Installation and configuration guide

Transcription

1 Winfrasoft HAS Installation and Configuration Guide Installation and configuration guide Winfrasoft HAS for Microsoft Forefront UAG 2010 Published: October 2011 Applies to: Winfrasoft HAS (Build ) Web site: Winfrasoft Corporation. All rights reserved. This publication is for informational purposes only. Winfrasoft makes no warranties, express or implied, in this summary. Winfrasoft and Winfrasoft HAS are trademarks of Winfrasoft Corporation. All other trademarks are property of their respective owners.

2 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organisations, products, domain names, addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organisation, product, domain name, address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Winfrasoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written licence agreement from Winfrasoft, the furnishing of this document does not give you any licence to these patents, trademarks, copyrights, or other intellectual property. Microsoft, Active Directory, UAG 2010, Windows and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Copyright Winfrasoft Corporation. All rights reserved.

3 Table of Contents 3 Table of Contents TABLE OF CONTENTS... 3 INTRODUCTION... 4 CONSIDERATIONS... 4 Server System Requirements... 4 Language Requirements... 4 CONFIGURATION OVERVIEW... 4 LICENSING... 5 Running a trial... 5 Applying a new licence... 5 DESIGN AND DEPLOYMENT SCENARIOS... 6 SMARTCARD TECHNOLOGY... 6 BACKGROUND... 6 DEPLOYMENT... 7 OVERVIEW... 7 INSTALLING THE WINFRASOFT HAS SERVER... 8 INSTALLING THE WINFRASOFT HAS PLUG-IN FOR UAG INSTALLING THE WINFRASOFT HAS MANAGEMENT CONSOLE UNINSTALLING WINFRASOFT HAS HAS CONFIGURATION ON UAG CONFIGURE IIS MIME TYPES (INTERNET ONLY) ADD A HAS AUTHENTICATION REPOSITORY (INTERNET) ADD A HAS AUTHENTICATION REPOSITORY (N3) CONFIGURE A UAG TRUNK TO USE HAS (INTERNET) CONFIGURE A UAG TRUNK TO USE HAS (N3) CONFIGURE USER AUTO PROVISIONING WITHOUT SELF SERVICE PASSWORD RESET CONFIGURE USER AUTO PROVISIONING WITH SELF SERVICE PASSWORD RESET Active Directory Configuration UAG 2010 Configuration CONFIGURE THE TMG FIREWALL (N3 ONLY) CERTIFICATE CONFIGURATION CERTIFICATE TRUST LIST CONFIGURATION WINFRASOFT HAS MANAGEMENT ADVANCED CONFIGURATION HAS REGISTRY KEYS HAS Server / Appliance keys UAG Server / Appliance keys... 64

4 4 Winfrasoft HAS Introduction Winfrasoft HAS is a two-factor authentication and provisioning application that integrates with Microsoft Forefront UAG 2010 to:- Considerations Provide smart card two-factor authentication for NHS CRS cards. Provision smart card users into Microsoft Active Directory without AD schema extensions and without an AD integrated PKI. Integrated Self Service Password Reset capabilities to help reduce helpdesk costs since users can securely prove who they are with their smart card. Integrate with the NHS Identify Agent and Spine. Server System Requirements The minimum system requirements for Winfrasoft HAS are: Winfrasoft UAG Appliance or a server running Forefront UAG 2010 o HAS supports UAG RTM, Update 1, Update 2, SP 1 & SP 1 Update 1. Winfrasoft HAS Appliance or Windows Server 2003 (SP2) or 2008 running IIS 32bit / 64bit PC with Active Directory Users and Computers MMC Microsoft Active Directory Language Requirements Server The Winfrasoft HAS MMC Add-in is compatible with multi-lingual versions of Windows Server 2003 / 2008, however is only available in English. Product support and documentation is only available in English. Configuration Overview Prior to installation, ensure you have the following: Fully configured Winfrasoft Gateway Appliance running Forefront Unified Access Gateway 2010, including networking and portal configuration information. A Winfrasoft HAS Appliance or an available server running Windows Server 2003 (SP2) or Windows Server 2008 to install the HAS Web Services onto. A valid Winfrasoft HAS Licence file with sufficient licences for the deployment requirements. The installation includes 10 free licences. Smart cards and their appropriate middle-ware smartcard reader software (e.g. GemAuthenticate Client). This can be remotely installed via the login page. Optional - NHS Identity Agent if accessing from N3. A client test workstation on either the Internet, or N3 with a functioning NHS Identity Agent installed.

