Re: AD Proxy
- From: "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Jul 2005 20:01:02 -0700
I took a quick look at Centrify's web site - it looks very similar to
Vintela's offering. I don't know of any other requirements beyond what you
mentioned.
--
Hugh
"Al Mulnick" wrote:
> I'm not as familiar with Vintella as I am Centrify's solution. What are the
> requirements to be a domain member from the AIX machine's perspective?
> I assume Kerberos (indicates DNS and time sync to at least one DC) and LDAP,
> but are there any others?
>
> "The AIX systems in the SecureNet must be able to be domain members,"
>
> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:A9DD6208-66DC-414B-89F7-5F468C0F85C9@xxxxxxxxxxxxxxxx
> > Yes, they would be based on AD credentials. Sorry for the confusion.
> >
> > Specifically, here's what we've got. In the SecureNet, we will have AIX
> > systems which are running Vintela Authentication Services (VAS), which
> > tightly integrates these systems with AD. In fact, the AIX systems are
> > "joined" to AD (via Kerberos) just as any Windows XP PC would be. These
> > AIX
> > systems will be used by individuals in the SecureNet as well as by
> > individuals in the internal network. As an example, when you telnet to
> > the
> > AIX box, the userid and password you enter reside only in AD, not as local
> > accounts on the AIX box. The VAS software then passes the userid and
> > password to AD for authentication. Group membership also provides
> > permissions to the AIX box's filesystems.
> >
> > Any given user may access the AIX box via the SecureNet today and via the
> > internal network tomorrow. Thus, we would prefer a single identity store.
> >
> > The AIX systems in the SecureNet must be able to be domain members, but
> > since the SecureNet will also contain non-company computers (VPN clients),
> > we
> > would prefer not to put a production domain controller in the SecureNet.
> >
> > Since th
> > --
> > Hugh
> >
> >
> > "Al Mulnick" wrote:
> >
> >> You lost me.
> >> If you need AD/Kerberos authentication services, would that not be based
> >> on
> >> AD credentials? You're not interested in allowing services across the
> >> firewall (somehow you'll need time and DNS services that reflect trusted
> >> network information of course), I get that. But you are interested in
> >> authentication services. That is what I'm talking about.
> >>
> >> Maybe there's a bigger picture I'm not seeing? How do you plan to have
> >> the
> >> clients ask for authentication services? Is this something in the VPN
> >> client that allows them to even connect to this network? If so, maybe
> >> there's a better way to do this other than what we've talked about so
> >> far.
> >> RADIUS, AZMAN, or others might be worth investigating.
> >>
> >> Al
> >>
> >>
> >>
> >> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:CC52EFEA-A075-4485-8C57-4024B0E5E88D@xxxxxxxxxxxxxxxx
> >> > Active Directory integration seems to be useful for controlling access
> >> > across
> >> > the firewall based upon AD credentials. If so, this isn't what we're
> >> > trying
> >> > to do. We need AD/Kerberos authentication services in the SecureNet,
> >> > but
> >> > no
> >> > other traffic from the SecureNet will be allowed through the firewall.
> >> > --
> >> > Hugh
> >> >
> >> >
> >> > "Al Mulnick" wrote:
> >> >
> >> >> Hopefully you get a good response from that group. I would imagine it
> >> >> can
> >> >> be done fairly easily, but not sure just how easily.
> >> >>
> >> >> Active Directory integration
> >> >> ISA Server can leverage the user database stored in Active
> >> >> Directory
> >> >> to
> >> >> authenticate both inbound and outbound access through the firewall.
> >> >> Active
> >> >> Directory integration is available even when the ISA Server computer
> >> >> is
> >> >> not
> >> >> a member of an Active Directory domain.
> >> >>
> >> >>
> >> >>
> >> >> You can read more about it here:
> >> >> http://www.microsoft.com/isaserver/evaluation/features/default.mspx
> >> >>
> >> >> In my mind, you would basically publish the AD servers via ISA to the
> >> >> VPN
> >> >> network. When you give name resolution information to the vpn client,
> >> >> they
> >> >> would use that information to find the AD servers and the ISA server
> >> >> would
> >> >> proxy the authentication for you. LDAP might be a little more
> >> >> attached
> >> >> to
> >> >> your application if that's what it's for.
> >> >>
> >> >> Al
> >> >>
> >> >>
> >> >> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:E84980BB-AACF-47E9-BF63-BB873AB5A838@xxxxxxxxxxxxxxxx
> >> >> > I've put a similar post in the ISA Server area, but we have no
> >> >> > experience
> >> >> > with ISA Server at this time.
> >> >> > --
> >> >> > Hugh
> >> >> >
> >> >> >
> >> >> > "Al Mulnick" wrote:
> >> >> >
> >> >> >> Have you already looked at what ISA server can do for you?
> >> >> >>
> >> >> >> Al
> >> >> >>
> >> >> >> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> >> news:79DEDFE7-BFA3-46DA-B03B-877C8F70C330@xxxxxxxxxxxxxxxx
> >> >> >> > We are creating a secure DMZ area (VPN access only) and would
> >> >> >> > like
> >> >> >> > to
> >> >> >> > have
> >> >> >> > AD
> >> >> >> > services in this network. This "SecureNet" will be firewalled
> >> >> >> > off
> >> >> >> > from
> >> >> >> > the
> >> >> >> > internal network. Rather than putting a domain controller in the
> >> >> >> > SecureNet,
> >> >> >> > we would prefer to put an LDAP proxy server that would accept
> >> >> >> > LDAP
> >> >> >> > requests
> >> >> >> > from systems in the SecureNet and forward those requests through
> >> >> >> > the
> >> >> >> > firewall
> >> >> >> > to the internal domain controllers. Specifically, I said "AD"
> >> >> >> > proxy
> >> >> >> > instead
> >> >> >> > of "LDAP" proxy because I need Kerberos services to be proxied as
> >> >> >> > well.
> >> >> >> > Thus, I need the proxy server to appear and act just like an AD
> >> >> >> > domain
> >> >> >> > controller for the purposes of authentication. Any thoughts on
> >> >> >> > whether
> >> >> >> > this
> >> >> >> > is possible and, if so, how to accomplish it?
> >> >> >> >
> >> >> >> > --
> >> >> >> > Hugh
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
.
- Follow-Ups:
- Re: AD Proxy
- From: Al Mulnick
- Re: AD Proxy
- References:
- AD Proxy
- From: Hugh
- Re: AD Proxy
- From: Al Mulnick
- Re: AD Proxy
- From: Hugh
- Re: AD Proxy
- From: Al Mulnick
- Re: AD Proxy
- From: Hugh
- Re: AD Proxy
- From: Al Mulnick
- Re: AD Proxy
- From: Hugh
- Re: AD Proxy
- From: Al Mulnick
- AD Proxy
- Prev by Date: Determining authenticating DC
- Next by Date: RE: Member server cannot login to Domain Controller
- Previous by thread: Re: AD Proxy
- Next by thread: Re: AD Proxy
- Index(es):
Relevant Pages
|
