  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1769

Permit/Deny Internet Access Based on Active Directory Group Membership?

Hi everyone,

Currently we have Microsoft Active Directory Small Business Server, and use Microsoft ISA server for our firewall.  What I like about ISA is the ability to permit or deny internet access based on Active Directory group membership(s).

I would like to replace our ISA server with a stand-alone firewall appliance (Cisco ASA, CheckPoint, SonicWall, or Juniper).

Does anyone know if the stand-alone firewalls (mentioned above) can permit or deny internet access based on Active Directory group membership? Or perhaps there is software out there that can act as an intermediary between the stand-alone firewall and Active Directory?

Thank you!
Asked by: oxburger
1 Solution
 
Keith Alabaster (Enterprise Architect) commented:
No offence, but there is not much point putting ISA Server in your topic areas list, as I am hardly likely to recommend anything but ISA Server, seeing as that is what I work on all the time :)

You might want to change that TA to Software Firewalls, or something similar, rather than ISA, to give yourself a better spread of responses.

Keith
 
oxburger (Author) commented:
No offense taken, Keith.

I would gladly change the TA if I knew what it was or where to change it :)

Thanks.
 
CBalderson commented:
Is there any reason you would not employ an appliance firewall and also keep ISA for Web Proxy/Firewall Client control using AD groups? This is usually a good combination. You'll get the appliance benefits and configurability of the firewall while keeping your proxy setup. It should be less of an impact to your environment as well (changes etc.). Besides that, as a practice we like to separate the inbound and outbound traffic in most cases, and the combination gives you that option.

If you do want to use Juniper/NetScreen or some other firewall, you'll need to look at RADIUS (Microsoft IAS) to match rules to a policy defined that way. This would be a new one for me to set up, but if you want to do it that way I'll see what I can cook up.

Here is an older document from Juniper on the subject (note: it is old, but it goes over the process).
http://kb.juniper.net/kb/documents/public/ApplicationNotes/Technical/ScreenOS%204.0.0/400_config_screenos_ntdomain.pdf

I hope you decide to go with the combination, as it should yield you far fewer headaches.

Hope that helps
 
oxburger (Author) commented:
Apologies that it took so long to post back to this thread.

Thank you, CBalderson, for your help. I like the idea of using ISA and a stand-alone firewall appliance, and I'll probably go with that.

Now my only concern is: what if the ISA server went down? Your thoughts?

Thanks again!
 
CBalderson commented:
In our config we use a cluster firewall (that is easy to set up), then for ISA we use a stand-by server. In ISA you can specify a server to fail over to via the Firewall Client. For the Web Proxy Client we resolve proxy.company.com to the IP of the production ISA server. If there was a failure on the primary ISA, the Firewall Clients would automatically go to the failover (still a stand-alone ISA), but you would need to modify the DNS record for proxy to address the Web Proxy Clients.

Note: if you like this setup, remember that DNS records cache on the client, so if you test you'll need to flush the DNS cache by typing ipconfig /flushdns. Also, in DNS, modify the A record for proxy to have a short TTL (time to live), so if you did have an outage you can make the change and not worry about touching clients.

Hopefully that makes sense.
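The DNS-swing step described above, as an added example that is not part of the thread and not CBalderson's own tooling. It probes the production ISA's web-proxy listener and, if that is down but the stand-by answers, repoints the proxy A record at the stand-by with a short TTL. The zone name (company.com), record name (proxy), both IP addresses, and port 8080 are assumed values; it uses the DnsServer PowerShell module (Windows Server DNS role) and must run with rights to edit the zone. The Firewall Client failover is left to ISA itself, as the post says; this only covers Web Proxy Clients.

```powershell
# Added example: swing proxy.<zone> between the production and stand-by ISA web proxy.
# Assumed values: zone, record name, IPs and port below are placeholders, not from the thread.
$ZoneName   = 'company.com'                 # assumed AD-integrated DNS zone
$RecordName = 'proxy'                       # proxy.company.com, as used by the Web Proxy Clients
$PrimaryIp  = '192.0.2.10'                  # assumed production ISA
$StandbyIp  = '192.0.2.11'                  # assumed stand-by ISA
$ProxyPort  = 8080                          # ISA web-proxy listener default
$ShortTtl   = [TimeSpan]::FromMinutes(5)    # short TTL so clients pick up a change quickly

function Test-IsaWebProxy {
    param([string]$Ip, [int]$Port)
    # A plain TCP connect is enough to tell whether the proxy listener is up.
    $r = Test-NetConnection -ComputerName $Ip -Port $Port -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

function Set-ProxyRecord {
    param([string]$TargetIp)
    # Assumes exactly one A record exists for the proxy name; -ErrorAction Stop aborts if none.
    $old = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType A -ErrorAction Stop
    $current = $old.RecordData.IPv4Address.IPAddressToString
    if ($current -eq $TargetIp -and $old.TimeToLive -eq $ShortTtl) {
        Write-Host "$RecordName.$ZoneName already points at $TargetIp (TTL $ShortTtl)"
        return
    }
    # Set-DnsServerResourceRecord replaces a record in place: clone the old one, edit, commit.
    $new = $old.Clone()
    $new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($TargetIp)
    $new.TimeToLive = $ShortTtl
    Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $old -NewInputObject $new
    Write-Host "$RecordName.$ZoneName changed: $current -> $TargetIp (TTL $ShortTtl)"
}

if (Test-IsaWebProxy -Ip $PrimaryIp -Port $ProxyPort) {
    # Normal state: keep (or restore) the record on the production ISA.
    Set-ProxyRecord -TargetIp $PrimaryIp
}
elseif (Test-IsaWebProxy -Ip $StandbyIp -Port $ProxyPort) {
    # Primary down, stand-by up: swing the Web Proxy Clients over.
    Set-ProxyRecord -TargetIp $StandbyIp
}
else {
    Write-Warning "Neither ISA server answers on port $ProxyPort; leaving DNS unchanged"
}
```

Run it by hand during an outage, or as a scheduled task on the DNS server if you want the swing to be automatic. Two caveats: clients still hold the old answer until the TTL expires (so run ipconfig /flushdns when testing, as the post notes), and because the script also swings back as soon as the primary answers again, a flapping primary will flap the record with it; if that is a concern, drop the first branch and restore the production address manually.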