5 Introduction 5 Licensing Winfrasoft HAS is licensed on a combination of a per server basis and client access licences. A licence file must be installed onto each Microsoft UAG 2010 appliance otherwise the application will not function. Note For detailed information on the licence types please refer to the licence agreement document embedded within the installation package. Running a trial Winfrasoft HAS is available for trial. Fully functional time-limited trial licences can be requested from Winfrasoft. All installations of the Winfrasoft HAS server software include a non-expiring 10 user licence. Applying a new licence Once you receive a new licence from Winfrasoft, install the Winfrasoft HAS licence file onto the server running the HAS Web Services by copying the new licence file into the Winfrasoft HAS installation directory and rename it to licence.lic. Once the licence has been installed, restart the IIS web server by running IISRESET for the new licence to take effect.

6 6 Winfrasoft HAS Design and Deployment Scenarios Winfrasoft HAS is designed to operate with Microsoft Forefront UAG 2010 update 1. The Winfrasoft HAS Management utility utilises Microsoft Management Console technology which can be run remotely and installed on any 32bit or 64bit machine where Active Directory Users and Computers is installed. Winfrasoft HAS is a true Enterprise-class solution designed for highly availability multimaster Active Directory integrated deployments. In high-availability deployments and scenarios with numerous users, provisioned user information can be stored across multiple domains in an Active Directory Forest with no schema extensions required. There are two main deployment scenarios for Winfrasoft HAS: (1) Access from the Internet: This scenario makes use of public and private key (protected by the PIN) to verify the card and user. The UID in the smart card is linked with an AD user account. (2) Access from N3 using the Identity Agent: This scenario makes use of the NHS Identity Agent and validates sessions against Spine. The UID from Spine is linked with an AD user account. When is a user is provisioned to use HAS they are able to make use of both authentication methods, there is no need to provision a user twice. Smartcard Technology Background As the usage of Information Technology has increased exponentially, the need for security of these systems has increased accordingly. Traditionally, authenticating users was solely done by the user providing a valid username and password. This was known as single-factor authentication as the user knows all parts of the authentication process. Over time, additional user provided information wasn t sufficient and additional factors were required. Physical token technology came to the fore and smart cards have become a recognised industry standard for authentication. The major benefit of smart cards is the versatility of the solution as smart cards can not only prove the identity of holder and authenticate the user to a network, but also be used for physical perimeter access. Furthermore, picture identification can be printed on the card for additional verification and user identification.

7 Deployment 7 Deployment Overview This deployment section assumes that the UAG 2010 Appliance has been installed and is configured. Note This guide does not detail how to install and configure UAG To fully deploy the Winfrasoft HAS solution the following steps must be performed: (1) Deploy and configure UAG 2010, including any service packs or updates (2) Install Winfrasoft HAS Web Services on a separate server to UAG 2010 (3) Install the Winfrasoft HAS Add-on for UAG 2010 on the UAG appliance (4) Provision users with HAS tokens

8 8 Winfrasoft HAS Installing the Winfrasoft HAS Server The Winfrasoft HAS Web Services must be installed onto a server running Windows Server 2008 R2 (x64), the HAS Server. The Winfrasoft HAS Server is also available as a preconfigured appliance from Winfrasoft. The HAS Web Services can NOT be installed on a server running UAG 2010 due to restrictions placed on UAG 2010 by Microsoft. This is a change from the previous version of HAS for IAG 2007 which was able to cater for this scenario. Note Ensure you are logged onto the HAS Server with Domain Admin rights to allow for the Active Directory configuration to be performed. (1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer. (2) The setup wizard starts: (3) Click Next to continue. (4) After reading the licence agreement click I accept the terms in the terms in the License Agreement if you agree to the terms, then click Next to continue.

9 Deployment 9 (5) Select the setup type. Click Custom and select Next to continue. Note The HAS Web Services can NOT be installed on a server running UAG 2010 due to restrictions placed on UAG 2010 by Microsoft. This is a change from the previous version of HAS for IAG 2007 which was able to cater for this scenario. (6) Click Next to continue. Note The HAS Management Console option is automatically visible when installing on the HAS Server if Active Directory Users and Computers snap-in is already installed.

