Comments on: Should You Install Anti-virus Software on Your ISA Firewall?

by: Mike Hoerner

Wed, 03 Sep 2008 19:46:51 +0000

I have ISA 2004 Server configured in Reverse Proxy Mode (Single NIC). Would your comments above regarding a file-level anti-virus scanner on ISA apply for an ISA Server running as a Reverse Proxy?

by: tshinder

Tue, 06 May 2008 23:23:15 +0000

Hi Paulo,

Not true. You may be thinking of the ISA 2000 networking model. With ISA 2004/2006, internal network users have no more access to the ISA Firewall than external network users. The ISA2004/2006 network model applies stateful packet and application layer inspection on *all* interfaces. So, unless you create a rule that allows internal users and malware access, there’s no reason to install AV software on the ISA Firewall (assuming again, that you do not bring the malware in yourself by using the ISA Firewall as a workstation).

Note that is is NOT true for SBS installations — they broke the ISA networking model to support SBS, so in that case, you would need to use AV/AM software on the SBS machine.

HTH,
Tom

by: paulo.oliveira

Tue, 06 May 2008 21:56:41 +0000

Hi Tom,

this is a very unusual opinion, because even if no one uses ISA as “workstation” (not browsing around, download e-mails…) the people from internal network is in charge to do that and a lot more!
So, ISA is “exposed” to the internal network whose, in my opinion is the most untrusted network. All because of the f… users who download e run viruses, worms…

by: Gary Hawkins

Tue, 11 Mar 2008 13:02:51 +0000

Hi Tom,

Another great informative article but I need a little more info…

We’re running MS ISA 2006 STD both as a web browsing gateway and as a web publisher for internal IIS websites to the external web.

Our outbound web browsing traffic is routed to an MSP and so that traffic does not need AV filtering on-the-box (to reduce user licence costs).

It’s proving difficult to find a product that filters the inbound traffic to published websites and which can also be applied to specific rules/groups.

Are you able to provide any further advice on this?

Regards,
G

by: Neil Scott

Mon, 17 Dec 2007 10:41:59 +0000

I can’t believe this to be the case… if your are running a back-toback firewall then yes I can see that you wouldn’t need it on your front-end ISA servers but what about your CSS server that is on the normal LAN and open to attack?

You are saying never to run Internet Explorer on the servers but every admin does this when they quickly need to check something on the web when they are investigating issues.

by: Tom Shinder

Fri, 09 Jun 2006 14:19:22 +0000

It should be made clear that you SHOULD NOT install a host AV on the ISA firewall. It doesn’t require it if you are a competent ISA firewall admin

by: Joyce

Fri, 09 Jun 2006 07:45:49 +0000

We are living in an internet time where you can not without Anti Virus Software and such. Too bad, but I think it will only get worse by time.

My place for free Anti Virus Software is:
http://www.freespamfilter.nl/uk/anti-virus.htm

They always have the latest and best anti virus available and have good reviews of all available anit virus programs.

Viruses should be stopped and people distributing these viruses should be put in jail. They jeopardize our operating system.

Joyce