Hi. New ISA Server convert here. I hope I'm posting this in the right area. I apologize if I didn't
I've been testing ISA Server at work on an old 500MHz PC and I've got to say I'm impressed with it. So much so, that I'm looking at replacing our 2 existing PIXs, a 515E and PIX 520 with ISA Server 2006.
Being a former "Firmware Guy" I've got some reservations about moving forward with it. Not because I doubt the power of ISA, but because I've never had to put together a server hardware recommendation for a firewall. You just pick your firewall needs based on Cisco's, or other hardware vendor's recommendations and buy.
I thought about getting an ISA Hardware device but ruled it out because I like the hands on configuration with the Microsoft MMC and the ability to add custom services like gateway anti-virus, etc. What I'm asking about here is what recommendations you experts would use given our situation. After all, when you go to upper management for the money to do these projects they want to know that what you're ordering is going to not only last, but also handle what's being thrown at it too.
We are a data center for our clients to all of their locations. We have approximately 50 clients with between 1 and 5 remote sites per client (mostly 1 or 2). Because we are their data center we have a site-to-site VPN tunnel to each branch. We also have a DMZ where we host websites for all of our clients as well as email for about 20 of them. I need to configure the hardware so that it can handle the current load easily and be able to grow as we do. I intend for it to be an edge firewall. We have a bonded T-1 running 3Mbps bi-directional and using about 40-50% bandwidth usage currently. So basically we end up with a star WAN with about 70 site-to-site VPN tunnels.
Input on hardware recommendations from anyone using ISA Server 2006 (especially in a similar setting) would be greatly appreciated from this new convert!
Thanks in advance!
< Message edited by mkleinpaste -- 19.Apr.2007 9:26:12 PM >
The ISA Firewall will handle all the workloads you've spec'ed out here, which is great!
The boxes you have configured should do their jobs pretty good. I usuualy present two options to the customers -- scale up with processors or scale out using ISA Enterprise Edition arrays. Since you haven't called out for failover over and load balancing for the ISA Firewall, you only need Standard Edition, so scaling up is reasonable and most cost effective than our since the EE lic is about $4K more.
TCP offload won't much difference, but IPSec and SSL offload cards can really speed up your VPN and publishing scenarios.
The classes I delived last week and this week were actually done at special request from MS for some of their partners. It was a ton of fun! :) Outside of that, I haven't done much teaching in the last few years. Have focused on writing and consulting.
Looking into the PPPoE at the client end I've been looking at how ISA Server handles that. I've found lot's of information about setting up ISA Server to authenticate to a PPPoE connection but nothing about how to setup a site-to-site with the Home site using a static IP and a 3rd party firewall like PIX or SonicWALL using a PPPoE connection.
I know how to do it with a Cisco and a dynamic-map, but the ISA way seems to be pretty elusive! Looking at our existing connections about a 1/3 of them are PPPoE because Century Tel has been telling clients they can't do static. So, this has kind of become a caveat to moving towards ISA Server.
< Message edited by mkleinpaste -- 26.Apr.2007 1:37:54 PM >
PPPoE isn't so much of a problem as is DHCP. If these hosts don't have static addresses, we can't do IPSec tunnel mode to those hosts, since we can connect to them using an IP addresses only, so DDNS won't solve this problem for us.
I noticed a post on the forums mentioning L2TP\IPsec is more secure and can be used with a FQDN with DynDNS service instead of using an actual IP address in where there is a dynamic address at the branch end. I'm not against changing to this if it bolsters my security.
I just have to figure out how to put a cert on our existing PIXs and TZ-170s since I've never really tried that before.
It's curious that base IPsec tunnels are still in use if L2TP\IPsec is more secure. Other than the certificates what makes it more secure or IPsec more insecure for that matter?
L2TP/IPSec is more secure because you can enforce EAP authentication on the tunnels and thus bypass XUTH exploits. There's a doc on the ms.com/isa site on how to do this with the PIX.
For other VPN gateways, you'll find that you'll be hard pressed to find them supporting L2TP/IPSec.
However, in a site to site VPN connection, the XUTH situation isn't really an issue, as performance is. You don't have header compression with IPSec tunnel mode like you have with L2TP/IPSec. And you can still use a pre-shared key if you like for L2TP/IPSec site to site VPN connections to the PIX if you like.
I appreciate your input. Can ISA Server run multiple tunneling protocols at the same time? For instance can I run IPsec for the static IPs to keep the header compression down, while running L2TP\IPsec with FQDN to enable our clients with PPPoE connections that recieve dynamic IP addresses to remain connected as well?