10 10 Winfrasoft HAS (7) Click Next to continue. The installation is being performed. During the install a balloon will popup displaying the UAG version that was detected for the Plug-in. Note The Winfrasoft HAS Active Directory Initialisation wizard may show extra information or warning messages if it has previously been run in the forest. Existing groups will be reused for multiple box deployment scenarios.

11 Deployment 11 (8) Ensure no critical errors have occurred during the Winfrasoft HAS Active Directory Initialisation, if so contact Winfrasoft for support. Click Close to continue. (9) All necessary Winfrasoft HAS files have been installed on your HAS Server. Click Finish to complete the installation process. Note The HAS Server may require a restart in order for all changes to be applied. Without a restart the HAS Server will not have the required rights to update smart card details on AD user accounts. If HAS is being reinstalled or the server is already a member of the Winfrasoft HAS Servers group then a reboot is not required. The Winfrasoft HAS Servers group is added to the Account Operators group by default. This grants the HAS Server the rights required to update user accounts with Smart Card information for auto provisioning. However, Account Operators do not have rights to modify AD Administrator accounts. As such administrator accounts cannot use auto provisioning by default. Add the Winfrasoft HAS Servers group to the Domain Admin group to enable this functionality.

12 12 Winfrasoft HAS Installing the Winfrasoft HAS Plug-in for UAG 2010 The Winfrasoft HAS Plug-in for UAG 2010 enables UAG to communicate with the HAS Server. (1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer. (2) The setup wizard starts: (3) Click Next to continue. (4) After reading the licence agreement click I accept the terms in the terms in the License Agreement if you agree to the terms, then click Next to continue.

13 Deployment 13 (5) Select the setup type. Click Custom and select Next to continue. Note The HAS Web Services can NOT be installed on a server running UAG 2010 due to restrictions placed on UAG 2010 by Microsoft. This is a change from the previous version of HAS for IAG 2007 which was able to cater for this scenario. (6) Click Next to continue. Note The HAS Management Console option is automatically selected when installing on the UAG server if Active Directory Users and Computers snap-in is locally installed. (7) Enter the fully DNS name of the HAS appliance or the web server running the HAS authentication web service. Click Next to continue.

14 14 Winfrasoft HAS (8) Click Next to continue. The installation is being performed. (9) All necessary Winfrasoft HAS files have been installed on your UAG appliance. Click Finish to complete the installation process.

15 Installing the Winfrasoft HAS Management Console The Winfrasoft HAS Management Console can only be installed on any 32bit or 64bit computer that has the Active Directory Users and Computers MMC snap-in installed. Typically, this would be a Domain Controller. Deployment 15 (1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer. (2) The setup wizard starts: (3) Click Next to continue. (4) After reading the licence agreement click I accept the terms in the terms in the License Agreement if you agree to the terms, then click Next to continue.

16 16 Winfrasoft HAS (5) Select the setup type. Click Custom and select Next to continue. Note If IIS is installed on the machine you want to install the HAS Management Console on then the HAS Web Service will display as a selected installation option. (6) Ensure that only the HAS Management Console is selected if other choices are displayed. Click Next to continue.

17 Deployment 17 (7) Click Next to continue The installation is being performed. (8) Click Finish to complete the installation process.

18 18 Winfrasoft HAS Uninstalling Winfrasoft HAS If you no longer require Winfrasoft HAS you can remove it from a server by doing the following: (1) To start the Winfrasoft HAS un-installation, run the Winfrasoft HAS.exe installation. Alternatively use Add/Remove Programs in the Control Panel, select Winfrasoft HAS application and click Remove. (2) Running the EXE file starts the setup wizard. (3) Select Uninstall. Click Next to continue. (4) Click Next to continue.

19 Deployment 19 The Winfrasoft HAS uninstall will remove configured components. (5) Click Finish to complete the uninstall process.

20 20 Winfrasoft HAS HAS Configuration on UAG 2010 Configure IIS MIME Types (Internet only) (1) On the UAG 2010 server, open IIS Manager and select the Server. (2) Double click MIME Types.

21 (3) Click Add and add each of the following MIME types: Extension.dat.vslp.cfg Note MIME type application/octet-stream application/octet-stream application/octet-stream Do NOT add the MIME types to the default web site, they MUST be added to the web server directly. HAS Configuration on UAG When done the MIME types will be listed as follows: (4) Close IIS Manager when done.

