Welcome to ISAserver.org

All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> How best to publish with a very tight policy
How best to publish with a very tight policy - 3.Jun.2009 12:40:51 PM   
ogcsmith
Posts: 5
Joined: 21.Feb.2007
Status: offline
Okay, this is the deal. The company has a crazy strict policy about what can be put on the DMZ and what traffic is allowed from the DMZ to the Internal network.

So I have the go-ahead for an ISA 2006 in the DMZ. However, it can't be a domain member (yes, I have shown them Tom's article, still no go!!).

I have set up a single-NIC ISA in the test bubble and configured all the SSL, which is great. However, I'm now trying to work out the best way of doing secure authentication. I have tried RADIUS and LDAP authentication, which I can get working, but I'm worried these will not get through the security folk. I know that RADIUS with ISA only uses PAP, and I don't think the LDAP traffic is encrypted.

Anyone have any advice on this? I mean, someone would have to be sniffing the traffic from the DMZ to the Internal LAN for this to be an issue (I think), but the security folk might still deny it.

I have thought about possibly doing an IPSEC tunnel or even using LDAPS (assuming this is possible), but this does seem like overkill to me :)
Post #: 1
RE: How best to publish with a very tight policy - 3.Jun.2009 2:32:03 PM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
The best solution (as you alluded to) for this typical scenario is to use LDAPS for authentication. This is a requirement for the password change feature of HTML forms if you choose to use it, as MS dictate that password changes must be done over a secure connection.

For general authentication, you can use either LDAP or LDAPS, but LDAPS is generally recommended and would probably be requested/preferred by your security folk. RADIUS is a non-starter IMHO.

LDAPS isn't so complicated, especially if you have a Microsoft Enterprise CA, as the DCs will already have certs. If not, it's not too hard to purchase and install them from a public CA: http://support.microsoft.com/kb/321051

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ogcsmith)
Post #: 2
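Before pointing a non-domain ISA server at a DC over LDAPS, it helps to confirm from the ISA box itself that TCP 636 answers, that the handshake completes against that machine's own trusted roots, and that the DC certificate carries the name and Server Authentication EKU the KB article calls for. The script below is an added example, not code from the thread or from Microsoft; the DC name is a placeholder.

```powershell
# Added example: check a DC's LDAPS endpoint as a non-domain ISA server sees it.
# Run this ON the ISA box so the chain is validated against its own Trusted Root store.
# $DcFqdn is a placeholder; use the name ISA will be configured with, since that
# name must appear in the certificate's Subject or SAN for the handshake to succeed.
param(
    [string]$DcFqdn = "dc01.corp.example.local",
    [int]$Port = 636
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU (required on a DC cert)
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DcFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    # Throws AuthenticationException when the chain does not end at a root this
    # machine trusts, or when $DcFqdn does not match the certificate.
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate

    "LDAPS handshake OK with {0}:{1} ({2}, {3}-bit {4})" -f $DcFqdn, $Port, $ssl.SslProtocol, $ssl.CipherStrength, $ssl.CipherAlgorithm
    "Subject : " + $cert.Subject
    "Issuer  : " + $cert.Issuer
    "Expires : " + $cert.NotAfter
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) { "SAN     : " + $san.Format($false) }

    # Without the Server Authentication EKU the DC will not even offer LDAPS.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    if (-not $hasServerAuth) { Write-Warning "Certificate lacks the Server Authentication EKU" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires within 30 days" }
}
catch [System.Security.Authentication.AuthenticationException] {
    Write-Warning ("Handshake failed: " + $_.Exception.Message)
    Write-Warning "Import the issuing CA's root into this machine's Trusted Root Certification Authorities (Local Computer) store and re-run."
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}
```

Repeat the check for every DC the ISA LDAP server set will contain; a single DC with a missing or mis-named certificate will cause intermittent authentication failures once ISA rotates to it.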
