Re: Active directory authentication

From: Tony Su (anonymous_at_discussions.microsoft.com)
Date: 06/22/04


Date: Mon, 21 Jun 2004 21:06:42 -0700

Dean,
Trying to grasp most of what you described, let me try to
describe a few concepts which ought to be helpful...

One of your questions is for ISA to authenticate inbound
Users to AD...
- ISA does this only when Web Publishing websites. For any
other protocol or method, ISA passes the query to the
internal Service and the Service authenticates the User,
not ISA.
- It's probably possible for ISA to authenticate for other
protocols, but would require third party ISAPI filters,
which may already exist.

Another question was that you feel you may be running out
of IP addresses...
- You should be able to supernet your Class B network to
support a lot more than 600 hosts... I assume that you
don't have to support a large number of different Class B
networks, so you should be able to support many, many
times that many addresses by simply modifying the subnet
mask you use.

If I understand what you're trying to achieve and based on
the fact you already have partitioned your network between
trusted machines and machines which require additional
security (very good!), instead of what you're doing I
would recommend a tri-homed ISA. Although the article at
isaserver.org is intended for supporting a WAP, you should
find that the configuration should support your objectives
as well...

http://www.isaserver.org/tutorials/trihomedwirelessdmz.html

HTH,
Tony Su

>-----Original Message-----
>Let me explain further: I have 254 addresses in the
>172.28.address range (routing and NAT is handled at the
>state level), all of the rest of my 600 machines use
>10.0.0.0 network addresses. I've been using Proxy 2.0, but
>on July 30, all machines must authenticate to the AD
>domain or be removed from the "production network".
>That means no internet, email, or access to any state
>systems or databases. I usually put troublesome users
>behind the proxy for an added layer of security, antivirus
>protection, or controlling the web sites they can visit.
>The proxy is coming down and at this time I've set up
>local NAT to translate the 10.0.addresses to a single
>172.28 address. I had to add several "applications" to
>NAT (Kerberos, LDAP, etc.) to authenticate through it, and
>would like to know what I have to add to get ISA to do the
>same, and where it is. I want the security, caching, and
>other features of ISA that NAT doesn't provide. I know
>there are several ways to translate the 10.0 addresses but
>I really want the features ISA offers. I've searched
>Microsoft and other sites and can't find out what I need
>to do. I can get ISA to do everything except AD
>authentication.
>
>Dean
>
>
>"Tony Su" wrote:
>
>> Don't use public addresses.
>>
>> If you're using a class C address space (192.168.x.y),
>> you should be able to supernet your existing subnet to
>> add addresses... so unless you're supporting more than
>> approx. 65,000 devices you shouldn't have a problem...
>>
>> Tony Su
>>
>>
>>
>>
>> >-----Original Message-----
>> >Hmmm... pretty complicated :)
>> >This looks more like a design problem. I have never
>> >heard "I don't have enough private IP addresses and I
>> >must use public addresses". You should install and
>> >configure just a simple router. There is no need for ISA
>> >Server.
>> >
>> >Andrei Ungureanu
>> >www.eventid.net
>> >
>> >
>> >"Dean" <Dean@discussions.microsoft.com> wrote in message
>> >news:7F372BDC-9096-4CC6-8B42-702AA6B381DC@microsoft.com...
>> >> I'm sure this is a simple problem, but I can't find the
>> >> solution. I'm trying to complete a client logon to an
>> >> Active Directory domain, and be able to join machines to
>> >> the domain from behind ISA Server. I can get everything
>> >> to work thru the ISA server (web browsing, remote
>> >> desktop, FTP, etc) except whenever I try to add the
>> >> machine to the domain, or log into the domain from a
>> >> machine already joined, I get the "domain unavailable"
>> >> error. I don't have enough private IP addresses to
>> >> accommodate all the machines I take care of, so I must
>> >> find a way to get these machines to authenticate to the
>> >> domain from a public IP range.
>> >>
>> >> Can I authenticate thru ISA Server? What type of
>> >> authentication should I use? Should I enable the
>> >> firewall and use the client, or setup SNAT? I would like
>> >> to make this invisible to the machines, so I can join
>> >> machines to the domain, and log into the domain for
>> >> client authentication like it has one of the private
>> >> addresses, and all domain admin functions work the same
>> >> in both address ranges.
>> >>
>> >> not asking for much,
>> >> Dean
>> >
>> >
>> >.
>> >
>>
>.
>
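Worked example, added by the editor and not part of the thread: the supernetting arithmetic Tony points Dean at, done with Python's standard ipaddress module. It takes the figures from Dean's post (about 600 machines on 10.0.x addresses, a separate 172.28 range) and computes the smallest mask that fits them, then checks two things a practitioner would want before changing a mask: that the existing 10.0.0.x addresses stay inside the widened block, and that the block does not collide with the other range. The starting prefix 10.0.0.0/24 and the 172.28.0.0/24 range are assumptions; the post only says "10.0.addresses" and "172.28.address range".

```python
"""Supernetting plan for the scenario in the thread (added example).

The post gives roughly 600 hosts on 10.0.x addresses and a second range
under 172.28. The exact prefixes below are assumed for illustration.
"""
import ipaddress
import math

# Constructed inputs (assumptions, not from the post): the /24 the hosts
# sit in today, the range that must not be overlapped, and the host count.
CURRENT_NET = ipaddress.ip_network("10.0.0.0/24")
OTHER_NET = ipaddress.ip_network("172.28.0.0/24")
REQUIRED_HOSTS = 600


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable count (2**n - 2) covers `hosts`.

    Two addresses per block are reserved (network and broadcast), so we need
    2**host_bits - 2 >= hosts, i.e. host_bits >= log2(hosts + 2).
    """
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Usable addresses in a block, excluding network and broadcast."""
    return max(net.num_addresses - 2, 0)


def supernet_for(net: ipaddress.IPv4Network, hosts: int) -> ipaddress.IPv4Network:
    """Widen `net` to the smallest prefix that fits `hosts`.

    supernet() only shortens the mask, so every address already in `net`
    remains inside the result; if `net` is already large enough it is
    returned unchanged.
    """
    new_prefix = prefix_for_hosts(hosts)
    if new_prefix >= net.prefixlen:
        return net
    return net.supernet(new_prefix=new_prefix)


def plan(net: ipaddress.IPv4Network, other: ipaddress.IPv4Network, hosts: int) -> dict:
    """Proposed supernet plus the sanity checks to run before rolling it out."""
    new = supernet_for(net, hosts)
    return {
        "supernet": str(new),
        "netmask": str(new.netmask),
        "usable_hosts": usable_hosts(new),
        # existing hosts keep their addresses, only the mask changes
        "keeps_existing_addresses": new.supernet_of(net),
        # a widened 10.0.0.0 block must not swallow the 172.28 range
        "overlaps_other_range": new.overlaps(other),
    }


if __name__ == "__main__":
    for key, value in plan(CURRENT_NET, OTHER_NET, REQUIRED_HOSTS).items():
        print(f"{key}: {value}")
```

For 600 hosts this yields 10.0.0.0/22 (mask 255.255.252.0, 1022 usable addresses); the /16 Tony mentions in his earlier reply is what you get for a requirement near 65,000. The mask has to change on every host, DHCP scope and router interface at the same time: a machine still configured with the old /24 treats 10.0.1.x and above as off-link and sends that traffic to its default gateway instead.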