22 22 Winfrasoft HAS Add a HAS Authentication repository (Internet) (1) Start the Microsoft UAG 2010 Management Console. (2) Click Admin- Authentication and Authorization Servers (3) Click Add

23 HAS Configuration on UAG (4) Select Other from the Server type drop down list. Enter WinfrasoftHASInternet (one word) in the Server name box. Check the Use a different server for portal application authorization box and select the existing Active Directory repository from the dropdown list. Click OK. (5) Click Close

24 24 Winfrasoft HAS Add a HAS Authentication repository (N3) (1) Start the Microsoft UAG 2010 Management Console. (2) Click Admin- Authentication and Authorization Servers (3) Click Add

25 HAS Configuration on UAG (4) Select Other from the Server type drop down list. Enter WinfrasoftHASN3 (one word) in the Server name box. Check the Use a different server for portal application authorization box and select the existing Active Directory repository from the dropdown list. Click OK. (5) Click Close

26 26 Winfrasoft HAS Configure a UAG Trunk to use HAS (Internet) A Trunk can be configured for use from N3 or the Internet, but not both. If you require HAS functionality from both locations then either use the Internet configuration only and do not rely on Spine authentication, or setup two Trunks. Note The URLs used in this section are listed in the C:\Program Files\Winfrasoft HAS\readme.txt file. It is highly recommended that the URLs are copied and pasted from the readme.txt file instead of manually typed for speed and accuracy. (1) Start the Microsoft UAG 2010 Management Console. (2) Every Trunk on the UAG server must be configured separately to use HAS. Select the trunk to configure for use with HAS Authentication. Click Configure

27 HAS Configuration on UAG (3) Select the Authentication tab. (4) In the Require users to authenticate as session logon section: a. Under Select authentication servers: i. Add WinfrasoftHASInternet

28 28 Winfrasoft HAS ii. Remove the existing Active Directory entry b. Update the User login page entry with: CustomUpdate/HASLoginInternet.asp Note Do NOT place a / {slash} before CustomUpdate/HASLoginInternet.asp (5) Select the URL Set tab.

29 HAS Configuration on UAG (6) In this section, the appropriate access rules for the different custom files installed by HAS must be created. Scroll through the URL List and select the URL InternalSite_Rule2. Below the Parameter List Click Add to add a new parameter for this URL Rule. Set the parameter values to the following: Parameter List Property Name Name Type Value Value Type Value chall String {empty} String Length 0:350 Existence Occurrences Optional Multiple Max Total Length -1 Rejected values checking On

30 30 Winfrasoft HAS (7) Scroll through the URL List and select the URL InternalSite_Rule20. Modify the URL property so it contains the following new bold entries: URL /internalsite/scripts/customupdate/[0-9a-z]*(params install sslvpnpage rds jquery format scripts vsapi)\.js (8) Add the following Primary URLs. For each new URL set, click Add Primary.

31 HAS Configuration on UAG URL List Property Name Action URL Parameters Value InternalSite_SC1 Accept /internalsite/scripts/customupdate/api_gsl_p7/(vsappletlauncher vsapinative)\.jar Ignore Note Methods GET Property Name Action URL Parameters Value InternalSite_SC2 Accept /internalsite/scripts/customupdate/api_gsl_p7/(vsapi)\.dat Ignore Note Methods GET Property Name Action URL Parameters Value InternalSite_SC3 Accept /internalsite/scripts/customupdate/api_gsl_p7/(vsapiapplet)\.vslp Ignore Note Methods GET Property Name Action URL Parameters Value InternalSite_SC4 Accept /internalsite/scripts/customupdate/api_gsl_p7/(vstapidll)\.cfg Ignore Note Methods GET

32 32 Winfrasoft HAS Property Name Action URL Parameters Value InternalSite_SC5 Accept /internalsite/scripts/customupdate/api_gsl_p7/meta- INF/services/javax.xml.parsers.SAXParserFactory Ignore Note Methods GET Property Name Action URL Parameters Value InternalSite_UserLookup Accept /internalsite/customupdate/userlookup.asp Handle Note Methods GET Parameter list Heading Entry 1 Entry 2 Name authtype sessionid Name Type String String Value {empty} {empty} Value Type String String Length 1:10 1:2000 Existence Mandatory Mandatory Occurrences Single Single Max Total Length -1-1 Rejected values checking On On

33 HAS Configuration on UAG (9) Once complete and the appropriate modifications and new URL Set pages have been successfully added, click OK to accept the changes. (10) Open the following folder in Windows Explorer: C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate Make a copy of the [PortalName]1PostPostValidate (Winfrasoft HAS).inc file. Rename the file by removing (Winfrasoft HAS) off of the end and replacing [PortalName] with the actual name of the Trunk you are configuring. Do not remove the 1. e.g. InternetPortal1PostPostValidate.inc (11) Click Activate Configuration to apply and save the changes.

