http://www.ISAserver.org
-------------------------------------------------------

But that won't work with our Client (user) Certificate Authentication scheme because of the Kerberos requirement, right? Or have we not tried it?

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Wednesday, October 10, 2007 9:17 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

Yes, but you can use LDAPS to authenticate to any Active Directory DC in any domain, even when the ISA Firewall isn't a domain member itself.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, October 10, 2007 10:58 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
>
> Wait- you mean if the ISA is not a member of any domain, that you can create LDAP Authentication Server sets to authenticate to a "foreign" domain? Doesn't that mean credentials will be passed in the clear in that case??
>
> And we're not talking about cross-domain traffic "crossing ISA boundaries" - this is just two different domains behind ISA.
>
> t
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Wednesday, October 10, 2007 8:40 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
>
> That's not true either; ISA can use LDAP to authenticate foreign domain accounts without being a member of either - that's exactly why we added LDAP auth.
> It's the cross-ISA domain traffic that makes it nearly impossible.
> IOW, if there exists any form of cross-domain trusted traffic that crosses ISA boundaries, you will have problems.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, October 10, 2007 8:30 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
>
> Not at all... it is only an "issue" if you need AD-based authentication for both domains. If so, then you'll just need to create a trust (one way will work just fine). What "cross-trust issues" are you referring to?
>
> t
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
> Sent: Wednesday, October 10, 2007 8:07 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
>
> So.... All would agree that having two domains behind ISA 2006 creates enough complexity (for one who does not enjoy cross-trust relationship between domains issues) for it to be impractical?
>
> JB
>
> On Oct 8, 2007, at 8:53 AM, Jim Harrison wrote:
>
> > Actually, it's both.
> > Domain traffic across ISA is a great reason to increase your illicit substance use.
> > Have a peek at the RPC-oriented fixes in ISA; nearly all of them have been driven by domain scenarios; some because of RPC protocol changes in the OS.
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Monday, October 08, 2007 8:33 AM
> > To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > That's what I was going to say ;)
> >
> > It's not "multiple domains behind ISA," it's the way you want trust to work within those "multiple domains behind ISA."
> >
> > If you don't have some sort of cross-trust relationship between the domains, only users within the domain that the ISA server is a member of can use rules that require user authentication (including certificates).
> >
> > t
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
> > Sent: Fri 10/5/2007 12:49 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > the question of cross-ISA domain / forest traffic is gonna make you drink (more).
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, October 05, 2007 11:50 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > Ha!
> > I'll brew a pot on your behalf and I already have the skittles in my desk drawer :)
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
> > Sent: Friday, October 05, 2007 1:37 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > Brilliant!!!
> >
> > How do I send you a pot of coffee and bag of skittles? ;-)
> >
> > On Oct 5, 2007, at 11:28 AM, Thomas W Shinder wrote:
> >
> >> Sounds like an excellent scenario for an article! I'll pound it out this weekend.
> >>
> >> Thanks!
> >>
> >> Tom
> >>
> >> -----Original Message-----
> >> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
> >> Sent: Friday, October 05, 2007 12:12 PM
> >> To: isalist@xxxxxxxxxxxxx
> >> Subject: [isalist] Looking for pitfalls
> >>
> >> I would like to indulge the minds of ISA List on the pitfalls of having two separate networks/domains behind one ISA 2006 firewall.
> >>
> >> The main question: How does authentication in ISA 2006 work with two domains?
> >>
> >> Any thoughts would be greatly appreciated - I should probably rephrase this ;-)
> >>
> >> Scenario:
> >> Both domains are Windows 2003.
> >> Both domains have Exchange servers publishing OWA etc...
> >> Both domains have users requiring RDP and VPN access
> >> All users except admins are not allowed into opposing network
> >>
> >> ------------------------------------------------------
> >> List Archives: //www.freelists.org/archives/isalist/
> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> >> ISA Server Blogs: http://blogs.isaserver.org/
> >> ------------------------------------------------------
> >> Visit TechGenix.com for more information about our other sites:
> >> http://www.techgenix.com
> >> ------------------------------------------------------
> >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> >> Report abuse to listadmin@xxxxxxxxxxxxx
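The question raised in the thread, whether credentials cross the wire in the clear when the firewall authenticates over LDAP rather than LDAPS, comes down to how an LDAP simple bind is encoded. The following is an added example, not code from any list participant: assuming a simple bind, it builds a constructed LDAPv3 BindRequest and reports what an observer on the path can read with and without TLS. The DN, password and function names are assumptions made for illustration.

```python
# BER tags used by an LDAPv3 BindRequest (RFC 4511)
SEQ, INT, OCTETS, BIND_REQ, AUTH_SIMPLE, AUTH_SASL = 0x30, 0x02, 0x04, 0x60, 0x80, 0xA3

def enc(tag, value):
    """Encode one definite-length BER TLV."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

def dec(buf, pos=0):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    op = enc(INT, b"\x03") + enc(OCTETS, dn.encode()) + enc(AUTH_SIMPLE, password.encode())
    return enc(SEQ, enc(INT, bytes([msg_id])) + enc(BIND_REQ, op))

def inspect_bind(pdu, tls):
    """Report what a network observer learns from this bind."""
    tag, msg, _ = dec(pdu)
    if tag != SEQ:
        raise ValueError("not an LDAPMessage")
    _, _, p = dec(msg)                     # skip messageID
    tag, op, _ = dec(msg, p)
    if tag != BIND_REQ:
        raise ValueError("not a BindRequest")
    _, _, p = dec(op)                      # skip version
    _, name, p = dec(op, p)
    tag, cred, _ = dec(op, p)
    simple = tag == AUTH_SIMPLE
    return {"dn": name.decode(), "auth": "simple" if simple else "sasl",
            "password_len": len(cred) if simple else None,
            "cleartext_on_wire": simple and not tls}

# Constructed sample values (not from the thread)
PDU = build_simple_bind(1, "CN=isa-svc,DC=domainb,DC=example", "Constructed-Pw1")
```

The password octets appear verbatim inside `PDU`; only the TLS layer that LDAPS provides keeps them from an observer between the firewall and the domain controller.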