From time to time, I have discussions about Microsoft Internet Acceleration Server (ISA) with people questioning whether ISA is a real firewall product. Many companies use ISA Server, but only as a proxy server or to protect their Windows servers (publishing Exchange, etc.). In these cases, they put another (a real) firewall in front of ISA.

But there are others as well who protect their companies' borders only with ISA Server and who use all of its functionality, including VPN and firewall functionality. Crazy people?

Let's start with the (long) history of ISA Server, which is probably the main source of their concerns: it started as a product called Proxy Server, which was, exactly as the name says, a proxy server! Since then, a lot of IT pros still believe that this is all ISA Server does (well). However, a lot has changed since then, and ISA Server has nothing in common with the initial product.

If you are interested in the technical details of the ISA architecture, please have a look at the following document:
http://www.microsoft.com/isaserver/prodinfo/firewall_corewp.mspx

And, in addition, some facts around ISA Server:

Interestingly, Tom Shinder has a similar article on his website:
http://blogs.isaserver.org/shinder/2008/07/06/auditors-you-do-not-need-to-put-a-firewall-in-front-of-the-isa-firewall/

See also my last blog post, "Microsoft ISA Server 2006 SP1 released":
http://blogs.technet.com/ms_schweiz_security_blog/archive/2008/07/07/microsoft-isa-server-service-pack-1-sp1-released.aspx
(Product updates yes, but no security updates)

Now, I hear some voices: Yes, ISA is probably doing well, but it's on Windows! True, but interestingly, ISA, properly configured, protects the OS as well (of course, software updates are still a must!). Remember, no hacked ISA server so far.

[Thanks also to Sasa, who helped to put this together.]

Urs