3

I'm currently running a Windows SBS 2003 with ISA 2000 and will be migrating to a new server containing Windows SBS 2008, Standard Edition.

Since SBS 2008's internal firewall should not be seen as any substitute for an external firewall, I'm looking for feedback as to how to go about and implement a separate firewall to protect my network, given my current hardware and software configuration.

Note: once my old Windows Small Business Server has been demoted from the domain controller, I plan on reusing the old hardware by installing a new operating system.

Hypothetically, is it smart to even attempt to run ISA on the edge of the network with the advent of Forefront Threat Management Gateway 2010?

What hardware or software (or combination of) solutions should I be looking at? I can see things getting rather expensive if opting to buy a new copy of ISA 2006 and a second server license, respectively.

Any insight or possible solutions will be greatly appreciated!

jarek
  • 41
  • 2

5 Answers5

1

I'm in a similar boat. Currently I'm considering running Untangle on a spare server I happen to have. The base package is fairly complete and free. The paid AD Connector is relatively inexpensive.

Boden
  • 4,948
  • 12
  • 48
  • 70
1

I'm busy migrating from SBS 2003 to SBS 2008 (installed this weekend) and I'm busy downloading Forefront TMG 2010 (MSDN). I'll let you guys know how it plays.

0

You can use a watchguard / sonicwall / linksys firewall device.

Imagine that all of your devices are on 192.168.1.X

Save 192.168.1.1 and 192.168.1.0 for your DHCP settings on SBS 2008.

Call your firewall 192.168.2.2.

Use the connect to the internet wizard: http://blogs.technet.com/b/sbs/archive/2008/09/17/introducing-the-connect-to-the-internet-wizard-ctiw.aspx

Put in your router IP address 192.168.2.2 when prompted.

You can do this using only one Network Card.

SLY
  • 1,286
  • 1
  • 13
  • 28
0

Unfortunately if you had the premium edition, it'd come with an extra server license to take care of this exact problem, to install ISA server 2006 on if you wish.

However, I am actually making this exact move, and I am currently looking to use a hardware firewall/router appliance. I still haven't decided which though, I had gotten so used to ISA 2000, with all it's quirks but also AD integration. If you had software assurance, it sure would have helped you as many of us dealing with the same issue.

Here is an article, perhaps it can help you in deciding your SBS 2008 Topology.

http://www.itexpertmag.com/server/sbs-2008-features

As for Forefront, I am not sure I am bought into the technology, if I personally had to choose, I think I'd prefer ISA server. I've used it for almost 6 years and have been relatively well protected, especially with Dynamic port features, caching, filtering, SMTP publishing etc, not to mention application filtering.

AdminAlive
  • 228
  • 1
  • 9
  • Thanks for the link, AdminAlive. I'm also exploring the option of upgrading to the premium edition. We're in the same boat regarding ISA as well as looking into a hardware appliance that integrates with AD. Celestix (although expensive) makes an appliance that is powered by Windows Server 2003 and is equipped with (ISA) Server 2006. I've also looked at Calyptix, Watchguard, Sonicwall and Fortinet to name a few. Any recommendations? – jarek Dec 10 '09 at 17:44
0

Most people with SBS installations are now using DSL routers with integrated firewall. Devices such as the Draytek Vigor are perfectly adequate. ISA was a good product, but since Microsoft decided to remove it from the SBS Premium sku, it's hard to justify the additional cost to many small businesses in the SBS space. However, if you don't mind the cost, it is a good solution and there's no reason why you shouldn't use it. If you;re in a position where you need that level of security, would it be worth considering a solution based on Essential Business Server (EBS) instead?

ISA was excellent for managing server publishing, particulalry its ability to forward traffic based on the incoming URL. ISA also made it possible to do some very sophisticated filtering. It's a sad loss to SBS2008.

Tim Long
  • 1,728
  • 1
  • 20
  • 41