Netgate Discussion Forum

    Transition from MS ISA 2006 to PFsense

      cwyant55

      Hi all, just looking for some advice on how best to remove an ISA 2006 box from our environment and replace it with our (brand-spankin' new!) PFW1000 10-port PFsense appliance.

      Currently, we've got an ISA 2006 server running DHCP, VPN, etc., with four dedicated NICs: one for WAN, then one for each of our VLANs. ISA handles all the VLAN routing and firewall stuff. I'd like to slowly integrate PFsense without a lot of downtime, so I can test it out and gradually switch things over to the new PFsense box. My first thought is to just re-route ISA WAN to the PFsense box. But I'm wondering if I could also connect PFsense to the network and specify gateways via DHCP, so if a machine had a default gateway of 192.168.3.1, it would route through ISA, while if it was 192.168.3.2, it would route through PFsense… so that both of these routers could exist on the network at the same time. And, in theory, a machine with a DG ISA would be able to talk to a machine with DG PFsense?

      I'm wondering if and how this would work.

        MindfulCoyote

        My preferred approach is to run the firewalls in parallel for testing and then make the cut-over when I'm satisfied with the new configuration.
                  -- LAN <--> ISA <--> Internet
        Clients --|
                  -- LAN <--> pfSense <--> Internet

        You can just change the gateways/DNS on the clients for testing purposes. Of course there's endless caveats depending on your situation.

        Err

        –
        Erreu Gedmon

        Firewalls are hard...
        but the book makes it easier: https://portal.pfsense.org/book/

          Supermule

          You can do a lot with ISA that you can't do with Pfsense regarding Layer7 inspection.

          I love the ISA and TMG for what it's worth and I use it as 2nd layer to the servers with layer7 inspection.

            cwyant55

            Thanks for your replies. I have the PFsense box set up in parallel, on a test LAN now, and I think I can set it up to talk to the Town's DC/DNS for further testing. Beyond that, I should be able to cut it over during off hours.

            We're not using any of the AD integration features of ISA (firewall rules are all IP-based), and I'd like to do basic traffic shaping for our future VOIP phone system. I'm not planning anything too fancy, just making sure there's a small amount of bandwidth available for our staff computers at all times to prevent lag/high pings. I work at a public library so we try not to filter or limit too much.

            We also have two domain controllers running that only support ISA, since they switched over to the Town's domain a few years back but did not want to remove ISA from its original domain. Yikes!
