Welcome to ISAserver.org


ISA 2006 in DMZ: certificate authentication

ISA 2006 in DMZ: certificate authentication - 2.Apr.2009 4:10:16 AM   
tvbruwae

Posts: 69
Joined: 19.Jul.2005
Status: offline
Hi

We are working on an upgrade for a legacy firewall environment to ISA 2006. The idea is to have 2x2 ISA Servers in a back-to-back configuration, with a DMZ in-between.

Two important questions remain to go ahead with the design.
  1. For various publishing rules we need AD authentication. What is the most secure option to handle this at the edge firewalls?
    1. Install the edge ISAs in a separate AD forest with a one-way trust to the corporate domain
    2. Install them in a workgroup with an LDAP(S) connection to a corporate AD controller, either on the corporate network or in the DMZ (read-only AD controller)
    3. Use a RADIUS server in the DMZ, with the edge ISAs in a domain or workgroup

  2. We also need certificate authentication for client VPN. While we can let the clients pass the edge firewalls and handle authentication at the back-end servers for sure, we would also like to know if it can be done at the outer firewalls, both if those are in a separate AD and if they are in a workgroup. We found the recent article at http://technet.microsoft.com/en-us/library/cc752953.aspx, but it doesn't clearly state if it now makes certificate authentication possible when ISA is in another (or no) AD forest.

Thanks,
Tim
Post #: 1
RE: ISA 2006 in DMZ: certificate authentication - 3.May.2009 10:00:52 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tim,

In general, in a back-to-back ISA firewall configuration, I used the front-end firewall array as a stateful packet inspection only solution. This offloads the heavy lifting from the back-end firewall array, and allows you to have a nice anonymous access DMZ between the firewall arrays.

So, I typically put the front-end array into a workgroup, and join the back-end array to the domain.

Certificate authentication is possible on the front-end array using RADIUS.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tvbruwae)
Post #: 2
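The reply above recommends a workgroup front-end array that hands authentication to a RADIUS server. The following is an added example, not code from the thread or from ISA Server itself: it models the RFC 2865 RADIUS exchange between an edge device (the front-end array acting as RADIUS client) and the DMZ RADIUS server, building an Access-Request, hiding the User-Password attribute with the shared secret, and verifying the Response Authenticator on the server's reply. With certificate (EAP-TLS) authentication the credential travels in EAP-Message attributes rather than User-Password, but the packet framing and the shared-secret check on the response are the same. The shared secret, user name and NAS identifier are constructed sample values, not values from the page.

```python
"""RFC 2865 RADIUS framing, client and server side, with constructed sample data.
Nothing here is ISA Server code; names and the shared secret are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), length (1 byte, includes header), value."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    """Parse TLVs, rejecting a length that would run past the packet."""
    attrs = []
    while data:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining uses the ciphertext block
    return bytes(out)


def unhide_password(hidden, secret, request_auth):
    """Server side of 5.2: reverse the XOR chain and strip the zero padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_id, request_auth=None):
    """Client (edge firewall) -> server. Returns the packet and its Request Authenticator."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    body = encode_attrs([(ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
                         (ATTR_NAS_IDENTIFIER, nas_id)])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_auth + body, request_auth


def response_authenticator(code, identifier, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code, identifier, request_auth, secret, attrs=()):
    """Server -> client: Access-Accept or Access-Reject bound to the original request."""
    body = encode_attrs(list(attrs))
    auth = response_authenticator(code, identifier, request_auth, body, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + auth + body


def verify_response(packet, request_auth, secret):
    """Client check: a reply whose authenticator does not match the outstanding
    request and the shared secret is treated as forged and dropped."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])
```

The only thing binding the server's reply to the request is the MD5 of the packet plus the shared secret, so the secret must be long and random, and RADIUS traffic between the front-end array and the DMZ server should be confined to that segment by the firewall rules; an Access-Accept that fails `verify_response` is worth logging, since a legitimate server never produces one.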
