Transition from MS ISA 2006 to PFsense

  • Hi all, just looking for some advice on how best to remove an ISA 2006 box from our environment and replace it with our (brand-spankin' new!) PFW1000 10-port PFsense appliance.

    Currently, we've got an ISA 2006 server running DHCP, VPN, etc., with four dedicated NICs: one for WAN, then one for each of our VLANs. ISA handles all the VLAN routing and firewall stuff. I'd like to slowly integrate PFsense without a lot of downtime, so I can test it out and gradually switch things over to the new PFsense box. My first thought is to just re-route ISA WAN to the PFsense box. But I'm wondering if I could also connect PFsense to the network and specify gateways via DHCP, so if a machine had a default gateway of, it would route through ISA, while if it was, it would route through PFsense…so that both of these routers could exist on the network at the same time. And, in theory, a machine with a DG ISA would be able to talk to a machine with DG PFsense?

    I'm wondering if and how this would work.

  • My preferred approach is to run the firewalls in parallel for testing and then make the cut-over when I'm satisfied with the new configuration.
              -- LAN <--> ISA <--> Internet
    Clients --|
              -- LAN <--> pfSense <--> Internet

    You can just change the gateways/DNS on the clients for testing purposes. Of course there's endless caveats depending on your situation.

  • You can do a lot with ISA that you can't do with Pfsense regarding Layer7 inspection.

    I love the ISA and TMG for what it's worth and I use it as 2nd layer to the servers with layer7 inspection.

  • Thanks for your replies. I have the PFsense box set up in parallel, on a test LAN now, and I think I can set it up to talk to the Town's DC/DNS for further testing. Beyond that, I should be able to cut it over during off hours.

    We're not using any of the AD integration features of ISA (firewall rules are all IP-based), and I'd like to do basic traffic shaping for our future VOIP phone system. I'm not planning anything too fancy, just making sure there's a small amount of bandwidth available for our staff computers at all times to prevent lag/high pings. I work at a public library so we try not to filter or limit too much.

    We also have two domain controllers running that only support ISA, since they switched over to the Town's domain a few years back but did not want to remove ISA from its original domain. Yikes!
