MikroTik

Hi guys

A client of mine currently has a draytek router, handling four WAN connections into their office block. I want to sell them a RB1000 or similar but there's a pencil pusher who insists on ISA Server.

Can these co-exist? In other words, can I use RouterOS for the routing/load balancing/QoS etc and leave the ISA Server to handle the firewall and VPN stuff for the LAN? I would assume that my forward rule would just 'accept all'.

Anyone have any input?

Thanks.

was hoping someone would be able to help me here. surely someone has done this in the past, even if it was with another firewall?

sure you can,... why.. got me. but you can.

was hoping someone would be able to help me here. surely someone has done this in the past, even if it was with another firewall?

I've done this a number of times. Client would have ISA server already, then sees the performance and flexibility of ROS and wants to put it in, but doesn't want to kill his I$A. It works fine, but ISA works best when it takes control of everything (ie. like any other MS software, it doesn't cooperate with anything else). Try to take some of the features away from ISA and you're in for a ride..

Thank andreacoppini for this feedback.

My understanding of ISA is that it's just a proxying firewall. Can it really do routing as well? I know it can handle VPNs etc but I thought it wouldn't be able to do stuff like load balance 2 or 3 WANs hence the need for RouterOS.

Please update me.

My understanding of ISA is that it's just a proxying firewall. Can it really do routing as well? I know it can handle VPNs etc but I thought it wouldn't be able to do stuff like load balance 2 or 3 WANs hence the need for RouterOS.

Please update me.

I haven't used ISA recently, but ISA was never designed to be a Cisco-beater. It's primary use is for internet access control and security, so in effect it is just a caching proxy. It uses the underlying Windows Server RRAS to provide routing, VPNs, NAT. I don't believe it can load balance WANs as effectively as RouterOS can.

What you are trying to achieve should be perfectly possible, since to the ISA, the RB1000 will just be an internet connection.

Good luck.

Thanks a lot!

You as ISP it is better to install RB1000 before ISA, and there you can do all the QOS, Queueing, Routing, and then leave the ISA server to manage Proxying, Filtering, Cache-ing, NAT etc etc, and of course leave it as a responsibility of your client so with this you create Demarc point between RB1000 and ISA.
By the way, routing is much better in RouterOS than in ISA.

Regards.

Faton.

Thanks Faton, this is exactly what I had in mind. The customer handles their own security but I do the routing and internet access.

ISA cannot do ANY type of load balancing at all. It is very primitive in that respect. It can routing without any problem via Windows Routing and Remote Access - dont expext miracles beyond basic static routing though. Look at ISA as more of a "client and application management server" rather than packet filter type of system.