ISA as a proxy

hi
i was wandering if anyone has any experiance with ISA 2006 functioning as a proxy and what are the conclusions

thanks

Wow; that's a loaded question if ever there was one. <VBG>

If you ask me (an avowed ISA aficionado), ISA 2006 simply rocks.
No vulnerabilities, never been compromised; great IPv4 firewall and web proxy.
What are your specific goals for deploying a proxy?

Jim

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of raz@...
Sent: Tuesday, May 27, 2008 11:19 PM
To: focus-ms@...
Subject: ISA as a proxy

hi
i was wandering if anyone has any experiance with ISA 2006 functioning as a proxy and what are the conclusions

thanks

It is quite good.

It can function as a transparent proxy, so you don't need to setup your
clients, which is nice.  I used that to make sure everyone's downloads get
screened via GFI's webmon antivirus.  I also use a web-chaining rule to
forward to a privoxy server for ad filtering (I'm sure there are ways to do
this with an ISA plugin) which is great because now I'm not downloading
flash take-overs that cause some of the older workstations to slow to a
crawl.

I put the ad filter in front of ISA because I wanted to kill that crap
before ISA wasted disk space by caching it.  I'd like to get prefetching
added in there somewhere as well, but I haven't found a good way to
implement that.

Every so often, I use it via a VPN link from a remote office when I need to
figure out if there's a problem with my network, the ISP, the remote server,
etc.

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Jim Harrison
Sent: Wednesday, May 28, 2008 1:47 PM
To: raz@...; focus-ms@...
Subject: RE: ISA as a proxy

Wow; that's a loaded question if ever there was one. <VBG>

If you ask me (an avowed ISA aficionado), ISA 2006 simply rocks.
No vulnerabilities, never been compromised; great IPv4 firewall and web
proxy.
What are your specific goals for deploying a proxy?

Jim

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of raz@...
Sent: Tuesday, May 27, 2008 11:19 PM
To: focus-ms@...
Subject: ISA as a proxy

hi
i was wandering if anyone has any experiance with ISA 2006 functioning as a
proxy and what are the conclusions

thanks

Hello

I have been using ISA 2006 as a web proxy for a year or so. It is used
also as a reverse proxy (web publishing), and so far it's a stable
product without any problems.

It is important to dimension the size of the cache in advance so you
don't have to resize it later. I'm currently using aprox. 30 GB and
it's a fine size for 120 users.

Regards,

Willy


On Wed, May 28, 2008 at 3:19 AM, <raz@...> wrote:
>
> hi
>
> i was wandering if anyone has any experiance with ISA 2006 functioning as a proxy and what are the conclusions
>
>
> thanks

Proxy or reverse proxy?

-W

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of raz@...
Sent: Wednesday, May 28, 2008 12:19 AM
To: focus-ms@...
Subject: ISA as a proxy

hi
i was wandering if anyone has any experiance with ISA 2006 functioning as a
proxy and what are the conclusions

thanks

Greetings,

I am running ISA 2006 as the main firewall and also integrates into ISA
appliances using Branch Office Site-To-Site VPN and it has been great.
A little painful getting the Celestix appliances working for the
site-to-site VPN.


ISA is used to publish multiple SharePoint sites (extranet and internet),
Exchange (webmail, rpc-http, activeSync).

It has been great :)

Kind Regards
Sarbjit Singh Gill



-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Guillermo Fontana
Sent: Friday, May 30, 2008 12:05 AM
To: focus-ms@...
Subject: Re: ISA as a proxy

Hello

I have been using ISA 2006 as a web proxy for a year or so. It is used
also as a reverse proxy (web publishing), and so far it's a stable
product without any problems.

It is important to dimension the size of the cache in advance so you
don't have to resize it later. I'm currently using aprox. 30 GB and
it's a fine size for 120 users.

