etoken Integration Guide etoken and ISA Server 2006

March 2007

Contact Information

Support

If you have any questions regarding this package, its documentation and content, or how to obtain a valid software license, you may contact your local reseller or Aladdin's technical support team:

Country / Region, Telephone:
- USA
- EUROPE: Austria, Belgium, France, Germany, Italy, Netherlands, Spain, Switzerland, UK
- Ireland
- Rest of the World

If you want to write to the etoken Technical Support department, please go to the following web page: Website

COPYRIGHTS AND TRADEMARKS

The etoken system and its documentation are copyrighted 1985 to present, by Aladdin Knowledge Systems Ltd. All rights reserved. etoken is a trademark and ALADDIN KNOWLEDGE SYSTEMS LTD is a registered trademark of Aladdin Knowledge Systems Ltd. All other trademarks, brands, and product names used in this guide are trademarks of their respective owners.

This manual and the information contained herein are confidential and proprietary to Aladdin Knowledge Systems Ltd. (hereinafter "Aladdin"). All intellectual property rights (including, without limitation, copyrights, trade secrets, trademarks, etc.) evidenced by or embodied in and/or attached/connected/related to this manual, information contained herein and the Product, are and shall be owned solely by Aladdin. Aladdin does not convey to you an interest in or to this manual, information contained herein and the Product, but only a limited right of use. Any unauthorized use, disclosure or reproduction is a violation of the licenses and/or Aladdin's proprietary rights and will be prosecuted to the full extent of the Law.

DISCLAIMER

NEITHER ALADDIN NOR ANY OF ITS WORLDWIDE SUBSIDIARIES AND DISTRIBUTORS SHALL BE OBLIGATED IN ANY MANNER IN RESPECT OF BODILY INJURY AND/OR PROPERTY DAMAGE ARISING FROM THIS PRODUCT OR THE USE THEREOF. EXCEPT AS STATED IN THE ETOKEN END USER LICENSE AGREEMENT, THERE ARE NO OTHER WARRANTIES, EXPRESSED OR IMPLIED, REGARDING ALADDIN'S PRODUCTS, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The product must be used and maintained in strict compliance with instructions and safety precautions contained herein, in all supplements hereto and according to all terms of its End User License Agreement. This product must not be modified or changed without the written permission of the copyright holder. All attempts have been made to make the information in this document complete and accurate. Aladdin is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications in this document are subject to change without notice.

Important Notice to Users

Distribution of this document to any outside or third parties is strictly forbidden without the express written consent of Aladdin. The Integration Guides contain instructions regarding both Aladdin products and those of third parties. Any instructions regarding third-party products or applications are accurate at the time of writing but must be seen as only recommendations by Aladdin. Users of this document should refer specifically to the vendor's formal instructions and recommendations. The content of this document is accurate at the time of writing, but future product enhancements may be made that affect the specific information in this document. Aladdin may not announce such changes and users should be aware that this may occur.

Revision History

Rev. Date Author Description
1 1/10/06 AM 22/10/06

Table of Contents

Chapter: Introduction
  Administrator Prerequisites
  Benefits of using etoken Solutions
  Additional etoken Solutions
Chapter: etoken and ISA: PKI Solution
  VPN Configuration
    Server 2003 Configuration
    ISA Server Configuration
    Run the Solution
  WEB - Establish SSL Connection (OWA)
    Server 2003 Configuration
    ISA Server Configuration
    Run the Solution
Chapter: etoken and ISA, OTP Solutions
  Establish VPN Connection (with Microsoft Client)
    Server 2003 Configuration
    ISA Server Configuration
    Run the Solution
  WEB - Establish SSL Connection (OWA)
    Server 2003 Configuration
    ISA Server Configuration
    Run the Solution
Chapter: Troubleshooting Tips
  ISA Server
  Server Event Viewer
  Client

Chapter 1 Introduction

Microsoft Internet Security and Acceleration (ISA) Server 2006 solves the problems of securing, managing, and accelerating branch office connections to the main office. ISA Server 2006 is an integrated firewall, Web proxy, remote access Virtual Private Network (VPN) server, and site-to-site VPN gateway. Each of the ISA Server 2006 technologies can be applied individually or together to provide an excellent combination of security, reliability, and accessibility for branch office employees to access main office information resources.

ISA Server 2006 secures your network, allowing you to implement your business security policy by configuring a broad set of rules that specify which sites, protocols, and content can be passed through the ISA Server 2006 computer. ISA Server 2006 monitors requests and responses between the Internet and internal client computers, controlling who can access which computers on the corporate network. ISA Server 2006 also controls which computers on the Internet can be accessed by internal clients.

This guide describes how to authenticate users to the ISA Server 2006 using an OTP solution or certificates stored on an etoken. The user workstations may have PKI Client installed or may be clientless (based on SSL). This guide describes the installation and the configuration of the ISA Server 2006 and the client for integration with etoken solutions, including PKI authentication and OTP.

The integration described in this guide was performed using the following operating systems and components:
- Microsoft ISA Server 2006
- Microsoft 2003 server with Active Directory (AD)
- Microsoft Enterprise CA
- Exchange 2003
- Microsoft IIS Server 6.0
- Microsoft IAS Server (RADIUS)
- Token Management System (TMS)
- Windows XP Professional with SP-2 installed

About This Chapter

This chapter provides a brief explanation of Microsoft ISA Server and etoken PKI and OTP authentication solutions. It contains the minimum requirements to implement these solutions.

ISA Server 2006 is the VPN endpoint for our solution. Though Windows Server natively includes a VPN server as part of the Routing and Remote Access Services, enterprise customers need the additional security, manageability, and rules provided by the ISA Server 2006 VPN service. ISA Server 2006 is an application-layer firewall (ALF) that provides stateful packet inspection at Layer 7, as well as secure VPN services based on PPTP or L2TP. The ISA Server VPN services may be load balanced across multiple machines and, importantly, may run on servers that are not domain members. Deploying ISA Server on workgroup member servers in the DMZ is an important part of a defense-in-depth strategy, as no services run with domain credentials on the VPN servers.

PKI Solution

Authenticates users on ISA Server using PKI (certificate) stored on the etoken.

This solution demonstrates how to enhance user security, using etoken solutions incorporated with Microsoft ISA Server. The user authenticates himself against the ISA Server using his certificate on the etoken.

OTP Solution

Authenticate users against ISA Server using OTP (One Time Password) authentication.

This solution demonstrates how etoken with OTP authentication gives you the versatility to securely log on to your network from any workstation. The OTP value is generated by clicking the button on the etoken NG-OTP. No client software or USB connections are necessary. In the following integrations, OTP with ISA Server 2006, Microsoft IIS, IAS, TMS and OTP are used.

Administrator Prerequisites

To integrate and implement the etoken's authentication module, the administrator should be familiar with the following:
- Microsoft technology: ISA Server, Active Directory (AD), Microsoft CA, Microsoft Radius Server (IAS), Microsoft IIS and Exchange
- Aladdin etoken solutions, including etoken PKI Client
- Aladdin Token Management System (TMS), if applicable
- Aladdin etoken OTP Authentication Solution

Benefits of using etoken Solutions

etoken solutions with Microsoft provide simple, yet powerful, security for corporate information assets. The benefits include:
- Enhanced productivity: secure access is easily enabled.
- Easy back-end configuration.
- Full compatibility with the entire etoken suite of solutions. This includes secure network access, VPN and Web access, and password management.

For more information, contact etoken Customer Support at

Additional etoken Solutions

Aladdin's etoken offers several authentication solutions.

Central Management of etokens using TMS

The Aladdin etoken Management System (TMS) is a robust management system that enables the deployment, provisioning and maintenance of all etoken devices within an organization. It supports a comprehensive range of security applications: Network logon, VPN, web access, OTP authentication, secure , data encryption, and many others. TMS is built on Microsoft Active Directory and integrates with Active Directory's user management tools. This ensures rapid installation and simple implementation.

A connector is a software component that enables TMS to support a specific system or application during etoken's life span. One such connector, the Microsoft Certification Authority (CA) Connector, enables the user to generate certificates using Microsoft Certification Authority services. These certificates are put on the etoken during enrolment. They are then used for smart card authentication to other applications. For example, it can be used for the Concentrator and ACS authentication. Using TMS enables easy deployment of CA root certificates and user Smart Card certificates.

For more information on certificates and certification authorities, refer to Microsoft documentation. For information about etoken products and solutions, visit our website:

Chapter 2 etoken and ISA: PKI Solution

This chapter describes how to use Aladdin's etoken security key for PKI solutions. The chapter is intended for those responsible for data security and integrity in an organization. It assumes an existing understanding of the Windows 2003 environment and Microsoft ISA Server.

The following chapter describes how to authenticate users against ISA Server, using a user certificate stored on the etoken. This description provides instructions on how to install and configure the ISA Server and Microsoft programs and integrate them with etoken solutions, including PKI authentication.

The PKI Solution includes:
- VPN: makes a VPN connection with the Microsoft client and the certificate on the etoken in order to authenticate the user against Microsoft ISA Server and establish a secure connection to the corporate network.
- WEB: makes an SSL connection with Microsoft ISA Server and the certificate on the etoken to authenticate the user against the ISA Server and establish a secure connection.

Note: It is assumed that the ISA Server is installed and configured with the basic configuration. Information within this chapter should be considered as a recommendation. For additional information about the basic installation and configuration, please refer to Microsoft documentation concerning ISA Server 2006 configuration.

Link to Microsoft ISA Server installation instructions: lt.mspx?mfr=true

About This Chapter

This chapter describes how to install and configure ISA Server and Microsoft components and integrate them with the etoken solutions, including PKI authentication. This chapter will cover the following topics:
- Server 2003 Configuration page 7
- ISA Server Configuration page 12
- Run the Solution page 25

VPN Configuration

The integration was performed on the following network configuration:

Server 2003 Configuration

For the following integration to work, it is assumed that the basic configuration of the 2003 server has been done and the following programs have been installed with the basic configuration.

Prerequisites:
- Install AD (Active Directory): For installation instructions of AD refer to Microsoft documentation.
- Microsoft Enterprise CA: For basic installation instructions of Microsoft Enterprise CA refer to Microsoft documentation.
- Install IAS: For basic installation instructions for IAS refer to Microsoft documentation.
- PKI Client: For installation instructions for PKI Client refer to Aladdin etoken RTE documentation.
- Configuring IAS: For instructions how to configure IAS refer to Configuring IAS page 8.

For more information regarding installing and configuring these programs, refer to Microsoft and Aladdin documentation.

Configuring IAS

In the following section, we configure the IAS to serve as the RADIUS server for the ISA Server. The IAS Server is registered/connected to the Active Directory (AD) database. This permits authentication of any AD user. When a user initiates a connection with the ISA Server, the ISA Server requests access permission from the IAS. The reply from the IAS permits or denies the connection.

To configure the IAS:
1 On the IAS Server machine, click Start and select Administrative Tools.
2 Click Internet Authentication Service.
3 Right-click Internet Authentication Service (Local) and select Register Server in Active Directory.
4 Click OK.
5 In the left pane of the Internet Authentication Service console, right-click RADIUS Clients.
6 Click New RADIUS Client. The New Radius Client screen is displayed.
7 In the Name and Address screen, enter a Friendly name. (In this example the friendly name will be ISA Server.)
8 Enter the IP address in the Client address (IP or DNS) text box. Click Next. The New Radius Client screen is displayed.
9 In the Additional Information screen, select the Client-Vendor.
10 Enter a password in the Shared secret text box and confirm the password in the Confirm shared secret text field.
11 Click Finish.

Note: The password in the RADIUS Server must be the same as the password in the ISA Server.

In the next step, you will be asked to delete the policy Connection to Microsoft Routing and Remote Access. This step is not mandatory. Before deleting it, check to see if this policy is used.

12 Select the Remote Access Policies folder, delete Connection to Microsoft Routing and Remote Access server, and double-click Connection to other access servers. The Connection to other access servers Properties screen is displayed.
13 Select Grant remote access permission and click Edit Profile. The Edit Dial-in Profile screen is displayed.

Note: If you are using the OTP solution, select Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and click OK. Now proceed with the rest of the OTP solution.

14 Select the Authentication tab and click EAP Methods.
15 Click Add.
16 Select Smart Card or other certificate and click OK. The Select EAP Providers screen is displayed.
17 Click OK twice. The IAS Server Main console is displayed.

ISA Server Configuration

Configure the ISA Server 2006 firewall's VPN Server components to:
- Use EAP and RADIUS Authentication
- Create suitable rules for VPN Access on the ISA Server 2006 firewall's rule base

This section will cover the following topics:
- Configuring ISA Server for EAP and RADIUS page 12
- Creating Access Rule page 22

Configuring ISA Server for EAP and RADIUS

The ISA configuration facilitates smartcard logon certificate authentication.

To enable and configure the ISA Server for VPN:
1 Open the Microsoft Internet Security and Acceleration Server 2006 management console and expand the server name.
2 Select Virtual Private Networks (VPN).
3 Click Configure Address Assignment Method. The Virtual Private Networks (VPN) Properties screen is displayed.
4 Click Add. The Server IP address Range Properties screen is displayed.
5 Select the server.
6 Enter the Start and End IP addresses.
7 Click OK. The Virtual Private Networks (VPN) Properties screen is displayed.
8 Select the Authentication tab.

Note: For the OTP solution, select Microsoft Encrypted Authentication version 2 (MS-CHAPv2) and clear Extensible authentication protocol (EAP) with smart card or other certificate. Proceed as follows.

9 Select Extensible authentication protocol (EAP) with smart card or other certificate. The following message is displayed.
10 Click OK.
11 Select the RADIUS tab.
12 Select Use RADIUS for authentication.
13 Select Use RADIUS for accounting (logging).
14 Click RADIUS Servers and click the ADD button. The Add Radius Server screen is displayed.

Note: Using RADIUS for accounting (logging) is not mandatory but it may be helpful for debugging and auditing.

15 Type the RADIUS IP address in the Server name field.
16 In the Shared Secret field click Change. The Shared Secret screen is displayed.
17 Choose a strong secret key for the IAS Server and enter it twice.
18 Click OK. The Virtual Private Networks (VPN) Properties screen is displayed.
19 Select the Access Network tab. The Access Network screen is displayed.
20 Select the External interface. In this scenario, this is the interface on which VPN client connections are allowed.
21 Click OK until you reach the Microsoft Internet Security and Acceleration Server 2006 management console.

Note: The RADIUS and the ISA Server secret should be the same for the authentication to work.

22 Click Enable VPN Client Access. The VPN Clients Properties screen is displayed.
23 Select Enable VPN client access and enter a realistic number of VPN clients that are permitted to connect.
24 Select the Protocols tab and select Enable PPTP protocol.
25 Click OK. A pop-up screen informs you that a restart is required.
26 Click OK. The Microsoft Internet Security and Acceleration Server 2006 management console screen is displayed.
27 In the left pane, select the Firewall Policy node.
28 In the right pane, select the Toolbox tab and expand Network Objects.
29 Right-click the Computers folder and select New Computer. The New Computer Rule Elements screen is displayed.
30 Type the RADIUS server name.
31 Type the IP address of the RADIUS server.
32 Click OK.

After adding the RADIUS computer to the Network Objects, we need to configure the RADIUS access on the System Policy rules.

To configure the RADIUS access on the System Policy rules:
1 Open the IAS Server console.
2 Right-click Firewall Policy and select Edit System Policy. The System Policy Editor screen is displayed.
3 In the Authentication Services folder select RADIUS.
4 Select Enable this configuration group and click the To tab. The System Policy Editor screen is displayed.
5 Remove the Internal object.
6 Add the internal IAS computer object (for security reasons).
7 Click OK and Apply.
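Both notes above require the shared secret on the IAS (RADIUS) server and on the ISA Server to be identical. The following added example, which is not part of the original guide, shows in Python how RADIUS uses that secret: the Message-Authenticator (RFC 3579, required with EAP) on the request and the Response Authenticator (RFC 2865) on the reply. The secrets, user name and function names are constructed for illustration, and the reply is simplified to carry no attributes.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(secret: bytes, identifier: int, user: str) -> bytes:
    """Access-Request as the RADIUS client (the ISA Server role) sends it."""
    request_auth = os.urandom(16)  # random Request Authenticator
    attrs = attr(ATTR_USER_NAME, user.encode()) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    # HMAC-MD5 over the whole packet, computed while the attribute value is zero
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute here


def find_attr(packet: bytes, attr_type: int) -> int:
    """Return the offset of the value of the first matching attribute, or -1."""
    pos = 20
    while pos + 2 <= len(packet):
        length = packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return -1  # malformed attribute list
        if packet[pos] == attr_type:
            return pos + 2
        pos += length
    return -1


def server_accepts_request(secret: bytes, packet: bytes) -> bool:
    """Check done by the RADIUS server (the IAS role) before processing."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    off = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if off < 0 or packet[off - 1] != 18:
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], expected)


def build_accept(secret: bytes, request: bytes) -> bytes:
    """Access-Accept whose Response Authenticator binds it to the request."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    response_auth = hashlib.md5(head + request[4:20] + secret).digest()
    return head + response_auth


def client_accepts_reply(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Check done by the RADIUS client on every reply it receives."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def exchange(client_secret: bytes, server_secret: bytes) -> str:
    """Run one request/reply round trip and report where it stops."""
    request = build_request(client_secret, 7, "constructed-user")
    if not server_accepts_request(server_secret, request):
        return "request silently discarded by RADIUS server"
    reply = build_accept(server_secret, request)
    if not client_accepts_reply(client_secret, request, reply):
        return "reply silently discarded by RADIUS client"
    return "Access-Accept verified"


if __name__ == "__main__":
    # Constructed secrets, for illustration only
    print("matching secrets:  ", exchange(b"Constructed-Secret-1", b"Constructed-Secret-1"))
    print("mismatched secrets:", exchange(b"Constructed-Secret-1", b"Constructed-Secret-2"))
```

Because a packet that fails either check is dropped without an answer, a secret mismatch looks like a timeout from the ISA Server side rather than an explicit rejection.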

Creating Access Rule

After completing the previous steps, you need to create an access rule for the VPN Client access. In the access rule, we provide the users with the ability to establish the VPN connection to the internal network.

To create an access rule:
1 Right-click Firewall Policy.
2 Select New and click Access Rule. The New Access Rule Wizard is displayed.
3 Click Next. The Rule Action screen is displayed.
4 Select Allow and click Next. The Protocols screen is displayed.
5 Click Add and select a specific protocol for VPN Access. (In this example All outbound traffic was selected.)
6 Click Next. The Access Rule Sources screen is displayed.

Note: For greater security, choose PPTP protocol (instead of All outbound traffic).

7 Select VPN Clients and click Add.
8 Click Next. The Access Rule Destination screen is displayed.
9 Select the destination server or network in the VPN Access rule.
10 Click Next. The User Sets screen is displayed.
11 Select All Users.
12 Click Next, Finish and Apply.

Note: If you are running the configuration described in Chapter 3, etoken and ISA, OTP Solutions, go to Run the Solution on page 67, in Establish VPN Connection (with Microsoft Client).

Run the Solution

This section describes how the client authenticates with ISA Server through the Microsoft VPN client in order to access the private network protected by the ISA Server. To run the solution the following topics must be configured:
- Download Smartcard Logon Certificate page 25
- Downloading the Root CA Certificate page 28
- Configuring Microsoft VPN Client page 31
- Establish VPN Connection page 32

Download Smartcard Logon Certificate

In the following section, we download a smartcard logon certificate to the etoken. The PKI Client must be installed prior to this, to enable the downloading of the certificate to the etoken.

To enrol a smartcard logon certificate:
1 Connect to the CA web server. The password window is displayed.
2 Enter the User name and Password and click OK.
3 Click Request a certificate and Advanced certificate request.
4 Click Create and submit a request to this CA. The Advanced Certificate Request screen is displayed.
5 In the Certificate Template list select Smartcard Logon certificate.
6 In the CSP list select etoken Base Cryptographic Provider.
7 In Key Size enter
8 Select Automatic key selector name.
9 Clear all other check boxes.
10 Select CMC.
11 In the Hash Algorithm list select SHA-1.
12 Click Submit. The etoken Base Cryptographic Provider window is displayed.

Enrolment Tip: If the user cannot select the certificate template, correct permissions may not be applied to this user. If the user cannot choose the etoken from the CSP drop-down list, confirm that the PKI Client is installed on the user computer.

13 Enter the etoken password and click OK. The Microsoft Certificate Service domain 30CA is displayed.
14 Click Install this certificate. A success message is displayed indicating the certificate has been installed successfully on the etoken.

Downloading the Root CA Certificate

The CA root certificate needs to be installed on every machine the user will authenticate from. In the following section we install the root CA certificate on the etoken. The CA root certificate is then automatically installed when the etoken is inserted. For more information concerning root CA certificate deployment, refer to Microsoft formal documentation.

The screen below is displayed when the user inserts his etoken into the USB interface and the root CA certificate is not installed on the machine.

To import the CA certificate to the etoken:
1 Click Start, Programs and select etoken.
2 Click etoken Properties. The etoken Properties screen is displayed.
3 Click Advanced. The etoken Password window is displayed.
4 Enter the etoken Password and click OK. The etoken Properties screen is displayed.
5 Select the Certificate & keys tab and click Import CA Chain. The import was successful window is displayed.
6 Click OK. The CA certificate that was installed on the etoken is displayed.
7 On the VPN machine, insert the etoken into the USB interface, and install the root CA certificate.

Note: The user certificate and the CA certificate now reside on the etoken. The user can install the root CA certificate on any computer where he would like to establish the VPN connection.

Configuring Microsoft VPN Client

This section describes how to configure the Microsoft VPN client connection with the New Connection Wizard to establish a secure connection with the smartcard logon certificate. (The user certificate and the CA certificate have already been installed to the etoken.)

To configure a VPN connection with smartcard logon certificate:
1 From the Start Menu click Start, Settings and Network Connection.
2 Click New Connection Wizard. The connection wizard opens.
3 Click Next.
4 Select Connect to the network at my workplace and click Next.
5 Select Virtual private network connection and click Next.
6 Enter the connection company name and click Next.
7 Select Do not dial the initial connection and click Next.
8 Enter the IP address of the server you want to connect to and click Next. The Smart Cards screen is displayed.
9 Select Use my smartcard and click Next.
10 You can add a shortcut to your desktop by selecting Add a shortcut to this connection to my desktop.
11 Click Finish.

Establish VPN Connection

In the following section, we initiate a secure connection with the Microsoft VPN client. This will enable a secure connection to the corporate network via the smartcard logon certificate we downloaded to the etoken in the previous section.

To establish a VPN connection with smartcard logon certificate:
1 Insert the etoken with the smartcard user certificate into the USB interface and click Connect. The etoken Smartcard pin screen is displayed.
2 Type the etoken password and click OK. A network connection appears in the right corner of the taskbar to indicate that the VPN connection has been successfully established.

Note: For the VPN connection to succeed the VPN user must have dial-in permission. To configure the dial-in permission, open the user properties in AD Users and Computers and, in the Dial-in tab, select Allow access.

WEB - Establish SSL Connection (OWA)

Two-factor authentication provides improved security because it requires the user to meet two authentication criteria, an etoken password and a certificate, known as "something you have, something you know".

In the following section, we configure the ISA Server firewall to securely publish Exchange 2003 Outlook Web Access and SSL bridging using a client certificate to provide a higher level of security in web mail access.

This section will cover the following topics:
- Server 2003 Configuration page 35
- ISA Server Configuration page 46
- Run the Solution page 59

The authentication process for PKI authentication is demonstrated in the following diagram. Note that this is a simplified description of the process, describing the primary steps. For more information regarding the methods to implement SSL connection, refer to Microsoft documentation.

In the following integration, we configure the Exchange server (OWA) as the web site; however, the configuration can be made on any other site we choose.

The integration was performed on the following network configuration, as described below:

Server 2003 Configuration

For the integration to succeed the 2003 server must be preconfigured and all the following programs must be installed.

Prerequisites:
- Install AD (Active Directory): For installation instructions for AD refer to Microsoft documentation.
- Microsoft Enterprise CA: For basic installation instructions for Microsoft Enterprise CA refer to Microsoft documentation.
- Install IAS: For basic installation instructions for IAS refer to Microsoft documentation.
- Install IIS (Internet Information Services): For basic installation instructions for IIS refer to Microsoft documentation.
- Exchange 2003 Server: For installation instructions for Exchange 2003 server refer to Microsoft documentation.
- PKI Client: For installation instructions for PKI Client refer to Aladdin etoken RTE documentation.

- Configuring IAS page 8: For instructions on how to configure IAS, refer to Configuring IAS page 8 from step 1 through step 11.

For more information regarding installing and configuring these programs, refer to Microsoft and Aladdin documentation.

The 2003 server configuration includes the following:
- Delegate Control to ISA Server Machine page 36
- IIS Configuration page 41

Delegate Control to ISA Server Machine

In the following section, we configure the AD to delegate control to the ISA Server machine in order to permit and authenticate the OWA web site on behalf of the user. For more information regarding delegation control, refer to Microsoft documentation.

Note: In order to delegate control to the ISA Server you must check that your domain function level is Native Mode (Windows Server 2003) and that the ISA Server machine has been added to the domain. For more information regarding raising the function level of the domain (from mixed mode to native mode), refer to Microsoft documentation.

To delegate control to the ISA Server:
1 In the Server 2003 DC click Start.
2 Select Administrative Tools, and click Active Directory Users and Computers.
3 Open the Computers container and select the ISA Server computer.

Note: If you cannot select the ISA Server from the computers container, the ISA Server has not been added to the domain. The ISA Server must be added as a member of the domain computers.

4 Right-click the ISA Server machine, click Properties, and select the Delegation tab. The Moon Properties screen is displayed.
5 Select Trust this computer for delegation to specified services only.
6 Select Use any authentication protocol.
7 Click Add. The Add Users screen is displayed.
8 Click Users or Computers.
9 Select Advanced, and click Find Now. The Select Users or Computers screen is displayed.
10 Select the domain controller and click OK. The Select Users or Computers screen is displayed.
11 Click OK. The Add Services screen is displayed.
12 Select http, and click OK. The Moon Properties screen is displayed.
13 Click OK and close the Active Directory Users and Computers screen.

Note: You can run gpupdate /force to make the changes in the entire domain.

IIS Configuration

In our case, remote clients will actually connect to the ISA Server firewall and not to the IIS (OWA web site). The ISA Server firewall will act as a client of the OWA web site. The Exchange server's OWA web site can be configured to require SSL/https or regular http communication and the administrator may choose between the two options depending on the network needs.

This section will cover the following topics:
- Installing a Web Server Certificate page 41
- Configuring the OWA Web Site page 43

Installing a Web Server Certificate

In order to enable secure authentication with SSL, a certificate for a web server needs to be installed. The web site certificate is installed on the IIS. At a later stage we will export and install the same certificate on the ISA Server so that OWA users can connect to the ISA Server with an SSL connection.

To download a certificate to the IIS:
1 Click Start, Programs, Administrative Tools and Internet Information Services (IIS) Manager.
2 In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), and then expand Default Web Sites.
3 In the console tree, right-click Default Web Site, and click Properties.
4 In the Default Web Site Properties dialog box, select Directory Security.
5 On the Directory Security tab, click Server Certificate. The Welcome to the Web Server Certificate Wizard is displayed.
6 Click Next.

7 In the Server Certificate screen select Create a new certificate and click Next.
8 In the Delayed or Immediate Request screen, select Send the request immediately to an online certification authority.
9 Click Next. The Name and Security Settings screen is displayed.
10 In the Name box, type: yourservername.domainname.com (or .net, .org, .mil, etc.). Use your own registered domain name, the one you want people to use when browsing to your site.
11 Click Next. The Organization Information screen is displayed.

Note: Ensure that either the Name or the Common Name fields (one or both) match exactly the external FQDN of the website. For example, if your server's NetBIOS name is SERVER1, and is located in the MYINTERNALDOM.LOCAL domain, and it hosts a website that requires users to enter to reach it, you must use as the Name or Common Name in the certificate request wizard. DO NOT use SERVER1.MYINTERNALDOM.LOCAL.

12 In the Organization field, type your own company name.
13 In the Organizational Unit field, type a descriptive name and click Next.

14 In the Your Sites Common Name screen, in the Common name field, type yourservername.domainname.com and click Next.
15 In the Geographical Information screen, in the State/province field type the required information and click Next.
16 In the SSL Port screen, in the SSL Port this web site should use list, select 443 and click Next.
17 In the Choose a Certification Authority screen, in the Certification Authorities list, select Online CA, and click Next. The Certificate Request Submission page is displayed.
18 Click Next to submit the request.
19 Click Finish to complete the wizard.

Configuring the OWA Web Site

In the following section, the OWA virtual directory is configured for secure communication. The following steps can be performed on any virtual directory as well.

To configure the OWA:
1 In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), expand Web Sites, and expand Default Web Site.

2 In the console tree, right-click the EXCHANGE virtual directory, and click Properties.
3 In the Default Web Site Properties dialog box, select the Directory Security tab.
4 In the Secure communications area, click Edit. The Secure Communication screen is displayed.

Note: If the EDIT button in the Directory Security screen is unavailable, then you did not successfully install a certificate for the Default Web Site. Go back to the Installing a Web Server Certificate section and follow the instructions.

5 Select Require secure channel (SSL) and Require 128-bit encryption.
6 In the Client certificates section select Accept client certificates.
7 Click OK. The Exchange Properties screen is displayed.

8 In the Authentication and access control section, click Edit. The Authentication Methods screen is displayed.

9 Clear Enable anonymous access.
10 In the Authentication access section select Integrated Windows authentication.
11 Click OK all the way out.
12 Close Internet Information Services (IIS) Manager. You might want to restart the World Wide Web Publishing service just in case, although generally this is not required.

Note: To test that your new settings connect, open a browser and type your server's FQDN + /EXCHANGE in the address bar (for example: ). If you are on the LAN, use the NetBIOS name.

ISA Server Configuration

The following section deals with the ISA Server configuration needed to make the SSL connection work.

This section will cover the following topics:
- Export and Install the IIS Certificate on the ISA Server
- Publishing OWA and Web Listener Configuration

Export and Install the IIS Certificate on the ISA Server

The ISA Server firewall will require the web site certificate with its private key to make the client-to-ISA Server SSL connections. Export a copy of the web site certificate (IIS) and install the certificate on the ISA Server machine for later use.

To export a copy of the web site certificate:
1 On the IIS machine click Start, Programs, Administrative Tools and Internet Information Services (IIS) Manager.
2 In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), and expand Web Sites.
3 In the Default Web Site Properties list, select Directory Security.
4 In the Directory Security tab, click View Certificate.

5 In the certificate window, select the Details tab.
6 Click Copy to file.
7 In the wizard, click Next, and select Yes, export the private key.
8 Select Enable strong protection, and set a password.
9 Select to save the certificate to a file named c:\owawebcert.pfx
10 Close the wizard and copy the PFX file to the ISA Server firewall hard drive.

Installing the Web Site Certificate

In the following section, you install the web site certificate (IIS) that you copied in the previous stage to the ISA Server firewall.

To install the web site certificate:
1 On the ISA Server firewall, click Start, Run, type mmc and click OK.
2 In the new console, either press CTRL+M, or select Add/Remove Snap-in from the File menu.
3 In the Standalone tab, click Add, and select Certificates.
4 Select Computer Account, and click Next.
5 Select Local Computer and click Finish.
6 Click Close and click OK.
7 In the console, expand Certificates (Local computer), and navigate to the Personal container.
8 Right-click Personal and select All Tasks, then Import.

9 Browse to locate the owasitecert.pfx file you copied from the IIS earlier, provide the password, and place the imported certificate in the personal certificate store.

Note: To choose the PFX file and install it in the personal certificate store, you must change the Files of type to PFX, otherwise the file will not be seen.

10 Refresh the personal store and locate the imported web site certificate under Personal, Certificates. The certificate will be named based on the Common Name you selected for the published web site.

Publishing OWA and Web Listener Configuration

In the following example, the ISA Server firewall is configured with two network adapters. The first adapter connects to the LAN and the second adapter to the Internet as shown in the following figure.

When you create a Web publishing rule, you specify a Web listener to be used when applying the rule.

The Web listener properties determine:
- Which Internet Protocol (IP) addresses and ports on the specified networks will listen for Web requests
- Which authentication method is to be used, when authentication is required
- Number of connections that are allowed

The Web listener is used to:
- Indicate the IP address and port to which a client makes a connection.
- Enable Microsoft Internet Security and Acceleration (ISA) Server 2004 to pre-authenticate the connection.

Web listeners can be used by more than one Web publishing rule. For more information regarding web listeners, refer to Microsoft ISA Server documentation.

To publish the OWA web site:
1 Open the ISA Server management console, and navigate to the Firewall Policy in the left pane.
2 In the right pane, expand the Task Pane.
3 Click Publish Exchange Web Client Access.
4 Select the Tasks tab, and type the name of the rule.
5 Click Next. The New Exchange Public Rule Wizard screen is displayed.

6 From the Exchange version list, select Exchange Server
7 Select Outlook Web Access and click Next. The Publishing Type screen is displayed.
8 Select Publish a single Web site or load balancer and click Next. The Server Connection Security screen is displayed.

Note: In the following integration you configure the IIS server to require an SSL connection from authenticated users. In this case you need to configure the ISA Server to authenticate with SSL against the IIS server.

9 Select Use SSL to connect to the publish Web server or server farm and click Next. The Internal Publishing Details screen is displayed.

10 Type the name of the published OWA web site and click Next. The Public Name Details screen is displayed.
11 From the Accept requests for list, select This domain name (type below) and enter the FQDN.
12 Click Next. The Select Web Listener screen is displayed.

13 Click New to create a new listener. The Welcome to the New Web Listener Wizard screen is displayed.
14 Type the name of the listener and click Next. The Client Connection Security screen is displayed.

15 Select Require SSL secured connections with clients and click Next. The Web Listener IP Addresses screen is displayed.
16 Select External.
17 Select ISA Server will compress content sent to clients through this Web Listener and click Next. The Listener SSL Certificates screen is displayed.

18 Select Use a single certificate for this Web Listener and click Select Certificate. The Select a Certificate screen is displayed.
19 Select the certificate you installed in the previous section and click Select. The Listeners SSL Certificate screen is displayed with the selected certificate.
20 Click Next. The Authentication Setting screen is displayed.

21 Select SSL Client Certificate Authentication and select Windows (Active Directory). The Single Sign On Settings screen is displayed.
22 Click Next. The Completing the New Web Listener Wizard screen is displayed.

23 Click Finish. The ISA Server pop-up screen is displayed.
24 Click Yes (to allow CRL download). The Select Web Listener screen is displayed.

25 Click Next. The Authentication Delegation screen is displayed.
26 Select Kerberos constrained delegation from the list.
27 Type the SPN.
28 Click Next. The User Sets screen is displayed.

29 Click Next. The Completing the New Exchange Publish Rule Wizard screen is displayed.
30 Click Finish.

Note: If you encounter a message that indicates the need to configure the AD to allow the ISA Server to delegate authentication, click OK.

Run the Solution

In the following section, we run the solution and establish the SSL connection to the OWA web site.

Prerequisites:
- PKI Client is installed on the machine. For more information regarding installing the PKI Client refer to Aladdin PKI Client 3.65 admin guide.

- Smartcard logon certificate has been installed on the user etoken. For more information regarding downloading a client certificate to the etoken refer to Download Smartcard Logon Certificate page 25.
- The root CA certificate is installed on the machine. For more information regarding downloading and installing the root CA certificate refer to Downloading the Root CA Certificate page 28.

To connect the OWA web site:
1 Insert the etoken into the USB interface and browse with HTTPS protocol to the published OWA web site. For example: The Client Authentication screen is displayed.
2 Click View Certificate and select the Details tab. The Certificate screen is displayed.

3 Click OK. The etoken Base Cryptographic Provider screen is displayed.
4 Type the etoken password and click OK. The web browser is displayed.

Logon to the OWA web site has been successful.
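
The delegation settings made earlier in this chapter (Trust this computer for delegation to specified services only, Use any authentication protocol, service type http) can be verified afterwards from the computer account's directory attributes. The following Python audit is an added example, not part of the Aladdin guide; it assumes the userAccountControl and msDS-AllowedToDelegateTo values have been exported from Active Directory, and all account names and SPNs in it are constructed.

```python
"""Audit Kerberos delegation on computer accounts from exported AD attributes.

Added example. All account names and SPNs below are constructed samples.
"""

# userAccountControl bits, as documented for Active Directory.
WORKSTATION_TRUST_ACCOUNT = 0x00001000
TRUSTED_FOR_DELEGATION = 0x00080000          # delegation to any service
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol"


def delegation_mode(record):
    """Classify an account by how it is allowed to delegate."""
    uac = int(record.get("userAccountControl", 0))
    targets = record.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-any-protocol"
    if targets:
        return "constrained-kerberos-only"
    return "none"


def audit(record, expected_targets):
    """Return findings for an account that should delegate only to
    expected_targets, with protocol transition enabled."""
    findings = []
    mode = delegation_mode(record)
    # SPN comparison is case-insensitive.
    actual = {spn.lower() for spn in record.get("msDS-AllowedToDelegateTo", [])}
    expected = {spn.lower() for spn in expected_targets}

    if mode == "unconstrained":
        findings.append("unconstrained delegation is enabled")
    elif mode == "constrained-kerberos-only":
        findings.append("protocol transition is off (Use Kerberos only)")
    elif mode == "none":
        findings.append("no constrained delegation is configured")

    for spn in sorted(actual - expected):
        findings.append("unexpected delegation target: " + spn)
    for spn in sorted(expected - actual):
        findings.append("missing delegation target: " + spn)
    return findings


def audit_all(records, expected_targets):
    """Map each account name to its list of findings."""
    return {r["sAMAccountName"]: audit(r, expected_targets) for r in records}


# Constructed sample: the http SPNs the firewall account should delegate to.
EXPECTED = ["http/dc01.corp.example", "http/DC01"]

# Constructed sample export, one record per computer account.
SAMPLE_RECORDS = [
    {   # configured as in the steps above
        "sAMAccountName": "ISA01$",
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": ["http/dc01.corp.example", "http/DC01"],
    },
    {   # trusted for delegation to any service
        "sAMAccountName": "ISA02$",
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": [],
    },
    {   # constrained, but with a service beyond http
        "sAMAccountName": "ISA03$",
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": ["http/dc01.corp.example", "http/DC01",
                                     "cifs/dc01.corp.example"],
    },
    {   # constrained, Kerberos only
        "sAMAccountName": "ISA04$",
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
        "msDS-AllowedToDelegateTo": ["http/dc01.corp.example", "http/DC01"],
    },
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_RECORDS, EXPECTED).items():
        print(name, "->", findings or "OK")
```

An empty findings list means the account delegates only to the expected http SPNs with protocol transition enabled, which is what the ISA listener needs when clients authenticate with a certificate rather than Kerberos.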

Chapter 3

etoken and ISA, OTP Solutions

This chapter demonstrates that with etoken One Time Password (OTP) authentication, users can securely log into your network from wherever they are, without the need for any installed client software or a USB connection. In the following integration, we use OTP with ISA Server, Microsoft IIS, TMS and OTP. The ISA must be configured to enable etoken users to perform authentication with OTP and gain access to the private network.

About This Chapter

This chapter explains Microsoft ISA Server and etoken OTP authentication. Users are authenticated by combining ISA and Microsoft RADIUS Server (IAS) with OTP authentication. The OTP appears on the etoken NG-OTP screen when a button is pressed.

The OTP Solution Includes:
- VPN: establish a VPN connection with the Microsoft client and etoken OTP in order to authenticate the user against Microsoft ISA Server and establish a secure connection to the corporate network.
- Web: establish an SSL connection with Microsoft ISA Server and etoken OTP to authenticate a domain user against the ISA Server and establish a secure connection.

This chapter will cover the following topics:
- Server 2003 Configuration
- ISA Server Configuration
- Run the Solution

Establish VPN Connection (with Microsoft Client)

This chapter provides a basic configuration description of the Microsoft ISA Server 2006 to enable OTP authentication with the Microsoft VPN client. The ISA Server has been installed and configured with the basic configuration. Information within this chapter should be considered as a recommendation. For additional information concerning basic installation and configuration, refer to Microsoft official documentation concerning ISA Server configuration. The following is a link to Microsoft ISA Server installation instructions: lt.mspx?mfr=true

The integration was performed on the following network configuration as described below:

Server 2003 Configuration

For the following integration to succeed, basic configuration of the 2003 server must have been done. All the following programs have been installed and basic configuration done.

Prerequisites:
- Install AD (Active Directory). For AD installation instructions, refer to Microsoft documentation.

- Install IAS. For basic IAS installation instructions, refer to Microsoft documentation.
- TMS (Token Management System). For basic TMS installation instructions, refer to the Aladdin TMS reference guide.
- OTP (One Time Password). For basic OTP installation instructions, refer to the Aladdin etoken OTP Integration guide.

Configuring IAS

For IAS configuration instructions, refer to Configuring IAS page 8 in from step 1 through step 14.

Configure the TMS for OTP Authentication

For TMS and OTP configuration instructions, refer to the Aladdin TMS reference guide.

ISA Server Configuration

In the following section, we configure the ISA Server 2006 firewall's VPN Server component to use EAP and RADIUS Authentication and create suitable rules for VPN Access on the ISA Server 2006 firewall's rule base.

Note: In the OTP authentication solutions, the ISA Server machine does not have to be part of the domain.

To enable and configure the ISA Server:
5 Open the Microsoft Internet Security and Acceleration Server 2006 management console and expand the server name.
6 Click the Virtual Private Networks (VPN) node. The Virtual Private Networks (VPN) screen is displayed.

7 Select the Address Assignment tab.
8 Click Add.
9 Select VPN address pool.
10 The Server IP Address Range Properties is displayed.
11 Select Server and fill in the IP address as above.
12 Click OK. The Virtual Private Networks (VPN) screen is displayed.
13 Select the Authentication tab.

14 Select Microsoft encrypted authentication version 2 (MS-CHAPv2).
15 Click OK.

Note: In order to proceed with the configuration, follow the instructions in Chapter 2 ISA Server Configuration step 10 page 14 until the end of the procedure and continue with Creating Access Rule on page 22 to the end of the section.

Run the Solution

Static passwords are traditionally more vulnerable to unauthorized intruders, given enough attempts and time. Constantly altering the password, as is done with a one-time password, enhances security.

This section will cover the following topics:
- Configure Microsoft VPN Connection for OTP
- Establishing VPN Connection with the OTP

Configure Microsoft VPN Connection for OTP

This section describes how to configure the Microsoft client connection with the New Connection Wizard to establish an OTP connection with the RRAS and IAS that have been configured in the previous sections.

To configure the new connection:
1 Click Start, Settings, Network Connections and New Connection Wizard.
2 Click Next.
3 Select Connect to the network at my workplace, and click Next.
4 Choose Virtual Private Network connection, and click Next.
5 Type a name for this connection and click Next.
6 Select Do not dial the initial connection and click Next.
7 In the Host Name or IP address field, type the name of the ISA Server you are connecting to and click Next.
8 Select Do not use my smart card and click Next.
9 Select My use only and click Next.

10 Select Add a shortcut to this connection to my desktop and click Finish.
11 Click Properties and click the Security tab.
12 Select Advanced (custom setting) and click Settings.
13 In the Data encryption section select Require encryption (disconnect if server declines) and MS-CHAP v2 and click OK.
14 Click Yes and OK.

You have completed configuration of the client VPN connection.

Establishing VPN Connection with the OTP

In the following section, we establish a VPN connection with the OTP that was generated by pressing the OTP button.

Note: The etoken NG OTP must be initialized with an OTP profile. For basic initialization instructions of OTP for a user, refer to etoken OTP Authentication Admin Guide.

To establish the connection:
1 Double-click the shortcut on the desktop of the configured client. The Connect Aladdin OTP screen is displayed.
2 Enter the User name and the OTP (and if required OTP PIN) and click Connect. The Connecting screens are displayed.

In the right corner of the taskbar you can see that the connection has been established.

Note: In order for the VPN connection to succeed, the VPN user must have dial-in permission. To verify permission, open the user properties in the AD Users and Computers and in the Dial-in tab select Allow access.

WEB - Establish SSL Connection (OWA)

Two-factor authentication provides improved security because it requires the user to meet two authentication criteria: an OTP PIN combination and an etoken OTP, known as "something you have, something you know". In the following section, we configure the ISA Server firewall to securely publish Exchange 2003 Outlook Web Access and SSL bridging using OTP to enhance security in web mail access. The authentication process for OTP is demonstrated in the following screenshot. Note that this is a simplified description of the process, describing the main steps. For more information regarding the methods to implement an SSL connection, refer to Microsoft documentation.

Note: In the following integration, we configure the Exchange server (OWA) as the web site. The configuration can be made on any other site we choose.

The integration was performed on the following network configuration as described below:

This section will cover the following topics:
- Server 2003 Configuration
- ISA Server Configuration
- Run the Solution

Server 2003 Configuration

For the following integration to work, the assumption is that the basic configuration of the 2003 server has been done, and the following programs have been installed and configured.

Prerequisites:
- Install AD (Active Directory). For AD installation instructions, refer to Microsoft documentation.
- Microsoft Enterprise CA. For basic Microsoft Enterprise CA installation instructions, refer to Microsoft documentation.
- IAS (Internet Authentication Service). For basic IAS installation instructions, refer to Microsoft documentation.
- IIS (Internet Information Services). For basic IIS installation instructions, refer to Microsoft documentation.
- Exchange 2003 server. For basic Exchange 2003 server installation instructions, refer to Microsoft documentation.
- TMS (Token Management System). For basic TMS installation instructions, refer to the Aladdin TMS reference guide.
- OTP (One Time Password). For basic OTP installation instructions, refer to the Aladdin etoken OTP Integration guide.

Configuring IAS

For IAS configuration instructions, refer to Configuring IAS page 8 in from step 1 until 14 and proceed with the following step.

Configure the TMS for OTP Authentication

For TMS and OTP configuration instructions, refer to the Aladdin TMS reference guide. For more information regarding installation and configuration of these programs, refer to Microsoft and Aladdin documentation.

IIS Configuration

In our case, remote clients will connect to the ISA Server firewall and not to the IIS (OWA web site). The ISA Server firewall itself will act as a client to the OWA web site. The Exchange server OWA web site can be configured to require SSL/https or regular http communication, and the administrator may choose between the two options depending on the network security needs.

This section will cover the following topics:
- Installing a Web Server Certificate
- Configuring the OWA Web Site

Installing a Web Server Certificate

In order to enable secure authentication via SSL you need to install a certificate for a web server. Install the web site certificate on the IIS and, at a later stage, export and install the same certificate on the ISA Server so that the OWA users connect to the ISA Server with an SSL connection.

To download a certificate to the IIS, follow these steps:
1 Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
2 In the console tree, expand SERVERNAME (your local computer), and then expand Web Sites.
3 In the console tree, right-click Default Web Site, and click Properties.
4 Select the Directory Security tab and click Server Certificate. The Welcome to the Web Server Certificate Wizard screen is displayed.
5 Click Next.
6 Select Create a new certificate, and click Next. The Delayed or Immediate Request screen is displayed.

7 Select Send the request immediately to an online certification authority, and click Next. The Name and Security Settings screen is displayed.
8 In the Name field, type: yourservername.domainname.com (or .net, .org, .mil, etc. Use your own registered domain name, the one required when browsing the site) and then click Next. The Organization Information screen is displayed.

Note: Make sure that either the Name or the Common Name fields (one of them or both of them) exactly match the external FQDN of the website. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, but it hosts a website that requires users to enter to reach it, you must then use as the Name or Common Name in the certificate request wizard. DO NOT use SERVER1.MYINTERNALDOM.LOCAL

9 In the Organization field, type your company name.
10 In the Organizational Unit field, type a descriptive name, and click Next. The Your Sites Common Name screen is displayed.
11 In the Common name field type: yourservername.domainname.com and click Next. The Geographical Information screen is displayed.
12 In the State/province field, type the required information and click Next. The SSL Port screen is displayed.
13 In the SSL port this web site should use list, verify that 443 is specified, and then click Next. The Choose a Certification Authority screen is displayed.
14 In the Certification Authorities list, verify that your online CA is selected, and then click Next. The Certificate Request Submission screen is displayed.

15 Click Next to submit the request and click Finish to complete the wizard.

Configuring the OWA Web Site

In the following section, we configure the OWA virtual directory for secure communication. The following steps can be performed on any virtual directory as well.

To configure OWA:
1 Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
2 In the console tree, expand SERVERNAME (your local computer), expand Web Sites, expand Default Web Site.
3 In the console tree, right-click the EXCHANGE virtual directory, and select Properties.
4 In the Default Web Site Properties dialog box, select the Directory Security tab.
5 In the Secure communications section click Edit. The Secure Communication screen is displayed.

Note: If EDIT is unavailable, a certificate for the Default Web Site is not installed. Go back to the Installing a Web Server Certificate section and reinstall the certificate.

6 Select Require secure channel (SSL) and Require 128-bit encryption. In the Client certificates section select Accept client certificates and click OK. The Exchange Properties screen is displayed.
7 In the Authentication and access control section, click Edit. The Authentication Methods screen is displayed.

8 Clear Enable anonymous access.
9 Select the Integrated Windows authentication.
10 Click OK all the way out, and close the Internet Information Services (IIS) Manager.

Note: You might need to restart the World Wide Web Publishing service, although generally this is not required. To test your new settings, open a browser and type your server's FQDN (or NetBIOS name, if on the LAN) + /EXCHANGE in the address bar (for example:

ISA Server Configuration

The following section deals with the ISA Server configuration needed for the SSL connection to work.

This section will cover the following topics:
- Export and Install the IIS Certificate on the ISA Server
- Install Root CA Certificate
- Publishing OWA and Web Listener Configuration

Export and Install the IIS Certificate on the ISA Server

The ISA Server firewall will require the web site certificate with its private key to make client-to-ISA Server SSL connections. You should export a copy of the web site certificate (IIS) and install the certificate on the ISA Server machine for later use.

To export a copy of a web site certificate:
1 On the IIS machine click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
2 In the console tree, expand SERVERNAME (your local computer), expand Web Sites.
3 In the Default Web Site Properties dialog box, select the Directory Security tab.
4 In the Directory Security tab, click View Certificate.
5 In the certificate window, select the Details tab, and click Copy to file.
6 In the wizard, click Next, select Yes, export the private key, select Enable strong protection, and set a password.
7 Save the certificate to a file named c:\owawebcert.pfx
8 Close the wizard and copy the file to the ISA Server firewall's hard drive.

Installing the Web Site Certificate

In the following section, we install the web site certificate (IIS) we copied in the previous section to the ISA Server firewall.

To install the web site certificate:
1 On the ISA Server firewall, click Start, Run, type mmc and click OK.
2 In the new console, either press CTRL+M, or select Add/Remove Snap-in from the File menu.
3 Select the Standalone tab, click Add, and select Certificates.
4 Select Computer Account, and click Next.
5 Select Local Computer and click Finish.
6 Click Close and OK.
7 In the console, expand Certificates (Local computer), and navigate to the Personal container.

8 Right-click Personal and select All Tasks, and click Import. The Open screen is displayed.
9 Browse to locate the owasitecert.pfx file you copied from the Exchange server earlier. Provide the password, and place the imported certificate in the personal certificate store.

Note: To select the PFX file and install it in the personal certificate store, you must change the Files of type to PFX, otherwise the file will not be seen.

10 Refresh the personal store and locate the imported web site certificate under Personal, Certificates as shown in the screen below. The certificate name will be based on the Common Name you selected for the published web site.
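
The Note in the certificate request steps requires the Name or Common Name to match the external FQDN exactly, and the certificate imported here is the one clients will see on the Web listener. The following Python check is an added example, not part of the Aladdin guide: it applies RFC 6125 style name matching to a certificate given as a dict in the layout returned by ssl.SSLSocket.getpeercert(). The public name owa.example.com is constructed; SERVER1.MYINTERNALDOM.LOCAL is the guide's own example name.

```python
"""Check that a server certificate covers the public FQDN clients will type.

Added example. Certificates are plain dicts in the layout returned by
ssl.SSLSocket.getpeercert(); owa.example.com is a constructed public name.
"""


def dns_sans(cert):
    """dNSName entries from subjectAltName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """commonName values from the subject RDN sequence."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def reference_names(cert):
    """Names a client compares against: SAN dNSName entries if any exist,
    otherwise the subject CN as a fallback (RFC 6125 precedence)."""
    sans = dns_sans(cert)
    return sans if sans else common_names(cert)


def name_matches(pattern, hostname):
    """Case-insensitive label comparison; '*' may replace only the whole
    left-most label and never spans a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice in this example: no wildcard directly under a TLD.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_certificate(cert, public_fqdn):
    """Return a list of problems; an empty list means the name is covered."""
    names = reference_names(cert)
    if any(name_matches(n, public_fqdn) for n in names):
        return []
    problems = ["certificate does not cover %s (names checked: %s)"
                % (public_fqdn, ", ".join(names) or "none")]
    # Common mistake: the CN is right, but SAN entries exist and take precedence.
    if dns_sans(cert) and any(name_matches(n, public_fqdn) for n in common_names(cert)):
        problems.append("CN matches but is ignored because dNSName SAN entries exist")
    return problems


# Constructed sample certificates.
GOOD = {"subject": ((("commonName", "owa.example.com"),),)}
INTERNAL = {"subject": ((("commonName", "SERVER1.MYINTERNALDOM.LOCAL"),),)}
SHADOWED = {
    "subject": ((("commonName", "owa.example.com"),),),
    "subjectAltName": (("DNS", "server1.myinternaldom.local"),),
}
WILDCARD = {"subject": ((("commonName", "*.example.com"),),)}

if __name__ == "__main__":
    for label, cert in [("good", GOOD), ("internal", INTERNAL),
                        ("shadowed", SHADOWED), ("wildcard", WILDCARD)]:
        print(label, "->", check_certificate(cert, "owa.example.com") or "OK")
```

The SHADOWED case shows why checking the Common Name alone is not enough: once the certificate carries dNSName entries, clients following RFC 6125 compare against those and ignore the CN.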

Install Root CA Certificate

In the following section, we install the Root CA certificate on the ISA Server machine. There are several options that enable installation of the root CA certificate on a machine (TMS, CA web site, MMC, and etoken). In the following section we use the MMC to install the Root CA.

To install the root CA certificate:
1 On the ISA Server firewall, click Start, Run, type mmc and click OK.
2 In the New Console, either press CTRL+M, or select Add/Remove Snap-in from the File menu.
3 Select the Standalone tab, click Add, and select Certificates.
4 Select Computer Account, and click Next.
5 Select Local Computer and click Finish.
6 Click Close and OK.
7 In the console, expand Certificates (Local computer), and navigate to Trusted root Certificate Authorities, Certificates.
8 Locate the root certificate. It should have the same name as your CA. The root CA has been installed.

Note: If the CA Root Certificate is not found it must be imported. Follow the steps in the next section.

To import the CA root certificate:
1 On the CA server open the browser and type: c:\windows\system32\certsrv\certenroll

2 Copy the .crt file to the ISA Server firewall, as shown in the figure above.
3 On the ISA Server firewall, right-click the copied certificate, and select Install Certificate.
4 Click Next, and select Place all certificates in the following store.
5 Click Browse, select Show physical stores. The Select Certificate Store screen is displayed.
6 Expand the Trusted Root Certificate Authorities, and select Local Computer.
7 Click OK, Next and Finish.
8 You will be prompted with a security warning. Click Yes, and OK to confirm the certificate installation.

9 To confirm the certificate installation, refresh the Trusted root Certificate Authorities certificate list and verify the certificate can be located as seen above.

Note: After installing the root CA certificate, you might encounter a problem that you are unable to find the certificate in the MMC. Close and re-open the MMC. The root CA certificate should now be visible.

Publishing OWA and Web Listener Configuration

In the following example, the ISA Server firewall is configured with two network adapters. The first adapter connects to the LAN and the second adapter to the Internet as shown in the following figure.

When creating a Web publishing rule, specify a Web listener to be used when applying the rule.

The Web listener properties determine:
- Which Internet Protocol (IP) addresses and ports on the specified networks will listen for Web requests
- Which authentication method will be used, when authentication is required
- Number of connections that are allowed

The Web listener is used to:
- Indicate the IP address and port to which a client makes a connection.
- Enable Microsoft Internet Security and Acceleration (ISA) Server 2006 to pre-authenticate the connection.

Web listeners can be used by more than one Web publishing rule. For more information regarding web listeners, refer to Microsoft ISA Server documentation:

To publish the OWA website:
1 Open the ISA Server management console, and navigate to the Firewall Policy in the left pane.
2 In the right pane, expand the Task Pane. Click Publish Exchange Web Client Access.
3 Select the Tasks tab, type the name of the rule and click Next. The New Exchange Publishing Rule Wizard screen is displayed.

4 Select Exchange Server 2003 from the Exchange version list.
5 Select Outlook Web Access and click Next. The Publishing Type screen is displayed.
6 Select Publish a single Web site or load balancer and click Next. The Server Connection Security screen is displayed.

7 Select Use SSL to connect to the published Web server or server farm and click Next. The Internal Publishing Details screen is displayed.
8 In the Internal site name field, type the name of the published OWA web site and click Next. The Public Name Details screen is displayed.

9 Select This domain name (type below) from the list, type the FQDN in the Public Name field and click Next. The Select Web Listener screen is displayed.
10 Click New to create a new listener. The New Web Listener Definition Wizard screen is displayed.

11 In the Web Listener name field, type the name of the listener and click Next. The Client Connection Security screen is displayed.
12 Select Require SSL secured connections with clients and click Next. The Web Listener IP Addresses screen is displayed.

13 Select External.
14 Select ISA Server will compress content sent to clients through this Web Listener and click Next. The Listener SSL Certificates screen is displayed.
15 Select Use a single certificate for this Web Listener and click Select Certificate. The Select certificate from the list of available certificates screen is displayed.

16 Select the certificate that was installed in the previous section and click Select. The Listeners SSL Certificate screen is displayed.
17 The certificate appears in the Select Certificate field. Click Next. The Authentication Setting screen is displayed.

18 Select HTML Form Authentication from the list.
19 Select RADIUS OTP. The Single Sign On Settings screen is displayed.
20 Clear Enable SSO for Web sites published and click Next. The Completing the New Web Listener Wizard screen is displayed.

21 Click Finish. The Select Web Listener screen is displayed.
22 Click Next. The Authentication Delegation screen is displayed.

23 Select No delegation, but client may authenticate directly from the list and click Next. The User Sets screen is displayed.
24 Click Next. The Completing the New Exchange Publish Rule Wizard screen is displayed.

25 In the Completing the New Exchange Publish Rule Wizard screen, click Finish.

Configuring the RADIUS server

The ISA Server firewall is configured to forward the user's authentication requests to the RADIUS server. In our solution this is the Microsoft IAS server. To facilitate this, the RADIUS server is added to the ISA Server.

To configure the RADIUS server:

1 Open the Microsoft Internet Security and Acceleration Server 2006 management console and expand the server name. Click the Virtual Private Networks (VPN) node. The ISA Server console is displayed.

2 Click RADIUS Server. The Virtual Private Networks (VPN) Properties screen is displayed.
3 Select Use RADIUS for authentication and Use RADIUS for accounting (logging).
4 Click RADIUS Servers and click Add. The Add RADIUS Server screen is displayed.

Note: The use of RADIUS for accounting (logging) is not mandatory, but it may be helpful for debugging and auditing purposes.

5 In the Server name field, type the RADIUS server's IP address, then in the Shared Secret field click Change. The Shared Secret screen is displayed.

Note: The RADIUS and the ISA Server secret MUST be the same for the authentication to work.

6 Type a strong secret key that is suitable as the secret key on the IAS server. Click OK twice.
7 Select the Authentication tab on the Virtual Private Networks (VPN) Properties screen.

8 Select Microsoft encrypted authentication version 2 (MS-CHAPv2) and click OK. The ISA Server console is displayed.
9 From the right pane select the Toolbox tab.
10 Click the Firewall Policy node to expand Network Objects.
11 Right-click on the Computers folder and select New Computer. New Computer Elements is displayed.

12 In the Name field, type the RADIUS server name.
13 In the Computer IP Address field, type the IP of the RADIUS server.
14 Click OK.

After adding the RADIUS computer to the Network Objects, we need to configure the RADIUS access on the System Policy rules.

1 On the left pane in the IAS console select System Policy.
2 Right-click the Firewall Policy node and select Edit System Policy. The System Policy Editor screen is displayed.
3 In the Authentication Services folder click RADIUS, and select Enable this configuration group.
4 Select the To tab. The To tab on the System Policy Editor is displayed.

5 Remove the Internal object and add the internal IAS computer object (for security reasons). Click OK and Apply.

Run the Solution

Traditionally, static passwords are more vulnerable to access by unauthorized intruders, given enough attempts and time. By constantly altering the password, as is done with a one-time password, we enhance security. In the following section, we establish a connection with the OTP.

Note: The etoken NG OTP must be initialized with an OTP profile. For basic initialization instructions of OTP for a user, refer to the etoken OTP Authentication Admin Guide.

To establish the connection:

1 Browse with the HTTPS protocol to the published OWA web site. The Office Outlook Web Access screen is displayed.
2 Type the User name and the etoken OTP.
3 Click Log On. The Connect to: screen is displayed.
4 Type the User name and the user's network password.
5 Click OK. The Browser is displayed.

Note: The following user name and password are the real user logon name and network password. The user name and the password are sent encrypted (SSL) and can't be seen by any unauthorized user.

The browser screen shows that you have successfully logged onto the OWA web site with the etoken OTP.
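The note in "Configuring the RADIUS server" states that the ISA Server and RADIUS secrets must be the same. The Python sketch below is an added example, not part of this guide or of any ISA/IAS code; it follows the RFC 2865 packet rules to show where a mismatched secret breaks the exchange. The secrets, user name, OTP value, the stand-in OTP check, and the assumption that the OTP travels in a PAP-style User-Password attribute are all constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types


def encode_attr(attr_type, value):
    """Type-Length-Value attribute; Length covers the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Split the attribute area of a packet into {type: value}."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR 16-octet blocks with MD5(secret + previous)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def recover_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, user, otp, secret):
    """Client side (ISA Server in this guide): returns (packet, authenticator)."""
    request_auth = os.urandom(16)
    attrs = encode_attr(USER_NAME, user)
    attrs += encode_attr(USER_PASSWORD, hide_password(otp, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def verify_response(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator with the local secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def simulate(isa_secret, ias_secret, user=b"alice", otp=b"492817"):
    """One request/response round trip with independently configured secrets."""
    packet, request_auth = build_access_request(7, user, otp, isa_secret)
    # RADIUS server: un-hide the password with ITS secret, then decide.
    attrs = parse_attrs(packet[20:])
    recovered = recover_password(attrs[USER_PASSWORD], ias_secret, packet[4:20])
    otp_ok = recovered == otp  # stand-in for the real OTP validation
    code = ACCESS_ACCEPT if otp_ok else ACCESS_REJECT
    reply = build_response(code, packet[1], packet[4:20], ias_secret)
    # Client: a reply whose authenticator does not verify is discarded.
    return {"otp_recovered": otp_ok,
            "response_accepted": verify_response(reply, request_auth, isa_secret)}


if __name__ == "__main__":
    print("matching  :", simulate(b"constructed-secret", b"constructed-secret"))
    print("mismatched:", simulate(b"constructed-secret", b"constructed-secert"))
```

With mismatched secrets the server recovers garbage instead of the OTP, and the client cannot verify the reply either, so a correct OTP still fails to log on.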

Chapter 4 Troubleshooting Tips

ISA Server

Microsoft Internet Security and Acceleration (ISA) Server 2006 provides a range of monitoring tools to help you track network status, create alerts to keep you up-to-date on firewall behavior, configure and view logs to track ISA Server activity, and create reports to customize and summarize log information. These features make it easier to ensure that your network is running as expected, to stay aware of attempted intrusions, to track network usage, and to begin troubleshooting where necessary.

In the following section, we demonstrate the way to monitor and log the connection attempts in real time. You can query the log files using the built-in log query facility.

To enable the live logon to the ISA Server:

1 Open the ISA Server management console, and navigate to the Monitoring node in the right pane.
2 Click the Tasks tab.
3 Click Start Query. Any connection attempt can be seen from here.

The following figure is an example of successful connections with OTP and OWA:

Server Event Viewer

In the following section we explain how to use the Event Viewer as a troubleshooting tool. The Event Viewer displays detailed information about system events. This information includes:

- The event type
- The date and time that the event occurred
- The source of the event, the category for the event
- The Event ID
- The user who was logged on when the event occurred
- The computer on which the event occurred

After successful authentication you can see that the user has been granted permission to access the network. The user has passed the ISA Server and the IIS, and now in the Event Viewer you can see the user is logged into the network.

Event viewer message: successful authentication with OTP:

Event viewer message: successful authentication with smartcard logon certificate:

Client HTTPS problems

If you try to access the OWA web site using a web browser, you may be prompted with an Alert, shown in the figure below.

The Alert contains three parts:

- A warning will appear if the CA that generated the certificate is not trusted. In the event that you generated the certificate from a privately installed CA, you will need to import the CA certificate to the computer's Trusted Root Certification Authorities store. This is NOT a required process on every client unless you find this message very annoying.
- A warning will appear if the certificate dates are invalid. This could happen if the date scope of the certificate does not match the date settings on the browsing computer, or if the certificate dates themselves are invalid.
- A warning will appear if attempting to contact a URL that is different from the certificate common name. In the above example, I used the server NetBIOS name instead of the FQDN, which caused the alert to appear.

In order for the ISA Server firewall to properly publish the secured web site, you must make sure that the SSL connection to the OWA web site will not fail any of the above tests. This will be covered later on. For more information regarding error messages, refer to Microsoft documentation.


More information

CA GovernanceMinder. CA IdentityMinder Integration Guide

CA GovernanceMinder. CA IdentityMinder Integration Guide CA GovernanceMinder CA IdentityMinder Integration Guide 12.6.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Fundamentals of Windows Server 2008 Network and Applications Infrastructure COURSE OVERVIEW This five-day instructor-led course introduces students to network and applications infrastructure concepts and configurations provided by Window Server 2008. Students will be able to acquire

More information

DigitalPersona Pro Enterprise

DigitalPersona Pro Enterprise DigitalPersona Pro Enterprise Quick Start Guide Version 5 DATA PROTECTION REMOTE ACCESS SECURE COMMUNICATION STRONG AUTHENTICATION ACCESS RECOVERY SINGLE SIGN-ON DigitalPersona Pro Enterprise DigitalPersona

More information

Secure Access Configuration Guide For Wireless Clients

Secure Access Configuration Guide For Wireless Clients ProCurve Networking Secure Access Configuration Guide For Wireless Clients Secure Access Configuration Guide For Wireless Clients Introduction... 2 Configuration Scenarios... 2 Required Network Services...

More information

Digipass Plug-In for SBR. SBR Plug-In SBR. Steel-Belted RADIUS. Installation G uide

Digipass Plug-In for SBR. SBR Plug-In SBR. Steel-Belted RADIUS. Installation G uide Digipass Plug-In for SBR SBR Plug-In SBR Steel-Belted RADIUS Installation G uide Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product

More information

Evaluation Guide Host Access Management and Security Server 12.4

Evaluation Guide Host Access Management and Security Server 12.4 Evaluation Guide Host Access Management and Security Server 12.4 Copyrights and Notices Copyright 2017 Attachmate Corporation, a Micro Focus company. All rights reserved. No part of the documentation materials

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep

More information

Module 3 Remote Desktop Gateway Estimated Time: 90 minutes

Module 3 Remote Desktop Gateway Estimated Time: 90 minutes Module 3 Remote Desktop Gateway Estimated Time: 90 minutes A. Datum Corporation provided access to web intranet web applications by implementing Web Application Proxy. Now, IT management also wants to

More information

TestsDumps. Latest Test Dumps for IT Exam Certification

TestsDumps.   Latest Test Dumps for IT Exam Certification TestsDumps http://www.testsdumps.com Latest Test Dumps for IT Exam Certification Exam : 70-350 Title : Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004 Vendors : Microsoft Version

More information

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until

More information

One Identity Defender 5.9. Product Overview

One Identity Defender 5.9. Product Overview One Identity 5.9 Product Overview Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

SafeNet Authentication Client

SafeNet Authentication Client SafeNet Authentication Client Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries who shall have and keep the

More information

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3 Deploying VMware Identity Manager in the DMZ SEPT 2018 VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free: EventTracker Enterprise Install Guide 8815 Centre Park Drive Publication Date: Aug 03, 2010 Columbia MD 21045 U.S. Toll Free: 877.333.1433 Abstract The purpose of this document is to help users install

More information

Symantec Mobile Management 7.1 Implementation Guide

Symantec Mobile Management 7.1 Implementation Guide Symantec Mobile Management 7.1 Implementation Guide Symantec Mobile Management 7.1 Implementation Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Advanced Security Measures for Clients and Servers

Advanced Security Measures for Clients and Servers Advanced Security Measures for Clients and Servers Wayne Harris MCSE Senior Consultant Certified Security Solutions Importance of Active Directory Security Active Directory creates a more secure network

More information

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite for Sage MAS 90 and 200 ERP Versions 4.30.0.18 and 4.40.0.1 and Sage MAS 90 and 200 Extended Enterprise Suite Versions 1.3 with Sage MAS 90 and 200 ERP 4.30.0.18 and 1.4 with Sage MAS 90 and 200 ERP 4.40.0.1

More information

NBC-IG Installation Guide. Version 7.2

NBC-IG Installation Guide. Version 7.2 Installation Guide Version 7.2 2017 Nuance Business Connect 7.2 Installation Guide Document Revision History Revision Date August 8, 2017 Revision List Updated supported SQL Server versions June 14, 2017

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Push OTP Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have

More information

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: November 10, 2011

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: November 10, 2011 S/MIME on Good for Enterprise MS Online Certificate Status Protocol Installation and Configuration Notes Updated: November 10, 2011 Installing the Online Responder service... 1 Preparing the environment...

More information

Symantec Managed PKI. Integration Guide for ActiveSync

Symantec Managed PKI. Integration Guide for ActiveSync Symantec Managed PKI Integration Guide for ActiveSync ii Symantec Managed PKI Symantec Managed PKI Integration Guide for ActiveSync The software described in this book is furnished under a license agreement

More information

ActivIdentity 4TRESS AAA Web Tokens and F5 BIG-IP Access Policy Manager. Integration Handbook

ActivIdentity 4TRESS AAA Web Tokens and F5 BIG-IP Access Policy Manager. Integration Handbook ActivIdentity 4TRESS AAA Web Tokens and F5 BIG-IP Access Policy Manager Integration Handbook Document Version 1.1 Released July 11, 2012 ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook

More information

Using Kerberos Authentication in a Reverse Proxy Environment

Using Kerberos Authentication in a Reverse Proxy Environment Using Kerberos Authentication in a Reverse Proxy Environment Legal Notice Copyright 2017 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat

More information

SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES

SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES TABLE OF CONTENTS SCENARIO... 2 IMPLEMENTATION STEPS... 2 PREREQUISITES... 3 1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION

More information

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810 Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Cloud Link Configuration Guide. March 2014

Cloud Link Configuration Guide. March 2014 Cloud Link Configuration Guide March 2014 Copyright 2014 SOTI Inc. All rights reserved. This documentation and the software described in this document are furnished under and are subject to the terms of

More information

Partner Information. Integration Overview Authentication Methods Supported

Partner Information. Integration Overview Authentication Methods Supported Partner Information Partner Name Product Name Integration Overview Authentication Methods Supported Client Integration F5 Networks FirePass VPN User Name - Security Code User Name - Password - Security

More information

SafeNet Authentication Manager

SafeNet Authentication Manager SafeNet Authentication Manager Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Integration Guide Using RADIUS Protocol for Application Request Routing (ARR) All information herein is either public information or is the property of and owned solely by

More information

VMware AirWatch Integration with SecureAuth PKI Guide

VMware AirWatch Integration with SecureAuth PKI Guide VMware AirWatch Integration with SecureAuth PKI Guide For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS)

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS) UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS) Installation Guide NEC NEC Corporation October 2010 NDA-30362, Revision 15 Liability Disclaimer NEC Corporation reserves the right

More information

SafeNet Authentication Manager

SafeNet Authentication Manager SafeNet Authentication Manager Integration Guide Using SafeNet Authentication Manager as an Identity Provider for F5 BIG- IP Access Policy Manager All information herein is either public information or

More information

VMware Horizon Client for Chrome Installation and Setup Guide. 15 JUNE 2018 VMware Horizon Client for Chrome 4.8

VMware Horizon Client for Chrome Installation and Setup Guide. 15 JUNE 2018 VMware Horizon Client for Chrome 4.8 VMware Horizon Client for Chrome Installation and Setup Guide 15 JUNE 2018 VMware Horizon Client for Chrome 4.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information