SBS2008 – the best response yet to the "Why no ISA or other built in Firewall" question

Yesterday, I was working my way through my SBS Support posts on Mark Minasi’s forum.   I noticed the question that has come up before from other people regarding why Small Business Server 2008 requires an external hardware firewall.

Well, I wanted to quote Jeff Middleton here, as I thought this was the single best response I have seen so far:

I’m not sure how common the knowledge is about “what’s new” regarding SBS 2008 that is inherited from what’s new about the components that SBS 2008 will included. To some extent it makes a little of this topic a moot debate because what’s going on here is not an independent decision by the SBS team.

In the IT Pro Conference 2008 I hosted last month we devoted a fair amount of time to the firewall discussion. It’s was obvious that we have a lot of shift in the product that pivots around the change of feature where SBS 2008 no longer has any option or role as a firewall. This “feature” change is non-trivial for a lot of people, but you have to see the decision process in the light of day rather than as an instinct based upon history.

Windows 2008 no longer includes RRAS…it doesn’t exist. RRAS was the NAT routing engine that SBS used as it’s SBS Standard Edition “firewall”.

ISA 2006 and later is no longer supported from the ISA team (by design) to operate on a Domain Controller. The product is in fact designed to be on a dedicated box on the edge requiring a pair of NICs.

Windows 200x inherited the Windows NT design that disallows you to bind Client for MS Networks on more than on NIC because it causes the Netbios level operations to fail. (This is really old information)

ISA 2004 didn’t even enter an alpha much less beta code condition until after not only RTM, not only SBS Launch, it was later than first ship of SBS 2003. The commitment to include SBS 2003 Premium with what was supposed to be ISA 2003 (until it missed it’s production dates) was a public commitment by the SBS product team when they were unaware of what the design would be. The were going to drop ISA in the SBS 2003 Premium edition except for the combination of feedback from loyal proponents of that feature and the fact that they had been planning their marketing for the final product based upon that feature and it was a lose-lose situation when ISA wasn’t ready to even beta test….so they continued to use ISA 2000 in their design planning. The reality is that they couldn’t build the wizard front end for ISA 2004 because they had nothing to test or ship.

When ISA 2004 finally entered beta and the decision had been made at that point to have ISA 2004 install directly into the Windows Kernel, this redefined the product scope dramatically. NOTHING in the way of applications installs into the Windows Kernel, Microsoft doesn’t allow that sort of option lightly. But it was clear that in order to accomplish the level of operational behavior and security that the ISA product team and Enterprise target market was looking for would require not just protecting the Windows host machine at the application level, it meant redefining the kernel behavior.

At the point you redefine the kernel behavior you have an “application” that can’t be uninstalled easily, and it doesn’t meet the Windows design model for “disabling the application” because the Kernel doesn’t really allow that feature. This means that if you have a problem with your box where ISA is running on it, the only way to figure out if ISA is part of the problem (because it’s changing the behavior or the kernel and all applications) is to uninstall ISA and reboot the machine to load the kernel cleanly.

That means that in order to troubleshoot a server running ISA 2004 or later you may well need to change it’s role from edge server firewall to internal network only, reset the kernel, change the routing stack, and therefore redefine the entire business network because this is the machine that is the gateway for your entire LAN. Given that this machine is also your DC, Exchange Server and potentially a number of other application roles including web-facing access portal, these are non-trivial alterations.

The fact that you have to unload ISA in order to see the applications in the “clean native state” on a “normally configured Windows Server” becomes even more complicated if you are seeking remote assistance from the outside of your LAN on any of these applications or any aspect of your server. That’s because in addressing the “clean” condition for the server/applications you also took the box off of the web and it’s not available for remote logon! Sure you might say that in SBS 2003 if you uninstall ISA 2004 you can fall back onto the dual-NIC with RRAS configuration and still have remote access even if all your LAN workstations can’t use their default proxy configuration with the SBS in this newly revised condition. But with SBS 2008 there’s no RRAS because Windows 2008 has no RRAS therefore there’s no fallback.

By the time you digest all of this you have to now reflect upon the idea that you can buy a pretty good firewall for between $300-1000 these days. Back in the days when SBS 4.0 shipped with Proxy Server it solved a problem when firewall routers cost about $2500-3500 at a minimum and there were no $100 linksys routers as an option. Today you have options for external firewalls that start at $50 and you can choose to add as much investment as you like above that, but the reality is that very few people in the SBS market would use ISA by choice if they had to actually pay for it. Very few people were using it and even paying the premium price to get it in the SBS 2003 Premium edition pricing. Most people bought premium in the SBS 2000 and 2003 period because of the SQL option. They installed ISA because it was included in the bundle, not because they understood anything about how to configure it.

The majority of people installing ISA on SBS did not enable any rules other than defaults, and were baffled when installing ISA 2004 on an SBS 2003 server caused their email and web operations to stop functioning.

I was one of the very few SBS-MVPs prior to the release of SBS 2003 who offered the opinion to drop ISA from the premium package, this despite being a huge proponent of ISA and using it in all my sites. But I could see that running a proxy/ISA condition on the SBS server was making things more complicated and expensive to support than just moving to a standalone firewall…even in circa 2003.

Now that the reality is that the SBS team truly has no way to provide RRAS or ISA on SBS 2008 because it’s not supported as a feature available to them, it’s a bit moot on whether it would be nice to have what you can’t have. But it begs the question of why wouldn’t you just go buy a software firewall to install on your SBS if you really think your SBS server should be on the edge? Turns out that nobody out there really should think this is a sane suggestion at this point.

Microsoft has for the last 3 years shipped every version of Windows (including Windows 2008) with a Windows Firewall application that is actually a better firewall than RRAS. These application/service level firewalls really complicate internal network management for infrastructure boxes. There’s so much going on with an SBS server that adding a firewall on top as an application if it’s not highly integrated and tested really doesn’t make any sense.

So the end result of the “SBS 2008 Firewall” debate comes down to the idea that a highly integrated application server and domain controller like SBS isn’t well suited to an after-market application level firewall. The incorporated Windows OS no longer has a suitable firewall to use with RRAS. Windows Firewall is not up to the task of managing, logging and filtering at the level people may be accustom with an ISA class design.

There’s really no there there.

All of this is debate against using a less expensive, more reliable, easier to manage approach by not integrating the SBS 2008 on the edge as a firewall. It makes a lot more sense for all the right reasons. SBS 4.0 included a firewall/proxy because it cut the cost of that functionality in half
10 years ago. There’s really not a value proposition that makes sense in 2008 for SBS to have a firewall on it now unless you just believe everything should be free and allowed to be installed without regard to the support complications and costs involved. The SBS team made the right decision on this because it was the only decision that makes any sense going forward. Look at the cost of the EBS product (with ISA on an edge server) and compare that to SBS and if you really want that configuration it’s going to be available to you. You either buy your own ISA server, or buy EBS, but it’s not a feature in SBS anymore for good reason.

– Jeff Middleton SBS-MVP”

You can read the entire thread here

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.