Discussion about article on ISA FBA for Internal and External client part 1

Discussion about article on ISA FBA for Internal and Ex... - 20.Sep.2005 8:10:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on enabling ISA firewall FBA access for both internal and external network clients at http://isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-OWA-Connections-Internal-External-Clients-Part1.html

Thanks!
Tom

[ September 20, 2005, 08:14 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on ISA FBA for Internal an... - 20.Sep.2005 10:37:00 AM   
TimTrace

 

Posts: 119
Joined: 31.Oct.2001
From: St. Louis MO
Status: offline
Neat solution, a second listener for the internal clients. No wonder you make the big bucks. I'm eager to experiment with this idea!

A question for you about Part 1:
quote:
If we put external addresses in our internal zones, then this could start a trail of other compromises to a well-designed network infrastructure, such as using the .local for your internal Active Directory top level domain ;-)
I'm confused by your wording; are you saying that you should not use a non-public TLD in your AD design? MSKB 296250 (at least) seems to suggest that it is best practice to use a non-public TLD...

Best regards,

Tim ==

[ September 20, 2005, 10:39 AM: Message edited by: timtrace ]

(in reply to tshinder)
Post #: 2
RE: Discussion about article on ISA FBA for Internal an... - 20.Sep.2005 12:33:00 PM   
TheCleaner

 

Posts: 74
Joined: 2.Apr.2004
Status: offline
Tim,

I think he's saying that .local is the acceptable practice, while using external public addresses internally isn't.

Personally, I use the same domain.com for both internal and external with a split-DNS and it works just fine and is easier to understand for us.

Course, we don't publish anything besides mail servers, our websites are hosted externally.

(in reply to tshinder)
Post #: 3
RE: Discussion about article on ISA FBA for Internal an... - 20.Sep.2005 4:46:00 PM   
TheCleaner

 

Posts: 74
Joined: 2.Apr.2004
Status: offline
Dr. Tom,

After reading the article, it all makes sense...however, I don't understand the trouble of going through all of that versus just enabling the FBA on the Exchange server, and then not using it on the ISA server. I know the thought is to prevent unneeded access to the Exchange server before authentication, but at what point is the trade-off necessary? I guess what I'm saying is, you are trading a little bit of security for the increased load of the loop-back.

(in reply to tshinder)
Post #: 4
RE: Discussion about article on ISA FBA for Internal an... - 21.Sep.2005 5:05:00 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I understand the benefits for FBA, especially when accessing OWA externally, but is FBA really necessary internally?

Why not just configure the split DNS so that external users resolve to the ISA external interface, whilst internal users resolve to the front-end server? Obviously, the internal auth will only be basic auth over SSL (assuming you are doing SSL-to-SSL bridging with ISA and FE has a cert installed). Is this really that bad?

The only argument I can see is that of a unified FBA login for users, irrespective of their location and the fact that FBA is 'nice to have', even on the LAN.

Personally I would prefer to avoid loopback and if people use OWA internally then they just auth using basic over SSL. This is exactly what you need to do if using PDAs with ActiveSync anyhow.

Interesting idea of using an extra web listener though, I am curious now! [Smile]

JJ

(in reply to tshinder)
Post #: 5
RE: Discussion about article on ISA FBA for Internal an... - 21.Sep.2005 6:12:00 PM   
TheCleaner

 

Posts: 74
Joined: 2.Apr.2004
Status: offline
Jason Jones,

Can you explain what you mean by:
quote:
Personally I would prefer to avoid loopback and if people use OWA internally then they just auth using basic over SSL. This is exactly what you need to do if using PDAs with ActiveSync anyhow.

Because after enabling FBA on the Exchange server, and then setting up the listener for everything on the ISA server as SSL and Integrated, we are having flaky issues with ActiveSync on some phones.

See my thread just below this one in the forum for more info.

(in reply to tshinder)
Post #: 6
RE: Discussion about article on ISA FBA for Internal an... - 21.Sep.2005 6:20:00 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
The best setup is to use FBA on ISA and not on exchange...this IS do-able (we do it and do it for customers) and this ensures that ISA pre-authenticates users *BEFORE* passing any traffic to the FE exchange server.

Once you do this, the FE will then need to be configured for basic auth using SSL, as per MS best practice. Once you do this, your split internal DNS should point users to the FE and not ISA, hence ActiveSync can auth and will work. When PDAs are out on the internet your external DNS will point to ISA and it will reverse proxy these connections to the FE, assuming you have the correct config for your publishing rules.

Does this explain it ok?

Be interesting to see if Tom's solution works for PDAs too...

JJ

(in reply to tshinder)
Post #: 7
RE: Discussion about article on ISA FBA for Internal an... - 21.Sep.2005 8:10:00 PM   
TheCleaner

 

Posts: 74
Joined: 2.Apr.2004
Status: offline
Jason,

Yes, that all makes sense...guess it really is time to revamp and quit using a single Exchange2k3 box.

Currently we have it setup as:

FBA on the exchange server (only 1 server)
IIS on the exchange server hosting OWA/AS/OMA

ISA publishes the mail server and then the web listener is set to SSL and Integrated.

Seems to work fine for us, but we don't get the "advantage of FBA on the ISA"

(in reply to tshinder)
Post #: 8
RE: Discussion about article on ISA FBA for Internal an... - 22.Sep.2005 10:15:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by timtrace:
Neat solution, a second listener for the internal clients. No wonder you make the big bucks. I'm eager to experiment with this idea!

A question for you about Part 1:
quote:
If we put external addresses in our internal zones, then this could start a trail of other compromises to a well-designed network infrastructure, such as using the .local for your internal Active Directory top level domain ;-)
I'm confused by your wording; are you saying that you should not use a non-public TLD in your AD design? MSKB 296250 (at least) seems to suggest that it is best practice to use a non-public TLD...

Best regards,

Tim ==

Hi Tim,

I'm a *major* fan of the split DNS infrastructure, and always use legal names for the internal domain. It makes life a lot more simple and there are only a couple of caveats. It was also meant as a dig to the SBS PG, who chose the .local domain name. [Big Grin]

Thanks!
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion about article on ISA FBA for Internal an... - 22.Sep.2005 10:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by TheCleaner:
Tim,

I think he's saying that .local is the acceptable practice, while using external public addresses internally isn't.

Personally, I use the same domain.com for both internal and external with a split-DNS and it works just fine and is easier to understand for us.

Course, we don't publish anything besides mail servers, our websites are hosted externally.

Hi Cleaner,

YES! Welcome to the cool and flexible world of split DNS!

Thanks!
Tom

(in reply to tshinder)
Post #: 10
RE: Discussion about article on ISA FBA for Internal an... - 22.Sep.2005 10:20:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by TheCleaner:
Dr. Tom,

After reading the article, it all makes sense...however, I don't understand the trouble of going through all of that versus just enabling the FBA on the Exchange server, and then not using it on the ISA server. I know the thought is to prevent unneeded access to the Exchange server before authentication, but at what point is the trade-off necessary. I guess what I'm saying is, you are trading a little bit of security for the increased load of the loop-back.

Hi Cleaner,

Exactly. It's a trade-off, but I'm erring on the side of security over performance. We can always upgrade the proc and memory, and use SSL offload for performance enhancement, but there's nothing we can do to mitigate the security issues with allowing anonymous connections to the OWA site. Of course, we could deal with dual authentication prompts, but that's a bummer [Frown]

HTH,
Tom

(in reply to tshinder)
Post #: 11
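The two setups discussed above (Jason's FBA-on-ISA with Basic over SSL on the front end, and Tom's point about anonymous connections reaching the OWA site) can be checked from the client side by looking at how an OWA URL answers an unauthenticated request. The script below is an added example, not code from the thread or from ISA; it assumes the Exchange 2003 and ISA 2004 default logon paths and uses constructed sample responses.

```python
# Added example (not from the thread): classify how an OWA endpoint answers an
# anonymous GET, to confirm that authentication happens before any content is
# served. The logon paths below are assumed Exchange 2003 / ISA 2004 defaults.
import http.client
import ssl
from urllib.parse import urlsplit

# Logon pages an FBA-enabled ISA listener or Exchange front end redirects to
# (assumption; adjust to your deployment).
FBA_LOGON_PATHS = ("/cookieauth.dll?getlogon", "/exchweb/bin/auth/owalogon.asp")
FBA_BODY_MARKERS = (b"owalogon", b"cookieauth")


def classify_owa_response(status, headers, body=b""):
    """Return 'fba', 'basic', 'integrated', 'anonymous' or 'other'."""
    h = {k.lower(): v for k, v in headers.items()}
    loc = h.get("location", "").lower()
    www = h.get("www-authenticate", "").lower()
    if status in (301, 302, 303, 307) and any(p in loc for p in FBA_LOGON_PATHS):
        return "fba"            # pre-auth via a forms-based logon page
    if status == 401 and "basic" in www:
        return "basic"          # Basic over SSL, the ActiveSync-friendly setup
    if status == 401 and ("ntlm" in www or "negotiate" in www):
        return "integrated"     # Integrated auth on the listener
    if status == 200:
        # A 200 that carries the logon form is still FBA; a 200 with real
        # content means anonymous requests reach the OWA site.
        lower = body.lower()
        return "fba" if any(m in lower for m in FBA_BODY_MARKERS) else "anonymous"
    return "other"


def probe(url, timeout=10):
    """Issue one anonymous GET over HTTPS and classify the answer (needs network)."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", u.path or "/exchange/", headers={"Host": u.hostname})
    r = conn.getresponse()
    result = classify_owa_response(r.status, dict(r.getheaders()), r.read())
    conn.close()
    return result


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "isa_fba": (302, {"Location": "https://mail.example.com/CookieAuth.dll?GetLogon?url=/exchange"}),
    "fe_basic": (401, {"WWW-Authenticate": 'Basic realm="mail.example.com"'}),
    "open": (200, {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    for name, (status, hdrs) in SAMPLES.items():
        print(name, "->", classify_owa_response(status, hdrs))
```

Run `probe("https://mail.example.com/exchange/")` against the internal and the external name separately to see which answer each path gives.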
RE: Discussion about article on ISA FBA for Internal an... - 3.Oct.2005 5:33:00 PM   
bassque

 

Posts: 33
Joined: 21.Aug.2001
From: St. Louis
Status: offline
Hey all. I'm having some issues but I posted them in the part 2 discussion board. Appreciate the help if possible:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000774#000002

(in reply to tshinder)
Post #: 12