inside.

Dan
 
Hi,
I agree with Dan. I also use ISA in conjunction with a hardware firewall and have found it to be a bit quirky but good overall. It's easy to manage internet access on a large scale, and the enterprise policy becomes very useful when dealing with multiple sites.
However, I'm also not sure if I would trust it as a firewall on its own.

Mike

 
I would trust it; it is the first Microsoft firewall to be certified as such by the independent firewall testing authority.

At the end of the day all firewalls are software running on hardware regardless of what make or model, so when people say hardware firewall vs. software firewall there is no difference.

ITmontyp

So Long and thanks for all the fish :)
 
Whassup, all!

I agree with ITMontyP (not just because Monty is my nickname either). ISA is no different than any other firewall product, in the sense that it's just code running on top of some OS-based code, running on top of hardware.

The pluses to using ISA to me are too numerous to mention. I deploy it to protect both internal and public networks. It's easy to configure, if you've configured firewalls before. It's rock solid. Very versatile in the amount of information you can collect from hosts, both inside and outside. Easy to train other people how to use. Extremely granular in the control of traffic to users, groups, and machines. Love the way it integrates with AD (and even if you aren't deploying AD, it's still "da bomb" firewall). Most of all, it's extremely secure, so long as you keep up with the security bulletins, hotfixes and SPs for the product.

Like any PC-based software product, its reliability will depend upon the reliability of the hardware it sits on. Put it on a spare box and you're beggin' for trouble. Put it on a server-grade (whether you build it or an OEM does is irrelevant if you're using tried-and-true technology, parts and you know what you're doing) machine and you can set your watch to it almost.

If you're interested in how I've been deploying it as a solution to small business, enterprises, non-profits, etc. just holler at me. I'll share with you what I know.

Technology is a lot like love. You can shape it and develop it; but it's useless until you share it. Word.
 
I agree that its AD integration is a major plus, as is its ease of use. However, it just seems that users complain that pages get dropped or only half load, with the feeling that the ISA server just "gives up". I have stopped using it and use our old firewall.

Is this a timing out issue or TTL issue? I'd be interested in seeing screenshots or settings used that give a stable and reliable ISA, and by reliable I mean that 99% of pages are delivered to the users.

"Work to live, don't live to work"

"The problem with troubleshooting is that sometimes it shoots back"
 
Immacola

Maybe you could provide us with your configuration and let us see if there are any obvious problems.



ITmontyp

So Long and thanks for all the fish :)
 
OK, the main problems are in Internet Explorer, with users getting a "10060 - connection timeout" error message.

Have tried all the suggestions from MS, so I am assuming it is because the link we are using is congested, so I want ISA to route packets through our less congested link. How do I do this, as I cannot change the default gateway for the following reason:

The router is connected to the following 2 firewalls, then to the internet:
138.a.b.c firewall - heavily congested
138.a.d.e firewall - less congested

The router's default gateway is 138.a.b.c (router has 10.0.0.0 and 138.0.0.0 subnets bound to it on the inside).

ISA is on a 10.x.0.0 network; its DF gateway = 10.x.0.y and cannot be changed to the 138.a.d.e gateway as it is on a different subnet.

I want to make the ISA retrieve web requests via our other gateway, which is ie 138.a.d.e. (firewall B) - "Less congested"

It has to be done at the ISA end because when it reaches the router, the router's gateway of last resort is always 138.a.b.c

Any ideas? I want to avoid having to utilise a downstream ISA server.

"Work to live, don't live to work"

"The problem with troubleshooting is that sometimes it shoots back"
 
Could you provide the info on your 2 network cards in your ISA server?

IP address
subnet mask
default gateway

What services are bound to each?

From a command line do a route print > route.txt & post the results.

Cheers



ITmontyp

So Long and thanks for all the fish :)
 
The ISA has one network card only, with 2 IP addresses bound to it.

They are:
10.x.0.y (main one on the ipconfig)
138.a.b.c (extra one bound to the card)



"Work to live, don't live to work"

"The problem with troubleshooting is that sometimes it shoots back"
 
That may be a big part of your problem. I would highly recommend running the ISA Server with two different NICs. First of all, I think that is the only way you will have an effective firewall blocking access. Additionally, it has to be a lot of traffic on one NIC to try and pick up all of the traffic and deliver it. NICs don't cost that much and it is really the right way to go. We don't have the problems that you are indicating with 300 users accessing the Internet through our ISA Server running on a 500 MHz processor on the server.

Dan
 