I'm in a situation where a customer of mine would like 2-factor authentication (e.g. log in and receive e-mail with access URL) according to the following rules:

1. If the users is on the LAN, do not require 2-level authentication (AD credentials).
2. If the user isn't on the LAN, require 2-level authentication >> Log in with username/password (can be AD, can be something else, we have created our own SSO solution) and then receive e-mail to a specified mail-adr.

Our main problem is that it is difficult to figure out where the user come from. The reason for this is the ISA server in the front that basically strip away all information about the client.
Installer's Guide to Local Area Networks
Learn more
Buddy Shipley The information received on the ISS where the application is running returns the ISA server address in the CLIENT_IP information.

So – how can we determine where the user come from when all traffic goes through the same ISA server?

One solution has been to create a resource that is only reachable from the LAN and basically say that "If you cannot reach this resource you are de facto not on the LAN". However – this again might have an impact on time-outs – e.g. "try and find the resource but time out after 3 seconds". This might slow down the application AND we might have an issue as several employees are working from other parts of the world where the lines are bad when it comes to accessing the production servers (e.g.
Swamp Showdown [HD]
Learn more
people on the LAN accessing the servers over fixed line might experience not reaching the resource, even though they are actually on the LAN).

I've asked this question on stackoverflow as well, but the solution sort of stranded when we learned that the ISA server stripped all information.

(I guess this article summarize the source of my problem: http://www.redline-software.com/eng/support/articles/isaserver/security/x-forwarded-isa-track.php)

We concluded on creating a mechanism that will be issue an encrypted secret to the client when on the LAN. If this secret is unavailable from the client machine he is de facto outside the LAN. We see that it has some holes, but we will focus on a tough encryption and short lifetime to reduce the risks.

Check more discussion of this question.

1. Using SBS 2003 SP2 as LAN gateway leads to massive HTTP timeouts
2. Cisco ASA – terminal a single Lan-to-lan VPN session
3. Router LAN port IP is a public address, is this correct?
4. 802.
   
   

   These are our most popular posts: how to make local area network on windows xp

   Photo Snap 5

   For instance, thumbnail views, bulk power operations, bandwidth throttling, packet loss, and LAN segments were all .... Run Workstation 8 in compatibility mode for Windows XP SP3 - (right click on the desktop icon, click on ... read more

   How To Extend Your Wi-Fi Network With Simple Access Points ...

   If the users is on the LAN, do not require 2-level authentication (AD credentials). If the user isnt on the LAN, require 2-level authentication Log in with username/password (can be AD, can be something else, we have ... read more

   How to make Red Alert 2 Network (LAN) mode work (Xp,Vista,Win7)

   IP on windows 7 professional online upgrade that LAN. This should do what acdsee pro 3 download he wants and needs. If you dont stop there.Facebook, windows xp professional discount like most of the spyware removal ... read more

   What 2-level authentication mechanism is available that can ...

   I did have a reputable source for this information: It was the "Windows XP Annoyances" book by OReilly. ..... for a while as soon as LAN icon appears then speed of window come to normal, please advise me what to do, i will ... read more

   Related Posts