Cisco Pix and ISA Server

g-pate · ‎02-07-2005

Does anyone know if a Microsoft ISA server can be used in conjunction with a Pix firewall? I know the PIX works with N2H2 and websense for filtering, but can it work with ISA? The workstations have a "client" loaded on them, and if the ISA server becomes unavailable, then the clients cannot access the Internet. I would like to have a redundant solution in place that prevents this single point of failure.

jrtaylor3 · ‎02-07-2005

My company has run into the same issues and what we do is "not" install the proprietary WINSOCK on the PC. We use the "Proxy" capable applications like IE and or any IM client and stop end users from going through the PIX. The servers and specified applications may go through the PIX, but any Proxy capable applications use the ISA server. There is a document at isaserver.org or Microsoft.com that describes to use it as a proxy only server.

Having two logs to review can be a pain. Both devices support a syslog function even though the one from ISA server is more encompassing. If you are looking to avoid the cost of Websense and N2H2 then this might be the best option. If there is a problem with the Proxy server there are forwarding capabilities in the ISA server, but if it is down, then you do have some problems. The router can intercept the port 80 or 8080 HTTP request and have policy route for it, but this does get complex.

g-pate · ‎02-07-2005

Okay, so you have your Proxy aware clients set the proxy value, and then have an access-list or something preventing them from going through the Pix. I guess, worse case, I could have them remove the Proxy check box, and allow them access to the Internet through the Pix for the time that the ISA/Proxy server is having a problem. Thanks