We are in the process of upgrading our perimeter firewall and would like to see what is the best option. I am currently using two x506 tippingpoints at the perimeter, which forward all the traffic to isa 2006 firewalls. There is no HA or arrays setup, this is the main reason for the upgrade. Basically a double Nat setup, with port forwarding.
We have one isa for incoming customer traffic, with load balanced T1s (3mb). The other isa is for user internet access for internal users, with a single 15mb cable connection. If we choose not to go with ISA or a proxy, what are the advantages and disadvantages? Currently all the browsers point to an Isa server/port number and they have the firewall client.
The alternative option is no Isa or proxy, each user has to point to a router as the gateway and dns server that knows the way out. Not all of our users get internet access, we control the internet use by a windows group and that group is added to an Isa rule.
The isa using the 15mb connection has a port mirrored in both directions, to a web filter server. The web filter server monitors the sites visited, and is able to block based on rules.
From: Amazon, Brazil
if you replace ISA firewall for a router, you have to think about the features you are going to loose, like advanced HTTP and publishing rules inspection, user-based access rules, cache server, VPN granularity.