Solaris ISP Server is designed to run on a network; although you can install the entire product on a single machine, the result would not be functional in a working ISP environment. For best performance and security results, we recommend segregation of services by host machine, in a configuration appropriate for your planned use. The product presumes the existence of standard primary and secondary DNS (domain name service) servers, but requires no special configuration of them.
The directory services are integral to Solaris ISP Server. The product presumes a single installation of Sun Directory Services managing all subscriber, administrator, and service configuration data for the system. Sun Internet Administrator and some of the services do not work in the absence of a directory. When set up to interoperate with Sun Internet Mail Server, certain special configuration steps are required to keep the two directories (Solaris ISP Server's directory server and the one contained within the mail product) synchronized. The sections that follow describe such networks in general terms and describe the flow of basic operations.
In the simple example that follows, some services share host computers. This is not a requirement; segregate services by host machine if that is the best configuration for your system.
Host C can also be the RADIUS server, if desired. RADIUS is a part of Sun Directory Services and is configured for authentication against the directory.
When Solaris ISP Server is set up to interoperate with Sun Internet Mail Server, the mail server must be installed on a different computer from Sun Directory Services.
In this setup, the directory in the mail server is configured as a slave to the main Sun Directory Services. All user information management is performed on the main directory on Host C; user information is replicated to Host F.
Solaris ISP Server user information is stored in the directory, and user authentication is performed using LDAP. For example, if the RADIUS server packaged with Sun Directory Services is used, the server binds to the directory and searches the user entries for the user name and authsuffixname (a directory attribute defining the user's domain) provided by the user. Once the user's directory entry is found, the server compares the password provided with the one in the directory, validating the user. Once authenticated, the user communicates with the desired service using the appropriate protocol.
The ISP administrator typically accesses the administration server for Sun Internet Administrator. Once Sun Internet Administrator authenticates the administrator against the directory, it passes the login information to the services (single sign-on) as the administrator accesses them. Three-tier services invisibly authenticate the user against the directory again, blocking any attempt by an intruder impersonating Sun Internet Administrator. Three-tier services are described in "Three-Tier Service Architecture".
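The two flows above (the RADIUS server matching a user name plus authsuffixname in the directory and then checking the password, and a three-tier service re-authenticating a forwarded login instead of trusting the front end's claim) can be modelled in a few lines. The following is an added example, not code from Solaris ISP Server or Sun Directory Services: the directory is a constructed in-memory dictionary, the salted SHA-256 password storage and the `user@domain` login syntax are assumptions made for the example, and the `asserted_by` field stands in for whatever login information Sun Internet Administrator forwards.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption for this example: the directory stores salted SHA-256 digests.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_entry(uid: str, authsuffixname: str, password: str) -> dict:
    """Build a constructed directory entry with the two attributes the RADIUS
    search uses (uid and authsuffixname) plus a salted password hash."""
    salt = os.urandom(SALT_LEN)
    return {
        "uid": uid,
        "authsuffixname": authsuffixname,
        "userPassword": salt + _hash_password(password, salt),
    }


# Constructed sample directory keyed by DN. Note two 'alice' entries in
# different domains: authsuffixname is what keeps them apart.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=people,o=isp.example": make_entry("alice", "isp.example", "correct horse"),
    "uid=bob,ou=people,o=isp.example": make_entry("bob", "isp.example", "hunter2"),
    "uid=alice,ou=people,o=other.example": make_entry("alice", "other.example", "different"),
}

# Dummy entry used so that a lookup miss costs the same as a hash comparison.
_DUMMY_ENTRY = make_entry("", "", "")


def search_user(directory: dict, uid: str, authsuffixname: str) -> Optional[dict]:
    """Mimic the RADIUS server's directory search: both the user name and the
    authsuffixname (the user's domain) must match, and exactly one entry may."""
    matches = [e for e in directory.values()
               if e["uid"] == uid and e["authsuffixname"] == authsuffixname]
    return matches[0] if len(matches) == 1 else None


def check_password(entry: dict, password: str) -> bool:
    """Compare the supplied password against the stored hash in constant time."""
    stored = entry["userPassword"]
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_hash_password(password, salt), digest)


def authenticate(directory: dict, login: str, password: str) -> bool:
    """login is 'user@domain' (assumed syntax); the domain maps to authsuffixname."""
    if "@" not in login:
        return False
    uid, domain = login.rsplit("@", 1)
    entry = search_user(directory, uid, domain)
    if entry is None:
        # Do the same amount of work as a real comparison so that unknown
        # user names are not distinguishable from wrong passwords by timing.
        check_password(_DUMMY_ENTRY, password)
        return False
    return check_password(entry, password)


def trusting_service_accepts(forwarded: dict) -> bool:
    """What a service must NOT do: accept a login because the request claims to
    come from the administration front end. Anyone who can send such a claim
    gets in."""
    return forwarded.get("asserted_by") == "Sun Internet Administrator"


def three_tier_service_accepts(directory: dict, forwarded: dict) -> bool:
    """Three-tier behaviour: ignore who asserts the login and re-authenticate
    the forwarded credentials against the directory."""
    return authenticate(directory, forwarded.get("login", ""), forwarded.get("password", ""))


if __name__ == "__main__":
    forged = {"login": "admin@isp.example", "password": "guess",
              "asserted_by": "Sun Internet Administrator"}
    print("trusting service accepts forged login:", trusting_service_accepts(forged))
    print("three-tier service accepts forged login:",
          three_tier_service_accepts(SAMPLE_DIRECTORY, forged))
```

The `search_user` step is where the authsuffixname attribute earns its keep: without it, `alice@isp.example` and `alice@other.example` would collide on `uid` alone, and a single-attribute search could return the wrong entry or several.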