Just when I thought the Microsoft Corporation had forgotten small to medium-size organizations (SMOs) with its complex release of Exchange 2000, I received a pleasant surprise. Microsoft’s successor to Proxy Server has renewed my faith in the company’s commitment to providing technology solutions for the nonenterprise organizations that make up over 80 percent of the marketplace. I have found that Microsoft’s Internet Security and Acceleration (ISA) Server offers certified security, access control, caching, and much more, while still delivering a product that keeps ease of administration and affordability in mind. I will show you a recent firewall implementation process in which I selected ISA Server as the best product for a client.
My last consulting engagement involved what I would classify as a small client with around 100 workstations and four server class systems with a T-1 connection to the Internet. This organization was managed by two top-notch IT professionals who understood the value of IT and how to use it to enhance their organization. They were undergoing a complete migration from NT 4.0 to Windows 2000 and Exchange 5.5 to Exchange 2000. They also wanted to bring Web and e-mail services inside their network in order to have better control of them and reduce costs. Thus, the search was on for a suitable firewall solution.
The requirements were clear. Find a cost-effective firewall solution that would provide a standard level of security while also providing a way to control Internet access to certain groups. Additionally, the two IT professionals wanted a way to allow secure VPN connections into their environment as needed as well as allowing them to perform some remote administration from home.
ISA Server as the solution
They researched, tested, and evaluated several well-known products. Many were too costly and required extensive knowledge and training just to implement and administer. The lower-priced solutions did not provide all the features and requirements of the client, especially when it came to Web caching and access control based on groups. What was left standing after weighing the pros and cons of each product was Microsoft’s ISA Server, the successor to Proxy Server 2.0. Those of you familiar with Microsoft Proxy Server would probably never recommend it as a suitable standalone firewall solution. I never would—and I don’t think the guys at Microsoft ever intended it to be one. However, with ISA Server, the folks at Redmond have a great firewall product on their hands that many SMOs should consider.
The standard edition of ISA Server, at $1,499 per CPU, is a standalone server product that does not require Active Directory and that supports up to four CPUs. Microsoft offers reduced pricing for some competitive upgrades; for example, you can replace Axent Raptor Firewall, Check Point FireWall-1, Cisco Secure PIX Firewall, or IBM SecureWay Firewall with the standard edition for $749. Since my client qualified for Academic pricing, the cost was even more attractive.
Pricing aside, ISA Server offers some useful and innovative features, such as access control based on user and group affiliation, integrated caching of Web content, and transparent inbound Web proxying. The product also delivers an easy-to-administer interface that’s built around the Microsoft Management Console model.
I know what you’re thinking: “Features are nice, but what about security?” To answer that question, one of the IT security industry's most respected independent laboratories, ICSA Labs, has certified Microsoft Internet Security and Acceleration Server 2000 as a secure enterprise firewall. This should bring some peace of mind because in the world of Internet security, ICSA certification is the de facto standard. The product also comes with an array of intrusion-detection options for all of today’s most common security attacks, such as the denial of service attacks and port probes. Many third-party vendors offer add-on components that make the product even more secure and provide additional features, such as Web and e-mail content filtering.
Implementing ISA Server
Once the appropriate product for the client was identified, tested, and approved, the time came for implementation. The hardware we selected was a rack-mounted, dual processor Dell 2450 with Windows 2000 Server installed. Immediately after the installation of ISA Server, a firewall configuration wizard appeared. The wizard was easy to follow and explained each step in great detail. After some time, the system was configured to allow outbound traffic of common Internet services, such as HTTP, HTTPS, FTP, and Telnet. More specifically, access was restricted to certain NT groups. Inbound HTTP traffic was allowed to the Web server and to users who were able to connect to the Exchange server using Outlook Web Access. The Secure Mail Server Wizard made setting up inbound and outbound SMTP traffic to and from the Exchange 2000 server a snap. The wizard also assisted in the setup of Terminal Server access to a remote administration server via the default port.
The last step was the configuration of secure VPN access into the network through the ISA Server. This alone eliminated the need for multiple dial-in lines, which the client used for a few vendors providing technical support to their mission-critical software. I won’t go into the specific details on how all this was set up for the client, but the interface and wizard allowed for intuitive configuration of virtually every configuration needed. Even after the initial setup, minor changes were an administrative breeze.
SMOs need a solid firewall solution that fits their unique requirements. Microsoft’s ISA Server 2000 delivers an easy-to-administer, ICSA-certified firewall product with exceptional features at a price that small to midsize companies can afford.
What kind of requirements do you have for a firewall?
Have you looked into ISA Server? What are your thoughts? We look forward to getting your input and hearing your experiences regarding this topic. Join the discussion below or send the editor an e-mail.