1 listener, 2 different authentication methods (Full Version)

All Forums >> [ISA 2006 Publishing] >> Exchange Publishing



Message


rosscoid -> 1 listener, 2 different authentication methods (13.Oct.2006 6:59:05 AM)

I am publishing an Exchange server through ISA2006 and would like to make OWA and ActiveSync available to the outside world.  This in itself is no problem and works great with forms based authentication.

However, we have a RADIUS server (2-factor solution - one time password) that I would like to use to further secure the OWA access, so for the listener properties I change the 'authentication validation method' to RADIUS OTP and tick the 'collect additional delegation credentials in the form' and this works brilliantly for OWA, but it breaks ActiveSync from my Windows Mobile 5 clients.  I guess this problem occurs because the mobile clients are also being asked for a OTP which I don't want to happen, since they just need to use basic authentication with their cached AD credentials.

So, is it possible to define these 2 different authentication methods in one listener / IP address?  Or is there a better way to acheive what I am trying to do?

Thanks for any advice.





simek -> RE: 1 listener, 2 different authentication methods (13.Oct.2006 8:10:20 AM)

Have you considered Kerberos delegation, that way all that the user would require to provide is the OTP and no domain password - this works for OWA. I'm not really sure if Kerberos would work for EAS.

But i Think you could use one listener, just add a publishing rule, with a different auhentication delegation for the EAS.
What kind of credential delegation do you have defined now?

Rgrds

S




rosscoid -> RE: 1 listener, 2 different authentication methods (13.Oct.2006 10:52:40 AM)

Thanks for the reponse simek.  I've not tried using Kerberos delegation before, and if I'm honest having read a few technotes and looking at the settings / help about it in ISA it sounds complicated.

Not sure that I can use the same listener because the RADIUS OTP setting is within the listener's properties.  I'd need one rule using Active Directory (for ActiveSync) and one rule using RADIUS OTP (for OWA) that would have to be 2 different listeners, but it's not possible for 2 listeners to listen on the same IP address and port (HTTPS).  So, I could use different IP addresses for each listener, but that means different certificates, and I'm not sure if it's possible to then bridge to a single IIS server (which only has 1 certificate).

?




Page: [1]