Welcome to ISAserver.org


Recommendation request

Recommendation request - 19.Apr.2007 9:21:12 PM   
mkleinpaste
Posts: 21 | Joined: 19.Apr.2007
Hi. New ISA Server convert here. I hope I'm posting this in the right area. I apologize if I didn't.

I've been testing ISA Server at work on an old 500MHz PC and I've got to say I'm impressed with it. So much so that I'm looking at replacing our two existing PIXs, a 515E and a PIX 520, with ISA Server 2006.

Being a former "Firmware Guy" I've got some reservations about moving forward with it. Not because I doubt the power of ISA, but because I've never had to put together a server hardware recommendation for a firewall. You just pick your firewall based on Cisco's or other hardware vendors' recommendations and buy.

I thought about getting an ISA hardware device but ruled it out because I like the hands-on configuration with the Microsoft MMC and the ability to add custom services like gateway anti-virus, etc. What I'm asking about here is what recommendations you experts would make given our situation. After all, when you go to upper management for the money to do these projects, they want to know that what you're ordering is going to not only last but also handle what's being thrown at it.

We are a data center for our clients and all of their locations. We have approximately 50 clients with between 1 and 5 remote sites per client (mostly 1 or 2). Because we are their data center we have a site-to-site VPN tunnel to each branch. We also have a DMZ where we host websites for all of our clients as well as email for about 20 of them. I need to configure the hardware so that it can handle the current load easily and be able to grow as we do. I intend for it to be an edge firewall. We have a bonded T-1 running 3Mbps bi-directional, currently at about 40-50% utilization. So basically we end up with a star WAN with about 70 site-to-site VPN tunnels.

Input on hardware recommendations from anyone using ISA Server 2006 (especially in a similar setting) would be greatly appreciated by this new convert!

Thanks in advance!

< Message edited by mkleinpaste -- 19.Apr.2007 9:26:12 PM >
Post #: 1
RE: Recommendation request - 23.Apr.2007 10:59:14 PM   
mkleinpaste
Posts: 21 | Joined: 19.Apr.2007
Hello?

I figured I'd at least get a flame or something. Nobody's interested in helping a new convert? I wouldn't be asking if it wasn't important.

Pretty please?

< Message edited by mkleinpaste -- 23.Apr.2007 11:02:00 PM >

(in reply to mkleinpaste)
Post #: 2
RE: Recommendation request - 25.Apr.2007 8:33:37 AM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
Hi Mkle,

I've seen your post and I'll give you a more complete answer later today. Got to teach an ISA and IAG class today!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mkleinpaste)
Post #: 3
RE: Recommendation request - 25.Apr.2007 11:56:21 AM   
mkleinpaste
Posts: 21 | Joined: 19.Apr.2007
Thanks Tom! I look forward to receiving your insight!
The Microsoft Best Practices for Performance was interesting but didn't really address some of the specifics of our network.

Here are the specifics of what I'm trying to build this firewall for:
  1. Site-to-site VPN tunnels (to our clients' locations)
    1. Currently 53 active 3DES tunnels
      1. Must also be able to set it up to create site-to-site tunnels with clients using PPPoE at their end.
    2. Needs to be able to expand to potentially double that
    3. VPN client access (random usage)
    4. Limit each tunnel to specific protocols.

  2. Gateway security
    1. Content filtering (very cool with the redirect, by the way!)
    2. HTTP/FTP antivirus
    3. Intrusion detection (preferably prevention)

  3. Web publishing
    1. Web publishing from a 3-leg perimeter DMZ
    2. OWA/OMA - FBA with AD
    3. SharePoint - FBA with AD

I spec'd out a server to run it on and am also curious as to what potential throughput, site-to-site VPNs, etc. it could handle.
  • Dell PE1950
    • 2 x Quad Core 2.66GHz Intel Xeon, 1333MHz FSB, 2x4MB cache
    • 4 GB 667MHz RAM
    • 2 x 36GB SAS 10K RPM drives in RAID 1 config
    • Total 3 x Broadcom Gb Ethernet ports
      • Curious as to whether TCP/IP Offload will improve the ISA performance too?
    • Windows 2003 R2 Standard
    • ISA Server 2006 x 2 processor licenses
    • One of the ISA Server 2006 compatible AV/AS suites
      • Kaspersky or BitDefender at this point

PS: Where can I find out about these ISA/IAG classes you're giving? Training will be part of the proposal I send to upper management.

< Message edited by mkleinpaste -- 25.Apr.2007 1:17:23 PM >

(in reply to tshinder)
Post #: 4
RE: Recommendation request - 26.Apr.2007 10:33:46 AM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
Hi Mkle,

The ISA Firewall will handle all the workloads you've spec'ed out here, which is great!

The boxes you have configured should do their jobs pretty well. I usually present two options to customers -- scale up with processors or scale out using ISA Enterprise Edition arrays. Since you haven't called for failover and load balancing for the ISA Firewall, you only need Standard Edition, so scaling up is reasonable and more cost effective, since the EE license is about $4K more.

TCP offload won't make much difference, but IPSec and SSL offload cards can really speed up your VPN and publishing scenarios.

The classes I delivered last week and this week were actually done at special request from MS for some of their partners. It was a ton of fun! :) Outside of that, I haven't done much teaching in the last few years. I have focused on writing and consulting.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mkleinpaste)
Post #: 5
RE: Recommendation request - 26.Apr.2007 1:23:16 PM   
mkleinpaste
Posts: 21 | Joined: 19.Apr.2007
Tom,

That's great news! Thank you very much!

Looking into PPPoE at the client end, I've been looking at how ISA Server handles that. I've found lots of information about setting up ISA Server to authenticate to a PPPoE connection, but nothing about how to set up a site-to-site with the home site using a static IP and a 3rd party firewall like a PIX or SonicWALL using a PPPoE connection.

I know how to do it with a Cisco and a dynamic-map, but the ISA way seems to be pretty elusive! Looking at our existing connections, about 1/3 of them are PPPoE because Century Tel has been telling clients they can't do static. So, this has kind of become a caveat to moving towards ISA Server.

< Message edited by mkleinpaste -- 26.Apr.2007 1:37:54 PM >

(in reply to tshinder)
Post #: 6
RE: Recommendation request - 27.Apr.2007 10:56:01 AM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
PPPoE isn't so much of a problem as DHCP is. If these hosts don't have static addresses, we can't do IPSec tunnel mode to those hosts, since we can connect to them using IP addresses only, so DDNS won't solve this problem for us.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mkleinpaste)
Post #: 7
RE: Recommendation request - 27.Apr.2007 12:08:58 PM   
mkleinpaste
Posts: 21 | Joined: 19.Apr.2007
I noticed a post on the forums mentioning that L2TP/IPsec is more secure and can be used with a FQDN via a DynDNS service instead of an actual IP address where there is a dynamic address at the branch end. I'm not against changing to this if it bolsters my security.

I just have to figure out how to put a cert on our existing PIXs and TZ-170s, since I've never really tried that before.

It's curious that base IPsec tunnels are still in use if L2TP/IPsec is more secure. Other than the certificates, what makes it more secure, or IPsec more insecure for that matter?

(in reply to tshinder)
Post #: 8
RE: Recommendation request - 28.Apr.2007 11:57:35 AM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
L2TP/IPSec is more secure because you can enforce EAP authentication on the tunnels and thus bypass XAUTH exploits. There's a doc on the ms.com/isa site on how to do this with the PIX.

For other VPN gateways, you'll find that you'll be hard pressed to find ones supporting L2TP/IPSec.

However, in a site to site VPN connection, the XAUTH situation isn't really an issue, but performance is. You don't have header compression with IPSec tunnel mode like you have with L2TP/IPSec. And you can still use a pre-shared key if you like for L2TP/IPSec site to site VPN connections to the PIX.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mkleinpaste)
Post #: 9
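The performance point in the reply above comes down to how much of each packet is encapsulation rather than payload. The script below is an added example (not code from this thread or from ISA Server) that works out the on-the-wire size for an IPsec ESP tunnel-mode packet versus an L2TP/IPsec packet, using the 3DES tunnels this thread describes; the header sizes it assumes are the protocol minimums noted in the comments, not measurements from either product.

```python
# Added example: per-packet encapsulation overhead of IPsec ESP tunnel mode
# versus L2TP/IPsec (ESP transport mode around UDP/L2TP/PPP), for the
# 3DES-CBC + HMAC-SHA1-96 tunnels discussed in the thread.
# Assumptions (protocol minimums, RFC 4303 / RFC 2661 / RFC 1661):
# no NAT-T UDP wrapper, no L2TP sequence numbers, PPP address/control
# field not compressed. Real deployments may add bytes to these figures.

IPV4_HDR = 20        # outer IPv4 header
ESP_HDR = 8          # SPI + sequence number
IV_3DES = 8          # 3DES-CBC IV (also the cipher block size)
ESP_TRAILER = 2      # pad length + next header
ICV_SHA1 = 12        # HMAC-SHA1-96 integrity check value
UDP_HDR = 8          # L2TP rides on UDP 1701
L2TP_HDR = 6         # flags/version + tunnel ID + session ID
PPP_HDR = 4          # address + control + protocol
BLOCK = 8            # 3DES block size, governs ESP padding


def esp_padding(plaintext_len: int) -> int:
    """ESP pads so that plaintext + pad + trailer is a multiple of the block size."""
    return (-(plaintext_len + ESP_TRAILER)) % BLOCK


def wire_size(inner_len: int, mode: str) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    if mode == "tunnel":
        plaintext = inner_len                              # whole inner IP packet
    elif mode == "l2tp":
        plaintext = UDP_HDR + L2TP_HDR + PPP_HDR + inner_len
    else:
        raise ValueError(f"unknown mode: {mode}")
    pad = esp_padding(plaintext)
    return IPV4_HDR + ESP_HDR + IV_3DES + plaintext + pad + ESP_TRAILER + ICV_SHA1


def max_inner(mode: str, mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulation still fits the outer MTU unfragmented."""
    size = mtu
    while wire_size(size, mode) > mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for mode in ("tunnel", "l2tp"):
        fit = max_inner(mode)
        print(f"{mode:6s}: 1400-byte packet -> {wire_size(1400, mode)} bytes on the wire; "
              f"max unfragmented inner packet at MTU 1500 = {fit} bytes")
```

Feeding a branch's actual MTU into max_inner gives the inner-packet size to clamp TCP MSS to so that the tunnel does not fragment, which is the usual first fix when a site-to-site tunnel passes small packets but stalls on large transfers.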
RE: Recommendation request - 2.May2007 1:04:01 PM   
mkleinpaste
Posts: 21 | Joined: 19.Apr.2007
Thanks Tom,

I appreciate your input. Can ISA Server run multiple tunneling protocols at the same time? For instance, can I run IPsec for the static IPs to keep the header compression down, while running L2TP/IPsec with FQDN to enable our clients with PPPoE connections that receive dynamic IP addresses to remain connected as well?

(in reply to tshinder)
Post #: 10
RE: Recommendation request - 3.May2007 7:41:58 PM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
Yes! Each tunnel is configured separately and you can choose the VPN protocol to use for each tunnel.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mkleinpaste)
Post #: 11
RE: Recommendation request - 4.May2007 11:40:09 AM   
mkleinpaste
Posts: 21 | Joined: 19.Apr.2007
Thanks Tom! 

That seals it.  I'm writing up the proposal right now.

I've definitely appreciated all your help!

_____________________________

Michael Kleinpaste

(in reply to tshinder)
Post #: 12
RE: Recommendation request - 5.May2007 2:45:43 PM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
Hi Michael,

Great!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mkleinpaste)
Post #: 13