Regards,

Willy


On Wed, May 28, 2008 at 3:19 AM, <raz@...> wrote:
>
> hi
>
> i was wandering if anyone has any experiance with ISA 2006 functioning as
a proxy and what are the conclusions
>
>
> thanks

Hello there,

we are using ISA 2004 and ISA 2006 as a proxy with strong MIME and URL based filtering
to securley  grant web access to several computer classroom installations.

It is robost and secure (almost no vulns and no patching needed).
Three things to mention:
1) isa server needed more hardware-power than i expected upfront.
With a lot of filtering, (AV) scanning and logging (separate server) going on, you'll need to size your servers accordingly.
2) i dont like the ISA Site to Site VPN. There are many other secure VPN solutions out there that are easier to  set up.
3) price tag of the enterprise editon. For what?

Hth
Gregor Stefka

-----Ursprüngliche Nachricht-----
Von: listbounce@... [mailto:listbounce@...] Im Auftrag von Sarbjit Singh Gill
Gesendet: Freitag, 30. Mai 2008 03:46
An: focus-ms@...
Betreff: RE: ISA as a proxy

Greetings,

I am running ISA 2006 as the main firewall and also integrates into ISA
appliances using Branch Office Site-To-Site VPN and it has been great.
A little painful getting the Celestix appliances working for the
site-to-site VPN.


ISA is used to publish multiple SharePoint sites (extranet and internet),
Exchange (webmail, rpc-http, activeSync).

It has been great :)

Kind Regards
Sarbjit Singh Gill



-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Guillermo Fontana
Sent: Friday, May 30, 2008 12:05 AM
To: focus-ms@...
Subject: Re: ISA as a proxy

Hello

I have been using ISA 2006 as a web proxy for a year or so. It is used
also as a reverse proxy (web publishing), and so far it's a stable
product without any problems.

It is important to dimension the size of the cache in advance so you
don't have to resize it later. I'm currently using aprox. 30 GB and
it's a fine size for 120 users.

Regards,

Willy


On Wed, May 28, 2008 at 3:19 AM, <raz@...> wrote:
>
> hi
>
> i was wandering if anyone has any experiance with ISA 2006 functioning as
a proxy and what are the conclusions
>
>
> thanks

So I guess I have a question on ISA as a reverse proxy (as I'm not too
familiar with the product).

Does ISA support HTTPS/SSL through the proxy? How about to separate
servers?

Kelly


-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On
Behalf Of Guillermo Fontana
Sent: Friday, May 30, 2008 12:05 AM
To: focus-ms@...
Subject: Re: ISA as a proxy

Hello

I have been using ISA 2006 as a web proxy for a year or so. It is used
also as a reverse proxy (web publishing), and so far it's a stable
product without any problems.

It is important to dimension the size of the cache in advance so you
don't have to resize it later. I'm currently using aprox. 30 GB and
it's a fine size for 120 users.

Regards,

Willy


On Wed, May 28, 2008 at 3:19 AM, <raz@...> wrote:
>
> hi
>
> i was wandering if anyone has any experiance with ISA 2006 functioning
as
a proxy and what are the conclusions
>
>
> thanks

ISA supports HTTP(S) bridging (web publishing) or tunneling (server publishing).
Web publishing can operate in either symmetric (same protocol external/internal) or asymmetric (different internal/external) and supports HTTP-FTP publishing as well (no FTPS, though).
Either web publishing or server publishing can also perform PAT.

Jim


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Kelly Martinez
Sent: Friday, May 30, 2008 8:51 AM
To: focus-ms@...
Subject: RE: ISA as a proxy

So I guess I have a question on ISA as a reverse proxy (as I'm not too
familiar with the product).

Does ISA support HTTPS/SSL through the proxy? How about to separate
servers?

Kelly


-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On
Behalf Of Guillermo Fontana
Sent: Friday, May 30, 2008 12:05 AM
To: focus-ms@...
Subject: Re: ISA as a proxy

Hello

I have been using ISA 2006 as a web proxy for a year or so. It is used
also as a reverse proxy (web publishing), and so far it's a stable
product without any problems.

