Forefront Edge Security TechCenter >
Forefront Edge Security Forums
>
Forefront Edge Security – IAG/UAG
>
IAG & AD LDS questions
IAG & AD LDS questions
- Hi,
We are looking to implement an IAG portal for external partners - and would either like to use a separate AD or AD LDS for these external accounts.
At this point in time, I am leaning towards AD LDS however I have a question:
- The external partners will need to create additional user accounts in this new AD LDS store. What I was thinking of is to use Active Directory Management Gateway Service - which should provide them with a Web Portal to do that. What you think?
Can I also presume that IAG & AD LDS would be a more secure route then IAG & AD?
Are there any authentication type limitations if I use AD LDS as opposed to AD?
If I use AD LDS, then IAG won't need to be in the domain?
What if I need to create another portal trunk for intranet users - will non-domain membership affect this in any way?
Also, since the IAG portal will most likely be in the DMZ, should I also place the AD LDS/AD server in the DMZ (for external partner authentication), or in the Intranet?
Any ideas and pointers will greatly help.
Kind regards,
Tom
Answers
- Hi Tom,
IAG does not need to be a domain member to work with AD. It also doesn't have to have the AD server on it's own subnet. IAG uses a repository to communicate with AD, and as long as the route exists and the ports are open, it can work no matter where the server is at. I don't have personal experience with setting up LDS, but as far as I know, it should work seamlessly just like regular AD would.
As for it being more secure - if what you mean is that it will leave your primary AD servers out of the attack path, then yes, it is more secure to some degree. Publishing the management gateway as a web app seems like a viable idea to allow the partner to create accounts. I would strongly advise, though, to keep a close eye on that server, to make sure it's not abused or attacked.
You can create another trunk for internal users with no problem - just use another repository to authenticate against your internal domain. Of course, that will also require the right route and ports to be open.
Good luck
Ben Ari
Microsoft CSS IAG Support
Sammamish, WA- Marked As Answer byBen AriMSFT, OwnerTuesday, October 27, 2009 5:44 PM
All Replies
- Hi Tom,
IAG does not need to be a domain member to work with AD. It also doesn't have to have the AD server on it's own subnet. IAG uses a repository to communicate with AD, and as long as the route exists and the ports are open, it can work no matter where the server is at. I don't have personal experience with setting up LDS, but as far as I know, it should work seamlessly just like regular AD would.
As for it being more secure - if what you mean is that it will leave your primary AD servers out of the attack path, then yes, it is more secure to some degree. Publishing the management gateway as a web app seems like a viable idea to allow the partner to create accounts. I would strongly advise, though, to keep a close eye on that server, to make sure it's not abused or attacked.
You can create another trunk for internal users with no problem - just use another repository to authenticate against your internal domain. Of course, that will also require the right route and ports to be open.
Good luck
Ben Ari
Microsoft CSS IAG Support
Sammamish, WA- Marked As Answer byBen AriMSFT, OwnerTuesday, October 27, 2009 5:44 PM
- awesome, thank you.
