RE: Form Based Authentication on ISA2k4
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian)
- Date: Fri, 07 Oct 2005 02:05:47 GMT
Hi Philip:
Thanks for your kind reply.
I am glad to hear the information I provided is helpful. If you encounter
any difficulties in the future, please submit a post to the newsgroup; I am
standing by to help you.
Again, thanks for using the newsgroup.
Have a nice weekend!
Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Philip <Philip@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: Form Based Authentication on ISA2k4
| Date: Thu, 6 Oct 2005 07:29:00 -0700
|
| Thank you Edward! What an excellent explanation!
|
| ---
| Philip
|
| "Edward Tian" wrote:
|
| > Hi Philip:
| > Nice to see you again in the newsgroup.
| >
| > Based on my knowledge, we should NOT enable FBA (Form Based Authentication)
| > on the ISA Server. The FBA was already enabled on the Exchange Server once
| > you ran the CEICW and selected to publish the OWA site.
| >
| > Technically speaking, your point is correct that using FBA on the Web
| > Listener of the OWA publishing rule will improve the security level of the
| > internal network. Outside users who are not authenticated by the ISA Server
| > will not be allowed to communicate with the Exchange Server. The ISA will
| > take the responsibility to authenticate the user instead of IIS. Then, you
| > may be confused that since enabling the FBA on ISA will be more secure, why
| > not do this on the SBS Server? Let me explain to you.
| >
| > The ISA Server uses a Web Listener to receive the incoming HTTP/HTTPS
| > request. We can configure multiple authentication types on the Web
| > Listener: Basic authentication, Windows Integrated authentication, Form
| > based authentication and so on. However, if we enable FBA on the Web
| > Listener, then no other authentication method can be used. This is
| > problematic for users who have only a single IP address bound to the
| > external interface of the ISA Server 2004 firewall and need to publish both
| > the OWA and Exchange Mobile Access sites (such as OMA, Active-Sync and
| > Exchange RPC/HTTP).
| >
| > Moreover, in an SBS environment, there are several components that need to
| > listen on port 80/443 such as RWW/OMA. In this way, if we enable FBA on the
| > ISA, these web sites will definitely no longer work.
| >
| > However, if you have two external IP addresses on the SBS Server, you may
| > create two Web Listeners that are listening on different IP addresses, one
| > uses FBA for the OWA, and the other uses Windows Integrated Authentication
| > (NTLM) for the other web sites, whatever you like.
| >
| > In addition, you don't need to worry about the potential security problem
| > if we only enable the FBA authentication on the Exchange Server. Because
| > the traffic between the OWA client and the Exchange Server is still secure
| > since they are using the SSL encryption. The SSL encryption on the
| > connection encrypts the user credentials when they are sent by the client
| > to the server.
| >
| > Hope the clarification addresses your concern. Thank you.
| >
| > Please feel free to let me know if there is anything I can do for you.
| >
| > Have a nice day!
| >
| > Best Regards
| > Edward Tian(MSFT)
| > Microsoft CSS Online Newsgroup Support
| >
| > --------------------
| > | From: Philip <Philip@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: Form Based Authentication on ISA2k4
| > | Date: Wed, 5 Oct 2005 17:00:02 -0700
| > |
| > | Hi, can I use the Form Based Authentication on ISA 2004 for OWA publishing? I
| > | was told that this was more secure and the unauthenticated user will not be
| > | able to touch the Exchange Server. Can I do this in SBS 2003 Premium SP1?
| > | Thanks
| > | Philip
| > |
| >
| >
|