
Is this even possible with ISA server?


kmcferrin

MIS
Jul 14, 2003
2,938
US
At my company we have Windows 2000 servers with Active Directory. All of our client PCs run Windows XP. We currently have data circuits connecting us to the internet through a Fortinet Fortigate 400 firewall. This firewall does a great job of handling security for traffic coming from the Internet, but we need a proxy server solution. Whatever we go with, it will not replace the Fortinet unit. What we need to be able to do is:

1. Log which web sites users are accessing, including site address, username, date, time, and the PC used for access.

2. Specify a blacklist of sites that users cannot access (porn, ads, warez, etc).

3. Allow various levels of Internet access, including
a. User can access any web site except those explicitly blocked by the blacklist.
b. User can only access web sites from a specific list of approved sites (whitelist).
c. User has no Internet access at all.

4. Integrate with AD so that
a. the users' levels of access can be configured from their AD user objects.
b. the users are not required to enter a password in order to access the Internet.

Because of the needed AD integration, Microsoft looks like our best bet. In the past I would have probably gone with MS Proxy server, but that is no longer available (though it may be available on Ebay somewhere, I need software that is still supported for business continuity purposes). Now ISA Server is supposed to be the next revision of MS Proxy server, but it also incorporates firewall functionality that we do not need. Most of the information that I have seen seems to focus on the ISA server firewall features, which I am not interested in.

So is it possible to get the proxy functionality that I need from ISA server? Is it possible to do so without using the firewall functionality? If this is possible, can it be done with the Standard Edition of ISA server, or do I need the Enterprise edition?

Thanks in advance!
 
Hi,

I have a similar situation here, except for the AD. I'm still running a NT4 PDC.

But I use ISA Server Standard edition without problems only as a proxy server. I also have a blacklist with almost 3000 forbidden sites.

So I think you won't have problems using it as a proxy server only. Can't tell you about integration to AD, but in my case, users must be members of my NT4 domain to browse the web. IE authenticates them automatically against my PDC so they're never prompted for a username/password.



C ya!

Bif@
"Try to make the best even better"
 
In your setup can you specify different levels of access depending on the user, or is it one-size fits all?

Also, does it have whitelist capability as well, or blacklist only?

 
Kmcferrin,

Here are some answers to your questions:
"1. Log which web sites users are accessing, including site address, username, date, time, and the PC used for access."
-Possible (is in standard logs, you can configure additional logs yourself)


"2. Specify a blacklist of sites that users cannot access (porn, ads, warez, etc)."
-Possible (applying a content rule to all but a specific destination set)


"3. Allow various levels of Internet access, including
a. User can access any web site except those explicitly blocked by the blacklist."
-Possible (see 2, but now only for certain computers or AD groups)


" b. User can only access web sites from a specific list of approved sites (whitelist)."
-Possible (applying a content rule to a specific destination set)


" c. User has no Internet access at all."
-Possible (apply your content rule(s) to groups and don't include this user or specifically deny him)


"4. Integrate with AD so that
a. the users' levels of access can be configured from their AD user objects."
-Possible, you can grant/deny Access to AD groups


" b. the users are not required to enter a password in order to access the Internet."
-If it's AD integrated, people don't get authentication screens.


Regards,
Palagast
 
Works fine with AD. We have a Win2K domain, clients running 98, NT, 2K & XP going to the internet through a Checkpoint Firewall.

Content filtering via SurfControl.
 
Thanks Palagast, that's very helpful. Were you referring to the Enterprise or Standard edition there? I don't think that we're going to need to get into clusters/arrays, and we have no plans to add additional proxies in the future. With that in mind, is the Enterprise edition really necessary, or is it available in Standard?
 
Kmcferrin,

Forgot to answer that one: all this is possible with the standard edition.
One more tip/reminder: install the ISA server in Caching-only mode. That way you can keep away from all the firewall options you don't need and want.
Make sure that clients aren't allowed to use your firewall as default gateway, or smart users can bypass the proxy server and have unrestricted internet access.

Good luck with it!
Palagast
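Added example, not from the thread or from ISA Server itself: a small Python model of the three access tiers Palagast describes (content rules over a blacklist or whitelist destination set, assigned by AD group, deny when the user is in no group) plus a check over constructed firewall log lines for clients that use the firewall as default gateway instead of the proxy. Group names, destination sets, the proxy address and the log format are all assumptions.

```python
from fnmatch import fnmatch

# Constructed sample data (not from the thread): AD group -> access tier,
# and the two "destination sets" (ISA's term) that the content rules apply to.
TIER_OF_GROUP = {
    "Web-Unrestricted": "blacklist",  # 3a: anything except the blacklist
    "Web-Restricted": "whitelist",    # 3b: approved sites only
    "Web-None": "none",               # 3c: no web access at all
}
BLACKLIST = ["*.porn.example", "ads.example", "warez.example"]
WHITELIST = ["intranet.corp.example", "*.vendor.example"]
TIER_ORDER = ["none", "whitelist", "blacklist"]  # least to most permissive


def host_in_set(host, dest_set):
    """Case-insensitive match of a hostname against a destination set (wildcards allowed)."""
    host = host.lower().rstrip(".")
    return any(fnmatch(host, pattern) for pattern in dest_set)


def user_tier(groups):
    """Map a user's AD groups to one tier. The most restrictive membership wins,
    and a user in no web group gets no access (3c by omission, as Palagast suggests)."""
    tiers = [TIER_OF_GROUP[g] for g in groups if g in TIER_OF_GROUP]
    return min(tiers, key=TIER_ORDER.index) if tiers else "none"


def decide(groups, host):
    """Return 'allow' or 'deny' for one web request based on the user's tier."""
    tier = user_tier(groups)
    if tier == "none":
        return "deny"
    if tier == "whitelist":
        return "allow" if host_in_set(host, WHITELIST) else "deny"
    return "deny" if host_in_set(host, BLACKLIST) else "allow"


def bypass_attempts(fw_log_lines, proxy_ip):
    """Scan constructed key=value firewall log lines for outbound web traffic whose
    source is not the proxy: a client that reaches the firewall as default gateway."""
    hits = []
    for line in fw_log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("dport") in ("80", "443") and fields.get("src") != proxy_ip:
            hits.append(fields["src"])
    return hits
```

Any source that `bypass_attempts` returns is a workstation that should only have been able to reach the firewall through the proxy, so it is the list to compare against the firewall's client rules.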
 
kmcferrin,

If you are still monitoring this I have something a little off topic for you. I am looking at a Fortinet FW. It seems that you are very pleased with yours. Could you post some details for me on what you like about it and how it compares to other products that you have used. I don't know of anyone else who is using one.

Thanks,
Steve
 
Actually, I'm not all that pleased with it. Our Fortigates were sold to us by a design consultant before I came to work here, and before the company was even open for business. Because of that we've discovered that it doesn't really fit our needs exactly. The only thing that is keeping me from replacing them at this point is that they're A) a capital expense and b) less than six months old.

Things that I like about it:

They have Antivirus capabilities built in (requires a subscription). Our Fortinets catch and stop a fair number of virii (and non-virus attacks) before they ever make it to our network. They have a built-in mechanism for automatic updating of virus and attack definitions which works well.

They have rudimentary filtering capabilities. You can block specific web sites from your enterprise, but it is an all or nothing prospect. You can do keyword filtering in email messages and for web sites, which is probably useful to some people (but not to me). You can even block email attachments from being able to come in through your firewall (by filename, document type and protocol, even). You can even set exemptions/exceptions for certain sites/messages/documents by specifying a full name or pattern.

It supports authentication to a RADIUS or LDAP server.

Setting up persistent VPN tunnels is mostly what you would expect. It supports pretty much all of your standard IPSEC, L2TP, PPTP settings. You can create access policies that allow access to specific subnets or even down to specific IP addresses.

It provides logging for most of its blocking/filtering features.

They have a nice web interface for those who don't like the command line. And their command line interface is pretty simple and easy to learn too.

Things that I don't like:

It has a dialup connection screen that shows current VPN connections in progress, but does not show which account is associated with that connection (more useful for troubleshooting purposes).

Overall, the dialup VPN features suck. By dialup, I mean dynamic connections that can come in over broadband or dialup. Usually this is a user who needs to work from home, etc. The client software does not function like the software that you may be familiar with from Cisco or Nortel, in that you DO get a tunnel into the protected network but you DO NOT get an IP address assigned to your client PC that allows you to work as if you were internal to your network. This has left us with several applications that work fine from the office, but can't be made to work from home.

We have multiple units, but there is no way to centrally administer them from a single interface(with regards to filtering, user accounts, etc). You have to go and make the changes to each unit individually.

Since they're a relatively new company, their firmware doesn't support as robust a feature set as more established names. In particular, we need to set up a persistent tunnel to a vendor, but because of addressing schemes we need to be able to do a NAT within the tunnel. This isn't possible with the Fortigate, though a Cisco PIX (and most other firewalls) can do it. This is something that Fortinet has been talking about adding, but still we wait...

Also, their firmware has been somewhat buggy, especially with regards to filtering sites/attachments. We have large lists of blocked sites (porn, ads, malware, etc), but adding or removing a single site to/from the list usually causes the filtering functionality to stop working altogether. There is a capability to delete the filtering lists and then upload new lists from a text file, but sometimes that hoses the filtering as well. Usually bouncing the firewall will fix this, but on more than one occasion I have had to wipe the firewall's config and reload a backup to get everything working again. Obviously, this shouldn't happen with a simple update to a blocklist.

At any rate, I've stopped trying to update the email and web filtering on the Fortigates until we get a better firmware release. In the meantime I can do email blocking at the Exchange server. And as you can see, I'm shopping around for a proxy solution to handle the web filtering because I need a more granular solution.

Overall I guess that they're not that bad. But if you are going to be doing any amount of dialup VPN, I'd go with a Cisco PIX or Nortel Contivity.
 
Nortel Contivity? I just picked up a demo unit from our local Nortel rep. I know it's a good VPN unit but have you ever used its firewall? I have heard reports that the fw is only so-so. Also, no bells and whistles like AV, just VPN and FW. I know that Nortel offers their Alteon/Checkpoint combo but Checkpoint is way too expensive to license.

So if you have used Contivity as a fw please comment. I thought that I wanted to demo a Fortigate but now I am not so sure. Our reason for looking at another solution is to get away from a buggy piece of trash. I don't want to pick up the same problems from a different vendor.

How about other fw like Watchguard Firebox or Netscreen 25. Any comments on those?

Thanks for any and all help, your previous comments gave me something to think about. Without contacting those who actually use a product, it's hard to find reliable, unbiased info.
 
We actually used a pair of Netscreen 5XPs when we were still in the planning stages of the business (before we had all the fat pipes in place). Those were pretty solid. The VPN situation is pretty much the same as the Fortigate units (in fact, you can even use the Netscreen VPN client software with the Fortigate). As I understand it, Fortinet was founded by former Netscreen people.

I've used a couple versions of the Watchguard Firebox models and liked them. They're my favorite so far, but I used them in another job and I'm not 100% sure how they would fare with our current reqs.

With reference to the Nortel, it's been a few years since I've used one, but I thought they were pretty good at the time. Of course, nowadays everybody is including a much wider feature set into their firewalls so they may have fallen behind.

By all means, demo the Fortigate. You may like it. They have been consistently rated very highly from a security standpoint, and I'll agree that they're good firewalls. I just have a serious dislike for their VPN implementation and get annoyed by a few of the bugs. But as long as I don't tinker too much with the blocking functionality (which would probably be best handled by a proxy server anyways) then they're pretty good.

Which buggy piece of trash are you currently using?
 
Thanks, I think I will try it and evaluate it against the Contivity. If I go with Fortinet and the VPN really stinks on the Fortigate, I can use my current VPN appliance, an Enterasys XSR-1850. It is OK with VPN and as a general router, but it is a terrible and buggy fw. The only thing that I don't like is that it is all command line.

Thanks again for the advice.
 