I've been playing with the new ISA Firewall's LDAP authentication feature set and I have to admit that I'm impressed. The new feature solves a problem I've seen over the years that required a complex RADIUS network to be designed. That problem was how to pre-authenticate users at the ISA Firewall when those users belong to multiple domains which have no trust relationships with one another.
In ISA 2004, the solution was to install a RADIUS proxy and then configure policies that enabled the RADIUS proxy to forward the authentication requests to the appropriate RADIUS servers. The procedure isn't documented anywhere and if you try to find useful information on how to configure RADIUS proxies and proxy policies on the www.microsoft.com web site, you'll find yourself sad and disappointed.
The new LDAP pre-authentication support in the 2006 ISA Firewall solves this problem and makes supporting multiple domains behind the ISA Firewall very easy to configure. However, there is one tricky situation that you should know about, and it's related to password management. The new ISA Firewall includes support for password changes and password change notifications that appear right in the logon form. However, if you use LDAP authentication, you need to jump through a few hoops.
First take a look at the salient dialog box, as seen in the figure below:
In order to support password changes and password change notifications, you need to use LDAPS for a secure connection between the ISA Firewall and the domain controller. You also have to disable the Use Global Catalog (GC) setting.
For LDAPS to work, you need to install a machine certificate on the DC and then install the CA certificate of the CA that issued the DC's machine certificate into the ISA Firewall's Trusted Root Certification Authorities machine certificate store. This isn't too terribly difficult, but if you're not aware of the situation you'll wonder what happened to password management for your OWA users.
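Here is an added check (my own example, not something from the ISA product or its documentation) you can run in PowerShell on the ISA Firewall host to confirm those LDAPS prerequisites before you troubleshoot the logon form: it opens a TLS session to the DC on port 636 and then validates the DC's certificate the same way Windows does, building the chain against the machine's Trusted Root Certification Authorities store and checking the Server Authentication EKU and the DNS name. The DC name `dc1.corp.example` is a placeholder, and the function name `Test-LdapsFromIsa` is mine.

```powershell
# Added example: verify the LDAPS prerequisites for ISA LDAP pre-authentication.
# Run on the ISA Firewall so the chain is built against ITS Trusted Root store.
function Test-LdapsFromIsa {
    param(
        [string]$DomainController = 'dc1.corp.example',   # placeholder, use your DC FQDN
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($DomainController, $Port) }
    catch { throw "Cannot reach ${DomainController}:${Port}. Is the DC listening for LDAPS?" }

    # Accept the handshake unconditionally here; the real checks are done explicitly
    # below so that every failing prerequisite is reported, not just the first one.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try { $ssl.AuthenticateAsClient($DomainController) }
    catch { $client.Close(); throw "TLS handshake failed: $($_.Exception.Message). Does the DC have a machine certificate?" }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $client.Close()

    # Chain validation against the local Trusted Root Certification Authorities store,
    # which is where the issuing CA's certificate must be installed on the ISA Firewall.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate problem
    $chainOk = $chain.Build($cert)

    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is required for the DC to offer LDAPS.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    $dnsName = $cert.GetNameInfo('DnsName', $false)
    $nameOk = ($dnsName -eq $DomainController)

    [pscustomobject]@{
        DomainController = $DomainController
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        Expires          = $cert.NotAfter
        NameMatches      = $nameOk
        ServerAuthEku    = $serverAuth
        IssuerTrusted    = $chainOk
        ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Ready            = ($chainOk -and $serverAuth -and $nameOk -and ($cert.NotAfter -gt (Get-Date)))
    }
}

Test-LdapsFromIsa -DomainController 'dc1.corp.example'
```

If `IssuerTrusted` is false, `ChainStatus` names the reason (typically `UntrustedRoot`, meaning the CA certificate is not yet in the ISA Firewall's machine Trusted Root store); if the handshake itself fails, the DC has no usable machine certificate.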
This week I'm starting a multipart series on how to make this all work by showing you how to pre-authenticate users that are trying to connect to two different Exchange Servers located behind an ISA Firewall. Each Exchange Server will belong to a different domain, the domains won't trust each other, and LDAP authentication will be used at the ISA Firewall to pre-authenticate the incoming connections.
I hope you like the series and that it helps you get your ISA Firewall deployed more quickly and easily. Remember, no other solution can protect your Exchange Servers better than an ISA Firewall! And you can take that to the bank 🙂