*** test (4ab0d485@gateway/web/freenode/ip.74.176.212.133) has joined #wikid | 16:04 |
test | hello | 16:05 |
*** test has quit (Ping timeout: 258 seconds) | 16:09 |
*** nowen has quit (Quit: Leaving.) | 18:08 |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 19:29 |
*** XaaS (ad498917@gateway/web/freenode/ip.173.73.137.23) has joined #wikid | 20:26 |
XaaS | @nowen - are you around? | 20:26 |
nowen | yes- but on the phone | 20:26 |
nowen | with Chris :) | 20:26 |
XaaS | Oh OK - I have some questions for you | 20:27 |
XaaS | You free to talk now? :) | 20:32 |
nowen | ha! yes | 20:34 |
XaaS | Hope it went well with Chris (not sure what you guys were talking about) | 20:34 |
XaaS | I am contacting you about pre-registering tokens | 20:34 |
XaaS | and what it takes to do both OS and Phone tokens | 20:34 |
nowen | yeah, the phone tokens don't support it now. At best we could try to do for Advanced server | 20:37 |
nowen | still not sure about how to modify the setup for software that is downloaded from the app store | 20:37 |
XaaS | If you had the ability to put the server code and the pre-reg code in at the same time??? | 20:38 |
nowen | hmm, yeah, my mind was affixed to dedicated server code | 20:39 |
XaaS | have a checkbox to enable pre-registration | 20:39 |
XaaS | and it undims a prereg field | 20:39 |
nowen | should work. We need to do all new tokens for Advanced anyway | 20:40 |
XaaS | or have a separate pre-reg wikid domain that only does pre-registration - you connect your token to the wikid domain and then it asks for the pre-reg code | 20:41 |
nowen | yeah, that might be better - one step to start - enter domain. | 20:42 |
XaaS | We can beta it for you | 20:42 |
nowen | awesome | 20:44 |
XaaS | We really could use the ability for WiKID to support multiple RADIUS clients with different secrets | 20:51 |
nowen | but the same IP address? | 20:52 |
nowen | because, it does support multiple RADIUS clients with different secrets and IP addresses | 20:52 |
XaaS | yes - multi-tenancy using a single NPS/IAS server to do the RADIUS pass-through authentication and accounting... | 20:52 |
XaaS | the point is to use 1 (or 2 for HA) NPS servers that can handle multiple WiKID domains | 20:53 |
nowen | can NPS handle radius attributes? | 20:54 |
XaaS | yes it can | 20:54 |
nowen | I wonder if you can do the same via radius attributes? | 20:55 |
XaaS | I didn't think the NPS server was the issue (unless we need to configure attributes I didn't know about) | 20:56 |
nowen | what are the users logging into? a vpn, private cloud, your hosted cloud? | 20:59 |
XaaS | either a VPN connection via MS Forefront TMG/UAG | 21:00 |
XaaS | something that supports RADIUS typically | 21:00 |
nowen | ok, where are they going? are they getting their own hosted cloud? | 21:01 |
XaaS | it depends on the rules - it typically puts them on the VLANs (networks) where their VMs are residing. | 21:03 |
nowen | ok - what assigns them to their vlan? | 21:03 |
XaaS | It's set up by either a policy which can be controlled by Active Directory or other rules in TMG | 21:04 |
nowen | can one of the rules be a radius return attribute? | 21:08 |
XaaS | hmm... not sure - they are more like they either allow or deny traffic to different networks/ip's depending on the permissions attached to the rules | 21:09 |
nowen | "The 3rd option is the really interesting one where the VLANs are dynamically assigned by the Policy Server based on the health state of the client. This assignment happens by having the Policy Server pass identifiers to the Network Access Device (via RADIUS attributes) telling it which VLAN to assign the client to." | 21:09 |
nowen | http://blogs.technet.com/b/nap/archive/2006/05/31/444128.aspx | 21:10 |
nowen | not quite what we want, but close | 21:10 |
XaaS | actually - TMG doesn't do VLANs directly - you need to use a NIC that provides multiple VLAN support and presents as virtual NICs | 21:13 |
nowen | what tells the NIC to provide the VLAN? | 21:15 |
XaaS | like in VMware the Intel E1000/Pro 1000 MT driver can be replaced with the Microsoft provided one and use the Intel drive and be configured to present a separate virtual NIC for each VLAN exposed. | 21:15 |
* nowen displays cloud ignorance | 21:15 |
*** XaaS has quit (Ping timeout: 258 seconds) | 21:19 |
*** XaaS (ad498917@gateway/web/freenode/ip.173.73.137.23) has joined #wikid | 21:40 |
XaaS | @nowen - sorry - internet issues | 21:40 |
nowen | np | 21:40 |
XaaS | Good article on VGT in VMware - http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004252 | 21:41 |
nowen | where does the dynamic part happen? | 21:44 |
XaaS | So this is how the VLANs get configured on the TMG with the Intel PRO/1000 E1000 drivers - http://img35.imageshack.us/img35/166/96796611.gif | 21:50 |
XaaS | As you add the VLANs into the NIC, new virtual NICs appear in your Device Manager | 21:51 |
nowen | ok - but how does the user get assigned to one? Is that still Forefront? | 21:51 |
XaaS | yes - that is in TMG | 21:53 |
XaaS | In the firewall policy screen - http://araihan.files.wordpress.com/2010/03/120.jpg | 21:53 |
XaaS | FYI - this is Microsoft position on supporting VLANs with ISA/TMG - http://blogs.technet.com/b/isablog/archive/2006/10/04/802.1q-and-isa-server.aspx | 21:54 |
XaaS | That is why we use the Intel E1000 drivers for VMware to support 802.1q VLAN support | 21:56 |
XaaS | TMG just sees each one of those virtual NICs as a separate perimeter leg (DMZ) or internal leg... | 21:57 |
XaaS | depending on how we configure it | 21:57 |
XaaS | Check this out on the Three Leg (Perimeter) Network (which is the configuration we use) - http://www.isaserver.org/tutorials/Deeper-Dive-TMG-Firewall-Network-Templates.html | 22:01 |
XaaS | But we have more than "3" legs | 22:01 |
nowen | so when a customer is added, you create a vlan for them manually? | 22:03 |
nowen | and then when they login, you route them to it? | 22:03 |
XaaS | sometimes - depending on how many VMs they use | 22:04 |
XaaS | we typically can do something in VMware called PVLANs (Private VLANs) on an existing VLAN | 22:05 |
XaaS | http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010691 | 22:05 |
XaaS | We can put the VM on a shared VLAN in Promiscuous, Isolated or Community mode and have it be logically isolated | 22:07 |
XaaS | All we need to do is put the routing information into the TMG | 22:07 |
XaaS | as well as how the VPN clients attach to that PVLAN | 22:08 |
XaaS | based upon their credentials | 22:08 |
nowen | so, the routing info is in the TMG and instructions on how to connect the vpn and it fulfills those orders based on their creds? | 22:12 |
nowen | are the creds in the TMG? or AD? | 22:18 |
XaaS | AD | 22:26 |
XaaS | yes about the routing info | 22:26 |
nowen | so, we're back to Forefront setting up the pvlan based on something - credentials, radius attributes, something | 22:37 |
nowen | XaaS: I have to head out. can we resume tomorrow? | 22:46 |
*** XaaS has quit (Ping timeout: 258 seconds) | 22:49 |
*** nowen has quit (Quit: Leaving.) | 22:50 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!