Welcome to ISAserver.org

Questions for ISA / Surf Control users

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Misc.] >> 3rd Party Add-ons >> Questions for ISA / Surf Control users

Page: [1]

Message

<< Older Topic Newer Topic >>

Questions for ISA / Surf Control users - 23.Mar.2007 4:44:22 PM

Jassyca

Posts: 8
Joined: 3.Aug.2006
Status: offline

We currently use Websense 6.2 on our ISA server to stop employees from being able to access restricted websites. Our license with Websense will be coming up for renewal this summer and to be honest, Websense is awful damn expensive. I read Tom Shinder's review about Surfcontrol but that didn't answer all of my questions. So I'd like to get some opinions from administrators who are currently using Surf Control on ISA server.

How stable is it? Does it seem to slow the server down at all? Suppose we are using Microsoft's Active Directory. Can I create rules based on Active Directory groups? How flexible are the rules? For instance, is there a way to create exceptions? "Block everyone from downloading *.exe unless they are a member of 'MIS'." So on.

Does it only cover web (ie, ports 80 and 443) or other ports as well? (Tom's review seemed to indicate that it can only filter web traffic not Kazaa and all that other junk. I guess for blocking that stuff, you just rely on ISA.)

Is there a way to set bandwidth limits? Suppose, for instance, we need to allow certain users to be able to access streaming media sites. Can we at least restrict how much of the pipe streaming media will use so we don't get 20 calls from people complaining the "internet is so slow! I can't do my job!"

What kind of information can I get out of Surfcontrol through reports? Currently, our Websense generates a "top 10 most active websurfers" report every week. Management loves it. From that, we can choose a specific person and generate a report of all the sites the user frequented from date to date (as long as those are still valid dates in our logs). We can also generate a "top 10 most active web site categories" report each week or month. Or "top 10 most blocked web sites" or a report on top 10 blocked users. On and on. What kind of reports could we see from Surf Control?

Tom's article mentioned there are 47 categories for web sites. Suppose we need to partially block a category? In other words, is there a way to create exceptions? For instance, we have a policy in our employee handbook that says "no external webmail". However, we had to create exceptions to that rule so our employees could logon to specific secure webmail sites to retrieve sensitive messages. (We deal with a lot of personal health information about people. SMTP traffic is sent in plain text which, of course, you don't want to do with such sensitive information. So people who have to send info to us either put the message into a zip file and password protect the zip file or they sign on with a service like Ziplip, like we did. HTTPS traffic is encrypted so recipients can view the sensitive information in relative security.)

Do you have to install anything at all the workstation in order for Surf Control to work at the desktop or to get user logon names for its reports? Does anyone have any experience with Surf Control's filter in a Citrix environment? If so, did you have to install anything on your Citrix server(s) in order to get user logon names for your reports?

Overall, how satisfied are you with SurfControl? How much time do you spend baby-sitting it? Have you ever had to contact their tech support and, if so, was it a nightmare?

Anyone's thoughtful opinions would be appreciated. Thank you.

< Message edited by Jassyca -- 23.Mar.2007 4:46:35 PM >

Post #: 1

Featured Links*

RE: Questions for ISA / Surf Control users - 23.Apr.2007 10:39:15 AM

alistair

Posts: 2
Joined: 23.Apr.2007
Status: offline

hi after reading the needs that you require currently i use a Bloxx web filter and i have to say i think its fantastic it doesnt just use a massive url data base but it does this clever thing called page scanning and you can set scoring so if it goes over that limit it will block the page very user friendly to be honest there is a lot that this baby can do in fact to many things to mention

Reporting lets just say i can create over 110 types of reports keeps my HR department very happy

hope this helps

(in reply to Jassyca)

Post #: 2

RE: Questions for ISA / Surf Control users - 20.May2007 11:45:07 PM

bandrzejewski

Posts: 3
Joined: 18.May2007
Status: offline

We currently use Surfcontrol 5.5 and 5.0 web filter with our ISA Enterprise 2004 SP2 and ISA Standard SP2 with their Reporting Central 2.5 and 2.0 product respectively. We operate our ISA's within the domain, single NIC homed (using a nic team), using as a web proxy only. We are not at the point yet to do CARP, but getting there and asking questions to Surfcontrol on best practices with their product with ISA Enterprise 2004. Most of my experience is with ISA Standard 2004 for the past 5 months with their product. Our install with ISA Standard 2004 is 3+ years going with Surfcontrol.

When rebuilding our Enterprise 2004 server from scratch from Standard 2004 due to an OS service pack error, I did notice a slight increase in load placed on the server since you are placing an additional filter in ISA, but nothing too signifiant. You use either MSDA on your local ISA, or a dediated SQL server (highly recommmended). The ruleset and data can be stored in the same database, or in seperate databases after installation.

I have to email and call support several times due to this rebuild due to some of our rulesets being several years old and doing a clean install from a prior version of their web filter product. When calling their normal support line, their help system is similar to MS PSS: a support service takes down your issue and basic info, assigns a support #, and you wait into a que. You can either continue waiting in the que, or leave a call back number with your # in your que position. Wait was around 1 hour with the normal support line when calling in around noon EST. (As I learned later after the call, our company has priority support, and much shorter of a "wait" line). Support was extremely knowledgeable and helpfull. Email seems to take a while (48 hours plus), even with priority support. Their email does state if it is a large priority issue to contact their support line.

For rules, it is similar to ISA in the rule creation respect (to, from, who, when, what, etc.). These rules can share a object hiearchy like ISA for things such as categories, url groups, AD security groups, AD objects (user, computer), IP's, error pages, etc. It is top down ruleset like ISA. They do have bandwidth controls, but I have never played with them. Rules are basically website based. Anything non-website is recommended to go through ISA (like p2p).

Categories are updated nightly with their own scheduler tool. You can also add your own URLs to the categories, and if you wish, submit to Surfcontrol for their master list. If you want to make exceptions, place your rule above the rule referencing the category (like ISA).

For reporting, they have all the standard reports (top 10s, etc) with search critera by date range, yesterday, last 7 days, last month, last year, etc. You can also run detail reports on all available objects from the Web Proxy product (i.e. all user activity for AD security group XYZ, date range, exclude categories X, Y, Z). You can schedule reports to run using the same scheduler tool for the cateogory updates, or manually export to PDF, HTML, etc.

If you need more information, best thing to do is to go to Surfcontrol's website, go to support, and select the product, and go through their install and support manuals. They should be able to show you all the reports available. They also have 30 day trials of almost all their software.

(in reply to alistair)

Post #: 3

RE: Questions for ISA / Surf Control users - 14.Jul.2007 2:16:52 PM

jmilito

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline

Bandwidth priority rules in SurfControl seemed to do okay...however...you should consider a Packeteer or Xroadsnetwork appliance. SurfControl and ISA are great products but performance and prioritization is best done off box with an appliance. They help maximize your usage without letting P2P or other "job related" things get out of control thus allowing true mission critical apps the bandwidth they need even during periods of "slowness"

(in reply to bandrzejewski)

Post #: 4

RE: Questions for ISA / Surf Control users - 20.Jul.2007 7:43:22 AM

sportman

Posts: 1
Joined: 20.Jul.2007
Status: offline

I have had a problem with surfcontrol central report but i repaired it cleaning files in java control panel (temporary internet files)

I hope this information help something

Tuve problemas con el surfcontrol report pero logr� solucionarlo borrando los archivos temporales en el panel de control de java

Espero que esta informaci�n sirva para ayudar a alguien

(in reply to jmilito)

Post #: 5