ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.


Tuesday, January 25, 2005

Welcome!

Why another blog? Because I Googled and couldn't find a central location for ISA in SBS information. Configuring and maintaining ISA isn't rocket science but sometimes finding the information that you need is. Over time, this blog will contain links, articles and sample configuration scenarios.

Since making small business networks secure and as functional as a Fortune 500 network is my thing, this blog will focus on just that. Welcome, all consultants supporting Small Business Server and all small business admins.

Comments are welcome.

2 Comments:

At 10:41 PM, Anonymous Anonymous said...

Hi Amy,

This is great! This is exactly what both the ISA and SBS community needs. A good, authoritative place for ISA/SBS info.

I'll make sure to include it in the next newsletter.

Thanks!
Tom

 
At 7:11 PM, Anonymous Anonymous said...

Is it really a good idea in today's day and age to run a firewall on the core network server? All you gotta do is compromise one machine and you got it all.
DeepICE | 02.16.05 - 1:01 am | #

--------------------------------------------------------------------------------

There are compromises to be made; you'll get no argument from me that even better security can be achieved. But security is always about balancing ease of use and budget. Small businesses want to use OWA, remote desktop, VPN, RPC over HTTP, and ISA Server is the hands-down best firewall at protecting these services. Given the budget we have to work with, SBS with ISA is the best choice for small businesses.
amy | 02.16.05 - 8:39 am | #

--------------------------------------------------------------------------------

I understand what you're saying - but is it really a good idea to encourage businesses in this situation to go with a software firewall on the main box - or isn't it better for them to have a dedicated (there are plenty of cheap but good) little firewall box?

I am not talking about ISA in general. We ran ISA on a dedicated machine and we were more than happy with it. I am asking about combining it all into one machine.
DeepICE | 02.16.05 - 10:36 am | #

--------------------------------------------------------------------------------

The cheap firewall appliances don't offer enough protection for Exchange, RPC over HTTP, OWA and Remote Desktop access. They can't tell the difference between legitimate RPC traffic and RPC from an authenticated Outlook client; ISA can. That said, it's not a bad idea to stick one in front of the SBS server and let it block junk on used ports.
amy | 02.16.05 - 2:53 pm | #

--------------------------------------------------------------------------------

Good points - this dilemma led (in part) to the creation of two separate SBS2003 editions - one with ISA for people that wanted to use it with the firewall capabilities, and one without ISA (and SQL) for people that didn't need the firewall capabilities, because - rightly or wrongly - they thought a dedicated firewall (or more commonly in SBSville a SOHO router) would provide all the protection they needed.

I personally use both, but the added overhead of having to do everything twice quickly gets old, and complex protocol support can be really tough to get right.

Having ISA on the same box as the DC is potentially more of a risk than separation, but at the same time, we're talking about businesses that don't see the value in having multiple servers yet.
Tristank | Homepage | 02.16.05 - 6:33 pm | #

 
