Years ago I published a list of dumb ISA firewall tricks, which was a collection of what I considered “ISA firewall worst practices”. Near the top of the list was putting host based AV software on the ISA firewall.

There are number of reasons why putting a host based AV system on the ISA firewall is a dumb idea. Among the most significant are:

• It’s not required when the ISA firewall is configured an used correctly
• If the ISA firewall isn’t configured and used correctly, you’re going to have much more profound problems than those due to not having host-based AV software on the firewall
• You increase your overall software costs with no return on investment
• You degrade the performance of your ISA firewall
• You interfere with normal firewall operations
• It encourages the mindset that the firewall is a server, which leads panoply of problems. The ISA firewall is a firewall, and must not be thought of, operated as, to managed as a “server”

For a little different perspective on this issue, check out Tristan’s post over at:

http://blogs.technet.com/tristank/archive/2009/04/...r.aspx

(by the way, its a “saving” not a “savings”)

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)