DualShield for Microsoft UAG - Implementation Guide (Version 5.2)
Copyright 2011, Deepnet Security Limited. All Rights Reserved.


Trademarks

DualShield Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor the documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage: in particular, for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer

This document is provided as is, without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.

Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com

Table of Contents

1. Overview ... 4
2. Preparation ... 5
3. Configuration ... 6
4. Authentication ... 12
5. On-Demand Password ... 13
5.1 Challenge & Response ... 13
5.2 Test Authentication ... 15
5.3 DualShield UAG Agent ... 16
5.4 Test Authentication ... 20

1. Overview

This implementation guide describes how to protect Microsoft UAG with two-factor authentication using the DualShield unified authentication platform. UAG supports external authentication servers, including Active Directory and RADIUS, and it also supports chained authentication. By leveraging these features in UAG, we can implement two-factor authentication in a UAG system in which the first factor is the user's static password and the second factor is a one-time password. The user's static password is authenticated by the customer's Active Directory server (domain controller), and the user's one-time password is authenticated by the DualShield authentication server via RADIUS.

DualShield provides a wide selection of portable one-time password tokens in a variety of form factors, ranging from hardware tokens, software tokens and mobile tokens to USB tokens. These include:
- Deepnet SafeID
- Deepnet MobileID
- Deepnet GridID
- Deepnet CryptoKey
- RSA SecurID
- VASCO DigiPass Go
- OATH-compliant OTP tokens

In addition to one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication method that delivers logon passwords via SMS text, phone call, Twitter direct message or email.

The complete solution consists of the following components:
- DualShield Radius Server
- DualShield Authentication Server

2. Preparation

Prior to configuring UAG for two-factor authentication, you must have the DualShield Authentication Server and DualShield Radius Server installed and operating. For the installation, configuration and administration of the DualShield Authentication and Radius servers, please refer to the following documents:
- DualShield Authentication Platform Installation Guide
- DualShield Authentication Platform Quick Start Guide
- DualShield Authentication Platform Administration Guide
- DualShield Radius Server - Installation Guide

You also need to have a RADIUS application created in the DualShield authentication server. This application will be used for the two-factor authentication in UAG. The document below provides detailed instructions for RADIUS authentication with the DualShield Radius Server:
- VPN & RADIUS - Implementation Guide

As an example in this document, we are going to add two-factor authentication to an OWA portal, assuming that the OWA portal is already set up and operating. If you are new to UAG, please refer to the article below for instructions on publishing OWA on a UAG portal:
http://technet.microsoft.com/en-us/library/ee921443.aspx

3. Configuration

The first stage is to add two authentication servers, Active Directory and the DualShield Radius server, to your UAG.

1. In the main menu, select Admin > Authentication and Authorization Servers.
2. Click Add.
3. Select Active Directory as the Server Type.
   - Enter the Server Name.
   - Click Define to define your domain controller.
   - Configure the Base DN.
   - Specify the access user and its password.
   - Click OK to save it.

4. Click Add again.
5. Select RADIUS as the Server Type.
   - Enter the Server Name, e.g. DualShield.
   - Set the IP address and port number of the DualShield RADIUS server.
   - If you have installed a second DualShield Radius server, enter it as the alternate.
   - Enter the shared Secret Key.
   - Leave Support challenge-response mode unchecked. We will cover this option later.
   - Click Save.

Now we have added two authentication servers. The second stage is to add chained authentication to the trunk on which you wish to enable two-factor authentication.

1. Select an existing trunk that you wish to configure, in this example OWA under HTTP Connections.
2. Click the Configure button in the Trunk Configuration section.
3. Click the Authentication tab.
4. Click the Add button and select AD first, then select DualShield.

5. A chained authentication with AD as the first and DualShield as the second server is now added.
   - Tick Require users to authenticate at session logon.
   - Select Require users to authenticate to each server, and tick Authenticate to each server with the same user name.

Finally, click the Activate Configuration icon on the toolbar to save and activate the changes.

The third stage is to configure the DualShield server: add UAG as a Radius client and create a Radius application with a logon procedure.

Create a new logon procedure

1. Log in to the DualShield management console.
2. In the main menu, select Authentication > Logon Procedure.
3. Click the Create button on the toolbar.
4. Enter a Name and select RADIUS as the Type.
5. Click Save.
6. Click the Context Menu icon of the newly created logon procedure and select Logon Steps.
7. In the popup window, click the Create button on the toolbar.
8. Select One-Time Password as the authenticator.

9. Click Save.

Create a new application

1. In the main menu, select Authentication > Applications.
2. Click the Create button on the toolbar.
3. Enter a Name.
4. Select a Realm.
5. Select the logon procedure that was just created.
6. Click Save.

Add UAG as a Radius client

1. In the main menu, select RADIUS > Clients.
2. Click the Register button on the toolbar.

3. Select the application that was created in the previous steps.
4. Enter UAG's IP in the IP address field.
5. Enter the Shared Secret and make sure it is identical to the shared secret defined in the Radius server settings in UAG.
6. Click Save.

We have now completed all the stages and steps needed to set up two-factor authentication in UAG with DualShield. In our example, we have added chained authentication to an OWA portal with two authentication factors: the AD static password and the DualShield one-time password. Let us proceed to testing the authentication.

4. Authentication

Launch your web browser and connect to the OWA portal. Users will now be asked to provide both their AD Password and their DualShield Password.

The DualShield password is defined by the logon procedure in your DualShield server. In our example, we defined One-Time Password in the logon procedure, which means that users will be able to use any one-time password token supported by DualShield to authenticate to the OWA portal.

You can also add On-Demand Password to the list of authenticators in your logon procedure. Your users will then be able to use Deepnet T-Pass as well to authenticate to OWA.

5. On-Demand Password

If you enable On-Demand Password in DualShield, your users will be able to use Deepnet T-Pass as their authentication method. A typical question with on-demand passwords is: how can users request to have their password delivered in real time?

Using the configuration that we have set up in the steps above, users can't request to have their password delivered in real time. Users need to have a password pre-delivered before they can log on. The system administrator can push out on-demand passwords to users, or users can use the self-service console to obtain an on-demand password. Once a user has successfully logged in, the DualShield server will automatically send out a new password to be used by the user at the next logon.

Fortunately, there are two alternative solutions that enable users to request an on-demand password in real time at logon. The first solution is to utilise RADIUS challenge & response, which is supported by UAG. The second solution is to install the DualShield UAG Agent.

5.1 Challenge & Response

To implement this real-time delivery solution by leveraging RADIUS challenge & response, we need to make the following changes.

1. In UAG, change the DualShield RADIUS server settings:
   - Enable the option Support challenge-response mode.

2. Configure the Trunk settings:
   - Switch the order of AD and DualShield so that DualShield is the first server and AD is the second server.
3. Click the Activate Configuration icon on the toolbar to save and activate the changes.
4. In DualShield, change the logon procedure to make it two steps:
   - The first step is Static Password.
   - The second step is On-Demand Password.
   - Optionally, you can also add One-Time Password to the second step.

5.2 Test Authentication

Now, when users attempt to log on to the OWA portal, they will be asked to provide their DualShield Password and AD Password. Users must enter their static password in both the DualShield Password and AD Password fields, then click Logon.

If the credentials provided are correct, the DualShield server will automatically generate an on-demand one-time password and deliver it to the user over the defined delivery channel (email, SMS etc.). On the next screen, the OWA portal will ask the user to enter the one-time password.
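The two-step exchange described in 5.1 and 5.2, modelled as an added example (this is not DualShield, T-Pass or UAG code): the first Access-Request carries the static password, the server answers with Access-Challenge and only then generates and delivers the on-demand password, and the second Access-Request must echo the State attribute together with that password. The packet codes are the real RFC 2865 values; the user table, the delivery stub and the State cookie format are assumptions made for the example.

```python
"""Model of the RADIUS challenge-response logon from sections 5.1 and 5.2.

Constructed for illustration; this is not DualShield, T-Pass or UAG code.
The packet codes are the real RFC 2865 values. The user table, the delivery
function and the format of the State cookie are assumptions made here.
"""
import hmac
import secrets

# RFC 2865 packet codes (every dict passed to handle() is an Access-Request).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

# Constructed user table: static password plus the on-demand delivery channel.
USERS = {"alice": {"password": "Winter2011!", "channel": "email"}}


class OnDemandRadiusServer:
    """Two-step logon procedure: step 1 Static Password, step 2 On-Demand Password."""

    def __init__(self):
        self.pending = {}    # State cookie -> (user, otp) awaiting the second step
        self.delivered = []  # (user, channel, otp) the server "sent out", e.g. by email

    def _deliver(self, user, channel, otp):
        # Stand-in for the SMS/email/phone delivery that T-Pass performs.
        self.delivered.append((user, channel, otp))

    def handle(self, pkt):
        """Process one Access-Request dict and return the response dict."""
        user, pw, state = pkt["user"], pkt["password"], pkt.get("state")
        if state is None:
            # Step 1: verify the static password; only then generate and deliver an OTP.
            rec = USERS.get(user)
            if rec is None or not hmac.compare_digest(rec["password"], pw):
                return {"code": ACCESS_REJECT}
            otp = f"{secrets.randbelow(10**6):06d}"
            cookie = secrets.token_hex(8)
            self.pending[cookie] = (user, otp)
            self._deliver(user, rec["channel"], otp)
            # Access-Challenge: State must be echoed back; Reply-Message is shown to the user.
            return {"code": ACCESS_CHALLENGE, "state": cookie,
                    "reply": "Enter the passcode that has been sent to you"}
        # Step 2: the password field now carries the OTP and State ties it to step 1.
        expected = self.pending.pop(state, None)  # single use: a replayed State fails
        if expected is None or expected[0] != user \
                or not hmac.compare_digest(expected[1], pw):
            return {"code": ACCESS_REJECT}
        return {"code": ACCESS_ACCEPT}


def logon(server, user, static_password, read_otp):
    """Client side of the exchange, i.e. what UAG does on the user's behalf.

    read_otp(reply_message) returns whatever the user types on the second screen.
    """
    resp = server.handle({"user": user, "password": static_password})
    if resp["code"] == ACCESS_CHALLENGE:
        otp = read_otp(resp["reply"])
        resp = server.handle({"user": user, "password": otp, "state": resp["state"]})
    return resp["code"]
```

The point to check in a real deployment is the same as in the model: no passcode is delivered unless the static password verified first, and a State value is accepted once only.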

5.3 DualShield UAG Agent

The DualShield UAG Agent is a simple plugin that enables users to request an on-demand password at logon. Essentially, it adds four clickable icons to UAG's logon page.

To install the DualShield UAG Agent, follow the steps below.

1. Follow the instructions in the "Microsoft TMG - Implementation Guide", sections 5.1 to 5.4, to publish the DualShield Provisioning Service (DPS) web site.
2. Copy all files in the "scripts" folder in DualShieldUAG-1.1.zip to:
   C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\scripts
3. Copy all files in the "images" folder in DualShieldUAG.1.1.zip to:
   C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\images
4. Copy all files in the "css" folder in DualShieldUAG.1.1.zip to:
   C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\css
5. Open the file below in a text editor:
   C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\scripts\jquery.dps.js
   Replace the URL in the first line, which reads:
   var DPS_Host = 'http://mail.deepnettest32.com:8072';
   with the real URL of your DPS.
6. Open the file below in a text editor:
   C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\{Trunk Name}\Login.asp
   in which {Trunk Name} is the name of the trunk to which you wish to add the DualShield UAG Agent, e.g. OWA:
   C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\OWA\Login.asp
   Locate the following line of text in the file:
   <LINK rel="stylesheet" type="text/css" href="<%=application(g_site_name&g_secure&template_css)%>">
   Insert the following line of text underneath the above line:
   <LINK rel="stylesheet" type="text/css" href="/internalsite/css/dualshield.css">
   Append the following lines of text to the end of the file:
   <script language="javascript" src="/internalsite/scripts/jquery.1.7.min.js" type="text/javascript"></script>
   <script language="javascript" src="/internalsite/scripts/jquery.json.2.3.min.js" type="text/javascript"></script>
   <script language="javascript" src="/internalsite/scripts/jquery.blockui.js" type="text/javascript"></script>
   <script language="javascript" src="/internalsite/scripts/jquery.dps.js" type="text/javascript"></script>
   Save the file.
7. Configure the Trunk settings. In the "URL Set" tab, add the following two rules:
   Name: InternalSite_Rule100
   Action: Accept
   URL: /internalsite/scripts/jquery.*\.js
   Parameters: Reject
   Methods: GET

   Name: InternalSite_Rule101
   Action: Accept
   URL: /internalsite/css/dualshield.css
   Parameters: Reject
   Methods: GET
8. Save and activate the changes.
9. In the DualShield Management Console, make sure that the logon procedure is one step only and that it contains On-Demand Password.
10. In the DualShield Management Console, make sure that the Provisioning Server is connected to the application.

5.4 Test Authentication

Now, when users attempt to log on to the portal, they can request an on-demand password: users first enter their User Name and AD Password, and then click one of the delivery icons (e.g. the Email icon). If the credentials provided are correct, the DPS server will generate an on-demand one-time password ("Passcode") and deliver it to the user over the defined delivery channel (e.g. email).