recommend a firewall/internet access monitor?

jackrussell007

hi folks

I'm hoping you can recommend a suitable replacement for the firewall/internet monitor we are currently using.at the moment we have MS ISA running although we only use a fraction of its capabilities it is was probably over kill at the time anyway. We want to decommission this server now. We have about 50 users onsite of which I want to allow internet access to about 20 of them.

1. I need to be able to control access by user rather than by pc because some of the users will be based out on a production floor
2. I dont want internet users to have to input a password evertime they launch a browser
3. maybe the best(only?) way of achieving this is by integrating with active directory so I can control who has access or not with an internet users group
4. I want it to record and store logs of what users have been browsing and I want to be able to disallow facebook etc
5. I need at least 2 VPN channels

Theres probably one or two other things I've forgotten but thats the most of it anyway. I'd imaging these arent unique requirements. so far most of the recommendations I've gotten were for a sonicwal but any of the models I looked at did not integrate with active directory and so you would have to have your internet users inputting a password when they needed to get online. I'd get the sack if I told our engineers that !

anyway, anyone got any suggestions?
thanks

jackrussell007

Maybe I shouldve posted this in the server forum? Can a mod move this on over there please?

thanks

gerryk

Sounds to me like ISA is probably the best man for the job you have specified. Why do you think it's over-spec'd?
Cisco ASAs do have some AD integration for authentication and ACLs, but I don't know if it will do all you require, and they're not cheap.

jackrussell007

Well to be honest, my main motivator is just that the server its running on is not in great shape. We have a stand alone server running ISA and to me it seems a bit over the top for our requirements. It's using electricity, seat of anti virus, takes up some of my time maintaining it etc.

I inherited this setup and at the moment we're looking at upgrading some other servers so I was going to decommission this one while we were at it in the hope that I could bundle all of the above onto one device. If I cant get something that works in pretty much the same way then I may consider holding onto ISA and just installing it on whatever new server we implement.

gerryk

Another possibility is to replace the firewall with a more 'dedicated' box, like a Soekris running pfSense, and relegate the access control to GP, which is, IMO, where it should be in the first place.

jackrussell007

GP?

gerryk

Sorry... Group Policy.
You could create a Group Policy Object that enforced a http proxy on all members of a particular group. Then join all the people that shouldn't be browsing to that group.
You can also all GPOs to stop certain programs executing, like iexplore.exe, firefox.exe and so on.

jackrussell007

that sounds like a plan actually. it would save a few bob as well, and like you said I could just get a dedicated firewall.
thanks for your suggestion