I need your input

Access control
Group Policy
Internet access
ISA Server
ISA Server 2006
User Permissions
Howdy folks, I have the following set up: 2 Domain Controllers - Win2k3 Standard 1 member server with Exchange 2003 Standard 100 XP Pro workstations T1 connection Currently I use a sonicwall Pro 200 firewall, Symantec Corporate edition 10 AntiVirus, and Symanted Mail Security for Exchange. Everything works fine. I need to be able to control internet access a little better than just with group policy proxy settings and such, and also monitor internet usage. It was suggested that I use Microsoft ISA server 2006 and I can purchase it through a non-profit agreement for about $60. I have never used it or seen it used and hoped you would offer your experiences/knowledge about the product. My questions: 1. Will it provide internet access control on a per user basis? 2. Can I allow only certain websites, or block certain websites? 3. Would this replace my Sonicwall firewall, or just add to it? (I would love to cancel the support agreement) 4. Does the remote user connection feature work well/reliable? 5. Is a users internet surfing speed affected by going through ISA server? This is VERY important to us. 6. Do the logs provide detailed history of internet activity? 7. Is there any SPAM, Antivirus, spyware/malware protection built in to this product? 8. Finally, are there any general, or specific "gotchas" or "pain in the butts" to watch out for with this product. Feel free to offer other product suggestions if this one is not recommended. Thanks...and hopefully that's not too many questions

Answer Wiki

Thanks. We'll let you know when a new response is added.

In general, I like (and resell) the Sonic Wall products – although I work on all sorts of other stuff.

My question to you is with 10 users, why do you need such fine-grained control? Among other things, the SonicWall products provide reports on who (IP) has gone to what web sites – if you need evidence to change behavior.

Just my $.02 worth,


Discuss This Question: 6  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Tmac24
    I currently use an ISA 2004. We have a much larger environment (1600 worstations 1000 staff 3500 students.)The isa server can control access for users or groups. However there is no gatway anti-virus or spam filter. It does not affect our connection speeds. It gives great reports on internet usage, protocl usage, by IP and user name. If you can get the ISA server that cheap you may also want to look into something like webwasher. It's software based will run on the same machine as the isa (it's basically a plugin) it will do anti-virus at the gateway, spam filter, content filter, reporting, SSL filtering (monitors proxy sites and blocks them) It is modular so you can purchase only what you think you need. So far it was one of the better products I have seen. http://www.securecomputing.com/index.cfm?skey=22
    0 pointsBadges:
  • Tbitner
    We have ISA 06 in our company (300 employees) and it's setup by our Sys Admin, but I'll tell you what I know. 1. Yes it can tie into Active Directory users and groups 2. Yes we block websites such as myspace and youtube 3. Our's sits on a public DMZ behind our Juniper firewall, although the ISA is a firewall in itself. 4. Don't know. 5. Probably a slight improvement in speed since ISA caches requests. 6. Don't know 7. See other reply 8. It seems challenging since our Sr. Sys Admin is frequently tinkering with it. I know there's books to teach you ISA though. - Our remote vpn users who terminate on the Juniper don't seem to get filtered through the ISA even though their browser is configured for it. This may be something wrong on our end. - we had to install ISA client software on computers that used "complex protocols" (microsoft term) to access the internet such as FTP, telnet, SSH. - Sometimes traffic destined for the internet is difficult to trace, because it could either go directly through the firewall or the ISA depending on the protocol. Another filtering program is Websense which I setup for a previous company exactly the same size and technology as yours (except pix firewall environment). You install the software on a server on the LAN and configure the firewalls to intercept HTTP traffic and ask websense if it's allowed or denied. I didn't notice any performance decrease and I thought it was very easy to use and setup. It doesn't work for home vpn users though. Reporting also ties into Active Directory so you can filter on any user/group, category, etc. It's strictly web filtering and I think it was costing us $5000/yr for 250 users. On a side note, a great appliance for SPAM/VIRUS/SPYWARE filtering is from Barracuda Networks (www.barracudanetworks.com). We also used this instead of Symantec Spam/AV Filter on our Exchange server. The great thing about it was that is sat in front of all the servers and prevented their resources being sucked up by processing junk. It also eliminates virues from having the chance to even touch a server and then being scanned by the local AV scanner; possibly exploiting a Symantec AV flaw.
    510 pointsBadges:
  • TedRizzi
    I use CA's Secure Content Manager, to provide the services that your looking for. it does anti-spam,spyware, virus protection, website blocking, and reporting. it can do detailed logging. for both smtp and http protocols. I use it as a proxy server for http and ftp, and filter all incoming email thru it. for spam and virus protection.
    0 pointsBadges:
  • DavidLevine
    You can certainly use ISA Server as a solution. I am not all that familiar with it so I can't really speak to what it will do out of the box, but I know that there are a bunch of plugins for ISA that will do content filtering... SurfControl, Marshall, etc. They all have products that plug in to ISA. Since you already have an investment in SonicWall you might want to look at them also. They certainly offer content filtering solutions baked into thier firewalls. (we use a similar product from St Bernard - a filtering appliance called iPrism which has been fantastic for us). You could also probably setup a squid proxy on a white box and use some open source content filtering... thats an option... There is also free software (especially if you are a non-profit) from BlueCoat systems. It is called K-9. I have used it for very small projects before and it is a good option. Hopefully your find some of this useful... Best, David
    15 pointsBadges:
  • Gwenz
    The ISA server would give you the per user control and ability to block. I would use group policy though, instead of assigning usage control on a per user basis. ISA does not come with any built in anti-virus software. I'm curious, are you using any system management tools? You have an ideal configuration for Essentials 2007, including adding an ISA server. Check out : http://www.microsoft.com/sce Gwen http://myitforum.com/cs2/blogs/gzierdt/default.aspx
    30 pointsBadges:
  • Buddyfarr
    We use ISA and have had a lot of issues with it. One product we are looking into is Secure Computing's Webwasher appliance. It will do all the web filtering on a username basis, AV, Malware and also will do SSL filtering. It actually unecrypts the SSL, finds out where it is going, filters it out if it is not allowed. If it is allowed it re-encrypts it and passes it along.
    6,850 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: