ISA Caching Server with RADIUS Authentication (Full Version)






beeltink -> ISA Caching Server with RADIUS Authentication (26.Mar.2007 8:14:29 AM)

I'm currently working on configuring an ISA 2004 System.
I'm very new to ISA 2004, but so far I could figure out how to get things working.
The way the contractor wants to see it:

WWW - FW1 (NAT) - "DMZ with private IP-range" - ISA-Server - "DMZ with private IP-range" - FW2 (router) - 6 client segments.

The 1st Firewall uses NAT:
- one side is connected to the internet with a public IP address
- one side is connected to the "DMZ" with IP-range 192.168.0.0/29

The ISA-Server has 2 network cards:
- one connected to the FW1 in IP-range 192.168.0.0/29
- one connected to the FW2 in IP-range 192.168.1.0/30

The 2nd Firewall is more or less used as an advanced router with port-blocking:
- one side is connected to the "DMZ" with IP-range 192.168.1.0/30
- one side is connected to the LAN with IP-range 10.0.0.0/22

The LAN-clients connect to the ISA-Server using port 8080.
Some LAN-admin-clients connect to the ISA-Server using port 3389 for RDP.

There are no connections (not even VPN) allowed from the internet to the LAN.

At the moment, the ISA-Server is just used for caching and contains local accounts to give some users on the LAN access to the internet. However, they want to make administering internet access easier, so they're considering implementing RADIUS.

1. Can one actually speak of a DMZ in this case? I thought a server in the DMZ always has a public IP address and is not connected through NAT.
2. Is it a good idea to use RADIUS in this case? I read something that in a scenario like this, authentication using RADIUS is done with PAP/SPAP, which is unencrypted.
3. Wouldn't it be a better idea to put the ISA-Server on the other side of Firewall 2, make it a member of the domain and use domain security groups to give clients access to the internet? That would eliminate the need to use a RADIUS-configuration and it would make the entire construct easier to administer, since then only ports 80 and 443 need to be ported from the ISA-server through the firewalls.
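Question 2 above turns on how much protection a PAP password actually gets when the ISA server forwards it to a RADIUS server. The following added example (not from the original post, and not Microsoft's or any RADIUS vendor's code) implements the User-Password hiding from RFC 2865 section 5.2 so the point can be checked concretely: the password is XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, nothing more. The shared secret, the authenticator values and the sample password are constructed for the demonstration. Running it shows three things a defender should weigh when placing the RADIUS server relative to FW2: the hidden value is reversible by anyone holding the shared secret, the ciphertext length reveals the password length rounded up to 16 bytes, and a reused Request Authenticator produces identical ciphertext for identical passwords.

```python
import hashlib

# Constructed sample values for the demonstration (not taken from the post).
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")
OTHER_AUTHENTICATOR = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def _xor16(a: bytes, b: bytes) -> bytes:
    """XOR two 16-byte blocks."""
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as a RADIUS client (the NAS) does it.

    c1 = p1 XOR MD5(secret + RequestAuthenticator)
    cn = pn XOR MD5(secret + c(n-1))
    This is the only protection a PAP password gets on the wire.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    # Pad with NUL bytes to a multiple of 16; the padded length is visible on the wire.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    chain = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + chain).digest()
        block = _xor16(padded[i:i + 16], keystream)
        hidden += block
        chain = block  # each block keys the next one
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Reverse the hiding, as the RADIUS server does to check the password.

    Anyone holding the shared secret and a copy of the Access-Request can do
    the same, which is why the ISA-to-RADIUS path must be a trusted segment.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    revealed = bytearray()
    chain = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + chain).digest()
        block = hidden[i:i + 16]
        revealed += _xor16(block, keystream)
        chain = block
    # Strip the NUL padding; RADIUS passwords cannot end in NUL bytes.
    return bytes(revealed).rstrip(b"\x00")


def hidden_length_for(password: bytes) -> int:
    """Length of the on-wire value: the password length rounded up to 16, leaked to any observer."""
    return len(hide_user_password(password, SHARED_SECRET, REQUEST_AUTHENTICATOR))


if __name__ == "__main__":
    pw = b"S3cret-Pa55"
    on_wire = hide_user_password(pw, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("hidden (hex):", on_wire.hex())
    print("server recovers:", reveal_user_password(on_wire, SHARED_SECRET, REQUEST_AUTHENTICATOR))
    print("same authenticator reused -> same ciphertext:",
          hide_user_password(pw, SHARED_SECRET, REQUEST_AUTHENTICATOR) == on_wire)
```

The practical reading for the topology in the post: whichever side of FW2 the RADIUS server ends up on, the Access-Request carrying the PAP password should only cross links the contractor already trusts, the shared secret should be long and random because it is the only key material in play, and the ISA server must generate a fresh random Request Authenticator per request. Question 3's alternative (domain membership and domain security groups) avoids carrying the password in this form at all.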
