ISA server limits

ISA server limits - 6.Aug.2008 11:08:07 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

I have some doubts about ISA server limits on both editions:

1- How many firewall policies can I create?
2- I know that ISA supports 1.000 simultaneous remote client VPN connections, but how many site-to-site VPNs can it support?
3- How many concurrent firewall connections are supported by ISA server?

Appreciate any answer.

Regards,
Paulo Oliveira.
Post #: 1
RE: ISA server limits - 6.Aug.2008 5:20:01 PM   
remushociota

 

Posts: 64
Joined: 12.Apr.2004
Status: offline
At #3 I think standard edition holds 40.000 I remember reading it somewhere...

1 and 2 I have no clue.

(in reply to paulo.oliveira)
Post #: 2
RE: ISA server limits - 6.Aug.2008 5:45:25 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

thanks for the reply. Anybody have more clues?

Regards,
Paulo Oliveira.

(in reply to remushociota)
Post #: 3
RE: ISA server limits - 7.Aug.2008 7:51:18 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
1. More than you'll create in a lifetime

2. Included in the number of VPN connections (remote access + site to site = 1000) for Standard edition, unlimited for Enterprise edition.

3. 65,000+

HTH,
Tom

< Message edited by tshinder -- 7.Aug.2008 7:55:24 AM >


_____________________________

Thomas W Shinder, M.D.

(in reply to paulo.oliveira)
Post #: 4
RE: ISA server limits - 7.Aug.2008 3:59:09 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Tom,

thanks for the reply.

quote:

1. More than you'll create in a lifetime

Can you convert into numbers? You can tell the most you created for a company. Sorry for these questions, just want to find out more about ISA capabilities to compare with those hardware firewalls!!
quote:

3. 65,000+

Is it for both editions? If there are more than that, what happens?

Regards,
Paulo Oliveira.

(in reply to tshinder)
Post #: 5
RE: ISA server limits - 7.Aug.2008 4:12:31 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I've seen an array with 300 rules, but imagine Tom can top that

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to paulo.oliveira)
Post #: 6
RE: ISA server limits - 8.Aug.2008 9:45:26 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
I once wanted to test this and created one that had over 1000 rules. The machine had 6 NICs and 6 ISA firewall Networks defined.

However, I'm sure if you want to go over 10,000 rules, you might want to rethink your security design

BTW -- I wouldn't judge any firewall by the number of rules it supports. That's a "feature comparison" and has nothing to do with security.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 7
RE: ISA server limits - 8.Aug.2008 11:07:44 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Tom,

sorry if I misspelled. But I just want to compare the features and not the security.

I'm doing this because recently I was asked by my director to do a comparison between two hardware firewalls. I'm afraid he wants to put one of those in the company, but I'm truly happy and satisfied with ISA.
So, what I'm trying to say is I want to have arguments against some comparison features.

Regards,
Paulo Oliveira.

(in reply to tshinder)
Post #: 8
RE: ISA server limits - 8.Aug.2008 12:34:52 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: tshinder

I once wanted to test this and created one that had over 1000 rules. The machine had 6 NICs and 6 ISA firewall Networks defined.

However, I'm sure if you want to go over 10,000 rules, you might want to rethink your security design

BTW -- I wouldn't judge any firewall by the number of rules it supports. That's a "feature comparison" and has nothing to do with security.

Thanks!
Tom


Knew you would beat me!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 9
RE: ISA server limits - 10.Aug.2008 10:04:35 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: paulo.oliveira

Hi Tom,

sorry if I misspelled. But I just want to compare the features and not the security.

I'm doing this because recently I was asked by my director to do a comparison between two hardware firewalls. I'm afraid he wants to put one of those in the company, but I'm truly happy and satisfied with ISA.
So, what I'm trying to say is I want to have arguments against some comparison features.

Regards,
Paulo Oliveira.


Hi Paulo,

Best thing to do is show that the "hardware" firewalls (there is actually no such thing) are less secure, by showing how many vulnerabilities they have in the Secunia database. ALL "hardware" firewalls have more vulnerabilities, and are less secure, than the ISA firewall (at least as far as I can tell).