34 34 Winfrasoft HAS (12) Click Activate to apply the changes. (13) Click Finish.

35 Configure a UAG Trunk to use HAS (N3) HAS Configuration on UAG A Trunk can be configured for use from N3 or the Internet, but not both. If you require HAS functionality from both locations then either use the Internet configuration only and do not rely on Spine authentication, or setup two Trunks. Note The URLs used in this section are listed in the C:\Program Files\Winfrasoft HAS\readme.txt file. It is highly recommended that the URLs are copied and pasted from the readme.txt file instead of manually typed for speed and accuracy. (1) Start the Microsoft UAG 2010 Management Console. (2) Every Trunk on the UAG server must be configured separately to use HAS. Select the trunk to configure for use with HAS Authentication. Click Configure

36 36 Winfrasoft HAS (3) Select the Authentication tab.

37 (4) In the Require users to authenticate as session logon section: a. Under Select authentication servers: i. Add WinfrasoftHASN3 ii. Remove the existing Active Directory entry b. Update the User login page entry with: CustomUpdate/HASLoginN3.asp HAS Configuration on UAG Note Do NOT place a / {slash} before CustomUpdate/HASLoginN3.asp (5) Select the URL Set tab.

38 38 Winfrasoft HAS (6) In this section, we now need to create the appropriate access rules for the different custom files installed by HAS. Scroll through the URL List and select the URL InternalSite_Rule20. Modify the URL property so it contains the following new bold entries: URL /internalsite/scripts/customupdate/[0-9a-z]*(params install sslvpnpage rds jquery-1.3.2)\.js (7) Scroll through the URL List and select the URL InternalSite_Rule27. Modify the URL property so it contains the following new bold entries: URL /internalsite/applet/(detectjava microsoftclient oesislocal runtimeelevator agent_win_helper agent_mac_helper a n_helper gettoken)\.jar

39 HAS Configuration on UAG (8) Add the following Primary URL. For each new URL set, click Add Primary URL List Property Value Name InternalSite_UserLookup Action URL Parameters Accept /internalsite/customupdate/userlookup.asp Handle Note Methods GET Parameter list Heading Entry 1 Entry 2 Name authtype sessionid Name Type String String Value {empty} {empty} Value Type String String Length 1:10 1:2000 Existence Mandatory Mandatory Occurrences Single Single Max Total Length -1-1 Rejected values checking On On

40 40 Winfrasoft HAS (9) Once complete and the appropriate modifications and new URL Set pages have been successfully added, click OK to accept the changes. (14) Open the following folder in Windows Explorer: C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate Make a copy of the [PortalName]1PostPostValidate (Winfrasoft HAS).inc Rename the file by removing (Winfrasoft HAS) off of the end and replacing [PortalName] with the actual name of the Trunk you are configuring. Do not remove the 1. e.g. N3Portal1PostPostValidate.inc (10) Click Activate Configuration to apply and save the changes.

41 HAS Configuration on UAG (11) Click Activate to apply the changes. (12) Click Finish.

42 42 Winfrasoft HAS Configure User Auto Provisioning without Self Service Password Reset To enable users to access the self-provisioning functionality i.e. the ability for users to associate smart cards with their Active Directory account, then the Winfrasoft HAS Provisioning application must be published in the trunk. This section describes the process to publish the Winfrasoft HAS Auto Provisioning and Self Service Password Reset pages in UAG Note This process must be repeated for every UAG trunk that will provide portal access to provisioning and password resets. (1) Start the Microsoft UAG 2010 Management Console. (2) Select the appropriate trunk to add the Self Service Password Reset Application to. In the Applications section, click Add...

43 HAS Configuration on UAG (3) The UAG Add Application Wizard will start. Click Next. (4) Choose Other Web Application (portal hostname) from Web section. Click Next. (5) Complete the values for the Application Values with the following and click Next: Property Value Application Name Winfrasoft HAS Auto Provisioning Application Type GenericWeb

44 44 Winfrasoft HAS (6) Click Next. (7) Click Next.

