Welcome to ISAserver.org
Slow internet access for authenticated users
Slow internet access for authenticated users - 27.Jul.2004 12:35:00 PM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
I am finding internet access for clients can be slow when set to allow only authenticated users.
I have an ISA2004 machine in its own domain with a one-way trust to my internal domain. That way the ISA server can log and control the users based on internal groups/usernames but without exposing my domain accounts on the ISA server. However, as I say, this seems to make it all pretty slow, as the client appears (SecureNAT) to try unauthenticated first, fail, then get authenticated, which all takes time.
Anyone seen anything similar and/or know how to resolve this?
Thanks
Al
Anyone seen similar or have any ideas?
RE: Slow internet access for authenticated users - 28.Jul.2004 1:18:00 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Al,
If all your rules require authentication, connection requests from SecureNAT clients should be immediately denied.
How are you configuring things so that authentication is required?
Thanks! Tom
RE: Slow internet access for authenticated users - 28.Jul.2004 4:42:00 PM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
Hi Tom
All I am doing is, against the rule to allow web access, I have the condition all authenticated users. I was assuming that they would need to be authenticated to use the firewall and hence I would capture their internal domain-based usernames (which is what appears to me to be happening).
Al
RE: Slow internet access for authenticated users - 29.Jul.2004 11:25:00 AM
penrose.l@2college.nl
Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi AWJ,
Your setup seems reasonable, but in reality it's fake security. The reason is that when someone hacks your ISA server (using the 'external' domain), he/she has full access to all traffic from and to the network, thus it's a matter of time/patience before your passwords/user IDs pass the ISA server, which gives your hacker a platform to attack your network from. Second, making the ISA anything else than ISA server costs precious CPU time, which is better spent at calculating IP packet rules than doing AD domain thingies. I reckon your PDC/ISA needs as much as 40% more CPU than when it wouldn't be PDC.
We have thought about making the ISA server a member of the domain or making it a DC of its own domain, and we couldn't find a reason to make it a DC of its own domain. You are not really 'exposing' any AD info to the internet; that's why it's a firewall, it blocks those requests. Furthermore, you should have a look at the hardening guides out there, they're pretty good (especially take a look at the MSA from Microsoft, which really really explains everything to the last detail which we didn't think of ourselves).
My advice is to put your ISA as a member server in your Active Directory, for performance issues and compatibility and management.
Kind regards, LEx P
RE: Slow internet access for authenticated users - 29.Jul.2004 12:16:00 PM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
Hi Lex/Tom
Thanks for your advice so far, please see my post on ISA server hardening in the installation section for continued saga..