
Windows 2000 uses the Lightweight Directory Access Protocol (LDAP), a streamlined version of DAP (Directory Access Protocol). The Directory Access Protocol (DAP) is the protocol used in X.500 Directory Services to control communication between the Directory User Agent and the Directory System Agent.

The Directory User Agent (DUA) provides functionality that can be implemented in all sorts of user interfaces through dedicated DUA clients, Web server gateways, or e-mail applications.

In X.500, the Directory System Agent (DSA) is the database in which directory information is stored. This database is hierarchical in form, designed to provide fast and efficient search and retrieval.

Unlike X.500, LDAP runs over TCP/IP, which is necessary for any type of Internet access. LDAP is an open protocol, and applications are independent of the server platform hosting the directory.

The Active Directory is not an X.500 directory. Instead, it uses LDAP as the
access protocol and supports the X.500 information model without requiring
systems to host the entire X.500 overhead. The result is the high level of
interoperability required for administering real-world, heterogeneous
networks.

The Active Directory supports access via the LDAP protocol from any LDAP-enabled client. LDAP names are less intuitive than Internet names, but the complexity of LDAP naming is usually hidden within an application. LDAP names use the X.500 naming convention called "Attributed Naming."

An example of an LDAP client is Outlook Express.

A Windows 2000 Domain Controller is an LDAP server and contains all your domain information, such as user accounts and groups.

A Windows 2000 Domain Controller can also be a Global Catalog (GC) server, which contains forest-wide information. You can send queries to a Global Catalog server to look up user attributes such as email address, street address and phone number.

Step 1: Creating a Protocol Definition for an LDAP Server

1. Expand the Policy Elements node in the ISA Management console and right click on the Protocol Definitions node. Click New and then click Definition.
2. On the Welcome page, type the name of the Protocol Definition, for example LDAP Server, and click Next.
3. On the Primary Connection Information page, type 389 for the Port number, TCP for the Protocol Type and Inbound for the Direction, then click Next.
4. On the Secondary Connection page select No and click Next.
5. On the last page click Finish.

Step 2: Create a Server Publishing rule to publish an LDAP Server

1. Expand the Publishing node in the ISA Management console and right click on the Server Publishing node. Click New and click Rule.
2. On the Welcome page, type in the name of the rule, for example LDAP Server, and click Next.
3. On the Address Mapping page, type in the IP address of the internal server, which is the IP address of your internal Domain Controller, and the External IP address on the ISA server, which is the IP address of the external interface of ISA, then click Next.
4. On the Protocol Settings page, select the LDAP Server protocol definition that we created above and click Next.
5. On the Client Type page, select the client type to which you want this rule applied and click Next.
6. On the last page click Finish.

Step 3: Configure Outlook Express to use your published LDAP Server

1. Open Outlook Express on a client computer.
2. From the menu, select Tools and then Accounts.
3. Click on Directory Services, click on the Add button and select Directory Service.
4. On the Internet Directory Service Name page, type in the FQDN or external IP address of the ISA server, select This server requires me to log on, and click Next.
5. On the Internet Directory Server Logon page, type in the Account name text box a domain user that has permission to access the domain controller, in the form domainname\username. In the Password text box, type in the password for that user account and click Next.
6. On the Check E-mail addresses page, select Yes if you want to check recipient email addresses against your LDAP Server, otherwise choose No, then click Next. Choosing No gives Outlook Express a faster response.
7. On the Congratulations page, click Finish.
8. Select your Directory Service from the list view, click Properties and then Advanced.
9. Verify that the Directory Service Port Number is 389.
10. If you send the queries directly to an LDAP server you need to specify a Search Base. Type in the Search Base text box DC=domainname,DC=toplevel, for example DC=roswell,DC=edu.
11. Click Apply, click OK and close the Internet Accounts dialog box.

Step 4: Testing the connection

1. Click Addresses on the Outlook toolbar; in the Address Book window, click Find People on the toolbar.
2. In the Find People dialog box, select the directory service that you just added. Type in the Name text box the username whose email address you want to search for and click Find.
3. Click Close to exit all windows.

Publishing a Global Catalog Server

Instead of publishing an LDAP server you can publish a Global Catalog server from within your private network. In most cases the GC is the same machine as your DC, but you can use another machine that functions as a GC.

Step 1: Creating a Protocol Definition for a Global Catalog Server

1. Expand the Policy Elements node in the ISA Management console and right click on the Protocol Definitions node. Click New and then click Definition.
2. On the Welcome page, type the name of the Protocol Definition, for example GC Server, and click Next.
3. On the Primary Connection Information page, type 3268 for the Port number, TCP for the Protocol Type and Inbound for the Direction, then click Next.
4. On the Secondary Connection page select No and click Next.
5. On the last page click Finish.

Step 2: Create a Server Publishing rule to publish a Global Catalog Server

1. Expand the Publishing node in the ISA Management console and right
click on the Server Publishing node. Click New and click Rule.
2. On the Welcome page, type in the name of the rule, example GC
Server, click Next.
3. On the Address Mapping page, type in the IP address of the internal
server, which is the IP address of your internal Domain Controller and
the External IP address on the ISA server, which is the IP address on
your external interface of ISA, click Next.
4. On the Protocols Settings page, select the GC Server protocol
definition that we created above, click Next.
5. On the Client Type page, select the client type to which you want this
rule applied and click Next.
6. On the last page click Finish.

Step 3: Configure Outlook Express to use your published GC Server

1. Open Outlook Express on a client computer.
2. From the menu, select Tools and then Accounts.
3. Click on Directory Services, click on the Add button and select Directory Service.
4. On the Internet Directory Service Name page, type in the FQDN or external IP address of ISA, select This server requires me to log on, and click Next.
5. On the Internet Directory Server Logon page, type in the Account name text box a domain user that has permission to access the global catalog, in the form domainname\username. In the Password text box, type in the password for that user account and click Next.
6. On the Check E-mail addresses page, select Yes if you want to check recipient email addresses against your GC Server, otherwise choose No, then click Next. Choosing No gives Outlook Express a faster response.
7. On the Congratulations page, click Finish.
8. Select your Directory Service from the list view, click Properties and then Advanced.
9. Verify that the Directory Service Port Number is 3268.
10. If you send the queries directly to an LDAP server you need to specify a Search Base. Type in the Search Base text box NULL, without quotes.
11. Click Apply, click OK and close the Internet Accounts dialog box.

Step 4: Testing the connection

1. Click Addresses on the Outlook toolbar; in the Address Book window, click Find People on the toolbar.
2. In the Find People dialog box, select the directory service that you just added. Type in the Name text box the username whose email address you want to search for and click Find.
3. Click Close to exit all windows.

Important
Every time a user performs a query to your LDAP/GC server from Outlook Express, the username and password of the account used to query the LDAP/GC server are sent in clear text. The queries sent to the LDAP/GC server and the responses (email addresses and user information) are also sent in clear text. This is a security risk: users' email addresses are sent in clear text over the Internet and can be harvested for spam, and the directory account's credentials can be captured by anyone able to observe the traffic.

Encrypting Traffic From an LDAP Client to the ISA Server using SSL

Perform the following steps to encrypt traffic from an LDAP client to the
ISA Server using SSL:

Step 1: Obtain a certificate for the ISA server

1. Before a user application outside the organization can set up an SSL session, your ISA server must have a certificate. An ISA server can obtain a computer certificate through group policy.
2. Install an Enterprise CA on a Windows 2000 Domain Controller.
3. Open the Default Domain Controllers Policy using the Group Policy Editor.
4. Under Computer Configuration, click Windows Settings.
5. Click Security Settings, and then click Public Key Policies.
6. Click Automatic Certificate Request Settings.
7. Use the wizard to add a policy for Computers.
8. Open the ISA Management console, right click on the server name and select Properties.
9. On the Incoming Web Requests page, enable SSL listeners and click Apply.
10. Verify that port 443 for SSL is available.
11. Close this dialog box.

Note: You can use the above procedure to request a certificate for Domain Controllers (LDAP servers), but instead of Computers, use a Domain Controller policy.

Step 2: Creating a Protocol Definition for a Secure LDAP Server

1. Expand the Policy Elements node in the ISA Management console and right click on the Protocol Definitions node. Click New and then click Definition.
2. On the Welcome page, type the name of the Protocol Definition, for example Secure LDAP Server, and click Next.
3. On the Primary Connection Information page, type 636 for the Port number, TCP for the Protocol Type and Inbound for the Direction, then click Next.
4. On the Secondary Connection page select No and click Next.
5. On the last page click Finish.

Step 3: Create a Server Publishing rule to publish a Secure LDAP Server

1. Expand the Publishing node in the ISA Management console and right click on the Server Publishing node. Click New and click Rule.
2. On the Welcome page, type in the name of the rule, for example Secure LDAP Server, and click Next.
3. On the Address Mapping page, type in the IP address of the internal server, which is the IP address of your internal Domain Controller, and the External IP address on the ISA server, which is the IP address of the external interface of ISA, then click Next.
4. On the Protocol Settings page, select the Secure LDAP Server protocol definition that we created above and click Next.
5. On the Client Type page, select the client type to which you want this rule applied and click Next.
6. On the last page click Finish.

Step 4: Configure Outlook Express to use your published Secure LDAP Server

1. Open Outlook Express on a client computer.
2. From the menu, select Tools and then Accounts.
3. Click on Directory Services, click on the Add button and select Directory Service.
4. On the Internet Directory Service Name page, type in the FQDN or external IP address of ISA, select This server requires me to log on, and click Next.
5. On the Internet Directory Server Logon page, type in the Account name text box a domain user that has permission to access the domain controller, in the form domainname\username. In the Password text box, type in the password for that user account and click Next.
6. On the Check E-mail addresses page, select Yes if you want to check recipient email addresses against your LDAP Server, otherwise choose No, then click Next. Choosing No gives Outlook Express a faster response.
7. On the Congratulations page, click Finish.
8. Select your Directory Service from the list view, click Properties and then Advanced.
9. Check the This server requires a secure connection check box. Verify that the Directory Service Port Number is 636.
10. If you send the queries directly to an LDAP server you need to specify a Search Base. Type in the Search Base text box DC=domainname,DC=toplevel, for example DC=roswell,DC=edu.
11. Click Apply, click OK and close the Internet Accounts dialog box.

Step 5: Testing the connection

1. Click Addresses on the Outlook toolbar; in the Address Book window, click Find People on the toolbar.
2. In the Find People dialog box, select the directory service that you just added. Type in the Name text box the username whose email address you want to search for and click Find.
3. An SSL tunnel is first created between the Outlook Express client and the ISA server; only then are the queries sent.
4. Click Close to exit all windows.

Instead of publishing a Secure LDAP server you can publish a Secure Global Catalog server from within your private network.

Step 1: Creating a Protocol Definition for a Secure Global Catalog Server

1. Expand the Policy Elements node in the ISA Management console and right click on the Protocol Definitions node. Click New and then click Definition.
2. On the Welcome page, type the name of the Protocol Definition, for example GC Server, and click Next.
3. On the Primary Connection Information page, type 3269 for the Port number, TCP for the Protocol Type and Inbound for the Direction, then click Next.
4. On the Secondary Connection page select No and click Next.
5. On the last page click Finish.

Step 2: Create a Server Publishing rule to publish a Secure Global Catalog Server

1. Expand the Publishing node in the ISA Management console and right click on the Server Publishing node. Click New and click Rule.
2. On the Welcome page, type in the name of the rule, for example Secure GC Server, and click Next.
3. On the Address Mapping page, type in the IP address of the internal server, which is the IP address of your internal Domain Controller, and the External IP address on the ISA server, which is the IP address of the external interface of ISA, then click Next.
4. On the Protocol Settings page, select the Secure GC Server protocol definition that we created above and click Next.
5. On the Client Type page, select the client type to which you want this rule applied and click Next.
6. On the last page click Finish.

Step 3: Configure Outlook Express to use your published Secure GC Server

1. Open Outlook Express on a client computer.
2. From the menu, select Tools and then Accounts.
3. Click on Directory Services, click on the Add button and select Directory Service.
4. On the Internet Directory Service Name page, type in the FQDN or external IP address of ISA, select This server requires me to log on, and click Next.
5. On the Internet Directory Server Logon page, type in the Account name text box a domain user that has permission to access the global catalog, in the form domainname\username. In the Password text box, type in the password for that user account and click Next.
6. On the Check E-mail addresses page, select Yes if you want to check recipient email addresses against your GC Server, otherwise choose No, then click Next. Choosing No gives Outlook Express a faster response.
7. On the Congratulations page, click Finish.
8. Select your Directory Service from the list view, click Properties and then Advanced.
9. Check the This server requires a secure connection check box.
10. Verify that the Directory Service Port Number is 3269.
11. If you send the queries directly to an LDAP server you need to specify a Search Base. Type in the Search Base text box NULL, without quotes.
12. Click Apply, click OK and close the Internet Accounts dialog box.

Step 4: Testing the connection

1. Click Addresses on the Outlook toolbar; in the Address Book window, click Find People on the toolbar.
2. In the Find People dialog box, select the directory service that you just added. Type in the Name text box the username whose email address you want to search for and click Find.
3. An SSL tunnel is first created between the Outlook Express client and the ISA server; only then are the queries sent.
4. Click Close to exit all windows.

Summary

LDAP Directory Service Port Number is 389
LDAP over SSL Directory Service Port Number is 636
GC Directory Service Port Number is 3268
GC over SSL Directory Service Port Number is 3269


Latest articles by Johan Loos

• Publishing FTP server on ISA


Windows 2000 use Lightweight Directory Access Protocol (LDAP) a


streamlined version of DAP (Directory Access Protocol). The Directory
Access Protocol (DAP) is a protocol used in X.500 Directory Services for
controlling communications between the Directory User Agent and Directory
System Agent.

The Directory User Agent (DUA) provides functionality that can be


implemented in all sorts of user interfaces through dedicated DUA clients,
Web server gateways, or e-mail applications.

In X.500, the Directory System Agent (DSA) is the database in which


directory information is stored. This database is hierarchical in form,
designed to provide fast and efficient search and retrieval.

Contrary to X.500, LDAP supports TCP/IP, which is necessary for any type
of Internet access. LDAP is an open protocol, and applications are
independent of the of server platform hosting the directory.

The Active Directory is not an X.500 directory. Instead, it uses LDAP as the
access protocol and supports the X.500 information model without requiring
systems to host the entire X.500 overhead. The result is the high level of
interoperability required for administering real-world, heterogeneous
networks.

The Active Directory supports access via the LDAP protocol from any
LDAP- enabled client. LDAP names are less intuitive than Internet names,
but the complexity of LDAP naming is usually hidden within an application.
LDAP names use the X.500 naming convention called "Attributed Naming."

An example of an LDAP client is Outlook Express.

A Windows 2000 Domain Controller is a LDAP server and contains all your
domain information like user accounts and groups.

A Windows 2000 Domain Controller can also be a Global Catalog (GC)


server which contains Forest wide information. You can sent queries to a
Global Catalog server to ask user attributes information like email address,
street address and phone numbers.

Step 1: Creating a Protocol Definition for a LDAP Server

1. Expand the Policy Elements node in ISA Management console and


right click on the Protocols Definitions node. Click New and then click
Definition.
2. On the Welcome page, type the name of the Protocol Definition,
example LDAP Server, click Next.
3. On the Primary Connection Information page, type 389 for the Port
number, TCP for the Protocol Type and Inbound for the Direction,
click Next.
4. On the Secondary Connection page select No and click Next.
5. On the last page click Finish.

Step 2: Create a Server Publishing rule to publish a LDAP Server

1. Expand the Publishing node in the ISA Management console and right
click on the Server Publishing node. Click New and click Rule.
2. On the Welcome page, type in the name of the rule, example LDAP
Server, click Next.
3. On the Address Mapping page, type in the IP address of the internal
server, which is the IP address of your internal Domain Controller and
the External IP address on the ISA server, which is the IP address on
your external interface of ISA, click Next.
4. On the Protocols Settings page, select the LDAP Server protocol
definition that we created above, click Next.
5. On the Client Type page, select the client type to which you want this
rule applied and click Next.
6. On the last page click Finish.

Step 3: Configure Outlook Express to use your published LDAP Server

1. Open Outlook Express from a client computer.


2. From the menu, select Tools and Accounts.
3. Click on Directory Services, click on the Add button and select
Directory Service.
4. On the Internet Directory Service Name page, type in the FQDN or
External IP address of ISA server, select This server requires me to log
on, click Next.
5. On the Internet Directory Server Logon page, type in the text box
Account name a domain user that have permissions to access the
domain controller as follow domainname\username. In the password
text box, type in the password for that user account, click Next.
6. On the Check E-mail addresses page, select Yes if you want to check
recipient email addresses against your LDAP Server, otherwise choose
No, click Next.
No performs faster response to Outlook Express.

7. On the Congratulations page, click Finish


8. Select your Directory Service from the listview, click Properties and
Advanced.
9. Verify if the Directory Service Port Number is 389
10. If you send the queries directly to a LDAP server you need the specify
a Search Base. Type in the Search Base textbox
DC=domainname,DC=toplevel, example : DC=roswell,DC=edu.

11. Click Apply, click OK and Close the Internet Account dialog box.

Step 4: Testing the connection

1. Click Addresses on the Outlook toolbar, in the Address Book window,


click Find People on the toolbar.
2. In the Find window dialog box, select the directory service that you
just added. Type in the name text box the username you want to search
the email address for and click Find.
3. Click Close to exit all windows.

Publishing a Global Catalog Server

Instead of publishing a LDAP server you can publish a Global Catalog server
from within your private network. In most cases the GC is the same machine
as your DC, but you can use another machine that function as a GC.
Step 1: Creating a Protocol Definition for a Global Catalog Server

1. Expand the Policy Elements node in ISA Management console and


right click on the Protocols Definitions node. Click New and then click
Definition.
2. On the Welcome page, type the name of the Protocol Definition,
example GC Server, click Next.
3. On the Primary Connection Information page, type 3268 for the Port
number, TCP for the Protocol Type and Inbound for the Direction,
click Next.

4. On the Secondary Connection page select No and click Next.


5. On the last page click Finish.

Step 2: Create a Server Publishing rule to publish a Global Catalog Server

1. Expand the Publishing node in the ISA Management console and right
click on the Server Publishing node. Click New and click Rule.
2. On the Welcome page, type in the name of the rule, example GC
Server, click Next.
3. On the Address Mapping page, type in the IP address of the internal
server, which is the IP address of your internal Domain Controller and
the External IP address on the ISA server, which is the IP address on
your external interface of ISA, click Next.
4. On the Protocols Settings page, select the GC Server protocol
definition that we created above, click Next.
5. On the Client Type page, select the client type to which you want this
rule applied and click Next.
6. On the last page click Finish.

Step 3: Configure Outlook Express to use your published GC Server

1. Open Outlook Express from a client computer.


2. From the menu, select Tools and Accounts.
3. Click on Directory Services, click on the Add button and select
Directory Service.
4. On the Internet Directory Service Name page, type in the FQDN or
External IP address of ISA, select This server requires me to log on,
click Next.
5. On the Internet Directory Server Logon page, type in the text box
Account name a domain user that have permissions to access the
global catalog as follow domainname\username. In the password text
box, type in the password for that user account, click Next.
6. On the Check E-mail addresses page, select Yes if you want to check
recipient email addresses against your GC Server, otherwise choose
No, click Next.
No performs faster response to Outlook Express.
7. On the Congratulations page, click Finish
8. Select your Directory Service from the listview, click Properties and
Advanced.
9. Verify if the Directory Services Port Number is 3268
10. If you send the queries directly to a LDAP server you need the specify
a Search Base. Type in the Search Base textbox “NULL”, without
quotes.
11. Click Apply, click OK and Close the Internet Account dialog box.

Step 4: Testing the connection

1. Click Addresses on the Outlook toolbar, in the Address Book window,


click Find People on the toolbar.
2. In the Find window dialog box, select the directory service that you
just added. Type in the name text box the username you want to search
the email address for and click Find.
3. Click Close to exit all windows.

Important
Every time a user performs a query to your LDAP/GC server within Outlook
Express, the username and password of the account that is used to query your
LDAP/GC server is sent in clear text. Also queries sent to the LDAP/GC and
responses (email addressees and user information) are sent in clear text. This
can be a security risk, because users email addresses where sent in clear text
over the internet and can be used for spamming mail.

Encrypting Traffic From an LDAP Client to the ISA Server using SSL

Perform the following steps to encrypt traffic from an LDAP client to the
ISA Server using SSL:

Step 1: Obtain a certificate for the ISA server

1. Before a user application outside the organization can set up an SSL


session, your ISA server must have a certificate. An ISA server can
obtain a computer certificate through group policies
2. Install an Enterprise CA on a Windows 2000 Domain Controller.
3. Open the Default Controller Policy using Group Policy Editor.
4. Under Computer Configuration, click Windows Settings.
5. Click Security Settings, and then click Public Key Policies.
6. Click Automatic Certificate Request Settings.
7. Use the wizard to add a policy for Computers
8. Open the ISA Management console and right click on the server name,
select Properties.
9. On the Incoming Web Requests page, enable SSL listeners, click
Apply.
10.Verify that port 443 for SSL is available.
11. Close this dialog box.

Note: You can use above procedure to ask a certificate for Domain
Controllers (LDAP servers), but instead of Computers, use a Domain
Controller policy.

Step 2: Creating a Protocol Definition for a Secure LDAP Server


1. Expand the Policy Elements node in ISA Management console and
right click on the Protocols Definitions node. Click New and then click
Definition.
2. On the Welcome page, type the name of the Protocol Definition,
example Secure LDAP Server, click Next.
3. On the Primary Connection Information page, type 636 for the Port
number, TCP for the Protocol Type and Inbound for the Direction,
click Next.

4. On the Secondary Connection page select No and click Next.


5. On the last page click Finish.

Step 3: Create a Server Publishing rule to publish a Secure LDAP Server

1. Expand the Publishing node in the ISA Management console and right
click on the Server Publishing node. Click New and click Rule.
2. On the Welcome page, type in the name of the rule, example Secure
LDAP Server, click Next.
3. On the Address Mapping page, type in the IP address of the internal
server, which is the IP address of your internal Domain Controller and
the External IP address on the ISA server, which is the IP address on
your external interface of ISA, click Next.
4. On the Protocols Settings page, select the Secure LDAP Server
protocol definition that we created above, click Next.

5. On the Client Type page, select the client type to which you want this
rule applied and click Next.
6. On the last page click Finish.

Step 4: Configure Outlook Express to use your published Secure LDAP


Server

1. Open Outlook Express from a client computer.


2. From the menu, select Tools and Accounts.
3. Click on Directory Services, click on the Add button and select
Directory Service.
4. On the Internet Directory Service Name page, type in the FQDN or
External IP address of ISA, select This server requires me to log on,
click Next.
5. On the Internet Directory Server Logon page, type in the text box
Account name a domain user that have permissions to access the
domain controller as follow domainname\username. In the password
text box, type in the password for that user account, click Next.
6. On the Check E-mail addresses page, select Yes if you want to check
recipient email addresses against your LDAP Server, otherwise choose
No, click Next.
No performs faster response to Outlook Express.
7. On the Congratulations page, click Finish
8. Select your Directory Service from the listview, click Properties and
Advanced.
9. Check This server requires a secure connection check box. Verify if
the Directory Service Port Number is 636
10. If you send the queries directly to a LDAP server you need the specify
a Search Base. Type in the Search Base textbox
DC=domainname,DC=toplevel, example : DC=roswell,DC=edu.

11. Click Apply, click OK and Close the Internet Account dialog box.

Step 5: Testing the connection

1. Click Addresses on the Outlook toolbar, in the Address Book window,


click Find People on the toolbar.
2. In the Find window dialog box, select the directory service that you
just added. Type in the name text box the username you want to search
the email address for and click Find.
3. First an SSL tunnel is created between the Outlook Express client and
the ISA server before queries will be send.
4. Click Close to exit all windows.

Instead of publishing a Secure LDAP server you can publish a Secure Global
Catalog server from within your private network

Step 1: Creating a Protocol Definition for a Secure Global Catalog Server

1. Expand the Policy Elements node in ISA Management console and


right click on the Protocols Definitions node. Click New and then click
Definition.
2. On the Welcome page, type the name of the Protocol Definition,
example GC Server, click Next.
3. On the Primary Connection Information page, type 3269 fot the Port
number, TCP for the Protocol Type and Inbound for the Direction,
click Next.
4. On the Secondary Connection page select No and click Next.
5. On the last page click Finish.

Step 2: Create a Server Publishing rule to publish a Secure Global Catalog Server

1. Expand the Publishing node in the ISA Management console and
right-click the Server Publishing node. Click New and then click Rule.
2. On the Welcome page, type the name of the rule, for example Secure
GC Server, and click Next.
3. On the Address Mapping page, type in the IP address of the internal
server, which is the IP address of your internal Domain Controller and
the External IP address on the ISA server, which is the IP address on
your external interface of ISA, click Next.
4. On the Protocols Settings page, select the Secure GC Server protocol
definition that we created above, click Next.
5. On the Client Type page, select the client type to which you want this
rule applied and click Next.
6. On the last page click Finish.

Step 3: Configure Outlook Express to use your published Secure GC Server

1. Open Outlook Express from a client computer.
2. From the menu, select Tools and then Accounts.
3. Click on Directory Services, click on the Add button and select
Directory Service.
4. On the Internet Directory Service Name page, type in the FQDN or
External IP address of ISA, select This server requires me to log on,
click Next.
5. On the Internet Directory Server Logon page, type in the Account name
text box a domain user that has permission to access the global catalog,
written as domainname\username. In the Password text box, type the
password for that user account, then click Next.
6. On the Check E-mail addresses page, select Yes if you want to check
recipient e-mail addresses against your GC server, otherwise choose
No, then click Next. Choosing No gives Outlook Express faster responses.
7. On the Congratulations page, click Finish.
8. Select your Directory Service from the list view, click Properties and
then Advanced.
9. Check the This server requires a secure connection check box.
10. Verify that the Directory Service Port Number is 3269.
11. If you send the queries directly to an LDAP server you need to specify a
Search Base. In the Search Base text box, type "NULL", without the
quotes.
12. Click Apply, click OK and Close the Internet Account dialog box.

Step 4: Testing the connection

1. Click Addresses on the Outlook toolbar, then, in the Address Book window,
click Find People on the toolbar.
2. In the Find People dialog box, select the directory service that you
just added. In the Name text box, type the user name whose e-mail address
you want to look up and click Find.
3. An SSL tunnel is first established between the Outlook Express client
and the ISA server; only then are the queries sent.
4. Click Close to exit all windows.
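The two test steps above (Step 5 for the secure LDAP server and Step 4 for the secure Global Catalog server) describe the client opening an SSL tunnel and only then sending its bind and search. As an added example that is not part of the original article, the Python below builds those two LDAP messages by hand with the standard library and can send the bind through the tunnel to the published port (636 or 3269) to confirm the rule works end to end; the host, domain, user and search base names are constructed samples, and ldaps_bind is an illustrative helper, not Outlook Express's own code.

```python
import socket
import ssl


def ber(tag, payload):
    """Encode one BER TLV; short or two-byte long-form length (payload < 64 KiB)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def ber_int(value, tag=0x02):
    """Non-negative INTEGER, or ENUMERATED when called with tag=0x0A."""
    return ber(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def bind_request(msg_id, user, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] }: LDAPv3 simple bind
    as the domainname\\username typed on the Internet Directory Server Logon page."""
    body = ber_int(3) + ber(0x04, user.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(msg_id) + ber(0x60, body))


def search_request(msg_id, base, name):
    """SearchRequest [APPLICATION 3]: wholeSubtree under base, filter (cn=name),
    return only mail.  base="" is the NULL search base the GC configuration uses."""
    filt = ber(0xA3, ber(0x04, b"cn") + ber(0x04, name.encode()))   # equalityMatch
    body = (ber(0x04, base.encode()) + ber_int(2, 0x0A) + ber_int(0, 0x0A)  # scope, derefAliases
            + ber_int(0) + ber_int(0) + ber(0x01, b"\x00")         # sizeLimit, timeLimit, typesOnly
            + filt + ber(0x30, ber(0x04, b"mail")))                   # filter, attribute list
    return ber(0x30, ber_int(msg_id) + ber(0x63, body))


def result_code(reply):
    """resultCode of a BindResponse [APPLICATION 1]: 0 success, 49 invalidCredentials."""
    def skip(pos):  # index just past the length field that starts at pos
        return pos + 1 + (reply[pos] & 0x7F if reply[pos] & 0x80 else 0)
    pos = skip(1)                    # past the outer SEQUENCE header
    pos += 2 + reply[pos + 1]        # past the INTEGER messageID
    return reply[skip(pos + 1) + 2]  # past 0x61 header, then 0x0A 0x01 <code>


def ldaps_bind(host, port, user, password, cafile=None):
    """Open the SSL tunnel to the published server first (port 636 for LDAP over
    SSL, 3269 for the GC over SSL), then bind and return the LDAP resultCode."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: CA that issued the DC certificate
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, user, password))
        return result_code(tls.recv(4096))
```

A resultCode of 49 from ldaps_bind against the ISA external address shows the tunnel and the publishing rule work and only the credentials are wrong; a TLS handshake failure instead points at the certificate or the rule.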

Summary

LDAP Directory Service Port Number is 389
LDAP over SSL Directory Service Port Number is 636
GC Directory Service Port Number is 3268
GC over SSL Directory Service Port Number is 3269

Latest articles by Johan Loos

• Publishing FTP server on ISA