Introduction
The Microsoft Internet Authentication Server (IAS) is an industry standard RADIUS server that can be used to authenticate users connecting to the ISA Server 2004 firewall machine. You can use IAS to authenticate Web Proxy clients on the internal network and VPN clients and VPN gateways calling in from an external network location. In addition, you can use RADIUS authentication to remote users who connect to Web servers published using ISA Server 2004 Web Publishing rules.
The major advantage of using RADIUS authentication for Web proxy and VPN connections is that the ISA Server 2004 firewall computer does not need to be a member of the domain to authenticate users whose accounts are contained in the Active Directory on the internal network. Many firewall administrators recommend that the firewall not be a member of the user domain. This prevents attackers who may compromise the firewall from taking advantage of the firewall’s domain member status to amplify an attack against the internal network.
One major drawback to not making the ISA Server 2004 firewall a member of the internal network domain is that you cannot use the Firewall client to provide authenticated access to all TCP and UDP protocols. For this reason, we make the ISA Server 2004 firewall computer a member of the domain in this ISA Server 2004 Configuration Guide series. However, if you choose to not join the firewall to the domain, you can still use IAS to authenticate your VPN and Web Proxy clients.
We will discuss the following procedures in this document:
•Installing the Microsoft Internet Authentication Service
•Configuring the Microsoft Internet Authentication Service
ISA Server 2004 Configuration Guide | 23 |
