Hello everyone.

I've always had mixed feelings about Microsoft ISA server.  On one hand, it simplifies MS security mgmt by tying many necessary security items into one management realm.  On the other hand, IMHO, it's not as thorough as some of the standalone solutions out there, which I've implemented.

I was talking to a solutions consultant earlier this morning, who said he's working on a squid proxy solution for a customer, and that they are a normally a heavily-biased, pro-MS shop.  They're open to his solution, however, their security folks are strongly pushing to be fully ISA-only, thereby making his proposal a tough sell.

He asked me if I have any docs or info from anyone on the 'negative' side of ISA.  Does anyone have any feedback to that regard?  Again, I personally could go either way, dependent upon the scenario, even though I prefer individualized offerings.

Thanks in advance for any information you might have.

Tim (Hayabusa0194)

That's kind of what I'd mentioned to him, previously, too.  I know when ISA first hit the scene, it was kind of shaky in my experimentation with it, but it's really grown and been pretty solid.  Like I said, I prefer to have my individual solutions, but that's me, and I go either way, dependent on the needs and training of the customer, as you duly noted.

I appreciate the feedback, and will pass along to him.

Anyone else?

Thanks.

Tim (Hayabusa0194)

I havent really got anything to add, personally my opinion would be as long as it can be proven to meet the customers requirements, has the management requirements needed and the robustness, and most importantly to the customer meets both the financial infrastructure requirements it should be considered on its own merits.

Anyway I was just wondering if anyone has ever been pressured to move away from a software solution like ISA, and guided down a hardware solution route. That is certainly the impression I get from alot of customers who are not familiar with ISA and alike.

About the only additional thing I would consider is the size of the organization. Even MS themselves say that if it placed on an edge with a huge amount of bandwidth, it just can't keep up. So use a hardware firewall. Many large organizations heavily invested in MS use Cisco on the outside and ISA on the inside. But if the company is small enough and the server hardware used for the box has enough horsepower to handle the load, then let them use ISA. Especially if their comfort zone is in MS tech and as Ketchup mentions, the AD integration really makes more sense.

Hope that helps,
Don

I don't have any experience with ISA but thought I'd mention that one reason why a customer installed an ISA server instead of other similar products from different vendors is because they have strict criteria regarding security and ISA has EAL4 accreditation: http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/common-criteria.aspx
Even though other vendor products were tested and proven to be faster and more scalable than ISA the only reason why ISA was chosen was because EAL4.