Re: AD Auth for standalone ISA in DMZ

Thanks Jim! I unchecked that box (trust me, it's easier than dealing
with the network boys!)

I was able to create my user set with the <domain>\<group> I want to
use, but when I try to add them to the access rule I get the
following: "The authentication method (LDAP) selected for user set
<user set> is not valid for an access rule. The rule cannot be saved
until you change the authentication method of select a different user
set."


On Jun 27, 7:16 pm, "Jim Harrison \(ISA SE\)"
<jmh...@xxxxxxxxxxxxxxxxxxxx> wrote:
"Use Global Catalog box is checked" - this means that you need TCP:3268 open
through the firewall; not TCP:389.http://www.microsoft.com/technet/security/smallbusiness/topics/Server...
--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.http://catb.org/~esr/faqs/smart-questions.html

<doug.mast...@xxxxxxxxx> wrote in message

news:1182955938.166927.305380@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Jun 25, 5:19 pm, doug.mast...@xxxxxxxxx wrote:

Standalone ISA 2006, single nic, in a DMZ. I need to configure ISA
to poll AD to see if a user is allowed access to the internet or
not. The network boys tell me that they have port 389 open between
my ISA server and my DC's.

The information I'm finding is about using LDAP to authenticate
incoming traffic, and I want to authenticate outbound traffic.

OK, I didn't provide much info, so let me add more about what's been
done and what's been tested.

1. The Network boys finally got 389 open, previously I could not
telnet on port 389 to the DC's and now I can.

2. System Policy #1 (Authentication Services) has been enabled. I
created a Computer Set for the DC's and applied them to the
destination of the System Policy.

3. Under Specify RADIUS and LDAP Servers, I created an LDAP Server
Set with the two DC's, the FQDN is entered, the Use Global Catalog box
is checked, and a valid username & password are entered. The
login Expression to <domain>\* and LDAP Server Set is set.

4. When I try to create a new User Set, I choose the LDAP Server Set
I created and enter the group name of the AD Group that is allowed
internet access. After clicking OK I get a username/password prompt,
after entering that I get the error "None of the configured LDAP
servers are available for verifying the user."

What, if anything, am I missing?


.

Relevant Pages

  • RE: SBS2K3 Prem Symantec Security Gaeway
    ... Start the ISA Management snap-in. ... In the Access Rule Sources dialog box, ... Locate, and then click the network entity that you want to add, and then ... default All Users user set option. ...
    (microsoft.public.windows.server.sbs)
  • Re: renaming domain controller
    ... tread wrote: ... > I just installed SBS2003 for a new business, and creating a test Domain Name ... This is the only computer on the network, ... > user set up. ...
    (microsoft.public.windows.server.sbs)
  • RE: OpenLDAP + User Authentication
    ... Who is ultimately responsible for your network? ... I have an LDAP server which I'm using to authenticate my users from. ... but no detailed information on how it ...
    (RedHat)
  • Re: Entourage cannot send calendar events
    ... LDAP Server error Error: -3260. ... Ask your network administrator or Help Desk for the address of a Global catalog server on your network. ... Enter that address in the LDAP server settings in your Exchange account in Entourage. ... Entourage Help Blog ...
    (microsoft.public.mac.office.entourage)
  • Re: leaving and returning to a network w/o logging off
    ... I have seen a product called Mobile Net Switch, that lets a user set up multiple 'profiles' for different networks, along with storing login information. ... She would like to not have to log out and back in again to be able to access network resources. ...
    (microsoft.public.win2000.networking)