I want to set up ISA as a second layer Firewall and Caching Proxy Server with Websense Security Suite. This will sit in front of my hardware firewall, with a static route between the two.
I already have licenses for Websense which I want to integrate with ISA 2006. I would also like to virus scan the HTTP and FTP traffic but have been advised that my only solution for this is to look at a Network Engines NS9200 appliance which for a company of 100 users is a bit too pricy and overkill.
Apparently the problem is with Websense and AV scanning?
Can anyone shed some light on this and perhaps share some alternative solutions?
I have no experience with ISA Server 2006, but I am running Websense Security Suite together with GFI WebMonitor (with virus scanning enabled) on ISA 2004, and as far as I can tell they are able to co-exist without any problems whatsoever. They each have their own web filter add-in in ISA Server, so when a request is filtered, it will only be passed to the next add-in in line after the previous one has completely finished processing it, preventing them from interfering with each other.
Since other antivirus solutions for ISA Server will most likely work as an add-in as well, I wonder what problems your advisor is expecting when combining them with Websense.
Network Engines have many products in their range, for SME to Enterprise. However, in order to use ISA and Websense and Kaspersky AV (I think this is what they use) you can only use the high end platform - NS9200 - which makes it quite expensive for SME, certainly 100 users. Unfortunately there are no alternatives for Network Engines in the smaller range simply because the hardware isn't capable of supporting all 3 modules - therefore I think your advisor is correct in that a supported and hardened platform is the NS9200.
However, you could substitute the hardware with an HP, DELL etc. and build your own server for this operation. I guess your advisor has reservations about this as it throws a spanner in the works for support perhaps? - i.e. it's not an appliance anymore.
Technically you can run ISA with Websense and an AV engine all on one server for smaller installs with the Websense reporter elsewhere. You can also operate them as a second layer firewall behind a perimeter firewall such as Sonicwall, Netscreen, Check Point - ISA works best as the second firewall as it has better protection of network assets.
I'm sure your consultant will have a few troubles along the way but that's expected with the complexities of combining 3 software products ;)
When you say 'problem with Websense and AV scanning' what they probably meant was Websense doesn't have an AV engine so you need to allow for this - Kaspersky or another engine...