Need to provide Internet blocking based on AD users and Load balancing. What to use?

Starriol (Limp Gawd; joined Jan 3, 2006; 191 messages)
At my company we want to give certain people (users in our Windows 2003 Active Directory) limited access to the Internet. That is, block all ports except 80 (web) and only provide access to a list of approved sites, while other users should have unrestricted access.

Also, since the company has grown very dependent on the Internet, we need to have 2 ISPs in case one fails, which has been happening a lot recently.

We have 2 servers right now, one of which is a Core 2 Duo with 2 GB of RAM that we use as a file server & application server for accounting software.

The other server (Pentium 4, 3 GHz with 512 MB of RAM) we use as a mail server with mail daemon. It works perfectly well in that function.

What I was thinking about doing is to move the MDaemon server to the Core 2 Duo with 2 GB of RAM, since it should be more than enough to handle all the services, and use the "slow" Pentium 4 (upgrading it to 1 GB of RAM) as router, DHCP server, firewall and load balancing server with ISA Server 2006 under Windows 2003.

Does ISA Server have the capability to establish rules of Internet access based on users? Can a machine like this handle the load balancing in both software and hardware?
We don't have too much traffic, and currently we have a Linksys BEFSR41 ver. 3 which works OK with just one ISP.

Do you guys think this will work out? I can't buy a great Cisco router since they are too expensive for our company, and I don't trust Linksys/D-Link routers for this kind of operation...

Thanks for your ideas.
 
First: I think you mean ISA Server 2004 or 2006. There is no 2005. Second: Yes, ISA Server 2004/2006 are both fully AD integrated. You can create rules based on groups of users in AD. You may need to install the Firewall Client on the PCs though.

Also, ISA 2004 only supports one gateway/default route. I don't know exactly why, but I have read this in several places. I don't know if this changed with ISA 2006. If you are trying to load balance your outbound connections, you might want to place something like a pfSense box in front of ISA to do your load balancing.
 
What about installing pfSense as a VMware guest OS and using its virtual IP as the default gateway for ISA Server?

That way, users connect to the ISA proxy/firewall, I block all I don't want out (does ISA allow URL blocking or what I want, some users getting to just some allowed URLs?), and then ISA Server routes to pfSense, which routes to one of the two ISPs?

That's complicated, just the way I LOVE things :D

But it can work, right?
 
I definitely would not recommend running a production firewall in a virtual machine. I have tried this with both IPCop and Endian. Both had the same result. I was constantly getting dropped packets, session timeouts, and general goofiness.

As far as URL blocking, yes ISA supports both URL and Domain Name blocking.

You are correct on the general setup of the system.
 
OK, let's say I have one machine as a dedicated pfSense firewall... the problem is that I just checked the pfSense FAQs and it said that it DOES support multiple WANs, but no failover.

Does it mean that if a connection goes down, the pfSense router doesn't notice and loses packets? Anyone had this scenario happen? Will it just make the network a little more saturated in case of a link going down, or does it cause major problems?
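The failover question above comes down to how a gateway monitor decides that a link is dead, and how it avoids flapping the default route on a single lost packet. The following Python script is an added illustration of that decision logic; it is not pfSense's code and not part of this thread, and it makes no claim about what pfSense itself does. The names `Gateway`, `ping_probe`, `run_cycle` and `simulate` are mine, the `ping` flags assume Linux iputils, and the gateway addresses are constructed from the TEST-NET documentation ranges. Each gateway is probed once per cycle, marked DOWN only after `down_after` consecutive failures and UP again only after `up_after` consecutive successes; the preferred gateway that is still up carries the default route, and the script reports NONE when every link is down rather than switching to a dead one.

```python
"""Dual-WAN gateway health monitor with hysteresis-based failover.

Constructed example, not pfSense code: each gateway is probed every cycle,
declared DOWN after `down_after` consecutive failed probes and UP again only
after `up_after` consecutive successes, so one lost packet does not flip the
default route back and forth.
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Gateway:
    name: str
    address: str            # next hop; also the address that gets probed
    priority: int           # lower value = preferred when several are up
    down_after: int = 3     # consecutive failures before marking DOWN
    up_after: int = 2       # consecutive successes before marking UP again
    state: str = "up"
    fail_streak: int = 0
    ok_streak: int = 0

    def observe(self, reachable: bool) -> str:
        """Feed one probe result into the state machine; return the new state."""
        if reachable:
            self.ok_streak += 1
            self.fail_streak = 0
            if self.state == "down" and self.ok_streak >= self.up_after:
                self.state = "up"
        else:
            self.fail_streak += 1
            self.ok_streak = 0
            if self.state == "up" and self.fail_streak >= self.down_after:
                self.state = "down"
        return self.state


def ping_probe(address: str, timeout_s: int = 2) -> bool:
    """Real probe: one ICMP echo via iputils ping (Linux flags assumed)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), address],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def choose_active(gateways: List[Gateway]) -> Optional[Gateway]:
    """Lowest-priority-number gateway that is currently UP, or None if all are down."""
    up = [g for g in gateways if g.state == "up"]
    return min(up, key=lambda g: g.priority) if up else None


def run_cycle(gateways: List[Gateway], probe: Callable[[str], bool]) -> Optional[str]:
    """Probe every gateway once; return the name of the gateway that should
    carry the default route after this cycle (None when every link is down)."""
    for g in gateways:
        g.observe(probe(g.address))
    active = choose_active(gateways)
    return active.name if active else None


def simulate(gateways: List[Gateway], rounds: List[Dict[str, bool]]) -> List[Optional[str]]:
    """Replay scripted probe outcomes (constructed data) instead of real pings.
    Each round maps gateway name -> reachable; returns the active gateway per cycle."""
    by_addr = {g.address: g.name for g in gateways}
    history: List[Optional[str]] = []
    for outcome in rounds:
        history.append(run_cycle(gateways, lambda addr, o=outcome: o[by_addr[addr]]))
    return history


def main() -> None:
    # Constructed addresses from the TEST-NET documentation ranges, not real ISPs.
    gws = [Gateway("isp1", "192.0.2.1", priority=10),
           Gateway("isp2", "198.51.100.1", priority=20)]
    # Scripted scenario: isp1 loses three probes in a row, then recovers.
    script = ([{"isp1": True, "isp2": True}]
              + [{"isp1": False, "isp2": True}] * 3
              + [{"isp1": True, "isp2": True}] * 2)
    for i, active in enumerate(simulate(gws, script), 1):
        print(f"cycle {i}: default route via {active or 'NONE (all gateways down)'}")
    # In production, replace the scripted probe with the real one, e.g.
    # run_cycle(gws, ping_probe), and apply a changed result with the
    # platform's route command.


if __name__ == "__main__":
    main()
```

The point of the two thresholds is that a link with a few per cent packet loss is still usable and should not cause a route change, while a link that is actually dead is abandoned within `down_after` probe intervals; with a probe every few seconds that is the window during which connections are lost before the other ISP takes over. The script only decides which gateway should be active; installing the route is platform-specific and is left to the caller.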
 