Welcome to ISAserver.org

DownloadSecurity Review Article

DownloadSecurity Review Article - 3.Dec.2002 4:25:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the DownloadSecurity review article at http://www.isaserver.org/software_reviews/downloadsecurity.html

Thanks!
Tom

[ December 03, 2002, 06:44 AM: Message edited by: tshinder ]
Post #: 1
RE: DownloadSecurity Review Article - 3.Dec.2002 4:37:00 AM   
Spinner

 

Posts: 12
Joined: 27.Feb.2001
From: Sydney, Australia
Status: offline
I'm interested to hear of people's experiences when running GFI's download security AND Mail Marshal on the same server with an integrated ISA.

[ December 03, 2002, 04:38 AM: Message edited by: Spinner ]

(in reply to tshinder)
Post #: 2
RE: DownloadSecurity Review Article - 3.Dec.2002 11:23:00 AM   
zzz343

 

Posts: 764
Joined: 19.Feb.2002
From: World's 7th Nuclear Power
Status: offline
GFI Download security is a very powerful tool to block downloads and an answer for many people seeking a download blocker. ISA's default S&C rule only blocks downloads, it does not filter them. Therefore GFI DownloadSecurity is a 5 star choice for ISA Admins.

But I see one drawback: you must be a web proxy client, and you cannot schedule downloads to be allowed at specific times, as we have a download policy which allows users to download data in late night hours.

(in reply to tshinder)
Post #: 3
RE: DownloadSecurity Review Article - 6.Dec.2002 2:59:00 PM   
Michael_Dorfman

 

Posts: 23
Joined: 16.Jul.2001
Status: offline
I'm using GFI Download Security, and I am generally happy with it, but I do want to note one limitation: while it checks the FTP and HTTP protocols, and the GFI Mail Security checks the SMTP protocol, there is no GFI product to check the POP3 protocol. What this means is that if you allow your internal users to get mail via POP3 from external sources, you are still vulnerable to viruses. I have not yet found a decent workaround to this problem, and I haven't had any luck persuading GFI that it is worth expanding their products to handle this.

Ideas?

(in reply to tshinder)
Post #: 4
RE: DownloadSecurity Review Article - 16.Dec.2002 10:17:00 AM   
nicks

 

Posts: 47
Joined: 17.Sep.2002
Status: offline
In reply to Michael_Dorfman's post [Smile]

Actually, I am also using the gfi products. I download emails using POP3. I use gfi's mailessentials to download emails from my isp via pop3, scan them using both mailessentials and mailsecurity and forward them to my internal mailserver which is Exchange server.

(in reply to tshinder)
Post #: 5
RE: DownloadSecurity Review Article - 21.Jan.2003 2:13:00 PM   
asasyn2

 

Posts: 54
Joined: 24.Oct.2002
From: London
Status: offline
Tom, I was interested in reading your review of download security but the link doesn't work and I can't find the document on your website anywhere. Has this been taken off?

We've been using DS for a little while and although on the surface it seems okay I have found a few problems.

Although we have chosen to tick the box that says "Do not block Java & Active X" it still seems to block them :-) As an example, the first time you use WTS it runs an active X component, this would not work on any of my client machines until I actually put the site in the exclude list so it wasn't scanned at all! I've had this problem with one other site as well.

GFI support on the web is pretty much non-existent, their knowledgebase holds very little knowledge :-)

(in reply to tshinder)
Post #: 6
RE: DownloadSecurity Review Article - 21.Jan.2003 3:58:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Asasyn,

Check out:

http://www.isaserver.org/tutorials/downloadsecurity.html

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: DownloadSecurity Review Article - 22.Jan.2003 1:32:00 PM   
asasyn2

 

Posts: 54
Joined: 24.Oct.2002
From: London
Status: offline
Thanks Tom.

(in reply to tshinder)
Post #: 8
RE: DownloadSecurity Review Article - 22.Jan.2003 1:39:00 PM   
asasyn2

 

Posts: 54
Joined: 24.Oct.2002
From: London
Status: offline
Just a follow up note to save you guys some hassle:
If you're using Network Load Balancing and download security over a few ISA servers, make sure you set your affinity to either "single" or "c class" otherwise users randomly get this message:
Wrong or expired request. Error:3

(in reply to tshinder)
Post #: 9
RE: DownloadSecurity Review Article - 22.Jan.2003 10:49:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Asa,

Great tip!

Thanks!
Tom

(in reply to tshinder)
Post #: 10
RE: DownloadSecurity Review Article - 26.Mar.2003 2:53:00 PM   
minerat

 

Posts: 142
Joined: 19.Mar.2003
From: Philadelphila
Status: offline
Has anyone tried to install download security in a multi domain environment? My ISA server is in its own domain with a one way trust to my internal domain. After installing DownloadSecurity, none of my download policies will apply to users in my internal domain. I can add them by username to the list in DS and it looks up their full name, so it can see the users and communicate with the DC.

ISA is asking for authentication and all users are set as web proxy clients (some have the firewall client installed, but even with it disabled the policies don't apply to the right people - e.g. exclude admins). The default rule applies to everyone but excluding users doesn't work. Anyone else noticed this? Suggestions?

(in reply to tshinder)
Post #: 11
RE: DownloadSecurity Review Article - 27.Mar.2003 10:29:00 AM   
jmjarvis

 

Posts: 136
Joined: 17.Jun.2002
From: UK
Status: offline
Hey Guys,

Here's my 2p worth.

Overall it's a good product BUT I'm still waiting to hear back from them regarding one problem I have, and that's running it on an array of ISAs with NLB on the inside.

The file would download without problems but as soon as you click on the Save button you get timeout errors as asasyn2 has mentioned above.

After netmon'ing it I found that the client wasn't going back to the same ISA through the whole process.

Their recommendation was to set the Affinity mode to Single [Frown] and after trying this I found that this didn't work either. After going back to them for a sensible solution it's all gone quiet. I'll chase them up again today.

Jas

[ March 27, 2003, 10:40 AM: Message edited by: Jason Jarvis ]

(in reply to tshinder)
Post #: 12
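
Added example (not part of the original thread, and not GFI or Microsoft code): a small Python model of the NLB affinity behaviour discussed in posts 9 and 12, showing why a two-step download (scan, then Save on a new connection) can land on different array members. The node names, the client addresses and the SHA-256 bucket are constructed stand-ins, not NLB's real hashing; that each ISA keeps its pending downloads locally is an assumption based on the netmon observation above.

```python
import hashlib
import ipaddress

NODES = ["ISA1", "ISA2", "ISA3"]  # hypothetical array members


def pick_node(src_ip, src_port, affinity):
    """Choose the array member for one client connection.

    none   -> keyed on source IP and source port
    single -> keyed on source IP only
    classc -> keyed on the source /24 network
    The hash is a stand-in for illustration, not NLB's algorithm.
    """
    if affinity == "none":
        key = f"{src_ip}:{src_port}"
    elif affinity == "single":
        key = src_ip
    elif affinity == "classc":
        net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        key = str(net.network_address)
    else:
        raise ValueError(f"unknown affinity mode: {affinity}")
    digest = hashlib.sha256(key.encode()).digest()
    return NODES[int.from_bytes(digest[:4], "big") % len(NODES)]


def constructed_clients(count=200):
    """Constructed sample: (ip, port of scan request, port of Save request)."""
    return [(f"10.0.{i // 50}.{10 + i % 50}", 1024 + i, 40000 + i)
            for i in range(count)]


def split_flows(affinity, clients):
    """Count downloads whose Save request reached a different node than
    the one that scanned the file (the node holding the pending state)."""
    split = 0
    for ip, scan_port, save_port in clients:
        if pick_node(ip, scan_port, affinity) != pick_node(ip, save_port, affinity):
            split += 1
    return split


if __name__ == "__main__":
    clients = constructed_clients()
    for mode in ("none", "single", "classc"):
        print(f"{mode:7s} split flows: {split_flows(mode, clients)} of {len(clients)}")
```
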
RE: DownloadSecurity Review Article - 27.Mar.2003 6:23:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

The problem isn't with DownloadSecurity, it's with NLB. Use PASV mode and it'll work.

HTH,
Tom

(in reply to tshinder)
Post #: 13
RE: DownloadSecurity Review Article - 28.Mar.2003 8:05:00 PM   
minerat

 

Posts: 142
Joined: 19.Mar.2003
From: Philadelphila
Status: offline
I have DS installed on my sole ISA server, which is a DC for its own domain and has a one way trust with the internal domain; everything works great except for Download Security. It applies the default file checking rule to everyone, even though users (both internal domain users and ISA domain) are authenticating against ISA just fine. It doesn't even exclude the ISA domain users that are explicitly excluded (apply the default file checking rule to all except the list below; ISA domain user is listed in there).

GFI tells me this from http://kbase.gfi.com/showarticle.asp?id=KBID001637

If GFI DownloadSecurity is installed on a machine that is part of Active Directory, DownloadSecurity does not support installing in a multiple domain environment.
However, DownloadSecurity can be installed in a multiple domain environment if it is installed in non-Active Directory mode, i.e. the machine that is running GFI DownloadSecurity is not part of Active Directory. This is normally the case, since most ISA server installations are found on the DMZ.
Note that in this case, the users would have to be entered manually. The Administrator would have to first insert the users in the Local Windows Users and Computers, and manually insert the users once again in the DownloadSecurity configuration.

This doesn't seem like the right solution for ISA. Unless I totally misunderstand how ISA should be implemented, no one would set it up like that. First off, Enterprise Edition requires Active Directory for array settings/configuration, right? Also, if the ISA server isn't in a domain, how would one establish a one way trust with the internal network so one can set access rules by users? No one would also want to put ISA on their internal domain.

Is Download Security really a viable solution?

[ March 28, 2003, 08:20 PM: Message edited by: AndrewM ]

(in reply to tshinder)
Post #: 14
RE: DownloadSecurity Review Article - 15.Apr.2003 10:15:00 PM   
minerat

 

Posts: 142
Joined: 19.Mar.2003
From: Philadelphila
Status: offline
Just wanted to say that I've been working with GFI and they see the problem the same way I do. I'm able to get rules/exceptions to apply to my users in the ISA domain if I give those users email addresses. They are looking into full multi domain support. I've been very impressed with the professionalism of the GFI staff throughout this process.

(in reply to tshinder)
Post #: 15
RE: DownloadSecurity Review Article - 17.Apr.2003 1:35:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,

I've had the same experiences. GFI has always worked hard with me to solve any problem I've had with their products.

Thanks!
Tom

(in reply to tshinder)
Post #: 16
RE: DownloadSecurity Review Article - 20.Dec.2003 7:24:00 AM   
Fire

 

Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
I try to install the version 6 on the ISA Server. The thing is after I install that one, I can't patch any file from ms. It always stops at stopping web proxy service.

Not Happy with That!

(in reply to tshinder)
Post #: 17
RE: DownloadSecurity Review Article - 12.Jan.2004 9:03:00 AM   
Patrizia

 

Posts: 18
Joined: 12.Jan.2004
Status: offline
Fire,

Some of the updates done to the system using Microsoft Windows update feature are downloaded from windowsupdate.com. This article should provide you with more information: http://kbase.gfi.com/showarticle.asp?id=KBID001489

(in reply to tshinder)
Post #: 18
RE: DownloadSecurity Review Article - 24.Feb.2005 8:57:00 PM   
Guest
Is there a way to eliminate a URL from being cached through ISA? Reason being, our webteam is making changes to a website, but cannot view the changes.

(in reply to tshinder)
  Post #: 19
RE: DownloadSecurity Review Article - 21.Mar.2005 2:48:00 PM   
Guest
Dear all, can anyone tell me if they've come up against the "System is overloaded, please retry later" error when downloading files?

We've just deployed GFI Dsec 6 with ISA and websense and this seems to be a huge problem.

If anyone else has come up against it, please let me know how you managed to fix it.

cre8toruk@yahoo.co.uk

(in reply to tshinder)
  Post #: 20
