Microsoft Forefront UAG 2010 SP1 DirectAccess
RSA SecurID Ready Implementation Guide
Last Modified: November 3, 2010

Partner Information
Partner Name: Microsoft
Web Site: www.microsoft.com

Product Information
Product Name: Forefront UAG 2010 SP1 DirectAccess
Version & Platform: 4.0.1406.10000
Product Description: Microsoft's Forefront UAG 2010 is a comprehensive, secure remote access gateway that provides secure socket layer (SSL)-based application access and protection with endpoint security management. It provides granular access control, authorization, and deep content inspection from a broad range of devices and locations to a wide variety of line-of-business, intranet, and client/server resources.
Solution Summary
Microsoft Forefront UAG 2010 SP1 DirectAccess uses RSA SecurID for two-factor authentication, providing a higher level of security for access to network resources. UAG provides network administrators with the tools necessary to secure hosted applications and control the data streams passed to the host server.

RSA SecurID supported features (Microsoft Forefront UAG 2010 SP1 DirectAccess)
RSA SecurID Authentication via Native RSA SecurID Protocol: Yes
RSA SecurID Authentication via RADIUS Protocol: No
RSA Authentication Manager Replica Support: Yes
Secondary RADIUS Server Support: No
RSA SecurID Software Token Automation: No
RSA SecurID SD800 Token Automation: No
RSA SecurID Protection of Administrative Interface: No
Authentication Agent Configuration
Authentication Agents are records in the RSA Authentication Manager database that contain information about the systems for which RSA SecurID authentication is provided. All RSA SecurID-enabled systems require corresponding Authentication Agents. Authentication Agents are managed using the RSA Security Console.

The following information is required to create an Authentication Agent:
- Hostname
- IP addresses for network interfaces

Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with Microsoft Forefront UAG will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

RSA SecurID Authentication Files
File | Location
sdconf.rec | C:\Windows\System32
Node Secret | C:\Windows\System32
sdstatus.12 | C:\Windows\System32
sdopts.rec | C:\Windows\System32

Note: The appendix of this document contains more detailed information regarding these files. Please refer to the appropriate RSA Security documentation for additional information about creating, modifying and managing Agent Host records.
Partner Product Configuration

Before You Begin
This section provides instructions for configuring Microsoft Forefront UAG 2010 SP1 with RSA SecurID authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All Microsoft Forefront UAG 2010 SP1 components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Integration

Clients Configuration
1. Open UAG Manager and select DirectAccess. To begin configuring DirectAccess, select the Configure link within Step 1.
2. Use the default option and click Next.
3. Select the domain to which the clients will connect when using DirectAccess.
4. Use the default GPO names and click Next.
5. Choose the security group for the client machines.
6. Select Add > Advanced and Find to locate and associate a security group for DirectAccess client computers.
7. Click Finish to continue.
DirectAccess Server Configuration
1. Select the Configure link within Step 2.
2. Select the IP address for the Internet-facing network and for the internal network, and click Next.
3. Use the Browse button to locate the DC's server certificate to be used by DirectAccess to initiate a connection to the network.
4. Select the DC's server certificate from the list of available certificates.
5. Select Next to continue.
6. Select the IPv6 prefixes used to connect to the corpnet and click Next.
7. Select Browse to locate the certificate used to connect the client using IP-HTTPS (similar to step 4 above). Click Finish to continue.
8. Select Require two-factor authentication and click Next to continue.
9. Select Clients will authenticate using a one-time password (OTP) and select Next to continue.
10. Select Add to associate the RSA Authentication Manager for OTP authentication.
11. Set the IP address of the RSA Authentication Manager 7.1 server.
12. Select Next to continue.
13. Select Add to associate the OTP CA server.
14. Browse to locate the OTP CA server.
15. Select the correct CA and click OK to continue.
16. Select Next to continue.
17. Select Apply to generate and execute the PowerShell script that configures the CA.
18. Click OK at the end of script execution.
19. Click Finish to continue.
Infrastructure Server
1. Select the Configure link within Step 3.
2. Select a server to use for network location detection and select Next to continue.
3. Verify that your domain exists and select Next to continue.
4. Select Next to continue.
5. Select Finish.

Generate System Policies
1. Select the Apply Policy
2. Select Apply Now to push the GPO settings to the DC.
3. UAG will now write the policies to the DC; select OK to complete.
4. Select Close.
5. Open a command prompt using the Run as Administrator option within Windows.
6. Update Group Policy from the elevated command prompt by running gpupdate /force.
7. Open the UAG Manager and select File > Activate.
8. Select Activate from the Activate Configuration window.

UAG DirectAccess Client Configuration
1. Install DCA.MSI on the client machine.
2. Click Finish to complete the installation of the UAG DirectAccess client.
3. Open a command prompt with elevated privileges (select Run as administrator).
4. Run gpupdate /force from the command line to synchronize the domain user policy.

Authentication Process
1. Relocate the client workstation/laptop to the external network and attempt to access a network resource located within the domain. If successful, you will be prompted for the user's OTP credentials.
2. If RSA Authentication Manager 7.1 is configured for system-generated PINs, users will be presented with the following screen during their initial login.
3. When a client is forced to change their SecurID PIN, the following prompt will be displayed.
Certification Checklist for RSA Authentication Manager
Date Tested: July 30th, 2010

Certification Environment
Product Name | Version Information | Operating System
RSA Authentication Manager | 7.1 | Windows 2003 SP2
Forefront UAG 2010 SP1 DirectAccess | 4.0.1406.10000 | Windows 2008 R2 x64

Mandatory Functionality | RSA Native Protocol | RADIUS Protocol
New PIN Mode
Force Authentication After New PIN | | N/A
System Generated PIN | | N/A
User Defined (4-8 Alphanumeric) | | N/A
User Defined (5-7 Numeric) | | N/A
Deny 4 and 8 Digit PIN | | N/A
Deny Alphanumeric PIN | | N/A
Deny Numeric PIN | | N/A
Deny PIN Reuse | | N/A
Passcode
16 Digit Passcode | | N/A
4 Digit Fixed Passcode | | N/A
Next Tokencode Mode
Next Tokencode Mode | | N/A
Load Balancing / Reliability Testing
Failover (3-10 Replicas) | | N/A
No RSA Authentication Manager | | N/A

DRP/PAR
Legend: = Pass, = Fail, N/A = Not Applicable to Integration
Certification Checklist for RSA Authentication Manager

RSA Software Token Automation Functionality | RSA Native Protocol | RADIUS Protocol
PINless Token | N/A | N/A
PINpad-style Token | N/A | N/A
Fob-style Token | N/A | N/A
16-Digit Passcode | N/A | N/A
Alphanumeric PIN | N/A | N/A
New PIN Mode | N/A | N/A
Next Tokencode Mode | N/A | N/A
Password-Protected Token | N/A | N/A

RSA SecurID 800 Token Automation Functionality | RSA Native Protocol | RADIUS Protocol
PINless Mode | N/A | N/A
16-Digit Passcode | N/A | N/A
New PIN Mode | N/A | N/A
Next Tokencode Mode | N/A | N/A

DRP / PAR
Legend: = Pass, = Fail, N/A = Not Applicable to Integration
Appendix

Partner Integration Details
RSA SecurID API: Custom Build; 6.4 (025)
RSA Authentication Agent Type: Standard Agent
RSA SecurID User Specification: Designated Users
Display RSA Server Info: No
Perform Test Authentication: No
Agent Tracing: Yes

API Details: The UAG uses a custom implementation of the ACE Agent API which cannot be used with any other product. The aceclnt.dll is located in the C:\Program Files\Microsoft Forefront Threat Management Gateway folder.

Node Secret: Located within the C:\Windows\System32 folder; delete it when required to clear the node secret on the Agent Host.
sdconf.rec: Place the sdconf.rec file in the C:\Windows\System32 folder.
sdopts.rec: Place the sdopts.rec file in the C:\Windows\System32 folder.
sdstatus.12: Created by the agent and located within the C:\Windows\System32 folder.

Agent Tracing: To enable tracing, registry edits must be made on the Microsoft Windows system on which the RSA ACE/Agent is loaded.
1. Run the registry editor.
2. Under HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT, add the following two values (Edit > Add Value):
   Value Name: TraceLevel
   Data Type: REG_DWORD
   Click OK, select Hex in the DWORD Editor, and enter Data: f
3. Click OK.
   Value Name: TraceDest
   Data Type: REG_DWORD
   Click OK, select Hex in the DWORD Editor, and enter Data: 6
   Click OK.
   Note: the TraceDest parameter is a bit map, as follows:
   "1" --> Windows Event Log
   "2" --> stdout (screen output)
   "4" --> <WINDOWS_HOME>\aceclient.log
   E.g. using the value "6" directs the debug trace to the aceclient.log file and to the console.
4. Reboot the Windows machine.

Optional parameters are as follows:
   Value Name: TraceFile
   Data Type: REG_SZ
   Click OK, then enter the path and filename of the log file to create (default %SYSTEMROOT%\aceclient.log).
   Value Name: TraceSize
   Data Type: REG_DWORD
   Click OK, select a format in the DWORD Editor, enter Data: the desired file size in bytes, and click OK.
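The same registry changes can be scripted rather than typed into the registry editor. The following PowerShell is an added example, not part of the RSA or Microsoft guide; it assumes only the key path, value names and TraceDest bit meanings documented above, and the function names are the author's own.

```powershell
# Added example (not from the guide): manage RSA ACE/Agent tracing values under
# the registry key named in the Agent Tracing section. Run from an elevated session.
$AceClientKey = 'HKLM:\SOFTWARE\SDTI\ACECLIENT'

# TraceDest bit map as documented in the guide (plain hashtable: int keys are looked up by key).
$TraceDestBits = @{ 1 = 'Windows Event Log'; 2 = 'stdout (screen output)'; 4 = 'aceclient.log' }

function ConvertFrom-TraceDest {
    # Decode a TraceDest value into its destinations, e.g. 6 -> stdout + aceclient.log.
    param([Parameter(Mandatory)][int]$Value)
    $TraceDestBits.Keys | Sort-Object | Where-Object { ($Value -band $_) -ne 0 } |
        ForEach-Object { $TraceDestBits[$_] }
}

function Enable-AceAgentTrace {
    param(
        [int]$TraceLevel = 0xf,   # value the guide specifies (hex f)
        [int]$TraceDest  = 6,     # value the guide specifies: stdout + aceclient.log
        [string]$TraceFile,       # optional REG_SZ; default is %SYSTEMROOT%\aceclient.log
        [int]$TraceSize           # optional REG_DWORD; maximum log size in bytes
    )
    if (-not (Test-Path $AceClientKey)) { New-Item -Path $AceClientKey -Force | Out-Null }
    New-ItemProperty -Path $AceClientKey -Name TraceLevel -PropertyType DWord -Value $TraceLevel -Force | Out-Null
    New-ItemProperty -Path $AceClientKey -Name TraceDest  -PropertyType DWord -Value $TraceDest  -Force | Out-Null
    if ($TraceFile) { New-ItemProperty -Path $AceClientKey -Name TraceFile -PropertyType String -Value $TraceFile -Force | Out-Null }
    if ($TraceSize) { New-ItemProperty -Path $AceClientKey -Name TraceSize -PropertyType DWord  -Value $TraceSize -Force | Out-Null }
    $dests = (ConvertFrom-TraceDest $TraceDest) -join ', '
    Write-Host ("Trace enabled: TraceLevel 0x{0:x}, TraceDest {1} ({2})" -f $TraceLevel, $TraceDest, $dests)
    Write-Host 'Reboot the machine for the change to take effect, as the guide requires.'
}

function Disable-AceAgentTrace {
    # Remove the trace values once troubleshooting is done; the trace log records authentication activity.
    foreach ($name in 'TraceLevel', 'TraceDest', 'TraceFile', 'TraceSize') {
        Remove-ItemProperty -Path $AceClientKey -Name $name -ErrorAction SilentlyContinue
    }
}

# Example: trace to the event log and aceclient.log (bits 1 + 4), capped at 10 MB.
Enable-AceAgentTrace -TraceDest 5 -TraceSize 10MB
```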