Netgate Discussion Forum
    Uninstall Microsoft ISA on our SBS box now that we are using pfSense?

    • dotdash

      An old version of ISA server ran over my dog when I was 10, so I eliminate it whenever I have the chance. If you elect to go that route, you will need to (off the top of my head and not necessarily complete):
      • Disable the second NIC on the ISA server.
      • Add the firewall as a default gateway on the server.
      • Change the default gateway on all machines to the new firewall.
      • Uninstall the ISA server client from workstations.
      • Change proxy settings on workstations.
      • Uninstall ISA from the server.

      The gateway is easy if the machines pull DHCP, and the proxy stuff can be changed via group policy, so it's really not that bad.

      • Kim

        Our ISA server is set up in a pretty 'unsupported' way - a single network card, and using SecureNAT for a transparent proxy server - so I think to uninstall ISA we'd only need to change the default gateway through our DHCP server, and then uninstall it.

        Other services on our SBS server are DNS and DHCP - is it worth running both of these on our pfSense box instead of the SBS server, or is it a case of "if it ain't broke, don't change it"? Would there be advantages of running DHCP and DNS on the pfSense box instead of SBS?

        Thanks!
        Kim

        • cmb

          Personally I like the ISA proxy + perimeter firewall approach. Though you need two NICs in the ISA box to use firewall clients, so you would have to slightly change things to do exactly as I prefer to do.

          What I would suggest is pfsense with 3 interfaces at the perimeter, LAN, WAN, and OPT. OPT would have the second NIC in the SBS system, and would be what ISA would treat as WAN, though it would be a private IP subnet. LAN would be your internal network and the other NIC in your SBS box.

          Then change your LAN rules to not allow anything, add whatever few specific rules you may need for direct Internet access (I would limit this as much as possible), install the ISA firewall client on client machines, and point them to the SBS box.

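          As an added illustration of the three-interface layout cmb describes (not code from the thread, and not the rules pfSense itself generates from its GUI), here is a hand-written pf ruleset with assumed interface names and addresses: LAN hosts get no direct Internet path, the SBS/ISA box's second NIC on OPT is the only egress, and nothing on OPT may reach LAN.

```pf
# Added illustration, not from the thread or from pfSense's generated config.
# Assumed interfaces and addressing:
#   WAN = em0
#   LAN = em1, 192.168.1.0/24  (internal network + SBS/ISA internal NIC)
#   OPT = em2, 10.10.10.0/24   (private subnet ISA treats as its "WAN")
#   SBS/ISA "external" NIC on OPT = 10.10.10.2
wan     = "em0"
lan     = "em1"
opt     = "em2"
lan_net = "192.168.1.0/24"
opt_net = "10.10.10.0/24"
isa_opt = "10.10.10.2"

# Outbound NAT only for traffic arriving via OPT, i.e. traffic that has
# already passed through ISA. LAN sources are never translated.
nat on $wan from $opt_net to any -> ($wan)

# Default deny in every direction, logged so bypass attempts show up.
block log all
pass quick on lo0

# LAN: no direct Internet access. Clients reach the Internet only through
# the ISA firewall client / proxy on the SBS box, which lives on LAN too.
# Add the few narrow exceptions cmb mentions here, one per line, e.g.:
#   pass in on $lan proto udp from $lan_net to <ntp_servers> port 123
# Let LAN hosts talk to pfSense itself for DNS/DHCP if it serves them.
pass in on $lan proto udp from $lan_net to ($lan) port { 53, 67 }

# OPT: only ISA's external NIC may leave, and never toward LAN.
pass in  on $opt proto { tcp, udp, icmp } from $isa_opt to ! $lan_net
pass out on $wan from ($wan) to any
```

Because the LAN rule set has no pass to the Internet, any workstation that bypasses ISA shows up in the block log, which is a cheap way to find machines without the firewall client or proxy settings.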
          • sullrich

            Or check out Microsoft Forefront: http://www.microsoft.com/forefront/default.mspx

            • cmb

              ISA absolutely increases your security. You can do a lot more with it than you can with pfSense from an authentication standpoint (policies by Active Directory users or groups), ability to specify what types of files users can or can't download, ability to restrict sites by URL, excellent reverse proxy if you use OWA and/or OMA, layers 5-7 capabilities, etc. etc. It's a very useful piece of software. I don't care to use it directly on the perimeter, but that's mostly just personal preference.

              • Kim

                Unfortunately half the machines on this network are Mac OS X - so there is not an ISA client for these machines (so we have to use SecureNAT).

                I think I will continue to use ISA to cache http stuff and to block certain protocols from the pfSense box to the SBS server (such as only allowing http, smtp, https, remote desktop, etc). So it will just act as a layer between our gateway (pfSense) and the server.

                Is there an easy way I can use it to still cache http stuff? (a cache forwarder in pfSense stuff or something?)

                Kim

                • cmb

                  Yeah, OS X complicates things. You can still configure the proxy in their browser, though any other application will need to be proxy-aware (most are), or you'll have to allow direct access to the Internet for those machines/protocols. I strongly prefer proxying everything outbound, I would try to stick with the type of ISA setup I described above if at all possible, and let it do the caching.

                  The squid package should let you do caching, but I'm not familiar with it.

                  • Kim

                    We had tried setting up the proxy server manually on the OS X machines, but a couple of the programs we use frequently did not use it - so we had to go the SecureNAT route. However, in the single network card scenario which we have, this is not really supported very well.

                    Would there be a way to do it still with one network card?

                    Kim

                    • cmb

                      Not sure, I've never run ISA with a single NIC, and it's generally frowned upon.

                      In your situation, it might make the most sense to take pfsense out of the picture entirely, drop a second NIC in the ISA box, and use it as your perimeter.

                      • sai

                        omg, chris has been borged

                        :-)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.