45 HAS Configuration on UAG Note If multiple HAS servers are deployed in a high availability scenario then publish both together as a server farm. (8) Click Next. (9) Complete the values for the Web Servers as follows: Property Address Type Addresses Value IP/Host {HAS Server FQDN} Paths / HTTP ports HTTPS ports 12443

46 46 Winfrasoft HAS (10) Click Next. (11) Click Next.

47 HAS Configuration on UAG (12) Untick the Add a portal and toolbar link box. Click Next. (13) Click Next.

48 48 Winfrasoft HAS (14) Click Finish. (15) Click Activate Configuration to apply and save the changes.

49 HAS Configuration on UAG (16) Click Activate to apply the changes. (17) Click Finish. Your Trunk is now configured to use the Auto Provisioning functionality.

50 50 Winfrasoft HAS Configure User Auto Provisioning with Self Service Password Reset To enable users to reset their Active Directory passwords and to access the auto provisioning functionality i.e. the ability for users to associate smart cards with their Active Directory account, the Self Service Password Reset application must be published in the trunk. The Self Service Password Reset facility shares the same published application configuration as auto provisioning to simplify the configuration. Active Directory Configuration This section describes the process to configure the Active Directory with Kerberos Constrained Delegation to support Self Service Password Reset. (1) Open Active Directory Users and Computers (either on a DC or management station) and select the properties of the UAG 2010 computer account, then select the Delegation tab. (2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected) then click Add

51 HAS Configuration on UAG (3) Click Users or Computers and locate the HAS Server computer account running the HAS Web Services. (4) Select the http service type and click OK. (5) Click OK.

52 52 Winfrasoft HAS UAG 2010 Configuration This section describes the process to publish the Winfrasoft HAS Auto Provisioning and Self Service Password Reset pages in UAG Note This process must be repeated for every UAG trunk that will provide portal access to provisioning and password resets. (1) Start the Microsoft UAG 2010 Management Console. (2) Select the appropriate trunk to add the Self Service Password Reset Application to. In the Applications section, click Add...

53 HAS Configuration on UAG (3) The UAG Add Application Wizard will start. Click Next. (4) Choose Other Web Application (portal hostname) from Web section. Click Next. (5) Complete the values for the Application Values with the following and click Next: Property Value Application Name Self Service Password Reset Application Type GenericWeb (6) Click Next.

54 54 Winfrasoft HAS (7) Click Next. Note If multiple HAS servers are deployed in a high availability scenario then publish both together as a server farm. (8) Click Next. (9) Complete the values for the Web Servers as follows: Property Address Type Addresses Value IP/Host {HAS Server FQDN} Paths /

55 HAS Configuration on UAG HTTP ports HTTPS ports (10) Click Next. (11) Click Next.

56 56 Winfrasoft HAS (12) Click Next. (13) Click Next.

57 HAS Configuration on UAG (14) Click Finish. (15) Double click the Self Service Password Reset application to edit it. (16) Select the Authentication tab. (17) Check Use single sign-on to send credentials to published applications, then select Use Kerberos constrained delegation for single sign-on. Enter http/* or enter http/{your.server.and.domain.name} in the Application field where {your.server.and.domain.name} is the full DNS name of the HAS computer account in AD.

58 58 Winfrasoft HAS (18) Click OK. (19) Click Activate Configuration to apply and save the changes. (20) Click Activate to apply the changes. (21) Click Finish. Your Trunk is now configured to use Self Service Password Reset and Auto Provisioning functionality.

59 HAS Configuration on UAG Configure the TMG Firewall (N3 only) Microsoft UAG 2010 runs on top of TMG 2010 which provides security and protocol access to the published portals on UAG via its firewall services. As such, a firewall rule needs to be created allowing Winfrasoft HAS access to the N3 network. To do this, create a Firewall rule in Microsoft TMG Management Console with the following properties: Property Name Action Protocols From To Conditions Value Winfrasoft N3 Spine Access Allow HTTP HTTPS Local Host External All users

60 60 Winfrasoft HAS Certificate Configuration Various certificate configurations must be performed on the UAG server depending on the type of Smart Card authentication is being used. Certificate Trust List Configuration In order for Winfrasoft HAS to trust the certificates, the public certificate of the issuer s root CA needs to be applied. Winfrasoft HAS makes use of the Operating System trust list to validate SSL certificates. Import the Root and Intermediate certificates required into the certificate store of the Computer account. Note Do NOT double click the certificate file to install it, this will install the certificate into the currently logged on users certificate store. The required certificate files are installed in the following folder: C:\Program Files\Winfrasoft HAS\certs\

61 Certificate Configuration 61 Note HAS includes the Root and Intermediate certificates for the Live and NIS1 Spine implementations.

