Unless it’s ISA 2004 on an SBS 2003 Premium or SBS 2003 R2 Premium server. Microsoft has withdrawn support for ISA 2004 or ISA 2006 on a Domain Controller in certain scenarios. http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx#Installation
They have also further clarified that they do not support ISA 2006 to be installed on an SBS 2003 Premium or R2 Premium Server. I’m ok with the later bit as we all knew that anyway. My concern though is that ISA is a damn good security product and in a small business design decisions are always based on cost vs return. It’s often very hard for a business owner to place a cost on the “what if our security was breached” scenario. ISA in my mind when properly configured has always given a good comfort factor. I can’t say that I get that same comfort factor from any of the low end firewall devices on the market. I love the interface to ISA, the way we can easily see the firewall logging of what’s denied and what’s allowed (available on ISA 2004 with SP3 and ISA 2006 with SP1).
The upside of this revision to supported scenarios is that now finally we the IT consultant can point to a Microsoft resource that says “You can’t do that!”, whereas before we could only say “You should not do that”.
I think it’s a shame that MS don’t have a “cheap” Small business sized ISA Firewall appliance now that would really kick butt.
To be clear, ISA on a DC other than SBS never really was supported; it was just never stated so plainly.
This is one of my personal jihad’s – to get the ISA supported scenarios out there in plain English.