Currently we are using an MS ISA Server to secure and publish our internal web services like Exchange OWA, SharePoint and many other services.
MS ISA is able to inspect traffic even if it is SSL encrypted by placing the corresponding SSL certificate on the ISA server.
Now our question is whether any of the SRX products (maybe by using the various filters) would also be able to handle such features like MS ISA does?
The fact is that MS ISA is reaching its end of life soon, and we are looking for good alternative products to replace our MS ISA server. And as our experience with Juniper SRX is very good, we are asking ourselves whether an SRX or maybe any other product from Juniper can handle the main features like secure publishing, inspection of SSL traffic, etc., like an MS ISA server does?
We are thankful for any hints, thoughts or inputs...
Re: SRX240 (650) as a replacement for MS-ISA Server?
I could be wrong, but I believe that SSL inspection is [currently] only supported on the SRX1400 and higher, likely due to the very high processing load it incurs. I would imagine there are also some guidelines on implementation as it's going to carry with it a pretty hefty performance penalty.
There may be other ways to architect your solution that wouldn't require in-line SSL decrypt/inspection in the firewall path. Perhaps you could introduce a load balancer with SSL offload and then pass your traffic through the firewall(s) in clear text on the back end? One of a few different possible solutions.
Your friendly neighborhood Juniper sales team can answer more questions as to SSL inspection supported platforms, performance hits, caveats, etc.