ISA Server Configuration
Would like to get some opinions on the best way to configure a new ISA server that I am installing. At the moment our network has a hardware firewall (called a busibox), with a machine running SurfControl monitoring web traffic. The problem is that if the machine with SurfControl goes down the internet becomes wide open.
What I am thinking of doing is running an ISA server as the web proxy with only the port 80 requests coming from it being allowed through the firewall machine. Do I set ISA up as a single network adapter configuration and direct all machines to it as the web proxy server? Or is there a better way of doing it? Removing the Busibox is not an option as it is our ADSL modem and VPN box (that and the fact that the district office tell us we have to have it).
Thanks in advance
I don't use surfcontrol or busibox, but they are a proxy and a firewall respectively, aren't they? You just need to deny outbound port 80 traffic on the firewall, and allow it only from surfcontrol. No surfcontrol, no outbound traffic. Easy :)
Surfcontrol is not a proxy just a web filter, but busibox is the firewall. What you are saying though is sort of what I want to do. Make the new ISA Server (with surfcontrol running as the web content filter) the proxy server and then deny all outbound port 80 traffic at the firewall unless it comes from the proxy.
The question is the best way to configure ISA to do this. I am not familiar with it and would like some better opinions first.
I'm not familiar with busibox at all - but I'm reasonably familiar with ISA.
It sounds like you want to use ISA as a kind of gateway which is what we have here.
Here's one way you could implement what you want:
1) Configure the busibox IP so it's a separate range (say 192.168.200.x/255.255.0.0).
2) Create the ISA server with 2 NICs, 1 connecting to your internal network and 1 which is on the same IP range as the busibox.
3) Configure ISA to allow web-proxy requests on port 80 for the Internal network.
4) Set up the ISA firewall rules so that ISA talks directly to the busibox.
Now this won't necessarily stop people accessing the internet if SurfControl dies, but it will mean that no internet traffic (except from what you configure on the busibox) will ever get to your busibox except from the ISA server unless you specify otherwise.
Is there an error message when your surfcontrol just dies?
It might be worth looking into why your SC dies as well, so that you have a robust internet proxy/monitor box and your busibox is secure also.
Hope this helps or sheds some light.
I run both Surfcontrol and ISA on the same box here. There is an option in the Surfcontrol Web Filter application to block internet access if the filter crashes which should do what you are after. It would entail moving Surfcontrol to the ISA box though.
Surfcontrol is junk when it comes to uptime. I also have the Web Filter service set to restart the service on the first to third failure and reset the failure count after 10 minutes to combat this a little. I think that one of the main reasons that it is unstable is that it treats its database like a dump and throws every little bit of rubbish at it continuously. Our experience with the software got better when we upgraded to a system with a faster disk system in it. I think that there is a flat file option that dumps the data to plaintext first that may help stability if I/O is a contributing factor.
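The firewall rule discussed in this thread (deny outbound port 80 unless it comes from the proxy) can be checked on paper before it is deployed. The following is an added example, not part of any post and not busibox or ISA syntax: the rule format, the addresses and the first-match evaluation order are all assumptions made for illustration.

```python
import ipaddress

# Constructed addresses and a hypothetical rule format (action, source network,
# destination port); rules are evaluated top-down and the first match wins.
PROXY = "192.168.200.2"                      # assumed outer NIC of the proxy
HOSTS = [PROXY, "192.168.200.50", "10.1.0.25"]  # proxy, perimeter host, client

RULES_CLOSED = [
    ("allow", "192.168.200.2/32", 80),
    ("deny", "0.0.0.0/0", 80),
]
RULES_LEAKY = [
    ("allow", "192.168.200.2/32", 80),
    ("allow", "10.1.0.0/16", 80),            # leftover rule: clients bypass the proxy
    ("deny", "0.0.0.0/0", 80),
]


def decide(rules, src, port, default="deny"):
    """Return the action of the first rule matching src and port."""
    addr = ipaddress.ip_address(src)
    for action, network, rule_port in rules:
        if rule_port == port and addr in ipaddress.ip_network(network):
            return action
    return default


def audit(rules, proxy, hosts, port=80, default="deny"):
    """List the ways the rule set breaks 'port 80 only from the proxy'."""
    problems = []
    if decide(rules, proxy, port, default) != "allow":
        problems.append(f"proxy {proxy} cannot reach port {port}")
    for host in hosts:
        if host != proxy and decide(rules, host, port, default) == "allow":
            problems.append(f"{host} reaches port {port} without the proxy")
    return problems


if __name__ == "__main__":
    for name, rules, default in [
        ("closed", RULES_CLOSED, "deny"),
        ("leaky", RULES_LEAKY, "deny"),
        ("allow rule only, default allow", RULES_CLOSED[:1], "allow"),
    ]:
        print(name, audit(rules, PROXY, HOSTS, default=default) or "OK")
```

The third case shows why the explicit deny matters: with only the allow rule and a permissive default, every host gets out on port 80 whether or not the proxy and filter are running.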