Re: AD Auth for standalone ISA in DMZ




Nuke & Pave is certainly the simplest method.
If you don't have that option:
1. export your firewall policies (*not* a full backup)
2. install the additional NIC
3. configure using the Edge Firewall template (or Back-end Firewall if they
insist on maintaining the edge device)
4. import your rules
--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



<doug.masters@xxxxxxxxx> wrote in message
news:1183141976.325642.114970@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Question/Advice:

If it were you, would you scratch & reload or just reconfigure from
one to two NICs?


On Jun 28, 6:25 pm, "Jim Harrison (ISA SE)" <jmh...@xxxxxxxxxxxxxxxxxxxx> wrote:
..it really is your safer, more functional deployment...

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html

<doug.mast...@xxxxxxxxx> wrote in message
news:1183062829.387567.126860@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Lovely... yet another reason I can add to why it needs to be installed
in the preferred 2 NIC/Firewall configuration. I really don't want
to jack with a RADIUS server.

On Jun 28, 2:00 pm, "Jim Harrison (ISA SE)" <jmh...@xxxxxxxxxxxxxxxxxxxx> wrote:
As stated in the error, you can't use LDAP for access rules.
If you want to authenticate internal accounts for access rules, RADIUS is
your only non-Windows option.
--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html

<doug.mast...@xxxxxxxxx> wrote in message
news:1183038088.944513.315330@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Jim! I unchecked that box (trust me, it's easier than dealing
with the network boys!)

I was able to create my user set with the <domain>\<group> I want to
use, but when I try to add them to the access rule I get the
following: "The authentication method (LDAP) selected for user set
<user set> is not valid for an access rule. The rule cannot be saved
until you change the authentication method or select a different user
set."

On Jun 27, 7:16 pm, "Jim Harrison (ISA SE)" <jmh...@xxxxxxxxxxxxxxxxxxxx> wrote:
"Use Global Catalog box is checked" - this means that you need TCP:3268 open
through the firewall, not TCP:389.
http://www.microsoft.com/technet/security/smallbusiness/topics/Server...
--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html

<doug.mast...@xxxxxxxxx> wrote in message
news:1182955938.166927.305380@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Jun 25, 5:19 pm, doug.mast...@xxxxxxxxx wrote:

Standalone ISA 2006, single nic, in a DMZ. I need to configure ISA
to poll AD to see if a user is allowed access to the internet or
not. The network boys tell me that they have port 389 open between
my ISA server and my DC's.

The information I'm finding is about using LDAP to authenticate
incoming traffic, and I want to authenticate outbound traffic.

OK, I didn't provide much info, so let me add more about what's been
done and what's been tested.

1. The Network boys finally got 389 open, previously I could not
telnet on port 389 to the DC's and now I can.

2. System Policy #1 (Authentication Services) has been enabled. I
created a Computer Set for the DC's and applied them to the
destination of the System Policy.

3. Under Specify RADIUS and LDAP Servers, I created an LDAP Server
Set with the two DC's; the FQDN is entered, the Use Global Catalog box
is checked, and a valid username & password are entered. The login
expression is set to <domain>\* and the LDAP Server Set is selected.

4. When I try to create a new User Set, I choose the LDAP Server Set
I created and enter the group name of the AD Group that is allowed
internet access. After clicking OK I get a username/password prompt,
after entering that I get the error "None of the configured LDAP
servers are available for verifying the user."

What, if anything, am I missing?
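Editor's note, added to this archived thread and not part of any poster's message: the two checks Jim asks for above (is the port the LDAP Server Set actually uses open through the DMZ firewall, and can the configured account bind to the DC and find the group?) can be run from the ISA box itself. The script below is an added example; the hostnames dc1/dc2.corp.example, the domain CORP, the search base DC=corp,DC=example and the group name "Internet Users" are placeholders, not values from the thread. It picks TCP 3268 when "Use Global Catalog" is checked and TCP 389 otherwise, then binds with a DirectoryEntry/DirectorySearcher the same way the LDAP Server Set would (a plain LDAP bind with the stored credentials).

```powershell
# Added example (not from the thread): verify the firewall path and the LDAP bind
# that an ISA 2006 LDAP Server Set depends on.  All names below are assumptions.
$DomainControllers = 'dc1.corp.example', 'dc2.corp.example'   # assumed DC FQDNs
$SearchBase        = 'DC=corp,DC=example'                      # assumed domain DN
$GroupName         = 'Internet Users'                          # assumed AD group (sAMAccountName)
$UseGlobalCatalog  = $true   # mirrors the "Use Global Catalog" checkbox in the server set

# Plain LDAP: 389, Global Catalog: 3268.  (LDAPS would be 636 / 3269, not used here.)
$Port   = if ($UseGlobalCatalog) { 3268 } else { 389 }
$Prefix = if ($UseGlobalCatalog) { 'GC' }  else { 'LDAP' }

function Test-TcpPort {
    # Equivalent of "telnet dc 3268": TCP connect with a timeout, no LDAP traffic.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Is the right port open through the DMZ firewall to every DC in the set?
foreach ($dc in $DomainControllers) {
    $open = Test-TcpPort -ComputerName $dc -Port $Port
    '{0} TCP:{1} reachable = {2}' -f $dc, $Port, $open
}

# 2. Can the account entered in the LDAP Server Set bind and resolve the group?
$Cred    = Get-Credential -Message 'Account from the LDAP Server Set (DOMAIN\user)'
$NetCred = $Cred.GetNetworkCredential()
$Path    = '{0}://{1}:{2}/{3}' -f $Prefix, $DomainControllers[0], $Port, $SearchBase
try {
    $Root = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
                -ArgumentList $Path, "$($NetCred.Domain)\$($NetCred.UserName)", $NetCred.Password
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    $Searcher.Filter = '(&(objectCategory=group)(sAMAccountName={0}))' -f $GroupName
    [void]$Searcher.PropertiesToLoad.Add('distinguishedName')
    $Result = $Searcher.FindOne()     # forces the bind; throws if the DC rejects it
    if ($Result) {
        'Bind OK, group found: ' + $Result.Properties['distinguishedname'][0]
    } else {
        'Bind OK, but no group named {0} under {1}; check the name used in the user set' -f $GroupName, $SearchBase
    }
} catch {
    # Same situation the console reports as "None of the configured LDAP servers
    # are available": wrong port through the firewall, bad credentials, or a
    # DC that is not a Global Catalog server when GC:// is used.
    'Bind to {0} failed: {1}' -f $Path, $_.Exception.Message
}
```

If the port probe fails for 3268 but succeeds for 389, the firewall team has opened plain LDAP only; either get 3268 opened or clear the Global Catalog box, which is the choice the poster made above. A successful bind and group lookup only proves that the LDAP Server Set is usable: as Jim says further down the thread, a user set built on an LDAP Server Set is accepted in web publishing rules but not in access rules, so passing this test does not make the outbound-access scenario work without RADIUS or a domain-joined ISA.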
