Should You Install Anti-virus Software on Your ISA Firewall?

I get asked a few times a week whether you should install anti-virus software on the ISA firewall. Its a good question and worth a few moments to consider what is being asked.

There are two general types of AV software that you can install on the ISA firewall:

  • AV software designed to protect the host operating system (Windows) on which the ISA firewall runs
  • AV software designed to scan and protect against viruses that might traverse the ISA firewall via HTTP, HTTPS, IM, P2P, FTP or other protocols that can transfer files

The first type of AV software is not required on the ISA firewall. Remember, the ISA firewall is not a workstation, so you never run Internet Explorer, Outlook Express (or any other email client), Kazaa, BitTorrent, FTP client, or any other client software on the firewall. Because there is no client software run on the ISA firewall that would enable downloads of files that would contain viruses, worms or spyware, the ISA firewall is not at risk for infection. However, if you purposely violate network and firewall security principles and use the ISA firewall as a workstation, then you will put yourself at risk for infection. However, if you operate your ISA firewall in a secure and professional fashion, then there is no reason to install host specific AV software on the firewall.

In addition, you should never install server applications that would significantly increase the attack surface on the ISA firewall. This means never installing IIS on the ISA firewall, never making the ISA firewall a DC, never installing MS Exchange on the ISA firewall and not installing any other server software that could harbor viruses and other malcode. Exceptions to this include installing the SMTP service, installing the DHCP service and installing the DNS server on the ISA firewall.

The second type of AV software is designed to work with the ISA firewall components to protect hosts on ISA firewall Protected Networks from malware infection. I highly recommend that you install 3rd party applications, or configure the ISA firewall’s built-in HTTP Security Filter, to protect yourself from viruses, worms, spyware and other code that puts network computers at risk.

Examples of such software include Websense, SurfControl, Akonix, GFI WebMon3 and many others. These third party applications can be installed on-box or off-box. The ISA firewall has an advantage over many other solutions because you can install these applications on-box, which reduces cost and administrative complexity because you don’t have to maintain a second hardware device and worry about connectivity and configuration issues with the second device.

To sum things up: no, you don’t need to install AV software to protect the ISA firewall’s host operating system, and yes, you should install AV software designed to work with the ISA firewall to protect you against downloads of malicious mobile code.



Thomas W Shinder, M.D.




MVP -- ISA Firewalls

Deb Shinder

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.

Published by
Deb Shinder

Recent Posts

Azure Windows Virtual Desktop: Avoid the fresh hell of stale user sessions

This tutorial on Azure Windows Virtual Desktop and stale users can help you cut down…

20 mins ago

Phishing campaign spoofs domain, targets computer vendors

A convincing-looking phishing campaign purportedly from a Texas government agency is targeting computer vendors in…

4 hours ago

Top 5 cybersecurity innovations and why they’re drawing in the money

With attackers making use of every vulnerability, our sense of security has turned into insecurity.…

7 hours ago

Have you really tested your disaster recovery plan?

How do you simulate a disaster to see whether your disaster recovery plan is ready…

1 day ago

Using conditions in ARM templates when deploying infrastructure-as-code

This Quick Tip shows you a neat little coding trick that will help you when…

1 day ago

Full circle: On-premises Exchange to Microsoft 365 — and back again

Migration from on-premises Exchange to Microsoft 365 may not be a one-way street. What about…

1 day ago