[isalist] Re: Looking for pitfalls

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 10 Oct 2007 11:36:38 -0500

http://www.ISAserver.org
-------------------------------------------------------

That's right. User (client) Certificate authentication requires that the
ISA Firewall be a domain member.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, October 10, 2007 11:27 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
> 
>   
> But that won't work with our Client (user) Certificate Authentication
> scheme because of the Kerberos requirement, right?  Or have we not tried
> it?
> 
> t
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Wednesday, October 10, 2007 9:17 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
> 
>   
> Yes, but you can use LDAPS to authenticate to any Active Directory DC in
> any domain, even when the ISA Firewall isn't a domain member itself.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Wednesday, October 10, 2007 10:58 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> > 
> >   
> > Wait - you mean if the ISA is not a member of any domain, that you can
> > create LDAP Authentication Server sets to authenticate to a "foreign"
> > domain?  Doesn't that mean credentials will be passed in the clear in
> > that case??
> > 
> > And we're not talking about cross-domain traffic "crossing ISA
> > boundaries" - this is just two different domains behind ISA.
> > 
> > t
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Wednesday, October 10, 2007 8:40 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> > 
> >   
> > That's not true either; ISA can use LDAP to authenticate foreign domain
> > accounts without being a member of either - that's exactly why we added
> > LDAP auth.
> > It's the cross-ISA domain traffic that makes it nearly impossible.
> > IOW, if there exists any form of cross-domain trusted traffic that
> > crosses ISA boundaries, you will have problems.
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thor (Hammer of God)
> > Sent: Wednesday, October 10, 2007 8:30 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> > 
> > 
> > Not at all... it is only an "issue" if you need AD-based authentication
> > for both domains. If so, then you'll just need to create a trust (one
> > way will work just fine). What "cross-trust issues" are you referring
> > to?
> > 
> > t
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of JB
> > Sent: Wednesday, October 10, 2007 8:07 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> > 
> > 
> > So.... All would agree that having two domains behind ISA 2006
> > creates enough complexity (for one who does not enjoy cross-trust
> > relationship between domains issues) for it to be impractical?
> > 
> > JB
> > 
> > 
> > On Oct 8, 2007, at 8:53 AM, Jim Harrison wrote:
> > 
> > >
> > > Actually, it's both.
> > > Domain traffic across ISA is a great reason to increase your
> > > illicit substance use.
> > > Have a peek at the RPC-oriented fixes in ISA; nearly all of them
> > > have been driven by domain scenarios; some because of RPC protocol
> > > changes in the OS.
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: Monday, October 08, 2007 8:33 AM
> > > To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Looking for pitfalls
> > >
> > > That's what I was going to say ;)
> > >
> > > It's not "multiple domains behind ISA," it's the way you want trust
> > > to work within those "multiple domains behind ISA."
> > >
> > > If you don't have some sort of cross-trust relationship between the
> > > domains, only users within the domain that the ISA server is a
> > > member of can use rules that require user authentication (including
> > > certificates).
> > >
> > > t
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
> > > Sent: Fri 10/5/2007 12:49 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Looking for pitfalls
> > >
> > >
> > > the question of cross-ISA domain / forest traffic is gonna make you
> > > drink (more).
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Friday, October 05, 2007 11:50 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Looking for pitfalls
> > >
> > >
> > > Ha! I'll brew a pot on your behalf and I already have the skittles
> > > in my
> > > desk drawer :)
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of JB
> > > Sent: Friday, October 05, 2007 1:37 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Looking for pitfalls
> > >
> > >
> > > Brilliant!!!
> > >
> > > How do I send you a pot of coffee and bag of skittles? ;-)
> > > On Oct 5, 2007, at 11:28 AM, Thomas W Shinder wrote:
> > >
> > >>
> > >> Sounds like an excellent scenario for an article! I'll pound it out
> > >> this weekend.
> > >>
> > >> Thanks!
> > >>
> > >> Tom
> > >>
> > >> -----Original Message-----
> > >> From: isalist-bounce@xxxxxxxxxxxxx
> > >> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > >> On Behalf Of JB
> > >> Sent: Friday, October 05, 2007 12:12 PM
> > >> To: isalist@xxxxxxxxxxxxx
> > >> Subject: [isalist] Looking for pitfalls
> > >>
> > >> I would like to indulge the minds of ISA List on the pitfalls of
> > >> having
> > >> two separate networks/domains behind one ISA 2006 firewall.
> > >>
> > >> The main question: How does authentication in ISA 2006 work with two
> > >> domains?
> > >>
> > >> Any thoughts would be greatly appreciated - I should probably
> > >> rephrase
> > >> this ;-)
> > >>
> > >> Scenario:
> > >> Both domains are Windows 2003.
> > >> Both domains have Exchange servers publishing OWA etc...
> > >> Both domains have users requiring RDP and VPN access. All users except
> > >> admins are not allowed into the opposing network.
> > >>
> > >>
> > >> ------------------------------------------------------
> > >> List Archives: //www.freelists.org/archives/isalist/
> > >> ISA Server Newsletter: 
> > http://www.isaserver.org/pages/newsletter.asp
> > >> ISA Server Articles and Tutorials: http://www.isaserver.org/
> > >> articles_tutorials/
> > >> ISA Server Blogs: http://blogs.isaserver.org/
> > >> ------------------------------------------------------
> > >> Visit TechGenix.com for more information about our other sites:
> > >> http://www.techgenix.com <http://www.techgenix.com/>
> > >> ------------------------------------------------------
> > >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > >> Report abuse to listadmin@xxxxxxxxxxxxx
> > >>
> > >>
> > >