It is important to dimension the size of the cache in advance so you
don't have to resize it later. I'm currently using aprox. 30 GB and
it's a fine size for 120 users.

Regards,

Willy


On Wed, May 28, 2008 at 3:19 AM, <raz@...> wrote:
>
> hi
>
> i was wandering if anyone has any experiance with ISA 2006 functioning
as
a proxy and what are the conclusions
>
>
> thanks

Yes - it does. We publish several SSL sites through ISA and also through an
mIAG appliance built on top of ISA.

Stuart


On 5/30/08 11:51 AM, "Kelly Martinez" <Kelly.Martinez@...> wrote:

Yes, ISA supports publishing multiple web sites (secure or otherwise). Note, however, that if you're trying to publish multiple SSL sites you will need to place them on separate combinations of external ports and IP addresses (that is, a separate IP address for each site on port 443, a single IP address for all sites on separate ports, or some combination thereof) -- ISA does not have the built-in ability to concentrate multiple SSL sites into one external port/IP address.

The Microsoft Internet Application Gateway appliance (formerly Whale Communications) does have that functionality, as another poster mentioned; it's built on top of ISA and is specifically designed for that scenario while providing a whole bunch of other cool functionality.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Kelly Martinez
Sent: Friday, May 30, 2008 8:51 AM
To: focus-ms@...
Subject: RE: ISA as a proxy

So I guess I have a question on ISA as a reverse proxy (as I'm not too
familiar with the product).

Does ISA support HTTPS/SSL through the proxy? How about to separate
servers?

Kelly


-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On
Behalf Of Guillermo Fontana
Sent: Friday, May 30, 2008 12:05 AM
To: focus-ms@...
Subject: Re: ISA as a proxy

Hello

I have been using ISA 2006 as a web proxy for a year or so. It is used
also as a reverse proxy (web publishing), and so far it's a stable
product without any problems.

It is important to dimension the size of the cache in advance so you
don't have to resize it later. I'm currently using aprox. 30 GB and
it's a fine size for 120 users.

Regards,

Willy


On Wed, May 28, 2008 at 3:19 AM, <raz@...> wrote:
>
> hi
>
> i was wandering if anyone has any experiance with ISA 2006 functioning
as
a proxy and what are the conclusions
>
>
> thanks

To further expand on what Devin said, you could always utilize a wildcard
certificate such as *.yourcompany.com to enable ISA to publish multiple SSL
websites on port 443.  Of course, you're limited to websites with
*.yourcompany.com but it might address your requirements.

--
Przemek (Shem) Radzikowski  -  ICT Solutions Architect / Security Specialist
MSc, BEng, BSc, MCP, MCPS, MCNPS, CPSA, TCSS, TCSP
NA +264 813641435 | BW +267 74639428 | MT +356 99431823 | AU +61 417952048 |
UK +44 7983105179
Capitalhead Ltd | http://capitalhead.com | skype: capitalhead

To further expand on what Devin said, you could always utilize a wildcard certificate such as *.yourcompany.com to enable ISA to publish multiple SSL websites on port 443.  Of course, you're limited to websites with *.yourcompany.com but it might address your requirements.

--
Przemek (Shem) Radzikowski  -  ICT Solutions Architect / Security Specialist MSc, BEng, BSc, MCP, MCPS, MCNPS, CPSA, TCSS, TCSP NA +264 813641435 | BW +267 74639428 | MT +356 99431823 | AU +61 417952048 | UK +44 7983105179 Capitalhead Ltd | http://capitalhead.com | skype: capitalhead

..to be clear; no Windows server application has this ability.
RFC 4366 "Server Name Indication" is not implemented in the server side of SChannel.
Vista / WS08 SChannel have it and IE knows how to use it.

