This is my first post to the ISAServer.org forums, so please bear with me.
I was wondering if anyone has any experience with Tiny Software's WinRoute Pro as a firewall/web cache server, and then has switched to using ISA Server.
I'm currently using WinRoute, and it's an absolutely superb product that is small, fast and VERY configurable (running as a NAT).
One of the specific features that I really like is the ability to filter traffic based on IP address. For example, I have Terminal Services installed on my Win2K Adv. Server that is running WinRoute Pro. To access it from a remote location, I added the remote location's IP to a list of 'Allowable' IP's. If the incoming packet to the destination does not match the 'Allowable' IP address filter, the packet is dropped and the connection is prevented. In this way, I can specifically determine which IP's have access to my network, and which do not. Now you might say that the source IP can be spoofed, and access gained, but the 'Allowable' IP's list isn't public (obviously), and so that isn't really an issue.
Another favourite feature of mine is the Port Mapping feature. I can map any port to allow traffic through the Firewall to any defined client on the internal network. This works hand-in-hand with the 'Allowable' IP's filter that I have set, meaning that I can run server-applications such as WinVNC server on my Win2K Pro clients behind the Firewall, and only allow access to those clients from a predefined set of remote IP's.
I also don't have to specify which applications are allowed to connect to the Internet. Any communication initiated behind the firewall is automatically allowed through, while any communication attempting to connect to my network, that is outside the range of allowed IP's, is denied.
I can also remotely administer WinRoute (from the Internet or LAN) with a tiny (~800kb) application, that is the same one used on the server running WinRoute.
Some other features:
*has a web cache that you can configure to use various parameters for, such as file size cached, TTL, site-specific TTL, etc.
*has a mini-DNS forwarder built-in that forwards DNS queries that are known to the system (the ones assigned to your external interface through DHCP)
*has a mini-DHCP that provides clients with IP information including Default Gateway, DNS Server, Domain Name, Lease Time, and WINS Server based on a scope that you define
*built-in mail server (I'm not using it, so can't comment on it)
*can operate completely in stealth mode (invisible to the Internet, but fully functional)
*various other features too numerous to mention
WinRoute is completely secure (if set up right), and allows me the flexibility that I need in order to run applications without worrying about doing additional administration. It's completely transparent to end users, and I don't have to install any additional software on the client for it to work.
Some things I don't like:
*logs are not easy to read, but very detailed (which is good)
*not sure about its compatibility with Active Directory
*no reporting features
*interface needs a facelift and/or update
*a few minor issues that I can't remember right now
So, my questions are:
1) Has anybody had experience with both WinRoute Pro, and ISA Server, and have any thoughts on what pros and cons there are to either or both?
2) What requirements are there to running ISA? (I currently am using WinRoute's built-in DHCP, and DNS Forwarder) Do I need to configure DNS Server, DHCP Server, and/or any other servers in order to seamlessly use ISA?
3) Can I filter incoming connections by IP address like I can with WinRoute Pro?
4) How easy is ISA to set up? WinRoute did NOT take me very long to set up at all.
5) Will I have to micromanage ISA (as in specifically define what applications can and can't access the net and/or various ports)?
6) Is there a steep learning curve to ISA?
7) What exactly is the difference between SecureNAT and a Firewall client? When does one need to use SNAT, and when is the Firewall client used instead? Sorry if this is a stupid question, but I couldn't find any concrete info on this.
*Windows 2000 Advanced Server running WinRoute Pro, WINS Server, Norton Corporate AV, VPN Server on a small LAN
Any thoughts or ideas you might have will be greatly appreciated!
Keep in mind I'm looking at durability, ease of use, flexibility, and manageability issues.
If anyone wants to try WinRoute Pro for themselves, you can download a 30 day eval from their site at: www.tinysoftware.com
Thanks in advance!
PS: Thanks to Tom and Deb for providing a great web site with loads of USEFUL information that I'll be sure to use in the future (if I use ISA, that is)!
[This message has been edited by *Bobby*Digital* (edited 18 June 2001).]
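The filtering behaviour described in the post (port mappings reachable only from an 'Allowable' source list, all other inbound traffic dropped, anything initiated from inside allowed) can be modelled as below. This is an added example, not part of the original post and not WinRoute or ISA Server code; every address, port mapping and name in it is constructed.

```python
"""Model of the policy described above: inbound connections pass only if they
hit a port mapping AND come from an allowlisted source; outbound is allowed
and its replies are matched statefully. All addresses are constructed."""
import ipaddress

ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in
                   ("198.51.100.7/32", "203.0.113.0/28")]   # constructed
# external port -> (internal host, internal port); constructed mappings
PORT_MAP = {3389: ("192.168.1.1", 3389),    # Terminal Services
            5900: ("192.168.1.20", 5900)}   # WinVNC on a client


class Firewall:
    def __init__(self):
        self.sessions = set()   # (remote_ip, remote_port, local_port) seen outbound

    def outbound(self, remote_ip, remote_port, local_port):
        """Traffic initiated behind the firewall is always allowed and tracked."""
        self.sessions.add((remote_ip, remote_port, local_port))
        return "ALLOW"

    def inbound(self, src_ip, src_port, dst_port):
        """Return (verdict, forward_target) for a packet arriving from outside."""
        if (src_ip, src_port, dst_port) in self.sessions:
            return ("ALLOW-REPLY", None)            # reply to an inside-initiated flow
        target = PORT_MAP.get(dst_port)
        if target is None:
            return ("DROP-NO-MAPPING", None)        # no mapping: silently dropped
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in ALLOWED_SOURCES):
            return ("DROP-SOURCE", None)            # mapped port, wrong source
        return ("FORWARD", target)


def demo():
    fw = Firewall()
    fw.outbound("192.0.2.80", 80, 40001)            # inside client browses out
    return [
        fw.inbound("198.51.100.7", 51000, 3389),    # allowlisted -> Terminal Services
        fw.inbound("203.0.113.9", 51001, 5900),     # inside the /28 -> VNC client
        fw.inbound("203.0.113.77", 51002, 3389),    # outside the /28 -> dropped
        fw.inbound("198.51.100.7", 51003, 25),      # allowlisted, but no mapping
        fw.inbound("192.0.2.80", 80, 40001),        # reply to the tracked session
        fw.inbound("192.0.2.80", 80, 40002),        # unsolicited, same remote host
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In this model the verdict for a new inbound connection depends only on the destination port and the packet's source address; nothing in it authenticates the remote party.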