I work for a company of 100+ people in the UK. We use MS ISA 2004 running SurfControl. We use www.MessageLabs.com for email scanning and web content scanning. The web scanning works by pointing our ISA server to an upstream proxy at MessageLabs. This works well and has minimal administrative overhead but it is rather expensive at about GBP5,000 per year.

There are various web scanning applications out there that sit on the ISA server such as the one from Kaspersky Labs - http://www.kaspersky.com/anti-virus_ms_isa_server. This will work out significantly cheaper than using the MessageLabs web scanner. However, I worry about the performance and reliability of installing both this and SurfControl on my ISA server.

Today I came across Kaspersky's Anti-Virus for Proxy Server which requires Squid - http://www.kaspersky.com/anti-virus_linux_proxy_server. Using this on a Linux box and pointing the ISA server at it as an upstream proxy would appear to get around my concerns about reliability and performance.

Having such a server might also allow me to install MailScanner - www.mailscanner.info - with SpamAssassin and a couple of anti-virus products and use it as a replacement for the MessageLabs mail scanning service. Voila, 2 invoices killed with one server!

I have several questions:

1. Can the Squid server handle being a mail server too? I'd invest in something like an HP DL360 rackmount server with say a 3.x GHz processor, 1 GB RAM and 2 x 70 GB or 140 GB disks in a RAID 10 configuration. We're not heavy mail users.

2. Having thought about the network topology I am seriously considering putting two NICs in the Squid server, one on the DMZ of the ISA server and the other on the Internet using one of our spare public IPs. This would get around what I see as a potential performance issue of the ISA server passing requests for web sites to the Squid server over the DMZ connection and the Squid server then passing the same request to the Internet via the DMZ port of the ISA server. Does this make sense, or am I exaggerating the performance hit on the ISA server and would be better off just putting the Squid server on the DMZ with a single NIC and using rules on the ISA server to allow it access to the Internet etc? Bear in mind the Squid server will be used for SMTP too so I'd need to permit incoming SMTP via the ISA server, etc.

3. How about if I give the Squid server its own high speed ADSL connection? I'd do this to conserve bandwidth on our expensive leased line (bandwidth needed for incoming requests to our web servers). In this scenario, which is a likely change within the next few months, I believe I'd need to put a 2nd NIC in the Squid server and pass all web requests over that 2nd card to the ADSL connection with web page requests from the ISA server going over the DMZ. Does this make sense? Clearly, the Squid server would need to run firewall software or use simple port forwarding on the ADSL router.

4. I could simply leave things as they are. The current system works fine and the company can afford the GBP5k or so per year that we currently pay. By taking web page scanning and mail scanning in-house I get administrative hassle and end up relying on one server rather than utilising the hundreds of servers and human resources that a company like MessageLabs has to draw on.

Thanks for reading this far and I welcome any comments or advice.