Internal and External Accounts
Internal and External Accounts - 13.Oct.2006 11:15:13 AM
Remy:
I am looking for ideas on how to implement a "mixed mode" authentication. We have multiple apps to publish; some of them will be accessible to AD users only, so a web listener for these is easy. Other applications are accessed by external customers, and I would like to use FBA to authenticate these but do not want their accounts in AD. I was interested in using ADAM for this, but it appears ISA only supports LDAP to the domain. What are the best options for segregating internal/external accounts and making account management as simple as possible (ideally web based; I would also be interested in a solution which would allow delegation of account management at a group level)? All thoughts are welcome; I'm sure ISA must be used in this fashion by some of you already. Best regards, Remy

RE: Internal and External Accounts - 16.Oct.2006 4:46:17 AM
Remy:
Hi Tom, I was hoping to avoid local accounts, as the ISA servers are in a DMZ which is not accessible to our account administrators. I would like to keep it that way; is there no other way of pointing to an external accounts database? Regards, Remy

RE: Internal and External Accounts - 16.Oct.2006 9:14:36 AM
tshinder:
Hi Remy, What kind of "external" accounts database? Why not use local accounts on the ISA Firewall? No one is going to break into the ISA Firewall. It is much more secure than your typical "hardware" firewall, so you don't need to worry about local accounts like you do with traditional "hardware" firewalls. Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: Internal and External Accounts - 17.Oct.2006 6:13:43 AM
Remy:
Thanks Tom. By "external accounts" I simply mean accounts created purely for access to specific applications. I want to use FBA to provide a layer of security and to utilise session-based timeouts for applications which don't natively support this. Storing the accounts on the ISA box means we have to provide a level of access to the local accounts to junior members of staff for administration. This is not something I am terribly keen on. Regards, Remy

RE: Internal and External Accounts - 18.Oct.2006 7:09:49 AM
tshinder:
Hi Remy, OK, the admin level on the ISA Firewall is a real security issue, since you have to grant security risks access to the Firewall, which we clearly don't want to do. You have three options:
- Local SAM
- AD domain membership/integrated authentication
- RADIUS authentication
- LDAP authentication
Which one do you want to use? Thanks! Tom

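Of the options Tom lists, RADIUS is the one that lets the external account store sit on its own server (in the DMZ or elsewhere) without ISA needing a directory path to it: ISA acts as a RADIUS client and only shares a secret with that server. The following is an added example, not code from this thread or from ISA Server itself: a self-contained Python model of the RFC 2865 PAP exchange between a client in ISA's position and a RADIUS server holding the external accounts. The account dictionary, user names, passwords and shared secret are constructed for the example and are not from the original page.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed account store for the "external customers" (assumption: a real
# RADIUS server would read these from its own directory or database).
EXTERNAL_ACCOUNTS = {"customer1": "S3cret!pw", "customer2": "an0ther-pass"}


def _encode_attrs(pairs):
    """Encode (type, value) pairs as RADIUS type/length/value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _decode_attrs(data):
    """Walk the attribute list, refusing lengths that run past the packet."""
    attrs = {}
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[2:length]
        data = data[length:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each chunk with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of the same chain; a wrong secret simply yields garbage bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator=None):
    """Client (ISA's role): Access-Request with a fresh 16-byte Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = _encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def radius_server(request, secret):
    """Server: decode, check the account store, answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        return None
    req_auth = request[4:20]
    attrs = _decode_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    expected = EXTERNAL_ACCOUNTS.get(user)
    ok = (expected is not None and len(hidden) > 0 and len(hidden) % 16 == 0
          and hmac.compare_digest(reveal_password(hidden, secret, req_auth), expected.encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, request, secret):
    """Client must check the Response Authenticator before believing an Access-Accept."""
    if response is None or len(response) < 20:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def authenticate(username, password, client_secret, server_secret=None):
    """One round trip; True only for a verified Access-Accept with matching secrets."""
    server_secret = client_secret if server_secret is None else server_secret
    req = build_access_request(7, username, password, client_secret)
    resp = radius_server(req, server_secret)
    return verify_response(resp, req, client_secret) and resp[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    print("good password:", authenticate("customer1", "S3cret!pw", b"shared"))
    print("bad password:", authenticate("customer1", "wrong", b"shared"))
    print("secret mismatch:", authenticate("customer1", "S3cret!pw", b"shared", b"other"))
```

The point for a DMZ placement is that the shared secret is the only thing hiding the password on the wire (an MD5 keystream, so the ISA-to-RADIUS hop belongs on a protected segment or inside a tunnel) and the only thing authenticating the reply: a client that skips verify_response can be handed a forged Access-Accept by anyone able to reach it. Mismatched secrets fail closed, which the server_secret argument of authenticate() demonstrates.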
RE: Internal and External Accounts - 18.Oct.2006 7:12:56 AM
Remy:
Ideally LDAP authentication to an ADAM source or other LDAP source (not primary AD). I was thinking about creating a new domain in the DMZ just to host accounts, but that seems a bit extreme. I can't see how LDAP works to a non-AD source, though?

RE: Internal and External Accounts - 18.Oct.2006 7:27:43 AM
Remy:
Hi Tom, the problem with that is that we don't want to store accounts in AD which only provide access to applications for our external customers. Regards, Remy

RE: Internal and External Accounts - 23.Oct.2006 4:43:58 AM
Remy:
Thanks for your time again, Tom. I will recommend that this route be taken; it might take a bit of time to convince our tech people that this is a reasonable course to take. AD does offer the simplest means of providing authentication. Pity we can't use ADAM, since this is perfectly fit for purpose. ISA 2007 team listening? Cheers, Remy

RE: Internal and External Accounts - 25.Oct.2006 8:55:47 AM
tshinder:
Hi Remy, What would be the difference between ADAM and AD in this scenario? In both cases, you have to deploy a second machine for the user accounts database. Thanks! Tom

RE: Internal and External Accounts - 25.Oct.2006 9:04:20 AM
Remy:
ADAM is a lightweight version of AD; it offers LDAP authentication and extensibility for application purposes. It's easily replicated too and doesn't interfere with day-to-day AD functionality. On another point, I would like to see ISA 2007 allow you to authenticate against DB sources (SQL etc.), where you could specify the DB schema for the account information. Remy

RE: Internal and External Accounts - 27.Oct.2006 9:27:58 AM
tshinder:
Hi Remy, Yes, I know what ADAM can do. But in this scenario, it still requires a second machine outside of the corpnet, so whether you use ADAM or AD seems immaterial. Tom
