Comparing ISA Server and Internet Connection Firewall

Frequently Asked Questions

 



Q. Are ISA Server and Internet Connection Firewall (ICF) direct competitors?

A. No. ISA Server and ICF serve completely different needs. The competitors of ISA Server are enterprise-class firewalls, designed to function at the perimeter of the internal network. The competitors of ICF are other personal firewalls, designed for individual desktop and laptop computers with direct Internet connections.

Q. Can I run ICF behind a LAN that is already protected by ISA Server?

A. Yes; however, some functionality will be lost. Because ICF examines all incoming communications, some programs (especially e-mail programs) may behave differently when ICF is enabled. Affected items include file sharing and notifications from remote services ("new mail" and "print job completion" notifications will not be received). It is up to users to choose whether they want this functionality over the advantage that a defense-in-depth security strategy—a corporate firewall and personal firewall in this case—provides.

Q. How do I know when to use ISA Server or ICF?

A. Use ISA Server to protect the corporate network, and ICF to protect the home user and small businesses (fewer than 5 people). ICF is not required if your network already has a firewall or proxy server—such as ISA Server—but can provide an additional level of protection (see "Q: Can I run ICF behind a LAN that is already protected by ISA Server?"). ICF should definitely be enabled on any computer running Windows XP or Windows Server 2003 that is connected directly to the Internet.

Q. Should I run ICF on the ISA Server computer?

A. Absolutely not. If ICF is enabled on the ISA Server computer, the ISA Server Firewall Service will not start at all. ICF is designed for individual desktop and laptop computers with direct Internet connections (see "Q: How do I know when to use ISA Server or ICF?").

Q. In what scenario do ISA Server and ICF work well together?

A. The best scenario for this is the following: a corporate user enables and configures ICF on the network connection of his or her laptop. The user logs on to the corporate domain, which applies the ICF Group Policy object (GPO) to disable ICF. As long as the user is on the corporate network, the user is protected by the corporate ISA Server computer(s) at the corporate perimeter. Later, the user undocks the laptop and goes home or to a wireless lounge. There the laptop connects directly to the Internet. ICF detects that it is no longer connected to the domain that enforces the policy, so ICF automatically enables itself to provide baseline protection while connected directly to the Internet. When the user returns to the corporate network, ICF detects the domain that enforces the GPO and ICF stops again, letting ISA Server protect the user's computer.

Q. My medium enterprise is deploying Windows XP and Windows Server 2003. I heard that the ICF that is built into these products provides the same protection that major corporations have. Do I even need ISA Server?

A. ICF is not intended for use as a perimeter firewall for businesses. It is designed to provide baseline functionality for home and small businesses (fewer than five people) with little or no network management experience. ISA Server is recommended for small, medium, and large businesses. ISA Server is an ICSA-certified enterprise-class firewall and Web cache. ISA Server gives network administrators exponentially more flexibility and functionality than ICF.
