[isalist] Re: Looking for pitfalls

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 10 Oct 2007 09:21:07 -0700

http://www.ISAserver.org
-------------------------------------------------------

See; this is why you needed to let me give my "ISA Auth" presentation at BH...
To clarify:
1. I understand that the original query was about authenticating to ISA, and as 
Tom stated, this falls into two categories: inbound & outbound
    For outbound
     - web proxy auth, ISA is limited to either Windows or RADIUS as the 
credentials authority.
     - FWC auth, ISA can only use Windows (Kerberos; NTLM) auth and can only 
use Windows as the credentials authority
    For inbound web proxy auth, ISA is capable of using Certs, SPNEGO, NTLM, 
BASIC, Digest auth and can use either Windows, LDAP, RADIUS or SecurID as the 
credentials authority
    ISA can delegate credentials upstream in several ways, depending on :
     - inbound or outbound traffic
     - original authentication method
2. if ISA is expected to authenticate web traffic from both domains, then 
either RADIUS or Windows can serve as the credentials authority
3. if ISA is expected to authenticate FWC traffic, then only Windows AD can 
serve as the credentials authority unless you're willing to sync all accounts 
*and passwords* to the ISA local SAM.
4. if ISA is expected to authenticate users from both domains using Windows 
auth, then a domain (or forest) trust *must* exist, since ISA cannot join both 
domains.
5. if there is a trust between the two domains or forests, *this traffic must 
cross ISA boundaries*

Basically, this scenario screams "Trust traffic across ISA boundaries!"

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Wednesday, October 10, 2007 9:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls


Right.  That's what I was on about ;)

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Wednesday, October 10, 2007 8:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls


Only for inbound authentication. For outbound you have to use RADIUS and
RADIUS proxy, as that's only for Web applications.

I don't think the issue here is intradomain communications through the
ISA Firewall -- it's having multiple domain support behind the ISA
Firewall for outbound access control and authentication.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)



> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Wednesday, October 10, 2007 10:40 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
>
> That's not true either; ISA can use LDAP to authenticate
> foreign domain accounts without being a member of either -
> that's exactly why we added LDAP auth.
> It's the cross-ISA domain traffic that makes it nearly impossible.
> IOW, if there exists any form of cross-domain trusted traffic
> that crosses ISA boundaries, you will have problems.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> (Hammer of God)
> Sent: Wednesday, October 10, 2007 8:30 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
>
> Not at all... it is only an "issue" if you need AD-based authentication
> for both domains. If so, then you'll just need to create a trust (one
> way will work just fine). What "cross-trust issues" are you referring
> to?
>
> t
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of JB
> Sent: Wednesday, October 10, 2007 8:07 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
>
> So.... All would agree that having two domains behind ISA 2006
> creates enough complexity (for one who does not enjoy cross-trust
> relationship between domains issues) for it to be impractical?
>
> JB
>
>
> On Oct 8, 2007, at 8:53 AM, Jim Harrison wrote:
>
> > Actually, it's both.
> > Domain traffic across ISA is a great reason to increase your
> > illicit substance use.
> > Have a peek at the RPC-oriented fixes in ISA; nearly all of them
> > have been driven by domain scenarios; some because of RPC protocol
> > changes in the OS.
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Monday, October 08, 2007 8:33 AM
> > To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > That's what I was going to say ;)
> >
> > It's not "multiple domains behind ISA," it's the way you want trust
> > to work within those "multiple domains behind ISA."
> >
> > If you don't have some sort of cross-trust relationship between the
> > domains, only users within the domain that the ISA server is a
> > member of can use rules that require user authentication (including
> > certificates).
> >
> > t
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
> > Sent: Fri 10/5/2007 12:49 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> >
> >
> > the question of cross-ISA domain / forest traffic is gonna make you
> > drink (more).
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, October 05, 2007 11:50 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > Ha! I'll brew a pot on your behalf and I already have the skittles in my
> > desk drawer :)
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx]
> > On Behalf Of JB
> > Sent: Friday, October 05, 2007 1:37 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > Brilliant!!!
> >
> > How do I send you a pot of coffee and bag of skittles? ;-)
> > On Oct 5, 2007, at 11:28 AM, Thomas W Shinder wrote:
> >
> >> Sounds like an excellent scenario for an article! I'll pound it out
> >> this weekend.
> >>
> >> Thanks!
> >>
> >> Tom
> >>
> >> -----Original Message-----
> >> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> >> bounce@xxxxxxxxxxxxx]
> >> On Behalf Of JB
> >> Sent: Friday, October 05, 2007 12:12 PM
> >> To: isalist@xxxxxxxxxxxxx
> >> Subject: [isalist] Looking for pitfalls
> >>
> >> I would like to indulge the minds of ISA List on the pitfalls of
> >> having two separate networks/domains behind one ISA 2006 firewall.
> >>
> >> The main question: How does authentication in ISA 2006 work with two
> >> domains?
> >>
> >> Any thoughts would be greatly appreciated - I should probably
> >> rephrase this ;-)
> >>
> >> Scenario:
> >> Both domains are Windows 2003.
> >> Both domains have Exchange servers publishing OWA etc...
> >> Both domains have users requiring RDP and VPN access. All users except
> >> admins are not allowed into opposing network
> >>
> >>
> >> ------------------------------------------------------
> >> List Archives: //www.freelists.org/archives/isalist/
> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> >> ISA Server Blogs: http://blogs.isaserver.org/
> >> ------------------------------------------------------
> >> Visit TechGenix.com for more information about our other sites:
> >> http://www.techgenix.com
> >> ------------------------------------------------------
> >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> >> Report abuse to listadmin@xxxxxxxxxxxxx