[isalist] Re: Looking for pitfalls

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 10 Oct 2007 10:16:38 -0700

http://www.ISAserver.org
-------------------------------------------------------

According to the original description, they're not.
ISA physically separates the two networks.
If the customer is willing to redesign this so that ISA isn't required to 
communicate between the domains, then the cross-ISA issue is effectively 
resolved.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Wednesday, October 10, 2007 9:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls


If the 2 domains are on the same segment (as far as ISA is concerned,
anyway), how is the domain trust "cross-ISA boundary traffic"?

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, October 10, 2007 9:48 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls


Don't bail; take the challenge and drink happily from the firehose that
surely awaits!
Just make sure that these folks understand that their chosen deployment
is not nearly as simple as they believe and to quote "eye-gor", "of
course, the rates have gone up" (three anti-social points for that
quote).

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of JB
Sent: Wednesday, October 10, 2007 9:37 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

Thank you to all participants.

As I've read the responses, I have been doing the Hokey Pokey ;-)

As of right now...I am bailing on this scenario. It sounds like a fun
challenge for someone other than me.

Thanks again.

JB

On Oct 10, 2007, at 9:28 AM, Thomas W Shinder wrote:


OK, so there are two different domains, each on a different ISA Firewall Network. Therefore, that brings Jim's concerns into play if you want to create a trust between these networks.

So, if you want strong outbound access control with user/group outbound authentication, you'll only have it for one of the domains, and the ISA Firewall will be joined to that domain.

If you want strong authenticated outbound access control for only HTTP/HTTPS/FTP (over Web proxy), then you can use RADIUS Proxy and RADIUS servers. Have fun with that ;) (undocumented, but theoretically it should work)

If you're publishing OWA sites for both domains, that's a total no-brainer with LDAP authentication.

The ISA Firewall doesn't pre-auth RDP, so it doesn't matter.

For VPN, you get to learn about RADIUS and RADIUS Proxy and how to make it work with the ISA firewall (undocumented, but theoretically it should work)

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)




________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
Sent: Wednesday, October 10, 2007 11:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

The Domains are separate and do not need to talk to each other.

No cross traffic between domains is necessary.

Original question:

Scenario:
Both domains are Windows 2003.
Both domains have Exchange servers publishing OWA etc...
Both domains have users requiring RDP and VPN access
All users except admins are not allowed into opposing network

<New-Network.jpg>

On Oct 10, 2007, at 8:58 AM, Thor (Hammer of God) wrote:



Wait- you mean if the ISA is not a member of any domain, that you can create LDAP Authentication Server sets to authenticate to a "foreign" domain? Doesn't that mean credentials will be passed in the clear in that case??

And we're not talking about cross-domain traffic "crossing ISA boundaries" - this is just two different domains behind ISA.

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, October 10, 2007 8:40 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls


That's not true either; ISA can use LDAP to authenticate foreign domain accounts without being a member of either - that's exactly why we added LDAP auth.
It's the cross-ISA domain traffic that makes it nearly impossible.
IOW, if there exists any form of cross-domain trusted traffic that crosses ISA boundaries, you will have problems.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Wednesday, October 10, 2007 8:30 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls


Not at all... it is only an "issue" if you need AD-based authentication for both domains. If so, then you'll just need to create a trust (one way will work just fine). What "cross-trust issues" are you referring to?

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
Sent: Wednesday, October 10, 2007 8:07 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls


So.... All would agree that having two domains behind ISA 2006 creates enough complexity (for one who does not enjoy cross-trust relationship between domains issues) for it to be impractical?

JB


On Oct 8, 2007, at 8:53 AM, Jim Harrison wrote:



Actually, it's both.
Domain traffic across ISA is a great reason to increase your illicit substance use.
Have a peek at the RPC-oriented fixes in ISA; nearly all of them have been driven by domain scenarios; some because of RPC protocol changes in the OS.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Monday, October 08, 2007 8:33 AM
To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

That's what I was going to say ;)

It's not "multiple domains behind ISA," it's the way you want trust to work within those "multiple domains behind ISA."

If you don't have some sort of cross-trust relationship between the domains, only users within the domain that the ISA server is a member of can use rules that require user authentication (including certificates).

t

                                ________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Fri 10/5/2007 12:49 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls




the question of cross-ISA domain / forest traffic is gonna make you drink (more).

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, October 05, 2007 11:50 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls


Ha! I'll brew a pot on your behalf and I already have the skittles in my desk drawer :)

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
Sent: Friday, October 05, 2007 1:37 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls


Brilliant!!!

How do I send you a pot of coffee and bag of skittles? ;-)

On Oct 5, 2007, at 11:28 AM, Thomas W Shinder wrote:



Sounds like an excellent scenario for an article! I'll pound it out this weekend.

Thanks!

Tom

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
Sent: Friday, October 05, 2007 12:12 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Looking for pitfalls

I would like to indulge the minds of ISA List on the pitfalls of having two separate networks/domains behind one ISA 2006 firewall.

The main question: How does authentication in ISA 2006 work with two domains?

Any thoughts would be greatly appreciated - I should probably rephrase this ;-)

Scenario:
Both domains are Windows 2003.
Both domains have Exchange servers publishing OWA etc...
Both domains have users requiring RDP and VPN access
All users except admins are not allowed into opposing network


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx




