Authlogics Forefront TMG and UAG Agent Integration Guide


With PINgrid, PINphrase & PINpass Technology

Product Version: 3.0.6230.0
Publication date: January 2017

Authlogics, 12th Floor, Ocean House, The Ring, Bracknell, Berkshire, RG12 1AX, United Kingdom
UK Tel: +44 1344 568 900
US Tel: +1 857 214 2174
email: info@authlogics.com
web: http://authlogics.com/

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organisations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organisation, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Authlogics may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written licence agreement from Authlogics, the furnishing of this document does not give you any licence to these patents, trademarks, copyrights, or other intellectual property. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. The information contained in this document represents the current view of Authlogics on the issues discussed as of the date of publication. Because Authlogics must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Authlogics, and Authlogics cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. AUTHLOGICS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS Document. Copyright 2017 Authlogics. All rights reserved. Page 1

Table of Contents

Introduction ... 3
  Considerations ... 3
    Requirements ... 3
    Language Requirements ... 3
    Licensing ... 4
Design and Deployment Scenarios ... 5
  TMG High Availability ... 5
  UAG High Availability ... 5
Deployment ... 6
  Overview ... 6
  Installing/Removing the Authlogics Windows Desktop Logon Agent ... 6
    Running an installation ... 6
    Running a removal ... 8
Authlogics Configuration on UAG 2010 ... 10
  Add an AuthCentral Authentication repository ... 10
  Configure a UAG Trunk to use AuthCentral ... 12
  Adding the Authlogics Services to a UAG Trunk ... 18
    Active Directory KCD Configuration ... 18
    Publishing the Self Service Portal ... 20
  Configure the UAG Login page for 2FA only ... 26
Authlogics Configuration on TMG 2010 ... 27
  Configuring RADIUS ... 27
  Configure a Web Listener for AuthCentral ... 30
  Web Publish the AuthCentral Token Providers ... 31
  Adding strong authentication to a publishing rule ... 36
    Active Directory KCD Configuration ... 37

Introduction

Authlogics Authentication Server is a multi-factor authentication system which provides:
- Token and token-less multi-factor authentication.
- Award winning transaction signing / verification technology.
- Self-service password reset and unlocking.
- Web Service API and RADIUS interfaces for connectivity.
- Authentication technologies:
  o PINgrid Pattern Based Authentication.
  o PINphrase Random Character Authentication.
  o PINpass OATH (TOTP) Compliant Authentication.

Integrating Authlogics with Forefront TMG 2010 or UAG 2010 is an ideal way to add strong authentication at the gateway level to VPN connections and published web applications such as Exchange Outlook Web Access and SharePoint. The Authlogics Forefront TMG and UAG Agent includes pre-customised logon forms for Outlook Web Access and generic web sites.

Considerations

Requirements

An Authlogics 3.0 server must be deployed and functional prior to installing the Authlogics Forefront TMG and UAG Agent.

Language Requirements

Authlogics Forefront TMG and UAG Agent is only available in English. Product support and documentation are only available in English.

Licensing

Authlogics Forefront TMG and UAG Agent is free of charge; however, it may only be used with a correctly licensed Authlogics Authentication Server.

Note: For detailed information on the licence types please refer to the licence agreement document embedded within the installation package.

Design and Deployment Scenarios

The Authlogics Forefront TMG Agent has been designed to communicate with the Authlogics Authentication Server via RADIUS. 1.5 factor challenges are reverse proxied over HTTPS via TMG to the Authlogics Authentication Server.

The Authlogics Forefront UAG Agent has been designed to communicate with the Authlogics Authentication Server via Web Services only.

TMG High Availability

In a high availability scenario, assuming at least 2 Authlogics Authentication Servers and 2 TMG servers, the Authlogics Authentication Server can be configured to use Windows Network Load Balancing and TMG should use the NLB virtual IP for the RADIUS server. When web publishing the authentication challenge URLs, TMG can also utilise Web Farm Load Balancing instead of NLB; however, NLB is still required for the RADIUS traffic.

UAG High Availability

In a high availability scenario, assuming at least 2 AuthCentral and 2 UAG servers, the Authlogics Authentication Server can be configured to use Windows Network Load Balancing for TCP port 14000. A DNS entry should be created to resolve to the NLB IP address and UAG should use the DNS name for the virtual IP. When publishing the Self Service Portal, UAG can also utilise Web Farm Load Balancing instead of NLB; however, NLB is still required for the authentication traffic.

Deployment

The following deployment overview walks through the installation process for deploying the Authlogics Forefront TMG and UAG Agent.

Overview

This deployment section assumes that at least one Authlogics Authentication Server has already been installed and is functional. See the Authlogics Authentication Server Installation and Configuration guide for further information on setting up the Authlogics Authentication Server. In addition, Authlogics user accounts should already be configured for users.

(1) Install the Authlogics Forefront TMG and UAG Agent on a TMG / UAG system.
(2) Configure Microsoft Forefront TMG / UAG 2010 to utilise Winfrasoft AuthCentral multi-factor authentication.
(3) Test user logins.

Installing/Removing the Authlogics Windows Desktop Logon Agent

Running an installation

(1) To start the Authlogics Forefront TMG and UAG Agent installation, run the Authlogics Forefront TMG and UAG Agent xxxxx.exe installer with elevated privileges.
(2) Click Next to continue.

(3) After reading the licence agreement, click I accept the terms in the Licence Agreement if you agree to the terms, then click Next to continue.
(4) Select the Complete setup type and click Next to continue.
(5) Click Next to continue. The installation is performed.

(6) All necessary files have been installed. Click Finish to complete the installation process.

The Microsoft Forefront TMG Firewall service MUST be restarted after installation on a TMG server, as TMG only reads custom logon forms into memory during service start-up.

Running a removal

Uninstalling the Authlogics Forefront TMG and UAG Agent does NOT remove the metadata from user accounts in Active Directory.

If you no longer require the Authlogics Forefront TMG and UAG Agent on a server, you can remove it by performing an uninstall as follows:

(1) To start the Authlogics Forefront TMG and UAG Agent un-installation, execute the Authlogics Forefront TMG and UAG Agent xxxxx.exe installer, or use the Uninstall or change a program option in Control Panel and click Remove.
(2) Select Uninstall. Click Next to continue.
(3) Click Next to continue.

(4) The Authlogics uninstall will remove the configured components.
(5) Click Finish to complete the uninstall process.

Authlogics Configuration on UAG 2010

The Microsoft Forefront UAG 2010 server will require additional configuration for use with the Authlogics Forefront UAG Agent. This section should only be followed after the Authlogics Forefront UAG Agent has been installed on the UAG server.

Add an AuthCentral Authentication repository

(1) Start the Microsoft UAG 2010 Management Console.
(2) Click Admin - Authentication and Authorization Servers.
(3) Click Add.

(4) Select Other from the Server type drop-down list. Enter either PINgrid, PINphrase or PINpass (one word) in the Server name box. Check the Use a different server for portal application authorization box and select the existing Active Directory repository from the drop-down list. Click OK.
(5) To add multiple authentication technologies repeat from step 3, otherwise click Close.

Configure a UAG Trunk to use AuthCentral

Each trunk must be configured specifically for use with Authlogics.

Note: The URLs used in this section are listed in the C:\Program Files\Authlogics Forefront TMG and UAG Agent\readmeUAG.txt file. It is highly recommended that the URLs are copied and pasted from the readmeUAG.txt file instead of manually typed, for speed and accuracy.

This section must be repeated for every trunk that will use Authlogics.

(1) Start the Microsoft UAG 2010 Management Console.
(2) Select the trunk to configure for use with Authlogics. Click Configure.
(3) Select the Authentication tab.

(4) In the Require users to authenticate at session logon section:
    a. Under Select authentication servers, add the required Authlogics technology repository, i.e. PINgrid, PINphrase or PINpass.
    b. Optional: Remove the previous authentication server from the list to use only Authlogics for authentication.
    c. Select Users authenticate to each server.
    d. Update the User login page entry with the appropriate login page:
       CustomUpdate/AuthlogicsPinGridLogin.asp
       CustomUpdate/AuthlogicsPinPhraseLogin.asp
       CustomUpdate/AuthlogicsPinPassLogin.asp

Note: Do NOT place a / (slash) before CustomUpdate/AuthlogicsPinxxxxLogin.asp.

(5) Select the URL Set tab.
(6) Update InternalSite_Rule24 to include png files as follows:
    /internalsite/images/customupdate/[^/\\]+\.(gif|jpg|png)

(7) In this section a new access rule for an Authlogics custom file must be created. To add the following Primary URL, click Add Primary.

    Property     Value
    Name         InternalSite_AuthlogicsTokenProxy
    Action       Accept
    URL          /internalsite/images/customupdate/authlogicstokenproxy.asp
    Parameters   Handle
    Note         {empty}
    Methods      GET

    Parameter list:

    Heading                   Entry 1    Entry 2
    Name                      username   authtype
    Name Type                 String     String
    Value                     {empty}    {empty}
    Value Type                String     String
    Length                    0:250      0:20
    Existence                 Optional   Optional
    Occurrences               Single     Single
    Max Total Length          -1         -1
    Rejected values checking  On         On

(8) Once the appropriate modifications and new URL Set pages have been added, click OK.
(9) Open the following folder in Windows Explorer:
    C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate
    Make a copy of the [TrunkName]1PostPostValidate Authlogics.inc file. Rename the file by removing Authlogics from the end and replacing [TrunkName] with the actual name of the trunk you are configuring. Do not remove the 1, e.g. Portal1PostPostValidate.inc
(10) Click Activate Configuration to apply and save the changes.
(11) Click Activate to apply the changes.

(12) Click Finish.
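The URL Set entries from steps 6 and 7 are a positive security model: UAG only forwards a request to the internal site when some rule matches its path and, for the token proxy, the method and parameter constraints hold. The following is an added example (not UAG or Authlogics code) that models those two rules against constructed sample requests; the regex anchoring, case-insensitive path comparison and the small rejected-value pattern list are assumptions that stand in for UAG's own matching engine.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed model of the two UAG URL Set entries configured in steps 6 and 7.
# Anchors and case-insensitive matching are assumptions that mimic UAG's
# whole-path comparison; they are not taken from the guide.

# InternalSite_Rule24 after step 6 (regex exactly as given in the guide).
IMAGE_RULE = re.compile(r"^/internalsite/images/customupdate/[^/\\]+\.(gif|jpg|png)$", re.I)

# InternalSite_AuthlogicsTokenProxy from step 7.
TOKEN_PROXY_URL = "/internalsite/images/customupdate/authlogicstokenproxy.asp"
TOKEN_PROXY_METHODS = {"GET"}
# name -> (min length, max length); both parameters are Optional, Single
# occurrence, Max Total Length -1 (unlimited).
TOKEN_PROXY_PARAMS = {"username": (0, 250), "authtype": (0, 20)}
# "Rejected values checking: On" screens values against UAG's built-in blocked
# patterns; a small constructed stand-in for that list is used here.
REJECTED_VALUE = re.compile(r"[<>'\";]|--|/\*|\*/|%00")


def check_request(method, url):
    """Return (accepted, reason) for one request against the two rules."""
    parts = urlsplit(url)
    path = parts.path
    if IMAGE_RULE.match(path):
        return True, "matched InternalSite_Rule24"
    if path.lower() != TOKEN_PROXY_URL:
        return False, "no URL Set rule matches the path"
    if method.upper() not in TOKEN_PROXY_METHODS:
        return False, "method %s not allowed for InternalSite_AuthlogicsTokenProxy" % method
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        name = name.lower()
        if name not in TOKEN_PROXY_PARAMS:
            return False, "parameter %s is not in the parameter list" % name
        if name in seen:
            return False, "parameter %s occurs more than once (Single)" % name
        seen.add(name)
        low, high = TOKEN_PROXY_PARAMS[name]
        if not low <= len(value) <= high:
            return False, "parameter %s length %d outside %d:%d" % (name, len(value), low, high)
        if REJECTED_VALUE.search(value):
            return False, "parameter %s contains a rejected value" % name
    return True, "matched InternalSite_AuthlogicsTokenProxy"


# Constructed sample requests, as the UAG trunk would see them.
SAMPLE_REQUESTS = [
    ("GET", "/InternalSite/images/CustomUpdate/pingrid.png"),
    ("GET", TOKEN_PROXY_URL + "?username=alice&authtype=pingrid"),
    ("POST", TOKEN_PROXY_URL + "?username=alice"),
    ("GET", TOKEN_PROXY_URL + "?username=" + "a" * 251),
    ("GET", TOKEN_PROXY_URL + "?username=alice&otp=123456"),
    ("GET", TOKEN_PROXY_URL + "?authtype=pingrid&authtype=pinpass"),
    ("GET", "/internalsite/images/customupdate/../../default.asp"),
]


def evaluate_samples():
    """Run every constructed request through the rules."""
    return [(m, u, check_request(m, u)) for m, u in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, url, (ok, why) in evaluate_samples():
        print("%-6s %-4s %s" % ("ACCEPT" if ok else "REJECT", method, why))
```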

Adding the Authlogics Services to a UAG Trunk

To enable users to reset their PINgrid MIPs, PINs and Active Directory passwords, the Self Service Portal application must be published in the trunk. The Self Service Portal MUST be published even if the application is not made visible; this is required so that UAG allows network access to the authentication web services on the AuthCentral Authentication Server.

Active Directory KCD Configuration

This section describes the process to configure Active Directory with Kerberos Constrained Delegation to allow single sign-on to the Self Service Portal without the need to enter an Active Directory password at any point. To configure KCD, the Active Directory domain must be at Windows 2003 Native mode as a minimum; a mixed mode domain will not support KCD. If KCD cannot be configured due to restrictions on the AD domain mode, then either the login page must request AD credentials or On-The-Fly login must be used, and the users will be prompted for their AD credentials to access the Self Service Portal.

(1) Open Active Directory Users and Computers (either on a DC or a management station) and select the properties of the UAG 2010 computer account, then select the Delegation tab.
(2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected), then click Add.

(3) Click Users or Computers and locate the AuthCentral Server / Appliance computer account running the AuthCentral Services.
(4) Select the http service type and click OK.
(5) Click OK.

Publishing the Self Service Portal

This section describes the process to publish the Authlogics Self Service Portal in UAG 2010.

Note: This process must be repeated for every UAG trunk that will provide portal access to provisioning and password resets.

(1) Start the Microsoft UAG 2010 Management Console.
(2) Select the appropriate trunk to add the User Self Service Portal application to. In the Applications section, click Add...
(3) The UAG Add Application Wizard will start.
(4) Click Next.
(5) Choose Other Web Application (portal hostname) from the Web section. Click Next.
(6) Complete the values for the Application Values with the following:

    Property          Value
    Application Name  Manage PINs and Passwords
    Application Type  GenericWeb

(7) Click Next.
(8) Click Next.

(9) Click Next.

Note: If multiple AuthCentral Authentication servers are deployed in a high availability scenario then publish them together as a server farm.

Complete the values for the Web Servers as follows:

    Property      Value
    Address Type  IP/Host
    Addresses     {AuthCentral Server FQDN}
    Paths         /
    HTTP ports    14000
    HTTPS ports   443

(10) Click Next.
(11) Click Next.

(12) If you do not want to allow users to use the Self Service Portal, uncheck the Add a portal and toolbar link box. Update the Icon URL with one of the following icons as appropriate to the chosen authentication technology:
    images/appicons/customupdate/pingrid.gif
    images/appicons/customupdate/pinphrase.gif
    images/appicons/customupdate/pinpass.gif
    images/appicons/customupdate/authlogics.gif
(13) Click Next.
(14) Click Next.

(15) Click Finish.
(16) Double click the Manage PINs and Passwords application to edit it.
(17) Select the Authentication tab.
(18) Check Use SSO, then select Use Kerberos constrained delegation for single sign-on. Enter http/* or http/{your.server.and.domain.name} in the Application field, where {your.server.and.domain.name} is the full DNS name of the AuthCentral Authentication Server computer account in AD.

(19) Click OK.
(20) Click Activate Configuration to apply and save the changes.
(21) Click Activate to apply the changes.
(22) Click Finish.

The trunk is now configured to use the Winfrasoft AuthCentral User Self Service Portal.

Configure the UAG Login page for 2FA only

By default, the Authlogics Forefront UAG Agent login page will display a 1½ factor challenge (if supported by the authentication technology). If you are only planning to deploy 2 Factor Authentication you can disable the display of the 1½ factor challenge on the UAG server as follows:

Start the registry editor on the UAG 2010 server and edit the appropriate key as required:

HKLM\SOFTWARE\Winfrasoft\Winfrasoft AuthCentral\PinGrid2FAonly
HKLM\SOFTWARE\Winfrasoft\Winfrasoft AuthCentral\PinPhrase2FAonly

Accepted values:
0 = Disabled (default)
1 = Enabled

No services need to be restarted and the UAG configuration does not need to be activated for these changes to take effect.

Authlogics Configuration on TMG 2010

The Microsoft Forefront TMG 2010 server will require additional configuration for use with the Authlogics Forefront TMG Agent. This section should only be followed after the Authlogics Forefront TMG Agent has been installed on the TMG server.

Configuring RADIUS

TMG 2010 will process authentication requests with the Authlogics Authentication Server via RADIUS.

(1) Configure the TMG server as a RADIUS client on the Authlogics Authentication Server. See the Adding a RADIUS client section of the Authlogics Authentication Server Installation and Configuration Guide for further information.
(2) Configure the TMG server to use the Authlogics Authentication Server as a RADIUS server. Start the Microsoft TMG 2010 Management Console.
(3) Open the Remote Access Policy (VPN) section. Click RADIUS Server in step 2.

(4) Tick the Use RADIUS for authentication and Use RADIUS for accounting (logging) boxes, then click the RADIUS Servers button.
(5) Click Add.
(6) Enter the name of the RADIUS / Authlogics Authentication Server and an optional description. Click Change to enter a shared secret.
(7) Enter the shared secret used when specifying the RADIUS client information at step 1, then click OK.
(8) Click OK.
(9) Click OK.

(10) Change to the Authentication tab and ensure that only Unencrypted password (PAP) is selected under Authentication Methods.
(11) Click OK.
(12) Click Apply at the top of the TMG MMC to apply the changes.
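With PAP selected in step 10, the only protection the credential has on the wire between TMG and the Authlogics server is the RFC 2865 User-Password hiding keyed by the shared secret from step 7. The following is an added example (not Authlogics or Microsoft code) that builds the Access-Request a NAS such as TMG sends and shows how the RADIUS server recovers the password with that secret; the secret, user name, password and NAS-Identifier are constructed sample values.

```python
import hashlib
import os
import struct

# Constructed example of the RADIUS Access-Request / PAP exchange between a
# NAS (TMG) and the RADIUS server (Authlogics), following RFC 2865.
# Standard attribute type numbers; every credential value is a made-up sample.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IDENTIFIER = 32


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to 16-octet blocks and XOR each
    block with MD5(secret + previous block), the first block using the 16-byte
    Request Authenticator. Only the shared secret protects the value."""
    pwd = password.encode("utf-8")
    if len(pwd) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pwd += b"\x00" * (-len(pwd) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(pwd), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(pwd[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; trailing pad octets are removed."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain, prev = plain + bytes(c ^ k for c, k in zip(block, key)), block
    return plain.rstrip(b"\x00").decode("utf-8", errors="replace")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, username, password, secret, nas_id, authenticator=None):
    """What the NAS puts on the wire (UDP/1812). A fresh random Request
    Authenticator per request stops identical passwords repeating on the wire."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode("utf-8"))
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IDENTIFIER, nas_id.encode("utf-8")))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """What the RADIUS server does on receipt; returns the decoded fields."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    fields = {"identifier": identifier}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        if attr_type == USER_NAME:
            fields["username"] = value.decode("utf-8")
        elif attr_type == USER_PASSWORD:
            fields["password"] = reveal_password(value, secret, authenticator)
        elif attr_type == NAS_IDENTIFIER:
            fields["nas"] = value.decode("utf-8")
        pos += attr_len
    return fields


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(7, "alice", "482913", secret, "tmg01")
    print("Access-Request:", pkt.hex())
    print("server decodes:", parse_access_request(pkt, secret))
    print("wrong secret  :", parse_access_request(pkt, b"wrong-secret")["password"])
```

Because the hiding is an MD5 keystream derived from the shared secret, a guessable secret or a RADIUS path that crosses untrusted network segments exposes the submitted PIN or OTP values, which is why the NLB virtual IP in the high availability design should sit on a protected management network and the secret should be long and random.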

Configure a Web Listener for AuthCentral

The TMG Web Listener must be configured to use Forms based authentication and validate credentials via RADIUS OTP.

(1) Start the Microsoft TMG 2010 Management Console.
(2) Double click the web listener, in this case Listener1, and change to the Authentication tab.
(3) Select HTML Form Authentication under Client Authentication Method and select RADIUS OTP under Authentication Validation Methods.
(4) Click Configure Validation Servers.
(5) Ensure that the Authlogics Authentication Server RADIUS entry created previously is at the top of the list and click OK.
(6) Click OK to close the Listener.

Web Publish the AuthCentral Token Providers

The Authlogics Authentication Server hosts 3 Token Provider URLs for processing token challenge requests, one for each Authlogics authentication technology, as follows:

/Services/GetPinPhraseToken.ashx
/Services/GetPinPassToken.ashx
/Services/GetPinGridToken.ashx

These providers MUST be web published anonymously via each Web Listener with which you want to use Authlogics. These providers enable the display of a 1.5 Factor Authentication challenge as well as initiating the sending of a Real-Time 2FA token.

(1) Start the Microsoft TMG 2010 Management Console.
(2) Create a new Web Publishing Rule called {Web Listener} - AuthCentral Token Providers.
(3) Click Next.
(4) Click Next.

(5) If the Authlogics Authentication Server is configured as a load balanced pair you can utilise TMG web farm publishing, otherwise click Next.
(6) Select Use non-secured connections to connect to the published Web server or server farm using HTTP. If an SSL certificate has been configured on the Authlogics Authentication Server then use the default selection.
(7) Click Next.
(8) Enter the name of the Authlogics Authentication Server.
(9) Click Next.

(10) Click Next.
(11) Select Any domain name in the Accept requests for section. This enables the use of Authlogics with multiple sites which share the web listener. Alternatively, you can specify all the Public Names later.
(12) Click Next.
(13) Select the Web Listener you want to use with Authlogics, in this case Listener1.
(14) Click Next.

(15) Click Next.
(16) Remove All Authenticated Users and add All Users.
(17) Click Next.
(18) Click Finish.
(19) Double click the new rule to edit it. Change to the Bridging tab and change the HTTP port to 14000. If using SSL, select Redirect requests to SSL port and change the SSL port to 14443.

(20) Change to the Paths tab. Remove the /* path. Add the 3 Token Provider URLs:
    /Services/GetPinPhraseToken.ashx
    /Services/GetPinPassToken.ashx
    /Services/GetPinGridToken.ashx
(21) Click Apply and then Test Rule. If issues are found in the test, correct the problem and try again. Click OK when done.
(22) If the following warning is displayed click OK; it can be ignored.

Adding strong authentication to a publishing rule

All existing web publishing rules which are linked to the web listener which has been configured for Authlogics must be modified to use the Authlogics logon form pages. Each Authlogics authentication technology has its own TMG form; this is then further broken down into 1.5FA and 2FA, then again into Exchange and generic forms as follows:

    Technology  Factor  Style     Form Set name
    PINgrid     1.5FA   Exchange  PinGrid1FAExchange
    PINgrid     1.5FA   Generic   PinGrid1FAISA
    PINgrid     2FA     Exchange  PinGrid2FAExchange
    PINgrid     2FA     Generic   PinGrid2FAISA
    PINpass     2FA     Exchange  PinPass2FAExchange
    PINpass     2FA     Generic   PinPass2FAISA
    PINphrase   1.5FA   Exchange  PinPhrase1FAExchange
    PINphrase   1.5FA   Generic   PinPhrase1FAISA
    PINphrase   2FA     Exchange  PinPhrase2FAExchange
    PINphrase   2FA     Generic   PinPhrase2FAISA

Identify the Form Set name you wish to use with each web publishing rule and then repeat this process for each rule.

(1) Start the Microsoft TMG 2010 Management Console.
(2) Double click the web publishing rule to edit it.
(3) Change to the Application Settings tab. Select Use customized HTML forms instead of the default. Enter the name of the Form Set required from the table above.
(4) Change to the Users tab. If the rule was previously using a Windows group to restrict access, add a new User Set to contain those RADIUS users, or ensure that All Authenticated Users is selected.

(5) If the published web site utilises Windows Authentication (e.g. Exchange or SharePoint) then change to the Authentication Delegation tab, select Kerberos constrained delegation and configure the server SPN as needed.
(6) Click OK.

Active Directory KCD Configuration

This section describes the process to configure Active Directory with Kerberos Constrained Delegation to allow single sign-on to the published web sites without the need to enter an Active Directory password at any point. To configure KCD, the Active Directory domain must be at Windows 2003 Native mode as a minimum; a mixed mode domain will not support KCD. If KCD cannot be configured due to restrictions on the AD domain mode, then the users will be prompted for their AD credentials by the published application.

(1) Open Active Directory Users and Computers (either on a DC or a management station) and select the properties of the TMG 2010 computer account, then select the Delegation tab.

(2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected), then click Add.
(3) Click Users or Computers and locate the computer account running the published web site.
(4) Select the http service type and click OK.

(5) Click OK.