SAM 8.0 SP2 Deployment at AWS. Version 1.0


SAM 8.0 SP2 Deployment at AWS
Version 1.0
Publication Date: July 2011


Copyright 2011 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.

SafeNet, SafeNet Authentication Manager and SafeNet Authentication Client are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.

SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications. Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Date of Publication: May 2011
Last update: August 2011

Contacting SafeNet

We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is the first line of support when you have questions about products and services. However, if you require additional assistance, you can contact the SafeNet technical support team help desk, which is available 24 hours a day, seven days a week:

Country/Region  Telephone
USA
International

For further assistance submit additional questions to the SafeNet technical support team at the following web page:

For assistance via e-mail to SafeNet technical support, send the request to the following address: support@safenet-inc.com

Table of Contents

- Overview
- Virtual Private Cloud (VPC) Components
- OTP Scenario Use Case
- Main Route Table
- Recommended Security Groups
- SRP Security Group
- SAM Security Group
- Checklists
- Step By Step
- Task 1: Prepare for the VPN Connection
- Task 2 to Task 6: Create VPC using AWS console
- Task 7: Create Security Groups and Add Rules
- Task 8: Launch Instances into the Subnets
- Task 9: Allocate and Assign Elastic IP Addresses
- SAM 8.0 SP2 Deployment at AWS (Private Network)
- SRP Deployment at AWS (Public network)
- Adding a Portal Connection
- OTP Plug-in Deployment at Corporate Network
- Configuring OTP Authentication Settings
- Step 1- Enroll a MobilePASS Token
- Step 2- Authenticate Using OTP against a Corporate VPN Server


Chapter 1 Introduction

This guide provides basic configuration information required to securely deploy SAM 8.0 SP2 in Amazon Web Services (AWS). It introduces the AWS feature Virtual Private Cloud (VPC), which enables communication with a home network over an IPSec VPN tunnel.

This guide uses the AWS Management Console to perform Amazon VPC tasks, such as creating virtual private clouds, subnets, and gateways. The console is similar to the Amazon EC2 interface. In addition, Amazon EC2 and Amazon VPC functionality are offered on different tabs in the same AWS Management Console.

In this chapter:
- Overview
- Virtual Private Cloud (VPC) Components
- OTP Scenario Use Case

Overview

Amazon Virtual Private Cloud (Amazon VPC) enables provisioning a private, isolated section of the Amazon Web Services (AWS) cloud in which to launch AWS resources in a defined virtual network. With Amazon VPC, a virtual network topology can be defined to closely resemble a traditional network that is operational in the existing datacenter. The user has complete control over the virtual networking environment, including IP address range selection, subnet creation, and configuration of route tables and network gateways.

The network configuration for an Amazon VPC is easily customized. For example, a public-facing subnet with access to the Internet can be created for SafeNet Secure Remote Portal (SRP) 8.0 SP2 servers, while backend systems such as SafeNet Authentication Manager (SAM) 8.0 SP2 are placed in a private-facing subnet with no Internet access. To help control access to Amazon EC2 instances in each subnet, multiple layers of security can be leveraged, including security groups and network access control lists.

Additionally, a Hardware Virtual Private Network (VPN) connection can be created between a corporate datacenter and a VPC, so that the AWS cloud is leveraged as an extension of the corporate datacenter.

Virtual Private Cloud (VPC) Components

A VPC comprises a variety of objects that are familiar to users with existing networks:

- Virtual Private Cloud (VPC): An isolated portion of the AWS cloud. A VPC's IP address space is defined from a range selected by the user.
- Subnet: A segment of a VPC's IP address range where groups of isolated resources can be placed.
- Internet Gateway: The Amazon VPC side of a connection to the public Internet.
- Hardware VPN Connection: A hardware-based VPN connection between an Amazon VPC and the datacenter, home network, or co-location facility.
- VPN Gateway: The Amazon VPC side of a VPN Connection.
- Customer Gateway: The user's side of a VPN Connection.
- Router: Routers interconnect Subnets and direct traffic between Internet gateways, VPN gateways and Subnets.

OTP Scenario Use Case

Sometimes an organization needs to extend its authentication scheme to use OTP in a typical VPN scenario, in which a remote user attempts to access resources on a corporate network. To provide this functionality, the user must first enroll an OTP profile, which can be either a physical token device or a MobilePASS token. A MobilePASS token is an application installed on a user's mobile device that generates an OTP passcode. The OTP profile enrollment is performed using the Secure Remote Portal (SRP 8.0 SP2) located in AWS.

Note: Other OTP authenticators can be used. For more information, refer to the OTP_Authentication_Admin_Guide_8_0.pdf.

After successfully enrolling an OTP profile, the user can establish a connection through the Internet to the corporate network, and then authenticate to gain access to the corporate resources.

The following diagram illustrates a basic VPN scenario and contains the following components:

- Customer VPN Gateway: CheckpointVPN-1 gateway NGX R71 HFA30
- Customer Router: Cisco ISR IOS 12.4
- SAM 8.0 SP2
- SRP-8.0 SP2
- SafeNet OTP Plug-in 8.0

[Diagram: basic VPN scenario showing the Internet, the VPN-1 gateway NGX R71 HFA30, the SafeNet OTP Plugin, the Cisco ISR IOS 12.4 router, and SRP-8.0 SP2 and SAM 8.0 SP2 in the VPC at AWS.]

The MobilePASS token enrollment flow is as follows:

1. Client securely connects to the SRP 8.0 SP2 server installed at AWS.
2. The client is prompted to enter the MobilePASS Activation Code displayed on the user's mobile device.
3. The user enters an OTP PIN, and confirms the PIN.
4. The MobilePASS token enrollment site on SRP communicates securely with SAM 8.0 SP2 installed on the VPN-only network at AWS, and validates the user credentials. A Token Successfully Enrolled message opens.

The OTP authentication flow is as follows:

1. A client requests access to a CheckpointVPN-1 gateway.
2. The CheckpointVPN-1 gateway prompts the user for authentication credentials including username and OTP value.
3. The user opens the MobilePASS application on the mobile device. When the application prompts for the MobilePASS PIN, the user enters the mobile device's MobilePASS PIN, which was set during the MobilePASS token enrollment.
4. The user generates an OTP, which is displayed for a limited period of time. The generated OTP is used, together with the OTP PIN or Windows password if required, to authenticate to the CheckpointVPN-1 gateway.
5. The CheckpointVPN-1 gateway service uses these credentials to authenticate the user via the RADIUS protocol. The authentication request is submitted to the RADIUS server with the SafeNet OTP Plugin installed on the customer's network. The SafeNet OTP authentication plug-in installed on the RADIUS server validates the request via web services (SOAP over HTTPS) to the SAM 8.0 SP2 validation service installed at AWS.

Chapter 2 Basic Layout

The following diagram illustrates the basic layout of an existing VPC. The larger grey cloud is the existing VPC (the isolated portion of the AWS cloud). There is an Internet gateway attached to the VPC enabling the VPC to communicate with the Internet. There is also a VPN gateway enabling the VPC to communicate with a home network over an IPSec VPN tunnel. The Router in the VPC represents the VPC's built-in routing function. The VPC has two subnets.

The following table provides additional details about the VPC and its layout for this scenario.

- A size xx.xx.xx.xx/16 VPC (for example, /16), providing 65,536 private IP addresses.
- An Internet gateway connecting the VPC to the Internet.
- A VPN between the VPC and home network. The entire VPN scenario consists of a customer gateway, VPN gateway, VPN attachment (connecting the VPN gateway to the VPC), and a VPN connection. For this scenario, the VPN setup is generally referred to as the client VPN gateway or VPN connection. To enable the VPN connection, the client must have an appliance (for example, a router) in the client's home network operating as the anchor on the client's side of the connection.
- A size xx.xx.xx.xx/24 subnet (for example, /24), providing 256 private IP addresses. The diagram illustrates the subnet containing an SRP web server with a private IP address (for example, ) and an Elastic IP address (for example, ), enabling the instance to be reached from the Internet. The addresses illustrated in the diagram are examples; when implementing the scenario the values will probably be different.
- Another subnet, also size /24. In the diagram, the subnet contains backend SAM 8.0 SP2 services for the SRP website and also for the RADIUS server installed at the corporate network. The SAM 8.0 SP2 server has a private IP address (for example, ). Unlike the SRP in the public subnet, the SAM 8.0 SP2 server does not need to accept incoming traffic from the Internet (and should not). Set up the VPC so that this subnet sends and receives traffic only with the home network (in addition to talking with the public subnet on specific ports only). Therefore, in the diagram, the subnet is referred to as VPN-only.

Note: For the SRP 8.0 SP2 instance in the public subnet to be reachable from the Internet, the instance must have an associated Elastic IP address. The SAM 8.0 SP2 instance in the VPN-only subnet cannot reach the Internet directly; any Internet-bound traffic must first traverse the VPN gateway to the home network, where the traffic is then subject to the firewall and corporate security policies.

Chapter 3 Routing

A VPC has an implied router, as well as a modifiable main route table. Other route tables can be created to use in the VPC. By default, each table has a local route enabling instances in the VPC to talk to each other.

The following diagram and table illustrate the route tables and routes required to set up this scenario.

The VPC is automatically configured with a main route table. Any subnet not explicitly associated with another route table uses the main route table. For this scenario, the main route table is updated with a route that sends traffic from the VPN-only subnet to the VPN gateway (the flow of traffic is indicated by the dotted line adjacent to the table). The VPN-only subnet is not explicitly associated with any route table, so it implicitly uses the routes in the main route table.

The VPC can have other route tables besides the main route table. This scenario illustrates another route sending traffic from the public subnet to the Internet gateway (the flow of traffic is indicated by the dotted line adjacent to the table).

Main Route Table

If the wizard in the AWS Management Console is used to set up the VPC, the wizard automatically updates the main route table with the route between the VPN-only subnet and the VPN gateway, and creates the custom route table, associating the public subnet with the custom route table. Otherwise, the main route table must be updated manually and the public subnet must be associated with the custom route table manually.

Chapter 4 Security

AWS provides two methods for controlling security in a VPC: security groups and network ACLs. Both enable controlling traffic going in and out of the instances, with security groups working at the instance level, and network ACLs working at the subnet level. For many VPC users, security groups are sufficient, although sometimes both security groups and network ACLs are required, to take advantage of the additional security layer that network ACLs provide.

Recommended Security Groups

In the example scenario, only security groups and not network ACLs are used. A security group is a group of instances sharing a common set of inbound and outbound rules. To use security groups, create a group, add the required group rules, and then launch instances into the group. Rules can be added and removed from the group, with changes automatically applied to the instances in the group. An instance can be launched into more than one group, and an instance's group membership can be changed after launch.

The VPC comes with a default security group with initial settings denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances in the group. If a security group is not specified when an instance is launched, the instance automatically goes into this default group. Change the group's rules from the initial default rules if the instances are required to receive traffic from outside the group.

For this scenario, it is recommended that you do not use the default security group and instead create the following security groups:

- SRP: For the Secure Remote Portal 8.0 SP2 web servers in the public subnet.
- SAM: For the SafeNet Authentication Manager 8.0 SP2 servers in the VPN-only subnet.

The following figures illustrate each security group as a circle. A simplified light-gray VPC is in the background to help illustrate how the different VPC parts are related. Each figure has a corresponding table listing the inbound and outbound rules for the group and what they do.

SRP Security Group

The SRP security group, used for the Secure Remote Portal 8.0 SP2 web servers, is based on the rules in the following table. The web servers can only receive secured Internet traffic. The instances can also initiate secured Internet traffic to the SafeNet Authentication Manager 8.0 SP2 server instances in the private subnet.

Inbound
Source  Protocol  Port Range  Comments
/0      TCP       443         Allow inbound HTTPS access to the SRP web servers from anyone.
/24     RDP       3389        Allow inbound Remote Desktop Protocol (RDP) traffic from VPN-only network.

Outbound
Destination  Protocol  Port Range  Comments
/24          TCP       443         Allow outbound HTTPS access to the SAM 8.0 SP2 servers from public network.

SAM Security Group

The SAM security group is used for the SAM 8.0 SP2 servers. Based on the rules in the following table, the SAM 8.0 SP2 servers can receive secured Internet traffic (HTTPS) from public networks, and the group enables RDP traffic for management. SAM 8.0 SP2 servers also receive HTTPS traffic from RADIUS servers with the SafeNet OTP Plug-in located in the home network. The VPN-only network can initiate RDP traffic to the public network for SRP server management.

Inbound
Source  Protocol  Port Range  Comments
/24     TCP       443         Allow inbound HTTPS access to SAM 8.0 SP2 servers from public network.
/16     TCP       443         Allow inbound HTTPS access to SAM 8.0 SP2 servers from corporate network (over VPN Gateway).
/16     UDP       3389        Allow inbound RDP traffic from home network (over VPN Gateway).

Outbound
Destination  Protocol  Port Range  Comments
/24          TCP       3389        Allow outbound RDP traffic to the SRP server's public network.
/24          TCP       443         Allow outbound HTTPS access to the SRP server's public network.
/16          TCP       443         Allow outbound HTTPS access from SAM 8.0 SP2 servers to corporate network (over VPN Gateway).
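
The SRP and SAM rules listed above can be checked mechanically once the groups exist. The following Python code is an added example, not part of the SafeNet guide: it audits security-group rules, given in the dictionary shape that the EC2 DescribeSecurityGroups call returns, against the policy of this chapter. The CIDR ranges and sample groups are constructed placeholders, and RDP is modelled as TCP 3389, as in the SAM outbound rule.

```python
"""Audit security-group rules against the SRP/SAM policy described above.

Rule dictionaries use the shape returned by EC2 DescribeSecurityGroups
(IpPermissions / IpPermissionsEgress). Every CIDR and sample group below
is a constructed placeholder; substitute the ranges of your own VPC.
"""
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


# Assumed addressing, for illustration only.
ANYWHERE = net("0.0.0.0/0")
PUBLIC = net("10.0.0.0/24")       # public subnet holding the SRP servers
VPN_ONLY = net("10.0.1.0/24")     # VPN-only subnet holding the SAM servers
CORPORATE = net("172.16.0.0/16")  # home network behind the VPN gateway

HTTPS = ("tcp", 443)
RDP = ("tcp", 3389)  # modelled as TCP 3389, as in the SAM outbound rule

# Per role and direction: peer network -> allowed (protocol, port) pairs.
POLICY = {
    "SRP": {
        "IpPermissions": {ANYWHERE: {HTTPS}, VPN_ONLY: {RDP}},
        "IpPermissionsEgress": {VPN_ONLY: {HTTPS}},
    },
    "SAM": {
        "IpPermissions": {PUBLIC: {HTTPS}, CORPORATE: {HTTPS, RDP}},
        "IpPermissionsEgress": {PUBLIC: {HTTPS, RDP}, CORPORATE: {HTTPS}},
    },
}


def audit_group(role, group):
    """Return one finding tuple per CIDR rule that the policy does not allow.

    Rules that reference other security groups (UserIdGroupPairs) are not
    evaluated; the rules in this chapter are all CIDR based.
    """
    findings = []
    for direction, zones in POLICY[role].items():
        for perm in group.get(direction, []):
            proto = perm["IpProtocol"]  # "-1" means all protocols and ports
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            for rng in perm.get("IpRanges", []):
                peer = net(rng["CidrIp"])
                # Allowed only as a single port, from inside a permitted zone.
                allowed = lo == hi and any(
                    peer.subnet_of(zone) and (proto, lo) in ports
                    for zone, ports in zones.items()
                )
                if not allowed:
                    findings.append((role, direction, proto, lo, hi, str(peer)))
    return findings


def rule(proto, port, cidr):
    """Build a single-port rule in the DescribeSecurityGroups shape."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


# The default outbound rule that Task 7 deletes from each group.
ALLOW_ALL = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}

# Constructed samples: groups configured as this chapter describes.
SRP_GROUP = {
    "IpPermissions": [rule("tcp", 443, "0.0.0.0/0"),
                      rule("tcp", 3389, "10.0.1.0/24")],
    "IpPermissionsEgress": [rule("tcp", 443, "10.0.1.0/24")],
}
SAM_GROUP = {
    "IpPermissions": [rule("tcp", 443, "10.0.0.0/24"),
                      rule("tcp", 443, "172.16.0.0/16"),
                      rule("tcp", 3389, "172.16.0.0/16")],
    "IpPermissionsEgress": [rule("tcp", 3389, "10.0.0.0/24"),
                            rule("tcp", 443, "10.0.0.0/24"),
                            rule("tcp", 443, "172.16.0.0/16")],
}
# Constructed sample of drift: RDP opened to the Internet on the SAM group,
# and the default allow-all outbound rule never deleted.
SAM_DRIFTED = {
    "IpPermissions": SAM_GROUP["IpPermissions"]
    + [rule("tcp", 3389, "0.0.0.0/0")],
    "IpPermissionsEgress": [ALLOW_ALL] + SAM_GROUP["IpPermissionsEgress"],
}

if __name__ == "__main__":
    for name, role, group in [("SRP", "SRP", SRP_GROUP),
                              ("SAM", "SAM", SAM_GROUP),
                              ("SAM (drifted)", "SAM", SAM_DRIFTED)]:
        print(name, audit_group(role, group) or "OK")
```

Against a live account, the same function can be fed the entries of the SecurityGroups list from a DescribeSecurityGroups response.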

Chapter 5 Implementing the VPC Scenario

Checklists

These checklists outline the steps required to reach a baseline for a VPC setup with SAM 8.0 SP2 and SRP 8.0 SP2 for the OTP usage scenario.

Checklist Steps:
1. Set up VPC at AWS.
2. Install SAM 8.0 SP2 instance at VPC (Private network).
3. Install SAM 8.0 SP2 instance at VPC (Public network).
4. Configure RADIUS server with SafeNet OTP Plugin (HQ network).

Step By Step

This section describes the process for implementing the previously described scenario. Several tasks (Task 2 to Task 6) are automatically handled when using the wizard in the AWS Management Console.

The process for implementing the VPC Scenario is as follows:
- Task 1: Prepare for the VPN Connection.
- Task 2: Create the VPC and Subnets.
- Task 3: Create and Attach the Internet Gateway.
- Task 4: Create a Custom Route Table and add rules.
- Task 5: Set Up the VPN Connection.
- Task 6: Add a Route to the Main Route Table.
- Task 7: Create Security Groups and Add Rules.
- Task 8: Launch Instances into the Subnets.
- Task 9: Allocate and Assign Elastic IP Addresses.

Task 1: Prepare for the VPN Connection

In this scenario, a VPN connection is set up between the home network and the VPC. The connection requires an appliance onsite (for example, a router) to act as the customer gateway. Help is required from a network administrator to:

- Determine the appliance that is assigned as the customer gateway.
- Provide the Internet-routable IP address for the customer gateway's external interface. The address must be static and cannot be behind a device performing Network Address Translation (NAT).

The following devices meeting the aforementioned requirements are known to work with Hardware VPN connections, and have support in the command line tools for automatic generation of configuration files appropriate for the device:

- Cisco ISR running Cisco IOS 12.4 (or later) software
- Juniper J-Series Service Router running JunOS 9.5 (or later) software
- Juniper SSG running ScreenOS 6.1, or 6.2 (or later) software
- Juniper ISG running ScreenOS 6.1, or 6.2 (or later) software

Any other device can be used; however, it MUST be able to:

- Establish IKE Security Association using Pre-Shared Keys.
- Establish IPsec Security Associations in Tunnel mode.
- Utilize the AES 128-bit encryption function.
- Utilize the SHA-1 hashing function.
- Utilize Diffie-Hellman Perfect Forward Secrecy in "Group 2" mode.
- Establish Border Gateway Protocol (BGP) peering.
- Bind tunnels to logical interfaces (route-based VPN).
- Utilize IPsec Dead Peer Detection.
- Perform packet fragmentation prior to encryption.

In the demo, Cisco ISR running Cisco IOS 12.4 software is used.

Task 2 to Task 6: Create VPC using AWS console

When the wizard in the AWS Management Console is used to set up the VPC, it completes Tasks 2 to 6. This procedure assumes a VPC is not set up, and that the IP address for the customer gateway (see the preceding task) is available.

To use the wizard:
1. Open the AWS Management Console.
2. Select the Amazon VPC tab. The Amazon VPC Console Dashboard opens containing the Your Virtual Private Cloud work area.

3. On the VPC Dashboard, in the Your Virtual Private Cloud work area, click Get started creating a VPC. The wizard opens, providing four VPC creation options.
4. Select the option VPC with Public and Private Subnets and Hardware VPN Access, and then click Continue. The VPC with Public and Private Subnets and Hardware VPN Access dialog box opens.

5. Enter your customer gateway's IP address and click Continue. A confirmation page opens. The Confirmation page displays the CIDR blocks used for the VPC and subnets. It also displays the IP address provided for the customer gateway, as well as the VPC instance hardware tenancy. Any of these values can be edited in the Confirmation page.
6. Modify any details, if required, and then click Create VPC. The wizard begins creating the VPC, subnets, Internet gateway, and VPN connection. It also updates the main route table, creates a custom route table, and adds routes. An incremental bar illustrates the process.

   On completion, a confirmation dialog box opens with an option to download the configuration for the customer gateway.
7. Click Download Configuration. The Download Configuration dialog box opens.
8. Select the customer gateway's Vendor, Platform and Software version, and then click Yes, Download. The console responds with a text file containing the configuration.
9. Save the file and give it to the network administrator. The VPN will not work until the network administrator configures the customer gateway.

The next task is to create the recommended security groups.

Task 7: Create Security Groups and Add Rules

The AWS console automatically creates a default VPC security group with all ports open. It is advisable to manually create new security groups and add rules to the created groups. This section describes how to manually create new security groups. First create both groups and then add the rules to each. For details about the groups and their rules for this scenario, see the Security chapter.

To create a security group:
1. Open the AWS Management Console.
2. Select the Amazon VPC tab. The Amazon VPC page opens.
3. Select the Security Groups page. The Security Groups page opens listing the VPC's security groups.
4. Click Create Security Group. The Create Security Group dialog box opens.
5. Enter the name for the security group (for example, SRP), enter a group description, select the VPC's ID from the VPC menu, and click Yes, Create. The security group is created and appears on the Security Groups page. Notice that the group has an ID (for example, sg-622b390e). The Group ID column may need to be activated by clicking Show/Hide in the page's top right corner.

6. Repeat the preceding steps for the (SAM) group.

The created security groups must now have rules added to them.

To add rules to the SRP security group:
1. In the list of security groups, select the check box for the SRP group. The lower pane displays the security group's details.
2. Add rules for inbound HTTPS access to the group from anywhere:
   a. In the lower pane select Inbound. The Inbound tab opens.
   b. On the Inbound tab, from the Create a new rule drop-down list select HTTPS.
   c. Ensure the Source field's value is /0, and then click Add Rule. The rule to allow HTTPS access from anywhere (/0) is added to the Inbound tab. Notice that the rule on the right is highlighted in blue and an asterisk appears on the tab. This indicates that it is still required to click Apply Rule Changes (which is done after adding all the inbound rules to the group).
3. Add a rule for inbound RDP access to the group from the private VPN-only network:
   a. In the lower pane select Inbound. The Inbound tab opens.
   b. On the Inbound tab, from the Create a new rule drop-down list select RDP.
   c. Ensure the Source field's value is /24, and then click Add Rule. The rule to allow RDP access from the private network (/24) is added to the Inbound tab. Notice that the rule on the right is highlighted in blue and an asterisk appears on the tab. This indicates that it is still required to click Apply Rule Changes (which is done after adding all the inbound rules to the group).
4. Click Apply Rule Changes. The new inbound rules on the right side of the screen are no longer highlighted in blue and the asterisk no longer appears on the tab. The changes indicate that the new inbound rules have been applied.
5. Add the outbound rules to limit egress traffic from the instances:
   a. Select the Outbound tab. The Outbound tab opens.
   b. Locate the default rule enabling all outbound traffic, and then click Delete. The rule is marked for deletion, and an asterisk appears on the tab. The deletion does not take effect until clicking Apply Rule Changes, which is done after adding all the new outbound rules to the group.
   c. On the Outbound tab, from the Create a new rule drop-down list select HTTPS.
   d. Ensure the Destination field's value is /24, and then click Add Rule. The rule is added to the Outbound tab.
6. Click Apply Rule Changes. The new outbound rules now apply to the security group.

The VPC now includes a security group for the SRP servers in the public subnet. The group enables HTTPS access inbound from anywhere. The group also enables inbound RDP access from the private VPN-only network's IP range. The group also enables HTTPS access to the SAM security group.

To add rules to the SAM security group:
1. In the list of security groups, select the check box for the SAM group. The lower pane displays the security group's details.
2. Add a rule for inbound HTTPS access to the group from the VPC public network:
   a. In the lower pane select Inbound. The Inbound tab opens.
   b. On the Inbound tab, from the Create a new rule drop-down list select HTTPS.
   c. Ensure the Source field's value is /24, and then click Add Rule. The rule to allow HTTPS access from the public network (/24) is added to the Inbound tab. Notice that the rule on the right is highlighted in blue and an asterisk appears on the tab. This indicates that it is still required to click Apply Rule Changes (which is done after adding all the inbound rules to the group).
3. Add rules for inbound HTTPS access from the corporate network:
   a. In the lower pane select Inbound. The Inbound tab opens.
   b. On the Inbound tab, from the Create a new rule drop-down list select HTTPS.
   c. Ensure the Source field's value is /16, and then click Add Rule. The rule to allow HTTPS access from the corporate network (/16) is added to the Inbound tab. Notice that the rule on the right is highlighted in blue and an asterisk appears on the tab. This indicates that it is still required to click Apply Rule Changes (which is done after adding all the inbound rules to the group).
4. Add rules for inbound RDP access from the corporate network:
   a. In the lower pane select Inbound. The Inbound tab opens.
   b. On the Inbound tab, from the Create a new rule drop-down list select RDP.
   c. Ensure the Source field's value is /16, and then click Add Rule. The rule to allow RDP access from the corporate network (/16) is added to the Inbound tab. Notice that the rule on the right is highlighted in blue and an asterisk appears on the tab. This indicates that it is still required to click Apply Rule Changes (which is done after adding all the inbound rules to the group).
5. Click Apply Rule Changes. The new inbound rules on the right side of the screen are no longer highlighted in blue and the asterisk no longer appears on the tab. The changes indicate that the new inbound rules have been applied.
6. Add the outbound rules to limit egress traffic from the instances:
   a. In the lower pane select Outbound. The Outbound tab opens.
   b. On the Outbound tab, locate the default rule that enables all outbound traffic, and then click Delete. The rule is marked for deletion, and an asterisk appears on the tab. The deletion will not take effect until clicking Apply Rule Changes, which is done after adding all the new outbound rules to the group.
7. Add rules for outbound HTTPS access to the corporate network:
   a. In the lower pane select Outbound. The Outbound tab opens.
   b. On the Outbound tab, from the Create a new rule drop-down list select HTTPS.
   c. Ensure the Destination field's value is /16, and then click Add Rule. The rule to allow HTTPS access to the corporate network (/16) is added to the Outbound tab. Notice that the rule on the right is highlighted in blue and an asterisk appears on the tab. This indicates that it is still required to click Apply Rule Changes (which is done after adding all the inbound rules).
8. Add rules for outbound HTTPS access to the public network:
   a. In the lower pane select Outbound. The Outbound tab opens.
   b. On the Outbound tab, from the Create a new rule drop-down list select HTTPS.
   c. Ensure the Destination field's value is /24, and then click Add Rule. The rule to allow HTTPS access to the VPC public network (/24) is added to the Outbound tab.
9. Add rules for outbound RDP access to the public network:
   a. In the lower pane select Outbound. The Outbound tab opens.
   b. On the Outbound tab, from the Create a new rule drop-down list select RDP.
   c. Ensure the Destination field's value is /24, and then click Add Rule. The rule to allow RDP access to the VPC public network (/24) is added to the Outbound tab.
10. Click Apply Rule Changes. The new outbound rules are applied to the security group.

The VPC now includes a security group for the SAM 8.0 SP2 servers in the private VPN-only subnet. The group enables HTTPS and RDP access from the corporate network. The group also enables inbound HTTPS access from the public network's IP range. The group also enables RDP access to the SRP security group for server management.

The next section launches instances in the subnets.

Task 8: Launch Instances into the Subnets

After the network administrator configures the customer gateway, instances can be launched into the VPC. If you have not launched instances before, use the following procedure. If you are already familiar with launching Amazon EC2 instances outside a VPC, then you already know most of what you need to know.

The additional items to know are as follows:
- The VPC and subnet in which to launch the instances must be specified.
- The VPC security group that the instance is to be in must be specified (for example, SRP, SAM, etc.).

To launch an instance:
1. Start the launch wizard. The following screen opens.
2. Select the Amazon EC2 tab. The Getting Started window opens.
3. Click Launch Instance. The Request Instances Wizard opens.

   The first page of the wizard displays tabs listing different Amazon Machine Image (AMI) types.
4. Select an AMI from one of the tabs. If there is no particular AMI that you need to launch, select the Microsoft Windows Server 2008 Base AMI on the Quick Start tab. The wizard steps to the Instance Details page. The Instance Details page controls settings such as the number and size of instances to launch, and in which subnet to launch the instance.

5. Select the Launch Instances Into Your Virtual Private Cloud option, and from the Subnet ID drop-down list select the subnet in which to launch the instance.
6. Keep the other default settings on this page and click Continue. The wizard steps to the next page for instance details.
7. Click Continue. The wizard steps to the next page for instance details.
8. Click Continue.

   The wizard steps to the Create Key Pair page. A key pair is a security credential similar to a password, which is used to securely connect to an instance once it is running. If you are new to Amazon EC2 and have not created any key pairs yet, then when the wizard displays the Create Key Pair page, the Create a new Key Pair button is selected by default.
9. Create a key pair:
   a. On the Create Key Pair page, enter a name for the key pair (for example, SAM_Keypair). This is the name of the private key file associated with the pair (with a .pem extension).
   b. Click Create & Download your Key Pair. A prompt to save the private key from the key pair to the system opens.
   c. Save the private key in a safe location on the system. Note the location because it is required to use the key to connect to the instance. The wizard steps to the Configure Firewall page.

10. On the Configure Firewall page, select the security group to use for the instance (for example, SAM or SRP), and then click Continue. The wizard steps to the Review page. The Review page displays all the settings.
11. Review your settings and launch the instance:
   a. Click Launch. A confirmation page opens indicating the instance is launching.

   b. Click Close. The confirmation page is closed.
   c. In the navigation pane click Instances to view the instance's status. It takes a short time for an instance to launch. The instance's status is pending while it is launching. After a short period, the instance's status switches to running. To refresh the display click Refresh.

Now that you know how to launch an instance into the VPC, you can launch another instance and assign it to the SRP group. The next task associates Elastic IP addresses with SRP servers in the public subnet.

Task 9: Allocate and Assign Elastic IP Addresses

There should be at least one instance running in each of the subnets. Now Elastic IP addresses can be allocated and assigned to instances in the public subnet.

To allocate and assign an Elastic IP address to an instance:
1. Open the AWS Management Console.
2. Select the Amazon VPC tab. The Amazon VPC opens.
3. Select the Elastic IPs page. The Elastic IP page opens.
4. Click Allocate New Address. The Allocate New Address dialog box opens.

5. From the EIP used in: drop-down list, select VPC, and then click Yes, Allocate. The new address is allocated and is displayed on the page.
6. Right-click the IP address in the list and select Associate. The Associate Address dialog box opens.
7. From the Instance: drop-down list select the instance to associate the address with and then click Yes, Associate. The address is associated with the instance. Notice that the instance ID is displayed next to the IP address in the list.

The SRP instance now has an Elastic IP address associated with it, and is now accessible from the Internet.

Chapter 6
Connect to the SAM 8.0 SP2 & SRP SP2 Instances at AWS

To connect to a Windows instance, the initial administrator password must first be retrieved, and then used with Remote Desktop. The contents of the private key file created when the instance was launched are required (for example, 2008r2SAM.pem).

To connect to your Windows instance:
1. Retrieve the initial administrator password:
   a. Navigate to the directory where the private key file was stored when the SAM 8.0 SP2 server instance was launched.
   b. Open the file in a text editor and copy the entire contents (including the first and last lines, which contain BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY).
   c. Navigate to the AWS Management Console and locate the instance on the Instances page.
   d. Right-click the instance and select Get Windows Password. The Retrieve Default Windows Administrator Password dialog box opens (it might take a few minutes after the instance is launched before the password is available).

   e. Paste the private key file contents into the Private Key field.
   f. Click Decrypt Password. The console returns the default administrator password for the instance.
2. Connect to the instance using Remote Desktop:
   a. Start the Remote Desktop application (for example, from the Start menu, point to All Programs > Accessories, and then select Remote Desktop Connection).
3. Enter the instance private IP address (which was recorded earlier) and click Connect.
4. Log in using Administrator as the username and the administrator password received in the previous task as the password.

You're now connected to your instance. You can work with it like you would any Windows server. Proceed now with the Windows password retrieval for the SRP server instance located in the public network.
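The password retrieval step pastes the launch key into the console; the same decryption can be done on the administrator's workstation so the private key never leaves it. The script below is an added example, not part of the SafeNet guide. It assumes OpenSSL is installed and that the instance's password data (obtained separately, for example with `aws ec2 get-password-data`) is the base64 of the administrator password encrypted to the key pair's public key with RSA PKCS#1 v1.5; the function names, key and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decrypt EC2 Windows password data locally with the launch key,
# instead of pasting the .pem private key into a browser form.
# Assumption: password data = base64( RSA PKCS#1 v1.5 encryption of the
# administrator password under the key pair's public key ).

# key_is_private FILE -> succeeds only if group and other have no permission bits.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# decrypt_ec2_password KEYFILE BASE64_PASSWORD_DATA -> prints the clear-text password.
# Return codes: 2 unreadable key, 3 key too widely readable, 4 no password data yet.
decrypt_ec2_password() {
    keyfile=$1
    password_data=$2
    if [ ! -r "$keyfile" ]; then
        echo "cannot read key file: $keyfile" >&2
        return 2
    fi
    if ! key_is_private "$keyfile"; then
        echo "refusing key accessible to group/other; run: chmod 600 $keyfile" >&2
        return 3
    fi
    if [ -z "$password_data" ]; then
        # The password is not available until the instance has finished its first boot.
        echo "password data is empty; retry in a few minutes" >&2
        return 4
    fi
    # pkeyutl uses PKCS#1 v1.5 padding for RSA keys by default.
    printf '%s' "$password_data" | openssl base64 -d -A |
        openssl pkeyutl -decrypt -inkey "$keyfile"
}

# demo_roundtrip: builds a CONSTRUCTED key pair and CONSTRUCTED password data
# (standing in for what EC2 would return), then decrypts it as above.
demo_roundtrip() {
    workdir=$(mktemp -d) || return 1
    ( umask 077
      openssl genrsa -out "$workdir/SAM_Keypair.pem" 2048 2>/dev/null ) || return 1
    chmod 600 "$workdir/SAM_Keypair.pem"
    openssl rsa -in "$workdir/SAM_Keypair.pem" -pubout \
        -out "$workdir/pub.pem" 2>/dev/null || return 1
    data=$(printf '%s' 'Constructed-Passw0rd!' |
        openssl pkeyutl -encrypt -pubin -inkey "$workdir/pub.pem" |
        openssl base64 -A)
    status=0
    decrypt_ec2_password "$workdir/SAM_Keypair.pem" "$data" || status=$?
    rm -rf "$workdir"
    return "$status"
}

demo_roundtrip
echo
```

For a real instance, call decrypt_ec2_password with the path of the saved .pem file and the instance's password data.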

Chapter 7
SafeNet Software Deployment

This chapter provides a checklist of the main tasks required to install, configure, and deploy SAM 8.0 SP2 and SRP 8.0 SP2 for MobilePASS token enrollment. The chapter includes:
- SAM 8.0 SP2 Deployment at AWS (Private network)
- SRP 8.0 SP2 Deployment at AWS (Public network)
- OTP Plug-in Deployment at Corporate Network

SAM 8.0 SP2 Deployment at AWS (Private Network)

SafeNet Authentication Manager (SAM) 8.0 SP2 enables complete user authentication life cycle management. SafeNet Authentication Manager links tokens with users, organizational rules, and security applications to enable streamlined handling of users' needs throughout the various stages of their authenticator lifecycle.

For a checklist of the main tasks required to install, configure, and deploy SAM 8.0 SP2 for MobilePASS token enrollment in an OTP usage scenario, refer to the SAM Administrator's Guide Version 8.0 SP2.pdf.

Basic Configuration

Order | Action | Location | Reference
1 | Install the SafeNet Authentication Manager server component, selecting the OTP installation option. | SAM 8.0 SP2 server installed at AWS VPC private network | See Installing the SafeNet Authentication Manager Server on page 74 in SAM Administrator's Guide Version 8.0 SP2.pdf.
2 | Configure the SafeNet Authentication Manager server. | SAM 8.0 SP2 server installed at AWS VPC private network | See SAM Configuration Manager on page 283 in SAM Administrator's Guide Version 8.0 SP2.pdf.

Ec2ConfigService Configuration

Amazon EC2 Windows Server AMIs reset their hostname on startup due to the Ec2ConfigService. This behavior may cause the SAM DB not to be recognized after a system reboot. To disable this feature, select EC2ConfigService Settings from the Start menu, and uncheck the first checkbox under Set Computer Name.

To disable the hostname reset:
1. Select Start > Programs > EC2ConfigService Settings. The EC2 Service Properties window opens.
2. On the General tab, deselect Set Computer Name.
3. Click OK.

SRP Deployment at AWS (Public network)

SafeNet's Secure Remote Portals (SRP) 8.0 SP2 are configured using the SafeNet Authentication Manager 8.0 SP2 Portals Configuration. For a checklist of the main tasks required to install, configure, and deploy SAM 8.0 SP2 and SRP 8.0 SP2 for MobilePASS token enrollment, see Configuring SAM Portals on page 698 in the SAM Administrator's Guide Version 8.0 SP2.pdf.

Adding a Portal Connection

A connection must be added for the required MobilePASS Enrollment portal.

To add a portal connection:
4. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Portals Configuration. The SafeNet Authentication Manager - Portals Configuration window opens.
5. Select the Connections tab, and click Add. The Connection Details window opens.

6. Complete the fields as follows:

Field | Description
Connection Name | Enter a name for the connection.
SAM Server URL | Enter the SAM 8.0 SP2 server URL, according to the following format:
Username | Enter the username (this is the username used for logging on to SAM 8.0 SP2).
Password | Enter the password (this is the password used for logging on to SAM 8.0 SP2).
Instance Name | 1. Click Select. The Select SAM instance window opens. 2. Select the instance name of the SAM user store for which the portal connection is to be added.

Note: For the SAM Server URL field, the internal VPC IP address provided by AWS can be used.

OTP Plug-in Deployment at Corporate Network

SafeNet's OTP Plug-In for Microsoft RADIUS Client works with Microsoft's IAS/NPS Server to provide strong authenticated remote access through the Microsoft IAS/NPS RADIUS Server. When configured, users who access their network remotely using IAS are prompted for a token-generated OTP Passcode to access the network.

To configure the RADIUS server to receive RADIUS requests from a RADIUS client, and to configure the OTP Plug-In, refer to OTP Plug-In for Microsoft RADIUS Client on page 542 in the SAM Administrator's Guide Version 8.0 SP2.pdf, which provides a checklist of the main tasks required to install, configure, and deploy the SafeNet OTP Plug-In.

Configuring OTP Authentication Settings

To change the default OTP authentication behavior, modify the OTP configuration settings file, located on the Microsoft RADIUS (IAS/NPS) server. The configuration settings are added to the <ias_plugin_configuration> section in the otp_plugin_config.xml file. SafeNet's OTP Plug-In is required to communicate with the SAM 8.0 SP2 OTP web service installed at the AWS VPC private network.

To configure OTP authentication settings:
1. In the OTP plug-in installation folder, open the otp_plugin_config.xml file for editing.
2. In the <ias_plugin_configuration> section, edit the parameters as follows:

Key | Value | Description | Sample
otp_web_service_url | String | Defines the SafeNet Authentication Web Service URL. The web server checks all necessary parameters and then authorizes or rejects the request. | ntication/service.asmx

Chapter 8
Test the Authentication Scenario

To test the OTP scenario, the user first has to enroll an OTP profile, which is used for authentication. In this demo, the MobilePASS client software application is used; it is enrolled on the user's mobile device to generate an OTP without the need for a physical token. After a MobilePASS token is enrolled, the user can proceed and authenticate against the VPN gateway.

Step 1 - Enroll a MobilePASS Token

If it is required to map an existing domain name to an Amazon EC2 instance, one of the DNS management services available on the Internet must be used. Within Amazon EC2, DNS requests for the external DNS name of an instance are resolved to the internal IP address of the corresponding instance. When using a proprietary domain name, it is recommended to map the instance's external DNS name using a CNAME, not by using a record pointing at the instance's IP address.

To enroll a MobilePASS token:
1. Launch your SRP server at AWS: 1.compute.amazonaws.com/sammobile/. The Logon Page opens.

2. Enter the Username and Password, and then click Submit. The Activation Code Page opens.

3. Enter the Activation code for the MobilePASS token enrollment, and click Enroll. The enrollment is performed. On completion the Enrollment Completed Page opens.

The MobilePASS token is successfully enrolled from the SRP server installed at AWS.

Step 2 - Authenticate Using OTP against a Corporate VPN Server

Ensure the VPN gateway is pointed at the corporate network to your RADIUS server with the SafeNet OTP authentication plug-in installed. In this scenario, the RADIUS server with the SafeNet OTP authentication plug-in is installed at the corporate network, and it communicates with SAM 8.0 SP2, which is installed at AWS, to verify whether the OTP is valid.

The user is now successfully authenticated with SAM 8.0 SP2 installed at AWS using his MobilePASS token.


More information

Cisco Nexus 1000V InterCloud

Cisco Nexus 1000V InterCloud Deployment Guide Cisco Nexus 1000V InterCloud Deployment Guide (Draft) June 2013 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 49 Contents

More information

SafeNet Authentication Manager

SafeNet Authentication Manager SafeNet Authentication Manager Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep

More information

Creating your Virtual Data Centre

Creating your Virtual Data Centre Creating your Virtual Data Centre VPC Fundamentals and Connectivity Options Paul Burne, Senior Technical Account Manager, Enterprise Support - 28 th June 2017 2016, Amazon Web Services, Inc. or its Affiliates.

More information

Elastic Load Balance. User Guide. Issue 14 Date

Elastic Load Balance. User Guide. Issue 14 Date Issue 14 Date 2018-02-28 Contents Contents 1 Overview... 1 1.1 Basic Concepts... 1 1.1.1 Elastic Load Balance... 1 1.1.2 Public Network Load Balancer...1 1.1.3 Private Network Load Balancer... 2 1.1.4

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 8.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

CloudEdge Deployment Guide

CloudEdge Deployment Guide Hillstone Networks, Inc. CloudEdge Deployment Guide Version 5.5R3P1 Copyright 2016Hillstone Networks, Inc.. All rights reserved. Information in this document is subject to change without notice. The software

More information

Pexip Infinity and Amazon Web Services Deployment Guide

Pexip Infinity and Amazon Web Services Deployment Guide Pexip Infinity and Amazon Web Services Deployment Guide Contents Introduction 1 Deployment guidelines 2 Configuring AWS security groups 4 Deploying a Management Node in AWS 6 Deploying a Conferencing Node

More information

Remote Desktop Gateway on the AWS Cloud

Remote Desktop Gateway on the AWS Cloud Remote Desktop Gateway on the AWS Cloud Quick Start Reference Deployment Santiago Cardenas Solutions Architect, AWS Quick Start Team April 2014 Last update: June 2017 (revisions) This guide is also available

More information

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both networks

More information

Deploy ERSPAN with the ExtraHop Discover Appliance and Brocade 5600 vrouter in AWS

Deploy ERSPAN with the ExtraHop Discover Appliance and Brocade 5600 vrouter in AWS Deploy ERSPAN with the ExtraHop Discover Appliance and Brocade 5600 vrouter in AWS Published: 2018-07-06 This guide explains how to install and con#gure an example environment within Amazon Web Services

More information

Amazon AppStream 2.0: Getting Started Guide

Amazon AppStream 2.0: Getting Started Guide 2018 Amazon AppStream 2.0: Getting Started Guide Build an Amazon AppStream 2.0 environment to stream desktop applications to your users April 2018 https://aws.amazon.com/appstream2/ 1 Welcome This guide

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 8.20 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Welcome Guide for KT Series Token

Welcome Guide for KT Series Token Welcome Guide for KT Series Token Protecting Your On-line Identity Authentication Service Delivery Made EASY Copyright 2012 SafeNet, Inc. All rights reserved. All attempts have been made to make the information

More information

Integration Guide. SafeNet Authentication Service. Using RADIUS Protocol for Citrix GoToMyPC

Integration Guide. SafeNet Authentication Service. Using RADIUS Protocol for Citrix GoToMyPC SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both networks

More information

VPN Configuration Guide. Cisco ASA 5500 Series

VPN Configuration Guide. Cisco ASA 5500 Series VPN Configuration Guide Cisco ASA 5500 Series 2015 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part, without the

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep

More information

HySecure Quick Start Guide. HySecure 5.0

HySecure Quick Start Guide. HySecure 5.0 HySecure Quick Start Guide HySecure 5.0 Last Updated: 25 May 2017 2012-2017 Propalms Technologies Private Limited. All rights reserved. The information contained in this document represents the current

More information

MyIGW Main. Oregon. MyVPC /16. MySecurityGroup / us-west-2b. Type Port Source SSH /0 HTTP

MyIGW Main. Oregon. MyVPC /16. MySecurityGroup / us-west-2b. Type Port Source SSH /0 HTTP MyIGW Main Oregon MyVPC 10.0.0.0/16 10.0.1.0/24 10.0.1.0 -- us-west-2a MySecurityGroup 10.0.2.0/24 10.0.2.0 -- us-west-2b MyWebServer1 MyDBServer DMZ MyInternetRouteTable 0.0.0.0/0 IGW Type Port Source

More information

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2 VNS3 IPsec Configuration VNS3 to Cisco ASA ASDM 9.2 Site-to-Site IPsec Tunnel IPsec protocol allows you to securely connect two sites together over the public internet using cryptographically secured services.

More information

Amazon Web Services Hands- On VPC

Amazon Web Services Hands- On VPC Amazon Web Services Hands- On VPC Copyright 2011-2015, Amazon Web Services, All Rights Reserved Page 1 Table of Contents Overview... 3 Create a VPC... 3 VPC Object Walkthrough... 6 Your VPCs... 6 Subnets...

More information

Pexip Infinity and Amazon Web Services Deployment Guide

Pexip Infinity and Amazon Web Services Deployment Guide Pexip Infinity and Amazon Web Services Deployment Guide Contents Introduction 1 Deployment guidelines 2 Configuring AWS security groups 4 Deploying a Management Node in AWS 6 Deploying a Conferencing Node

More information

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5 vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

Amazon Elastic Compute Cloud

Amazon Elastic Compute Cloud Amazon Elastic Compute Cloud Getting Started Guide AWS Management Console Table of Contents What s New...1 Introduction...2 Setting Up...3 Setting up an AWS Account...3 Signing up for Amazon EC2...3 Signing

More information

PCoIP Connection Manager for Amazon WorkSpaces

PCoIP Connection Manager for Amazon WorkSpaces PCoIP Connection Manager for Amazon WorkSpaces Version 1.0 Administrators' TER1408002-1.0 Contents Who Should Read This 3 What's New 4 Introduction 5 Before You Begin 5 Additional Documentation 6 Network

More information

Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER DECEMBER 2017

Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER DECEMBER 2017 Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER DECEMBER 2017 Table of Contents APPLICATION ARCHITECTURE OVERVIEW 2 CONNECTING

More information

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Tableau Server

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Tableau Server SafeNet Authentication Manager Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.6 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Google Cloud VPN Interop Guide

Google Cloud VPN Interop Guide Google Cloud VPN Interop Guide Using Cloud VPN With Cisco ASA Courtesy of Cisco Systems, Inc. Unauthorized use not permitted. Cisco is a registered trademark or trademark of Cisco Systems, Inc. and/or

More information

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS Cisco CSR1000V Overview The Cisco Cloud Services Router 1000V (CSR 1000V) sets the standard for enterprise network services and security in the Amazon Web Services (AWS) cloud. The Cisco CSR 1000V is based

More information

AWS Remote Access VPC Bundle

AWS Remote Access VPC Bundle AWS Remote Access VPC Bundle Deployment Guide Last updated: April 11, 2017 Aviatrix Systems, Inc. 411 High Street Palo Alto CA 94301 USA http://www.aviatrix.com Tel: +1 844.262.3100 Page 1 of 12 TABLE

More information

Securely Access Services Over AWS PrivateLink. January 2019

Securely Access Services Over AWS PrivateLink. January 2019 Securely Access Services Over AWS PrivateLink January 2019 Notices This document is provided for informational purposes only. It represents AWS s current product offerings and practices as of the date

More information

Configuring Dynamic VPN v2.0 Junos 10.4 and above

Configuring Dynamic VPN v2.0 Junos 10.4 and above Configuring Dynamic VPN v2.0 Junos 10.4 and above Configuring and deploying Dynamic VPNs (remote access VPNs) using SRX service gateways Juniper Networks, Inc. 1 Introduction Remote access VPNs, sometimes

More information

SafeNet Authentication Manager

SafeNet Authentication Manager SafeNet Authentication Manager Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep

More information