I have been using and implementing ISA 2004 for the last 12-15 months. Having over half a dozen implementations of ISA 2004 Standard under my belt, I have found ISA 2004 to be an excellent firewall product. It is an excellent full-duty firewall, not just an application-specific firewall (OWA, Exchange, WWW, FTP, etc.), as some people insist on limiting it to. It is easy to configure and easy to understand, and I love the application filtering capabilities that push it above and beyond the stateful-inspection-only products.
However, I have noticed a few shortcomings that have limited my ability to fully deploy the product in some environments, leading to split-gateway situations where ISA is running in parallel with another firewall device, such as a PIX. Most importantly, I believe Microsoft's monolithic approach of designing ISA 2004 to publish everything behind a single IP address is unrealistic.
Case 1 - publishing a DNS server behind an alternate IP address - Inbound traffic to the DNS server is handled properly. But because outbound traffic from the DNS server is NATed behind the default (and unchangeable) main IP address of the external NIC on the ISA firewall, the update notifications to other servers appear to come from a different external IP address than the one the server is published on. This makes zone transfers a kludged-up nightmare.
Case 2 - publishing a Polycom videoconferencing system behind an alternate IP address - Same problem as the DNS server above with the NATed outbound traffic, plus the added problem of secondary connections being initiated from both ends once the primary connection is established. I ended up having to put in a PIX 501 here, just so I could get a simple 1:1 static NAT.
What I would like to see in the next version of ISA is the ability to define NAT relationships, both static (1:1) and dynamic (many:1) for any/all addresses falling under the ALL PROTECTED NETWORKS network set with any external IP address the ISA server is listening on. That way I could reverse-publish the DNS protocols, or even NAT all traffic from the DNS server on the same external IP address as the inbound publishing rule. A NAT table, something like what Check Point utilizes, where NAT relationships can be viewed and defined, would be awesome.
Another problem I have is that as great a product as ISA 2004 is, the reporting features, especially working with log files, suck. There is no other way to describe them. Having to copy and paste from the log page to a text file just to get a print-out is unacceptable. What I would like to see is a fully functional reporter for the log files, having standardized reports, customizable reports, and the ability to save (text, csv, sql, etc.) and print directly from the report screen.
Lastly, there is something Dr. Shinder has addressed in some of his articles. I would like to see the feature sets provided by the FlexAuth and WebDirect products from Collective Software built in. This is functionality that should have been included in the current product. (See Dr. Shinder's "Redirecting OWA Users to the Correct Directories and Protocols" series.)
Finally, to Dr. Shinder and everyone involved with ISASERVER.ORG, a giant THANK YOU!!! This site is a godsend and has saved my bacon on more than one occasion. Keep up the good work.
C. Scott Weisler
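The address asymmetry described in Case 1 and Case 2 above, modelled as an added example that is not part of the letter and not ISA or PIX code: a toy NAT translator with a publish-style rule (inbound DNAT on the alternate address, every outbound flow SNATed to the one primary address) beside a static 1:1 mapping of the kind the writer obtained from the PIX 501. All addresses are constructed documentation ranges, and the remote secondary's "allowed masters" check is an assumed stand-in for whatever source-address filter the peer applies.

```python
"""Toy model of publish-only NAT versus static 1:1 NAT for a published DNS server.

Constructed addresses (assumptions for this example, not from the letter):
  PRIMARY_EXT   primary external IP of the firewall; all outbound SNAT lands here
  ALT_EXT       alternate external IP the DNS server is published on
  DNS_INTERNAL  the protected DNS server
  SECONDARY     a remote secondary that only accepts NOTIFY/AXFR from its listed master
"""
from dataclasses import dataclass, replace
from typing import Callable, Optional

PRIMARY_EXT = "203.0.113.1"
ALT_EXT = "203.0.113.2"
DNS_INTERNAL = "192.168.1.10"
OTHER_INTERNAL = "192.168.1.20"
SECONDARY = "198.51.100.53"
DNS_PORT = 53
H323_PORT = 1720  # stand-in for a secondary connection a peer opens toward the published host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


NatFn = Callable[[Packet, str], Optional[Packet]]


def publish_only(pkt: Packet, direction: str) -> Optional[Packet]:
    """Publishing rule: inbound DNAT only for the published protocol on ALT_EXT;
    every outbound flow, whoever sends it, is SNATed to PRIMARY_EXT."""
    if direction == "in":
        if pkt.dst == ALT_EXT and pkt.dport == DNS_PORT:
            return replace(pkt, dst=DNS_INTERNAL)
        return None  # no publishing rule matches: dropped
    return replace(pkt, src=PRIMARY_EXT)


def static_one_to_one(pkt: Packet, direction: str) -> Optional[Packet]:
    """Static 1:1: ALT_EXT <-> DNS_INTERNAL in both directions (an access list
    would still gate inbound ports); other hosts stay many:1 behind PRIMARY_EXT."""
    if direction == "in":
        if pkt.dst == ALT_EXT:
            return replace(pkt, dst=DNS_INTERNAL)
        return None
    if pkt.src == DNS_INTERNAL:
        return replace(pkt, src=ALT_EXT)
    return replace(pkt, src=PRIMARY_EXT)


def notify_source_as_seen_by_secondary(nat: NatFn) -> str:
    """Source address the remote secondary sees on a NOTIFY from the internal master."""
    notify = Packet(src=DNS_INTERNAL, dst=SECONDARY, dport=DNS_PORT)
    translated = nat(notify, "out")
    assert translated is not None
    return translated.src


def secondary_accepts_notify(nat: NatFn, allowed_masters: set) -> bool:
    """Assumed peer policy: accept NOTIFY only from an address on its master list."""
    return notify_source_as_seen_by_secondary(nat) in allowed_masters


def inbound_reaches_host(nat: NatFn, dport: int) -> bool:
    """Does an inbound packet to ALT_EXT:dport get translated to the internal host?"""
    pkt = Packet(src=SECONDARY, dst=ALT_EXT, dport=dport)
    translated = nat(pkt, "in")
    return translated is not None and translated.dst == DNS_INTERNAL


if __name__ == "__main__":
    for name, nat in (("publish-only", publish_only), ("static 1:1", static_one_to_one)):
        print(f"{name:12s} NOTIFY appears from {notify_source_as_seen_by_secondary(nat)}; "
              f"secondary (master list = {{{ALT_EXT}}}) accepts: "
              f"{secondary_accepts_notify(nat, {ALT_EXT})}")
```

The secondary's master list names the address the server was published on, so under the publish-only rule the NOTIFY arrives from the primary address and is refused; under the static mapping it arrives from the alternate address and is accepted. The same mapping also lets an unsolicited inbound connection on another port reach the host, which is the second problem the Polycom case raises.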