Barracuda Networks NG Firewall 7.0.0


<Partner Name> <Partner Product>
RSA SECURID ACCESS Standard Agent Implementation Guide
Barracuda Networks NG Firewall 7.0.0
fal, RSA Partner Engineering
Last Modified: 10/13/16

Solution Summary

The Barracuda NG Firewall can perform authentication with RSA SecurID by using the native RSA SecurID Protocol. This is done by utilizing a native RSA SecurID client to send authentication requests to the SecurID server and then allowing or denying access to the NG Firewall unit based upon a success or failure message returned by the SecurID server. Among other features, the client supports prompting for PIN changes and displaying system-generated PINs.

In order to implement this, all that needs to be configured on the Barracuda NG Firewall is an Authentication Scheme which uses the RSA-ACE module, and the RSA specific details such as the RSA Configuration File, server IP, etc.

RSA Authentication Manager supported features
<Partner Product Name and version>

RSA SecurID Authentication via Native RSA SecurID UDP Protocol
RSA SecurID Authentication via Native RSA SecurID TCP Protocol
RSA SecurID Authentication via RADIUS Protocol
RSA SecurID Authentication via IPv6
On-Demand Authentication via Native SecurID UDP Protocol
On-Demand Authentication via Native SecurID TCP Protocol
On-Demand Authentication via RADIUS Protocol
Risk-Based Authentication
RSA Authentication Manager Replica Support
Secondary RADIUS Server Support
RSA SecurID Software Token Automation
RSA SecurID SD800 Token Automation
RSA SecurID Protection of Administrative Interface

Yes Yes Yes


RSA Authentication Manager Configuration

Agent Host Configuration

To facilitate communication between the Barracuda NG Firewall and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the Barracuda NG Firewall and contains information about communication and encryption.

RSA Authentication Manager 8.0 introduced a new TCP-based authentication protocol and corresponding agent API. RSA Authentication Manager 8.0 and newer also maintains support for the existing UDP-based authentication protocol and agents. The agent host records for TCP and UDP agents are configured similarly, but there are some important differences.

Include the following information when configuring a UDP-based agent host record.
- Hostname
- IP addresses for network interfaces

Important: The UDP-based authentication agent's hostname must resolve to the IP address specified.

Include the following information when configuring a TCP-based agent host record.
- RSA agent name (in the hostname field)

Important: The RSA agent name is specified in the rsa_api.properties file.

Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with Barracuda NG Firewall will occur.
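A pre-flight check for the UDP agent host requirement above, as an added example that is not part of the RSA guide or of Barracuda's software: it compares the addresses a hostname resolves to with the IP addresses entered in the Agent Host record. The function names, the pass criterion and the sample hostnames and addresses are assumptions made for illustration.

```python
import ipaddress
import socket


def resolve_host(hostname):
    """Addresses the local resolver returns for hostname (live lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def check_agent_host(hostname, record_ips, resolver=resolve_host):
    """Compare a UDP Agent Host record with what its hostname resolves to.

    hostname   -- value of the record's Hostname field
    record_ips -- IP addresses entered for the agent's network interfaces
    resolver   -- callable(hostname) -> iterable of address strings;
                  injectable so the check can be exercised offline
    """
    recorded = {ipaddress.ip_address(ip) for ip in record_ips}
    try:
        # Strip any IPv6 zone id ("%eth0") before normalising.
        resolved = {ipaddress.ip_address(a.split("%")[0])
                    for a in resolver(hostname)}
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"ok": False, "error": f"cannot resolve {hostname}: {exc}",
                "not_in_record": [], "not_in_dns": sorted(map(str, recorded))}
    not_in_record = resolved - recorded  # DNS answers the record lacks
    not_in_dns = recorded - resolved     # record entries DNS never returns
    return {
        # Assumption of this example: pass only if the name resolves and
        # every address it resolves to is listed in the record.
        "ok": bool(resolved) and not not_in_record,
        "error": None,
        "not_in_record": sorted(map(str, not_in_record)),
        "not_in_dns": sorted(map(str, not_in_dns)),
    }


# Constructed sample data (documentation address ranges, not from the guide).
SAMPLE_DNS = {
    "ngfw.example.test": ["192.0.2.10", "2001:DB8::10"],
    "ngfw-old.example.test": ["192.0.2.99"],
}


def sample_resolver(hostname):
    """Offline stand-in for DNS backed by SAMPLE_DNS."""
    if hostname not in SAMPLE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return SAMPLE_DNS[hostname]


if __name__ == "__main__":
    record = ["192.0.2.10", "2001:db8:0:0:0:0:0:10", "198.51.100.7"]
    for name in ("ngfw.example.test", "ngfw-old.example.test", "missing.example.test"):
        print(name, check_agent_host(name, record, sample_resolver))
```

Called without the third argument, `check_agent_host` uses the system resolver, so it can be run from the host that will act as the agent before the record is saved.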

Partner Product Configuration

Before You Begin

This section provides instructions for configuring the Barracuda NG Firewall with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All Barracuda NG Firewall components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Barracuda NG Firewall Configuration

In order to configure the Barracuda NG Firewall with RSA SecurID Authentication, download and install Barracuda NG Admin first.

1. Start NG Admin and log into the Barracuda NG Firewall.
2. Click the Config tab, and then click Full Config to open the Config Tree.
3. Select Box > Infrastructure Services > Authentication Service.
4. From the left menu, select RSA-ACE Authentication. Click the Lock button to be able to edit the configuration settings.
5. Select Yes from the Activate Scheme drop down list.
6. In RSA Configuration File, click the Ex/Import button and select Import from File. Select the RSA configuration file sdconf.rec that was generated by the RSA Security Console.
7. Enter the IP of the RSA Server in RSA Server IP and the IP of the Barracuda NG Firewall in DNS Resolved IP.
8. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
9. Click Activate.

Configure the Barracuda Virtual Server

The Barracuda NG Firewall can host several services, such as the HTTP Proxy, SSL VPN, VPN, URL Filter, or Virus Scanner services. These services are assigned to virtual servers.

Note: For a standalone Barracuda NG Firewall, a preconfigured virtual server named S1 is created by default.

1. Modify the First-IP to match the Listen IP address of the services.

Create VPN Service

2. Log into the Barracuda NG Admin.
3. Select Config > Full Config > Box > Virtual Servers > S1 > Assigned Services.
4. Right click Assigned Services and select Create Service.
5. Enter a Service Name.
6. From the Software Module drop down list select VPN Service.

Configure RSA SecurID on a SSL VPN Service

1. From the Config Tree, select Virtual Servers > S1 > Assigned Services > your created (VPN-Service) > SSL-VPN.
2. From the Enable SSL VPN list, select yes.
3. In the Listen IPs table, add the listen IP address for the SSL VPN.
4. In the Service Identification section, select the certificate type to use.
5. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
6. Click Activate.
7. From the SSL-VPN left menu, select Authentication & Login.
8. Select Lock.
9. From the Authentication Scheme pull down select RSA SecurID.
10. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
11. Click Activate.

Configure VPN Settings

1. Refer to the Barracuda document How to Configure a Client-to-Site IPsec VPN: http://techlib.barracuda.com/display/bngv54/how+to+configure+a+client-to-Site+IPsec+VPN.
2. From the Config Tree, select Virtual Servers > S1 > Assigned Services > your created (VPN-Service) > VPN Settings.
3. Click Lock.
4. Under the Setting tab, click Click here for Server Settings.
5. In the Access Control Service section enter the IP Address for the VPN service.
6. In the Server Configuration window, enter the required certificate information in each field.
7. In the Issuer section, create a new certificate.
8. Click Ex/Import and select New/Edit Certificate.
9. Click OK.
10. In the Default Key section, create a new 1024 bit RSA key.
11. Click Ex/Import and select New 1024Bit RSA Key.
12. Click OK.
13. Click the Client Networks tab.
13. Right click the table and select New Client Network.
14. Complete the fields and click OK.
15. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
16. Click Activate.

Configure RSA SecurID on a VPN IPsec Service

1. From the Config Tree, select Virtual Servers > S1 > Assigned Services > your created (VPN-Service) > Client to Site.
2. Click Lock.
3. Click the External CA tab and then click Click here for options.
4. In the X509 Client Security section, select the External Authentication check box.
5. In the Group VPN Settings window, select rsaace from the Authentication Scheme pull down list. Click OK.
6. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation. Click Activate.

Create a VPN Group Policy

1.
2. From the Config Tree, select Virtual Servers > S1 > Assigned Services > your created (VPN-Service) > Client to Site.
3. Click Lock.
4. Click the External CA tab and then click Group Policy tab.
5. Right click the table and select New Group Policy.
6. Enter a name for the Group Policy.
7. From the Network list, select the VPN client network.
8. In the Network Route section, enter the network that must be reachable through the VPN connection.
9. Configure the group policy: right click the Group Policy Condition table and select New Rule.
10. In the Group Pattern field, define the group or leave it blank if no groups are used.
11. Click OK.
12. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
13. Click Activate.

RSA SecurID Login Screens

SSL VPN Screens

Login screen:
User-defined New PIN:
System-generated New PIN:
Next Tokencode:

Note: In the Next Token field enter the Next Passcode; PIN plus Tokencode.

Network Access Client Screens

Login screen:
User-defined New PIN:
Next Tokencode:

Certification Checklist for RSA SecurID Access

Date Tested: October 13, 2016

Certification Environment

Product Name                        Version Information            Operating System
RSA Authentication Manager          8.2                            Virtual Appliance
RSA Authentication Agent            8.1.1.109.06_03_11_03_16_51    Linux
RSA Software Token                  5.0.0.292                      Windows 10
Barracuda Network Access clients    4.0                            Windows 10
Barracuda NG Firewall               7.0.0                          Linux

RSA SecurID Authentication

Date Tested: October 13, 2016

Mandatory Functionality
Function | Native UDP | Native TCP | RADIUS Client

New PIN Mode
  Force Authentication After New PIN    N/A N/A
  System Generated PIN                  N/A N/A
  User Defined (4-8 Alphanumeric)       N/A N/A
  User Defined (5-7 Numeric)            N/A N/A
  Deny 4 and 8 Digit PIN                N/A N/A
  Deny Alphanumeric PIN                 N/A N/A
  Deny PIN Reuse                        N/A N/A

Passcode
  16 Digit Passcode                     N/A N/A
  4 Digit Fixed Passcode                N/A N/A

Next Tokencode Mode
  Next Tokencode Mode                   N/A N/A

On-Demand Authentication
  On-Demand Authentication              N/A N/A
  On-Demand New PIN                     N/A N/A

Load Balancing / Reliability Testing
  Failover (3-10 Replicas)              N/A N/A
  RSA Authentication Manager            N/A N/A

= Pass   = Fail   N/A = Non-available

Known Issues

Barracuda Network Access VPN Client does not display the system generated PIN for the user. Contact your site administrator to predefine your PIN or use the URL to your site's RSA Self-Service Console to predefine your own PIN.

Appendix

Perform Test Authentication:

If you need to perform a test authentication, you can log into the NG Firewall using SSH. An SSH client is included in NG Admin under the SSH tab. Once logged in, type the following command in the console:

    phibstest e user=<username> password=<password> authscheme=rsaace

Replace <username> with your user name and <password> with your fixed password, tokencode or passcode depending on the authentication requirements.

RSA SecurID Authentication Files

UDP Agent Files              Location
sdconf.rec                   None stored, In Memory /phion0/rsa/rsamain
sdopts.rec                   Not implemented.
Node secret                  None stored, In Memory or path to node secret file
sdstatus.12 / jastatus.12    None stored, In Memory /phion0/rsa/rsamain

TCP Agent Files              Location
rsa_api.properties           N/A
sdconf.rec                   N/A
sdopts.rec                   N/A
Node secret                  N/A

Partner Integration Details

Display RSA Server Info
Perform Test Authentication
Agent Tracing

Yes