62 62 Winfrasoft HAS Winfrasoft HAS Management Winfrasoft HAS must be configured and users need to be provisioned before they can use the two-factor authentication technologies. Users can be provisioned automatically via the auto-provisioning web page (if enabled), or via the MMC Snap-In. All data is stored in the Active Directory (without the need for schema extensions), not on the HAS or UAG server. To configure user s Winfrasoft HAS credentials, on a machine that has the Winfrasoft HAS Management Console Snap-In extension installed, open Active Directory Users and Computers. Select the user you wish to manage. Open the account properties and select the NHS Smart Card tab. If a User ID exists, then this user has been configured for Winfrasoft HAS. Administrators can manually configure users by entering the user s UID in this field. To remove a user from Winfrasoft HAS, click the Clear button. The certificate subject name will be removed from the user account and the licence will be released for use for another user. The License Availability details displayed are solely for informational purposes and cannot be modified manually. Should you require additional licences, please contact your local Winfrasoft partner. Note There is a current known limitation that Smart Card information cannot be modified on user account properties when the accounts are located via the Find feature of Active Directory Users and Computers. The Read Card feature is currently only available when using a 32bit MMC.

63 Advanced Configuration 63 Advanced Configuration Winfrasoft HAS advanced configuration is performed by modifying pre-existing registry keys. HAS Registry Keys These keys should NOT be renamed or removed; only the values can be changed. Not all keys are available on all servers as some are specific to the UAG Server or Appliance and others to the HAS Server or Appliance; however some are common to both. The keys are located in the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Winfrasoft\Winfrasoft HAS UAG Server / Appliance keys Name Default Value Description LicenceFolder C:\Program Files\ Winfrasoft HAS The path on the server where the licence file is located. It is not recommended to change this location. LoggingEnabled 0 Changing this setting to 1 enabled diagnostic logging. This should not be enabled for usual operation and is only required for troubleshooting or when instructed by Winfrasoft support. HASWebServiceURL emo.com:12000 The URL accessed by UAG 2010 then connecting to the HAS Server. This URL must be updated with the correct server name after installation. It is not supported to use a port other than

64 64 Winfrasoft HAS HAS Server / Appliance keys Name Default Value Description AutoProvisionDisabled 0 Provides the ability to enable or disable the user auto provisioning functionality. The default of 0 indicates that auto provisioning is not disabled. To disabled auto provisioning set the value to 1. AutoProvisionOverwriteEnabled 0 Changing this setting to 1 allows a user to overwrite an existing smart card link with a new card. When this value it set to 0 an administrator has to manually unlink the existing card before a user can link a new one. This setting has no effect if auto provisioning has been disabled. DisableSpineCertCheck 1 Disables checking the validity of the SSL certificate used on the Spine connection point. This is enabled by default to allow spine authentication to work in cases where the CRL or the root for the SSL certificate is not available. GuestAccessEnabled 0 Changing this setting to 1 allows guest users to access the UAG portal. A guest user is a user with no AD users account. To allow a guest user access to internal resources create an AD user account called PortalGuest and assign any required rights to it. LicenceFolder C:\Program Files\ Winfrasoft HAS When this setting is set to 0 guest logins are not possible. The path on the server where the licence file is located. It is not recommended to change this location. LoggingEnabled 0 Changing this setting to 1 enabled diagnostic logging. This should not be enabled for usual operation and is only required for troubleshooting or when instructed by Winfrasoft support. LoggingFolder C:\Program Files\ Winfrasoft HAS\Log The path on the server where the diagnostic logging file are located. It is not recommended to change this location. ProvisionTTL 3600 decimal Time in seconds that session information is kept in memory prior to a successful provisioning event. SessionTTL 300 decimal Time in seconds that a session is kept active before a user must enter their smart card PIN. SpineURL oleassertion?token= {sso_ticket} The URL accessed by the HAS Server when connecting to Spine. If testing against other Spine implementations this URL can be modified.