I'm in the process of implementing UT having tired and tested it and read some very favourable things about it. One thing that strikes me is that I would still need protection on the network clients (Windows) and file servers (Windows server).

I've come to the conclusion that my Exchange server (part of SBS2003) does not need the additional burden of spam detection and virus protection as this is adequately catered for by the UT box - or am I taking unnecessary risks there?

I had Trend but found it wasn't that great at dealing with viruses. I'm currently inclined to install Kaspersky on all the clients and NOD32 on the 5 servers. Comments, criticsm, suggestions are all welcome.

So what do *real* UT users use to protect their internal network?

I use it at home without accessible servers, and at work to provide support. Having said that, I would always recommend having anti-virus installed on each workstation at a minimum. Untangle will protect the perimeter, but internal users can always bring in something on a USB drive or CD that can propagate at a frantic pace internally before it ever tries to hit the perimeter. The servers would have protection from inside and outside threats in this manner. Others will likely say to install on the servers as well. When it comes to protection of your infrastructure, I wouldn't take chances.

In our organisation, anti-virus software is installed on all servers and all workstations as standard practise for end-to-end protection.

Yep, I definitely agree with having client side antivirus/antispy for the same reasons you mention. The main reason I would put antivirus on the servers too is due to terminal server sessions and VPN connections as I can't trust users to make sure their home PCs have upt to date antivirus. I know Server 2008 has a good VPN policy management which prevents connections if security isn't installed/up-to-date, but I'm not there yet.

The managed solutions often come with Exchange security and push updates etc but in my experience I have found them to be clunky and generally ineffective. Standalone desktop security which can be scheduled to update at staggered times is far more effective and not as bandwidth heavy as you might think.

Just wondering if UT is good enough to provide the email-borne protection wiithout having a second system installed on the server. (Cost is a bit issue here due to current finance problems around world).