I've never seen any problems with ISA crashing. In a couple of client firms I've had a pair of Enterprise ISA 2004 boxes load balanced as a proxy and firewall supporting up to 7000 users without issue. Had it up for over 6 months before rebooting. I would use it in conjunction with a hardware based firewall though, such as the Cisco ASA, as the edge firewall.
This goes without saying, but ensure your website traffic is encrypted using SSL to prevent AD passwords being sniffed.
-
Originally posted by vetran: "last I looked MS approved way is ISA server & client certificates. Not sure why all these big corporates waste their money on RSA fobs & VPNs."
The key fob allows secure access by a person from any computer or internet device and if you lose your laptop you are not compromising security by losing a certificate.
If you lose the keyfob, there is still the PIN and your password that the hacker will not know.
I know a few companies that prefer this approach.
Leave a comment:
-
Originally posted by vetran: "last I looked MS approved way is ISA server & client certificates. Not sure why all these big corporates waste their money on RSA fobs & VPNs."
There is more than one type of VPN.... IPSEC VPN with or without Authentication Fobs... and SSL VPNs with or without Authentication Fobs. Authentication Fobs are not critical for any type of IPSEC implementation, but would be helpful.
The reason why people don't use the MS solutions is because the MS solutions don't meet their requirements for some reason or another. I've known a few councils to have thrown out ISA Proxy in favour of Bluecoat proxy because ISA was not up to the job of handling the load (often crashes).
Leave a comment:
-
last I looked MS approved way is ISA server & client certificates. Not sure why all these big corporates waste their money on RSA fobs & VPNs.
Leave a comment:
-
Originally posted by bekarovka: "Thank you for your answers. Unfortunately I can't use VPN as the requirement is very ad hoc access among a large user base. My main concern really is the implication of the ASP.Net application being in DMZ & communication with AD from there. I would think that there would need to be some extra configuration to get this to work. DMZ machine isn't in a domain. I will try the URL that was recommended for asking this question."
SSL VPN is a clientless solution and would be absolutely ideal for your environment. However, if your client has accepted the risk for not securing the transmission of developer code and AD authentication over the interweb, then fair enough. However, if I were you, I would give the client the option and advise them of the insecurities of doing non-encrypted uploads of code (i.e. 3rd-party interception, modification, etc. etc.) before you dismiss SSL VPN from the equation. Let them make the decision to take the risk, otherwise the risk may be transferred to you and you could be liable for any loss incurred by the client.
Leave a comment:
-
Consider using ISA Server to allow authentication to your web server in the DMZ. This will integrate with AD to authorise specific AD groups to allow access to that web server via forms based auth or basic/integrated auth.
Leave a comment:
-
VPN is definitely the way to go. Trying to roll your own solution is going to cause you all sorts of security headaches. From the sound of it though, the app has been knocked up on the cheap and an equally cheap access solution is being sought.
Leave a comment:
-
Thank you for your answers. Unfortunately I can't use VPN as the requirement is very ad hoc access among a large user base.
My main concern really is the implication of the ASP.Net application being in DMZ & communication with AD from there. I would think that there would need to be some extra configuration to get this to work. DMZ machine isn't in a domain. I will try the URL that was recommended for asking this question.
Leave a comment:
-
Originally posted by Not So Wise: "Honestly, don't do it. Not to be mean but the fact that you even need to ask if it is possible tells me you are not experienced enough to make this properly secure for internet publication. Do as pmeswani suggested and use VPN, if they are home workers they should already have this and it would require no extra config from yourself."
Have to agree. A VPN with perhaps a smartcard for authentication in combination with the user's usual Windows account and SSL is the way to go. In this way all your Intranet apps are available to remote workers and it is secure and the code doesn't have to change.
I've used RSA stuff before.
http://www.ansecurity.co.uk/products/rsa.htm
And Juniper too.
http://www.ansecurity.co.uk/products/juniper/sslvpn.htm
Last edited by DimPrawn; 24 August 2009, 09:11.
Leave a comment:
-
Honestly, don't do it. Not to be mean but the fact that you even need to ask if it is possible tells me you are not experienced enough to make this properly secure for internet publication.
Do as pmeswani suggested and use VPN, if they are home workers they should already have this and it would require no extra config from yourself
Leave a comment:
-
Originally posted by bekarovka: "I have an intranet application that is using windows authentication. What I want to do is port it to internet usage for homeworkers. Web server will be in the DMZ. What I would like to know is this. If a home worker logs in to the internet using forms authentication (this is an asp.net app) and enters their user name in the form of their normal windows login (domain\userid), can this be passed to active directory and validated? I don't want maintenance of login details in a database or anything, I would like to be using active directory. I think I would have to set up trust between DMZ webserver and AD. Is this possible. Thank you if you help me."
Why not get an SSL VPN solution which will then make what you are doing more secure?
Leave a comment:
-
- Yes, this is possible.
- I can't remember all the details, as I haven't done anything like this with .NET in several years.
If you don't get enough help here (and I'm not exactly helping with the above) then you may want to try searching or posting a question on serverfault.com - there's a good chance somebody over there has either answered your question, or can answer it.
Leave a comment:
-
Yes this should be possible, I believe there is an active directory membership provider for asp.net (or you could create your own if it doesn't meet your requirements). Have a look for that on google.
Leave a comment:
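To make the membership-provider suggestion above concrete, here is a web.config excerpt wiring ASP.NET forms authentication to the built-in ActiveDirectoryMembershipProvider from a DMZ web server that is not domain-joined. This is an added example for this thread, not configuration posted by anyone in it; the host dc01.example.com, the base DN DC=example,DC=com and the service account EXAMPLE\svc-ldap-bind are assumed placeholder names.

```xml
<!-- Added example web.config excerpt (not from the thread).
     Assumed placeholders: dc01.example.com, DC=example,DC=com,
     and the read-only bind account EXAMPLE\svc-ldap-bind. -->
<configuration>
  <connectionStrings>
    <!-- LDAPS on 636: the user's AD password travels from the DMZ to the
         domain controller encrypted, and only that one port needs opening
         on the DMZ-to-internal firewall. -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc01.example.com:636/DC=example,DC=com" />
  </connectionStrings>

  <system.web>
    <!-- Forms auth collects the home worker's own AD user name and password
         on Login.aspx; requireSSL keeps the auth cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms name=".ADAUTH" loginUrl="~/Login.aspx" timeout="30"
             requireSSL="true" slidingExpiration="false" />
    </authentication>

    <!-- Deny anonymous users site-wide; only AD-validated users proceed. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <membership defaultProvider="ADMembership">
      <providers>
        <clear />
        <!-- Because the DMZ box is not in the domain it has no machine
             identity AD will trust, so the provider binds with an explicit
             low-privilege service account to look the user up, then validates
             the user's own credentials. -->
        <add name="ADMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionProtection="Secure"
             connectionUsername="EXAMPLE\svc-ldap-bind"
             connectionPassword="REPLACE-WITH-SECRET-NOT-STORED-IN-CLEAR"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With attributeMapUsername set to sAMAccountName the provider expects the bare account name rather than domain\userid, so the login page should strip any domain prefix before calling Membership.ValidateUser (the ASP.NET Login control does this call for you). The bind account only needs read access to user objects, and the connectionPassword should be protected in place with aspnet_regiis -pe (protected configuration) rather than left in clear text on a DMZ host.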
-
Using Active Directory to authenticate internet users
I have an intranet application that is using windows authentication. What I want to do is port it to internet usage for homeworkers. Web server will be in the DMZ.
What I would like to know is this. If a home worker logs in to the internet using forms authentication (this is an asp.net app) and enters their user name in the form of their normal windows login (domain\userid), can this be passed to active directory and validated? I don't want maintenance of login details in a database or anything, I would like to be using active directory. I think I would have to set up trust between DMZ webserver and AD. Is this possible. Thank you if you help me.