One of the biggest pieces of feedback I hear when pitching Server and Domain Isolation to customers (which…btw…is a great first step towards an eventual NAP deployment) is “how will this work with my non-Windows clients?”
I don’t like to think about interoperability as a binary thing, that is, Server and Domain Isolation either is or is not interoperable with non-Windows hosts. Instead, there’s really a range of options for enabling interoperability, from policy exemptions (e.g. don’t require IPsec for traffic to or from a specific host, such as a mainframe) all the way to making the host a “full Domain Isolation citizen” (as it is within the Windows sections of your network).
In between these are a few different deployment scenarios. These include “hardwiring” configs and settings into the IPsec components on the non-Windows host, such as racoon on certain flavors of Linux, and using manually deployed machine certificates for authentication. Another option uses ISA Server 2006 (or 2004) as an IPsec proxy or gateway to bridgehead communications between the trusted, isolated domain and the non-Windows hosts.
As the above graphic illustrates, this is a great way to extend Server and Domain Isolation functionality to hosts that do not or cannot run IPsec.
Pretty neat, eh?
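To make the “hardwired” option above concrete, here is an added example of what a racoon-based Linux host needs in order to act as a full Domain Isolation citizen: certificate authentication in IKE main mode, and an SPD that requires ESP transport mode to and from the isolation domain. This is illustrative configuration written for this post, not something from the whitepaper or from Microsoft; the file paths, certificate file names, the 192.0.2.0/24 isolation-domain subnet and the host address 192.0.2.10 are all constructed placeholders.

```conf
# /etc/racoon/racoon.conf (assumed path) -- IKE settings for a Linux host
# joining a Windows isolation domain with a manually deployed machine cert.
path certificate "/etc/racoon/certs";     # assumed directory for cert, key and CA

remote anonymous {
    exchange_mode main;                   # Windows IPsec policy uses main mode
    # Machine certificate and private key issued by the enterprise CA
    # (constructed file names; deploy these out of band).
    certificate_type x509 "host-cert.pem" "host-key.pem";
    ca_type x509 "enterprise-ca.pem";     # CA that issued the Windows machine certs
    verify_cert on;                       # reject peers whose cert does not chain to the CA
    # Windows identifies itself by the certificate subject DN; match that on both sides.
    my_identifier asn1dn;
    peers_identifier asn1dn;
    verify_identifier on;
    lifetime time 8 hour;
    proposal {
        # Default main-mode proposal of the Windows clients of that era;
        # prefer stronger algorithms where the Windows policy allows them.
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;     # certificate (RSA signature) authentication
        dh_group modp1024;                # Diffie-Hellman group 2
    }
}

# Quick-mode (IPsec SA) parameters; listed algorithms are offered in order.
sainfo anonymous {
    pfs_group modp1024;
    lifetime time 1 hour;
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# /etc/racoon/setkey.conf (assumed path) -- loaded with `setkey -f`.
# The SPD decides which traffic must be protected; racoon only negotiates SAs.
# 192.0.2.10 is this host, 192.0.2.0/24 the isolation domain (constructed addresses).
# "require" means packets are dropped until an SA exists, so exempt any host
# that is on the isolation exemption list before enabling this.
spdadd 192.0.2.10/32 192.0.2.0/24 any -P out ipsec esp/transport//require;
spdadd 192.0.2.0/24 192.0.2.10/32 any -P in  ipsec esp/transport//require;
```

Two points worth checking before rolling this out: the Windows policy must accept certificate authentication from this CA for the host to ever complete main mode, and the `require` policy must mirror the exemptions (DNS, DHCP, domain controllers, the mainframe-style hosts mentioned above) that the Windows side already carries, otherwise the Linux host isolates itself from exactly the infrastructure it needs to boot and resolve names.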
The good news here (beyond what I’ve already shared) is we’ve just published a new technical whitepaper to the Server and Domain Isolation TechNet site that covers this solution across three specific scenarios:
- An isolated client needs access to a non-IPsec-enabled server
- A non-IPsec client needs access to a server in an IPsec-enabled isolation domain
- Allowing full access to isolated domains for business-critical exceptions
Here’s the short description/abstract for the paper:
This white paper details how to use ISA Server as an IPsec gateway or proxy within a Server and Domain Isolation solution, from preparation to installation and configuration, and includes best practices to keep in mind during the process. It is written for enterprise technical decision makers, IT administrators, and architects who want to gain a better understanding of the processes and implementation of ISA Server as an IPsec gateway or proxy to extend Server and Domain Isolation interoperability to non-Windows devices and legacy systems.
For more details on this whitepaper, check out the following link to the download center: