
Welcome to ISAserver.org


ISA Caching Server with RADIUS Authentication

ISA Caching Server with RADIUS Authentication - 26.Mar.2007 8:14:29 AM   
beeltink

 

Posts: 4
Joined: 4.Nov.2002
From: Germany
I'm currently working on configuring an ISA 2004 System.
I'm very new to ISA 2004, but so far I could figure out how to get things working.
The way the contractor wants to see it:

WWW - FW1 (NAT) - "DMZ with private IP-range" - ISA-Server - "DMZ with private IP-range" - FW2 (router) - 6 client segments.

The 1st Firewall uses NAT:
- one side is connected to the internet with a public IP address
- one side is connected to the "DMZ" with IP-range 192.168.0.0/29

The ISA-Server has 2 network cards:
- one connected to the FW1 in IP-range 192.168.0.0/29
- one connected to the FW2 in IP-range 192.168.1.0/30

The 2nd Firewall is more or less used as an advanced router with port-blocking:
- one side is connected to the "DMZ" with IP-range 192.168.1.0/30
- one side is connected to the LAN with IP-range 10.0.0.0/22

The LAN-clients connect to the ISA-Server using port 8080.
Some LAN-admin-clients connect to the ISA-Server using port 3389 for RDP.

There are no connections (not even VPN) allowed from the internet to the LAN.

At the moment, the ISA-Server is just used for caching and contains local accounts to give some users on the LAN access to the internet. However, they want to make administering internet access easier, so they're considering implementing RADIUS.

1. Can one actually speak of a DMZ in this case? I thought a server in the DMZ always has a public IP-address and is not connected through NAT.
2. Is it a good idea to use RADIUS in this case? I read something that in a scenario like this, authentication using RADIUS is done with PAP/SPAP, which is unencrypted.
3. Wouldn't it be a better idea to put the ISA-Server on the other side of Firewall 2, make it a member of the domain and use domain security groups to give clients access to the internet? That would eliminate the need to use a RADIUS-configuration and it would make the entire construct easier to administer, since then only ports 80 and 443 need to be ported from the ISA-server through the firewalls.