Will NEVER AGAIN use Microsoft ISA Server
Will NEVER AGAIN use Microsoft ISA Server - 9.Jan.2003 5:57:00 PM
bacarlson99
Posts: 11
Joined: 4.Oct.2001
From: Atlanta, GA USA
Status: offline
After using/hacking with Microsoft's ISA Server for about a year now, I can say with confidence that it is the WORST firewall that I have ever used. Let me preface this by saying that I have used Checkpoint Firewall-1, Symantec Raptor, Linux IPchains/IPtables, and SmoothWall. I set up networks for clients, and for some reason one of the clients wished to go with Microsoft's ISA Server. What a disaster.
Now instead of just flaming away with no proof, let me list the reasons I feel this software should be shot and killed:
1) There is no way it should be acceptable that a piece of software just STOPS RESPONDING to DNS requests and cuts off access to the internet. How many different forum topics have discussed this problem, and still no solution? I have the service set to automatically restart several times during the day just in case, but it still will just refuse DNS. WTF??
2) The included SMTP filter is crap. It doesn't handle AUTH requests properly, and the result is that login attempts to Exchange Server from external are dropped. Microsoft's solution? Disable the SMTP filter. What a crock!
3) The ISA Server interface is about as convoluted as possible. Did they try to hide things, and make everything as inaccessible as possible? I'm sure I will get flamed here, but how many different places do you have to go just to set one rule? Look at other firewalls: they have one interface page that allows clear understanding of what ports are allowing what clients where.
4) Does ISA Server even have logging? I would like to be able (WITHOUT a third party app) to see exactly what is transpiring in real time so I can troubleshoot a connection. Look at Checkpoint's EXCELLENT logging abilities; it makes determining what port a client is trying to connect with so simple.
Well I know the flames are coming, but I just had to get this off my chest. I absolutely loathe this piece of software, and I recommend anyone who is considering using this to run away quickly.
RE: Will NEVER AGAIN use Microsoft ISA Server - 10.Jan.2003 5:12:00 AM
norristechs
Posts: 41
Joined: 29.Dec.2002
From: USA
Status: offline
Tom,
OK if I get on my soapbox?
I have used Checkpoint FW-1 (3.x, 4.x, NG), IPFW (Linux/FreeBSD), Cisco PIX, MS ISA. All of these products have pluses and minuses.
I do agree that MS ISA issues should be resolved quicker, and frankly the release as it stands with SP-1 and FP-1 should really be a Microsoft release candidate. Too many times Microsoft products are released and end up being total crap; look at Windows ME (blech!), and XP SP-1 is kicking our a** @ the office with the hundreds of issues.
Now that I am on my soap box, another vendor's product that costs 10x more than ISA server also has its problems. I spent many hours on the phone, $$ and down time to hear from the support group to upgrade or purchase additional patches. What a pain that was.
Now with ISA server we have the features of MS Firewall, MS Proxy 3, fwd and reverse caching. Is this product perfect? No, but in a Windows environment you can have better integration, which is why I do use ISA and will use it even with some of its quirks. If ISA didn't have quirks you would have never published your book <G>
To sum up the soapboxing...
ISA isn't perfect, but no software-based firewall solution is. As more features are introduced, more potential quirks or 'features' can arise.
Thanks for the support. Without forums like this ISA would be a stale product and MS wouldn't have a clue as to what we ISA users face in the real world.
- RANT OUT.
- Jeff.
RE: Will NEVER AGAIN use Microsoft ISA Server - 10.Jan.2003 12:49:00 PM
zaphod1310
Posts: 7
Joined: 9.Jan.2003
From: Virginia
Status: offline
Hi Tom,
OK you raised my interest. Can you tell us more about tail.exe? The best I can gather from Google is that it's some sort of Unix utility for Windows (packet sniffer or something?) I too would like a better view of what ISA is doing (or not doing) with the requests sent to it.
Stay Curious...
RE: Will NEVER AGAIN use Microsoft ISA Server - 10.Jan.2003 5:17:00 PM
jmjarvis
Posts: 136
Joined: 17.Jun.2002
From: UK
Status: offline
Tail is originally a unix command but other versions exist now.
It basically shows you the end of a log file. The unix version allows you to specify how many lines at the bottom of the file to show you, say the last 20. I imagine the windows version will do something similar.
HTH
Jas
RE: Will NEVER AGAIN use Microsoft ISA Server - 10.Jan.2003 5:48:00 PM
barky81
Posts: 15
Joined: 29.Apr.2002
Status: offline
bacarlson99,
If you really feel that way, take a look at Mandrake Linux's MNF (MultiNetwork Firewall) software. Technically, it's free:
QUOTE: MNF is one of the most feature-rich firewall products currently available on the market. MNF is based on Linux 2.4 "kernel secure" to provide multi-VPN (Virtual Private Network) as well as multi-DMZ (de-militarized zone) functionalities. With high throughput IPSec encryption, Multi Network Firewall integrates seamlessly into existing networks and works with a wide variety of operating systems, including MS-WindowsTM.
MNF Link
RE: Will NEVER AGAIN use Microsoft ISA Server - 10.Jan.2003 6:53:00 PM
bacarlson99
Posts: 11
Joined: 4.Oct.2001
From: Atlanta, GA USA
Status: offline
I must admit I am surprised at the reaction to my post... I thought that I would be flamed by Microsoft devotees but instead I have received very positive, constructive thoughts. What a fantastic board.
I will definitely take a look at Mandrake's firewall, thanks for the info. I am also looking very closely at ISA Server "Feature Pack" 1, since I still have to use the beast. I am very cautious about applying any new pack/patch/etc to production level servers, especially after the fiasco with the IIS LockDown Tool (the undo option fails to remove the IWAM_COMPUTERNAME account from the Guest group, thereby denying any ASP pages from working).
Has anyone applied this Feature Pack with no problems?
RE: Will NEVER AGAIN use Microsoft ISA Server - 12.Jan.2003 4:31:00 PM
Nate
Posts: 13
Joined: 24.Feb.2001
From: Charlotte, NC USA
Status: offline
The DNS issue, yes it is problematic. There is a problem with UDP and ISA. My solution has always been to run the DNS server service on ISA, and forward all internal DNS requests to ISA. If I need to publish a zone, I create a secondary on ISA. This also protects the internal server from cache pollution.
The interface, sorry can't help you there.
SMTP AUTH is now a viable option with FP1. Yeah, the SMTP filter sucked big time before.
One thing to note here, you are comparing ISA (v1) with PIX, CheckPoint, IPChains, all of which have been around the block a few times. So the question boils down to this: what do you want to accomplish? ISA is good at a lot, PIX is also very good at what it does, but neither is perfect.
RE: Will NEVER AGAIN use Microsoft ISA Server - 13.Jan.2003 9:10:00 AM
HJB417
Posts: 187
Joined: 24.Jul.2001
From: nYc
Status: offline
Could someone explain what the DNS problem is?
RE: Will NEVER AGAIN use Microsoft ISA Server - 13.Jan.2003 5:52:00 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi HJB,
Check this out:
======================
Jorgen, Junior Member (Member # 8800), posted November 15, 2002 12:13 PM
--------------------------------------------------------------------------------
** NEWS FLASH ** Microsoft has managed to reproduce our problem in their lab AND they have managed to find the cause.. no cure yet though :-(
IF you have UDP based publishing (any UDP, not just DNS) AND a Site and Content filter containing an FQDN, the following happens:
Incoming UDP requests are checked against the Site and Content rules by attempting to do a reverse lookup on the incoming IP (to find an FQDN to match against the IP).
If this for some reason fails (like the requesting IP not being in a reverse zone), then the ISA tries to make an NBTSTAT query against the remote IP to find the FQDN.
Once it has succeeded, failed or timed out on the incoming request, it will then process the request.
This can take some time (at least on my side we just drop incoming netbios, so those will have to time out), and during that time the ISA is gobbling up UDP connections.
With heavy traffic this will at times cause the pool of available UDP mappings to be full, so that incoming requests first have to wait for another request to make it through the S&S rules before they can themselves start the path through!
So if: - you have a remote client that is not in a reverse zone and that can not be resolved by nbtstat, AND if it is re-requesting the DNS information after, say, 5 seconds - then you can easily end up in a situation where the requests are being held pending, waiting for a process slot, while the ISA is trying to resolve the FQDN of a previous request FROM THE SAME MACHINE!
So the good news is that they know why, and the bad news is that it sounds like it is a fundamental change that needs to be done!
Possible workaround: no S&S rules! Not sure I want to go that way....
Was this clear? If not, drop me a line and I'll try again....
/Jörgen
==========================
HTH, Tom
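As an added illustration (a constructed model, not ISA code and not part of the quoted post or this thread), the following simulation reproduces the backlog Jorgen describes: each UDP request holds a mapping slot until the reverse-DNS and NBTSTAT lookups finish or time out, and a client with no reverse record that retries every few seconds queues up behind its own earlier requests. The pool size, the 30-second combined lookup timeout and the 5-second retry interval are assumed figures chosen to make the effect visible.

```python
"""Constructed model of the ISA UDP mapping backlog from the quoted post.

Assumptions (not ISA internals): a request occupies one UDP mapping slot
from arrival until the FQDN lookup triggered by a Site and Content rule
has succeeded, failed or timed out; only then is it processed and the
slot released. Without such a rule there is no lookup and no hold time.
"""
from collections import deque


def simulate(pool_size, lookup_delay, retry_interval, duration, fqdn_rules=True):
    """Return (max_queue_depth, max_wait_seconds) for one retrying client.

    pool_size      concurrent UDP mappings available (assumed figure)
    lookup_delay   seconds a slot is held while reverse DNS + NBTSTAT run
                   or time out for this client (assumed figure)
    retry_interval seconds between the client's repeated DNS requests
    fqdn_rules     False models the workaround in the post: no FQDN rule,
                   so no lookup is performed and no slot is held
    """
    hold = lookup_delay if fqdn_rules else 0
    in_flight = []        # release time of each occupied mapping slot
    waiting = deque()     # arrival times of requests waiting for a slot
    max_queue = max_wait = 0
    for t in range(duration):
        # Slots whose lookup finished or timed out are released this tick.
        in_flight = [release for release in in_flight if release > t]
        if t % retry_interval == 0:
            waiting.append(t)       # the client (re)sends its DNS query
        # Queued requests are admitted as soon as a slot is free.
        while waiting and len(in_flight) < pool_size:
            arrived = waiting.popleft()
            max_wait = max(max_wait, t - arrived)
            in_flight.append(t + hold)
        max_queue = max(max_queue, len(waiting))
    return max_queue, max_wait


def backlog_expected(pool_size, lookup_delay, retry_interval):
    """True when requests arrive faster than the pool drains them
    (each slot clears one request per lookup_delay), so the queue grows."""
    return retry_interval < lookup_delay / pool_size


if __name__ == "__main__":
    # Client with no reverse record: 30 s lookup timeout, retrying every 5 s.
    print(simulate(pool_size=2, lookup_delay=30, retry_interval=5, duration=120))
    # Same client once its reverse lookup succeeds in 1 s: no backlog.
    print(simulate(pool_size=2, lookup_delay=1, retry_interval=5, duration=120))
    # Same client with the workaround (no FQDN rule): no lookup, no backlog.
    print(simulate(2, 30, 5, 120, fqdn_rules=False))
```

The first run ends with 16 requests queued and a 60-second worst-case wait, while the fast-lookup and no-rule runs never queue at all, which is why a failing reverse lookup, not UDP itself, is the trigger.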