I am trying to use LDAP (on an AD server) for authentication for an access rule on my ISA 2006 server. However, when I add an LDAP-based user set (which I named "ldapusers") and try to apply the rule, I get this error message:
"The authentication method (LDAP) selected for user set ldapusers is not valid for an access rule. The rule cannot be saved until you change the authentication method or select a different user set."
Does this mean I can't use LDAP for access rule authentication? That would be pretty worthless!
I just ran into the same issue. The ISA 2006 is being used as forward and reverse proxy in a DMZ. Sorry, dear ISA lovers, but this company didn't want to throw out their Check Point investment. We had to create a domain in the DMZ and create a trust between it and the internal Windows domain. Then we could use Windows authentication. If LDAP had been possible, it would have been just the ldap_gc port and that's it.
To make a trust between 2 Windows domains separated by a firewall you have to open up lots of ports, including the TCP 1024-65535 range (KB 179442) for the LSA RPC services... why thank you, Microsoft. You are supposed to be able to limit this to a range, but this appears to have to be done on the internal DC as well, which we didn't want to touch. Gah... that a trust relationship punches such a hole in the firewall makes me mad... If anyone can give me a nice link to how it can be done, please let me know.
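Narrowing that 1024-65535 hole comes down to pinning the RPC ports the domain controller uses, which is a per-DC registry change on both sides of the trust. The script below is an added example, not something posted in this thread; it uses the registry values Microsoft documents for restricting the RPC dynamic range (KB 154596) and for fixing the AD replication and Netlogon RPC ports (KB 224196). The port numbers are constructed examples, and every DC must be rebooted after the change.

```powershell
# Added example (not from the thread): pin the RPC ports a domain controller uses
# so the trust-related firewall rules can be narrowed to a small range instead of
# TCP 1024-65535. Run on every DC on both sides of the trust; a reboot is required.
# Port choices are constructed examples. Keys follow Microsoft KB 154596 (RPC
# dynamic range) and KB 224196 (fixed NTDS and Netlogon RPC ports).

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$NtdsKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NetlogonKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-DcRpcPortRange {
    param(
        [string]$DynamicRange = '50000-50100',   # constructed example range for dynamic RPC
        [int]$NtdsPort        = 50200,           # fixed AD replication (NTDS) RPC port
        [int]$NetlogonPort    = 50201            # fixed Netlogon RPC port
    )
    # The Rpc\Internet key does not exist by default; create it first.
    if (-not (Test-Path $RpcInternetKey)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
    }
    # Restrict the dynamic RPC endpoint range (REG_MULTI_SZ, one range per entry).
    Set-ItemProperty -Path $RpcInternetKey -Name 'Ports' -Value @($DynamicRange) -Type MultiString
    Set-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
    Set-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' -Value 'Y' -Type String
    # Pin the two services the trust depends on to fixed ports.
    Set-ItemProperty -Path $NtdsKey     -Name 'TCP/IP Port' -Value $NtdsPort     -Type DWord
    Set-ItemProperty -Path $NetlogonKey -Name 'DCTcpipPort' -Value $NetlogonPort -Type DWord
}

function Get-DcRpcPortConfig {
    # Read back the configured values so the firewall rule set can be checked against them.
    [pscustomobject]@{
        DynamicRange = (Get-ItemProperty -Path $RpcInternetKey -ErrorAction SilentlyContinue).Ports
        NtdsPort     = (Get-ItemProperty -Path $NtdsKey -ErrorAction SilentlyContinue).'TCP/IP Port'
        NetlogonPort = (Get-ItemProperty -Path $NetlogonKey -ErrorAction SilentlyContinue).DCTcpipPort
    }
}

Set-DcRpcPortRange
Get-DcRpcPortConfig | Format-List
```

With this in place the firewall between the DMZ domain and the internal domain only needs the chosen range plus the fixed ports above, in addition to the RPC endpoint mapper (TCP 135) and the other fixed trust ports listed in KB 179442; the rest of the 1024-65535 range can stay closed.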
I would have made the ISA Firewall a parallel firewall or a back-to-back firewall, so that the ISA Firewall would be a domain member. I've done this in hundreds of installations and never had a security issue. Not one -- and I look for them hard.
Tom, thanks for the reply. We could indeed have done that. But then all the current VPN tunnels and access to internal servers would pass through ISA too. This means 2 firewalls would have to be made redundant because they are two SPOFs. Of course arrays and clustering are possible, but this comes at a price.
I am also wondering a bit how ISA would handle traffic on ports it doesn't know. That fear is partly why we didn't choose that setup. In ISA 2000, saying "all ports" didn't mean all ports, it meant "all ports that ISA knows". Is unidentified traffic treated better now? I assume so, but well... I am not 100% certain.
That's a good question. It's not supposed to, but a few people have reported that SecureNAT clients will support all protocols (as long as they don't require secondary connections) when you create an All Open rule.