[RayPesek]

It's a complementing scenario. We use ISA behind FW-1 for a number of purposes, one of which is end user browsing monitoring and control. We have a number of domain groups set up and we stick people in whatever group most closely meets their needs. It also performs HTTP virus scanning for us. If you're not doing HTTP scanning, there is a lot of rubbish out there that you're letting in the door.

After we added ISA, its caching ability caused our Internet line utilization to drop by a full third, enabling us to defer increasing our capacity for three years. The entire ISA system was paid for in less than a year because of this. We were in the high 90% and up utilization, pre-ISA, and things were getting bad.

Because all web browsing is NAT'ed behind ISA, the number of concurrent connections shown in FW-1 drops through the floor because they all appear to originate from just ISA's external interface IP address. My audit log in FW-1 rarely has more than 500 active connections for a 1,700 employee company with a lot of 100% remote employees.

We also use it for Outlook Web Access publishing because ISA has SSL termination, something that I think is a major omission in FW-1.

HTH,

Ray