ISA Server 2004 Configuration Guide
Introduction
The Microsoft Internet Authentication Service (IAS) is an industry-standard RADIUS server that
can be used to authenticate users connecting to the ISA Server 2004 firewall machine. You
can use IAS to authenticate Web Proxy clients on the internal network and VPN clients and
VPN gateways calling in from an external network location. In addition, you can use RADIUS
authentication for remote users who connect to Web servers published using ISA Server 2004
Web Publishing rules.
The major advantage of using RADIUS authentication for Web Proxy and VPN connections is
that the ISA Server 2004 firewall computer does not need to be a member of the domain to
authenticate users whose accounts are contained in the Active Directory on the internal
network. Many firewall administrators recommend that the firewall not be a member of the
user domain. This prevents attackers who may compromise the firewall from taking
advantage of the firewall’s domain member status to amplify an attack against the internal
network.
One major drawback to not making the ISA Server 2004 firewall a member of the internal
network domain is that you cannot use the Firewall client to provide authenticated access to
all TCP and UDP protocols. For this reason, we make the ISA Server 2004 firewall computer
a member of the domain in this ISA Server 2004 Configuration Guide series. However, if
you choose to not join the firewall to the domain, you can still use IAS to authenticate your
VPN and Web Proxy clients.
We will discuss the following procedures in this document:
• Installing the Microsoft Internet Authentication Service
• Configuring the Microsoft Internet Authentication Service