Installation and configuration guide


Winfrasoft HAS Installation and Configuration Guide

Installation and configuration guide: Winfrasoft HAS for Microsoft Forefront UAG 2010

Published: October 2011
Applies to: Winfrasoft HAS (Build 2.0.2300.4)
Web site: http://www.winfrasoft.com
Email: support@winfrasoft.com

Copyright 2006-2011 Winfrasoft Corporation. All rights reserved. This publication is for informational purposes only. Winfrasoft makes no warranties, express or implied, in this summary. Winfrasoft and Winfrasoft HAS are trademarks of Winfrasoft Corporation. All other trademarks are property of their respective owners.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organisations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organisation, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Winfrasoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written licence agreement from Winfrasoft, the furnishing of this document does not give you any licence to these patents, trademarks, copyrights, or other intellectual property. Microsoft, Active Directory, UAG 2010, Windows and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Copyright 2006-2011 Winfrasoft Corporation. All rights reserved.

Table of Contents

Introduction
  Considerations
    Server System Requirements
    Language Requirements
  Configuration Overview
  Licensing
    Running a trial
    Applying a new licence
Design and Deployment Scenarios
  Smartcard Technology
  Background
Deployment
  Overview
  Installing the Winfrasoft HAS Server
  Installing the Winfrasoft HAS Plug-in for UAG 2010
  Installing the Winfrasoft HAS Management Console
  Uninstalling Winfrasoft HAS
HAS Configuration on UAG 2010
  Configure IIS MIME Types (Internet only)
  Add a HAS Authentication Repository (Internet)
  Add a HAS Authentication Repository (N3)
  Configure a UAG Trunk to use HAS (Internet)
  Configure a UAG Trunk to use HAS (N3)
  Configure User Auto Provisioning without Self Service Password Reset
  Configure User Auto Provisioning with Self Service Password Reset
    Active Directory Configuration
    UAG 2010 Configuration
  Configure the TMG Firewall (N3 only)
  Certificate Configuration
  Certificate Trust List Configuration
Winfrasoft HAS Management
Advanced Configuration
  HAS Registry Keys
    HAS Server / Appliance keys
    UAG Server / Appliance keys

Introduction

Winfrasoft HAS is a two-factor authentication and provisioning application that integrates with Microsoft Forefront UAG 2010 to:

- Provide smart card two-factor authentication for NHS CRS cards.
- Provision smart card users into Microsoft Active Directory without AD schema extensions and without an AD integrated PKI.
- Provide integrated Self Service Password Reset capabilities to help reduce helpdesk costs, since users can securely prove who they are with their smart card.
- Integrate with the NHS Identity Agent and Spine.

Considerations

Server System Requirements

The minimum system requirements for Winfrasoft HAS are:

- Winfrasoft UAG Appliance or a server running Forefront UAG 2010
  o HAS supports UAG RTM, Update 1, Update 2, SP1 and SP1 Update 1.
- Winfrasoft HAS Appliance, or Windows Server 2003 (SP2) or 2008 running IIS
- 32-bit / 64-bit PC with the Active Directory Users and Computers MMC snap-in
- Microsoft Active Directory

Language Requirements

The Winfrasoft HAS MMC Add-in is compatible with multi-lingual versions of Windows Server 2003 / 2008; however, it is only available in English. Product support and documentation are only available in English.

Configuration Overview

Prior to installation, ensure you have the following:

- A fully configured Winfrasoft Gateway Appliance running Forefront Unified Access Gateway 2010, including networking and portal configuration information.
- A Winfrasoft HAS Appliance, or an available server running Windows Server 2003 (SP2) or Windows Server 2008, to install the HAS Web Services onto.
- A valid Winfrasoft HAS licence file with sufficient licences for the deployment requirements. The installation includes 10 free licences.
- Smart cards and their appropriate middleware smart card reader software (e.g. GemAuthenticate Client). This can be remotely installed via the login page.
- Optional: NHS Identity Agent if accessing from N3.
- A client test workstation on either the Internet, or on N3 with a functioning NHS Identity Agent installed.

Licensing

Winfrasoft HAS is licensed on a combination of a per-server basis and client access licences. A licence file must be installed onto each Microsoft UAG 2010 appliance, otherwise the application will not function.

Note: For detailed information on the licence types please refer to the licence agreement document embedded within the installation package.

Running a trial

Winfrasoft HAS is available for trial. Fully functional time-limited trial licences can be requested from Winfrasoft. All installations of the Winfrasoft HAS server software include a non-expiring 10 user licence.

Applying a new licence

Once you receive a new licence from Winfrasoft, install the Winfrasoft HAS licence file onto the server running the HAS Web Services by copying the new licence file into the Winfrasoft HAS installation directory and renaming it to licence.lic. Once the licence has been installed, restart the IIS web server by running IISRESET for the new licence to take effect.

Design and Deployment Scenarios

Winfrasoft HAS is designed to operate with Microsoft Forefront UAG 2010 Update 1. The Winfrasoft HAS Management utility uses Microsoft Management Console technology, which can be run remotely and installed on any 32-bit or 64-bit machine where Active Directory Users and Computers is installed.

Winfrasoft HAS is a true Enterprise-class solution designed for highly available, multi-master, Active Directory integrated deployments. In high-availability deployments and scenarios with numerous users, provisioned user information can be stored across multiple domains in an Active Directory forest with no schema extensions required.

There are two main deployment scenarios for Winfrasoft HAS:

(1) Access from the Internet: This scenario makes use of the public and private key (protected by the PIN) to verify the card and user. The UID in the smart card is linked with an AD user account.

(2) Access from N3 using the Identity Agent: This scenario makes use of the NHS Identity Agent and validates sessions against Spine. The UID from Spine is linked with an AD user account.

When a user is provisioned to use HAS they are able to make use of both authentication methods; there is no need to provision a user twice.

Smartcard Technology

Background

As the usage of Information Technology has increased exponentially, the need for security of these systems has increased accordingly. Traditionally, authenticating users was done solely by the user providing a valid username and password. This was known as single-factor authentication, as the user knows all parts of the authentication process. Over time, information provided by the user alone was no longer sufficient and additional factors were required. Physical token technology came to the fore, and smart cards have become a recognised industry standard for authentication.

The major benefit of smart cards is the versatility of the solution: smart cards can not only prove the identity of the holder and authenticate the user to a network, but can also be used for physical perimeter access. Furthermore, picture identification can be printed on the card for additional verification and user identification.

Deployment

Overview

This deployment section assumes that the UAG 2010 Appliance has been installed and is configured.

Note: This guide does not detail how to install and configure UAG 2010.

To fully deploy the Winfrasoft HAS solution the following steps must be performed:

(1) Deploy and configure UAG 2010, including any service packs or updates.
(2) Install Winfrasoft HAS Web Services on a separate server to UAG 2010.
(3) Install the Winfrasoft HAS Add-on for UAG 2010 on the UAG appliance.
(4) Provision users with HAS tokens.

Installing the Winfrasoft HAS Server

The Winfrasoft HAS Web Services must be installed onto a server running Windows Server 2008 R2 (x64), the HAS Server. The Winfrasoft HAS Server is also available as a preconfigured appliance from Winfrasoft.

The HAS Web Services can NOT be installed on a server running UAG 2010 due to restrictions placed on UAG 2010 by Microsoft. This is a change from the previous version of HAS for IAG 2007, which was able to cater for this scenario.

Note: Ensure you are logged onto the HAS Server with Domain Admin rights to allow the Active Directory configuration to be performed.

(1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer.
(2) The setup wizard starts.
(3) Click Next to continue.
(4) After reading the licence agreement, click I accept the terms in the License Agreement if you agree to the terms, then click Next to continue.
(5) Select the setup type. Click Custom and select Next to continue.

Note: The HAS Web Services can NOT be installed on a server running UAG 2010 due to restrictions placed on UAG 2010 by Microsoft. This is a change from the previous version of HAS for IAG 2007, which was able to cater for this scenario.

(6) Click Next to continue.

Note: The HAS Management Console option is automatically visible when installing on the HAS Server if the Active Directory Users and Computers snap-in is already installed.

(7) Click Next to continue. The installation is performed. During the install a balloon will pop up displaying the UAG version that was detected for the Plug-in.

Note: The Winfrasoft HAS Active Directory Initialisation wizard may show extra information or warning messages if it has previously been run in the forest. Existing groups will be reused for multiple box deployment scenarios.

(8) Ensure no critical errors have occurred during the Winfrasoft HAS Active Directory Initialisation; if they have, contact Winfrasoft for support. Click Close to continue.
(9) All necessary Winfrasoft HAS files have been installed on your HAS Server. Click Finish to complete the installation process.

Note: The HAS Server may require a restart in order for all changes to be applied. Without a restart the HAS Server will not have the required rights to update smart card details on AD user accounts. If HAS is being reinstalled, or the server is already a member of the Winfrasoft HAS Servers group, then a reboot is not required.

The Winfrasoft HAS Servers group is added to the Account Operators group by default. This grants the HAS Server the rights required to update user accounts with smart card information for auto provisioning. However, Account Operators do not have rights to modify AD administrator accounts, so administrator accounts cannot use auto provisioning by default. Add the Winfrasoft HAS Servers group to the Domain Admins group to enable this functionality.

Installing the Winfrasoft HAS Plug-in for UAG 2010

The Winfrasoft HAS Plug-in for UAG 2010 enables UAG to communicate with the HAS Server.

(1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer.
(2) The setup wizard starts.
(3) Click Next to continue.
(4) After reading the licence agreement, click I accept the terms in the License Agreement if you agree to the terms, then click Next to continue.
(5) Select the setup type. Click Custom and select Next to continue.

Note: The HAS Web Services can NOT be installed on a server running UAG 2010 due to restrictions placed on UAG 2010 by Microsoft. This is a change from the previous version of HAS for IAG 2007, which was able to cater for this scenario.

(6) Click Next to continue.

Note: The HAS Management Console option is automatically selected when installing on the UAG server if the Active Directory Users and Computers snap-in is locally installed.

(7) Enter the full DNS name of the HAS appliance, or of the web server running the HAS authentication web service. Click Next to continue.
(8) Click Next to continue. The installation is performed.
(9) All necessary Winfrasoft HAS files have been installed on your UAG appliance. Click Finish to complete the installation process.

Installing the Winfrasoft HAS Management Console

The Winfrasoft HAS Management Console can only be installed on a 32-bit or 64-bit computer that has the Active Directory Users and Computers MMC snap-in installed. Typically, this would be a Domain Controller.

(1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer.
(2) The setup wizard starts.
(3) Click Next to continue.
(4) After reading the licence agreement, click I accept the terms in the License Agreement if you agree to the terms, then click Next to continue.
(5) Select the setup type. Click Custom and select Next to continue.

Note: If IIS is installed on the machine you want to install the HAS Management Console on, then the HAS Web Service will display as a selected installation option.

(6) Ensure that only the HAS Management Console is selected if other choices are displayed. Click Next to continue.
(7) Click Next to continue. The installation is performed.
(8) Click Finish to complete the installation process.

Uninstalling Winfrasoft HAS

If you no longer require Winfrasoft HAS you can remove it from a server by doing the following:

(1) To start the Winfrasoft HAS un-installation, run the Winfrasoft HAS.exe installer. Alternatively, use Add/Remove Programs in the Control Panel, select the Winfrasoft HAS application and click Remove.
(2) Running the EXE file starts the setup wizard.
(3) Select Uninstall. Click Next to continue.
(4) Click Next to continue. The Winfrasoft HAS uninstall will remove the configured components.
(5) Click Finish to complete the uninstall process.

HAS Configuration on UAG 2010

Configure IIS MIME Types (Internet only)

(1) On the UAG 2010 server, open IIS Manager and select the server node.
(2) Double click MIME Types.
(3) Click Add and add each of the following MIME types:

    Extension   MIME type
    .dat        application/octet-stream
    .vslp       application/octet-stream
    .cfg        application/octet-stream

Note: Do NOT add the MIME types to the Default Web Site; they MUST be added to the web server directly.

When done, the new MIME types are listed in the MIME Types pane.

(4) Close IIS Manager when done.
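The same three mappings can be added from PowerShell at the server level, which is the scope the Note above requires. The script below is an added example (not Winfrasoft's or Microsoft's code); it assumes the IIS WebAdministration module on the UAG host and an elevated session, and it also checks that the Default Web Site's own web.config does not carry a site-local copy of the mappings.

```powershell
# Added example, not from the Winfrasoft guide: adds the three HAS MIME types at the
# IIS server level (applicationHost.config) on the UAG host, skipping any that exist,
# then checks that the Default Web Site's web.config carries no site-local copy.
# Assumes the WebAdministration module (IIS 7.x, Windows Server 2008 R2) in an
# elevated PowerShell session on the UAG server.
Import-Module WebAdministration

$serverLevel = 'MACHINE/WEBROOT/APPHOST'          # "the web server directly", not a site
$section     = 'system.webServer/staticContent'
$mimeTypes   = @{ '.dat'  = 'application/octet-stream'
                  '.vslp' = 'application/octet-stream'
                  '.cfg'  = 'application/octet-stream' }

function Test-ServerMimeMap {
    param([string]$Extension)
    # Returns $true when the extension is already mapped in applicationHost.config.
    $map = Get-WebConfiguration -PSPath $serverLevel -Filter "$section/mimeMap[@fileExtension='$Extension']"
    return ($null -ne $map)
}

foreach ($ext in $mimeTypes.Keys) {
    if (Test-ServerMimeMap -Extension $ext) {
        Write-Host "$ext already mapped at server level, skipping"
        continue
    }
    # Adding a duplicate fileExtension throws, so the check above keeps this re-runnable.
    Add-WebConfigurationProperty -PSPath $serverLevel -Filter $section -Name '.' `
        -Value @{ fileExtension = $ext; mimeType = $mimeTypes[$ext] }
    Write-Host "Added $ext -> $($mimeTypes[$ext]) at server level"
}

# The guide's warning: the mappings must not be site-local. IIS Manager writes
# site-level MIME types into the site's root web.config, so look there.
$sitePath   = [Environment]::ExpandEnvironmentVariables((Get-Website -Name 'Default Web Site').physicalPath)
$siteConfig = Join-Path $sitePath 'web.config'
if (Test-Path $siteConfig) {
    $local = Select-String -Path $siteConfig -Pattern 'fileExtension="\.(dat|vslp|cfg)"'
    if ($local) { Write-Warning "HAS MIME types found in $siteConfig; remove them and keep only the server-level entries" }
}
```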

Add a HAS Authentication Repository (Internet)

(1) Start the Microsoft UAG 2010 Management Console.
(2) Click Admin > Authentication and Authorization Servers.
(3) Click Add.
(4) Select Other from the Server type drop-down list. Enter WinfrasoftHASInternet (one word) in the Server name box. Check the Use a different server for portal application authorization box and select the existing Active Directory repository from the drop-down list. Click OK.
(5) Click Close.

Add a HAS Authentication Repository (N3)

(1) Start the Microsoft UAG 2010 Management Console.
(2) Click Admin > Authentication and Authorization Servers.
(3) Click Add.
(4) Select Other from the Server type drop-down list. Enter WinfrasoftHASN3 (one word) in the Server name box. Check the Use a different server for portal application authorization box and select the existing Active Directory repository from the drop-down list. Click OK.
(5) Click Close.

Configure a UAG Trunk to use HAS (Internet)

A Trunk can be configured for use from N3 or from the Internet, but not both. If you require HAS functionality from both locations then either use the Internet configuration only and do not rely on Spine authentication, or set up two Trunks.

Note: The URLs used in this section are listed in the C:\Program Files\Winfrasoft HAS\readme.txt file. It is highly recommended that the URLs are copied and pasted from the readme.txt file instead of being typed manually, for speed and accuracy.

(1) Start the Microsoft UAG 2010 Management Console.
(2) Every Trunk on the UAG server must be configured separately to use HAS. Select the trunk to configure for use with HAS Authentication. Click Configure.
(3) Select the Authentication tab.
(4) In the Require users to authenticate at session logon section:
    a. Under Select authentication servers:
       i. Add WinfrasoftHASInternet.
       ii. Remove the existing Active Directory entry.
    b. Update the User login page entry with: CustomUpdate/HASLoginInternet.asp

Note: Do NOT place a / (slash) before CustomUpdate/HASLoginInternet.asp

(5) Select the URL Set tab.
(6) In this section, the appropriate access rules for the different custom files installed by HAS must be created. Scroll through the URL List and select the URL InternalSite_Rule2. Below the Parameter List, click Add to add a new parameter for this URL rule. Set the parameter values to the following:

    Parameter List
    Name                      chall
    Name Type                 String
    Value                     {empty}
    Value Type                String
    Length                    0:350
    Existence                 Optional
    Occurrences               Multiple
    Max Total Length          -1
    Rejected values checking  On

(7) Scroll through the URL List and select the URL InternalSite_Rule20. Modify the URL property so that it contains the following (the entries added for HAS appear in bold in the original document):

    URL  /internalsite/scripts/customupdate/[0-9a-z]*(params|install|sslvpnpage|rds|jquery-1.3.2|format|scripts|vsapi)\.js

(8) Add the following Primary URLs. For each new URL set, click Add Primary.

    Name        InternalSite_SC1
    Action      Accept
    URL         /internalsite/scripts/customupdate/api_gsl_p7/(vsappletlauncher|vsapinative)\.jar
    Parameters  Ignore
    Note        {empty}
    Methods     GET

    Name        InternalSite_SC2
    Action      Accept
    URL         /internalsite/scripts/customupdate/api_gsl_p7/(vsapi)\.dat
    Parameters  Ignore
    Note        {empty}
    Methods     GET

    Name        InternalSite_SC3
    Action      Accept
    URL         /internalsite/scripts/customupdate/api_gsl_p7/(vsapiapplet)\.vslp
    Parameters  Ignore
    Note        {empty}
    Methods     GET

    Name        InternalSite_SC4
    Action      Accept
    URL         /internalsite/scripts/customupdate/api_gsl_p7/(vstapidll)\.cfg
    Parameters  Ignore
    Note        {empty}
    Methods     GET

    Name        InternalSite_SC5
    Action      Accept
    URL         /internalsite/scripts/customupdate/api_gsl_p7/meta-INF/services/javax.xml.parsers.SAXParserFactory
    Parameters  Ignore
    Note        {empty}
    Methods     GET

    Name        InternalSite_UserLookup
    Action      Accept
    URL         /internalsite/customupdate/userlookup.asp
    Parameters  Handle
    Note        {empty}
    Methods     GET

    Parameter list for InternalSite_UserLookup:
                              Entry 1     Entry 2
    Name                      authtype    sessionid
    Name Type                 String      String
    Value                     {empty}     {empty}
    Value Type                String      String
    Length                    1:10        1:2000
    Existence                 Mandatory   Mandatory
    Occurrences               Single      Single
    Max Total Length          -1          -1
    Rejected values checking  On          On

(9) Once complete, and the appropriate modifications and new URL Set pages have been successfully added, click OK to accept the changes.
(10) Open the following folder in Windows Explorer: C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate. Make a copy of the [PortalName]1PostPostValidate (Winfrasoft HAS).inc file. Rename the copy by removing (Winfrasoft HAS) from the end and replacing [PortalName] with the actual name of the Trunk you are configuring. Do not remove the 1. e.g. InternetPortal1PostPostValidate.inc
(11) Click Activate Configuration to apply and save the changes.
(12) Click Activate to apply the changes.
(13) Click Finish.

Configure a UAG Trunk to use HAS (N3)

A Trunk can be configured for use from N3 or from the Internet, but not both. If you require HAS functionality from both locations then either use the Internet configuration only and do not rely on Spine authentication, or set up two Trunks.

Note: The URLs used in this section are listed in the C:\Program Files\Winfrasoft HAS\readme.txt file. It is highly recommended that the URLs are copied and pasted from the readme.txt file instead of being typed manually, for speed and accuracy.

(1) Start the Microsoft UAG 2010 Management Console.
(2) Every Trunk on the UAG server must be configured separately to use HAS. Select the trunk to configure for use with HAS Authentication. Click Configure.
(3) Select the Authentication tab.
(4) In the Require users to authenticate at session logon section:
    a. Under Select authentication servers:
       i. Add WinfrasoftHASN3.
       ii. Remove the existing Active Directory entry.
    b. Update the User login page entry with: CustomUpdate/HASLoginN3.asp

Note: Do NOT place a / (slash) before CustomUpdate/HASLoginN3.asp

(5) Select the URL Set tab.
(6) In this section, the appropriate access rules for the different custom files installed by HAS must be created. Scroll through the URL List and select the URL InternalSite_Rule20. Modify the URL property so that it contains the following (the entries added for HAS appear in bold in the original document):

    URL  /internalsite/scripts/customupdate/[0-9a-z]*(params|install|sslvpnpage|rds|jquery-1.3.2)\.js

(7) Scroll through the URL List and select the URL InternalSite_Rule27. Modify the URL property so that it contains the following (the entries added for HAS appear in bold in the original document):

    URL  /internalsite/applet/(detectjava|microsoftclient|oesislocal|runtimeelevator|agent_win_helper|agent_mac_helper|a n_helper|gettoken)\.jar

(8) Add the following Primary URL. For each new URL set, click Add Primary.

    Name        InternalSite_UserLookup
    Action      Accept
    URL         /internalsite/customupdate/userlookup.asp
    Parameters  Handle
    Note        {empty}
    Methods     GET

    Parameter list for InternalSite_UserLookup:
                              Entry 1     Entry 2
    Name                      authtype    sessionid
    Name Type                 String      String
    Value                     {empty}     {empty}
    Value Type                String      String
    Length                    1:10        1:2000
    Existence                 Mandatory   Mandatory
    Occurrences               Single      Single
    Max Total Length          -1          -1
    Rejected values checking  On          On

(9) Once complete, and the appropriate modifications and new URL Set pages have been successfully added, click OK to accept the changes.
(10) Open the following folder in Windows Explorer: C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate. Make a copy of the [PortalName]1PostPostValidate (Winfrasoft HAS).inc file. Rename the copy by removing (Winfrasoft HAS) from the end and replacing [PortalName] with the actual name of the Trunk you are configuring. Do not remove the 1. e.g. N3Portal1PostPostValidate.inc
(11) Click Activate Configuration to apply and save the changes.
(12) Click Activate to apply the changes.
(13) Click Finish.
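The URL Set entries in the Internet and N3 trunk sections above are a positive filter: only requests matching a rule's URL, method and parameter list reach the HAS pages. The script below is an added example (not Winfrasoft's or Microsoft's code) that models those transcribed entries so an administrator can see which sample requests they admit before activating the configuration. It assumes, since the guide does not say, that a rule's regex must match the whole path, that matching is case-insensitive, and that a query parameter absent from the parameter list should be reported; it is written for PowerShell 2.0 so it runs on a Server 2008 R2 host.

```powershell
# Added example, not code from the Winfrasoft guide or product: a simplified model of the
# URL Set entries transcribed in the trunk sections (Rule20, the Rule2 "chall" parameter,
# InternalSite_SC1-SC5 and InternalSite_UserLookup) applied to constructed sample requests.
# Assumptions not stated in the guide: whole-path regex match, case-insensitive matching,
# and a query parameter missing from the parameter list is reported. PowerShell 2.0 syntax.

function New-ParamSpec {
    param([string]$Name, [int]$MinLength, [int]$MaxLength, [bool]$Mandatory, [bool]$Multiple)
    New-Object PSObject -Property @{ Name = $Name; MinLength = $MinLength; MaxLength = $MaxLength
                                     Mandatory = $Mandatory; Multiple = $Multiple }
}

# Parameter lists from the guide's tables: Length "min:max", Existence, Occurrences.
$challSpec      = @(New-ParamSpec 'chall' 0 350 $false $true)               # InternalSite_Rule2
$userLookupSpec = @((New-ParamSpec 'authtype'  1 10   $true $false),
                    (New-ParamSpec 'sessionid' 1 2000 $true $false))

function Test-ParameterList {
    param([string]$Query, [object[]]$Spec)
    $seen = @{}; $reasons = @()
    foreach ($pair in ($Query.TrimStart('?') -split '&')) {          # name=value&name=value
        if (-not $pair) { continue }
        $parts = $pair -split '=', 2
        $name  = $parts[0]
        $value = ''
        if ($parts.Count -gt 1) { $value = [uri]::UnescapeDataString($parts[1]) }
        if (-not $seen.ContainsKey($name)) { $seen[$name] = @() }
        $seen[$name] += $value
    }
    foreach ($p in $Spec) {
        if (-not $seen.ContainsKey($p.Name)) {
            if ($p.Mandatory) { $reasons += "mandatory parameter '$($p.Name)' is missing" }
            continue
        }
        $values = @($seen[$p.Name])
        if ($values.Count -gt 1 -and -not $p.Multiple) {
            $reasons += "'$($p.Name)' occurs $($values.Count) times but Occurrences is Single"
        }
        foreach ($v in $values) {
            if ($v.Length -lt $p.MinLength -or $v.Length -gt $p.MaxLength) {
                $reasons += "'$($p.Name)' length $($v.Length) is outside $($p.MinLength):$($p.MaxLength)"
            }
        }
    }
    foreach ($name in $seen.Keys) {
        if (-not ($Spec | Where-Object { $_.Name -eq $name })) {
            $reasons += "parameter '$name' is not in the parameter list"
        }
    }
    New-Object PSObject -Property @{ Allowed = ($reasons.Count -eq 0); Reasons = $reasons }
}

$api = '/internalsite/scripts/customupdate/api_gsl_p7/'
$urlRules = @(
    # Methods and Parameters for Rule20 are not listed in the guide, so they are not checked.
    @{ Name = 'InternalSite_Rule20'; Methods = $null; Params = $null
       Url = '/internalsite/scripts/customupdate/[0-9a-z]*(params|install|sslvpnpage|rds|jquery-1.3.2|format|scripts|vsapi)\.js' },
    @{ Name = 'InternalSite_SC1'; Url = $api + '(vsappletlauncher|vsapinative)\.jar'; Methods = 'GET'; Params = 'Ignore' },
    @{ Name = 'InternalSite_SC2'; Url = $api + '(vsapi)\.dat';        Methods = 'GET'; Params = 'Ignore' },
    @{ Name = 'InternalSite_SC3'; Url = $api + '(vsapiapplet)\.vslp'; Methods = 'GET'; Params = 'Ignore' },
    @{ Name = 'InternalSite_SC4'; Url = $api + '(vstapidll)\.cfg';    Methods = 'GET'; Params = 'Ignore' },
    @{ Name = 'InternalSite_SC5'; Url = $api + 'meta-INF/services/javax.xml.parsers.SAXParserFactory'; Methods = 'GET'; Params = 'Ignore' },
    @{ Name = 'InternalSite_UserLookup'; Url = '/internalsite/customupdate/userlookup.asp'
       Methods = 'GET'; Params = 'Handle'; Spec = $userLookupSpec }
)

function Test-HasRequest {
    param([string]$Method, [string]$Path, [string]$Query = '')
    foreach ($rule in $urlRules) {
        if ($Path -notmatch ('^' + $rule.Url + '$')) { continue }    # -match is case-insensitive
        $reasons = @()
        if ($rule.Methods -and $Method -ne $rule.Methods) {
            $reasons += "method $Method is not in the rule's Methods ($($rule.Methods))"
        }
        if ($rule.Params -eq 'Handle') { $reasons += (Test-ParameterList -Query $Query -Spec $rule.Spec).Reasons }
        return New-Object PSObject -Property @{ Rule = $rule.Name; Allowed = ($reasons.Count -eq 0); Reasons = $reasons }
    }
    New-Object PSObject -Property @{ Rule = '(none)'; Allowed = $false; Reasons = @('no HAS URL Set entry matches this path') }
}

# Constructed sample requests for this example (not captured traffic).
$samples = @(
    @{ Method = 'GET';  Path = '/internalsite/scripts/customupdate/api_gsl_p7/vsapi.dat' },
    @{ Method = 'GET';  Path = '/internalsite/scripts/customupdate/HASjquery-1.3.2.js' },
    @{ Method = 'POST'; Path = '/internalsite/scripts/customupdate/api_gsl_p7/vsapiapplet.vslp' },        # method not GET
    @{ Method = 'GET';  Path = '/internalsite/customupdate/userlookup.asp'; Query = 'authtype=n3&sessionid=abc123' },
    @{ Method = 'GET';  Path = '/internalsite/customupdate/userlookup.asp'; Query = 'authtype=n3' },       # sessionid absent
    @{ Method = 'GET';  Path = '/internalsite/customupdate/userlookup.asp'; Query = 'authtype=internetportal&sessionid=x' },  # authtype beyond 1:10
    @{ Method = 'GET';  Path = '/internalsite/customupdate/userlookup.asp'; Query = 'authtype=n3&sessionid=a&sessionid=b' }   # sessionid twice
)
foreach ($s in $samples) {
    $r = Test-HasRequest -Method $s.Method -Path $s.Path -Query $s.Query
    $url = $s.Path; if ($s.Query) { $url += '?' + $s.Query }
    '{0,-4} {1,-72} {2,-6} {3} {4}' -f $s.Method, $url, $(if ($r.Allowed) { 'ACCEPT' } else { 'REJECT' }), $r.Rule, ($r.Reasons -join '; ')
}

# InternalSite_Rule2 "chall" on its own (its URL is not shown in the guide): Optional, Multiple, 0:350.
(Test-ParameterList -Query 'chall=abc&chall=' -Spec $challSpec).Reasons          # two occurrences, one empty
(Test-ParameterList -Query ('chall=' + ('A' * 351)) -Spec $challSpec).Reasons    # one value of 351 characters
```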

Configure User Auto Provisioning without Self Service Password Reset

To enable users to access the self-provisioning functionality, i.e. the ability for users to associate smart cards with their Active Directory account, the Winfrasoft HAS Provisioning application must be published in the trunk. This section describes the process to publish the Winfrasoft HAS Auto Provisioning and Self Service Password Reset pages in UAG 2010.

Note: This process must be repeated for every UAG trunk that will provide portal access to provisioning and password resets.

(1) Start the Microsoft UAG 2010 Management Console.
(2) Select the appropriate trunk to add the Self Service Password Reset application to. In the Applications section, click Add...
(3) The UAG Add Application Wizard will start. Click Next.
(4) Choose Other Web Application (portal hostname) from the Web section. Click Next.
(5) Complete the Application values as follows and click Next:

    Application Name  Winfrasoft HAS Auto Provisioning
    Application Type  GenericWeb

(6) Click Next.
(7) Click Next.

Note: If multiple HAS servers are deployed in a high availability scenario then publish both together as a server farm.

(8) Click Next.
(9) Complete the values for the Web Servers as follows:

    Address Type  IP/Host
    Addresses     {HAS Server FQDN}
    Paths         /
    HTTP ports    12000
    HTTPS ports   12443

(10) Click Next.
(11) Click Next.
(12) Untick the Add a portal and toolbar link box. Click Next.
(13) Click Next.
(14) Click Finish.
(15) Click Activate Configuration to apply and save the changes.
(16) Click Activate to apply the changes.
(17) Click Finish.

Your Trunk is now configured to use the Auto Provisioning functionality.

Configure User Auto Provisioning with Self Service Password Reset

To enable users to reset their Active Directory passwords and to access the auto provisioning functionality, i.e. the ability for users to associate smart cards with their Active Directory account, the Self Service Password Reset application must be published in the trunk. The Self Service Password Reset facility shares the same published application configuration as auto provisioning to simplify the configuration.

Active Directory Configuration

This section describes the process to configure Active Directory with Kerberos Constrained Delegation to support Self Service Password Reset.

(1) Open Active Directory Users and Computers (either on a DC or a management station) and select the properties of the UAG 2010 computer account, then select the Delegation tab.
(2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected), then click Add.
(3) Click Users or Computers and locate the HAS Server computer account running the HAS Web Services.
(4) Select the http service type and click OK.
(5) Click OK.
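The same delegation settings as steps (1) to (5), applied and verified with the ActiveDirectory PowerShell module instead of the ADUC GUI. This is an added example and not part of the Winfrasoft guide; it assumes the ActiveDirectory module (RSAT or a 2008 R2 or later DC) is available where it runs, and the computer name UAG01, the FQDN has.corp.example and the domain are placeholders to replace with your own.

```powershell
# Added example (not from the Winfrasoft guide): Kerberos Constrained Delegation
# from the UAG 2010 computer account to the http service on the HAS server.
# Placeholders: UAG computer account "UAG01", HAS server FQDN "has.corp.example".
Import-Module ActiveDirectory

$uagComputer = 'UAG01'
$hasFqdn     = 'has.corp.example'
$hasHost     = $hasFqdn.Split('.')[0]

# "Trust this computer for delegation to specific services only": list only the
# http SPN of the HAS host, in both FQDN and short-name forms as the GUI does.
$allowedServices = @("http/$hasFqdn", "http/$hasHost")

# "Use any authentication protocol" = protocol transition
# (TRUSTED_TO_AUTH_FOR_DELEGATION). UAG needs it because portal users authenticate
# with a smart card, not with Kerberos, and UAG must still obtain a ticket for them.
Set-ADAccountControl -Identity $uagComputer -TrustedToAuthForDelegation $true

# Replace (not append) the allowed-service list so the account can delegate to HAS and nothing else.
Set-ADComputer -Identity $uagComputer -Replace @{ 'msDS-AllowedToDelegateTo' = $allowedServices }

# Verification: unconstrained delegation (TrustedForDelegation) must stay off, and
# the allowed-service list must contain only the expected HAS SPNs.
$acct = Get-ADComputer -Identity $uagComputer `
    -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$acct | Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' | Format-List

if ($acct.TrustedForDelegation) {
    Write-Warning "$uagComputer is trusted for UNCONSTRAINED delegation; the guide's configuration is constrained only."
}
$unexpected = $acct.'msDS-AllowedToDelegateTo' | Where-Object { $allowedServices -notcontains $_ }
if ($unexpected) {
    Write-Warning "Delegation targets beyond the HAS http service: $($unexpected -join ', ')"
}
```

Whatever is later typed into UAG's Application field for the published application, the domain controller only issues delegated service tickets for SPNs on the computer account's msDS-AllowedToDelegateTo list, so the AD-side list above is the setting that actually bounds what the UAG server can impersonate users to.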

UAG 2010 Configuration

This section describes the process to publish the Winfrasoft HAS Auto Provisioning and Self Service Password Reset pages in UAG 2010.

Note: This process must be repeated for every UAG trunk that will provide portal access to provisioning and password resets.

(1) Start the Microsoft UAG 2010 Management Console.
(2) Select the appropriate trunk to add the Self Service Password Reset application to. In the Applications section, click Add...
(3) The UAG Add Application Wizard will start. Click Next.
(4) Choose Other Web Application (portal hostname) from the Web section. Click Next.
(5) Complete the Application Values as follows and click Next:

    Property          Value
    Application Name  Self Service Password Reset
    Application Type  GenericWeb

(6) Click Next.
(7) Click Next.

Note: If multiple HAS servers are deployed in a high availability scenario, then publish both together as a server farm.

(8) Click Next.
(9) Complete the values for the Web Servers as follows:

    Property      Value
    Address Type  IP/Host
    Addresses     {HAS Server FQDN}
    Paths         /
    HTTP ports    12000
    HTTPS ports   12443

(10) Click Next.
(11) Click Next.
(12) Click Next.
(13) Click Next.
(14) Click Finish.
(15) Double click the Self Service Password Reset application to edit it.
(16) Select the Authentication tab.
(17) Check Use single sign-on to send credentials to published applications, then select Use Kerberos constrained delegation for single sign-on. Enter http/* or http/{your.server.and.domain.name} in the Application field, where {your.server.and.domain.name} is the full DNS name of the HAS computer account in AD.
(18) Click OK.
(19) Click Activate Configuration to apply and save the changes.
(20) Click Activate to apply the changes.
(21) Click Finish.

Your trunk is now configured to use the Self Service Password Reset and Auto Provisioning functionality.

Configure the TMG Firewall (N3 only)

Microsoft UAG 2010 runs on top of TMG 2010, which provides security and protocol access to the published portals on UAG via its firewall services. As such, a firewall rule needs to be created allowing Winfrasoft HAS access to the N3 network. To do this, create a firewall rule in the Microsoft TMG Management Console with the following properties:

    Property    Value
    Name        Winfrasoft N3 Spine Access
    Action      Allow
    Protocols   HTTP, HTTPS
    From        Local Host
    To          External
    Conditions  All users

Certificate Configuration

Various certificate configurations must be performed on the UAG server depending on the type of smart card authentication being used.

Certificate Trust List Configuration

In order for Winfrasoft HAS to trust the certificates, the public certificate of the issuer's root CA needs to be applied. Winfrasoft HAS makes use of the operating system trust list to validate SSL certificates. Import the required Root and Intermediate certificates into the certificate store of the Computer account.

Note: Do NOT double click the certificate file to install it; this will install the certificate into the currently logged on user's certificate store, not the Computer account's.

The required certificate files are installed in the following folder:

    C:\Program Files\Winfrasoft HAS\certs\

Note: HAS includes the Root and Intermediate certificates for the Live and NIS1 Spine implementations.
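One way to do the import described above from an elevated PowerShell prompt, so that the certificates land in the Computer account's stores rather than the logged-on user's. This is an added example, not Winfrasoft's own tooling; it uses .NET X509Store directly so that it also runs on PowerShell 2.0 / Windows Server 2008 R2, and assumes the files in the certs folder are DER or Base64 .cer/.crt/.pem files (the folder path is the one the guide gives).

```powershell
# Added example (not from the Winfrasoft guide): import Root and Intermediate CA
# certificates into the LocalMachine stores and verify that the intermediates chain.
$certsFolder = 'C:\Program Files\Winfrasoft HAS\certs'

$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$caStore   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA',   'LocalMachine')
$rootStore.Open('ReadWrite')   # requires an elevated prompt
$caStore.Open('ReadWrite')

$imported      = @()
$intermediates = @()
foreach ($file in Get-ChildItem -Path (Join-Path $certsFolder '*') -Include *.cer, *.crt, *.pem) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)

    # A self-signed certificate (Subject == Issuer) is a root and belongs in Trusted
    # Root Certification Authorities. Anything else is an intermediate and belongs in
    # Intermediate Certification Authorities; placing it in Root would turn it into a
    # trust anchor, which is wider trust than the issuing hierarchy intends.
    if ($cert.Subject -eq $cert.Issuer) {
        $store = $rootStore; $storeName = 'Root'
    } else {
        $store = $caStore;   $storeName = 'CA'
        $intermediates += $cert
    }

    # Skip certificates already present so the script can be re-run safely.
    $existing = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($existing.Count -eq 0) {
        $store.Add($cert)
        $imported += "$storeName <- $($cert.Subject) [$($cert.Thumbprint)]"
    }
}
$rootStore.Close()
$caStore.Close()
$imported

# Verification: every intermediate must now chain to a root in the machine trust
# list. Revocation is deliberately not checked here; CRL reachability over N3 is a
# separate, network-dependent concern (see DisableSpineCertCheck in Advanced Configuration).
foreach ($cert in $intermediates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($chain.Build($cert)) {
        "OK    $($cert.Subject) chains to a trusted root"
    } else {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        "FAIL  $($cert.Subject): $reasons"
    }
}
```

A FAIL line for an intermediate usually means its issuing root was not in the folder or was not self-signed as expected; check that the root landed in the Root store (certlm.msc, Trusted Root Certification Authorities) before revisiting the HAS configuration.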

Winfrasoft HAS Management

Winfrasoft HAS must be configured and users need to be provisioned before they can use the two-factor authentication technologies. Users can be provisioned automatically via the auto-provisioning web page (if enabled), or via the MMC Snap-In. All data is stored in Active Directory (without the need for schema extensions), not on the HAS or UAG server.

To configure a user's Winfrasoft HAS credentials, on a machine that has the Winfrasoft HAS Management Console Snap-In extension installed, open Active Directory Users and Computers. Select the user you wish to manage. Open the account properties and select the NHS Smart Card tab.

If a User ID exists, then this user has been configured for Winfrasoft HAS. Administrators can manually configure users by entering the user's UID in this field.

To remove a user from Winfrasoft HAS, click the Clear button. The certificate subject name will be removed from the user account and the licence will be released for use by another user.

The License Availability details displayed are solely for informational purposes and cannot be modified manually. Should you require additional licences, please contact your local Winfrasoft partner.

Note: There is a current known limitation that Smart Card information cannot be modified on user account properties when the accounts are located via the Find feature of Active Directory Users and Computers. The Read Card feature is currently only available when using a 32-bit MMC.

Advanced Configuration

Winfrasoft HAS advanced configuration is performed by modifying pre-existing registry keys.

HAS Registry Keys

These keys should NOT be renamed or removed; only the values can be changed. Not all keys are available on all servers, as some are specific to the UAG Server or Appliance and others to the HAS Server or Appliance; however, some are common to both. The keys are located in the following registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Winfrasoft\Winfrasoft HAS

UAG Server / Appliance keys

LicenceFolder
    Default value: C:\Program Files\Winfrasoft HAS
    The path on the server where the licence file is located. It is not recommended to change this location.

LoggingEnabled
    Default value: 0
    Changing this setting to 1 enables diagnostic logging. This should not be enabled for usual operation and is only required for troubleshooting or when instructed by Winfrasoft support.

HASWebServiceURL
    Default value: http://has.winfrasoftdemo.com:12000
    The URL accessed by UAG 2010 when connecting to the HAS Server. This URL must be updated with the correct server name after installation. It is not supported to use a port other than 12000.

HAS Server / Appliance keys

AutoProvisionDisabled
    Default value: 0
    Provides the ability to enable or disable the user auto provisioning functionality. The default of 0 indicates that auto provisioning is not disabled. To disable auto provisioning, set the value to 1.

AutoProvisionOverwriteEnabled
    Default value: 0
    Changing this setting to 1 allows a user to overwrite an existing smart card link with a new card. When this value is set to 0, an administrator has to manually unlink the existing card before a user can link a new one. This setting has no effect if auto provisioning has been disabled.

DisableSpineCertCheck
    Default value: 1
    Disables checking the validity of the SSL certificate used on the Spine connection point. This is enabled by default to allow Spine authentication to work in cases where the CRL or the root for the SSL certificate is not available.

GuestAccessEnabled
    Default value: 0
    Changing this setting to 1 allows guest users to access the UAG portal. A guest user is a user with no AD user account. To allow a guest user access to internal resources, create an AD user account called PortalGuest and assign any required rights to it. When this setting is set to 0, guest logins are not possible.

LicenceFolder
    Default value: C:\Program Files\Winfrasoft HAS
    The path on the server where the licence file is located. It is not recommended to change this location.

LoggingEnabled
    Default value: 0
    Changing this setting to 1 enables diagnostic logging. This should not be enabled for usual operation and is only required for troubleshooting or when instructed by Winfrasoft support.

LoggingFolder
    Default value: C:\Program Files\Winfrasoft HAS\Log
    The path on the server where the diagnostic logging files are located. It is not recommended to change this location.

ProvisionTTL
    Default value: 3600 (decimal)
    Time in seconds that session information is kept in memory prior to a successful provisioning event.

SessionTTL
    Default value: 300 (decimal)
    Time in seconds that a session is kept active before a user must enter their smart card PIN.

SpineURL
    Default value: https://sbapi.national.ncrs.nhs.uk/saml/roleassertion?token={sso_ticket}
    The URL accessed by the HAS Server when connecting to Spine. If testing against other Spine implementations, this URL can be modified.
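A configuration audit of the registry values listed above, written as an added example (it is not a Winfrasoft tool). It reads the documented key, compares each value with the default from the tables, reports keys that are not present on this server type without treating them as errors, and flags the settings that widen exposure or weaken validation. It assumes it is run in an elevated prompt on the HAS or UAG server and that the DWORD values read back as integers.

```powershell
# Added example (not from the Winfrasoft guide): audit HAS registry settings
# against the documented defaults and flag security-relevant values.
$hasKey = 'HKLM:\SOFTWARE\Winfrasoft\Winfrasoft HAS'

# Documented defaults, taken from the UAG and HAS key tables above.
$defaults = @{
    LicenceFolder                 = 'C:\Program Files\Winfrasoft HAS'
    LoggingEnabled                = 0
    HASWebServiceURL              = 'http://has.winfrasoftdemo.com:12000'
    AutoProvisionDisabled         = 0
    AutoProvisionOverwriteEnabled = 0
    DisableSpineCertCheck         = 1
    GuestAccessEnabled            = 0
    LoggingFolder                 = 'C:\Program Files\Winfrasoft HAS\Log'
    ProvisionTTL                  = 3600
    SessionTTL                    = 300
    SpineURL                      = 'https://sbapi.national.ncrs.nhs.uk/saml/roleassertion?token={sso_ticket}'
}

if (-not (Test-Path $hasKey)) { throw "HAS registry key not found: $hasKey" }
$props = Get-ItemProperty -Path $hasKey

$findings = @()

# 1. Drift from the documented defaults. Keys missing on this server type
#    (UAG-only or HAS-only keys) are informational, not failures.
foreach ($name in ($defaults.Keys | Sort-Object)) {
    $value = $props.$name
    if ($null -eq $value) {
        $findings += "[info]    $name not present on this server"
    } elseif ("$value" -ne "$($defaults[$name])") {
        $findings += "[changed] $name = '$value' (documented default '$($defaults[$name])')"
    }
}

# 2. Settings worth a second look whether or not they are at the default.
if ($props.DisableSpineCertCheck -eq 1) {
    $findings += "[review]  DisableSpineCertCheck=1: the Spine SSL certificate is not validated. " +
                 "Once the Spine Root and Intermediate certificates are in the Computer store, confirm this is still required."
}
if ($props.GuestAccessEnabled -eq 1) {
    $findings += "[review]  GuestAccessEnabled=1: users with no AD account can reach the portal; review the rights granted to the PortalGuest account."
}
if ($props.LoggingEnabled -eq 1) {
    $findings += "[review]  LoggingEnabled=1: diagnostic logging is for troubleshooting only and should be turned off afterwards."
}
if ($props.HASWebServiceURL) {
    $uri = [Uri]$props.HASWebServiceURL
    if ($uri.Host -eq 'has.winfrasoftdemo.com') {
        $findings += "[error]   HASWebServiceURL still points at the demo hostname; set it to the real HAS server name."
    }
    if ($uri.Port -ne 12000) {
        $findings += "[error]   HASWebServiceURL uses port $($uri.Port); only port 12000 is supported."
    }
}
if ($props.SpineURL -and ($props.SpineURL -ne $defaults.SpineURL)) {
    $findings += "[review]  SpineURL is not the Live Spine URL; confirm this is a deliberate test configuration."
}

if ($findings.Count -eq 0) { 'All documented HAS settings are at their defaults.' } else { $findings }
```

On a freshly installed UAG server the expected output is a single [error] line for HASWebServiceURL until the demo hostname has been replaced, plus [info] lines for the HAS-only keys; on the HAS server it is the [review] line for DisableSpineCertCheck, which the guide ships enabled by default.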