DualShield for VMWare View 5.1 Implementation Guide


Copyright 2012, Deepnet Security Limited. All Rights Reserved.

Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights

Under the international copyright law, neither the Deepnet Security software nor documentation may be copied, reproduced, translated or reduced to any electronic medium or machine readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer

This document is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.

Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com

Table of Contents

Overview
Preparation
DualShield Configuration
    Create a RADIUS logon procedure
    Create a RADIUS application
    Register the VMWare View Server as a Radius client
VMware View Server Configuration
Authentication
    One-Time Password
    On-Demand Password
        Option A: Two Logon Steps
        Option B: One Logon Step

Overview

This document describes how to integrate DualShield with VMWare View 5.1 or higher in order to add two-factor authentication to its logon process. If the version of your VMWare View server is 5.0 or lower, please refer to the VMWare View 5.0 - Implementation Guide.

By default, VMware View authenticates users using Microsoft Active Directory credentials (user name and AD password). DualShield enhances VMWare View security by adding an extra layer of strong, two-factor authentication that assures the identities of users and protects sensitive company applications and data.

VMWare View Server 5.1+ supports an external RADIUS server as its authentication server. The DualShield unified authentication platform includes a fully compliant RADIUS server, DualShield Radius Server, which will be configured as the external RADIUS server for the VMWare Connection Server to provide two-factor authentication.

The diagram below illustrates the architecture:

[Architecture diagram. Labels: VMWare View Client, Internet, VMWare View Connection Server, Internal Network, DualShield RADIUS Server, DualShield Authentication Server, Active Directory]

DualShield provides a wide selection of portable one-time password tokens in a variety of form factors, ranging from hardware tokens, software tokens and mobile tokens to USB tokens. These include:

- Deepnet SafeID
- Deepnet MobileID
- Deepnet GridID
- Deepnet CryptoKey
- RSA SecurID
- VASCO DigiPass Go
- OATH-compliant OTP tokens

In addition to one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication product that delivers logon passwords via SMS texts, phone calls, Twitter direct messages or email messages.

The complete solution consists of the following components:

- VMWare View Server, Agents & Clients
- DualShield Authentication Server
- DualShield RADIUS Server

Preparation

Prior to configuring the VMWare Server for two-factor authentication, you must have the DualShield Authentication Server and DualShield Radius Server installed and operating. For the installation, configuration and administration of the DualShield Authentication and Radius servers, please refer to the following documents:

- DualShield Authentication Platform Installation Guide
- DualShield Authentication Platform Quick Start Guide
- DualShield Authentication Platform Administration Guide
- DualShield Radius Server - Installation Guide

You also need to have a RADIUS application created in the DualShield authentication server. The application will be used for the two-factor authentication in the VMware Connection Server. The document below provides general instructions for RADIUS authentication with the DualShield Radius Server:

- VPN & RADIUS - Implementation Guide

The following outlines the key steps.

In DualShield:

1. Create a logon procedure for RADIUS authentication
2. Create a RADIUS application for VMWare View Server
3. Register the VMWare View Server as a RADIUS client

In VMWare View Connection Server:

1. Register the DualShield RADIUS authentication server

DualShield Configuration

Create a RADIUS logon procedure

1. Log in to the DualShield management console
2. In the main menu, select Authentication > Logon Procedure
3. Click the Create button on the toolbar
4. Enter Name and select RADIUS as the Type
5. Click Save
6. Click the Context Menu icon of the newly created logon procedure, select Logon Steps
7. In the popup window, click the Create button on the toolbar
8. Select One-Time Password as the authenticator
9. Click Save

Create a RADIUS application

1. In the main menu, select Authentication > Applications
2. Click the Create button on the toolbar
3. Enter Name
4. Select Realm
5. Select the logon procedure that was just created
6. Click Save
7. Click the context menu of the newly created application, select Agent
8. Select the DualShield Radius server, e.g. Local Radius Server
9. Click Save
10. Click the context menu of the newly created application, select Self Test

Register the VMWare View Server as a Radius client

1. In the main menu, select RADIUS > Clients
2. Click the Register button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the IP address of your VMWare View Server
5. Enter the Shared Secret which will be used in VMWare View Server
6. Click Save
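The Shared Secret registered here has to be entered identically on the VMWare View side. The following is an added example, not taken from the Deepnet guide: it implements the User-Password hiding defined in RFC 2865 section 5.2, which is what the shared secret keys when the authenticator uses PAP (an assumption; the guide does not state the authentication type), and shows that a mistyped secret makes the server recover a garbled passcode. All values are constructed.

```python
import hashlib


def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: each 16-byte mask is MD5(shared secret + previous block).
    return hashlib.md5(secret + prev).digest()


def hide_password(passcode: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute value sent by the RADIUS client."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(passcode) <= 128:
        raise ValueError("passcode must be 1 to 128 bytes")
    padded = passcode + b"\x00" * (-len(passcode) % 16)  # NUL-pad to 16n bytes
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = _keystream_block(secret, prev)
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the passcode on the RADIUS server side."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = _keystream_block(secret, prev)
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")


# Constructed sample values, not taken from any real deployment.
AUTHENTICATOR = bytes(range(16))          # per-request random value in practice
VIEW_SECRET = b"constructed-shared-secret"
MISTYPED_SECRET = b"constructed-shared-secre7"
PASSCODE = b"123456"

if __name__ == "__main__":
    hidden = hide_password(PASSCODE, VIEW_SECRET, AUTHENTICATOR)
    print("on the wire   :", hidden.hex())
    print("same secret   :", reveal_password(hidden, VIEW_SECRET, AUTHENTICATOR))
    print("mistyped secret:", reveal_password(hidden, MISTYPED_SECRET, AUTHENTICATOR))
```

Because the passcode is protected only by this MD5-based mask, the strength and secrecy of the shared secret directly determine how well passcodes are protected between the two servers.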

VMware View Server Configuration

Log in to the VMWare View Administrator console, navigate to View Configuration > Servers, select the Connection Server tab and select the connection server you want to configure.

Now click the Edit button, then select the Authentication tab in the popup window.

To switch on two-factor authentication, select RADIUS in the 2-factor authentication drop-down list. Then select Create new authenticator in the Authenticator option.

Click Next, then click Finish.

You might also want to enable the Enforce 2-factor and Windows user name matching option for extra security.

Authentication

DualShield supports multiple authentication methods and various authentication tokens. However, due to the limitation in the RADIUS protocol, for VMWare View, DualShield only supports the following authentication methods and tokens:

Method               Tokens
One-Time Password    SafeID, MobileID
On-Demand Password   T-Pass
Grid Card            GridID

In DualShield, you define the authentication methods (authenticators) to be used in the application's logon procedure. You can create a logon procedure that consists of one or two logon steps. In each logon step, you can specify the authenticators that the users can use to authenticate themselves.

One-Time Password

If you plan to deploy one-time password tokens, such as SafeID and MobileID, to your user base, then you will only need to create one logon step in your VMWare View's logon procedure. In the logon step, add One-Time Password as the authenticator.

When a user attempts to connect to a VMWare View Server that has DualShield two-factor authentication enabled, and DualShield is configured to authenticate users by one-time passwords, they are first presented with a login prompt.

Users enter their user name (which is normally their Active Directory user name) and a passcode. The passcode is normally a one-time password generated from their OTP tokens. If the token's PIN is required, then the passcode is the combination of an OTP and the token's PIN.

After users click the OK button, their user name and password will be submitted to DualShield. If the user name and passcode are successfully verified by DualShield, the user then gets a second prompt to enter their Microsoft Active Directory credentials.

Users enter their AD password, which will be submitted to your AD server to be verified. If the user name and AD password are successfully verified by your AD server, the logon process is complete.

On-Demand Password

If you plan to let your users authenticate to VMWare View with on-demand passwords, i.e. Deepnet T-Pass, then you have two options.

Option A: Two Logon Steps

Create two logon steps. Add Static Password in Step 1 and On-Demand Password in Step 2.

In this option, when a user attempts to connect to a VMWare View Server they are first presented with a login prompt.

Users will enter their user name and AD password in the passcode box, then click OK. The user name and AD password will be submitted to DualShield to be verified. If the user's credentials are successfully verified, DualShield will generate an on-demand password and send it to the user via the specified channel. VMWare View will then display a further prompt.

Users will wait for the password to arrive and then enter the on-demand password received in the Next response box.

The VMWare View client will finally prompt the user to enter their AD password.

At this time, the user name and AD password will be submitted to your AD server to be verified. If the user name and AD password are successfully verified by your AD server, the logon process is complete.

Option B: One Logon Step

Create one logon step only and add On-Demand Password in the logon step.

When a user attempts to connect to a VMWare View Server they are first presented with a login prompt.

Users are required to enter their on-demand passwords in the Passcode box.

Where do users get their on-demand passwords? Again, there are two ways that users can obtain their on-demand passwords:

Pre-Delivery

The T-Pass authenticator in DualShield will automatically send a new password to the user each time the user has successfully logged in. Pre-Delivery is a policy option in T-Pass.

The very first password has to be pushed out by the administrator to the user from the Management Console, or by the user from the Self-Service Console. Subsequently, users can use the passwords received after the previous login.

Delivery by Commands

Users can request a password to be sent in real time by entering a T-Pass delivery command. The T-Pass command has to be entered in the user name field.

A T-Pass command starts with the > character, followed by one of the following commands and the user name itself.

>sms
>text
>email
>tweet
>call
>phone

- The >sms and >text commands are for sending the OTP via SMS text message
- The >email command is for sending the OTP by email message
- The >tweet command is for sending the OTP by Twitter direct message
- The >call and >phone commands are for sending the OTP by voice over telephone calls

If the T-Pass policy requires static password authentication prior to sending the OTP, then the user must also enter their static password in the passcode field.

After the user has entered a T-Pass delivery command and their static password, and pressed the OK button, DualShield will generate an on-demand password and send it to the user via the specified channel. VMWare View will display an Access Denied error message. The user must then remove the T-Pass delivery command and enter the correct user name and the on-demand password they just received.

If the user name and passcode are successfully verified by your DualShield server, then the VMWare View client will prompt the user to enter their AD password.

At this time, the user name and AD password will be submitted to your AD server to be verified. If the user name and AD password are successfully verified by your AD server, the logon process is complete.
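Because a delivery command is always followed by an Access Denied message, logon monitoring should not count it as a failed logon. The sketch below is an added example, not part of the Deepnet guide or the DualShield product: it splits the user name field into delivery channel and user name, then tallies constructed authentication events. The whitespace separator, exact-match commands, event tuple layout and "accept"/"reject" outcome labels are assumptions.

```python
from collections import Counter, defaultdict

# Delivery commands and their channels, as listed in this guide.
CHANNELS = {
    "sms": "SMS", "text": "SMS",
    "email": "email",
    "tweet": "Twitter direct message",
    "call": "voice call", "phone": "voice call",
}


def parse_user_name(field):
    """Split a user name field into (channel, user name).

    channel is None for an ordinary logon. Assumption: whitespace separates
    the command from the user name, and commands match exactly as listed.
    """
    field = field.strip()
    if not field.startswith(">"):
        return None, field
    parts = field[1:].split(None, 1)
    if len(parts) != 2 or parts[0] not in CHANNELS:
        raise ValueError("not a recognised T-Pass delivery command: %r" % field)
    return CHANNELS[parts[0]], parts[1].strip()


def summarize(events):
    """Per user: delivery requests by channel, accepted and rejected logons."""
    stats, malformed = defaultdict(Counter), []
    for field, outcome in events:
        try:
            channel, user = parse_user_name(field)
        except ValueError:
            malformed.append(field)
            continue
        if channel is not None:
            # The Access Denied that follows a delivery command is expected,
            # so it is counted as a delivery request, not a failed logon.
            stats[user]["delivery:" + channel] += 1
        else:
            stats[user]["accepted" if outcome == "accept" else "rejected"] += 1
    return dict(stats), malformed


# Constructed sample events: (user name field, RADIUS outcome).
EVENTS = [
    (">sms alice", "reject"),   # delivery request, Access Denied is expected
    ("alice", "accept"),        # logon with the on-demand password received
    (">email bob", "reject"),
    ("bob", "reject"),          # genuine failed logon (wrong passcode)
    ("bob", "accept"),
    (">fax carol", "reject"),   # not one of the listed commands
    ("carol", "reject"),
]

if __name__ == "__main__":
    stats, malformed = summarize(EVENTS)
    for user in sorted(stats):
        print(user, dict(stats[user]))
    print("malformed:", malformed)
```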