Microsoft Forefront UAG 2010 SP1 DirectAccess


RSA SecurID Ready Implementation Guide
Last Modified: November 3, 2010

Partner Information

Partner Name: Microsoft
Web Site: www.microsoft.com

Product Information

Product Name: Forefront UAG 2010 SP1 DirectAccess
Version & Platform: 4.0.1406.10000
Product Description: Microsoft Forefront UAG 2010 is a comprehensive, secure remote access gateway that provides Secure Sockets Layer (SSL)-based application access and protection with endpoint security management. It provides granular access control, authorization, and deep content inspection for a broad range of devices and locations connecting to a wide variety of line-of-business, intranet, and client/server resources.

Solution Summary

Microsoft Forefront UAG 2010 SP1 DirectAccess uses RSA SecurID two-factor authentication to provide a higher level of assurance for access to network resources. UAG gives network administrators the tools necessary to secure hosted applications and control the data streams passed to the host server.

RSA SecurID supported features (Microsoft Forefront UAG 2010 SP1 DirectAccess)

Feature                                                      Supported
RSA SecurID Authentication via Native RSA SecurID Protocol   Yes
RSA SecurID Authentication via RADIUS Protocol               No
RSA Authentication Manager Replica Support                   Yes
Secondary RADIUS Server Support                              No
RSA SecurID Software Token Automation                        No
RSA SecurID SD800 Token Automation                           No
RSA SecurID Protection of Administrative Interface           No

Authentication Agent Configuration

Authentication Agents are records in the RSA Authentication Manager database that contain information about the systems for which RSA SecurID authentication is provided. All RSA SecurID-enabled systems require corresponding Authentication Agents. Authentication Agents are managed using the RSA Security Console.

Two pieces of information are required to create an Authentication Agent: the hostname, and the IP addresses of its network interfaces.

Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by RSA Authentication Manager to determine how communication with Microsoft Forefront UAG will occur.

Note: Hostnames within RSA Authentication Manager / the RSA SecurID Appliance must resolve to valid IP addresses on the local network.

RSA SecurID Authentication Files

File          Location
sdconf.rec    C:\Windows\System32
Node Secret   C:\Windows\System32
sdstatus.12   C:\Windows\System32
sdopts.rec    C:\Windows\System32

Note: The appendix of this document contains more detailed information regarding these files.

Please refer to the appropriate RSA Security documentation for additional information about creating, modifying and managing Agent Host records.

Partner Product Configuration

Before You Begin

This section provides instructions for configuring Microsoft Forefront UAG 2010 SP1 with RSA SecurID authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All Microsoft Forefront UAG 2010 SP1 components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Integration

Clients Configuration

1. Open UAG Manager and select DirectAccess. To begin configuring DirectAccess, select the Configure link within Step 1.
2. Use the default option and click Next.
3. Select the domain to which the clients will connect when using DirectAccess.
4. Use the default GPO names and click Next.
5. Choose the security group for the client machines.
6. Select Add > Advanced and Find to locate and associate a security group for DirectAccess client computers.
7. Click Finish to continue.

DirectAccess Server Configuration

1. Select the Configure link within Step 2.
2. Select the IP address for the Internet-facing network and for the internal network, and click Next.
3. Use the Browse button to locate the DC's server certificate to be used by DirectAccess to initiate a connection to the network.
4. Select the DC's server certificate from the list of available certificates.
5. Click Next to continue.
6. Select the IPv6 prefixes used to connect to the corpnet and click Next.
7. Click Browse to locate the certificate used to connect the client using IP-HTTPS (similar to step 4 above). Click Finish to continue.
8. Select Require two-factor authentication and click Next to continue.
9. Select Clients will authenticate using a one-time password (OTP) and click Next to continue.
10. Click Add to associate the RSA Authentication Manager for OTP authentication.
11. Set the IP address of the RSA Authentication Manager 7.1 server.
12. Click Next to continue.
13. Click Add to associate the OTP CA server.
14. Browse to locate the OTP CA server.
15. Select the correct CA and click OK to continue.
16. Click Next to continue.
17. Click Apply to generate and execute the PowerShell script that configures the CA.
18. Click OK at the end of script execution.
19. Click Finish to continue.

Infrastructure Server

1. Select the Configure link within Step 3.
2. Select a server to use for network location detection and click Next to continue.
3. Verify that your domain exists and click Next to continue.
4. Click Next to continue.
5. Click Finish.

Generate System Policies

1. Select Apply Policy.
2. Select Apply Now to push the GPO settings to the DC.
3. UAG will now write the policies to the DC; click OK to complete.
4. Click Close.
5. Open a command prompt using the Run as administrator option within Windows.
6. Update the group policies from the elevated command prompt by running gpupdate /force.
7. Open the UAG Manager and select File > Activate.
8. Select Activate from the Activate Configuration window.

UAG DirectAccess Client Configuration

1. Install DCA.MSI on the client machine.
2. Click Finish to complete the installation of the UAG DirectAccess client.
3. Open a command prompt with elevated privileges (select Run as administrator).
4. Run gpupdate /force from the command line to synchronize the domain user policy.

Authentication Process

1. Relocate the client workstation/laptop to the external network and attempt to access a network resource located within the domain. If the configuration is successful, you will be prompted for the user's OTP credentials.
2. If RSA Authentication Manager 7.1 is configured for system-generated PINs, the user will be presented with the following screen during the initial login.
3. When a user is forced to change their SecurID PIN, the following prompt will be displayed.

Certification Checklist for RSA Authentication Manager

Date Tested: July 30, 2010

Certification Environment

Product Name                          Version Information   Operating System
RSA Authentication Manager            7.1                   Windows 2003 SP2
Forefront UAG 2010 SP1 DirectAccess   4.0.1406.10000        Windows 2008 R2 x64

Mandatory Functionality                  RSA Native Protocol   RADIUS Protocol
New PIN Mode
  Force Authentication After New PIN     [mark]                N/A
  System Generated PIN                   [mark]                N/A
  User Defined (4-8 Alphanumeric)        [mark]                N/A
  User Defined (5-7 Numeric)             [mark]                N/A
  Deny 4 and 8 Digit PIN                 [mark]                N/A
  Deny Alphanumeric PIN                  [mark]                N/A
  Deny Numeric PIN                       [mark]                N/A
  Deny PIN Reuse                         [mark]                N/A
Passcode
  16 Digit Passcode                      [mark]                N/A
  4 Digit Fixed Passcode                 [mark]                N/A
Next Tokencode Mode
  Next Tokencode Mode                    [mark]                N/A
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)               [mark]                N/A
  No RSA Authentication Manager          [mark]                N/A

[mark] stands for the pass/fail symbol printed in the original RSA Native Protocol column, which did not survive transcription. The RADIUS Protocol column is N/A throughout because this integration does not support RADIUS (see Solution Summary).

DRP/PAR   Legend: pass mark = Pass; fail mark = Fail; N/A = Not Applicable to Integration

Certification Checklist for RSA Authentication Manager (continued)

RSA Software Token Automation Functionality   RSA Native Protocol   RADIUS Protocol
PINless Token                                 N/A                   N/A
PINpad-style Token                            N/A                   N/A
Fob-style Token                               N/A                   N/A
16-Digit Passcode                             N/A                   N/A
Alphanumeric PIN                              N/A                   N/A
New PIN Mode                                  N/A                   N/A
Next Tokencode Mode                           N/A                   N/A
Password-Protected Token                      N/A                   N/A

RSA SecurID 800 Token Automation Functionality   RSA Native Protocol   RADIUS Protocol
PINless Mode                                     N/A                   N/A
16-Digit Passcode                                N/A                   N/A
New PIN Mode                                     N/A                   N/A
Next Tokencode Mode                              N/A                   N/A

DRP/PAR   Legend: pass mark = Pass; fail mark = Fail; N/A = Not Applicable to Integration

Appendix

Partner Integration Details

RSA SecurID API                  Custom Build; 6.4 (025)
RSA Authentication Agent Type    Standard Agent
RSA SecurID User Specification   Designated Users
Display RSA Server Info          No
Perform Test Authentication      No
Agent Tracing                    Yes

API Details: UAG uses a custom implementation of the ACE Agent API which cannot be used with any other product. The aceclnt.dll is located in the C:\Program Files\Microsoft Forefront Threat Management Gateway folder.

Node Secret: Located in the C:\Windows\System32 folder. Delete it if you need to clear the node secret on the Agent Host. Clear the node secret for the matching agent record in the RSA Security Console as well, so that a new one is established on the next authentication; deleting only the local file leaves the two sides out of sync and authentication will fail until both are cleared.

sdconf.rec: Place the sdconf.rec file in the C:\Windows\System32 folder.

sdopts.rec: Place the sdopts.rec file in the C:\Windows\System32 folder.

sdstatus.12: Created by the agent and located in the C:\Windows\System32 folder.

Agent Tracing: To enable tracing, registry edits must be made on the Microsoft Windows system on which the RSA ACE/Agent is loaded.

1. Run the registry editor.
2. Under HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT add the following two values (Edit > Add Value):

   Value Name: TraceLevel
   Data Type: REG_DWORD
   Data (hex): f

   Value Name: TraceDest
   Data Type: REG_DWORD
   Data (hex): 6

   Note: TraceDest is a bit map: 1 = Windows Event Log; 2 = stdout (screen output); 4 = <WINDOWS_HOME>\aceclient.log. For example, the value 6 directs the debug trace to both the aceclient.log file and the console.

3. Click OK.
4. Reboot the Windows machine.

Optional parameters are as follows:

   Value Name: TraceFile
   Data Type: REG_SZ
   Data: the path and filename of the log file to create (default %SystemRoot%\aceclient.log)

   Value Name: TraceSize
   Data Type: REG_DWORD
   Data: the desired maximum file size in bytes

Trace output at this level records the details of authentication traffic. Turn tracing off (remove the values, or set TraceLevel to 0) and delete the log file once troubleshooting is complete, and keep the log readable only by administrators while it exists.
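The following PowerShell script is an added example for the file-placement section and the Agent Tracing appendix above; it is not code from RSA or Microsoft. It checks that the agent files are in C:\Windows\System32, writes the TraceLevel/TraceDest (and optional TraceFile/TraceSize) registry values with the same types the appendix specifies, decodes the TraceDest bit map, and removes the values again when troubleshooting is done. The node secret file name is taken as a caller-supplied parameter because the guide does not name the file; everything else (paths, key, value names, types) is as printed in the appendix.

```powershell
# Added example (not part of the RSA/Microsoft guide): verify the SecurID agent files
# and toggle RSA ACE/Agent tracing via the registry values listed in the appendix.
# Assumptions: paths, key and value names are exactly those in the appendix; the
# node secret file name is passed in by the caller because the guide does not name it.
#Requires -RunAsAdministrator

$AceClientKey = 'HKLM:\SOFTWARE\SDTI\ACECLIENT'
$AgentDir     = Join-Path $env:SystemRoot 'System32'

function Test-SecurIDAgentFiles {
    # Reports which agent files from the appendix are present in System32.
    # sdstatus.12 and the node secret are created during operation, so their absence
    # before the first successful authentication is expected rather than an error.
    param([string]$NodeSecretFileName)   # assumed parameter; name not given in the guide

    $required  = @('sdconf.rec', 'sdopts.rec')
    $generated = @('sdstatus.12')
    if ($NodeSecretFileName) { $generated += $NodeSecretFileName }

    $report = foreach ($name in ($required + $generated)) {
        [pscustomobject]@{
            File     = $name
            Present  = Test-Path -LiteralPath (Join-Path $AgentDir $name)
            Required = ($name -in $required)
        }
    }
    $missing = $report | Where-Object { $_.Required -and -not $_.Present }
    if ($missing) {
        Write-Warning ('Missing required agent file(s): ' + ($missing.File -join ', '))
    }
    $report
}

function ConvertFrom-TraceDest {
    # Decodes the TraceDest bit map (1 = Event Log, 2 = stdout, 4 = aceclient.log).
    param([Parameter(Mandatory)][int]$Value)
    $map  = [ordered]@{ 1 = 'Windows Event Log'; 2 = 'stdout'; 4 = 'aceclient.log' }
    $dest = foreach ($bit in $map.Keys) { if ($Value -band $bit) { $map[$bit] } }
    if (-not $dest) { 'none' } else { $dest }
}

function Enable-AceClientTrace {
    # Writes the values the appendix has you add by hand in regedit.
    # TraceLevel/TraceDest/TraceSize are REG_DWORD, TraceFile is REG_SZ.
    # A reboot is still required afterwards, as the guide states.
    param(
        [int]$TraceLevel = 0xF,
        [int]$TraceDest  = 6,        # 2 (stdout) + 4 (aceclient.log), the guide's example
        [string]$TraceFile,
        [int]$TraceSize
    )
    if (-not (Test-Path $AceClientKey)) { New-Item -Path $AceClientKey -Force | Out-Null }
    New-ItemProperty -Path $AceClientKey -Name TraceLevel -PropertyType DWord -Value $TraceLevel -Force | Out-Null
    New-ItemProperty -Path $AceClientKey -Name TraceDest  -PropertyType DWord -Value $TraceDest  -Force | Out-Null
    if ($TraceFile) { New-ItemProperty -Path $AceClientKey -Name TraceFile -PropertyType String -Value $TraceFile -Force | Out-Null }
    if ($TraceSize) { New-ItemProperty -Path $AceClientKey -Name TraceSize -PropertyType DWord  -Value $TraceSize -Force | Out-Null }
    $where = (ConvertFrom-TraceDest $TraceDest) -join ', '
    Write-Host ('Tracing enabled: TraceLevel 0x{0:X}, destinations: {1}. Reboot to apply.' -f $TraceLevel, $where)
}

function Disable-AceClientTrace {
    # Removes all four trace values so authentication details stop being written out.
    foreach ($name in 'TraceLevel', 'TraceDest', 'TraceFile', 'TraceSize') {
        Remove-ItemProperty -Path $AceClientKey -Name $name -ErrorAction SilentlyContinue
    }
}

# Usage:
#   Test-SecurIDAgentFiles | Format-Table
#   Enable-AceClientTrace -TraceDest 4 -TraceSize 10MB   # log file only, capped at 10 MB
#   Disable-AceClientTrace                                # when troubleshooting is finished
```

Run it from an elevated PowerShell session on the UAG server. Choosing TraceDest 4 rather than the guide's 6 keeps the trace out of the console and in the log file alone, which is easier to collect and to delete afterwards.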