ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.

Lingo - The Talk of Broadband

Tuesday, July 17, 2007

Thoughts on what it means to not have an edge SBS

Situating SBS on the edge of the small business network has always been a controversial topic. A network in a box for small companies has to include some kind of firewall doesn't it? So through the years it was RRAS, Proxy 2.0, ISA 2000 and ISA 2004. With word out that SBS will no longer be supported on the edge that means that ISA on that box and RRAS are both out of the picture. Considering that most SBS servers are currently protected by RRAS that's significant.

Having worked in the small business market for a number of years I can tell you with certainty that this will leave the vast majority of SBS customers with networks protected by their DSL router. A DSL router just isn't sufficient to protect against today's application targeted attacks. Neither is it sophisticated enough to serve the publishing needs of Exchange 2007 without leaving gaping holes to exploit.

Microsoft knows best how to protect Microsoft software. SBS is jammed packed with Microsoft software as are most small business desktops. What then will be the official "best practice" recommended by Microsoft to protect their software that these customers are so dependant upon?

8 Comments:

At 8:48 AM, Anonymous Daniel Koster said...

I definitely agree. Even with SBS 2003, many new clients that I have acquired were simply using a basic router as their firewall, and I have always had a hard time convincing clients of ISA's value.

Instead, I simply marketed SBS Premium only, rather than sell SBS Standard and try to upsell to premium, I made premium the default and didn't try to offer a chance to downgrade.

With no ISA, SBS Premium will only have SQL Server? Most of my clients do not need SQL. For my company, this means that we will stop selling a premium edition except on rare occasions.

Very disappointing.

 
At 9:10 PM, Anonymous Anonymous said...

I too used SBS Premium as the default for most of our clients. Many use both ISA and SQL.

I always have liked ISA, but there are some solid reasons why the configuration will not be available in SBS 2008.

We have begun making the switch to using SonicWall TZ180's for the edge firewall / UTM appliance. If you look at the pricing closely, SBS Standard + a TZ180 is actually less expensive for the client and more feature rich than what SBS + ISA had to offer. Fundamentally, it is also more secure by design.

That said, I am sad to see ISA get cut. I was really finding it very useful along with tools such as WebSpy's InSight for SBS Premium to help clients take control of how their staff used the Internet resources provided to them. A very useful added service to our managed services offerings.

SonicWall has a decent solution for that in ViewPoint. While not as robust as InSight, it will do the job.

Word is that InSight will be re-released and improved quite a bit...and will possibly support SonicWall logs (and maybe others).

 
At 1:41 PM, Anonymous Rich Lusk said...

Hopefully SBS 2008 Premium will include the newest ISA license to install on a seperate server. But even with that why should small businesses have to pay for SBS and a seperate license for Windows Server 2008? Not only that but they have to pay for new hardware. Maybe virtual server is the answer? I don't know. It would seem Microsoft will lose a lot money by not having ISA included in SBS 2008. My current clients won't want to upgrade to SBS 2008 if it doesn't have ISA included. My clients really enjoy the security and benefits of ISA and to not have it included in SBS 2008 is really disappointing.

 
At 1:13 PM, Blogger Bud said...

I have never deployed SBS on the edge of a network to date, and as such I'm glad that MS have come to see things my way :-)
I've used SonicWALLs for the edge of my clients networks for a long time now and they are stable, feature-rich, value for money and much easier to replace than SBS servers!

 
At 10:46 AM, Anonymous Anonymous said...

better to move security into an appliance REALLY dedicated like a SonicWALL firewall for example , isnt it ?

 
At 1:09 PM, Blogger Amy - Harbor Computer Services said...

Or an edge ISA server or ISA appliance. This firewall is REALLY dedicated to securing Microsoft products and most networks have a lot of them.

 
At 4:20 PM, Anonymous Anonymous said...

I have existing network Sonicwall firewall at the edge and I am introduing a SBS 2003 Premium to the Network. Can I use both the Sonicwall sitting at the edge, and also ISA sitting (internally)ie Use both firewalls at the same?
Or just use the Sonicwall?
Please help?

 
At 5:01 PM, Blogger Amy - Harbor Computer Services said...

Sure you can have more than 1 firewall in-line. It's called multiple layers of security. I'm not sure how much value there is in, but there's no problem with it. Just be sure to keep pointing your PC's the ISA server as their gateway.

 

Post a Comment

<< Home