Re: Traffic Routing and Content Filtering



RP wrote:
One more thing. When I go into Server Management under Internet and Email it says "Setup Firewall", is this ISA 2004? Or am I getting this mixed up? Thanks.


It's ISA if installed, or the built-in firewall if not, neither of which can be used with only one NIC. The traffic must pass through the SBS. The minimum-cost option, if you do have SBS Premium and therefore ISA, is to switch to two NICs and use it. If you don't have ISA, then two NICs will allow you to use the built-in firewall, but this has almost no filtering facilities and no web proxy. You have been warned about the next SBS version not having this capability, but this may not be important at the moment. IT planning rarely works years ahead, and nobody upgrades a server operating system unless they need to.

Probably the minimal-disruption method to achieve what you want is a stand-alone firewall appliance placed between the network hub/switch and the Internet router. I understand the cost constraints, which everyone has, but there's no law that says you have to be able to do what you want without it costing anything. I'm quite sure your boss will value network uptime quite highly, and it's up to him how highly he values the abilities he now wants. If you were to go this route, then the connection between router and appliance forms another tiny network, which must use a different network address than your current one, and I'd strongly advise against using the 10.0.0.0 network address.

There is a virtually zero-financial-cost option, that of running one of many free operating systems on a two-NIC computer to implement an ISA-type firewall appliance. There is, of course, a cost in the very steep learning curve involved. It is no more practical to utilise such a system without any knowledge of it than it is to run and troubleshoot ISA on SBS without knowing anything about ISA or SBS.

The drawback to the use of any firewall is your VOIP system. Usually quite a large range of ports must be opened for VOIP, and any firewall, whether 'software' or an 'appliance', will have a CPU-limited throughput which may be heavily utilised by VOIP. Many people implement VOIP as a completely separate IP network running directly from an Internet router port to avoid this, but obviously this cannot be retrofitted easily.