I did it. No – hell didn’t freeze over, and no – pigs aren’t flying. But yes, I just recently did some network reconfiguration here at the office, moving from a dual-nic SBS Premium setup with ISA 2004 to a single-nic setup with a hardware router/firewall instead. Gasp! The horror! . . .
I’ll admit that for a long time I thought it would be a cold day in hell before you could pull ISA from my dead hands – but I would also be lying if I didn’t tell you that I definitely had a love/hate relationship with ISA – and it usually depended on the hour as to whether I was loving it or hating it.
So what is my thinking? You know, if someone figures that one out would you please clue me in?
Like most technology decisions, this was motivated by business needs – both the business needs of our clients as well as our own business needs to profitably deliver quality services to our clients. First – we’re seeing an increased demand in managed security with the SMB client. Second – we are continuously looking for ways to increase productivity and gain efficiency. Third, we’re revamping our product offerings to better line up with our core business as an MSP by adding products that allow for additional recurring revenue opportunities.
So, the big question is what did we decide on to replace ISA 2004 in our office? CheckPoint’s Safe@Office 500W Unified Threat-Management device. Now why did this solution win out?
1) Affordability / Flexibility. The CheckPoint has several base models to choose from (wired or wireless, with 5/25/Unlimited clients), and nice add-on services including gateway anti-virus, anti-spam, web content filtering, etc. The base models make it affordable to get this device into smaller clients who wouldn’t normally consider ISA. Additionally, the add-on services allow clients to purchase features cafeteria-style and provide us with additional recurring revenue.
2) Efficiency in Management. CheckPoint offers their Security Management Portal for centralized management of these devices. Their SMP was designed and built from the ground up with MSPs as the target, around how we work:
* Everything you can configure locally via the device can also be configured centrally from the SMP. Additionally, with the SMP we can create groups with common configurations and apply those group settings to multiple devices very quickly and easily.
* The SMP also streamlines setting up site-to-site VPNs between devices. Simply build your VPN community in the SMP and pick the devices you want to belong to that community; the SMP will then generate the necessary configuration and push it out to each of the devices. This also allows you to have IPSec VPNs between devices that can only get dynamic public IPs. When one device’s IP changes, it notifies the SMP, which automatically updates the configuration on the other devices in the VPN community.
* The SMP allows you to customize both administrative and customer-facing reports, so you can change the layout, the content, and even the look and feel to match your branding. Customer-facing reports offer a lot of nice, colorful graphs which make sense to CXO level individuals at your clients.
* The SMP is available either in a hosted solution, or in a purchase and run on your own server setup.
From a technical standpoint, there are pros and cons to both ISA and the CheckPoint (or other hardware firewalls). There are a lot of things that ISA does better than many hardware devices – primarily web publishing, with its ability to inspect HTTP traffic and route requests based on HTTP Host headers, as well as providing egress filtering that integrates with Active Directory. Where ISA falls short is when you have a service provider who needs to efficiently manage multiple installations at different customer sites with different needs. Sure, I could probably build a repository of management scripts, and use Level Platforms’ Managed Workplace to push those scripts out to our managed client base, but why reinvent the wheel – and run the risk of having to recreate those scripts as subsequent generations of ISA are released?
Also, I will admit that I am beginning to question the feasibility of ISA on SBS. I still don’t fully buy in to some people’s arguments that ISA on SBS is inherently insecure. I’m beginning to question the feasibility of ISA on SBS not because of the security implications, but because of the added complexity in setup and administration. If you look at the SMB space and the SBS customer – their needs are changing. Two years ago we could sell an SBS Premium to a customer who relied on Exchange and file shares. In that scenario, adding ISA to the mix wasn’t that complicated or that big of a deal. The customers we’re encountering today are looking for much more diverse and mature solutions. Our typical SBS-based deployment is now a multiple-server environment. SBSers are doing more with Exchange – particularly in terms of mobility – and are depending on SharePoint for workflow management, version control and increased collaboration, instead of simply document storage. Our SBS clients are also much more likely to be running at least one Line-Of-Business app – in our experience most likely Dynamics GP and/or Dynamics CRM.
When you start putting all of this onto one box, change management becomes a bit of a challenge to say the least. And even us long-time ISA fans have to admit that ISA is usually the first thing to come up when we start thinking about moving services off our SBS. But investing in another box, plus another Windows Server license, plus ISA is often hard to swallow – especially when you look at it from a customer perspective and include services to install and configure that box. From a business standpoint, when you compare that option to a solution like the CheckPoint that offers a significantly lower entry point, provides the MSP with a mechanism for recurring revenue, and provides a pre-built solution to efficiently manage a large number of devices from one central location, it becomes a bit of a no-brainer.
Now the question is just how well this is going to work. We’re now at 4 days since the CheckPoint replaced ISA in our office, and so far so good. I’ll be sure to report back on my post-ISA experiences.