Jim

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Devin Ganger
Sent: Friday, May 30, 2008 10:57 AM
To: Kelly Martinez; focus-ms@...
Subject: RE: ISA as a proxy

Yes, ISA supports publishing multiple web sites (secure or otherwise). Note, however, that if you're trying to publish multiple SSL sites you will need to place them on separate combinations of external ports and IP addresses (that is, a separate IP address for each site on port 443, a single IP address for all sites on separate ports, or some combination thereof) -- ISA does not have the built-in ability to concentrate multiple SSL sites into one external port/IP address.

The Microsoft Internet Application Gateway appliance (formerly Whale Communications) does have that functionality, as another poster mentioned; it's built on top of ISA and is specifically designed for that scenario while providing a whole bunch of other cool functionality.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Kelly Martinez
Sent: Friday, May 30, 2008 8:51 AM
To: focus-ms@...
Subject: RE: ISA as a proxy

So I guess I have a question on ISA as a reverse proxy (as I'm not too
familiar with the product).

Does ISA support HTTPS/SSL through the proxy? How about to separate
servers?

Kelly


-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On
Behalf Of Guillermo Fontana
Sent: Friday, May 30, 2008 12:05 AM
To: focus-ms@...
Subject: Re: ISA as a proxy

Hello

I have been using ISA 2006 as a web proxy for a year or so. It is used
also as a reverse proxy (web publishing), and so far it's a stable
product without any problems.

It is important to dimension the size of the cache in advance so you
don't have to resize it later. I'm currently using aprox. 30 GB and
it's a fine size for 120 users.

Regards,

Willy


On Wed, May 28, 2008 at 3:19 AM, <raz@...> wrote:
>
> hi
>
> i was wandering if anyone has any experiance with ISA 2006 functioning
as
a proxy and what are the conclusions
>
>
> thanks

AFAIK, IAG does not use RFC 4366; it's an application-level SSL VPN that performs SSL bridging to allow the same effect. The RFC 4366 "Server Name Indication" mechanism (section 3.1) allows a single web server to host multiple SSL-protected sites off the same IP/port combination. IAG is a separate appliance in your perimeter and can allow users to use a single SSL/TLS browser connection to reach multiple internal websites that probably are not on the same physical server, such as OWA, SharePoint, and others.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: Jim Harrison [mailto:Jim@...]
Sent: Friday, May 30, 2008 11:57 AM
To: Devin Ganger; Kelly Martinez; focus-ms@...
Subject: RE: ISA as a proxy

..to be clear; no Windows server application has this ability.
RFC 4366 "Server Name Indication" is not implemented in the server side of SChannel.
Vista / WS08 SChannel have it and IE knows how to use it.

Jim

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Devin Ganger
Sent: Friday, May 30, 2008 10:57 AM
To: Kelly Martinez; focus-ms@...
Subject: RE: ISA as a proxy

Yes, ISA supports publishing multiple web sites (secure or otherwise). Note, however, that if you're trying to publish multiple SSL sites you will need to place them on separate combinations of external ports and IP addresses (that is, a separate IP address for each site on port 443, a single IP address for all sites on separate ports, or some combination thereof) -- ISA does not have the built-in ability to concentrate multiple SSL sites into one external port/IP address.

The Microsoft Internet Application Gateway appliance (formerly Whale Communications) does have that functionality, as another poster mentioned; it's built on top of ISA and is specifically designed for that scenario while providing a whole bunch of other cool functionality.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Kelly Martinez
Sent: Friday, May 30, 2008 8:51 AM
To: focus-ms@...
Subject: RE: ISA as a proxy

So I guess I have a question on ISA as a reverse proxy (as I'm not too
familiar with the product).

Does ISA support HTTPS/SSL through the proxy? How about to separate
servers?

