
We currently have a proxy server set up (ISA 2006) which does all the usual proxying and caching fun. The server also has an external IP address which is actually on our net router (the router receives data to it and NAT forwards it to the internal IP of the ISA box).
This box also makes use of the firewall functions to prevent internal access to bits and pieces which shouldn't be accessed and also forwards various ports to other places.
Now, I know how to go about setting up a squid proxy, my question is - do I want to go into the nitty gritty of iptables for the firewall side of things or should I stick to a nice front end like shorewall?
This way we manage to cut our MS Tax a little more.
Cheers
Tony

You might like something that comes pre-packaged as a firewall and proxy, perhaps IPCop with AdvProxy and URLFilter addons.

My only problem with that is I keep on hearing that 'it is slow' - in reference to a variety of them. Also, does IPCop not require you to have 2 network cards - one for an internal (green) and one for an external (red) interface which need to be on different subnets?

Ours does have it set up like that as it is our default gateway and NAT, and I don't actually know if it can run with just one interface.

Shorewall is a nice(ish) non-graphical front end for managing iptables.
http://www.shorewall.net/
I'm in the same boat in one of my schools (a primary with 26 machines) with ISA being a constant thorn in my side (admittedly I don't know how to configure it properly).
I'd prefer to shift all the proxy, security and filtering across to a smoothie or similar box but in this instance would a HomeBrew Smoothie (with DansGuardian and proxy enabled) be sufficient or advisable?
Note: I'm looking at the Extended Defence + Homebrew version of Smoothie in case anyone is after specifics.
I don't see why that wouldn't work contink.
Ok... I guess I'll run some testing using the staff machine.. At least then someone gets net access that works :P
Originally Posted by Geoff


Given our experience with open source components, I can confidently state that your Linux-based solution does not necessarily have to be slow!
WRT 2 NICs, our "corporate guardian" is the only 1-NIC out-of-the-box that I know of, though rolling your own version with DG would be well within the bounds of possibility.

Right, as I don't want to mess around with the IP address settings I am going to go with a home rolled Ubuntu Server + Squid + Dansguardian + Shorewall solution.
Now to build and test it in a VM.

"My only problem with that is I keep on hearing that 'it is slow'"
Anyone saying that without backing it up is just talking nonsense.
Ben

Indeed, I now have a set up as mentioned above (although I need to play with the shorewall rules) that runs significantly faster than our ISA server - and it is running in a vm.
Now just to customise!
I think the only reason I'm not tempted to go with a home rolled system is that I don't want to be dealing with the grief of a kernel upgrade when something like smoothie does it all for me.
Originally Posted by localzuk
Ack... that sounds so lazy doesn't it... I think it's just that I have enough to learn about firewall rules, etc.. let alone relearn all my nix stuff.
I just upgraded to SchoolGuardian 5 which has a lovely real time monitor now which auto refreshes every 5 seconds or so. It's very useful.
Celeron 2GHz with a gig of RAM and it flies.
You have to pay for it though but everything is automatic and the upgrades always work.
Originally Posted by Simcfc73