Deploying Unihomed ISA Firewalls
In spite of six years of pushing the ISA firewall as an eminently secure edge and perimeter firewall here on ISAserver.org, there are still many hapless ISA firewall admins who relegate their ISA firewalls to the role of simple Web proxy servers. While the ISA firewall certainly makes an excellent Web proxy and Web caching device, the problem with the unihomed ISA firewall is that you lose out on 99% of the security you could get from a fully deployed ISA firewall configuration.
Why? Because when you deploy a unihomed ISA firewall, the ISA firewall cannot be an inline device. Instead, the Web proxy client machines forward only HTTP, HTTPS and HTTP Web proxy tunneled FTP requests to the ISA firewall in unihomed Web proxy mode. For all other protocols, the clients must use another device on the network for Internet access, and it's extremely unlikely that the alternate device can provide the same level of security, access control, logging and reporting that the ISA firewall could provide.
Of course, there are some legitimate scenarios where you might want to deploy a unihomed, Web-proxy-only ISA firewall. For example, you might already have an ISA firewall as an edge or corporate perimeter segment firewall. Now you'd like to add industrial-strength Web filtering with add-on products like Websense or SurfControl. You also want to add a device that does anti-spam and antivirus for your organization. Web caching would be a nice thing to have too.
While you could add all these services to your edge or corporate perimeter ISA firewall, why not just add a second (or third or fourth or fifth) ISA firewall to your network and configure it in unihomed Web proxy mode? In this way, you can forward all Web proxy requests to the unihomed ISA firewall device, have comprehensive Web filtering, and also use the device for strong anti-spam and email antivirus protection. This offloads processing and memory resources from the edge or corporate perimeter ISA firewall and increases overall Internet link performance. This also allows you to fully leverage the generous security enhancements you get when you deploy the Firewall client.
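One concrete way to point the Web proxy clients at the dedicated unihomed ISA firewall is a proxy auto-configuration (PAC) script. The script below is an added example, not code from the original post or from ISA Server itself; the proxy hostname, port 8080 and the internal domain are assumed values, and the three PAC helper functions are re-implemented here only so the script runs under Node.js (a real browser supplies them). It also makes the limitation from the text explicit: only the browser protocols HTTP, HTTPS and FTP ever reach the Web proxy listener, so anything else is returned as DIRECT and must be covered by the inline edge ISA firewall or the Firewall client.

```javascript
// Added example PAC script (not from the original post). Written in ES3-style
// JavaScript because older PAC engines (IE/WinHTTP JScript) lack let/const.

// Assumed: hostname and Web proxy listener port of the unihomed ISA firewall.
var WEB_PROXY = "PROXY isa-webproxy.corp.example:8080";
// Assumed: internal DNS suffix whose hosts should never go through the proxy.
var INTERNAL_DOMAIN = ".corp.example";

// --- Minimal stand-ins for PAC helpers so this runs under Node.js. ---
// In a browser these three are provided by the PAC runtime; do not ship them.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  var idx = host.length - domain.length;
  return idx > 0 && host.lastIndexOf(domain) === idx;
}
function shExpMatch(str, pattern) {
  // Convert a shell glob (* and ?) into an anchored regular expression.
  var re = new RegExp("^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$");
  return re.test(str);
}
// --- end of helpers ---

// Returns the proxy directive for one URL. Browsers call this for every fetch.
function FindProxyForURL(url, host) {
  var scheme = url.split(":")[0].toLowerCase();
  host = host.toLowerCase();

  // A unihomed ISA firewall only ever sees HTTP, HTTPS and proxy-tunneled FTP.
  // Any other scheme (rtsp, socks, etc.) cannot be proxied by it, so the client
  // goes direct and relies on whatever inline device sits at the edge.
  if (scheme !== "http" && scheme !== "https" && scheme !== "ftp") {
    return "DIRECT";
  }

  // Intranet names and RFC 1918 addresses stay off the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  if (shExpMatch(host, "10.*") ||
      shExpMatch(host, "192.168.*") ||
      shExpMatch(host, "127.*")) {
    return "DIRECT";
  }

  // Everything Web-bound goes to the unihomed ISA firewall for filtering,
  // caching and logging.
  return WEB_PROXY;
}
```

Publish the script via WPAD or the browser's "automatic configuration script" setting; because non-Web protocols never reach this function, the edge ISA firewall's access rules and logging still matter for those.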
If you're interested in this type of deployment, then watch this space. I'll have more information for you in the near future about an ISA hardware firewall OEM that is working on just such a project. I think it's a great idea and am looking forward to sharing the details with you!
Thomas W Shinder, M.D.
MVP -- ISA Firewalls