Show him those facts and then ask him why a less secure solution is a better solution.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to paulo.oliveira)
Post #: 10
RE: ISA server limits - 10.Aug.2008 11:57:20 AM   
justmee

 

Posts: 505
Joined: 14.May.2007
Status: offline
Hi Paulo,
You can get some numbers from ISA appliance vendors:
http://www.celestix.com/products/msa/comparison.html
http://www.nappliance.com/pdfs/Compare/NetGateway_mISAE_Compare_Product_Datasheet.pdf

You can scroll through their web sites, and since they bundle some add-ons on their appliances, your boss can get a better picture of what a "loaded" ISA 2006 machine can do, for example:
http://www.nappliance.com/products/nGatewaymISAE.asp

I think your boss read this:
quote:

The top-of-the-line Cisco ASA 5580-40 offers up to two million simultaneous connections, 750,000 security policies and 10 Gbps of firewall throughput

http://newsroom.cisco.com/dlls/2008/prod_012208.html
Cisco is the king of bling-bling...

Not sure what a "security policy" is, but I have seen hardware firewalls that need a couple of firewall policies, or whatever they call them, to achieve what ISA can achieve with a single access rule or publishing rule, so maybe this would be a reason why they need so many rules .....

Personally I've noticed that once you enter the hundreds of rules arena, it becomes painful for the eye and mind.

Regards,
J

< Message edited by justmee -- 10.Aug.2008 1:29:20 PM >

(in reply to tshinder)
Post #: 11
RE: ISA server limits - 10.Aug.2008 5:38:00 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Tom,

you're right about that!! I checked the Secunia site and neither ISA 2004 nor ISA 2006 has any vulnerabilities. For sure I'll remember this!!

Thanks again.

Regards,
Paulo Oliveira.

(in reply to tshinder)
Post #: 12
RE: ISA server limits - 10.Aug.2008 5:42:41 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi J,

thanks for the reply. I had seen the Celestix comparison and was excited about it.

Has anyone in here already used some of these ISA appliances?? I'm really curious about it!
As I said before, I really like ISA and strongly recommend it!

Thank you guys for helping me out!

Regards,
Paulo Oliveira.

(in reply to justmee)
Post #: 13
RE: ISA server limits - 11.Aug.2008 2:41:54 AM   
justmee

 

Posts: 505
Joined: 14.May.2007
Status: offline
Hi Paulo,
The Celestix ones are good.
Not sure about nappliance, but personally I would like to get my hands on one of those, they look faster on paper than Celestix, quite faster actually.
Regards,
J

(in reply to paulo.oliveira)
Post #: 14
RE: ISA server limits - 11.Aug.2008 10:59:51 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi J,

yeah, I'd like to have one to run some tests too. I was looking at some screenshots from the Celestix site and it seems extremely easy to manage and configure!

Hope someone here on the site has already "played" with it and can tell us about the experience.

Regards,
Paulo Oliveira.

(in reply to justmee)
Post #: 15
RE: ISA server limits - 12.Aug.2008 9:07:48 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The setup is very easy and can be done with the Web interface or the jog-dial in front of the unit. Disaster recovery is a breeze, and you don't even lose your firewall rules, or you can go back to factory settings and use the backup you created with Backup for ISA Server.:)

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to paulo.oliveira)
Post #: 16
RE: ISA server limits - 12.Aug.2008 3:23:45 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Tom,

so, I'm assuming you already tested it. That's great to know.
As I said before, I saw the screenshots and the configuration seems like a piece of cake!

One more question about ISA performance. How many users do you recommend for the Standard and Enterprise Editions?
I mean, a company that has 10-150 users = Standard; 150-3000 users = Enterprise

Regards,
Paulo Oliveira.

(in reply to tshinder)
Post #: 17
RE: ISA server limits - 13.Aug.2008 8:20:08 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
It's not just about user numbers...there are lots of reasons to use EE even if you have 10 users if certain factors are important to you. Two obvious ones are high-availability and centralised management.

EE will scale more, and hence be better for more users, mainly because you can add more servers and appear as one "logical ISA Server".

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to paulo.oliveira)
Post #: 18
RE: ISA server limits - 13.Aug.2008 11:04:32 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Jason,

thanks for the reply. I'm not very familiar with ISA EE, but I know some features of it. I actually use an ISA SE with 40 users and I was wondering if ISA SE will be enough for a company with 150 or 200 users or if EE will be better (not talking about maintenance, but capacity).

Regards,
Paulo Oliveira.

(in reply to Jason Jones)
Post #: 19
RE: ISA server limits - 13.Aug.2008 12:08:58 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
In my experience SE is more than capable of providing enough capacity for 150-200 users. I don't think I would be surprised to see a well spec'd server running SE for 1000 users or even more TBH.

However if you want high availability, scalability or centralised management then an upgrade to EE is a sensible approach.

Cheers

JJ



_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to paulo.oliveira)
Post #: 20
