Suffice it to say that we are very impressed with the Cisco SA 520 security appliance.
The start to finish configuration of the SA 520 was about 30-45 minutes including the firmware update process.
We set the box to Deny all outbound IPv4 packets by default with IPv6 being disabled for now.
We then built in a standard rule set for server based services and client Web access. That rule set was based on the ISA rule set in SBS 2003 as well as Eriq Neale’s and SmallBizServer.net’s articles on setting up an ISA 2006 server to work with SBS 2008.
Before we could create the inbound and outbound rule set, we needed to create a few custom services ports to cover our SBS needs:
- NTP-(UDP) 123
- Server uses to connect to pool.ntp.org to keep time sync.
- SBS2K3-4125 TCP 4125
- Outbound using this port for connecting to the SBS 2003 RDP proxy port.
- RDP TCP 3389
- RDP outbound only.
- SBS_SharePoint-987 TCP 987
- For publishing our internal Companyweb SharePoint site.
- SBS2K3_SharePoint-444 TCP 444
- Access to client’s SBS 2003 Companyweb SharePoint sites.
Once all of our rules are configured we end up with the following outbound and inbound set:
Note that the SBS services publishing rules are on the bottom with the ExchangeDefender services server’s subnets (ED Deployment Guide) being the only SMTP sources allowed to travel in to our SBS v7 setup.
BTW, we have slowly stopped paying attention to the SMTP inbound protocol in our previous ISA logging because the longer we have had our e-mail domains on the ExchangeDefender service, the less spammers have tried to connect directly to what was once our public SMTP IP.
And, also take note that the rules that have 192.168.Subnet – 192.168.Subnet are actually filters that only allow an internal IP subset to send those protocols out to the Internet. That subset contains the IP addresses of our internal servers.
This setup virtually eliminates any possible rogue SMTP traffic from a system that receives its IP via the SBS v7 DHCP service.
We had the SA 520 sitting on the bench with a laptop connected to it. We brought the firmware update over via USB flash drive using the URL set on the firmware update page to get to it fairly quickly.
Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book
*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.
Looks nice, I just ordered 8 of 520w's for our offices.
ReplyDeleteGreat review. Wondering if it is possible to use the Windows 7 built-in VPN to connect to the Cisco SA 520?
ReplyDeleteThanks.
A,
ReplyDeleteWhile we have no real need to set up a client/server type PPTP VPN anymore, it does look like the Cisco supports PPTP connections which is one of the Windows VPN client's supported protocols.
Cisco Small Business Pro SA 500 Series Comparison.
Philip
Thank you for your answer, it's really appreciated.
ReplyDelete