Welcome to ISAserver.org

Two Internal networks with AD

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> Two Internal networks with AD

Page: [1]

Message

<< Older Topic Newer Topic >>

Two Internal networks with AD - 8.Sep.2005 5:18:00 PM

curruscanis

Posts: 8
Joined: 8.Sep.2005
Status: offline

I am trying to figure out a method in a lab enviorment two protect a very secure network with a ISA 2004 Firewall.

My lab is setup with a ISA firewall with three interfaces:
Internal / Servers Network <- secure network with Active Directory Domain controllers and other servers.

Internal / Client Network <- internal network consisting of client pc's, and other misc.

External / internet <- the internet

I am trying to setup an enviorment that will allow the client PC's that are in the second internal network to access the secure internal network only if they are members of the domain.

I have attempted installing the Firewall Client on the clients and setup an "Allow all traffic" policy between the two internal networks with the condition that the "user" must be a domain user. The ISA firewall is also a member of the Domain, allowing the creation of a domain users group identity. This so far has proved unsuccessfull as the clients attempting to connect, with or without the firewall client, do not seem pass their username credentials for access other than HTTP/HTTPS.

How do I get the clients to send their username credentials for access to ports other than HTTP? So that my clients on a different interface than my servers can authenticate and send data back and forth.

Thanks in advance... beer to the successful assistance!

Post #: 1

Featured Links*

RE: Two Internal networks with AD - 12.Sep.2005 9:40:00 AM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Currus,

You can't force authentication for intradomain communications, because the Firewall client must be able to communicate with the DC. Once authenticated, then the user can be auth'd for all other communications.

HTH,
Tom

(in reply to curruscanis)

Post #: 2

RE: Two Internal networks with AD - 12.Sep.2005 11:53:00 AM

curruscanis

Posts: 8
Joined: 8.Sep.2005
Status: offline

Thank you Tom, does that mean if I have a domain controller in the Internal Client Network that my clients can authenticate to it and then have pass through authentication using the firewall client from then on? Using all TCP / UDP ports?

It would seem from this, that I will have to use a dynamic VLAN technology like Cisco to acomplish my goals instead of ISA server.

To clarify I am attempting to secure a wired building from people plugging in that are not members of a domain. I still want to give them guest access ( internet, possible access to pubilic resources. ) but no direct secured access.

(in reply to curruscanis)

Post #: 3

RE: Two Internal networks with AD - 14.Sep.2005 7:59:00 AM

vamram

Posts: 44
Joined: 19.Dec.2003
Status: offline

Curriscanis,

Take a look at my post yesterday. I'm doing the same thing, w/out having to put a domain controller on the Client network segment.

Basically, you have to create a policy that includes the minimum necessary protocols for domain authentication that allows the All Users group, rather than domain groups, access to your Internal segment.

Create another policy and place it lower in the list for all the other protocols that are NOT needed for domain auth, but which you want the Client network to have access to. This policy can be applied to windows domain groups and will work because the user was allowed to log on by the previous rule.

Not sure my complete setup is very clean, but I have been able to restrict our Client (Dev) network to only those protocols and servers that they require access to.

Hope this helps.

JQ [Cool]