Authenticate users with certificate @ISA(TMG) Proxy server

  • Question

  • Hi,

    following problem: we have users who are authenticating at a UAG portal with user certificates. We want to force them to use the internet access via internal ISA proxy servers. We have implemented that by using an enhanced generic client application which enables the users to connect to the ISA proxy servers via TCP port 8080. However, the problem is that the users are logged in locally with non-domain accounts, i.e. they would need to authenticate again @ISA server with their domain credentials. As a workaround we have set up a rule which allows all requests coming from the internal UAG IP addresses to access the internet, i.e. without any authentication. We are thinking about several ways to enable SSO/authentication for the users:

    - using TMG client
    - using Citrix XenApp over Web Interface and publishing IE

    Any other thoughts? KCD with ISA does not seem to work as we are not using HTTP.

    Best regards

    Thomas

    Tuesday, November 2, 2010 10:32 AM


All replies

  • Would DirectAccess not provide a better solution here, although you imply the clients are non-domain joined so this may not be viable? I assume this is why they are logging on with non-domain accounts?

    I don't see how the TMG client would help here and KCD is not applicable to outbound web proxy, only reverse publishing.

    The only other thing I can think of is creating mirror accounts on the ISA Server(s), but this is pretty messy and not very scalable...

    I think the option of using published IE is probably the most realistic, although you may also want to consider using a RemoteApp solution as this integrates nicely with UAG. Have a look here: http://technet.microsoft.com/en-us/library/dd857295.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, November 2, 2010 10:55 AM
  • Hi Jason,

    sure DA would be *the solution* but as you already said, the problem is that the endpoints (notebooks) are not domain joined.

    RemoteApp would also be a solution instead of XenApp. I had hoped that it might be possible to authenticate against ISA/TMG with a certificate or using any kind of delegation (ADFS?).


    Cheers

    Thomas

    Tuesday, November 2, 2010 11:03 AM
  • Outbound authentication options are much more limited than for reverse publishing. Have you considered third party solutions like Collective Software?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, November 2, 2010 11:09 AM
    > Outbound authentication options are much more limited than for reverse publishing. Have you considered third party solutions like Collective Software?

    http://technet.microsoft.com/en-us/library/cc441695.aspx
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 7:36 PM
    Tuesday, November 2, 2010 11:10 AM
    We did some kind of brainstorming and came up with other potential solutions:

    - using a different forward proxy which supports KCD (e.g. Squid - don't know if it supports Kerberos) or certificate based authentication

    - using a client based solution (the goal is to authenticate the users and to have control over their internet usage)

    - using a cloud based solution (e.g. Websense)

    Tuesday, November 2, 2010 11:24 AM
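    Squid does support Kerberos for outbound proxy authentication through its negotiate_kerberos_auth helper. The squid.conf fragment below is an added illustration, not configuration from this thread or from Microsoft or the Squid project: it places the permissive source-address-only rule (the Squid equivalent of the ISA "allow everything from the UAG addresses" workaround described in the question) beside a rule set that additionally requires a valid Kerberos ticket. The listening port matches the 8080 used in the question; the proxy hostname, realm, UAG address range, helper path and keytab location are assumptions. One caveat a practitioner should weigh before going this way: Negotiate only works once the endpoint holds a ticket for a domain account, so the non-domain-joined notebooks in the question would still be challenged and, with no fallback scheme configured, denied.

```conf
# Added example squid.conf fragment (Squid 3.x directive names), not from the thread.
http_port 8080

# Kerberos (Negotiate) authentication helper.
# Service principal is an assumption; the keytab is normally handed to Squid
# via the KRB5_KTNAME environment variable in its start-up script, e.g.
#   KRB5_KTNAME=/etc/squid/proxy.keytab   (assumed path)
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Internal UAG address range (assumed value) and the auth ACL.
acl uag_hosts src 10.10.10.0/24
acl kerb_auth proxy_auth REQUIRED

# Weak form, equivalent to the ISA workaround in the question: anything that
# arrives from the UAG addresses may browse, with no idea who the user is.
#http_access allow uag_hosts
#http_access deny all

# Hardened form: only the UAG range may talk to the proxy at all, and every
# request must carry valid Kerberos credentials. "deny !kerb_auth" is what
# makes Squid return the 407 challenge to clients that sent none.
http_access deny !uag_hosts
http_access deny !kerb_auth
http_access allow kerb_auth
http_access deny all

# Default log format records the authenticated user name per request, which
# gives the per-user usage control the thread is after.
access_log /var/log/squid/access.log squid
```

    Keep the commented-out weak rules out of a production file; they are shown only to make the contrast visible. The realm name in the helper's -s argument must match the keytab entry, or the helper rejects every ticket.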
  • Hi Jason,

    thanks for the tip with Collective Software (I was not aware of their solutions). Which one of them could be useful in this case?

    Best regards

    Thomas

    Tuesday, November 2, 2010 11:30 AM
    > We did some kind of brainstorming and came up with other potential solutions:
    >
    > - using a different forward proxy which supports KCD (e.g. Squid - don't know if it supports Kerberos) or certificate based authentication
    >
    > - using a client based solution (the goal is to authenticate the users and to have control over their internet usage)
    >
    > - using a cloud based solution (e.g. Websense)

    All good options too ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, November 2, 2010 11:31 AM
    > Hi Jason,
    >
    > thanks for the tip with Collective Software (I was not aware of their solutions). Which one of them could be useful in this case?
    >
    > Best regards
    >
    > Thomas

    I was thinking Captivate may provide a better user experience in the event that you cannot find a delegation solution and users need to provide credentials to TMG.
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 7:36 PM
    Tuesday, November 2, 2010 11:33 AM