You know, you don't have to have the two domains on different physical networks...

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
Sent: Wednesday, October 10, 2007 9:37 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

Thank you to all participants. As I've read the responses, I have been doing the Hokey Pokey ;-)

As of right now... I am bailing on this scenario. It sounds like a fun challenge for someone other than me.

Thanks again.

JB

On Oct 10, 2007, at 9:28 AM, Thomas W Shinder wrote:

OK, so there are two different domains, each on a different ISA Firewall Network. Therefore, that brings Jim's concerns into play if you want to create a trust between these networks.

So, if you want strong outbound access control with user/group outbound authentication, you'll only have it for one of the domains, and the ISA Firewall will be joined to that domain.

If you want strong authenticated outbound access control for only HTTP/HTTPS/FTP (over Web proxy), then you can use RADIUS Proxy and RADIUS servers. Have fun with that ;) (undocumented, but theoretically it should work)

If you're publishing OWA sites for both domains, that's totally no-brainer easy with LDAP authentication.

The ISA Firewall doesn't pre-auth RDP, so it doesn't matter.

For VPN, you get to learn about RADIUS and RADIUS Proxy and how to make it work with the ISA firewall (undocumented, but theoretically should work).

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
Sent: Wednesday, October 10, 2007 11:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

The domains are separate and do not need to talk to each other. No cross traffic between domains is necessary.

Original question:

Scenario:
Both domains are Windows 2003.
Both domains have Exchange servers publishing OWA etc...
Both domains have users requiring RDP and VPN access.
All users except admins are not allowed into the opposing network.

<New-Network.jpg>

On Oct 10, 2007, at 8:58 AM, Thor (Hammer of God) wrote:

http://www.ISAserver.org
-------------------------------------------------------

Wait - you mean if the ISA is not a member of any domain, that you can create LDAP Authentication Server sets to authenticate to a "foreign" domain? Doesn't that mean credentials will be passed in the clear in that case?? And we're not talking about cross-domain traffic "crossing ISA boundaries" - this is just two different domains behind ISA.

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, October 10, 2007 8:40 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

That's not true either; ISA can use LDAP to authenticate foreign domain accounts without being a member of either - that's exactly why we added LDAP auth. It's the cross-ISA domain traffic that makes it nearly impossible. IOW, if there exists any form of cross-domain trusted traffic that crosses ISA boundaries, you will have problems.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Wednesday, October 10, 2007 8:30 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

Not at all... it is only an "issue" if you need AD-based authentication for both domains. If so, then you'll just need to create a trust (one way will work just fine). What "cross-trust issues" are you referring to?

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
Sent: Wednesday, October 10, 2007 8:07 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

So.... All would agree that having two domains behind ISA 2006 creates enough complexity (for one who does not enjoy cross-trust-relationship-between-domains issues) for it to be impractical?

JB

On Oct 8, 2007, at 8:53 AM, Jim Harrison wrote:

Actually, it's both. Domain traffic across ISA is a great reason to increase your illicit substance use. Have a peek at the RPC-oriented fixes in ISA; nearly all of them have been driven by domain scenarios, some because of RPC protocol changes in the OS.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Monday, October 08, 2007 8:33 AM
To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

That's what I was going to say ;) It's not "multiple domains behind ISA," it's the way you want trust to work within those "multiple domains behind ISA." If you don't have some sort of cross-trust relationship between the domains, only users within the domain that the ISA server is a member of can use rules that require user authentication (including certificates).

t

________________________________
From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Fri 10/5/2007 12:49 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

The question of cross-ISA domain / forest traffic is gonna make you drink (more).

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, October 05, 2007 11:50 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

Ha! I'll brew a pot on your behalf and I already have the skittles in my desk drawer :)

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
Sent: Friday, October 05, 2007 1:37 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

Brilliant!!! How do I send you a pot of coffee and a bag of skittles? ;-)

On Oct 5, 2007, at 11:28 AM, Thomas W Shinder wrote:

Sounds like an excellent scenario for an article! I'll pound it out this weekend.

Thanks!
Tom

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
Sent: Friday, October 05, 2007 12:12 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Looking for pitfalls

I would like to indulge the minds of ISA List on the pitfalls of having two separate networks/domains behind one ISA 2006 firewall.

The main question: How does authentication in ISA 2006 work with two domains?

Any thoughts would be greatly appreciated - I should probably rephrase this ;-)

Scenario:
Both domains are Windows 2003.
Both domains have Exchange servers publishing OWA etc...
Both domains have users requiring RDP and VPN access.
All users except admins are not allowed into the opposing network.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
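Thor's question about whether LDAP authentication of "foreign" domain accounts passes credentials in the clear is left open in the thread. The following is an added example, not code from the list or from the ISA product, that answers it at the protocol level: it encodes an LDAP v3 BindRequest in BER exactly as RFC 4511 lays it out and shows that, for the "simple" authentication choice, the bind password travels verbatim in the PDU. Whatever the LDAP client is (here, a firewall authenticating users against a domain it is not a member of), the mitigation is to bind over TLS (LDAPS on 636 or STARTTLS on 389), which is what the small audit helper at the end checks for. The distinguished name, password and captured-port pairs are constructed sample values; `audit_binds` is a hypothetical detection helper, not a real tool.

```python
# Added example: LDAP simple bind in BER (RFC 4511) and a cleartext-bind audit.
# Not from the mailing-list thread or from ISA Server; sample values are constructed.

SEQUENCE = 0x30        # universal SEQUENCE, constructed
INTEGER = 0x02
OCTET_STRING = 0x04
BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80     # authentication CHOICE: simple [0] OCTET STRING
AUTH_SASL = 0xA3       # authentication CHOICE: sasl   [3] SEQUENCE
LDAP_PORT = 389        # cleartext unless STARTTLS is negotiated first
LDAPS_PORT = 636       # TLS from the first byte; a capture here never parses as BER


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(INTEGER, body)


def ldap_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = tlv(BIND_REQUEST, ber_int(3)
               + tlv(OCTET_STRING, dn.encode("utf-8"))
               + tlv(AUTH_SIMPLE, password.encode("utf-8")))   # password as-is
    return tlv(SEQUENCE, ber_int(message_id) + bind)


def ldap_sasl_bind(message_id: int, dn: str, mechanism: str) -> bytes:
    """Same envelope with the SASL choice; no credentials field, so nothing to leak."""
    sasl = tlv(AUTH_SASL, tlv(OCTET_STRING, mechanism.encode("utf-8")))
    bind = tlv(BIND_REQUEST, ber_int(3) + tlv(OCTET_STRING, dn.encode("utf-8")) + sasl)
    return tlv(SEQUENCE, ber_int(message_id) + bind)


def parse_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                              # long-form length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def children(payload: bytes):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = parse_tlv(payload, pos)
        out.append((tag, val))
    return out


def find_cleartext_password(pdu: bytes):
    """Return the password if pdu is a simple BindRequest, else None."""
    try:
        tag, msg, _ = parse_tlv(pdu)
        if tag != SEQUENCE:
            return None
        ops = children(msg)                       # messageID, protocolOp
        if len(ops) < 2 or ops[1][0] != BIND_REQUEST:
            return None
        fields = children(ops[1][1])              # version, name, authentication
        if len(fields) < 3 or fields[2][0] != AUTH_SIMPLE:
            return None
        return fields[2][1].decode("utf-8", "replace")
    except ValueError:
        return None


def audit_binds(captures):
    """captures: iterable of (dst_port, payload). Flags simple binds on the
    cleartext port; a bind sent after STARTTLS or on 636 is TLS and never parses."""
    findings = []
    for port, payload in captures:
        pw = find_cleartext_password(payload)
        if pw is not None and port == LDAP_PORT:
            findings.append(f"simple bind on port {port}: {len(pw)}-char password in the clear")
    return findings
```

Running `audit_binds([(389, ldap_simple_bind(1, "CN=svc-isa,OU=Service,DC=corp,DC=example", "S3cret!"))])` reports the bind, and `b"S3cret!" in pdu` is True for that PDU: the bind password is an ordinary OCTET STRING inside the request, so on 389 without STARTTLS anyone on the path between the firewall and the domain controller reads it. The same PDU inside a TLS session is the fix, which also means the DC needs a server certificate the firewall trusts.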