And EOL with a full dead stop!
Service and support comes to a full stop on April 30th, 2014.
Cisco is recommending the ISA500 Series Integrated Security Appliances.
Now, as a rule our preference is to utilize ExchangeDefender to sanitize all e-mail before it gets anywhere near the production network.
We can then allow only the ExchangeDefender servers' subnets inbound for SMTP traffic, which keeps everyone else's SMTP authorization attempts off the Exchange server.
And, because we tend to register only one MX record, we don't have to worry about spammers pumping spam into secondary MX servers, which in some cases have little or no spam protection.
Our primary goal is to filter all inbound and all outbound WAN-based traffic. That is, we set up whitelists both for LAN traffic bound for the Internet and for Internet traffic bound for services on our servers.
Besides filtering inbound SMTP traffic, we set an outbound SMTP rule that allows it only from the on-premises Exchange server and any other server(s) on the network. If a user's machine gets compromised by something that tries to spew e-mail via SMTP, it stops there and we get a call about a machine that's dragging its feet. :)
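To make the rule set above concrete, here is a small first-match policy evaluator that models it: inbound TCP/25 is allowed only from the sanitising relay's subnets to the Exchange server, outbound TCP/25 is allowed only from the Exchange server, everything else outbound is whitelisted per service, and anything unmatched falls to a default deny. The script also picks out the LAN hosts whose direct SMTP attempts were blocked, which is the "machine dragging its feet" signal the post relies on. This is an added example, not code from the post or from Cisco or ExchangeDefender, and every address and subnet in it is a constructed RFC 5737 placeholder; the real relay subnets and the customer's addressing are not on the page.

```python
"""Added example: first-match firewall policy modelling the SMTP rules in the post.

All addresses below are constructed placeholders from the RFC 5737
documentation ranges, not real ExchangeDefender or customer values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
# Hypothetical sanitising-relay subnets (the real ones are not on the page).
EXCHANGEDEFENDER_SUBNETS = (ipaddress.ip_network("203.0.113.0/24"),)
LAN = ipaddress.ip_network("192.0.2.0/24")              # constructed LAN
EXCHANGE_SERVER = ipaddress.ip_network("192.0.2.10/32")  # constructed on-premises Exchange
SMTP, HTTPS = 25, 443


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                                  # "in" = WAN->LAN, "out" = LAN->WAN
    src_nets: Tuple[ipaddress.IPv4Network, ...]
    dst_nets: Tuple[ipaddress.IPv4Network, ...]
    dport: Optional[int]                            # None matches any destination port
    action: str                                     # "allow" or "deny"

    def matches(self, direction, src, dst, dport):
        return (self.direction == direction
                and any(src in n for n in self.src_nets)
                and any(dst in n for n in self.dst_nets)
                and (self.dport is None or self.dport == dport))


# Ordered whitelist; the first matching rule wins.
POLICY = [
    Rule("inbound-smtp-from-sanitiser", "in", EXCHANGEDEFENDER_SUBNETS, (EXCHANGE_SERVER,), SMTP, "allow"),
    Rule("outbound-smtp-from-exchange", "out", (EXCHANGE_SERVER,), (ANY,), SMTP, "allow"),
    Rule("outbound-smtp-from-anything-else", "out", (LAN,), (ANY,), SMTP, "deny"),
    Rule("outbound-https-whitelist", "out", (LAN,), (ANY,), HTTPS, "allow"),
]


def evaluate(direction, src, dst, dport, policy=POLICY):
    """Return (action, rule_name); unmatched flows hit the implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(direction, src_ip, dst_ip, dport):
            return rule.action, rule.name
    return "deny", "default-deny"


def denied_smtp_sources(flows, policy=POLICY):
    """LAN hosts that tried to send SMTP directly and were blocked: the ones to go look at."""
    return sorted({src for (d, src, dst, p) in flows
                   if d == "out" and p == SMTP and evaluate(d, src, dst, p, policy)[0] == "deny"})


# Constructed sample flows: (direction, src, dst, dport)
SAMPLE_FLOWS = [
    ("in", "203.0.113.5", "192.0.2.10", SMTP),      # sanitised mail from the relay
    ("in", "198.51.100.7", "192.0.2.10", SMTP),     # stranger connecting straight to the MX
    ("out", "192.0.2.10", "198.51.100.20", SMTP),   # Exchange delivering outbound mail
    ("out", "192.0.2.55", "198.51.100.20", SMTP),   # workstation trying to send mail directly
    ("out", "192.0.2.55", "198.51.100.20", HTTPS),  # normal browsing, whitelisted
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow))
    print("hosts to check:", denied_smtp_sources(SAMPLE_FLOWS))
```

The explicit deny for outbound SMTP from the rest of the LAN is placed before the default deny so that such attempts get their own named rule; on a real appliance that is the rule you log and alert on, since a workstation opening TCP/25 to the Internet is exactly the symptom described above.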
We have applied for an ISA550 demo unit from our Cisco rep at D&H Canada. Once we receive it we will post our experience with it as well as a configuration guide.
Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book
Find out more at
www.thirdtier.net/enterprise-solutions-for-small-business/
Have you considered giving Sophos UTM a try instead of the Cisco ASA? We've been using them for years. I love them, my techs love them, and our clients love them.
A few tips... Their hardware appliances are the way to go, but you can download a Hyper-V compatible software ISO version from Sophos' FTP server (email/IM/twitter me if you need help finding it); just make sure to give all the NICs (make all 8x of them) static MAC addresses, and know that I've never been able to get VLANs to pass through unless I controlled them from Hyper-V. On the hardware device you can more simply assign multiple 802.1q trunks to a single interface.
Let me know what you think if you give them a try.