Microsoft ISA Server Replacement

[Gaprofitt]

HI,

We are currently running Microsoft ISA Server on a box that we would like to replace. We

are not too crazy about Microsoft ISA server. We would like the following and i'm

looking for recommendations. It's not a huge company so we are looking to spend

between 1000-2000k.

We need something that supports L2TP and IPSEC via VPN, and we would like it to have

some sort of Internet content filtering built in. Keep people off porn sites, etc. It

needs to be rack mountable..

Thanks,

Greg

[tain]

Lots of ISA questions lately...

I'd like to refine your requirements. Does it matter if the software is windows- or unix-based? Do you have to spend money or are you able to use open-source? (some people refuse because of support issues)

What specifically don't you like about ISA so that we can work around that?

Not sure how being rack-mountable fits into a software selection...unless your train of thought is on one of those fancy proprietary boxes like these.

[Gaprofitt]

We have all kinds of issues with VPN connectivity with ISA Server. Especially with Windows Mobile devices. We would prefer it runs a Windows environment. An appliance type devices that has content filtering, VPN, Firewall etc would be ideal. Of course Cisco is eliminated based on price.

[tain]

An appliance that meets your requirements in that price range is a tall order. Maybe eBay...

[hosebeast]

We have all kinds of issues with VPN connectivity with ISA Server. Especially with Windows Mobile devices. We would prefer it runs a Windows environment. An appliance type devices that has content filtering, VPN, Firewall etc would be ideal. Of course Cisco is eliminated based on price.

You're still running ISA Server 2000 on Windows 2000 Server, aren't you?

ISA 2004 on WS 2003 handles VPNs great. The product was almost entirely overhauled, and the management UI makes it much easier to get configuration right, and you can download the ISA 2004 BPA (Best Practices Analyzer) to check everything. ISA 2006 will be shipping soon.

The big problem with your wishlist is the content filtering. Nobody provides true content filtering in a standalone product for cheap. All the free/cheap choices which claim to offer content filtering are ridiculously primitive. If you have a very small number of users, you could look at Sonicwall's low-end boxes. Otherwise, there's really nothing worthwhile available in your budget range.

But if you go with ISA 2004, you can get free and customizable Destination Sets to do filtering:

http://www.isaserver.bm/destination_sets.html

Other must-know sites for ISA resources:

http://www.isatools.org/

http://www.isaserver.org/

[tain]

Thanks for those links. I bookmarked them and hope to use them to get smarter on ISA

[Gaprofitt]

We have all kinds of issues with VPN connectivity with ISA Server. Especially with Windows Mobile devices. We would prefer it runs a Windows environment. An appliance type devices that has content filtering, VPN, Firewall etc would be ideal. Of course Cisco is eliminated based on price.

You're still running ISA Server 2000 on Windows 2000 Server, aren't you?

ISA 2004 on WS 2003 handles VPNs great. The product was almost entirely overhauled, and the management UI makes it much easier to get configuration right, and you can download the ISA 2004 BPA (Best Practices Analyzer) to check everything. ISA 2006 will be shipping soon.

The big problem with your wishlist is the content filtering. Nobody provides true content filtering in a standalone product for cheap. All the free/cheap choices which claim to offer content filtering are ridiculously primitive. If you have a very small number of users, you could look at Sonicwall's low-end boxes. Otherwise, there's really nothing worthwhile available in your budget range.

But if you go with ISA 2004, you can get free and customizable Destination Sets to do filtering:

http://www.isaserver.bm/destination_sets.html

Other must-know sites for ISA resources:

http://www.isatools.org/

http://www.isaserver.org/

Actually we are running it on the Server 2003 OS. Here is one issue for example we are having. We have a big need to utilize VPN with Windows Mobile 5.0 devices. We have a bunch of Cingular PDA's. We have tried using both IPSEC and L2TP. What happens is the first time the unit connects it works fine, the next time it will not connect unless the unit is rebooted. I don't experience this problem when connecting to my old work's Cisco unit. Any suggestions? We get a generic timeout error when connecting the 2nd time.

[hosebeast]

Actually we are running it on the Server 2003 OS.

It? What is "it"? ISA 2000? ISA 2000 SP1? ISA 2000 FP1? ISA 2004? ISA 2004 SP1? ISA 2004 SP2?

Your problems are going to stay unsolved for a long time if you can't get used to being specific.

We have a big need to utilize VPN with Windows Mobile 5.0 devices. We have a bunch of Cingular PDA's.

And those would be? Again, you're not going to get anywhere if you can't be specific. Perhaps the Cingular 8125? If so, have you updated your firmware yet? Check it by going to Start, Settings, System tab, Device Information. You should see:

ROM version: 2.25.11.1 WWE

ROM date: 05/11/06

Radio version: 02.25.11

Protocol version: 4.1.13.12

ExtROM version: 2.25.11.102

We have tried using both IPSEC and L2TP.

And that would be with PSK or certificates? With the built-in VPN client or Bluefire or NetMotion? Test with Bluefire before you decide that the problem is ISA; it's far more likely that you're running into the many bugs in the WM5 VPN client. The VPN client in WM 2003 had fewer features but was more stable.

The fact that you can connect consistently to a Cisco box doesn't necessarily mean that the client is reliable, just that its bugs may be less sensitive to a particular PIX or IOS firmware build than to whatever version of ISA you're running. IPSEC implementations can be extremely finicky.