Internal and External Accounts

All Forums >> [ISA 2006 Publishing] >> Web Publishing





Remy -> Internal and External Accounts (13.Oct.2006 11:15:13 AM)

I am looking for ideas on how to implement a "mixed mode" authentication. We have multiple apps to publish, some of them will be accessible to AD users only so a weblistener for these is easy.
 
Other applications are accessed by external customers and I would like to use FBA to authenticate these but do not want their accounts in AD. I was interested in using ADAM for this but it appears ISA only supports LDAP to the domain.
 
What are the best options for segregating internal/external accounts and making account management as simple as possible (ideally web based, would also be interested in a solution which would allow delegations of account management at a group level?)
 
All thoughts are welcome, I'm sure ISA must be used in this fashion by some of you already.
 
best regards,
Remy




tshinder -> RE: Internal and External Accounts (15.Oct.2006 2:40:02 PM)

Hi Remy,

You can create local accounts on the ISA Firewall for the external users.

HTH,
Tom




Remy -> RE: Internal and External Accounts (16.Oct.2006 4:46:17 AM)

Hi Tom,

I was hoping to avoid local accounts as the ISA servers are in a DMZ which is not accessible to our account administrators. I would like to keep it that way; is there no other way of pointing to an external accounts database?

regards,
Remy




tshinder -> RE: Internal and External Accounts (16.Oct.2006 9:14:36 AM)

Hi Remy,

What kind of "external" accounts database?

Why not use local accounts on the ISA Firewall? No one is going to break into the ISA Firewall. It is much more secure than your typical "hardware" firewall, so you don't need to worry about local accounts like you do with traditional "hardware" firewalls.

Tom




Remy -> RE: Internal and External Accounts (17.Oct.2006 6:13:43 AM)

Thanks Tom,

by "external accounts" I simply mean accounts created purely for access to specific applications. I want to use FBA to provide a layer of security and to utilise session-based timeouts for applications which don't natively support this.

Storing the accounts on the ISA box means we have to provide a level of access to the local accounts to junior members of staff for administration. This is not something I am terribly keen on.

regards,
Remy




tshinder -> RE: Internal and External Accounts (18.Oct.2006 7:09:49 AM)

Hi Remy,

OK, the admin level on the ISA Firewall is a real security issue, since you have to grant security risks access to the Firewall, which we clearly don't want to do.

You have three options:

Local SAM
AD domain membership/integrated authentication
RADIUS authentication
LDAP authentication

Which one do you want to use?

Thanks!
Tom




Remy -> RE: Internal and External Accounts (18.Oct.2006 7:12:56 AM)

Ideally LDAP authentication to an ADAM source or other LDAP source (not primary AD). I was thinking about creating a new domain in the DMZ just to host accounts, but that seems a bit extreme.

I can't see how LDAP works to a non-AD source though?




tshinder -> RE: Internal and External Accounts (18.Oct.2006 7:25:12 AM)

Hi Remy,

How about using LDAP to the Internal AD? I do that very often with no adverse security implications.

HTH,
Tom




Remy -> RE: Internal and External Accounts (18.Oct.2006 7:27:43 AM)

Hi Tom,

the problem with that is that we don't want to store accounts in AD which only provide access to applications for our external customers.

regards,
Remy




tshinder -> RE: Internal and External Accounts (21.Oct.2006 12:59:58 PM)

Hi Remy,

I suppose you could create a DC to store only those accounts, which would be separate from your internal domain accounts.

Tom




Remy -> RE: Internal and External Accounts (23.Oct.2006 4:43:58 AM)

Thanks for your time again Tom.

I will recommend that this route be taken, might take a bit of time to convince our tech people that this is a reasonable course to take. AD does offer the simplest means of providing authentication, pity we can't use ADAM since this is perfectly fit for purpose - ISA 2007 team listening????

cheers,
Remy




tshinder -> RE: Internal and External Accounts (25.Oct.2006 8:55:47 AM)

Hi Remy,

What would be the difference between ADAM and AD in this scenario? In both cases, you have to deploy a second machine for the user accounts database.

Thanks!
Tom




Remy -> RE: Internal and External Accounts (25.Oct.2006 9:04:20 AM)

ADAM is a lightweight version of AD; it offers LDAP authentication and extensibility for application purposes. It's easily replicated too and doesn't interfere with day-to-day AD functionality.

On another point, I would like to see ISA 2007 allow you to authenticate against DB sources (SQL etc.) where you could specify the DB schema for the account information.

Remy




tshinder -> RE: Internal and External Accounts (27.Oct.2006 9:27:58 AM)

Hi Remy,

Yes, I know what ADAM can do. But in this scenario, it still requires a second machine outside of the corpnet, so whether you use ADAM or AD seems immaterial.

Tom



