Re: Secure Nat clients authentication
- From: Kenneth Attard <KennethAttard@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 8 Sep 2006 06:16:01 -0700
Phillip, with the PIX there is a RADIUS server which is authenticating users.
The problem is that we need http, https and ftp services authenticated and make
ISA act like a transparent device while still authenticating the services
mentioned. As you have mentioned, the ISA server will be a member server of
the domain. As regards the DHCP, the lease is long enough and it should
not be a problem.
Basically what we are looking for is to replace the authentication
mechanism from PIX to ISA, ideally without installing the firewall client and
using the wpad.dat option if this is possible; otherwise we have to adopt the
wpad.dat and enforce the automatic detect settings parameter via GPOs as we
require authentication.
Thanks a lot for your help
Kenneth
"Phillip Windell" wrote:
"Kenneth Attard" <KennethAttard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:78B1C460-EA17-4A58-8F87-8B7FFF99216A@xxxxxxxxxxxxxxxx
The PIX receives an HTTP request from an internal client; the PIX checks if
the client IP is authenticated, and if not the PIX forwards an authentication
window to the client workstation. The user will forward back the username
and password and the PIX will verify the information; if authenticated, the
session is forwarded to the Internet.
Either the PIX has had duplicate accounts created on itself that match the
domain accounts or there is a RADIUS Server in use. Our Watchguard box is
the same way.
ISA receives the http packet and forwards the authentication window to the
client, and once it is verified to be ok the http request can be NATed
and forwarded to the internet.
You can create duplicate accounts on the ISA, but that is pointless since
the ISA is perfectly capable of being a domain member and using the Domain
accounts. SecureNAT Clients of ISA have to use anonymous accounts.
The IP#s cannot dependably be "authenticated" if the LAN uses DHCP, since the
IP#s of the workstation may change over time, so the whole thing is kind
of pointless anyway. ISA's way of using Integrated Authentication is the
best way to do it, and the user is not "pestered" with a login prompt.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
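The wpad.dat option Kenneth mentions is a proxy auto-config (PAC) script: browsers that have "Automatically detect settings" enabled fetch it and call its FindProxyForURL function for every request, so it is the piece that turns SecureNAT clients into Web Proxy clients that ISA can authenticate. The script below is an added example written for this thread, not a file from either poster or from ISA itself. The proxy name proxy.corp.example:8080, the internal domain .corp.example and the address ranges are assumed placeholders. A browser supplies isPlainHostName, dnsDomainIs, shExpMatch and isInNet as built-ins; the small versions defined here exist only so the file also runs under Node for testing (the browser's isInNet resolves hostnames through DNS, this one accepts IPv4 literals only).

```javascript
// wpad.dat (PAC) example for sending Internet-bound HTTP/HTTPS/FTP through an
// ISA Web Proxy listener while keeping internal traffic direct.
// Assumed placeholders: proxy.corp.example:8080 and the .corp.example domain.
var ISA_PROXY = "PROXY proxy.corp.example:8080";
var DIRECT = "DIRECT";

// --- Minimal stand-ins for PAC built-ins so this file runs under Node. ---
// In a real browser these are provided by the PAC engine and need not be defined.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Shell-style glob: "*" matches any run, "?" one character; everything else literal.
  var re = new RegExp("^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$");
  return re.test(str);
}
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n >>> 0;
}
// Stand-in isInNet: only IPv4 literals are accepted (no DNS resolution offline).
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// --- The PAC entry point the browser calls for each request. ---
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names and the internal domain never leave the LAN, so they
  // bypass ISA; only Internet-bound traffic should hit the authenticating listener.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return DIRECT;
  }

  // RFC 1918 address literals are internal as well.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return DIRECT;
  }

  // The three services the thread needs authenticated go through the ISA proxy.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*") || shExpMatch(url, "ftp:*")) {
    return ISA_PROXY;
  }

  // Anything else (gopher, custom schemes) is left direct; those requests
  // reach ISA as SecureNAT traffic and fall under the anonymous rules.
  return DIRECT;
}
```

Clients find the script either through DHCP option 252 or by resolving a host named wpad in their DNS suffix, and the GPO that enforces "Automatically detect settings" keeps users from switching it off. The caveat Phillip raises still applies: only proxy-aware applications consult this file, so anything that ignores browser proxy settings remains a SecureNAT client and is matched by anonymous rules rather than by a domain account.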