[isalist] Re: Looking for pitfalls

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 10 Oct 2007 09:35:11 -0700

http://www.ISAserver.org
-------------------------------------------------------

"Both domains have users requiring RDP and VPN access. All users except admins are not allowed into opposing net"
How is ISA to identify users without authenticating?
Basically, this requirement imposes the following configuration:
1. RDP traffic across ISA must be authenticated
2. in order to authenticate RDP traffic, it can only be handled by the FWC
3. in order to authenticate FWC traffic for a domain user, ISA must be a member of that domain
4. in order to authenticate a foreign domain user, the domain in which ISA participates must trust the foreign domain

How is a domain trust not required here?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
Sent: Wednesday, October 10, 2007 9:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Looking for pitfalls

The Domains are separate and do not need to talk to each other.

No cross traffic between domains is necessary.

Original question:


Scenario:
Both domains are Windows 2003.
Both domains have Exchange servers publishing OWA etc...
Both domains have users requiring RDP and VPN access. All users except admins are not allowed into opposing network

On Oct 10, 2007, at 8:58 AM, Thor (Hammer of God) wrote:

        Wait- you mean if the ISA is not a member of any domain, that you can
        create LDAP Authentication Server sets to authenticate to a "foreign"
        domain?  Doesn't that mean credentials will be passed in the clear in
        that case??

        And we're not talking about cross-domain traffic "crossing ISA
        boundaries" - this is just two different domains behind ISA.

        t

        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Wednesday, October 10, 2007 8:40 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Looking for pitfalls

        That's not true either; ISA can use LDAP to authenticate foreign domain
        accounts without being a member of either - that's exactly why we added
        LDAP auth.
        It's the cross-ISA domain traffic that makes it nearly impossible.
        IOW, if there exists any form of cross-domain trusted traffic that
        crosses ISA boundaries, you will have problems.

        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Wednesday, October 10, 2007 8:30 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Looking for pitfalls

        Not at all... it is only an "issue" if you need AD-based authentication
        for both domains. If so, then you'll just need to create a trust (one
        way will work just fine). What "cross-trust issues" are you referring
        to?

        t

        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
        Sent: Wednesday, October 10, 2007 8:07 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Looking for pitfalls

        So.... All would agree that having two domains behind ISA 2006
        creates enough complexity (for one who does not enjoy cross-trust
        relationship between domains issues) for it to be impractical?

        JB


        On Oct 8, 2007, at 8:53 AM, Jim Harrison wrote:

                Actually, it's both.
                Domain traffic across ISA is a great reason to increase your illicit substance use.
                Have a peek at the RPC-oriented fixes in ISA; nearly all of them have been driven by domain scenarios; some because of RPC protocol changes in the OS.

                -----Original Message-----
                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                Sent: Monday, October 08, 2007 8:33 AM
                To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Looking for pitfalls

                That's what I was going to say ;)

                It's not "multiple domains behind ISA," it's the way you want trust to work within those "multiple domains behind ISA."

                If you don't have some sort of cross-trust relationship between the domains, only users within the domain that the ISA server is a member of can use rules that require user authentication (including certificates).

                t

                ________________________________

                From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
                Sent: Fri 10/5/2007 12:49 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Looking for pitfalls

                the question of cross-ISA domain / forest traffic is gonna make you drink (more).

                -----Original Message-----
                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                Sent: Friday, October 05, 2007 11:50 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Looking for pitfalls

                Ha! I'll brew a pot on your behalf and I already have the skittles in my desk drawer :)

                -----Original Message-----
                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
                Sent: Friday, October 05, 2007 1:37 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Looking for pitfalls

                Brilliant!!!

                How do I send you a pot of coffee and bag of skittles? ;-)
                On Oct 5, 2007, at 11:28 AM, Thomas W Shinder wrote:

                        Sounds like an excellent scenario for an article! I'll pound it out this weekend.

                        Thanks!

                        Tom

                        -----Original Message-----
                        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
                        Sent: Friday, October 05, 2007 12:12 PM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Looking for pitfalls

                        I would like to indulge the minds of ISA List on the pitfalls of having two separate networks/domains behind one ISA 2006 firewall.

                        The main question: How does authentication in ISA 2006 work with two domains?

                        Any thoughts would be greatly appreciated - I should probably rephrase this ;-)

                        Scenario:
                        Both domains are Windows 2003.
                        Both domains have Exchange servers publishing OWA etc...
                        Both domains have users requiring RDP and VPN access. All users except admins are not allowed into opposing network


                        ------------------------------------------------------
                        List Archives: //www.freelists.org/archives/isalist/
                        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
                        ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
                        ISA Server Blogs: http://blogs.isaserver.org/
                        ------------------------------------------------------
                        Visit TechGenix.com for more information about our other sites:
                        http://www.techgenix.com
                        ------------------------------------------------------
                        To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
                        Report abuse to listadmin@xxxxxxxxxxxxx