Blue Coat's Guide to Authentication V1.0
- Vincent McBride
Blue Coat and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered in certain jurisdictions. All other product or service names are the property of their respective owners. Blue Coat Systems, Inc All Rights Reserved.

Agenda
- Authentication, Authorization
- Authentication Modes
  - Explicit mode authentication
  - Transparent mode authentication
- Authentication Realms
  - IWA
  - Windows SSO
  - LDAP
  - Novell
  - Radius
  - Local
  - Certificate
  - Substitution

Authentication, Authorization, Accounting

Authentication
- Used on Proxy SG to:
  - Authenticate device administrators
    - Can be used to set up authorization rules
    - Configuration modification logs
  - Authenticate users surfing to Internet
    - Used for logging
    - Used to build a policy based on users
- Authentication is a two-level architecture:
  - Proxy mechanism to challenge the user
  - Authentication Realm used to validate credentials

Authorization
- Device administrators
  - Two profiles available today:
    - Read only
    - Read/write
- Users surfing to Internet
  - Can build a policy based on:
    - Usernames
    - Groups
    - Attributes
  - Reporting
  - Exceptions tuning

Authentication Modes

HTTP RFC
- Two HTTP challenges (challenge modes) are available:
  - 401: WWW-Authenticate: authenticate on a resource
  - 407: Proxy-Authenticate: proxy asks for authentication
- Credentials are replayed by the browser in the same session:
  - For the same destination with 401
  - For every request with 407
- Types of challenge can be:
  - Basic
  - NTLM
  - Negotiate (Kerberos)

Blue Coat Terminology
- Need to understand the differences between the proxy's deployment mode and the authentication mode
- Proxy can be set up as:
  - Explicit proxy
  - Transparent proxy
- Authentication mode can be:
  - Explicit mode: proxy, proxy IP
  - Transparent mode: origin (ip/cookie), origin-redirect (ip/cookie), form (origin/cookie), form-redirect (origin/cookie)
- An explicit proxy architecture can use transparent mode authentication (but this is not really recommended)

Blue Coat Terminology
- Authentication mode syntax: Mode-surrogate[-redirect]
- Mode can be:
  - Proxy
  - Origin
  - Form
- Surrogate can be:
  - IP
  - Cookie (session or time based)
- Redirect means the user will be challenged and redirected on the virtual URL

Proxy Authentication
- 407 Proxy Authentication Required
  - Indicates that the client must first authenticate itself with the proxy
  - The proxy MUST return a Proxy-Authenticate header field
  - The client MAY repeat the request with a suitable Proxy-Authorization header field
- Cannot be used in transparent deployments

Server Authentication
- 401 Unauthorized
  - The request requires user authentication.
  - The response MUST include a WWW-Authenticate header field
- Used for Web Server Authentication
- Authentication cached separately for each resource
- Proxy cannot challenge the user agent
  - HTTP 407 are ignored
- Cache Authentication Information: Surrogate
  - Avoid challenging the user agent multiple times

Surrogate
- It's the proxy's way to memorize an already authenticated user.
- Can be used to limit the impact on the authentication architecture in high-volume deployments
- TCP session is the default surrogate
- In proxy mode authentication:
  - Only IP can be used: proxy-ip
- In transparent mode authentication:
  - IP
  - Cookie
    - Session
    - Time based

Authentication modes best practice
Columns: Proxy Challenge | Origin Challenge | Form Challenge | Origin Challenge with redirection | Form Challenge with redirection
- TCP connection Surrogate: proxy | origin
- Cookie Surrogate: - | origin-cookie | form-cookie | origin-cookie-redirect | form-cookie-redirect
- IP Surrogate: proxy-ip | origin-ip | form-ip | origin-ip-redirect | form-ip-redirect
Deployment types shown on the slide: Explicit Proxy, Reverse Proxy, Transparent Proxy

When to use?
- Proxy mode: explicit proxy architecture
- Proxy-ip: explicit proxy when SG sees the client IP
- Origin/form[ip/cookie]: reverse proxy when you don't need single auth for different servers
- [Origin/form]-redirect:
  - Transparent proxy auth
  - Reverse proxy when single auth is needed
  - Secure basic credential in proxy mode (AT RISK)

How to setup?
- Using VPM in the authentication layer
  - Authenticate
  - Force_authenticate

Specific modes
- Auto means: proxy chooses the mode depending on the connection type
  - Proxy: in explicit mode
  - Origin[cookie/ip]: in transparent mode
- SG2: legacy auto on SG2
- Use IP surrogate for IWA proxy mode

Downgrade rules
- Streaming requests are switched to origin challenges?
- If the challenge type is origin-redirect, but the client doesn't understand redirects, switch to origin, including:
  - Non-HTTP requests
  - Streaming clients (even over HTTP)
  - POST or PUT from browsers that don't support 307 redirects
  - POST or PUT with mime-type multipart/form
- If the surrogate credential is set to cookie, but the client doesn't support cookies, downgrade to ip:
  - Non-HTTP requests
  - Streaming clients (over HTTP)
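
The mode syntax and the downgrade rules above, worked through as an added Python example (not Blue Coat code and not part of the original slides). The `Request` fields and the function names are hypothetical; the list of valid modes is the one in the best-practice table, and the redirect rule is applied to origin modes only because that is the only case the slide states.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Mode names listed in the "Authentication modes best practice" table.
VALID_MODES = {
    "proxy", "origin",                                   # TCP connection surrogate
    "proxy-ip", "origin-ip", "form-ip",
    "origin-ip-redirect", "form-ip-redirect",            # IP surrogate
    "origin-cookie", "form-cookie",
    "origin-cookie-redirect", "form-cookie-redirect",    # cookie surrogate
}


@dataclass(frozen=True)
class AuthMode:
    mode: str                  # proxy | origin | form
    surrogate: Optional[str]   # ip | cookie | None (TCP connection is the surrogate)
    redirect: bool             # True when the user is sent to the virtual URL

    def __str__(self) -> str:
        parts = [self.mode]
        if self.surrogate:
            parts.append(self.surrogate)
        if self.redirect:
            parts.append("redirect")
        return "-".join(parts)


@dataclass(frozen=True)
class Request:
    """Constructed description of a client request (field names are hypothetical)."""
    is_http: bool = True
    streaming: bool = False
    method: str = "GET"
    supports_307: bool = True
    content_type: str = ""


def parse_mode(name: str) -> AuthMode:
    """Split Mode-surrogate[-redirect]; reject names the table does not list."""
    name = name.strip().lower()
    if name not in VALID_MODES:
        raise ValueError(f"not a listed authentication mode: {name!r}")
    parts = name.split("-")
    redirect = parts[-1] == "redirect"
    middle = parts[1:-1] if redirect else parts[1:]
    return AuthMode(parts[0], middle[0] if middle else None, redirect)


def cannot_follow_redirect(req: Request) -> bool:
    """The four cases the slide lists under 'client doesn't understand redirects'."""
    has_body = req.method.upper() in ("POST", "PUT")
    return (
        not req.is_http
        or req.streaming
        or (has_body and not req.supports_307)
        or (has_body and req.content_type.lower().startswith("multipart/form"))
    )


def cannot_hold_cookie(req: Request) -> bool:
    """The two cases the slide lists under 'client doesn't support cookies'."""
    return not req.is_http or req.streaming


def downgrade(mode: AuthMode, req: Request) -> AuthMode:
    """Return the mode that is actually used for this request."""
    # Rule 1: origin-redirect falls back to origin.
    if mode.mode == "origin" and mode.redirect and cannot_follow_redirect(req):
        mode = replace(mode, redirect=False)
    # Rule 2: a cookie surrogate falls back to an IP surrogate.
    if mode.surrogate == "cookie" and cannot_hold_cookie(req):
        mode = replace(mode, surrogate="ip")
    return mode


if __name__ == "__main__":
    configured = parse_mode("origin-cookie-redirect")
    for req in (Request(), Request(streaming=True),
                Request(method="POST", supports_307=False)):
        print(req, "->", downgrade(configured, req))
```

The fall-back to an IP surrogate matters for policy: for the surrogate's lifetime, any session from that source IP is treated as the already authenticated user and is not challenged.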

The Tricky part: Origin Cookie Redirect
- Why:
  - In a transparent proxy architecture you cannot just use 401: it will challenge on every domain
  - You cannot just set a cookie: cookies are per resource (host, domain, path)
  - You need to globally authenticate your user for all Internet.
- How:
  - Redirect the user to a Virtual URL (VU)
  - Authenticate the user on the VU
  - Redirect the user from the VU
  - Use a surrogate to limit performance impacts

How to setup?
- Global VU setting in Authentication/Transparent
- In Authentication/Realm/General: Virtual URL

Origin Cookie Redirect: phase 1

Origin Cookie Redirect: phase 2 on a different domain

Origin Cookie Redirect: phase 3 on the same domain
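
The three phases named above, as an added toy model in Python (not Blue Coat code; the slides' diagrams did not survive, so the message details are assumptions). The host `vu.proxy.example`, the `return` and `ticket` query parameters, the `X-Authenticated-User` header and both class names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

VU_HOST = "vu.proxy.example"   # hypothetical virtual URL host


class Proxy:
    """Toy transparent proxy using an origin-cookie-redirect style flow."""

    def __init__(self, users):
        self.users = users      # username -> password (constructed sample data)
        self.surrogates = {}    # cookie value -> username (surrogate cache)
        self.tickets = {}       # one-time ticket -> username
        self.challenges = 0     # number of 401 challenges sent

    def _issue_cookie(self, user):
        value = secrets.token_urlsafe(16)
        self.surrogates[value] = user
        return value

    def _check(self, basic):
        if basic is None:
            return None
        name, password = basic
        expected = self.users.get(name)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return name

    def handle(self, url, cookie=None, basic=None):
        """Return (status, headers) for one intercepted request."""
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        user = self.surrogates.get(cookie)
        if parts.hostname == VU_HOST:
            if "return" not in query:
                return 400, {}
            headers = {}
            if user is None:                       # no surrogate on the VU yet
                user = self._check(basic)
                if user is None:
                    self.challenges += 1
                    return 401, {"WWW-Authenticate": 'Basic realm="proxy"'}
                headers["Set-Cookie"] = self._issue_cookie(user)
            ticket = secrets.token_urlsafe(16)     # carries the identity back once
            self.tickets[ticket] = user
            target = query["return"][0]
            sep = "&" if urlsplit(target).query else "?"
            headers["Location"] = f"{target}{sep}ticket={ticket}"
            return 302, headers
        if user is not None:                       # surrogate for this host: no challenge
            return 200, {"X-Authenticated-User": user}
        ticket = query.get("ticket", [""])[0]
        user = self.tickets.pop(ticket, None)      # single use
        if user is not None:
            clean = url.rsplit("ticket=", 1)[0][:-1]   # drop "?ticket=..." or "&ticket=..."
            return 302, {"Location": clean, "Set-Cookie": self._issue_cookie(user)}
        return 302, {"Location": f"https://{VU_HOST}/?" + urlencode({"return": url})}


class Browser:
    """Follows redirects, answers challenges, keeps one cookie per host."""

    def __init__(self, proxy, credentials):
        self.proxy, self.credentials = proxy, credentials
        self.jar = {}           # host -> cookie value (cookies are scoped per host)

    def get(self, url):
        """Return (authenticated user, [(status, host), ...])."""
        trace, basic = [], None
        for _ in range(10):
            host = urlsplit(url).hostname
            status, headers = self.proxy.handle(url, self.jar.get(host), basic)
            trace.append((status, host))
            basic = None
            if "Set-Cookie" in headers:
                self.jar[host] = headers["Set-Cookie"]
            if status == 401:
                basic = self.credentials
            elif status == 302:
                url = headers["Location"]
            else:
                return headers.get("X-Authenticated-User"), trace
        raise RuntimeError("too many redirects or challenges")


if __name__ == "__main__":
    proxy = Proxy({"alice": "s3cret"})             # constructed account
    browser = Browser(proxy, ("alice", "s3cret"))
    for url in ("http://a.example/page", "http://b.example/", "http://a.example/other"):
        print(url, browser.get(url), "challenges so far:", proxy.challenges)
```

In this model the user is challenged once, on the virtual URL; a new domain costs a redirect round trip but no credential prompt, and a domain already visited is served directly from its cookie surrogate.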

Origin Redirect for explicit proxy
- Why?
  - Certificate Realm
  - Siteminder
  - Secure credential (HTTPS VU)
- Why not?
  - Not working with CONNECT method (explicit https requests)
  - Not working with applets, bots, apps
  - Not working with POST method (limited)
  - Need to exclude the VU from browser configuration

Authentication cache

Authentication Cache
- Used to limit authentication impact on the architecture
- 3-level cache (in 5.X, just one cache with 4.X):
  - Credential
  - Surrogate
  - Authorization
- Cache is defined per Realm (5.X, global with 4.X)
- Cache time is customizable
- Cache can be flushed (in statistics tab with 5.X)
- 4.X has an entries limit, starting flushing at

Authentication Cache Configuration
- Screenshot: Cache: credential, surrogate, authorization

Credential cache
- Amount of time basic credentials are memorized
- Basic credentials are the login and password asked for basic type of challenges (not NTLM, Kerberos)
- Default time is 900 secs (15 mins)
- During this period the user's credentials are compared to the cached credentials
- If the password mismatches, the proxy will revalidate with the server (may be a password change)
- Cached credentials can be forwarded to the server (CLI command in the forwarding submenu)

Surrogate Cache
- A surrogate is information identifying an authenticated user
- During the surrogate lifetime, the user's sessions are never challenged
- If you clear the surrogate cache, users will be re-challenged
- Two main surrogates:
  - IP address: source IP seen in the TCP session
  - Cookie: cookie set by the proxy
- Cookie mode only available with http (https)

Authorization Cache
- Concerns groups and attributes
- Only available for realms having such notions (LDAP for example)
- Proxy will remember:
  - Groups information
  - Attributes

Form specific information
- SG can challenge a user with a form instead of 401/407/30x
- Form is an exception
- Form content can be customized
- If the user is challenged during a POST request, SG can memorize the POST's content to replay it after authentication: request storage

Authentication Realms: IWA

IWA
- Stands for Integrated Windows Authentication
- Leverages existing Microsoft SSO features
- 3 challenge types available: Basic, NTLM, Negotiate (Kerberos)
- Basic is a fallback method for non-Windows clients
- ProxySG is not part of the Windows architecture!
- We use an agent to relay authentication challenges:
  - BCAAA: Blue Coat Authentication and Authorization Agent
  - Can be installed on a Windows machine or Solaris (4.X)
- Using an agent is Microsoft's advice:
  Microsoft SSPI: "The Microsoft Security Support Provider Interface (SSPI) is the well-defined common API for obtaining integrated security services for authentication, message integrity, message privacy, and security quality of service for any distributed application protocol. Application protocol designers can take advantage of this interface to obtain different security services without modification to the protocol itself. Microsoft encourages all Win32 application developers to use the integrated security features of SSPI for secure distributed application development." (Microsoft White Paper, The Security Support Provider Interface)

IWA: NTLM
- No specific needs for the rights of the user running the agent process
- NTLM is a per-session authentication mechanism
- No credential cache available (challenges)
- NTLM is a three-way challenge (try to use a surrogate)
- General Architecture:
  [Sequence diagram between Browser, Proxy, BCAAA and Domain Controller. Labels in slide order: Request No Auth, Auth Challenge, NTLM Negotiate, NTLM Negotiate Data, Windows API Call w/ntlm Data Negotiation, NTLM Challenge, NTLM Challenge Data, NTLM Challenge Data, NTLM Response, NTLM Response Data, Windows API Call w/ntlm Response Data, Requested Data, Auth Confirmation, Auth Confirmation]

IWA: Kerberos
- Kerberos is the future Microsoft SSO norm
- More secure than NTLM?
- Uses key exchange / tickets based on clock
- Uses the same BCAAA architecture
- Needs a special right to install the agent: act as operating system
- Kerberos only works with transparent mode authentication (redirect)
- Need to register the VU on the DC with the setspn command

IWA troubleshooting
- Good luck
- Try browsing via VPM
- User's rights for the BCAAA service (check documentation)
- When using transparent auth modes (for NTLM or by default with Kerberos):
  - By default the web browser's security only responds to SSO challenges on intranet URLs
  - Intranet URLs are:
    - Non-FQDN URLs (ex: intranet)
    - IP addresses
    - URLs in the intranet security list of IE options
  - This behavior can be changed for IE in the options tabs
  - Can be changed in Firefox in about:config
- Advanced logs for BCAAA:
  [Debug]
  DebugLevel=0xffffffff

IWA: NTLM & Kerberos caveats
- Verbose protocol, try using a surrogate
- Not supported on most non-IE apps (except Firefox?)
- Proxy will log the last group matched in policy:
  - Group of interest list can be ordered in VPM
  - VPM: configuration / set group log order
- Try avoiding Kerberos in explicit mode.
- Multiple Windows domains need bi-directional trust relationships or multiple realms.

Authentication Realms: Windows SSO

Windows SSO
- Windows SSO is not IWA
- Windows Active Directory networks (Novell eDirectory is Novell SSO)
- IP address based
- Uses BCAAA to acquire the mapping of IP address to user name
- User logs into the workstation and then is never challenged
- Works with all protocols

Windows SSO: version specifics
- Authorization is done with an LDAP query of the FQDN on the AD server
- In 4.2.2, Windows SSO only provided the NetBIOS username and domain
  - In most cases customers cannot properly map the NetBIOS name to an AD FQDN
- provides the FQDN
  - Select Use FQDN for Authorization

Windows SSO: How it Works
- Two methods are used to determine the user logged onto a workstation:
  - Domain Controller Querying
  - Client Querying
- The methods can be used separately or together

Domain Controller Querying
- Domain Controller Querying discovers the domain controllers in the forest
- Each domain controller is then frequently queried for the current set of authenticated connections
- This is used to build up a table of IP addresses to authenticated users

Domain Controller Querying II
- Only captures logons, not logouts
- Only captures logons authenticated against a domain controller
- BCAAA must run as a domain user to be able to query Windows 2003 domain controllers
- Data is transient: if BCAAA goes down then new logons are missed
  - All logons are written to a file which restores the state after a restart
  - In 4.2.3, two BCAAAs can synchronize with each other
- Configuration requires editing the sso.ini file in the BCAAA install directory
  - DCQEnabled=1

Client Querying
- Client Querying works by remotely reading the workstation registry to see who is logged on
- Can solve several of the weaknesses of Domain Controller Querying
- Does not need persistent state or synchronization

Client Querying II
- Reading the registry requires BCAAA to run as a domain user
- Windows XP (and greater) firewall blocks registry read requests
  - Need to set up a group domain policy to open up the firewall (if it is being used)
- Does not work with non-Windows or Win 95/98/ME
- Configuration requires editing the sso.ini file in the BCAAA install directory

Authorization
- Windows SSO just provides identification
- Mechanism doesn't provide group information
- Need to use the Realm's Authorization tab:
  - Create an LDAP Realm
  - Use LDAP for authorization
  - Need to map username to LDAP FQDN
- Group based policy uses the Windows SSO Realm
  - When defining a group based policy just create a group object from the Windows SSO realm.

Gotchas
- Need to run BCAAA as a domain user
- BCAAA's domain user should be listed as a service user
- Existing SSL certificate problem
- Windows 2003 SSL privilege problem
- Need to carefully limit which domain controllers are queried

Authentication Realms: LDAP

LDAP
- We have a nice LDAP client (there has never been a blocking LDAP scheme)
- LDAP can only use Basic type challenge
  - No SSO
  - LDAP is not secure between client and proxy unless using origin redirect on an HTTPS VU (AT RISK)
- LDAP config proposes 3 default schemes (AD, Sun, Novell)
- Nested groups are supported
- Group membership can be modified

LDAP SGOS 4
How it works with SG4:
1. SG challenges the user
2. User sends basic
3. SG connects to LDAP server with search user/anonymous
4. SG searches for the user
5. SG connects with user account
6. SG compares attributes

LDAP SGOS 5
How it works with SG5:
1. SG challenges the user
2. User sends basic
3. SG connects to LDAP server with search user/anonymous
4. SG searches for the user
5. SG connects with search user account
6. SG compares attributes

How to setup?
- In authentication/LDAP Realm:
  - LDAP version
  - LDAP server's type (AD, Novell, Sun, other)
  - Server IP address
  - LDAP DN
  - LDAP search user
  - LDAP user attribute

Known LDAP limitations
- One compare request for all groups and attributes rules matched in policy
- No regex on attribute (NetCache feature, no longer on roadmap)
  - Attribute.userrigths=.*1011.*
- Next LDAP version should permit retrieving all user information and testing it locally

Authentication Realms: Novell SSO

Novell SSO
- Customers who use Novell eDirectory want a single sign-on (SSO) solution
- Want users to be able to log in to the Novell client and then be authenticated by the SG without being challenged
- IP address based
- Works with BCAAA version 120 (4.2.3)

Novell SSO: eDirectory Login
- How Novell client logins work:
  - User logs in with the Novell client, which updates the eDirectory user's networkaddress attribute with the IP address (and port) that they logged in from
  - There is a networkaddress value for each IP address that the user has logged in from
  - When a user logs out, the networkaddress value for that login is removed.

Novell SSO: Realm
- Authentication:
  - BCAAA is used to make LDAP queries on the eDirectory server to map IP addresses to users' FQDNs
  - When a user makes a request to the SG, the SG queries BCAAA for the user identity corresponding to the client IP address
- Authorization:
  - The Novell SSO realm uses BCAAA to query the eDirectory server via LDAP
  - An LDAP realm is used by the Novell SSO realm for eDirectory LDAP config
  - Authorization can be performed with the eDirectory server or with a separate authorization server

Novell SSO: BCAAA
- BCAAA version 120 (4.2.3)
- BCAAA uses LDAP APIs for Novell SSO
- BCAAA authenticates via an LDAP bind
  - Credentials are from the search user defined in the Novell SSO LDAP realm
- BCAAA can run as LocalSystem and the machine does not require special trusts

Novell SSO: BCAAA Details
- BCAAA queries the root eDirectory server for all users that are currently logged in (following referrals as necessary)
- The query searches for all users that have a networkaddress attribute
- The search results are then used to create a list of IPs to user FQDNs

Novell SSO: BCAAA Details
- BCAAA maintains the list in two ways:
  - Monitors the configured servers for login and logout events
    - When an event is received, it adds and removes login entries as appropriate
  - Does a full query of the eDirectory server at configurable intervals
- Determine the eDirectory structure
  - Each separate tree requires a separate Novell SSO realm
- Determine the root server for each tree
  - This will be the server for the Novell SSO LDAP search realm
- Determine how the partitions are replicated
  - Monitor servers which contain partitions that are not replicated to the root server

Novell SSO: Server Relationships
[Diagram. Labels: BCAAA, LDAP Realm (Search and Monitor), eDirectory Server, ProxySG, Users]

Novell SSO: LDAP Realms Relationship
1. Create an LDAP realm for each master eDirectory server
2. Create a Novell SSO realm for each of the LDAP realms
   - Each Novell SSO realm points to one LDAP realm

How to setup?
- Specify agent IP and key password if SSL
- LDAP eDirectory for search requests
- Mapping updates

Authentication Realms: Radius

Radius
- Rarely used
- No specific configuration
- Mainly for administrator authentication
- Can support OTP (One Time Password)
  - Secure Safeworld, RSA
- Only HTTP is supported
- Use form authentication
- No group support
  - Need to use attribute: Blue-Coat-Group
  - BC Vendor ID: 14501, attribute vendor type: 1
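
How the Blue-Coat-Group attribute sits on the wire, as an added Python example (not from the original slides or from Blue Coat). It uses the standard RADIUS Vendor-Specific attribute layout (type 26, RFC 2865) with the vendor ID and vendor type given above; that the group name is carried as a plain string, and the function names and sample values, are assumptions.

```python
import struct
from typing import Iterator, List, Tuple

VENDOR_SPECIFIC = 26            # RADIUS attribute type, RFC 2865 section 5.26
BLUE_COAT_VENDOR_ID = 14501     # from the slide
BLUE_COAT_GROUP_TYPE = 1        # vendor type of Blue-Coat-Group, from the slide


def encode_blue_coat_group(group: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a group name (assumed string)."""
    value = group.encode("utf-8")
    if not value or len(value) > 247:          # 255 - 2 (outer) - 4 (vendor id) - 2 (inner)
        raise ValueError("group name must be 1..247 bytes")
    sub = bytes([BLUE_COAT_GROUP_TYPE, 2 + len(value)]) + value
    return (bytes([VENDOR_SPECIFIC, 2 + 4 + len(sub)])
            + struct.pack("!I", BLUE_COAT_VENDOR_ID) + sub)


def _tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk type/length/value triples; length counts the two header octets."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        yield kind, buf[pos + 2:pos + length]
        pos += length


def blue_coat_groups(attributes: bytes) -> List[str]:
    """Return the Blue-Coat-Group values found in a RADIUS attribute list."""
    groups = []
    for kind, value in _tlvs(attributes):
        if kind != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != BLUE_COAT_VENDOR_ID:
            continue                           # another vendor's attribute: ignore
        for sub_type, sub_value in _tlvs(value[4:]):
            if sub_type == BLUE_COAT_GROUP_TYPE:
                groups.append(sub_value.decode("utf-8"))
    return groups


# Constructed attribute list: User-Name, one Blue-Coat-Group, one foreign VSA.
SAMPLE_ATTRIBUTES = (
    bytes([1, 7]) + b"alice"
    + encode_blue_coat_group("proxy-admins")
    + bytes([VENDOR_SPECIFIC, 12]) + struct.pack("!I", 9) + bytes([1, 6]) + b"test"
)

if __name__ == "__main__":
    print(encode_blue_coat_group("proxy-admins").hex())
    print(blue_coat_groups(SAMPLE_ATTRIBUTES))
```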

Authentication Realms: Local Authentication

Local Authentication
- Proxy SG can use a local user database for:
  - Authentication
  - Authorization
- Each Local Realm needs a local-user-list:
  - Users
  - Groups
- Local user list provisioning:
  - CLI commands
  - Scripts
- Groups cannot be browsed via VPM

Local User List
- One script available: Perl script set_auth.pl
  - Takes a text file as input and pushes it to the SG via HTTP
  - Text file is .htpassword style:
    - Login:encrypted_password group1, group2,
    - One user per line
    - Password is encrypted with UNIX DES or MD5
    - Plaintext password < 64 characters

How to setup
- Local-user-list
- Credentials cache
- VU

Authentication Realms: Certificate

Certificate Realm
- Uses X509 certificates
- Identifies the user
- Can be authorized with:
  - LDAP Realm
  - Local Realm
- Certificate cannot be forwarded to OCS
  - Specific information can be forwarded in a header
- Installed certificate must be in PEM format
- Needs origin style challenge

Revocation List
- Two types of CRL:
  - Via policy and certificates' serial numbers
  - With external CRL list
    - List contains revoked certificates
- OCSP will be available in

Setup Certificate Realms
- How to setup:
  - Origin style challenge
  - HTTPS virtual URL if redirect is used
  - HTTPS service with verify-client attribute
  - Create/install a server certificate
  - Attach the correct server certificate to the service
  - Create a Certificate Realm
  - Install PKI root CA
  - Use an Authorization Realm if needed

Authentication Realms: Policy Substitution

Policy Substitution
- When the user cannot be challenged!
  - Non-human client
  - No understanding of HTTP challenges
  - Cannot prompt for login/pwd
  - Hierarchical proxy already authenticated on first level
- 4 mechanisms:
  - NetBIOS
  - RDNS
  - Header
  - Ident
- Can use an Authorization Realm

How to setup?
- In authentication/substitution Realm:
  - Specify the policy substitution CPL code
  - User based on header

Substitution
- Most useful example is hierarchical architecture
  - Central group based policy
  - Central reporting
[Diagram. Labels: Authentication Server, Authorization Server, Authorization challenge for username, Users, Lvl1 ProxySG, WAN, Lvl2 ProxySG, Internet, Authentication Challenge, Get /url X_header : username]

Authentication Realms: Sequence Realm

Sequence realm
- Users are in different directories
- Cannot specify a source condition in VPM
- Sequence realm permits to:
  - Specify multiple realms as a single one
  - Challenge the user once
  - Once basic credentials are received, use them with different servers
- Specifics:
  - Only 1 IWA (first or last)
  - No certificate realm
  - Need SGOS 5.2 to tolerate errors

Sequence mechanisms

How to setup?
- Specify realms list:
  - IWA first
  - Then LDAP
  - Then local
- Tolerate errors

Authentication Realms: Guest users

Guest users
- Useful to handle:
  - Guest users
  - Non-domain users
  - Wifi subnets
  - Authentication server errors
- User can be assigned as a guest
- Guest user can be assigned to a group
- Guest user name is customizable
  - Ex: guest_$(c-ip)

How to setup?
- Create a VPM authentication layer
- Specify:
  - Username
  - Realm

Authentication Realms: Tolerate errors

Errors Handling
- SGOS 4: if any authentication or authorization errors: Deny
- SGOS 5:
  - Deny by default
  - Can specify tolerated errors:
    - Authentication errors
    - Authorization errors
- Be careful about what an error is
  - Cf. TD on BCAAA agent unavailable and timeout (process vs network)
CHAPTER 39 The single sign on feature allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without signing on again.
More informationSingle Sign-On. Document Scope. Single Sign-On
Single Sign-On Document Scope This document describes how to plan, design, implement, and maintain the Single Sign-On feature in the SonicWALL SonicOS 5.1 Enhanced. This document contains the following
More informationClick Studios. Passwordstate. Installation Instructions
Passwordstate Installation Instructions This document and the information controlled therein is the property of Click Studios. It must not be reproduced in whole/part, or otherwise disclosed, without prior
More informationSecurEnvoy IIS Web Agent. Version 7.2
SecurEnvoy IIS Web Agent Version 7.2 SecurEnvoy Global HQ Merlin House, Brunel Road, Theale, Reading. RG7 4TY Tel: 0845 2600010 Fax: 0845 260014 www.securenvoy.com SecurEnvoy IIS Web Agent Installation
More informationUser-ID. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks
User-ID Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
More informationConfiguring Security Features of Session Recording
Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording
More informationContents. Platform Compatibility. Directory Connector SonicWALL Directory Services Connector 3.1.7
Directory Connector SonicWALL Directory Services Connector 3.1.7 Contents Platform Compatibility... 1 New Features... 2 Known Issues... 3 Resolved Issues... 4 Overview... 7 About SonicWALL Single Sign-On
More informationSetup Guide Access Manager 3.2 SP3
Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE
More informationPineApp Surf-SeCure Quick
PineApp Surf-SeCure Quick Installation Guide September 2010 WEB BASED INSTALLATION SURF-SECURE AS PROXY 1. Once logged in, set the appliance s clock: a. Click on the Edit link under Time-Zone section.
More information1 Introduction. Windows Server & Client and Active Directory. www.exacq.com
Windows Server & Client and Active Directory 1 Introduction For an organization using Active Directory (AD) for user management of information technology services, integrating exacqvision into the AD infrastructure
More informationAdministrator Guide. v 11
Administrator Guide JustSSO is a Single Sign On (SSO) solution specially developed to integrate Google Apps suite to your Directory Service. Product developed by Just Digital v 11 Index Overview... 3 Main
More informationArchitecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference
Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise
More informationBlackShield ID Agent for Remote Web Workplace
Agent for Remote Web Workplace 2010 CRYPTOCard Corp. All rights reserved. http:// www.cryptocard.com Copyright Copyright 2010, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced,
More informationInterwise Connect. Working with Reverse Proxy Version 7.x
Working with Reverse Proxy Version 7.x Table of Contents BACKGROUND...3 Single Sign On (SSO)... 3 Interwise Connect... 3 INTERWISE CONNECT WORKING WITH REVERSE PROXY...4 Architecture... 4 Interwise Web
More informationTROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS
White Paper TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS Abstract This white paper explains how to diagnose and troubleshoot issues in the RSA Access Manager single sign-on
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Citrix NetScaler (with AGEE)
INTEGRATION GUIDE DIGIPASS Authentication for Citrix NetScaler (with AGEE) Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is';
More informationSkyward LDAP Launch Kit Table of Contents
04.30.2015 Table of Contents What is LDAP and what is it used for?... 3 Can Cloud Hosted (ISCorp) Customers use LDAP?... 3 What is Advanced LDAP?... 3 Does LDAP support single sign-on?... 4 How do I know
More informationProtecting Juniper SA using Certificate-Based Authentication. Quick Start Guide
Protecting Juniper SA using Certificate-Based Authentication Copyright 2013 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate.
More informationDeploying F5 with Microsoft Active Directory Federation Services
F5 Deployment Guide Deploying F5 with Microsoft Active Directory Federation Services This F5 deployment guide provides detailed information on how to deploy Microsoft Active Directory Federation Services
More informationApache Server Implementation Guide
Apache Server Implementation Guide 340 March Road Suite 600 Kanata, Ontario, Canada K2K 2E4 Tel: +1-613-599-2441 Fax: +1-613-599-2442 International Voice: +1-613-599-2441 North America Toll Free: 1-800-307-7042
More informationDESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014
DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014 Contents Overview... 2 System requirements:... 2 Before installing... 3 Download and installation... 3 Configure DESLock+ Enterprise Server...
More informationMcAfee One Time Password
McAfee One Time Password Integration Module Outlook Web App 2010 Module version: 1.3.1 Document revision: 1.3.1 Date: Feb 12, 2014 Table of Contents Integration Module Overview... 3 Prerequisites and System
More informationXerox DocuShare Security Features. Security White Paper
Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a
More informationJuniper Networks Secure Access Kerberos Constrained Delegation
Juniper Networks Secure Access Kerberos Constrained Delegation Release 6.4 CONTENT 1. BACKGROUND...3 2. SETTING UP CONSTRAINED DELEGATION...5 2.1 ACTIVE DIRECTORY CONFIGURATION...5 2.1.1 Create a Kerberos
More informationXIA Configuration Server
XIA Configuration Server XIA Configuration Server v7 Installation Quick Start Guide Monday, 05 January 2015 1 P a g e X I A C o n f i g u r a t i o n S e r v e r Contents Requirements... 3 XIA Configuration
More informationBlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide
BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9
More informationThird Party Integration
APPENDIXG This appendix contains the following sections: Overview, page G-1 BlackBerry Enterprise Server, page G-1 Blue Coat, page G-2 Check Point, page G-3 Firebox, page G-4 ISA Server/Forefront TMG,
More informationWindows XP Exchange Client Installation Instructions
WINDOWS XP with Outlook 2003 or Outlook 2007 1. Click the Start button and select Control Panel: 2. If your control panel looks like this: Click Switch to Classic View. 3. Double click Mail. 4. Click show
More informationSetup Guide Access Manager Appliance 3.2 SP3
Setup Guide Access Manager Appliance 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS
More informationThis chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:
CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access
More informationUser Guide. Cloud Gateway Software Device
User Guide Cloud Gateway Software Device This document is designed to provide information about the first time configuration and administrator use of the Cloud Gateway (web filtering device software).
More informationAdvanced Administration
BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Advanced Administration Guide Published: 2014-09-10 SWD-20140909133530796 Contents 1 Introduction...11 About this guide...12 What
More informationUser Identification and Authentication
User Identification and Authentication Vital Security 9.2 Copyright Copyright 1996-2008. Finjan Software Inc.and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included
More informationVMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
More informationDeploying the BIG-IP System v11 with Microsoft SharePoint 2010 and 2013
Deployment Guide Document version 3.2 What's inside: 2 What is F5 iapp? 2 Prerequisites and configuration notes 4 Configuration example 5 Preparation Worksheet 6 Configuring SharePoint Alternate Access
More informationDell SonicWALL SRA 7.5 Citrix Access
Dell SonicWALL SRA 7.5 Citrix Access Document Scope This document describes how to configure and use Citrix bookmarks to access Citrix through Dell SonicWALL SRA 7.5. It also includes information about
More informationv7.8.2 Release Notes for Websense Content Gateway
v7.8.2 Release Notes for Websense Content Gateway Topic 60086 Web Security Gateway and Gateway Anywhere 12-Mar-2014 These Release Notes are an introduction to Websense Content Gateway version 7.8.2. New
More informationWHITE PAPER Citrix Secure Gateway Startup Guide
WHITE PAPER Citrix Secure Gateway Startup Guide www.citrix.com Contents Introduction... 2 What you will need... 2 Preparing the environment for Secure Gateway... 2 Installing a CA using Windows Server
More informationBlue Coat Security First Steps Transparent Proxy Deployments
Transparent Proxy Deployments SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE,
More informationWeb Interface with Active Directory Federation Services Support Administrator s Guide
Web Interface with Active Directory Federation Services Support Administrator s Guide Web Interface with Active Directory Federation Services (ADFS) Support Citrix Presentation Server 4.0 for Windows Copyright
More informationVMware Identity Manager Connector Installation and Configuration
VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document
More informationwww.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013
www.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,
More informationEntrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates
Entrust Managed Services Entrust Managed Services PKI Configuring secure LDAP with Domain Controller digital certificates Document issue: 1.0 Date of issue: October 2009 Copyright 2009 Entrust. All rights
More informationM86 Web Filter USER GUIDE for M86 Mobile Security Client. Software Version: 5.0.00 Document Version: 02.01.12
M86 Web Filter USER GUIDE for M86 Mobile Security Client Software Version: 5.0.00 Document Version: 02.01.12 M86 WEB FILTER USER GUIDE FOR M86 MOBILE SECURITY CLIENT 2012 M86 Security All rights reserved.
More informationBlackShield ID Agent for Terminal Services Web and Remote Desktop Web
Agent for Terminal Services Web and Remote Desktop Web 2010 CRYPTOCard Corp. All rights reserved. http:// www.cryptocard.com Copyright Copyright 2010, CRYPTOCard All Rights Reserved. No part of this publication
More informationTenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.
Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,
More informationUser Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream
User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner
More informationMixed Authentication Setup
Mixed Authentication Setup Version 8.2 January 1, 2016 For the most recent version of this document, visit our documentation website. Table of Contents 1 Overview 3 2 IIS installed components 3 2.1 Creating
More informationDEPLOYMENT GUIDE CONFIGURING THE BIG-IP LTM SYSTEM WITH FIREPASS CONTROLLERS FOR LOAD BALANCING AND SSL OFFLOAD
DEPLOYMENT GUIDE CONFIGURING THE BIG-IP LTM SYSTEM WITH FIREPASS CONTROLLERS FOR LOAD BALANCING AND SSL OFFLOAD Configuring the BIG-IP LTM system for use with FirePass controllers Welcome to the Configuring
More informationConfiguring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication
Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication This application note describes how to authenticate users on a Cisco ISA500 Series security appliance. It includes these
More informationSSL VPN Server Guide. Access Manager 3.2 SP2. June 2013
SSL VPN Server Guide Access Manager 3.2 SP2 June 2013 Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A
More informationSSL Interception on Proxy SG
SSL Interception on Proxy SG Proxy SG allows for interception of HTTPS traffic for Content Filtering and Anti Virus, and for Application Acceleration. This document describes how to setup a demonstration
More information