Re: AD Auth for standalone ISA in DMZ

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

---

• From: "Jim Harrison \(ISA SE\)" <jmharr@xxxxxxxxxxxxxxxxxxxx>
• Date: Thu, 28 Jun 2007 16:25:09 -0700

---

...it really is your safer, more functional deployment...

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



<doug.masters@xxxxxxxxx> wrote in message
news:1183062829.387567.126860@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Lovely... yet another reason I can add to why it needs to be installed
in the preferred 2 NIC/Firewall configuration. I really don't want
to jack with a RADIUS server.



On Jun 28, 2:00 pm, "Jim Harrison \(ISA SE\)"
<jmh...@xxxxxxxxxxxxxxxxxxxx> wrote:

As stated in the error, you can't use LDAP for access rules.
If you want to authenticate internal accounts fro access rules, RADIUS is
your only non-Windows option.
--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no
rights.http://catb.org/~esr/faqs/smart-questions.html

<doug.mast...@xxxxxxxxx> wrote in message

news:1183038088.944513.315330@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Jim! I unchecked that box (trust me, it's easier than dealing
with the network boys!)

I was able to create my user set with the <domain>\<group> I want to
use, but when I try to add them to the access rule I get the
following: "The authentication method (LDAP) selected for user set
<user set> is not valid for an access rule. The rule cannot be saved
until you change the authentication method of select a different user
set."

On Jun 27, 7:16 pm, "Jim Harrison \(ISA SE\)"

<jmh...@xxxxxxxxxxxxxxxxxxxx> wrote:

"Use Global Catalog box is checked" - this means that you need TCP:3268
open
through the firewall; not
TCP:389.http://www.microsoft.com/technet/security/smallbusiness/topics/Server...
--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no
rights.http://catb.org/~esr/faqs/smart-questions.html

<doug.mast...@xxxxxxxxx> wrote in message

news:1182955938.166927.305380@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Jun 25, 5:19 pm, doug.mast...@xxxxxxxxx wrote:

Standalone ISA 2006, single nic, in a DMZ. I need to configure ISA
to poll AD to see if a user is allowed access to the internet or
not. The network boys tell me that they have port 389 open between
my ISA server and my DC's.

The information I'm finding is about using LDAP to authenticate
incoming traffic, and I want to authenticate outbound traffic.

OK, I didn't provide much info, so let me add more about what's been
done and what's been tested.

1. The Network boys finally got 389 open, previously I could not
telnet on port 389 to the DC's and now I can.

2. System Policy #1 (Authentication Services) has been enabled. I
created a Computer Set for the DC's and applied them to the
destination of the System Policy.

3. Under Specify RADIUS and LDAP Servers, I created an LDAP Server
Set with the two DC's, the FQDN is entered, the Use Global Catalog box
is checked, and a valid username & password are entered. The
login Expression to <domain>\* and LDAP Server Set is set.

4. When I try to create a new User Set, I choose the LDAP Server Set
I created and enter the group name of the AD Group that is allowed
internet access. After clicking OK I get a username/password prompt,
after entering that I get the error "None of the configured LDAP
servers are available for verifying the user."

What, if anything, am I missing?

.

---

• Follow-Ups:
  • Re: AD Auth for standalone ISA in DMZ
    • From: doug . masters

• References:
  • AD Auth for standalone ISA in DMZ
    • From: doug . masters
  • Re: AD Auth for standalone ISA in DMZ
    • From: doug . masters
  • Re: AD Auth for standalone ISA in DMZ
    • From: Jim Harrison \(ISA SE\)
  • Re: AD Auth for standalone ISA in DMZ
    • From: doug . masters
  • Re: AD Auth for standalone ISA in DMZ
    • From: Jim Harrison \(ISA SE\)
  • Re: AD Auth for standalone ISA in DMZ
    • From: doug . masters

• Prev by Date: Re: ISA 2006 Redirect HTTP to HTTPS Config
• Next by Date: Re: DMZ Help
• Previous by thread: Re: AD Auth for standalone ISA in DMZ
• Next by thread: Re: AD Auth for standalone ISA in DMZ
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: AD Auth for standalone ISA in DMZ ... Jim Harrison (ISA SE) ... but when I try to add them to the access rule I get the ... until you change the authentication method of select a different user ... (microsoft.public.isa.configuration) Re: acces rules ... LDAP users for access rules - can't do it; ... The ISA help covers this. ... "Jim Harrison " wrote: ... full is not valid for an access rule" is the critical point. ... (microsoft.public.isa) Re: AD Auth for standalone ISA in DMZ ... configure using he Edge Firewall template (or Back-end Firewall if they ... Jim Harrison (ISA SE) ... but when I try to add them to the access rule I get the ... (microsoft.public.isa.configuration) Re: Setting up an access rule ... Jim Harrison (ISA SE) ... "Jim Harrison " wrote: ... Create an access rule as ... HTTP from ISA to Computer2 ... (microsoft.public.isa.configuration) Re: Force All to use firewall Client ONLY ... Remove all the browser's proxy settings. ... Definition which will only be true if the ISA is doubling as the LAN Router. ... Create an anonymous Access Rule for HTTP/HTTPS/FTP that only applies to ... (microsoft.public.isa)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > ISA  > microsoft.public.isa.configuration  > 2007-06