Uninstall Microsoft ISA on our SBS box now that we are using pfSense?
-
An old version of ISA server ran over my dog when I was 10, so I eliminate it whenever I have the chance. If you elect to go that route, you will need to (off the top of my head and not necessarily complete):
Disable the second NIC on the ISA server.
Add the firewall as a default gateway on the server.
Change the default gateway on all machines to the new firewall.
Uninstall the ISA server client from workstations.
Change proxy settings on workstations.
Uninstall ISA from the server.
The gateway is easy if the machines pull DHCP, and the proxy stuff can be changed via group policy, so it's really not that bad.
-
Our ISA server is set up in a pretty 'unsupported' way - a single network card, and using SecureNAT for a transparent proxy server - so I think to uninstall ISA we'd only need to change the default gateway through our DHCP server, and then uninstall it.
Other services on our SBS server are DNS and DHCP - is it worth running both of these on our pfSense box instead of the SBS server, or is it a case of "if it ain't broke, don't change it"? Would there be advantages of running DHCP and DNS on the pfSense box instead of SBS?
Thanks!
Kim -
Personally I like the ISA proxy + perimeter firewall approach. Though you need two NICs in the ISA box to use firewall clients, so you would have to slightly change things to do exactly as I prefer to do.
What I would suggest is pfsense with 3 interfaces at the perimeter, LAN, WAN, and OPT. OPT would have the second NIC in the SBS system, and would be what ISA would treat as WAN, though it would be a private IP subnet. LAN would be your internal network and the other NIC in your SBS box.
Then change your LAN rules to not allow anything, add whatever few specific rules you may need for direct Internet access (I would limit this as much as possible), install the ISA firewall client on client machines, and point them to the SBS box.
-
Or check out Microsoft ForeFront: http://www.microsoft.com/forefront/default.mspx
-
ISA absolutely increases your security. You can do a lot more with it than you can pfsense from an authentication standpoint (policies by Active Directory users or groups), ability to specify what types of files users can or can't download, ability to restrict sites by URL, excellent reverse proxy if you use OWA and/or OMA, layers 5-7 capabilities, etc. etc. It's a very useful piece of software. I don't care to use it directly on the perimeter, but that's mostly just personal preference.
-
Unfortunately half the machines on this network are Mac OSX - so there is not an ISA client for these machines (so we have to use SecureNAT).
I think I will continue to use ISA to cache http stuff and to block certain protocols from the pfSense box to the SBS server (such as only allowing http, smtp, https, remote desktop, etc). So it will just act as a layer between our gateway (pfSense) and the server.
Is there an easy way I can use it to still cache http stuff? (a cache forwarder in pfSense stuff or something?)
Kim
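Added example, not code from the thread or from the pfSense project: a small first-match rule evaluator that models the three-interface layout suggested earlier (LAN blocked by default, OPT carrying the ISA box's second NIC on a private subnet) together with Kim's short list of protocols allowed between the perimeter and the SBS/ISA box. All addresses, the OPT subnet and the port list are constructed assumptions for illustration; pfSense evaluates rules top-down with the first match winning and an implicit block at the end, which is what `evaluate` reproduces.

```python
"""Added example (not from the thread): a first-match firewall rule evaluator
that checks a deny-by-default egress policy for the pfSense + ISA layout.
Addresses and ports below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface the packet arrives on: LAN, OPT, WAN
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins (pfSense semantics); no match means block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Constructed addressing (assumption, not from the thread).
LAN_NET = "192.168.1.0/24"     # workstations plus the SBS internal NIC
OPT_NET = "192.168.2.0/24"     # private subnet between pfSense and ISA
ISA_OPT_IP = "192.168.2.2/32"  # ISA's second NIC, what ISA treats as "WAN"
ANY = "0.0.0.0/0"

RULES = [
    # LAN: no direct Internet access; clients must go through the ISA proxy.
    Rule("block", "LAN", LAN_NET, ANY, "any"),
    # OPT: only the ISA box may reach the Internet, and only for web, mail
    # and upstream DNS lookups for the SBS resolver.
    Rule("pass", "OPT", ISA_OPT_IP, ANY, "tcp", 80),
    Rule("pass", "OPT", ISA_OPT_IP, ANY, "tcp", 443),
    Rule("pass", "OPT", ISA_OPT_IP, ANY, "tcp", 25),
    Rule("pass", "OPT", ISA_OPT_IP, ANY, "udp", 53),
    # WAN: inbound to the ISA/SBS box limited to http, smtp, https and RDP
    # (Kim's list); anything else falls through to the implicit block.
    Rule("pass", "WAN", ANY, ISA_OPT_IP, "tcp", 80),
    Rule("pass", "WAN", ANY, ISA_OPT_IP, "tcp", 25),
    Rule("pass", "WAN", ANY, ISA_OPT_IP, "tcp", 443),
    Rule("pass", "WAN", ANY, ISA_OPT_IP, "tcp", 3389),
]


def check(iface: str, src: str, dst: str, proto: str, dport: int) -> str:
    """Decide a single packet against RULES; returns 'pass' or 'block'."""
    return evaluate(RULES, Packet(iface, src, dst, proto, dport))


if __name__ == "__main__":
    # A workstation trying to bypass the proxy is blocked on LAN.
    print(check("LAN", "192.168.1.50", "203.0.113.10", "tcp", 80))
    # The ISA box itself may fetch web content on behalf of clients.
    print(check("OPT", "192.168.2.2", "203.0.113.10", "tcp", 443))
    # Telnet out from the ISA box is not in the allow list.
    print(check("OPT", "192.168.2.2", "203.0.113.10", "tcp", 23))
    # Inbound RDP and SMB from the Internet: only the listed ports pass.
    print(check("WAN", "198.51.100.7", "192.168.2.2", "tcp", 3389))
    print(check("WAN", "198.51.100.7", "192.168.2.2", "tcp", 445))
```

The evaluator only models the filter decision; on a real pfSense box the WAN entries would additionally need port forwards (NAT) to the ISA address, and the LAN block rule is shown explicitly even though pfSense would block unmatched traffic anyway, so that the intended deny-by-default posture is visible in the rule list rather than implied.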
-
Yeah, OS X complicates things. You can still configure the proxy in their browser, though any other application will need to be proxy-aware (most are), or you'll have to allow direct access to the Internet for those machines/protocols. I strongly prefer proxying everything outbound, I would try to stick with the type of ISA setup I described above if at all possible, and let it do the caching.
The squid package should let you do caching, but I'm not familiar with it.
-
We had tried setting up the proxy server manually on the OS X machines, but a couple of the programs we use frequently did not use it - so we had to go the SecureNAT route. However, in the single network card scenario we have, this is not really supported very well.
Would there be a way to do it still with one network card?
Kim
-
Not sure, I've never run ISA with a single NIC, and it's generally frowned upon.
In your situation, it might make the most sense to take pfsense out of the picture entirely, drop a second NIC in the ISA box, and use it as your perimeter.
-
omg, chris has been borged
:-)