GFI Download Security is a very powerful tool to block downloads and an answer for many people seeking a download blocker. ISA's default S&C rule only blocks downloads; it does not filter them. Therefore GFI DownloadSecurity is a 5-star choice for ISA admins.
But I see one drawback: you must be a web proxy client, and you cannot schedule downloads to be allowed at specific times, as we have a download policy which allows users to download data in late-night hours.
I'm using GFI Download Security, and I am generally happy with it, but I do want to note one limitation: while it checks the FTP and HTTP protocols, and the GFI Mail Security checks the SMTP protocol, there is no GFI product to check the POP3 protocol. What this means is that if you allow your internal users to get mail via POP3 from external sources, you are still vulnerable to viruses. I have not yet found a decent workaround to this problem, and I haven't had any luck persuading GFI that it is worth expanding their products to handle this.
Actually, I am also using the GFI products. I download emails using POP3. I use GFI's MailEssentials to download emails from my ISP via POP3, scan them using both MailEssentials and MailSecurity, and forward them to my internal mail server, which is an Exchange server.
Tom, I was interested in reading your review of download security but the link doesn't work and I can't find the document on your website anywhere. Has this been taken off?
We've been using DS for a little while and although on the surface it seems okay I have found a few problems.
Although we have chosen to tick the box that says "Do not block Java & Active X", it still seems to block them :-) As an example, the first time you use WTS it runs an ActiveX component; this would not work on any of my client machines until I actually put the site in the exclude list so it wasn't scanned at all! I've had this problem with one other site as well.
GFI support on the web is pretty much non-existent, their knowledgebase holds very little knowledge :-)
Just a follow up note to save you guys some hassle: If you're using Network Load Balancing and download security over a few ISA servers, make sure you set your affinity to either "single" or "c class" otherwise users randomly get this message: Wrong or expired request. Error:3
Has anyone tried to install download security in a multi domain environment? My ISA server is in its own domain with a one way trust to my internal domain. After installing DownloadSecurity, none of my download policies will apply to users in my internal domain. I can add them by username to the list in DS and it looks up their full name, so it can see the users and communicate with the DC.
ISA is asking for authentication and all users are set as web proxy clients (some have the firewall client installed, but even with it disabled the policies don't apply to the right people - e.g. exclude admins). The default rule applies to everyone but excluding users doesn't work. Anyone else noticed this? Suggestions?
Here's my 2p worth.
Overall it's a good product, BUT I'm still waiting to hear back from them regarding one problem I have, and that's running it on an array of ISAs with NLB on the inside.
The file would download without problems but as soon as you click on the Save button you get timeout errors as asasyn2 has mentioned above.
After netmon'ing it I found that the client wasn't going back to the same ISA through the whole process.
Their recommendation was to set the Affinity mode to Single, and after trying this I found that this didn't work either. After going back to them for a sensible solution, it's all gone quiet. I'll chase them up again today.
[ March 27, 2003, 10:40 AM: Message edited by: Jason Jarvis ]
I have DS installed on my sole ISA server, which is a DC for its own domain and has a one way trust with the internal domain; everything works great except for Download Security. It applies the default file checking rule to everyone, even though users (both internal domain users and ISA domain) are authenticating against ISA just fine. It doesn't even exclude the ISA domain users that are explicitly excluded (apply the default file checking rule to all except the list below; ISA domain user is listed in there).
If GFI DownloadSecurity is installed on a machine that is part of Active Directory, DownloadSecurity does not support installing in a multiple domain environment. However, DownloadSecurity can be installed in a multiple domain environment if it is installed in non-Active Directory mode, i.e. the machine that is running GFI DownloadSecurity is not part of Active Directory. This is normally the case, since most ISA server installations are found on the DMZ. Note that in this case, the users would have to be entered manually. The Administrator would have to first insert the users in the Local Windows Users and Computers, and manually insert the users once again in the DownloadSecurity configuration.
This doesn't seem like the right solution for ISA. Unless I totally misunderstand how ISA should be implemented, no one would set it up like that. First off, Enterprise Edition requires Active Directory for array settings/configuration, right? Also, if the ISA server isn't in a domain, how would one establish a one way trust with the internal network so one can set access rules by users? No one would also want to put ISA on their internal domain.
Just wanted to say that I've been working with GFI and they see the problem the same way I do. I'm able to get rules/exceptions to apply to my users in the ISA domain if I give those users email addresses. They are looking into full multi domain support. I've been very impressed with the professionalism of the GFI staff throughout this process.