I am looking for ideas on how to implement a "mixed mode" authentication. We have multiple apps to publish, some of them will be accessible to AD users only so a weblistener for these is easy.
Other applications are accessed by external customers and I would like to use FBA to authenticate these but do not want their accounts in AD. I was interested in using ADAM for this but it appears ISA only supports LDAP to the domain.
What are the best options for segregating internal/external accounts and making account management as simple as possible (ideally web based; would also be interested in a solution which would allow delegation of account management at a group level)?
All thoughts are welcome, I'm sure ISA must be used in this fashion by some of you already.
Was hoping to avoid local accounts as the ISA servers are in a DMZ which is not accessible to our account administrators. I would like to keep it that way; is there no other way of pointing to an external accounts database?
Why not use local accounts on the ISA Firewall? No one is going to break into the ISA Firewall. It's much more secure than your typical "hardware" firewall, so you don't need to worry about local accounts like you do with traditional "hardware" firewalls.
By "external accounts" I simply mean accounts created purely for access to specific applications. I want to use FBA to provide a layer of security and to utilise session-based timeouts for applications which don't natively support this.
Storing the accounts on the ISA box means we have to provide a level of access to the local accounts to junior members of staff for administration. This is not something I am terribly keen on.
OK, the admin level on the ISA Firewall is a real security issue, since you have to grant security risks access to the Firewall, which we clearly don't want to do.
You have three options:
- Local SAM
- AD domain membership/integrated authentication
- RADIUS authentication
- LDAP authentication
Ideally LDAP authentication to an ADAM source or other LDAP source (not primary AD). Was thinking about creating a new domain in the DMZ just to host accounts, but that seems a bit extreme.
I can't see how LDAP works to non AD source though?
I will recommend that this route be taken; it might take a bit of time to convince our tech people that this is a reasonable course to take. AD does offer the simplest means of providing authentication, pity we can't use ADAM since this is perfectly fit for purpose - ISA 2007 team listening????
ADAM is a lightweight version of AD; it offers LDAP authentication and extensibility for application purposes. It's easily replicated too and doesn't interfere with day-to-day AD functionality.
On another point, I would like to see ISA 2007 allow you to authenticate against DB sources (SQL, etc.) where you could specify the DB schema for the account information.
Yes, I know what ADAM can do. But in this scenario, it still requires a second machine outside of the corpnet, so whether you use ADAM or AD seems immaterial.