In ISA 2006 beta, you have the option to use LDAP authentication for Web Publishing Rules. Microsoft decided to include LDAP authentication support for Web Publishing Rules to get around several problems:
- Network infrastructure teams were making decisions about network application security, an area they, in general, do not understand well. Application and network security extends far above knowing what “ports” need to be opened and closed
- Because network infrastructure personnel do not understand network and application security, they would not allow the ISA firewall to be a domain member
- When the ISA firewall is not a domain member, the ISA firewall can’t use Active Directory to authenticate incoming Web requests
- An alternative was to use RADIUS authentication. However, RADIUS authentication does not support Active Directory group membership based access controls. In order to support group based access controls, you needed to create ISA firewall Groups and add members one at a time in the ISA firewall console’s interface. This created exceptionally high administrator overhead
ISA 2006 integrated support for LDAP authentication enables the ISA firewall to send LDAP queries to the Active Directory domain controller. The allows the ISA firewall to place AD group based controls on Web Publishing Rules.
The figure below shows the configuration interface for LDAP servers.
Here’s a handy tip for you: before you create a Web Publishing Rule that will use LDAP for user/group based authentication, make sure you configure your LDAP server first. Unlike most of the ISA firewall’s rule wizards, you can’t create LDAP servers on the fly, reminiscent of ISA Server 2000. Hopefully this issue will be worked out during the beta cycles and the RTM version of the 2006 ISA firewall allow “on the fly” configuration of LDAP servers.
Thomas W Shinder, M.D.
MVP — ISA Firewalls