1) Lose the CSS part of ISA. Prove to me that ISA could not be written to NOT have to use this setup. It's unnecessary, inversely affects network troubleshooting, _may_ require a stand alone server (but two extra servers would be better) or "dirtying" a domain controller (or two). I don't have enough bad things to say about a firewall that almost _requires_ external configuration storage. I want my firewall to do its job, not put pieces of itself all over the internal network. Last time I saw behavior like this it had Save.exe and Gator attached to it and called itself KaZaa and RealPlayer.
TOM: Actually, this is pretty standard for any centralized management solution where you use centralized storage of policy for thousands of arrays in thousands of locations located throughout the world. How else would you manage these hundreds or thousands of arrays from a single console and management interface and storage?
2) Money. A'hm talkin' 'bout money. Honestly, who comes up with the pricing structure for ISA firewall? $6000 for ISA 2006 Enterprise (single cpu) plus a $Gr for the OS that it _requires_ to function, plus $pick-your-price for the hardware part of this equation, then you can double it (or then some) because you need two such setups to make use of the "enterprise" feature. Add some more $money if you want to have things like virus checking, content filtering, etc. That is a monumental amount of money for a redundant basic packet filter setup... ISA is very nice, but not that nice.
TOM: Check the price list for ASA, Netscreen and Check Point. ISA pricing is consistent with its main competitors. The problem is that most people can't admit to themselves that the ISA Firewall is as secure, and in many cases, more secure, than their traditional "hardware" firewalls. However, I do agree that the prices for ALL FIREWALLS, including the ISA Firewall, are too high.
3) But wait, I'm not done with the cost issue yet. Microsoft will charge you $1500 for the "standard" version, $6000 for the "enterprise" version. Say what? The math tells me that I'm paying $4500 for NLB and CARP (and possibly this "feature" of having the configuration Borg'd all over the internal network). $4500 for NLB? $4500 if you want what could best be described as the _ability_ to have a "hot standby" (_ability_ because you'd need to spend the $4500 again on another machine to make a pair). That's NLB? That's CRAP. Somewhere an executive at EMC is laughing knowing that his own Rainconnect is superior and at ~$5Gr is actually _substantially_ cheaper...
TOM: Actually, you're paying for centralized management. Check out the Check Point pricing for this feature set and you'll soon realize that you're saving a TON of money going with the ISA Firewall solution.
4) Since I broached the subject of NLB, let's discuss. Microsoft has wizards for everything. They probably have a wizard to help me make a spiced latte using spices imported from the finest Middle East locations, using coffee beans from the highest mountains in Colombia, harvested at just the right time of a full moon night and handled only by vestal virgins. But do they have a wizard to make this multi-thousand dollar NLB option come to life? No. Seriously, you almost have to wave a dead chicken over the servers and hold a seance in order to bring up a fully functioning NLB setup... Unacceptable.
TOM: I don't understand this one. There is a built-in wizard and it works for me every time.
5) People still have to go to Microsoft Downloads if they want some of the tools for use with ISA. Just a thought, but why not include them on the disk? Okay, so some people (most maybe) don't use them. Then I guess they never have to directory surf to find them on the ISA disk. It may have saved someone some time and grief of having to find them on Microsoft's site, the whole time thinking about the $6Gr+ it cost and they couldn't be bothered to include them on the CD. Or, and I'm really going out on a limb here, why not make some of them _part_ of ISA? Somewhere, in a cold, dark, executivey room, a collective _WHAT?_ emerges, as flames shoot from the backs of said executives as they muster up a "WHAT DID HE SAY?" in a tone sounding like it was generated from the bowels of a very deep place...
TOM: Now that is a GOOD idea!
Thomas W Shinder, M.D.