http://www.ISAserver.org
-------------------------------------------------------

That's right. User (client) Certificate authentication requires that the ISA Firewall be a domain member.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, October 10, 2007 11:27 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
>
> But that won't work with our Client (user) Certificate Authentication
> scheme because of the kerberos requirement, right? Or have we not tried it?
>
> t
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, October 10, 2007 9:17 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Looking for pitfalls
>
> Yes, but you can use LDAPS to authenticate to any Active Directory DC in
> any domain, even when the ISA Firewall isn't a domain member itself.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Wednesday, October 10, 2007 10:58 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > Wait- you mean if the ISA is not a member of any domain, that you can
> > create LDAP Authentication Server sets to authenticate to a "foreign"
> > domain? Doesn't that mean credentials will be passed in the clear in
> > that case??
> >
> > And we're not talking about cross-domain traffic "crossing ISA
> > boundaries" - this is just two different domains behind ISA.
> >
> > t
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Wednesday, October 10, 2007 8:40 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > That's not true either; ISA can use LDAP to authenticate foreign domain
> > accounts without being a member of either - that's exactly why we added
> > LDAP auth.
> > It's the cross-ISA domain traffic that makes it nearly impossible.
> > IOW, if there exists any form of cross-domain trusted traffic that
> > crosses ISA boundaries, you will have problems.
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Wednesday, October 10, 2007 8:30 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > Not at all... it is only an "issue" if you need AD-based authentication
> > for both domains. If so, then you'll just need to create a trust (one
> > way will work just fine). What "cross-trust issues" are you referring to?
> >
> > t
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
> > Sent: Wednesday, October 10, 2007 8:07 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Looking for pitfalls
> >
> > So.... All would agree that having two domains behind ISA 2006
> > creates enough complexity (for one who does not enjoy cross-trust
> > relationship between domains issues) for it to be impractical?
> >
> > JB
> >
> > On Oct 8, 2007, at 8:53 AM, Jim Harrison wrote:
> >
> > > Actually, it's both.
> > > Domain traffic across ISA is a great reason to increase your
> > > illicit substance use.
> > > Have a peek at the RPC-oriented fixes in ISA; nearly all of them
> > > have been driven by domain scenarios; some because of RPC protocol
> > > changes in the OS.
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: Monday, October 08, 2007 8:33 AM
> > > To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Looking for pitfalls
> > >
> > > That's what I was going to say ;)
> > >
> > > It's not "multiple domains behind ISA," it's the way you want trust
> > > to work within those "multiple domains behind ISA."
> > >
> > > If you don't have some sort of cross-trust relationship between the
> > > domains, only users within the domain that the ISA server is a
> > > member of can use rules that require user authentication (including
> > > certificates).
> > >
> > > t
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
> > > Sent: Fri 10/5/2007 12:49 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Looking for pitfalls
> > >
> > > the question of cross-ISA domain / forest traffic is gonna make you
> > > drink (more).
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Friday, October 05, 2007 11:50 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Looking for pitfalls
> > >
> > > Ha! I'll brew a pot on your behalf and I already have the skittles
> > > in my desk drawer :)
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
> > > Sent: Friday, October 05, 2007 1:37 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Looking for pitfalls
> > >
> > > Brilliant!!!
> > >
> > > How do I send you a pot of coffee and bag of skittles? ;-)
> > >
> > > On Oct 5, 2007, at 11:28 AM, Thomas W Shinder wrote:
> > >
> > >> Sounds like an excellent scenario for an article! I'll pound it out
> > >> this weekend.
> > >>
> > >> Thanks!
> > >>
> > >> Tom
> > >>
> > >> -----Original Message-----
> > >> From: isalist-bounce@xxxxxxxxxxxxx
> > >> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of JB
> > >> Sent: Friday, October 05, 2007 12:12 PM
> > >> To: isalist@xxxxxxxxxxxxx
> > >> Subject: [isalist] Looking for pitfalls
> > >>
> > >> I would like to indulge the minds of ISA List on the pitfalls of
> > >> having two separate networks/domains behind one ISA 2006 firewall.
> > >>
> > >> The main question: How does authentication in ISA 2006 work with two
> > >> domains?
> > >>
> > >> Any thoughts would be greatly appreciated - I should probably
> > >> rephrase this ;-)
> > >>
> > >> Scenario:
> > >> Both domains are Windows 2003.
> > >> Both domains have Exchange servers publishing OWA etc...
> > >> Both domains have users requiring RDP and VPN access
> > >> All users except admins are not allowed into opposing network
> > >>
> > >> ------------------------------------------------------
> > >> List Archives: //www.freelists.org/archives/isalist/
> > >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > >> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> > >> ISA Server Blogs: http://blogs.isaserver.org/
> > >> ------------------------------------------------------
> > >> Visit TechGenix.com for more information about our other sites:
> > >> http://www.techgenix.com
> > >> ------------------------------------------------------
> > >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > >> Report abuse to listadmin@xxxxxxxxxxxxx
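
The thread's question about LDAP credentials being passed in the clear, and the LDAPS answer, can be checked against the protocol itself. The following is an added example, not part of the original thread and not ISA Server code: it decodes an LDAPv3 simple BindRequest (RFC 4511) built from a constructed account name and password, showing that the password is carried as plain octets unless the session runs inside TLS (LDAPS).

```python
# Added illustration: decode an LDAPv3 simple BindRequest (RFC 4511).
# The DN and password below are constructed sample values.

def _tlv(buf, pos):
    """Read one BER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def _enc(tag, value):
    """Encode one BER element with a definite length (used to build the sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def build_simple_bind(msg_id, dn, password):
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple [0] } }."""
    body = _enc(0x02, bytes([3])) + _enc(0x04, dn.encode()) + _enc(0x80, password.encode())
    return _enc(0x30, _enc(0x02, bytes([msg_id])) + _enc(0x60, body))

def parse_bind(frame):
    """Return version, DN, bind method and, for a simple bind, the password."""
    tag, msg, _ = _tlv(frame, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = _tlv(msg, 0)                 # skip messageID
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x60:                          # [APPLICATION 0] = BindRequest
        raise ValueError("not a BindRequest")
    _, ver, pos = _tlv(op, 0)
    _, dn, pos = _tlv(op, pos)
    tag, cred, _ = _tlv(op, pos)
    out = {"version": ver[0], "dn": dn.decode(),
           "method": "simple" if tag == 0x80 else "sasl"}
    if tag == 0x80:                          # simple [0]: the value is the raw password
        out["password"] = cred.decode()
    return out

SAMPLE = build_simple_bind(1, "CN=svc-isa,CN=Users,DC=corp,DC=example", "Passw0rd!")

if __name__ == "__main__":
    print(parse_bind(SAMPLE))
```

With LDAPS the same bytes are sent, but only inside the TLS session, so they are not readable on the wire between the firewall and the domain controller.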