Kelly


-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On
Behalf Of Guillermo Fontana
Sent: Friday, May 30, 2008 12:05 AM
To: focus-ms@...
Subject: Re: ISA as a proxy

Hello

I have been using ISA 2006 as a web proxy for a year or so. It is used
also as a reverse proxy (web publishing), and so far it's a stable
product without any problems.

It is important to dimension the size of the cache in advance so you
don't have to resize it later. I'm currently using aprox. 30 GB and
it's a fine size for 120 users.

Regards,

Willy


On Wed, May 28, 2008 at 3:19 AM, <raz@...> wrote:
>
> hi
>
> i was wandering if anyone has any experiance with ISA 2006 functioning
as
a proxy and what are the conclusions
>
>
> thanks

Correct, but the question of "multiple SSL sites" applies to IAG as well as any other Windows-based, SSL-enabled server.  You can have only one certificate associated with a specific listener.  What you do through that session is a completely different question.

RFC 4366 server name indication potentially applies to any SSL-based server- not just web services.  In theory, you could have a single SMTPS server serving multiple identities via this same mechanism.

Jim

-----Original Message-----
From: Devin Ganger [mailto:DevinG@...]
Sent: Friday, May 30, 2008 12:08 PM
To: Jim Harrison; Kelly Martinez; focus-ms@...
Subject: RE: ISA as a proxy

AFAIK, IAG does not use RFC 4366; it's an application-level SSL VPN that performs SSL bridging to allow the same effect. The RFC 4366 "Server Name Indication" mechanism (section 3.1) allows a single web server to host multiple SSL-protected sites off the same IP/port combination. IAG is a separate appliance in your perimeter and can allow users to use a single SSL/TLS browser connection to reach multiple internal websites that probably are not on the same physical server, such as OWA, SharePoint, and others.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: Jim Harrison [mailto:Jim@...]
Sent: Friday, May 30, 2008 11:57 AM
To: Devin Ganger; Kelly Martinez; focus-ms@...
Subject: RE: ISA as a proxy

..to be clear; no Windows server application has this ability.
RFC 4366 "Server Name Indication" is not implemented in the server side of SChannel.
Vista / WS08 SChannel have it and IE knows how to use it.

Jim

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Devin Ganger
Sent: Friday, May 30, 2008 10:57 AM
To: Kelly Martinez; focus-ms@...
Subject: RE: ISA as a proxy

Yes, ISA supports publishing multiple web sites (secure or otherwise). Note, however, that if you're trying to publish multiple SSL sites you will need to place them on separate combinations of external ports and IP addresses (that is, a separate IP address for each site on port 443, a single IP address for all sites on separate ports, or some combination thereof) -- ISA does not have the built-in ability to concentrate multiple SSL sites into one external port/IP address.

The Microsoft Internet Application Gateway appliance (formerly Whale Communications) does have that functionality, as another poster mentioned; it's built on top of ISA and is specifically designed for that scenario while providing a whole bunch of other cool functionality.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Kelly Martinez
Sent: Friday, May 30, 2008 8:51 AM
To: focus-ms@...
Subject: RE: ISA as a proxy

So I guess I have a question on ISA as a reverse proxy (as I'm not too
familiar with the product).

Does ISA support HTTPS/SSL through the proxy? How about to separate
servers?

Kelly


-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On
Behalf Of Guillermo Fontana
Sent: Friday, May 30, 2008 12:05 AM
To: focus-ms@...
Subject: Re: ISA as a proxy

Hello

I have been using ISA 2006 as a web proxy for a year or so. It is used
also as a reverse proxy (web publishing), and so far it's a stable
product without any problems.

It is important to dimension the size of the cache in advance so you
don't have to resize it later. I'm currently using aprox. 30 GB and
it's a fine size for 120 users.

Regards,

Willy


On Wed, May 28, 2008 at 3:19 AM, <raz@...> wrote:
>
> hi
>
> i was wandering if anyone has any experiance with ISA 2006 functioning
as
a proxy and what are the conclusions
>
>
> thanks