feature requests for ISA 2007(?)



sweisler -> feature requests for ISA 2007(?) (3.Jan.2006 5:42:22 PM)

I have been using and implementing ISA 2004 for the last 12-15 months.  Having over half a dozen implementations of ISA 2004 Standard under my belt, I have found ISA 2004 to be an excellent firewall product.  It is an excellent full-duty firewall, not just an application specific firewall (OWA, Exchange, WWW, FTP, etc.), as some people insist on limiting it to.  It is easy to configure and easy to understand, and I love the application filtering capabilities that push it above and beyond the stateful inspection-only products.

However, I have noticed a few shortcomings that have limited my ability to fully deploy the product in some environments, leading to split-gateway situations where ISA is running parallel with another firewall device, such as PIX.  Most importantly, I believe Microsoft's monolithic approach of designing ISA 2004 to publish everything behind a single IP address is unrealistic.

Case 1 - publishing a DNS Server behind an alternate IP address - Inbound traffic to the DNS server is handled properly.  But because outbound traffic from the DNS server is NATed behind the default (and unchangeable) main IP address of the external NIC on the ISA firewall, the update notifications to other servers appear to come from a different external IP address than the one the server is published on.  This makes zone transfers a kluged-up nightmare.

Case 2 - publishing a Polycom videoconferencing system behind an alternate IP address - same problem as the DNS server above with the NATed outbound traffic, plus the added problem of secondary connections being initiated from both ends once the primary connection is established.  I ended up having to put in a PIX 501 here, just so I could get a simple 1:1 static NAT.

What I would like to see in the next version of ISA is the ability to define NAT relationships, both static (1:1) and dynamic (many:1) for any/all addresses falling under the ALL PROTECTED NETWORKS network set with any external IP address the ISA server is listening on.  That way I could reverse-publish the DNS protocols, or even NAT all traffic from the DNS server on the same external IP address as the inbound publishing rule.  A NAT table, something like what Check Point utilizes, where NAT relationships can be viewed and defined, would be awesome.

Another problem I have is that as great a product as ISA 2004 is, the reporting features, especially working with log files, suck.  There is no other way to describe them.  Having to copy and paste from the log page to a text file just to get a print-out is unacceptable.  What I would like to see is a fully functional reporter for the log files, having standardized reports, customizable reports, and the ability to save (text, csv, sql, etc.) and print directly from the report screen.

Lastly is something Dr. Shinder has addressed in some of his articles.  I would like to see the feature sets provided by the FlexAuth and WebDirect products from Collective Software built in.  This is functionality that should have been included in the current product.  (See Dr. Shinder's "Redirecting OWA Users to the Correct Directories and Protocols" series.)

Finally, to Dr. Shinder and everyone involved with ISASERVER.ORG, a giant THANK YOU!!!  This site is a godsend and has saved my bacon on more than one occasion.  Keep up the good work.

Sincerely,

C. Scott Weisler 




tshinder -> RE: feature requests for ISA 2007(?) (4.Jan.2006 4:06:20 AM)

Hi Scott,

Thanks! We all try to do what we can to make things better for ISA firewall admins.

I agree with all of your assessments. The static NAT bindings are really critical and I would put that as the number ONE issue with the ISA firewall that should be fixed with the next version.

I hear you regarding the logging issues. While I love MSDE query features, there has to be a better way to get the text data out of it. Also, if the query generates more than 10K entries, you don't even get all of them. I don't want to have to go back to .txt file logging.

As for FlexAuth capabilities, I'm optimistic that this issue might be fixed sooner than later.

Thanks!!!
Tom




ferrix -> RE: feature requests for ISA 2007(?) (8.Feb.2006 6:26:36 AM)

Hey, thanks for the Collective plug, Scott.  We try hard to look for and fill the gaps where we too wish Microsoft had provided those extra features.  As they continue to innovate we hope to continue to fill the next generation of gaps!  In the meantime your support (and the support of Tom and ISAServer.org) helps us stay in business and find those next opportunities to make ISA even better!

www.collectivesoftware.com




tshinder -> RE: feature requests for ISA 2007(?) (8.Feb.2006 9:55:08 PM)

Hi Ferrix,

You guys keep up the good work!

Thanks!
Tom



