SurfControl Mobile Filter (Full Version)

bctgroup -> SurfControl Mobile Filter (5.May2006 9:35:19 AM)

Hi all
 
We run ISA 2004 with SurfControl for ISA v5 on Windows 2003.
 
I'm about to test the Mobile Filter module for SurfControl.  It's an interesting product.  It's designed to enforce SurfControl policies on laptop and other remote users.  I thought it kept a copy of the SurfControl policies locally and updated these over the VPN or LAN, but that's not how it works.  What it does is to check back in real time with the Mobile Filter server each time the user tries to access a web site. 
Pros
- Inexpensive at about 200 for 25 users.
- Claims to be tamper-proof and would be transparent to the end-user.
- Allows laptop users to use their own Internet connection rather than have to use bandwidth by connecting to the office via VPN and browsing the web that way.

Cons
- Requires a dedicated server to be placed on the DMZ (http://www.surfcontrol.com/uploadedfiles/Mobile_Filter_Deployment_and_Best_Practices_Guide.pdf) so the product's cost is dwarfed by the expense of buying and licensing a new server.
- Firewall rules would have to be implemented allowing the Mobile Filter server to communicate with the SurfControl SQL database on the ISA server and with Active Directory.

Has anyone tried out this product? 
 
Anyone not using a DMZ?  I ask because we host a couple of web sites and don't have a DMZ.  It's the Swiss cheese argument.
 
Regards
 
Paul




Jason Jones -> RE: SurfControl Mobile Filter (11.May2006 2:20:41 AM)

Yeah works well...

It is not necessary to put the mobile filter in the DMZ, as you can publish it using ISA web publishing and appropriate paths/HTTP filters for better security. I have a customer doing this just fine [;)]

SurfControl don't seem to understand the concept of reverse proxying and hence just mention DMZ [:(]

JJ




bctgroup -> RE: SurfControl Mobile Filter (11.May2006 11:49:20 AM)

quote:

ORIGINAL: Jason Jones

It is not necessary to put the mobile filter in the DMZ, as you can publish it using ISA web publishing and appropriate paths/HTTP filters for better security. I have a customer doing this just fine [;)] 


Yes, when I came to install the product I noted that all that was required was to have port 80 access to the server hosting the mobile filter.  No need to put the server in the DMZ at least for test purposes.

I think what will decide me on this one is whether the mobile filter server can integrate with the ISA server filter.  I got the distinct impression that user access would be logged to a central database on the ISA server, but I've had no joy pointing the mobile filter server to the ISA server db.

If the mobile filter ends up as a standalone product then there's a stronger case to put it in a DMZ.  The thing is, in order to check user permissions etc. it has to access Active Directory.  If it's on a DMZ that means putting another hole in the firewall.



