Installing and configuring the 2004 ISA Server Firewall - Chapter 3


CHAPTER 3: Install and configure Microsoft Internet Authentication Service

Microsoft Internet Authentication Service (IAS) is a standard RADIUS (Remote Authentication Dial-In User Service) server used to authenticate users connecting to the ISA Server 2004 firewall machine. You can use IAS to authenticate Web Proxy clients on the Internal Network, or VPN clients and VPN gateways that connect from an External Network location (for example, from a branch office of the company). In addition, RADIUS authentication can be used for remote users when they connect to Web servers published through Web Publishing rules on ISA Server 2004.

 

The main advantage of using RADIUS to authenticate Web Proxy and VPN connections is that the ISA Server 2004 firewall computer does not need to be a member of the Active Directory domain to authenticate users whose accounts are in the Active Directory database on the Internal Network. Many firewall administrators recommend that the firewall computer not be a member of the user domain, because this prevents an attacker who has compromised the firewall from using its domain member rights to extend the attack to the Internal Network.


However, the major drawback of not making the ISA Server 2004 firewall a member of the Internal Network domain is that we cannot use the ISA Firewall client to provide authenticated access through ISA Server for all TCP and UDP protocols. For this reason, we will make the ISA Server 2004 firewall computer a member of the Internal domain. If you do not join the firewall to the domain, you can still use IAS to authenticate VPN and Web Proxy clients.

The next task is:

Install and configure Microsoft Internet Authentication Service

The Microsoft Internet Authentication Service server is a RADIUS server. We will use this RADIUS server in the following sections of this tutorial (to enable RADIUS authentication for Web Publishing rules and to learn how a RADIUS server authenticates VPN clients).

Perform the following steps to install Microsoft Internet Authentication Service on the domain controller EXCHANGE2003BE on the Internal Network:

1. Click Start, Control Panel. Click Add or Remove Programs.

2. In Add or Remove Programs, click Add / Remove Windows Components.

3. On the Windows Components page, scroll down the Components list and select the Networking Services entry. Click Details.

4. Select the Internet Authentication Service check box and click OK.


5. Click Next on the Windows Components page.

6. Click Finish on the Completing the Windows Components Wizard page.

7. Close Add or Remove Programs.

Next we will configure Internet Authentication Service

Configuration of Microsoft Internet Authentication Service

The IAS server must be configured properly to work with the ISA Server 2004 firewall computer. In this section we configure the IAS server to work with the ISA Server 2004 firewall. The firewall will then be configured to communicate with the IAS server.

Follow these steps on the domain controller on the Internal Network to configure the IAS server:

1. Click Start, Administrative Tools. Click Internet Authentication Service.

2. In the Internet Authentication Service console, expand the Internet Authentication Service (Local) node. Right-click the RADIUS Clients node and click New RADIUS Client.


3. On the Name and Address page of the New RADIUS Client wizard, enter a friendly name for the ISA Server 2004 firewall computer in the Friendly name text box. This name is used only to identify the RADIUS client and is not used for operational purposes. Enter the FQDN (EXCHANGE2003BE.MSFIREWALL.ORG) or the IP address of the ISA Server 2004 firewall computer in the Client address (IP or DNS) text box.


4. Click Verify. In the Verify Client dialog box, the fully qualified domain name (FQDN) of the ISA Server 2004 firewall computer appears in the Client text box. Click Resolve. If the RADIUS server can resolve the name, the IP address appears in the IP address frame. If the RADIUS server cannot resolve the name, this tells the administrator that the host name of the ISA Server 2004 firewall has not been created on the DNS server (no record exists for the server). In that case there are two solutions: create an A record for the ISA Server on the DNS server installed on the domain controller, or use the IP address of the Internal interface (10.0.0.1) of the ISA Server 2004 firewall in the Client address (IP or DNS) text box on the Name and Address page (mentioned above). Click OK in the Verify Client dialog box. The purpose of the settings in this section is to make the ISA Server 2004 firewall a RADIUS client, so that the RADIUS server and the RADIUS client are ready to work together.


5. Click Next on the Name and Address page of the New RADIUS Client wizard.

6. On the Additional Information page of the wizard, use the default Client-Vendor entry, RADIUS Standard. Enter a password in the Shared secret text box and confirm it. This secret is shared only between the ISA Server 2004 firewall and the RADIUS server, and the two use it to work together. The shared secret should contain at least 8 characters (upper- and lower-case letters, numbers and special characters). Select the Request must contain the Authenticator attribute check box. Click Finish.


7. You should now see the new RADIUS client entry appear in the console.


8. Close Internet Authentication Service console.
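What the shared secret and the Authenticator check box from step 6 protect, as an added example that is not part of the original tutorial: the check box corresponds to the RADIUS Message-Authenticator attribute (type 80, RFC 2869), an HMAC-MD5 over the request keyed with the shared secret, which lets the server drop requests from anything that does not hold the secret. The function names, user name and secret below are constructed for illustration; 10.0.0.1 is the firewall's internal address used in step 4.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, user: str, nas_ip: str, ident: int = 1) -> bytes:
    """Client side: build an Access-Request signed with Message-Authenticator."""
    request_auth = os.urandom(16)  # random Request Authenticator
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute here


def verify_access_request(secret: bytes, packet: bytes) -> bool:
    """Server side: accept only requests carrying a valid Message-Authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # attribute absent: rejected when the attribute is required


if __name__ == "__main__":
    secret = b"Constructed-Secret-1!"  # constructed sample value, not from the tutorial
    pkt = build_access_request(secret, "user1", "10.0.0.1")
    print(verify_access_request(secret, pkt), verify_access_request(b"wrong", pkt))
```

A mismatch between the secret typed on the IAS server and the one later typed on the firewall shows up as exactly this verification failure, so the request is discarded rather than answered.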

The next step is to configure the ISA Server 2004 firewall to recognize its partner, the RADIUS server. That configuration is carried out through the administration interface of the ISA Server 2004 firewall, so that the firewall and the RADIUS server together act as the authentication bridge for Web and VPN clients.

Conclusion:

In this chapter we covered Microsoft Internet Authentication Service and how to install and configure an IAS server on the domain controller of the Internal Network domain. In the next section of the tutorial, we will use this IAS server to authenticate external requests (incoming requests from Web / VPN clients) to access the Web / VPN server.

(Please read Chapter 4.)

Released chapters:

  1. Installing and configuring the 2004 ISA Server Firewall - Chapter 2 Installing Certificate Services
  2. Installing and configuring the 2004 ISA Server Firewall - Chapter 1

Ho Viet Ha - Owner
Network Information Security Vietnam, Inc.
http://nis.com.vn
Email: networksecurity@Nis.com.vn
