
Welcome to ISAserver.org


dmz publish webserver Ad authentication

dmz publish webserver Ad authentication - 20.Nov.2006 3:19:40 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
I am currently looking for a solution to get AD authentication for webservers that reside in the DMZ.
These servers will stay standalone servers.

The company only wants users to authenticate first before they can get to resources or information that resides on the webservers in the DMZ.
Making these servers a member of AD is no solution, because the internal firewall between intranet and DMZ will look like "Swiss cheese".

What I am thinking of is to put a couple of standalone unihomed (ISA servers may not be connected to the internet directly, company policy) ISA 2006 servers in the DMZ and let them do AD authentication with web publishing.

Does anyone have any experience with this setup?

We are also looking at ADFS, but we are not too happy with that product.
Post #: 1
RE: dmz publish webserver Ad authentication - 20.Nov.2006 9:53:32 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,

Whoever made the Swiss cheese statement is an IDIOT who doesn't know his arse from a hole in the ground. (even if I was the one who said it at one time).

That argument is NOT valid, and do NOT accept it as a valid security issue.

Now that you know this, what would you like to accomplish?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theRob)
Post #: 2
RE: dmz publish webserver Ad authentication - 20.Nov.2006 11:26:12 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
Hi Thomas,

I also consider making servers that reside in the DMZ members of AD on the intranet a bad idea.
You have to open a lot of ports to get this done.

Also, not all servers in the DMZ will be Microsoft-only servers.
So the design has to be as flexible as possible and also secure.

That's why I am looking at ISA 2006 to do the authentication before a user can access a webserver.

Regards,

Rob

(in reply to tshinder)
Post #: 3
RE: dmz publish webserver Ad authentication - 4.Dec.2006 10:55:30 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,

Four ports is a lot of ports? Not in my book.

Keep in mind that the domain members in a DMZ are in an authenticated access DMZ. I wouldn't put them in an anonymous access DMZ.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theRob)
Post #: 4
RE: dmz publish webserver Ad authentication - 4.Dec.2006 5:11:01 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Using LDAP authentication provides a reasonable compromise solution. Check out Tom's recent articles.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 5
