noddles -> Domain Authentication (13.Jul.2011 11:52:32 AM)

Hello Guys,
Please, I am having a serious problem.

I want to lock down my network and enable only domain users access to any network resource (any of my Servers and Internet).

On my network, I am running ISA Server 2006 (SP1) and Server 2003 Std. I have a domain which my users log into. I joined the ISA Server to XXX domain (to enable the machine to pull user accounts).

Please can anyone help me with the correct steps to enable only XXXX Domain users to access the network. I know I have to change the Users tab from All Users to a specified user, but I can't see where ISA allows OUs. Even if I add a group, and maybe later I add a new person to the domain, I have to go to the ISA and re-add that user before he / she can access the network.

I think I am doing something wrong.

renatomarson -> RE: Domain Authentication (13.Jul.2011 4:30:40 PM)

Hi Noddles,

On ISA Server, go to Firewall Policy. On the right panel, you'll find the Toolbox tab.

In the Toolbox, go to Users -> New and create a new group name; on the next step you'll be able to choose which AD group you want to add to this group that you created.

So, when you add a new user to that group in AD, this user will be automatically added to this group that you created.

In the access rules, replace All Users with the group you created.


Renato Marson Pagan

noddles -> RE: Domain Authentication (15.Jul.2011 2:20:20 PM)

Hi renatomarson,
I am very grateful for your assistance, it worked. I actually thought that the ISA would lift the OUs I created on the Domain controller, but I used your advice and it's working.

I created a security group and added everyone in my domain to that group; now on the ISA I changed All Users to the group I created on the Domain controller. Now, for any request that comes through the ISA, it looks at the group members on the DC and either allows or denies access. But it also means that anytime I create a user on the DC, I must add the user to that security group. A little bit tasking but manageable.

Or, does anyone have any other ideas?


renatomarson -> RE: Domain Authentication (15.Jul.2011 2:45:04 PM)

Hi Noodles.

On ISA and TMG there is a built-in group called All Authenticated Users.

If you choose this group instead of All Users, the TMG will request authentication from all users and you don't need to add the users to any group.


noddles -> RE: Domain Authentication (15.Jul.2011 3:05:03 PM)

Hi renatomarson,
Is there anywhere on the ISA I can specify where the authentication should come from?

renatomarson -> RE: Domain Authentication (15.Jul.2011 3:26:53 PM)


If your ISA is a domain member, you can use Domain Users.

Or you can configure RADIUS or LDAP servers.

On the left panel, go to General -> Specify RADIUS and LDAP Servers.

After you configure RADIUS or LDAP, you can use these servers to authenticate users.

noddles -> RE: Domain Authentication (17.Jul.2011 4:15:56 PM)

Hi renatomarson and everyone,
I am still having problems with my ISA Server. Now on my HQ ISA, the security group I created works very well. All I have to do is add users to the security group on my DC and immediately they can access my network (I changed All Users to the security group I created on my DC).
Now, at one of my branch offices, I created the same group on the DC over there and added users to that security group. Now when I try to access the DC from the ISA (or rather create the security group on the Users tab), I get the following error: "Windows cannot resolve, either the domain cannot be contacted or not reachable".
Please can anyone help resolve this?

