Configuring Domain Members in a Back to Back ISA Firewall DMZ Part 4: Using RADIUS Authentication on the Front-end ISA Firewall

by Thomas W Shinder MD, MVP

RADIUS authentication has some significant limitations (for example, you can’t leverage Active Directory Global Groups for access control, and each request is re-authenticated), but it may be of value in this scenario: the front-end ISA firewall doesn’t need to authenticate outbound connections, so you might not want to make it a domain member.

In this article we’ll go over the following procedures required to enable the front-end ISA firewall to pre-authenticate connections using RADIUS:

  • Install IAS on the default Internal Network behind the back-end ISA firewall
  • Configure IAS to accept the front-end ISA firewall as a RADIUS client
  • Configure Remote Access Policy on the IAS server
  • Configure the back-end ISA firewall to allow RADIUS communications from the front-end ISA firewall to the IAS server on the default Internal Network behind the back-end ISA firewall
  • Configure the front-end ISA firewall to use the RADIUS server
  • Configure the Web Publishing Rule on the front-end ISA firewall to use RADIUS authentication and forward basic credentials to the Web server
  • Test the solution

Install IAS on the default Internal Network behind the back-end ISA firewall

The IAS server is required for RADIUS authentication. Actually, you don’t need to use the IAS RADIUS server; you can use any RADIUS server since there are no Microsoft proprietary RADIUS components required for the solution to work.

Perform the following steps on the Windows Server 2003 machine that will be the IAS server on your corporate network (in the example used in this article, the IAS server will be installed on the domain controller located on the default Internal Network behind the back-end ISA firewall):

  1. Click Start, point to Control Panel and click Add or Remove Programs.
  2. In the Add or Remove Programs window, click the Add/Remove Windows Components button.
  3. In the Windows Components dialog box, click the Network Services entry in the Components list and click Details.
  4. Put a checkmark in the Internet Authentication Server checkbox and click OK.
  5. Click Next in the Windows Components dialog box.
  6. Click Finish in the Completing the Windows Components Wizard page.

Configure IAS to accept the front-end ISA firewall as a RADIUS client

After the IAS server is installed, the next step is to configure IAS to accept RADIUS client requests from the ISA firewall. Perform the following steps to configure the front-end ISA firewall as a RADIUS client:

  1. On the IAS server, click Start, point to Administrative Tools and click Internet Authentication Service.
  2. In the Internet Authentication Service console, right click the RADIUS Clients node in the left pane of the console and click New RADIUS Client.
  3. On the Name and Address page, enter a friendly name in the Friendly name text box. In this example we’ll use Front-end ISA Firewall. In the Client address (IP or DNS) text box, enter the IP address of the internal interface of the front-end ISA firewall. In this example, we’ll enter 10.0.1.1. Click Next.


Figure 1

  4. On the Additional Information page, confirm that RADIUS Standard is selected in the Client-Vendor list (if you’re using IAS). Enter a Shared secret and Confirm shared secret. Write down this value, since you will need to configure the front-end ISA firewall with the same shared secret later. Put a checkmark in the Request must contain the Message Authenticator attribute checkbox. Click Finish.


Figure 2

  5. You should now see the front-end ISA firewall listed as a RADIUS client in the right pane of the console.


Figure 3

Configure Remote Access Policy on the IAS Server

We now need to create a Remote Access Policy (RAP) that supports Web proxy connections to the front-end ISA firewall. In contrast to forward Web proxy connections, where client systems must be explicitly configured as Web proxy clients to communicate directly with the Web proxy filter, reverse Web proxy filter connections are automatically received by the Web proxy filter via Web Publishing Rules.

Perform the following steps on the IAS server to configure the Remote Access Policy to support Web proxy client authentication to the front-end ISA firewall:

  1. In the Internet Authentication Service console, right click on the Remote Access Policy node in the left pane of the console and click New Remote Access Policy.
  2. Click Next on the Welcome to the New Remote Access Policy page.
  3. On the Policy Configuration Method page, select the Set up a custom policy option. Enter a name for the policy in the Policy name text box. In this example we’ll name the policy Front-end ISA Firewall Web proxy. Click Next.


Figure 4

  4. On the Policy Conditions page, click Add.
  5. In the Select Attribute dialog box, click the Authentication Type entry in the Attribute types list and click Add.


Figure 5

  6. In the Authentication Type dialog box, click the PAP entry and click Add. Click OK.


Figure 6

  7. Click Add on the Policy Conditions page.
  8. In the Select Attribute dialog box, click the NAS-IP-Address entry in the Attribute types list. Click Add.


Figure 7

  9. In the NAS-IP-Address dialog box, enter the IP address on the internal interface of the front-end ISA firewall. Click OK.


Figure 8

  10. Click Add on the Policy Conditions page.
  11. In the Select Attribute dialog box, click the Windows-Groups entry in the Attribute types list. Click Add.


Figure 9

  12. In the Groups dialog box, click the Add button.
  13. In the Select Groups dialog box, enter the name of an Active Directory Global Group that you want to allow access. In this example we’ll use the Domain Users group. Enter Domain Users in the Enter the object names to select text box and click Check Names. Click OK.
  14. Click OK in the Groups dialog box.
  15. Click Next on the Policy Conditions page.


Figure 10

  16. On the Permissions page, select the Grant remote access permission option and click Next.
  17. On the Profiles page, click the Edit Profile button.
  18. In the Edit Dial-in Profile dialog box, click the Authentication tab. On the Authentication tab, remove the checkmarks from all the checkboxes. Then put a checkmark in the Unencrypted authentication (PAP, SPAP) checkbox.


Figure 11

  19. Click the Encryption tab. On the Encryption tab, put a checkmark in the No encryption checkbox. Click Apply and then click OK. Click No in the Dial-in dialog box.


Figure 12

  20. Click Next on the Profile page.
  21. Click Finish on the Completing the New Remote Access Policy Wizard page.
  22. The new RAP appears in the right pane of the console.


Figure 13

Configure the back-end ISA firewall to allow RADIUS communications from the front-end ISA firewall to the IAS server on the default Internal Network behind the back-end ISA firewall

The back-end ISA firewall needs an Access Rule allowing RADIUS communications to pass from the front-end ISA firewall to the IAS server on the corporate network behind the back-end ISA firewall.

Perform the following steps to create the Access Rule:

  1. In the ISA firewall console, expand the server name and click the Firewall Policy node.
  2. On the Firewall Policy node, click the Tasks tab in the Task Pane. Click the Create a New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule RADIUS Local Host to IAS and click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list, then click Add.
  6. In the Add Protocols dialog box, click the All Protocols folder. Double click the RADIUS and RADIUS Accounting entries and click Close.


Figure 14

  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the New button and click Computer.
  10. In the New Computer Rule Element dialog box, enter a name for the front-end ISA firewall in the Name text box. In this example we’ll name the front-end ISA firewall FE ISA Firewall. Enter the IP address of the internal interface of the front-end ISA firewall in the Computer IP Address text box. In this example, the IP address on the internal interface of the front-end ISA firewall is 10.0.1.1. Enter a description if you like. Click OK.


Figure 15

  11. In the Add Network Entities dialog box, click the New button and click Computer.
  12. In the New Computer Rule Element dialog box, enter a name for the IAS server in the Name text box. In this example, we’ll name the IAS server IAS Server. Enter the IP address of the IAS server in the Computer IP Address text box. In this example the IP address of the IAS server is 10.0.0.2. Enter an optional description if you like. Click OK.


Figure 16

  13. In the Add Network Entities dialog box, click the Computers folder. Double click on the FE ISA Firewall entry and click Close.
  14. Click Next on the Access Rule Sources page.
  15. On the Access Rule Destinations page, click the Add button.
  16. In the Add Network Entities dialog box, click the Computers folder. Double click the IAS Server entry. Click Close.


Figure 17

  17. Click Next on the Access Rule Destinations page.
  18. Click Next on the User Sets page.
  19. Click Finish on the Completing the New Access Rule Wizard page.

Configure the front-end ISA firewall to use the RADIUS server

The front-end ISA firewall must be configured to use the RADIUS server on the corporate network located behind the back-end ISA firewall. We can then configure the Web Publishing Rule to use this RADIUS server after making this configuration change.

Perform the following steps to create the RADIUS server entry on the front-end ISA firewall:

  1. At the front-end ISA firewall, open the ISA firewall console and expand the server name, then expand the Configuration node.
  2. Click the General node. In the Details pane, click the Define RADIUS Servers link.
  3. In RADIUS Servers dialog box, click the Add button.
  4. In the Add RADIUS Server dialog box, enter the IP address of the IAS server in the Server name text box. In this example, the IP address of the IAS server is 10.0.0.2. Enter an optional description in the Server description text box. Click the Change button.
  5. In the Shared Secret dialog box, enter the same shared secret you created when you configured the IAS server to use the front-end ISA firewall as a RADIUS client. Click OK.


Figure 18

  6. Put a checkmark in the Always use message authenticator checkbox and click OK.


Figure 19

  7. Click OK in the RADIUS Servers dialog box.
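The exchange that the RADIUS client entry on the IAS server and the RADIUS server entry on the front-end ISA firewall are being configured for, as an added example that is not part of the original article: the front-end ISA firewall’s Access-Request carrying a PAP (basic) password obfuscated with the shared secret, and the IAS-side check of the Message Authenticator attribute that both sides were told to require. It follows RFC 2865 and RFC 3579 in Python; the shared secret, user name and password are constructed values, and 10.0.1.1 is the front-end ISA firewall address used in the article.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_xor(data, secret, authenticator, decrypt=False):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block); the chain starts at the Request Authenticator
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(ident, secret, user, password, nas_ip):
    # What the front-end ISA firewall sends to IAS: PAP password plus Message-Authenticator (RFC 3579)
    ra = os.urandom(16)                                   # Request Authenticator
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, pap_xor(password, secret, ra))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                                # Message-Authenticator is the last attribute

def verify_access_request(pkt, secret):
    # The IAS side: return (user, password) only if the HMAC-MD5 over the packet matches, else None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return None
    ra, attrs, pos, mac_at = pkt[4:20], {}, 20, None
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return None                                   # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR:
            mac_at = pos + 2
        else:
            attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    if mac_at is None or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return None                                       # "Request must contain the Message Authenticator attribute"
    zeroed = pkt[:mac_at] + b"\x00" * 16 + pkt[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[mac_at:mac_at + 16]):
        return None                                       # wrong shared secret or tampered packet
    return attrs[USER_NAME].decode(), pap_xor(attrs[USER_PASSWORD], secret, ra, decrypt=True).decode()
```

A request built with one secret and checked with another is rejected before the password is even looked at, which is why the shared secret written down in the IAS step must match exactly on the front-end ISA firewall.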

Configure the Web Publishing Rule on the front-end ISA firewall to use RADIUS authentication and forward basic credentials to the Web server

Now we’ll configure the Web Publishing Rule used to publish the DMZ Web server to use RADIUS authentication to pre-authenticate users at the ISA firewall before the connections are forwarded to the DMZ Web server. This significantly increases the level of security provided by the ISA firewall to protect the published Web server.

An interesting issue regarding RADIUS authentication is that clients send credentials using basic authentication when authenticating via RADIUS. This means you can obtain single sign-on with the published Web server by delegating basic authentication in the Web Publishing Rule. You must enable basic authentication on the published Web server for this to work correctly. You cannot use integrated authentication on the Web server if you wish to avoid multiple authentication prompts.

Perform the following steps to configure the Web Publishing Rule to use RADIUS authentication and forward basic credentials to the published Web site:

  1. In the ISA firewall console on the front-end ISA firewall, expand the server name and then click the Firewall Policy node.
  2. On the Firewall Policy node, double click the Web Publishing Rule you created to publish the DMZ Web server.
  3. In the Properties dialog box for the Web Publishing Rule, click the Listener tab.
  4. On the Listener tab, click the Properties button.
  5. In the Listener’s Properties dialog box, click the Preferences tab.
  6. On the Preferences tab, click the Authentication button.
  7. In the Authentication dialog box, remove checkmarks from other authentication methods. Put a checkmark in the RADIUS checkbox. Put a checkmark in the Require all users to authenticate checkbox. Click the Select Domain button.


Figure 20

  8. In the Select Domain dialog box, enter the name of the corporate network user domain. In this example our internal user domain is named msfirewall.org, so we’ll enter MSFIREWALL in the Domain Name text box. Click OK.


Figure 21

  9. Click OK in the Authentication dialog box.
  10. Click OK in the Listener’s Properties dialog box.
  11. Click the Users tab in the Web Publishing Rule’s Properties dialog box.
  12. Put a checkmark in the Forward Basic authentication credentials (Basic delegation) checkbox. Click OK.


Figure 22

  13. Click Apply to save the changes and update the firewall policy.
  14. Click OK in the Apply New Configuration dialog box.

Our firewall policy looks like that in the figure below.


Figure 23

Test the solution

At an external client, make a connection to the published Web site using the URL the ISA firewall’s Web Publishing Rule is configured to listen for. You will be presented with an authentication dialog box. Enter your credentials and click OK. You should see only a single authentication dialog box.

If you see a second authentication dialog box, then it’s likely that the Web site is not configured to support basic authentication. Check the Security tab in the Properties dialog box of the Web site and confirm that Basic authentication is enabled.

Note that since credentials are sent using basic authentication, it’s critical that you use SSL to secure the information from end to end. If you plan on using RADIUS authentication on the front-end ISA firewall, then make sure your production deployment uses SSL to secure the connection from the client to the front-end ISA firewall, and SSL from the front-end ISA firewall to the published Web server in the DMZ. Alternatively, you could use IPSec to secure the connection between the ISA firewall and the published Web server, although this adds a layer of complexity that isn’t required.

Summary

In this article series we went over the concepts and procedures involved in placing a domain member computer on a DMZ segment in a back to back ISA firewall configuration. In this, part 4 of the series, we went over the procedures involved with enabling RADIUS authentication on the front-end ISA firewall so that incoming connections to the DMZ Web server can be pre-authenticated by the ISA firewall before being forwarded to the Web server.
