Can ldap be used for Access Rule Authentication?

Can ldap be used for Access Rule Authentication? - 5.Mar.2007 3:37:59 PM   
emypeople

 

Posts: 2
Joined: 5.Mar.2007
Status: offline
I am trying to use LDAP (on an AD server) for authentication for an access rule on my ISA 2006
server. However, when I add an ldap based user group (which I named
"ldapusers") and try to apply the rule, I get this error message:

"The authentication method (LDAP) selected for user set ldapusers is not
valid for an access rule.
The rule cannot be saved until you change the authentication method or
select a different user set."

Does this mean I can't use LDAP for access rule authentication? That would be pretty worthless!

Thanks,
Darrell
Post #: 1
RE: Can ldap be used for Access Rule Authentication? - 10.Mar.2007 10:49:46 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
No. Join the ISA Firewall to the domain to get group authentication. I always do.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to emypeople)
Post #: 2
RE: Can ldap be used for Access Rule Authentication? - 29.Mar.2007 8:22:03 AM   
Jeroen_317

 

Posts: 75
Joined: 18.Dec.2002
From: Belgium
Status: offline
Darrell,

I just ran into the same issue.
The ISA 2006 is being used as forward and reverse proxy in a DMZ. Sorry dear ISA lovers but this company didn't want to throw out their Check Point investment.
We had to create a domain in the DMZ and create a trust between it and the internal Windows domain.
Then we could use windows authentication. If LDAP would've been possible, then it would've been the ldap_gc port and that's it.

To make a trust between 2 Windows domains separated by a firewall you have to open up lots of ports, including the TCP 1024-65535 range (KB 179442) for the LSA RPC services...why thank you Microsoft. You are supposed to be able to limit this to a range, but this appears to have to be done also on the internal DC, which we didn't want to touch. Gah...that a trust relationship punches such a hole in the firewall makes me mad...If anyone can give me a nice link to how it can be done please let me know.

LDAP would've been so great there...

J.

(in reply to emypeople)
Post #: 3
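As an added example (not part of Jeroen's post and not taken from the thread), this is how the RPC dynamic port range he mentions can be pinned on a Windows 2003-era DC through the Rpc\Internet registry key, so the firewall only needs that range open instead of TCP 1024-65535; the range 5000-5100 and the function names are assumptions.

```powershell
# Added example: pin the dynamic RPC port range on a domain controller so the
# trust across the firewall does not require TCP 1024-65535. The DC must be
# rebooted afterwards, and the change applies to every RPC server on the box.
$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcDynamicPortRange {
    param([Parameter(Mandatory)][string]$Range)   # assumed example: '5000-5100'
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    # 'Ports' is REG_MULTI_SZ; the two flags are REG_SZ and must be 'Y'.
    Set-ItemProperty -Path $RpcKey -Name 'Ports' -Value @($Range) -Type MultiString
    Set-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
    Set-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -Value 'Y' -Type String
}

function Test-RpcDynamicPortRange {
    # Read the key back and confirm every configured range is well formed and
    # sits in the unprivileged port space; returns $false on any problem.
    if (-not (Test-Path $RpcKey)) { return $false }
    $p = Get-ItemProperty -Path $RpcKey
    if ($p.PortsInternetAvailable -ne 'Y' -or $p.UseInternetPorts -ne 'Y') { return $false }
    foreach ($r in $p.Ports) {
        if ($r -notmatch '^(\d+)-(\d+)$') { return $false }
        $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
        if ($lo -lt 1024 -or $hi -gt 65535 -or $lo -gt $hi) { return $false }
    }
    return $true
}

Set-RpcDynamicPortRange -Range '5000-5100'
if (Test-RpcDynamicPortRange) {
    $ports = (Get-ItemProperty -Path $RpcKey).Ports -join ','
    Write-Output "RPC dynamic ports pinned to $ports; reboot the DC, then open only that range plus the fixed trust ports on the firewall."
}
```

The range has to be large enough for every RPC service on the DC, not just LSA, and the same setting is needed on both sides of the trust, which is exactly the internal-DC change the post describes.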
RE: Can ldap be used for Access Rule Authentication? - 29.Mar.2007 4:00:42 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
I would have made the ISA Firewall a parallel firewall or a back-to-back firewall, so that the ISA Firewall would be a domain member. I've done this in hundreds of installations and never had a security issue. Not one -- and I look for them hard.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jeroen_317)
Post #: 4
RE: Can ldap be used for Access Rule Authentication? - 30.Mar.2007 3:36:09 AM   
Jeroen_317

 

Posts: 75
Joined: 18.Dec.2002
From: Belgium
Status: offline
Tom,
thanks for the reply. We could indeed have done that. But then all the current VPN tunnels and access to internal servers would pass through ISA too. This means 2 firewalls would have to be made redundant because they are two SPOFs. Of course arrays and clustering are possible but this comes at a price.

I am also wondering a bit how ISA would handle traffic on ports it doesn't know.
It's partly out of that fear that we didn't choose that setup. In ISA 2000 saying "all ports" didn't mean all ports but "all ports that ISA knows". Is unidentified traffic treated better now? I assume this but well...I am not 100% certain.

Tnx,
J.

(in reply to tshinder)
Post #: 5
RE: Can ldap be used for Access Rule Authentication? - 1.Apr.2007 11:37:03 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeroen,

That's a good question. It's not supposed to, but a few people have reported that SecureNAT clients will support all protocols (as long as they don't require secondary connections) when you create an All Open rule.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jeroen_317)
Post #: 6
