Welcome to ISAserver.org

ISA Noob here

ISA Noob here - 30.May2007 7:30:24 AM   
Enlil242

 

Posts: 8
Joined: 30.May2007
Status: offline
Hello there all!

I have the need to become an ISA expert in kind of a hurry. I am so happy to have found this site. I am not sure if this has already been stated, but I was wondering if there is a specific way to set this up for the following basic requirements (with the possibility of utilizing more of its features down the pipe).

1.)    Userid/password access to Internet for web browsing
2.)    Monitoring web browsing with reports.
3.)    Blocking of websites. (Content Filtering)

Does ISA Server provide these basic requirements I have here? Sorry for such a rudimentary question, but I haven't looked into these technologies before and we have had websense in the past which has expired and management doesn't want to renew. They prefer the MS approach.

If possible, is there a pretty good resource on how to set ISA up to perform the three tasks without much overhead?

Thanks in advance for your expert input!

Jeff

< Message edited by Enlil242 -- 30.May2007 7:43:23 AM >
Post #: 1
RE: ISA Noob here - 11.Jun.2007 9:35:27 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
You don't mention security. Do you want the ISA Firewall to provide security or are you using it just as an optional logging device for user activity.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Enlil242)
Post #: 2
RE: ISA Noob here - 11.Jun.2007 12:02:52 PM   
Enlil242

 

Posts: 8
Joined: 30.May2007
Status: offline
Thanks for your reply! It has been a bit of time since posting this. I have read up on ISA since, thanks to your articles and MS Whitepapers.

I am most certain we would like to take advantage of all the security features available in ISA Server 2006. At this time, I am trying to ascertain if I can utilize ISA to meet the business needs outlined above. They want me to investigate the Microsoft route since they are not renewing Websense, which seems to have more granular control and is what our Networking team prefers.

My ISA Server will be placed internally behind our PIX. Is there an article on the best practices for this type of placement?

Also, I am reading your article on the ISA Firewall Client. I take it that this will have an important role in meeting my requirements, too?

I really appreciate the information you provide, I just need a good kickstart.

Also, I need to investigate high-availability without the obligation of upgrading to the Enterprise version. Our EA gives us the license for Standard. Are there any good HA scenarios I can do with Standard?

Thank you,

Jeff

< Message edited by Enlil242 -- 11.Jun.2007 12:06:22 PM >

(in reply to tshinder)
Post #: 3
RE: ISA Noob here - 12.Jun.2007 10:10:43 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeff,

First place to start re: integration with the PIX: http://www.isaserver.org/tutorials/2004isapixdmz.html

Other answers inline:

Also, I am reading your article on the ISA Firewall Client. I take it that this will have an important role in meeting my requirements, too?
TOM: If you want the most comprehensive logging and reporting of what users do, from what computer names they're doing it from, and the actual applications that they're using when they're doing their stuff, then you should install the Firewall client. I consider it an ISA Firewall best practice.

I really appreciate the information you provide, I just need a good kickstart.


Also, I need to investigate high-availability without the obligation of upgrading to the Enterprise version. Our EA gives us the license for Standard. Are there any good HA scenarios I can do with Standard?
TOM: You could use Round Robin DNS for the Firewall clients. There is also a trick you can use to enable client side CARP behavior for Web Proxy clients connecting to ISA SE. I believe there's an article on this site on how to do it (I didn't write that one, but it was written by someone who is quite good with the ISA Firewall).
HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Enlil242)
Post #: 4
RE: ISA Noob here - 12.Jun.2007 11:02:39 AM   
Enlil242

 

Posts: 8
Joined: 30.May2007
Status: offline
Great stuff! I am also forwarding this article on to my Networking partner. Thanks for the info. This will keep me busy for a while...

I will search out the CARP trick document. I did bring up the Round Robin DNS approach, but wouldn't that shoot back errors if one of the servers were down? I didn't think there was enough intelligence built in with that approach. I'll read up more on that though...

Thanks again!

Regards,
Jeff

Just a quick Post Script... Since there is no built-in URL Filtering in ISA Server, what would you recommend as far as a good (and cheap) add-on?

< Message edited by Enlil242 -- 12.Jun.2007 11:33:26 AM >

(in reply to tshinder)
Post #: 5
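
Added example, not part of the thread and not the article Tom refers to: one way to get hash-based distribution with failover on the client side is a proxy auto-configuration (PAC) script, which also addresses the round robin DNS concern above because the browser receives an ordered list and moves to the next proxy when the first does not answer. The proxy names are hypothetical, and the FNV-1a ranking is a simplified stand-in for the CARP hash.

```javascript
// Added example: PAC script giving hash-based proxy selection with failover.
// Proxy names are hypothetical; 8080 is the default ISA Web Proxy listener port.
var PROXIES = ["isa1.example.local:8080", "isa2.example.local:8080"];

// FNV-1a 32-bit hash, written with shifts so it also runs on old script engines.
function fnv1a(str) {
  var h = 0x811c9dc5;
  for (var i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    // multiply by the FNV prime 16777619 = 2^24 + 2^8 + 2^7 + 2^4 + 2^1 + 1
    h = (h + (h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24)) >>> 0;
  }
  return h;
}

// Rank every proxy for this host by hash(host | proxy), highest score first.
// Simplified stand-in for the CARP hash, not the CARP specification.
function rankProxies(host, proxies) {
  var scored = [];
  for (var i = 0; i < proxies.length; i++) {
    scored.push({ proxy: proxies[i], score: fnv1a(host.toLowerCase() + "|" + proxies[i]) });
  }
  scored.sort(function (a, b) {
    return b.score - a.score || (a.proxy < b.proxy ? -1 : 1);
  });
  var out = [];
  for (var j = 0; j < scored.length; j++) out.push(scored[j].proxy);
  return out;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (host.indexOf(".") === -1) return "DIRECT"; // intranet short names bypass the proxy
  var ranked = rankProxies(host, PROXIES);
  var parts = [];
  for (var i = 0; i < ranked.length; i++) parts.push("PROXY " + ranked[i]);
  return parts.join("; "); // entries are tried in order, so a dead proxy is skipped
}
```

Because the same destination host always ranks the proxies the same way, each proxy's cache sees a stable share of sites, unlike round robin DNS where any client can land on any server.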
RE: ISA Noob here - 13.Jun.2007 9:56:23 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
There are several free lists of block sites that you can import into the ISA Firewall. You can also use the MVPS host file block list, which works on the ISA Firewall and doesn't require that you configure any ISA Firewall components.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Enlil242)
Post #: 6
RE: ISA Noob here - 14.Jun.2007 12:21:36 PM   
Enlil242

 

Posts: 8
Joined: 30.May2007
Status: offline
OK. Thank you very much for the info. I am really getting a good idea of this product. Also, its strengths and weaknesses.

I am taking from your last post that any web filtering done in ISA is pretty much a manual process. Correct? Meaning all of the updating would be done by the admin as opposed to a product (subscription) such as WebSense which would have a dynamically updated database. This is a huge deal for us. You had asked in the beginning if this would primarily act as a logging device for user activity. The reason why I am looking into ISA 2006 is to replace WebSense. So, any feature in WebSense should be in ISA for me to recommend it. (We already have a license for ISA because of our EA agreement)

So, as of now I see that:

- Detailed user logging / reporting will require the ISA Firewall Client installed.
- Web filtering is a manual process by setting up and creating URL sets / importing lists.

This leaves the last feature I still am in the dark about...

- Reporting.

OK so far I haven't been able to see what types of reports I can generate on user activity out of the box. Does ISA 2006 come with a good reporting feature? Meaning, can I create detailed reports on user activity without a whole lot of effort? (as far as this goes, I am referring to how report generation is done in SMS, requiring a lot of SQL knowledge and time to create them.)

I have seen some compelling add-ons that will do URL filtering and Report generation that I am seeking, but I do not want to spend as much or more money for these add-ons when I can just renew my WebSense license that would do it all...

Thanks again for your detailed expertise and references to some great content. It really is making it easier to understand this very robust and complex product. I am hoping we can utilize it, but I feel that where ISA really shines is in areas we already are covered. If I seem to be wrong with this analysis, please let me know.

Regards,

Jeff

(in reply to tshinder)
Post #: 7
RE: ISA Noob here - 14.Jun.2007 12:59:18 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeff,

The areas where the ISA Firewall really shines and makes it a superior product:
  • Network firewall -- more secure than just about every one of the current "hardware firewalls". In contrast to most other firewalls in the market, neither ISA 2004 nor ISA 2006 has any vulnerabilities noted in the Secunia database. That is an ENORMOUS accomplishment! In addition, the addition of the Firewall client provides detailed information about user activity to and through the ISA Firewall that no other firewall on the market today can provide.
  • VPN Server -- provides extremely granular access control over remote access VPN users and applies both stateful packet and application layer inspection to remote access VPN clients
  • Remote Access to Exchange Web Services -- ISA is the second best product in the market for enabling secure remote access to Exchange Web services. The only better product is the IAG 2007
  • Remote Access to SharePoint Portal Servers -- ISA is the second best product in the market today for enabling secure remote access to SharePoint Portal Servers. The best product is the IAG 2007

Those are the strong points. As you noted one of the weak points is that the admin must manage the block list -- that's why it's so cheap :)  Seriously, many people do use the public free block lists to good effect. You also could use some of the other add-ons that are more cost effective than Websense.

Another weak point is the reporting. While the ISA Firewall has a ton of canned reports, it doesn't do what you and most other people want to do -- see what the activity of a particular user has been over X period of time, or on a specific day, etc. You can use third party tools to give you that kind of detailed reporting, but ISA reports will only give you reports on "Top Users" such as the top 10 or 20 or 50 or 100.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Enlil242)
Post #: 8
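
Added example, not part of the thread: the per-user, per-day view described above can be built directly from a proxy log written in W3C extended format. The sample log is constructed, and the column names (`c-ip`, `cs-username`, `date`, `r-host`, `sc-bytes`) and tab-delimited records are assumptions; the parser takes whatever names the log's own `#Fields:` line declares.

```javascript
// Added example: per-user Web activity from a W3C extended format proxy log.
// SAMPLE_LOG is constructed; real column names come from the log's #Fields: line.
var SAMPLE_LOG = [
  "#Fields: c-ip\tcs-username\tdate\ttime\tr-host\tsc-bytes",
  "10.0.0.21\tCORP\\jsmith\t2007-06-14\t09:01:12\twww.example.com\t5120",
  "10.0.0.21\tCORP\\jsmith\t2007-06-14\t09:03:40\twww.example.com\t2048",
  "10.0.0.34\tCORP\\jsmith\t2007-06-14\t13:15:02\tnews.example.org\t1000",
  "10.0.0.21\tCORP\\jsmith\t2007-06-13\t16:20:00\twww.example.com\t300",
  "10.0.0.50\tanonymous\t2007-06-14\t10:00:00\tads.example.net\t700",
  "10.0.0.21\tCORP\\jsmith" // truncated line, must be skipped
].join("\r\n");

// Parse tab-delimited records, mapping each column to its #Fields: name.
function parseW3C(text) {
  var fields = null, rows = [], lines = text.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i];
    if (line === "") continue;
    if (line.charAt(0) === "#") {
      if (line.indexOf("#Fields:") === 0) fields = line.slice(8).trim().split(/\s+/);
      continue;
    }
    if (!fields) continue; // no header seen yet, columns cannot be named
    var cols = line.split("\t"), row = Object.create(null);
    if (cols.length !== fields.length) continue; // malformed or truncated record
    for (var j = 0; j < fields.length; j++) row[fields[j]] = cols[j];
    rows.push(row);
  }
  return rows;
}

// Summarize one user's requests, optionally limited to one date (YYYY-MM-DD).
function userActivity(rows, user, date) {
  var report = { requests: 0, bytes: 0,
                 hosts: Object.create(null), clients: Object.create(null) };
  for (var i = 0; i < rows.length; i++) {
    var r = rows[i];
    if ((r["cs-username"] || "").toLowerCase() !== user.toLowerCase()) continue;
    if (date && r["date"] !== date) continue;
    report.requests++;
    report.bytes += parseInt(r["sc-bytes"], 10) || 0;
    report.hosts[r["r-host"]] = (report.hosts[r["r-host"]] || 0) + 1;
    report.clients[r["c-ip"]] = true; // workstations the account was used from
  }
  return report;
}
```

Requests that were never authenticated cannot be attributed this way; in the constructed sample they appear under the user `anonymous`.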
RE: ISA Noob here - 14.Jun.2007 5:27:35 PM   
Enlil242

 

Posts: 8
Joined: 30.May2007
Status: offline
Thank you much, Tom. Your help in understanding the basics has been very appreciated.

Regards,
Jeff

(in reply to Enlil242)
Post #: 9
