Authlogics Forefront TMG and UAG Agent Integration Guide
With PINgrid, PINphrase & PINpass Technology

Product Version: 3.0.6230.0
Publication date: January 2017

Authlogics, 12th Floor, Ocean House, The Ring, Bracknell, Berkshire, RG12 1AX, United Kingdom
UK Tel: +44 1344 568 900
US Tel: +1 857 214 2174
email: info@authlogics.com
web: http://authlogics.com/
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organisations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organisation, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user.

Authlogics may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written licence agreement from Authlogics, the furnishing of this document does not give you any licence to these patents, trademarks, copyrights, or other intellectual property.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

The information contained in this document represents the current view of Authlogics on the issues discussed as of the date of publication. Because Authlogics must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Authlogics, and Authlogics cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. AUTHLOGICS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Copyright 2017 Authlogics. All rights reserved.
Table of Contents

Introduction
Considerations
Requirements
Language Requirements
Licensing
Design and Deployment Scenarios
TMG High Availability
UAG High Availability
Deployment
Overview
Installing/Removing the Authlogics Windows Desktop Logon Agent
Running an installation
Running a removal
Authlogics Configuration on UAG 2010
Add an AuthCentral Authentication repository
Configure a UAG Trunk to use AuthCentral
Adding the Authlogics Services to a UAG Trunk
Active Directory KCD Configuration
Publishing the Self Service Portal
Configure the UAG Login page for 2FA only
Authlogics Configuration on TMG 2010
Configuring RADIUS
Configure a Web Listener for AuthCentral
Web Publish the AuthCentral Token Providers
Adding strong authentication to a publishing rule
Active Directory KCD Configuration
Introduction

Authlogics Authentication Server is a multi-factor authentication system which provides:

- Token and token-less multi-factor authentication.
- Award winning transaction signing / verification technology.
- Self-service password reset and unlocking.
- Web Service API and RADIUS interfaces for connectivity.
- Authentication technologies:
  o PINgrid Pattern Based Authentication.
  o PINphrase Random Character Authentication.
  o PINpass OATH (TOTP) Compliant Authentication.

Integrating Authlogics with Forefront TMG 2010 or UAG 2010 is an ideal way to add strong authentication at the gateway level to VPN connections and published web applications such as Exchange Outlook Web Access and SharePoint. The Authlogics Forefront TMG and UAG Agent includes pre-customised logon forms for Outlook Web Access and generic web sites.

Considerations

Requirements

An Authlogics 3.0 server must be deployed and functional prior to installing the Authlogics Forefront TMG and UAG Agent.

Language Requirements

Authlogics Forefront TMG and UAG Agent is only available in English. Product support and documentation are only available in English.
Licensing

Authlogics Forefront TMG and UAG Agent is free of charge; however, it may only be used with a correctly licenced Authlogics Authentication Server.

Note: For detailed information on the licence types please refer to the licence agreement document embedded within the installation package.
Design and Deployment Scenarios

The Authlogics Forefront TMG Agent has been designed to communicate with the Authlogics Authentication Server via RADIUS. 1.5 factor challenges are reverse proxied over HTTPS via TMG to the Authlogics Authentication Server.

The Authlogics Forefront UAG Agent has been designed to communicate with the Authlogics Authentication Server via Web Services only.

TMG High Availability

In a high availability scenario, assuming at least 2 Authlogics Authentication Servers and 2 TMG servers, the Authlogics Authentication Server can be configured to use Windows Network Load Balancing and TMG should use the NLB virtual IP for the RADIUS server. When web publishing the authentication challenge URLs, TMG can also utilise Web Farm Load Balancing instead of NLB; however, NLB is still required for the RADIUS traffic.

UAG High Availability

In a high availability scenario, assuming at least 2 AuthCentral and 2 UAG servers, the Authlogics Authentication Server can be configured to use Windows Network Load Balancing for TCP port 14000. A DNS entry should be created to resolve to the NLB IP address and UAG should use the DNS name for the virtual IP. When publishing the Self Service Portal, UAG can also utilise Web Farm Load Balancing instead of NLB; however, NLB is still required for the authentication traffic.
Deployment

The following deployment overview walks through the installation process for deploying the Authlogics Forefront TMG and UAG Agent.

Overview

This deployment section assumes that at least one Authlogics Authentication Server has already been installed and is functional. See the Authlogics Authentication Server Installation and Configuration Guide for further information on setting up the Authlogics Authentication Server. In addition, Authlogics user accounts should already be configured for users.

(1) Install the Authlogics Forefront TMG and UAG Agent on a TMG / UAG system.
(2) Configure Microsoft Forefront TMG / UAG 2010 to utilise Winfrasoft AuthCentral multi-factor authentication.
(3) Test user logins.

Installing/Removing the Authlogics Windows Desktop Logon Agent

Running an installation

(1) To start the Authlogics Forefront TMG and UAG Agent installation, run the Authlogics Forefront TMG and UAG Agent xxxxx.exe installer with elevated privileges.
(2) Click Next to continue.
(3) After reading the licence agreement, click I accept the terms in the Licence Agreement if you agree to the terms, then click Next to continue.
(4) Select the Complete setup type and click Next to continue.
(5) Click Next to continue. The installation is performed.
(6) All necessary files have been installed. Click Finish to complete the installation process.

The Microsoft Forefront TMG Firewall service MUST be restarted after installation on a TMG server, as TMG only reads custom logon forms into memory during service start up.

Running a removal

Uninstalling the Authlogics Forefront TMG and UAG Agent does NOT remove the metadata from user accounts in the Active Directory.

If you no longer require the Authlogics Forefront TMG and UAG Agent on a server, you can remove it by performing an uninstall as follows:

(1) To start the Authlogics Forefront TMG and UAG Agent un-installation, execute the Authlogics Forefront TMG and UAG Agent xxxxx.exe installer or use the Uninstall or change a program option in Control Panel and click Remove.
(2) Select Uninstall. Click Next to continue.
(3) Click Next to continue.
(4) The Authlogics uninstall will remove the configured components.
(5) Click Finish to complete the uninstall process.
Authlogics Configuration on UAG 2010

The Microsoft Forefront UAG 2010 server will require additional configuration for use with the Authlogics Forefront UAG Agent. This section should only be followed after the Authlogics Forefront UAG Agent has been installed on the UAG server.

Add an AuthCentral Authentication repository

(1) Start the Microsoft UAG 2010 Management Console.
(2) Click Admin - Authentication and Authorization Servers.
(3) Click Add.
(4) Select Other from the Server type drop down list. Enter either PINgrid, PINphrase or PINpass (one word) in the Server name box. Check the Use a different server for portal application authorization box and select the existing Active Directory repository from the dropdown list. Click OK.
(5) To add multiple authentication technologies repeat from step 3, otherwise click Close.
Configure a UAG Trunk to use AuthCentral

Each trunk must be configured specifically for use with Authlogics.

Note: The URLs used in this section are listed in the C:\Program Files\Authlogics Forefront TMG and UAG Agent\readmeUAG.txt file. It is highly recommended that the URLs are copied and pasted from the readmeUAG.txt file instead of manually typed, for speed and accuracy.

This section must be repeated for every trunk that will use Authlogics.

(1) Start the Microsoft UAG 2010 Management Console.
(2) Select the trunk to configure for use with Authlogics. Click Configure.
(3) Select the Authentication tab.
(4) In the Require users to authenticate at session logon section:
  a. Under Select authentication servers, add the required Authlogics technology repository, i.e. PINgrid, PINphrase or PINpass.
  b. Optional: Remove the previous authentication server from the list to only use Authlogics for authentication.
  c. Select Users authenticate to each server.
  d. Update the User login page entry with the appropriate login page:
     CustomUpdate/AuthlogicsPinGridLogin.asp
     CustomUpdate/AuthlogicsPinPhraseLogin.asp
     CustomUpdate/AuthlogicsPinPassLogin.asp

Note: Do NOT place a / (slash) before CustomUpdate/AuthlogicsPinxxxxLogin.asp.
(5) Select the URL Set tab.
(6) Update the InternalSite_Rule24 rule to include png files as follows:
    /internalsite/images/customupdate/[^/\\]+\.(gif|jpg|png)
(7) In this section a new access rule for an Authlogics custom file must be created. To add the following Primary URL click Add Primary.

    Property     Value
    Name         InternalSite_AuthlogicsTokenProxy
    Action       Accept
    URL          /internalsite/images/customupdate/authlogicstokenproxy.asp
    Parameters   Handle
    Note
    Methods      GET

    Parameter list:

    Heading                   Entry 1     Entry 2
    Name                      username    authtype
    Name Type                 String      String
    Value                     {empty}     {empty}
    Value Type                String      String
    Length                    0:250       0:20
    Existence                 Optional    Optional
    Occurrences               Single      Single
    Max Total Length          -1          -1
    Rejected values checking  On          On
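As an added example, not taken from the Authlogics guide or from UAG itself, the following Python models how the two URL Set rules above (the modified InternalSite_Rule24 and the new InternalSite_AuthlogicsTokenProxy rule with its parameter list) decide whether a request is accepted, so the rules can be checked against sample requests before the configuration is activated. The sample requests are constructed, and the REJECTED_VALUES pattern is an assumption standing in for UAG's own rejected-values list, which is not reproduced on the page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# InternalSite_Rule24 as updated in step (6): a single file name under customupdate
# (the [^/\\]+ class admits no "/" or "\", so no further path segment) ending in
# gif, jpg or png.
IMAGE_RULE = re.compile(
    r"^/internalsite/images/customupdate/[^/\\]+\.(gif|jpg|png)$", re.IGNORECASE)

# InternalSite_AuthlogicsTokenProxy from step (7): Action Accept, Methods GET,
# Parameters Handle, with the two-entry parameter list.
TOKEN_PROXY_URL = "/internalsite/images/customupdate/authlogicstokenproxy.asp"
TOKEN_PROXY_METHODS = {"GET"}
# name -> Length (min, max). Both entries are Optional, Single, Max Total Length -1.
TOKEN_PROXY_PARAMS = {"username": (0, 250), "authtype": (0, 20)}
# "Rejected values checking: On". Assumption: UAG's real list is not on the page,
# so this constructed pattern stands in for it.
REJECTED_VALUES = re.compile(r"""[<>'";]""")


def evaluate_request(method: str, url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one request evaluated against the two rules."""
    parts = urlsplit(url)
    path = parts.path
    if IMAGE_RULE.match(path):
        # Rule24 carries no parameter list, so a query string does not match it (assumption).
        if parts.query:
            return False, "image rule: unexpected query string"
        return True, "image rule"
    if path.lower() != TOKEN_PROXY_URL:
        return False, "no matching URL Set rule"
    if method.upper() not in TOKEN_PROXY_METHODS:
        return False, f"method {method} not allowed for token proxy"
    seen: dict[str, int] = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        key = name.lower()
        if key not in TOKEN_PROXY_PARAMS:
            return False, f"parameter {name} is not in the parameter list"
        seen[key] = seen.get(key, 0) + 1
        if seen[key] > 1:
            return False, f"parameter {name} occurs more than once (Occurrences: Single)"
        low, high = TOKEN_PROXY_PARAMS[key]
        if not low <= len(value) <= high:
            return False, f"parameter {name} length {len(value)} outside {low}:{high}"
        if REJECTED_VALUES.search(value):
            return False, f"parameter {name} contains a rejected value"
    return True, "token proxy rule"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", "/internalsite/images/customupdate/pingrid.png"),
        ("GET", "/internalsite/images/customupdate/sub/pingrid.png"),
        ("GET", TOKEN_PROXY_URL + "?username=alice&authtype=PINgrid"),
        ("POST", TOKEN_PROXY_URL + "?username=alice"),
        ("GET", TOKEN_PROXY_URL + "?username=alice&username=bob"),
        ("GET", TOKEN_PROXY_URL + "?authtype=" + "x" * 21),
    ]
    for method, url in samples:
        accepted, reason = evaluate_request(method, url)
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {method:4} {url}  ({reason})")
```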
(8) Once the appropriate modifications and new URL Set pages have been added, click OK.
(9) Open the following folder in Windows Explorer:
    C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate
    Make a copy of the [TrunkName]1PostPostValidate Authlogics.inc file. Rename the copy by removing Authlogics from the end and replacing [TrunkName] with the actual name of the trunk you are configuring. Do not remove the 1, e.g. Portal1PostPostValidate.inc
(10) Click Activate Configuration to apply and save the changes.
(11) Click Activate to apply the changes.
(12) Click Finish.
Adding the Authlogics Services to a UAG Trunk

To enable users to reset their PINgrid MIPs, PINs and Active Directory passwords, the Self Service Portal application must be published in the trunk. The Self Service Portal MUST be published even if the application is not made visible; this is required so that UAG allows network access to the authentication web services on the AuthCentral Authentication Server.

Active Directory KCD Configuration

This section describes the process to configure the Active Directory with Kerberos Constrained Delegation to allow single sign-on to the Self Service Portal without the need to enter an Active Directory password at any point.

To configure KCD the Active Directory must be set to Windows 2003 Native mode as a minimum; a mixed mode domain will not support KCD. If KCD cannot be configured due to restrictions on the AD domain mode then either the login page must request AD credentials or On-The-Fly login must be used, and the users will be prompted for their AD credentials to access the Self Service Portal.

(1) Open Active Directory Users and Computers (either on a DC or management station) and select the properties of the UAG 2010 computer account, then select the Delegation tab.
(2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected), then click Add.
(3) Click Users or Computers and locate the AuthCentral Server / Appliance computer account running the AuthCentral Services.
(4) Select the http service type and click OK.
(5) Click OK.
Publishing the Self Service Portal

This section describes the process to publish the Authlogics Self Service Portal in UAG 2010.

Note: This process must be repeated for every UAG trunk that will provide portal access to provisioning and password resets.

(1) Start the Microsoft UAG 2010 Management Console.
(2) Select the appropriate trunk to add the User Self Service Portal application to. In the Applications section, click Add...
(3) The UAG Add Application Wizard will start.
(4) Click Next.
(5) Choose Other Web Application (portal hostname) from the Web section. Click Next.
(6) Complete the Application Values with the following:

    Property          Value
    Application Name  Manage PINs and Passwords
    Application Type  GenericWeb
(7) Click Next.
(8) Click Next.
(9) Click Next.

Note: If multiple AuthCentral Authentication servers are deployed in a high availability scenario then publish them together as a server farm.

Complete the values for the Web Servers as follows:

    Property      Value
    Address Type  IP/Host
    Addresses     {AuthCentral Server FQDN}
    Paths         /
    HTTP ports    14000
    HTTPS ports   443

(10) Click Next.
(11) Click Next.
(12) If you do not want to allow users to use the Self Service Portal, uncheck the Add a portal and toolbar link box. Update the Icon URL with one of the following icons as appropriate to the chosen authentication technology:
     images/appicons/customupdate/pingrid.gif
     images/appicons/customupdate/pinphrase.gif
     images/appicons/customupdate/pinpass.gif
     images/appicons/customupdate/authlogics.gif
(13) Click Next.
(14) Click Next.
(15) Click Finish.
(16) Double click the Manage PINs and Passwords application to edit it.
(17) Select the Authentication tab.
(18) Check Use SSO, then select Use Kerberos constrained delegation for single sign-on. Enter http/* or http/{your.server.and.domain.name} in the Application field, where {your.server.and.domain.name} is the full DNS name of the AuthCentral Authentication Server computer account in AD.
(19) Click OK.
(20) Click Activate Configuration to apply and save the changes.
(21) Click Activate to apply the changes.
(22) Click Finish.

The trunk is now configured to use the Winfrasoft AuthCentral User Self Service Portal.
Configure the UAG Login page for 2FA only

By default, the Authlogics Forefront UAG Agent login page will display a 1½ factor challenge (if supported by the authentication technology). If you are only planning to deploy 2 Factor Authentication you can disable the display of the 1½ factor challenge on the UAG server as follows:

Start the registry editor on the UAG 2010 server and edit the appropriate key as required.

HKLM\SOFTWARE\Winfrasoft\Winfrasoft AuthCentral\PinGrid2FAonly
HKLM\SOFTWARE\Winfrasoft\Winfrasoft AuthCentral\PinPhrase2FAonly

Accepted Values:
0 = Disabled (default)
1 = Enabled

No services need to be restarted and the UAG configuration does not need to be activated for these changes to take effect.
Authlogics Configuration on TMG 2010

The Microsoft Forefront TMG 2010 server will require additional configuration for use with the Authlogics Forefront TMG Agent. This section should only be followed after the Authlogics Forefront TMG Agent has been installed on the TMG server.

Configuring RADIUS

TMG 2010 will process authentication requests with the Authlogics Authentication Server via RADIUS.

(1) Configure the TMG server as a RADIUS client on the Authlogics Authentication Server. See the Adding a RADIUS client section of the Authlogics Authentication Server Installation and Configuration Guide for further information.
(2) Configure the TMG server to use the Authlogics Authentication Server as a RADIUS server. Start the Microsoft TMG 2010 Management Console.
(3) Open the Remote Access Policy (VPN) section. Click RADIUS Server in step 2.
(4) Tick the Use RADIUS for authentication and Use RADIUS for accounting (logging) boxes, then click the RADIUS Servers button.
(5) Click Add.
(6) Enter the name of the RADIUS / Authlogics Authentication Server and an optional description. Click Change to enter a shared secret.
(7) Enter the shared secret used when specifying the RADIUS client information at step 1, then click OK.
(8) Click OK.
(9) Click OK.
(10) Change to the Authentication tab and ensure that only Unencrypted password (PAP) is selected under Authentication Methods.
(11) Click OK.
(12) Click Apply at the top of the TMG MMC to apply the changes.
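Added example, not from the Authlogics guide or product: a Python model of the RADIUS Access-Request that the Unencrypted password (PAP) setting in step (10) produces, with the RFC 2865 User-Password hiding applied on the client (TMG) side and reversed on the server side, so the role of the shared secret from step (7) can be seen on a constructed packet. The secret and credentials are constructed; which attributes the Authlogics server expects beyond User-Name and User-Password is not on the page and is not assumed here.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1               # RFC 2865 packet code
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute values are limited to 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator.
    The password is only hidden under the shared secret, not encrypted in transit."""
    if len(password) > 128:
        raise ValueError("RADIUS PAP passwords are limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, previous = b"", authenticator
    for offset in range(0, len(padded), 16):
        key = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[offset:offset + 16], key))
        hidden, previous = hidden + block, block
    return hidden


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_pap_password as performed by the server; NUL padding is stripped."""
    revealed, previous = b"", authenticator
    for offset in range(0, len(hidden), 16):
        key = hashlib.md5(secret + previous).digest()
        block = hidden[offset:offset + 16]
        revealed, previous = revealed + bytes(c ^ k for c, k in zip(block, key)), block
    return revealed.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str, secret: bytes) -> bytes:
    """What the RADIUS client (TMG) sends: Code 1, Identifier, Length, a random
    16-octet Request Authenticator, then User-Name and the hidden User-Password."""
    authenticator = os.urandom(16)
    attributes = (_attribute(USER_NAME, username.encode())
                  + _attribute(USER_PASSWORD,
                               hide_pap_password(password.encode(), secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + authenticator + attributes


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """What the RADIUS server does with the packet, given the same shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, attributes, position = packet[4:20], {}, 20
    while position < length:
        if position + 2 > length or packet[position + 1] < 2 or position + packet[position + 1] > length:
            raise ValueError("bad attribute length")
        attr_type, attr_len = packet[position], packet[position + 1]
        attributes[attr_type] = packet[position + 2:position + attr_len]
        position += attr_len
    return {"identifier": identifier,
            "username": attributes[USER_NAME].decode(),
            "password": reveal_pap_password(attributes[USER_PASSWORD], secret, authenticator)}
```

A server holding a different secret recovers only noise from the User-Password attribute, which is why step (7) must use exactly the secret registered for the TMG client in step (1).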
Configure a Web Listener for AuthCentral

The TMG Web Listener must be configured to use Forms based authentication and validate credentials via RADIUS OTP.

(1) Start the Microsoft TMG 2010 Management Console.
(2) Double click the web listener, in this case Listener1, and change to the Authentication tab.
(3) Select HTML Form Authentication under Client Authentication Method and select RADIUS OTP under Authentication Validation Methods.
(4) Click Configure Validation Servers.
(5) Ensure that the Authlogics Authentication Server RADIUS server created previously is at the top of the list and click OK.
(6) Click OK to close the Listener.
Web Publish the AuthCentral Token Providers

The Authlogics Authentication Server hosts 3 Token Provider URLs for processing token challenge requests, one for each Authlogics authentication technology, as follows:

/Services/GetPinPhraseToken.ashx
/Services/GetPinPassToken.ashx
/Services/GetPinGridToken.ashx

These providers MUST be web published anonymously via each Web Listener with which you want to use Authlogics. These providers enable the display of a 1.5 Factor Authentication challenge as well as initiating the sending of a Real-Time 2FA token.

(1) Start the Microsoft TMG 2010 Management Console.
(2) Create a new Web Publishing Rule called {Web Listener} - AuthCentral Token Providers.
(3) Click Next.
(4) Click Next.
(5) If the Authlogics Authentication Server is configured as a load balanced pair you can utilise TMG web farm publishing, otherwise click Next.
(6) Select Use non-secured connections to connect the published Web server or server farm using HTTP. If an SSL certificate has been configured on the Authlogics Authentication Server then use the default selection.
(7) Click Next.
(8) Enter the name of the Authlogics Authentication Server.
(9) Click Next.
(10) Click Next.
(11) Select Any domain name in the Accept requests for section. This enables the use of Authlogics with multiple sites which share the web listener. Alternatively you can specify all the Public Names later.
(12) Click Next.
(13) Select the Web Listener you want to use with Authlogics, in this case Listener1.
(14) Click Next.
(15) Click Next.
(16) Remove All Authenticated Users and add All Users.
(17) Click Next.
(18) Click Finish.
(19) Double click the new rule to edit it. Change to the Bridging tab and change the HTTP port to 14000. If using SSL, select Redirect requests to SSL port and change the SSL port to 14443.
(20) Change to the Paths tab. Remove the /* path. Add the 3 Token Provider URLs:
     /Services/GetPinPhraseToken.ashx
     /Services/GetPinPassToken.ashx
     /Services/GetPinGridToken.ashx
(21) Click Apply and then Test Rule. If issues are found in the test, correct the problem and try again. Click OK when done.
(22) If the following warning is displayed click OK; it can be ignored.
Adding strong authentication to a publishing rule

All existing web publishing rules which are linked to the web listener that has been configured for Authlogics must be modified to use the Authlogics logon form pages. Each Authlogics authentication technology has its own TMG form; this is further broken down into 1.5FA and 2FA, then again into Exchange and generic forms as follows:

    Technology  Factor  Style     Form Set name
    PINgrid     1.5FA   Exchange  PinGrid1FAExchange
    PINgrid     1.5FA   Generic   PinGrid1FAISA
    PINgrid     2FA     Exchange  PinGrid2FAExchange
    PINgrid     2FA     Generic   PinGrid2FAISA
    PINpass     2FA     Exchange  PinPass2FAExchange
    PINpass     2FA     Generic   PinPass2FAISA
    PINphrase   1.5FA   Exchange  PinPhrase1FAExchange
    PINphrase   1.5FA   Generic   PinPhrase1FAISA
    PINphrase   2FA     Exchange  PinPhrase2FAExchange
    PINphrase   2FA     Generic   PinPhrase2FAISA

Identify the Form Set name you wish to use with each web publishing rule and then repeat this process for each rule.

(1) Start the Microsoft TMG 2010 Management Console.
(2) Double click the web publishing rule to edit it.
(3) Change to the Application Settings tab. Select Use customized HTML forms instead of the default. Enter the name of the Form Set required from the table above.
(4) Change to the Users tab. If the rule was previously using a Windows group to restrict access, add a new User Set to contain those RADIUS users or ensure that All Authenticated Users is selected.
(5) If the published web site utilises Windows Authentication (e.g. Exchange or SharePoint) then change to the Authentication Delegation tab, select Kerberos constrained delegation and configure the server SPN as needed.
(6) Click OK.

Active Directory KCD Configuration

This section describes the process to configure the Active Directory with Kerberos Constrained Delegation to allow single sign-on to the published web sites without the need to enter an Active Directory password at any point.

To configure KCD the Active Directory must be set to Windows 2003 Native mode as a minimum; a mixed mode domain will not support KCD. If KCD cannot be configured due to restrictions on the AD domain mode then the users will be prompted for their AD credentials by the published application.

(1) Open Active Directory Users and Computers (either on a DC or management station) and select the properties of the TMG 2010 computer account, then select the Delegation tab.
(2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected), then click Add.
(3) Click Users or Computers and locate the computer account running the published web site.
(4) Select the http service type and click OK.
(5) Click OK.