Celestix MSA 4200i
Strengths: Snaps in perfectly with Windows networks, easy deployment with wizards galore, in-depth reporting, strong URL filtering and anti-virus scanning
Weaknesses: Email security for Exchange servers only
Verdict: Complete UTM appliance solution with the preloaded Microsoft Forefront TMG 2010 offering an impressive array of security measures
Celestix, available from Wick Hill, specialises in plug-and-play network security solutions with a keen focus on Microsoft. We review its latest MSA appliance, the 4200i, which targets businesses of up to 1,000 users and comes with Microsoft's Forefront Threat Management Gateway 2010 (TMG) preloaded. TMG is the successor to ISA Server 2006 and delivers a wealth of new features.
Building on ISA core functions, it also functions as an inbound and outbound security gateway with IPsec VPNs, forward and reverse web proxies and web caching. Along with support for 64-bit Windows Server 2008, TMG adds a pile of extra security functions.
Some are subscription-based and include AV, URL filtering and email protection. SPI firewalling, IPsec VPNs and HTTPS inspection come as standard and its NIS (network inspection system) scans traffic for specific exploits of Microsoft products.
The 4200i comes with TMG Workgroup Edition, which does not support load balancing.
The MSA 4200i is a compact 1U rack appliance, sporting an Intel Core 2 Duo processor with 4GB of memory. Storage is looked after by two mirrored 160GB SATA hard disks. Network connections are via six Gigabit ports.
Windows Server 2008 R2 Standard is loaded. Deployment was easy, but we recommend initially dropping the app into a network with DHCP services.
If you must use a static IP address for it, you'll need to configure it via the jog dial and LCD display. The dial is employed to power the appliance on and to access a set of menus for providing a LAN IP address and creating an initial firewall rule for remote access.
Point a web browser at it and you'll meet Celestix's very own Comet interface, for remote TMG management. A quick-start wizard offers a simple three-step process, which starts with network settings. We opted to deploy the 4200i as an edge firewall in the lab, integrated into our AD domain.
Next are local settings, followed by deployment, where you enable Microsoft's updates and malware/URL filtering and add licences. Comet is a tidy affair, giving swift access to all TMG functions.
Firewall policies secure internet access and you can securely publish LAN resources. Wizards help get Exchange web access, SharePoint sites and web servers.
Web filtering and AV are activated with a subscription to MS Web Protection Service.
Web filtering rules are added to policies where their destination is the 70 categories to be blocked or allowed. TMG provides a handy URL query tool.
The filters worked extremely well, with hardly any dodgy user browsing activities getting past them. Multiple rules can be set to determine web access, making the MSA very flexible.
Reporting is good, with plenty of options, although it is irritating that you can't generate a report on today's activity until the next day.
Email protection comes courtesy of Microsoft's ForeFront Protection for Exchange, which integrates neatly with TMG. Once Exchange servers and domains have been declared to TMG, you can activate its anti-spam arsenal.
The content filter uses an SCL (spam confidence level) scoring system to decide what to do with dubious inbound messages. There are three actions - delete, reject or quarantine - but you can't just tag a message and let it through. Web content and emails can be checked for viruses, using up to five engines, with Kaspersky, Authentium, Norman, VirusBuster and Microsoft all available.
File attachment filters can be applied to inbound and outbound traffic and message bodies scanned for specific keywords and phrases.
It is worth deploying the TMG client to your users as it offers HTTPS inspection notifications plus security, authentication and enhancements, including access controls where it can supply the TMG server with user/app details for logging and reporting.
With Microsoft behind the scenes, the Celestix MSA 4200i is easy to integrate into Windows networks and AD and offers a swift upgrade path from ISA Server 2006. Various options and subscriptions will increase your outlay, but the appliance does offer a cost-effective UTM solution.
Celestix is available to buy from Wick Hill. For more information visit www.wickhill.co.uk