Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Network Ports for communication with Active Directory?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> Installation and Planning >> Network Ports for communication with Active Directory? Page: [1]
Login
Message << Older Topic   Newer Topic >>
Network Ports for communication with Active Directory? - 23.Jan.2008 4:23:55 PM   
goarora

 

Posts: 1
Joined: 23.Jan.2008
Status: offline
Currently there are no ISA Servers in my company's network environment.  I am interested in deploying ISA Server 2006 in our DMZ to securely publish ActiveSync using Exchange Server 2003 Service Pack 2.

After some research and testing I realized that in order to use SSL Client Certificate Authentication & Kerberos Constrained Delegation, I MUST join the ISA Server to an Active Directory Domain which also hosts our PKI and Exchange Servers.

I reviewed Steve Riley and Thomas Shinder's articles about why it is OK to join ISA Server to Active Directory, and am trying to present potential solutions to our company's security team.

Here are three areas where I would like to seek some guidance:
  1. ISA Server 2006 will be deployed in our DMZ between two firewalls (non-Microsoft).  I would like to know what network ports need to be opened on the internal firewall to allow traffic between ISA Server in the DMZ and the internal network (considering that ISA Server will be joined to Active Directory), i.e., what ports (minimum) are required to permit communications with Active Directory?
  2. For a risk-averse company - would you recommend a back-to-back ISA Server deployment where only the back-end ISA Server is joined to the domain?  Would this architecture still permit usage of SSL Client Certificate Authentication and KCD?
  3. This one is a stretch so don't shoot me: Could I deploy ISA Server 2006 in its own Forest in the DMZ and create a Trust between the Two Forests using Selective Authentication?  Would this solution allow me to use SSL Client Certificate Authentication and KCD?

Any help or guidance will be greatly appreciated.

Regards,

Sanjeev
Post #: 1
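As an added example (not from the thread or from either poster): a small Python check, run from the DMZ host, that probes the baseline TCP ports a domain member needs to reach on an internal domain controller and lists which ones the internal firewall still blocks. The port list is the well-known AD baseline rather than one stated on the page, and the DC name and the `probe` hook are assumptions.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Baseline TCP ports a domain-joined member (such as an ISA Server in the DMZ)
# needs to reach on internal domain controllers. Well-known AD baseline, not a
# list taken from the thread. UDP counterparts (53, 88, 123, 389) and the
# dynamic RPC range negotiated via the 135 endpoint mapper are not probed here.
AD_TCP_PORTS: List[Tuple[int, str]] = [
    (53, "DNS"),
    (88, "Kerberos"),
    (135, "RPC endpoint mapper"),
    (389, "LDAP"),
    (445, "SMB (Netlogon, Group Policy, SYSVOL)"),
    (464, "Kerberos password change"),
    (636, "LDAP over SSL"),
    (3268, "Global Catalog"),
    (3269, "Global Catalog over SSL"),
]

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(dc: str, probe: Probe = tcp_probe) -> Dict[int, bool]:
    """Probe each baseline port on one DC; returns {port: reachable}."""
    return {port: probe(dc, port) for port, _ in AD_TCP_PORTS}


def blocked_ports(results: Dict[int, bool]) -> List[str]:
    """Describe the services whose port the internal firewall is still blocking."""
    names = dict(AD_TCP_PORTS)
    return [f"{p}/tcp {names[p]}" for p, ok in results.items() if not ok]


if __name__ == "__main__":
    import sys
    dc_host = sys.argv[1] if len(sys.argv) > 1 else "dc1.corp.example"  # placeholder DC name
    res = check_dc_ports(dc_host)
    for port, ok in res.items():
        print(f"{port:>5}/tcp {'open' if ok else 'BLOCKED'}")
    missing = blocked_ports(res)
    if missing:
        print("Firewall rules still needed for:", ", ".join(missing))
```

Run it from the DMZ host against each internal DC; anything reported as BLOCKED is a rule the internal firewall still needs before the domain join will work.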
RE: Network Ports for communication with Active Directory? - 29.Jan.2008 6:39:07 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
  1. ISA Server 2006 will be deployed in our DMZ between two firewalls (non-Microsoft).  I would like to know what network ports need to be opened on the internal firewall to allow traffic between ISA Server in the DMZ and the internal network (considering that ISA Server will be joined to Active Directory). i.e. What ports (minimum) are required to permit communications with Active Directory?
    TOM: The back end firewall should be an ISA Firewall. There's no reason to expose the back-end ISA Firewall to the security issues that might exist with that firewall. Also, it's important to bring the most secure firewall closest to the assets being protected, so if you're going to use three firewalls, put the packet filtering firewalls in front of the back-end ISA Firewall.
  2. For a risk-averse company - would you recommend a back-to-back ISA Server deployment where only the back-end ISA Server is joined to the domain?  Would this architecture still permit usage of SSL Client Certificate Authentication and KCD?
    TOM: In general, I don't join the front-end ISA Firewall to the domain, since it's really not required. Note that there are no security issues being addressed here -- domain membership is in general the more secure configuration, but if you're not going to leverage any of the domain membership security features on the front-end, why extend the domain to the edge? Having the back-end ISA Firewalls as domain members will provide the security feature set you need to have a superior level of protection over the packet filtering firewalls you might have in place now.
  3. This one is a stretch so don't shoot me: Could I deploy ISA Server 2006 in its own Forest in the DMZ and create a Trust between the Two Forests using Selective Authentication?  Would this solution allow me to use SSL Client Certificate Authentication and KCD?
    TOM: No, bad bad, very bad idea. There are a lot of reasons why this is a bad idea, but that's the subject for another article. Do this only at your own risk and don't be surprised when it blows up and no one will be able to fix it :)
HTH,

Tom


_____________________________

Thomas W Shinder, M.D.

(in reply to goarora)
Post #: 2