Uninstall Microsoft ISA on our SBS box now that we are using pfSense?

  • We have a Windows 2003 SBS box with ISA installed.

    I have installed pfSense on one of our old servers. Now that I have this in place, is there any point continuing to run ISA on our SBS box? We would no longer be using the ISA box as our gateway for clients - but maybe it is worth keeping it there as an extra layer of security? Or would the benefits of uninstalling it (less processes on the SBS box) outweigh the benefits of leaving it on there?

    I'm just interested to see what people's thoughts are.


  • Why are you switching? You could be asking for trouble.

    As much as I like pfSense, I would not change from a working SBS 2003 with ISA. It sounds easy to uninstall, but I think you will end up with a reinstall.

    SBS remote access is very easy to install and use. I would test and retest it before using pfSense.

    ---------------------- OFF Topic -----------------------------

    Say "Shared calendar" and you have sold an SBS 2003.
    Give them remote access too and you have them in your pocket.

    Windows Small Business Providers do not need 10 commitments  ;)

  • ISA is useful as a web proxy - you could route all your http through that.

    As far as I am concerned, ISA doesn't really increase your security.

  • Cool, thanks for the comments. pfSense is going to be a replacement for an outdated (5 or 6 years old) SonicWall hardware firewall - so we might still leave ISA in place then (and perhaps just disable the logging), and use it as an HTTP proxy.

    What sort of rules would I need to set up for this (in order to ensure that only HTTP data from the LAN is routed via the SBS box, and not re-routed back to itself when it is returned to the pfSense gateway)?


  • An old version of ISA server ran over my dog when I was 10, so I eliminate it whenever I have the chance. If you elect to go that route, you will need to (off the top of my head and not necessarily complete):
    1. Disable the second NIC on the ISA server.
    2. Add the firewall as a default gateway on the server.
    3. Change the default gateway on all machines to the new firewall.
    4. Uninstall the ISA server client from workstations.
    5. Change proxy settings on workstations.
    6. Uninstall ISA from the server.

    The gateway is easy if the machines pull DHCP, and the proxy stuff can be changed via group policy, so it's really not that bad.

  • Our ISA server is set up in a pretty 'unsupported' way - a single network card, and using SecureNAT for a transparent proxy server - so I think to uninstall ISA we'd only need to change the default gateway through our DHCP server, and then uninstall it.

    Other services on our SBS server are DNS and DHCP - is it worth running both of these on our pfSense box instead of the SBS server, or is it a case of "if it ain't broke, don't change it"? Would there be advantages of running DHCP and DNS on the pfSense box instead of SBS?


  • Personally I like the ISA proxy + perimeter firewall approach. Though you need two NICs in the ISA box to use firewall clients, so you would have to slightly change things to do exactly as I prefer to do.

    What I would suggest is pfSense with 3 interfaces at the perimeter: LAN, WAN, and OPT. OPT would have the second NIC in the SBS system, and would be what ISA would treat as WAN, though it would be a private IP subnet. LAN would be your internal network and the other NIC in your SBS box.

    Then change your LAN rules to not allow anything, add whatever few specific rules you may need for direct Internet access (I would limit this as much as possible), install the ISA firewall client on client machines, and point them to the SBS box.
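    To make the three-interface design above concrete, here is an added example (not from this thread or from pfSense itself) that models the rule set the post describes: LAN rules that block everything except the ISA proxy and DNS on the SBS box plus one narrow direct-access exception, OPT rules that let the SBS outside NIC fetch web and DNS but never reach back into the LAN, and WAN rules that expose only mail and HTTPS to the SBS box, as the later post about limiting protocols to the server suggests. Interface names, subnets, host addresses and the proxy port (8080) are constructed assumptions; first-match-wins with an implicit default deny mirrors how pfSense evaluates rules on the interface a packet arrives on.

```python
"""Model of a default-deny pfSense policy for the LAN / OPT / WAN layout
described in the thread. All addresses and ports are constructed for the
example; they are not the poster's real configuration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Constructed addressing plan (assumed, not taken from the thread).
LAN_NET = ip_network("192.168.1.0/24")     # LAN: clients and the SBS inside NIC
OPT_NET = ip_network("192.168.2.0/30")     # OPT: pfSense <-> SBS outside NIC, private subnet
ANY = ip_network("0.0.0.0/0")
SBS_INSIDE = ip_address("192.168.1.2")     # SBS NIC on LAN: ISA proxy listener and DNS
SBS_OUTSIDE = ip_address("192.168.2.2")    # SBS NIC on OPT: what ISA treats as its "WAN"
MAC_NO_PROXY = ip_address("192.168.1.50")  # one host whose apps cannot use the proxy (assumed)
PROXY_PORT = 8080                          # assumed ISA web proxy port


def host(a: IPv4Address) -> IPv4Network:
    """/32 network for a single host, so hosts and subnets match the same way."""
    return ip_network(f"{a}/32")


@dataclass(frozen=True)
class Rule:
    iface: str                         # interface the packet arrives on
    action: str                        # "pass" or "block"
    proto: str                         # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dports: Optional[FrozenSet[int]]   # None means any destination port

    def matches(self, iface: str, proto: str, src: IPv4Address,
                dst: IPv4Address, dport: int) -> bool:
        return (self.iface == iface
                and self.proto in ("any", proto)
                and src in self.src and dst in self.dst
                and (self.dports is None or dport in self.dports))


# Ordered rule set; the first matching rule decides, anything unmatched is dropped.
RULES: List[Rule] = [
    # LAN: clients may only reach the ISA proxy and the SBS DNS, no direct Internet.
    Rule("lan", "pass", "tcp", LAN_NET, host(SBS_INSIDE), frozenset({PROXY_PORT})),
    Rule("lan", "pass", "any", LAN_NET, host(SBS_INSIDE), frozenset({53})),
    # The "few specific rules for direct access": one non-proxy-aware host, HTTPS only.
    Rule("lan", "pass", "tcp", host(MAC_NO_PROXY), ANY, frozenset({443})),
    # OPT: an explicit block back into the LAN must precede the broad outbound passes,
    # so a compromised proxy host cannot use OPT as a path to the clients.
    Rule("opt", "block", "any", OPT_NET, LAN_NET, None),
    Rule("opt", "pass", "tcp", host(SBS_OUTSIDE), ANY, frozenset({80, 443})),
    Rule("opt", "pass", "any", host(SBS_OUTSIDE), ANY, frozenset({53})),
    # WAN: only mail and HTTPS (OWA behind the ISA reverse proxy) reach the SBS box.
    Rule("wan", "pass", "tcp", ANY, host(SBS_OUTSIDE), frozenset({25, 443})),
]


def allowed(iface: str, proto: str, src: str, dst: str, dport: int) -> bool:
    """First matching rule wins; no match means the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULES:
        if r.matches(iface, proto, s, d, dport):
            return r.action == "pass"
    return False


def audit() -> Dict[str, bool]:
    """Constructed flows worth checking before trusting the policy."""
    return {
        "client_direct_web": allowed("lan", "tcp", "192.168.1.10", "203.0.113.5", 80),
        "client_to_proxy": allowed("lan", "tcp", "192.168.1.10", str(SBS_INSIDE), PROXY_PORT),
        "client_dns": allowed("lan", "udp", "192.168.1.10", str(SBS_INSIDE), 53),
        "mac_direct_https": allowed("lan", "tcp", str(MAC_NO_PROXY), "203.0.113.5", 443),
        "mac_direct_http": allowed("lan", "tcp", str(MAC_NO_PROXY), "203.0.113.5", 80),
        "proxy_fetch": allowed("opt", "tcp", str(SBS_OUTSIDE), "203.0.113.5", 80),
        "proxy_into_lan": allowed("opt", "tcp", str(SBS_OUTSIDE), "192.168.1.10", 445),
        "wan_smtp": allowed("wan", "tcp", "198.51.100.7", str(SBS_OUTSIDE), 25),
        "wan_rdp": allowed("wan", "tcp", "198.51.100.7", str(SBS_OUTSIDE), 3389),
        "spoofed_src_on_lan": allowed("lan", "tcp", "10.0.0.1", str(SBS_INSIDE), PROXY_PORT),
    }


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name:20s} {'pass' if ok else 'block'}")
```

    The audit shows the properties the design is after: ordinary clients cannot leave the LAN except through the proxy, the OPT block rule keeps the SBS outside NIC from reaching the client network, and the WAN only sees the two listeners the server needs. Running the same checks against a real rule table (exported from the pfSense GUI) is a cheap way to catch an overly broad rule before it goes live.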

  • Or check out Microsoft ForeFront:  http://www.microsoft.com/forefront/default.mspx

  • ISA absolutely increases your security. You can do a lot more with it than you can with pfSense from an authentication standpoint (policies by Active Directory users or groups), ability to specify what types of files users can or can't download, ability to restrict sites by URL, excellent reverse proxy if you use OWA and/or OMA, layer 5-7 capabilities, etc. etc.  It's a very useful piece of software. I don't care to use it directly on the perimeter, but that's mostly just personal preference.

  • Unfortunately half the machines on this network are Mac OS X - so there is not an ISA client for these machines (so we have to use SecureNAT).

    I think I will continue to use ISA to cache HTTP stuff and to block certain protocols from the pfSense box to the SBS server (such as only allowing HTTP, SMTP, HTTPS, Remote Desktop, etc.). So it will just act as a layer between our gateway (pfSense) and the server.

    Is there an easy way I can use it to still cache HTTP stuff (a cache forwarder in pfSense or something)?


  • Yeah, OS X complicates things. You can still configure the proxy in their browser, though any other application will need to be proxy-aware (most are), or you'll have to allow direct access to the Internet for those machines/protocols. I strongly prefer proxying everything outbound, I would try to stick with the type of ISA setup I described above if at all possible, and let it do the caching.

    The squid package should let you do caching, but I'm not familiar with it.

  • We had tried setting up the proxy server manually on the OS X machines, but a couple of the programs we use frequently did not use it - so we had to go the SecureNAT route. However, in the single network card scenario which we have, this is not really supported very well.

    Would there be a way to do it still with one network card?


  • Not sure, I've never run ISA with a single NIC, and it's generally frowned upon.

    In your situation, it might make the most sense to take pfSense out of the picture entirely, drop a second NIC in the ISA box, and use it as your perimeter.

  • omg, Chris has been borged