[isalist] Re: Looking for pitfalls

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 10 Oct 2007 09:25:53 -0700

http://www.ISAserver.org
-------------------------------------------------------

That is cool.  I didn't know that.  Thanks!
t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Wednesday, October 10, 2007 9:17 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

Yes, but you can use LDAPS to authenticate to any Active Directory DC in
any domain, even when the ISA Firewall isn't a domain member itself.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Wednesday, October 10, 2007 10:58 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
> 
> Wait- you mean if the ISA is not a member of any domain, that you can
> create LDAP Authentication Server sets to authenticate to a "foreign"
> domain?  Doesn't that mean credentials will be passed in the clear in
> that case??
> 
> And we're not talking about cross-domain traffic "crossing ISA
> boundaries" - this is just two different domains behind ISA.
> 
> t
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Wednesday, October 10, 2007 8:40 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
> 
> That's not true either; ISA can use LDAP to authenticate foreign domain
> accounts without being a member of either - that's exactly why we added
> LDAP auth.
> It's the cross-ISA domain traffic that makes it nearly impossible.
> IOW, if there exists any form of cross-domain trusted traffic that
> crosses ISA boundaries, you will have problems.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, October 10, 2007 8:30 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
> 
> Not at all... it is only an "issue" if you need AD-based authentication
> for both domains. If so, then you'll just need to create a trust (one
> way will work just fine). What "cross-trust issues" are you referring
> to?
> 
> t
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of JB
> Sent: Wednesday, October 10, 2007 8:07 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
> 
> So.... All would agree that having two domains behind ISA 2006
> creates enough complexity (for one who does not enjoy cross-trust
> relationship between domains issues) for it to be impractical?
> 
> JB
> 
> 
> On Oct 8, 2007, at 8:53 AM, Jim Harrison wrote:
> 
> > Actually, it's both.
> > Domain traffic across ISA is a great reason to increase your
> > illicit substance use.
> > Have a peek at the RPC-oriented fixes in ISA; nearly all of them
> > have been driven by domain scenarios; some because of RPC protocol
> > changes in the OS.
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Monday, October 08, 2007 8:33 AM
> > To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > That's what I was going to say ;)
> >
> > It's not "multiple domains behind ISA," it's the way you want trust
> > to work within those "multiple domains behind ISA."
> >
> > If you don't have some sort of cross-trust relationship between the
> > domains, only users within the domain that the ISA server is a
> > member of can use rules that require user authentication (including
> > certificates).
> >
> > t
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
> > Sent: Fri 10/5/2007 12:49 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > the question of cross-ISA domain / forest traffic is gonna make you
> > drink (more).
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, October 05, 2007 11:50 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > Ha! I'll brew a pot on your behalf and I already have the skittles in my
> > desk drawer :)
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx]
> > On Behalf Of JB
> > Sent: Friday, October 05, 2007 1:37 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > Brilliant!!!
> >
> > How do I send you a pot of coffee and bag of skittles? ;-)
> > On Oct 5, 2007, at 11:28 AM, Thomas W Shinder wrote:
> >
> >> Sounds like an excellent scenario for an article! I'll pound it out this
> >> weekend.
> >>
> >> Thanks!
> >>
> >> Tom
> >>
> >> -----Original Message-----
> >> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> >> bounce@xxxxxxxxxxxxx]
> >> On Behalf Of JB
> >> Sent: Friday, October 05, 2007 12:12 PM
> >> To: isalist@xxxxxxxxxxxxx
> >> Subject: [isalist] Looking for pitfalls
> >>
> >> I would like to indulge the minds of ISA List on the pitfalls of having
> >> two separate networks/domains behind one ISA 2006 firewall.
> >>
> >> The main question: How does authentication in ISA 2006 work with two
> >> domains?
> >>
> >> Any thoughts would be greatly appreciated - I should probably rephrase
> >> this ;-)
> >>
> >> Scenario:
> >> Both domains are Windows 2003.
> >> Both domains have Exchange servers publishing OWA etc...
> >> Both domains have users requiring RDP and VPN access
> >> All users except admins are not allowed into opposing network
> >>
> >>
> >> ------------------------------------------------------
> >> List Archives: //www.freelists.org/archives/isalist/
> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> >> ISA Server Blogs: http://blogs.isaserver.org/
> >> ------------------------------------------------------
> >> Visit TechGenix.com for more information about our other sites:
> >> http://www.techgenix.com <http://www.techgenix.com/>
> >> ------------------------------------------------------
> >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> >> Report abuse to listadmin@xxxxxxxxxxxxx