11.07.2007 at 04:42PM PST, ID: 22946438
SSL VPN authentication to 2 Windows Domains

Asked by brownmattc in Virtual Private Networking (VPN), Windows 2003 Server, Secure Socket Layer (SSL) & HTTPS


I am currently setting up a Windows domain to authenticate users for some services. In this case the services to be hosted by this domain are simply OWA and a SharePoint site. The users that will be part of this domain (call it the Service domain) will be external to the company. They will have domain user accounts.

I also have my corporate domain that has all of our users in it. All of these users will also need to access the SharePoint site in the new domain. Call this domain the Corporate domain.

These two domains will be set up as completely separate forests. This is not something that can be changed.

The information that will be hosted on the SharePoint site in the Service domain is of a nature that it needs to be secured. As a result there will be no direct public access to this site. In order to facilitate this access we will be deploying SSL VPN and using RADIUS to authenticate our users. This is where the question comes in.

In order to authenticate our users we will need to point the authentication at both domains/forests in order to authenticate users from each place. In order to do this we have a couple of thoughts:

Solution 1:
Create a one-way forest trust between the two domains so that the Service domain trusts the Corporate domain (basically the Service domain should have no access into the Corporate domain). Then point the authentication at the Service domain and hope that it can authenticate users in both domains. I believe that is the way forest trust authentication is supposed to work, but we are unsure how it passes the information back and forth between the forests and if that info would travel fast enough to satisfy the Cisco equipment.

Solution 2:
Use some kind of RADIUS proxy server to handle the authentication requests and configure the proxy to pass the authentication requests to one domain or the other based on the suffix of the login (users will use user@servicedomain.corporate_domain.com user accounts). So basically, if they have a subdomain in their username then the authentication requests are passed to the Service domain. Otherwise they are passed to the Corporate domain.

Both solutions require a tunnel to be configured between the two domains and the two sites (as the physical equipment is located in two separate locations).

What I am wondering is which one will work and which one might be better. Does the Windows authentication work as I have detailed? Would a RADIUS proxy be able to pass the requests to each domain? Are there any other suggestions?

Thank You,

Matt
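The following is an added example of the realm-routing logic behind Solution 2; it is not code from the question above, from the accepted solution, or from any vendor's RADIUS proxy. It models a proxy sitting between the SSL VPN (the NAS) and the two domains' RADIUS servers: it parses an RFC 2865 Access-Request, picks a home server from the realm part of User-Name (user@realm or DOMAIN\user, with bare usernames going to the Corporate domain as the question proposes), and re-hides the PAP User-Password under the home server's shared secret, which is the step a real proxy must perform because the NAS and the home server do not share a secret. The realm table, server names and secrets are assumptions. One deliberate departure from the question's "otherwise send it to Corporate" rule: a suffix that is not in the table is rejected rather than defaulted, so a mistyped or attacker-chosen realm cannot be bounced against the Corporate domain controllers.

```python
"""RADIUS realm-routing proxy core (Access-Request / PAP only, RFC 2865).

Added example, not the question's or any product's code. Realm table,
host names and secrets are assumptions for illustration.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Assumed realm table: lower-cased realm -> (home server name, proxy<->home secret).
# "corp" stands in for the Corporate forest's NetBIOS name (DOMAIN\user logins).
REALMS = {
    "servicedomain.corporate_domain.com": ("service-dc", b"svc-secret"),
    "corporate_domain.com": ("corporate-dc", b"corp-secret"),
    "corp": ("corporate-dc", b"corp-secret"),
}
DEFAULT_REALM = "corporate_domain.com"  # bare "user" logins, as in the question


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), where the first 'previous block' is the
    Request Authenticator and later ones are the previous *ciphertext* block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; chains on the ciphertext block just consumed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips the zero padding (passwords contain no NUL)


def build_access_request(ident: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    """Return (identifier, authenticator, [(type, value), ...]) or raise."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = [], 20
    while pos < length:
        t, l = struct.unpack("!BB", pkt[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return ident, pkt[4:20], attrs


def split_realm(user_name: str):
    """user@realm or DOMAIN\\user -> (user, realm); bare user -> default realm."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
    elif "\\" in user_name:
        realm, user = user_name.split("\\", 1)
    else:
        user, realm = user_name, DEFAULT_REALM
    return user, realm.lower()


def route(realm: str):
    """Exact-match lookup; an unknown realm yields None (reject, never default)."""
    return REALMS.get(realm)


def proxy(pkt: bytes, nas_secret: bytes):
    """Return (home server name, packet to forward) or (None, None) to reject."""
    ident, auth, attrs = parse_packet(pkt)
    present = dict(attrs)
    if ATTR_USER_NAME not in present or ATTR_USER_PASSWORD not in present:
        return None, None
    _, realm = split_realm(present[ATTR_USER_NAME].decode("utf-8"))
    target = route(realm)
    if target is None:
        return None, None
    home, home_secret = target
    # The NAS hid the password under the NAS<->proxy secret; the home server only
    # knows the proxy<->home secret, so unhide and re-hide under a fresh authenticator.
    password = pap_unhide(present[ATTR_USER_PASSWORD], nas_secret, auth)
    new_auth = os.urandom(16)
    forwarded = [(t, pap_hide(password, home_secret, new_auth) if t == ATTR_USER_PASSWORD else v)
                 for t, v in attrs]
    return home, build_access_request(ident, new_auth, forwarded)
```

Only the PAP User-Password attribute needs the secret-dependent rewrite; CHAP and MS-CHAPv2 credentials are not hidden with the shared secret on the request, so a proxy forwards them unchanged and the home domain verifies them itself. Whatever the proxy does with the suffix, the home server still has to find the user, so the User-Name should be forwarded in a form that domain accepts (the example keeps it intact; stripping the realm is a per-home-server decision).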
11.07.2007 at 08:42PM PST, ID: 20239219

About this solution

Zones: Virtual Private Networking (VPN), Windows 2003 Server, Secure Socket Layer (SSL) & HTTPS
Tags: ssl, vpn, cisco, authentication, windows
Solution Provided By: markpalinux
Participating Experts: 1
Solution Grade: A