Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Options for Authenticating Users in ISA Server 2004


When configuring ISA Server 2004, one challenge many people face is how to design the deployment so that Active Directory groups can be used in ISA Server rules. If you want to use Active Directory users or groups in ISA Server 2004 rules, you must make ISA Server a member of an Active Directory domain so that it can communicate with Active Directory. As a member server, ISA Server can take advantage of specific users or groups in Active Directory through User Sets. A User Set is a collection of users that ISA Server treats as a single unit in a rule. A set can include three types of users or groups:

1. Windows users and groups
2. RADIUS
3. SecurID

For example, if you want only members of the Information Technology (IT) department to reach the internal network when they connect over a Virtual Private Network (VPN), you can create an access rule whose source is the VPN Clients network and whose destination is the Internal network. (Network rules only define the route or NAT relationship between networks; it is access rules that carry user conditions.) You then create a User Set that contains only the IT department's group and restrict the access rule so that it applies only to that User Set.

For security reasons, many administrators prefer not to join their ISA Servers to the corporate Active Directory domain: a domain-joined firewall holds a domain computer account and a trust path into the internal forest, so an attacker who compromises the edge device gains a foothold inside the domain. One solution is to create a separate forest in the DMZ, add ISA Server to that forest, and configure ISA Server to use that forest's accounts in its access policy rules. However, this is a lot of work, and it requires you to maintain separate accounts in two forests.

If you need users and groups only for authentication, rather than for group-based access rules, you can use a RADIUS server instead. Microsoft's RADIUS server is the Internet Authentication Service (IAS), which is included in Windows Server 2003. This eliminates the need to add ISA Server 2004 to Active Directory as a member server. However, there is one thing you should know about this solution. It may seem as though you can add a group from the RADIUS server to a User Set, but you can't. You can add either an individual account (Specified User Name) from the RADIUS server or everyone (All Users in Namespace), as shown in the screen shot below.
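The following Python simulation is an added example; it is not from the original post and it is not Microsoft's ISA Server or IAS code. It models one RFC 2865 round trip between a RADIUS client such as ISA Server (the NAS) and a RADIUS server such as IAS: the client hides the password under the shared secret and a random Request Authenticator, the server recovers it and answers Accept or Reject, and the client trusts the verdict only if the Response Authenticator proves the reply came from a holder of the secret and is bound to this particular request. The shared secret, the user table and the NAS-Identifier "isa-server" are all constructed for the example. Two things the paragraph above does not spell out: if the password travels as a RADIUS User-Password attribute (PAP), the shared secret is the only thing hiding it on the ISA-to-RADIUS hop, so the secret must be strong and that path should be restricted; and a reply whose code is flipped from Reject to Accept by someone who does not know the secret fails the authenticator check.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept round trip, simulated in memory.
The RADIUS client (ISA Server, the NAS) and the RADIUS server (IAS) are both
modelled here; nothing touches the network. All data below is constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                    # packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32    # attribute types

SHARED_SECRET = b"example-shared-secret"                           # constructed, not a real secret
USER_DB = {"alice": b"Correct-Horse-Battery", "bob": b"hunter2"}   # constructed accounts


def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(blob):
    """Parse TLVs into {type: value}; a length that overruns the buffer is rejected."""
    attrs, i = {}, 0
    while i < len(blob):
        atype, alen = struct.unpack("!BB", blob[i:i + 2])
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs[atype], i = blob[i + 2:i + alen], i + alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Undo hide_password; each step is keyed by the previous *ciphertext* block."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def parse_packet(pkt):
    """Split into (code, identifier, authenticator, attributes); Length must match."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad packet length")
    return pkt[0], pkt[1], pkt[4:20], pkt[20:]


def client_access_request(username, password, secret, ident=7):
    """NAS (ISA) side: build an Access-Request. Returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)                  # fresh per request; keys the hiding
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
                          (NAS_IDENTIFIER, b"isa-server")])      # constructed identifier
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_respond(request, secret, user_db):
    """RADIUS server (IAS) side: recover the password, answer Accept or Reject."""
    code, ident, request_auth, blob = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs, ok = decode_attrs(blob), False
    if USER_NAME in attrs and USER_PASSWORD in attrs:
        user = attrs[USER_NAME].decode(errors="replace")
        ok = user_db.get(user) == reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = encode_attrs([(REPLY_MESSAGE, b"Welcome" if ok else b"Denied")])
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret):
    # it ties the verdict to this request and proves the server knows the secret.
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def client_verify_response(response, request_auth, secret, expected_ident=7):
    """NAS side: trust the verdict only if the Response Authenticator checks out."""
    code, ident, response_auth, blob = parse_packet(response)
    header = struct.pack("!BBH", code, ident, len(response))
    expected = hashlib.md5(header + request_auth + blob + secret).digest()
    if ident != expected_ident or expected != response_auth:
        return "tampered"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown")


def authenticate(username, password, secret=SHARED_SECRET, user_db=USER_DB):
    """One full round trip; returns 'accept', 'reject' or 'tampered'."""
    request, request_auth = client_access_request(username, password, secret)
    return client_verify_response(server_respond(request, secret, user_db), request_auth, secret)


if __name__ == "__main__":
    print(authenticate("alice", "Correct-Horse-Battery"))   # accept
    print(authenticate("bob", "wrong"))                     # reject
```

Note what the Access-Accept does and does not carry: it is a yes or no for one named account. RADIUS does not hand the client a Windows group list unless the server is configured to return extra attributes, which matches the limitation described above, where a RADIUS namespace in a User Set offers only a named user or all users.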

Another option is RSA SecurID, which adds cost. RSA SecurID for Microsoft Windows offers stronger, two-factor authentication by combining something the user knows (a secret PIN) with something the user possesses (a unique RSA SecurID token).

The token generates a new one-time code every 60 seconds. The options for adding SecurID users to a User Set are identical to the RADIUS options: you can add either a Specified User Name or All Users in Namespace.


Copyright ©2005 Zubair Alexander. All rights reserved.
