Installation and Configuration Guide

Transcription

1 Installation and Configuration Guide VPN Authentication by BlackBerry Virtual Appliance Version 1.7.1

2 Published: SWD

3 Contents What is VPN Authentication by BlackBerry?... 5 Architecture: VPN Authentication by BlackBerry... 5 VPN authentication options...6 Connecting to a VPN network... 7 Data flow: Connecting to a VPN network using a BlackBerry OS device as the second factor...8 Data flow: Connecting to a VPN network using a BlackBerry 10 device as the second factor... 9 Data flow: Connecting to a VPN network using an ios or Android device as the second factor...10 How second-factor authentication with VPN Authentication by BlackBerry works...11 Installing the VPN Authentication server Environment requirements...13 Hardware requirements Software requirements...14 Install the VPN Authentication server VPN Authentication server ports...15 Configuring VPN Authentication for the first time...17 Confirm virtual machine and networking setup Configure Samba for the VPN Authentication server Start the configuration tool...19 Turn off the configuration tool...20 Start the VPN Authentication server Turn off the VPN Authentication server Configuring VPN server connectivity Supported authentication protocols for each authentication option...21 Configuring connectivity to the VPN Authentication server on a Cisco ASA Series VPN gateway Configuring connectivity to the VPN Authentication server on Citrix NetScaler...23 Configuring connectivity to the VPN Authentication server on a strongswan server...23 Configure VPN gateway connectivity in the VPN Authentication server Connecting the VPN Authentication server to Microsoft Active Directory...27 Connect the VPN Authentication server to Microsoft Active Directory...27

4 Configuring the connection to an EMM solution from BlackBerry Configuring support for high availability of an EMM solution from BlackBerry...29 Prerequisites: Connecting the VPN Authentication server to BES Connect the VPN Authentication server to BES Prerequisites: Connecting the VPN Authentication server to BES Connect the VPN Authentication server to BES Prerequisites: Connecting the VPN Authentication server to BES Connect the VPN Authentication server to BES Configure the VPN Authentication server to listen for responses from devices Configure a TLS connection for responses from BlackBerry 10 devices Customize the VPN Authentication app...37 Sending the VPN Authentication app to devices Sending the VPN Authentication app to BlackBerry 10 devices using BES Sending the VPN Authentication app to BlackBerry 10 devices using BES Sending the VPN Authentication app to BlackBerry OS devices using BES Sending the VPN Authentication app to BlackBerry OS devices using BES Sending the VPN Authentication app to ios or Android devices using BES Architecture: VPN Authentication high availability...41 Configuring high availability...41 Logging and reporting...43 Auditing authentication transactions Centralize logging or auditing using syslog Product documentation...46 Glossary Legal notice...49

5 What is VPN Authentication by BlackBerry? What is VPN Authentication by BlackBerry? 1 A VPN is one of the key methods that your users use to access your organization s content when they re on the go. When you permit users to connect to your network from the outside, you must make sure that only authenticated users can access content freely. In the past, security conscious organizations implemented two-factor authentication using hardware tokens to strongly authenticate users. However, hardware tokens can be costly to implement, are difficult to use, and aren t well-aligned with mobility or cloud-based trends. VPN Authentication by BlackBerry takes a different approach to VPN authentication. It uses your users BlackBerry 10, BlackBerry OS (version 6.0 to 7.1), ios, or Android devices as the second-factor for authentication. By using the devices that users have already activated, VPN Authentication provides the following benefits: Strong security based on PKI authentication and, for BlackBerry 10 and BlackBerry OS devices, hardware root of trust Better user experience because users don't need a hardware token and don't need to remember additional shared secrets or passcodes Improved cost structure because you can use something users already have, reduced support costs, and you don't need to purchase or replace additional hardware For more information about VPN Authentication, visit Architecture: VPN Authentication by BlackBerry VPN Authentication by BlackBerry consists of two components: A server that you install on your network An app that runs on users' devices 5

6 What is VPN Authentication by BlackBerry? Component Computer VPN gateway VPN Authentication server Description The computer is any device (for example, tablet, desktop, or laptop) that has a VPN profile installed and that a user wants to connect to your organization s network. The VPN gateway is a computer that accepts VPN connections. The VPN gateway and devices connect to the VPN Authentication server to provide second-factor authentication. The VPN Authentication server connects to the EMM solutions from BlackBerry that are installed in your environment to find the devices associated with a user and to send authentication requests to the VPN Authentication app that's installed on devices. You can install multiple instances of the server to set up active-active high availability. BES5, BES10, or BES12 Devices with VPN Authentication app BES5, BES10, and BES12 are the EMM solutions from BlackBerry that allow you to manage devices. The EMM solutions from BlackBerry provide the connection to the devices that are used as the second factor for VPN authentication. The devices are the smartphones or tablets that include the VPN Authentication app and are the second factor for VPN authentication. The devices are associated with users and managed by BES5, BES10, or BES12. They can be BlackBerry 10, BlackBerry OS (version 6 to 7.1), ios, or Android devices. For ios and Android devices, the VPN Authentication app is part of the BES12 Client. Related information Architecture: VPN Authentication high availability, on page 41 Sending the VPN Authentication app to devices, on page 38 VPN authentication options VPN Authentication by BlackBerry offers the following three authentication options: Authentication option Description Useful when Normal device password When a user connects to the VPN, the user is prompted to accept the VPN connection on the device. If the device is locked, the user must provide the device password. Your organization places usability as its most important goal for any deployment. 6

7 What is VPN Authentication by BlackBerry? Authentication option Description Useful when For BlackBerry 10 devices, users must provide the work space password if the work space is locked. This option is supported on all devices. Forced device password Microsoft Active Directory password When a user connects to the VPN, the user is always prompted to provide the device password, even if the device is unlocked. For BlackBerry 10 devices, users must provide the work space password. Users can accept the VPN connection on the device after they log in. This option is supported for BlackBerry 10 and BlackBerry OS (version 6.0 to 7.1) devices only. When a user connects to the VPN, the user is always prompted for the Windows password. After users log in, they can accept the connection on the device. This option is supported on all devices. Your organization stresses usability but wants to guard against someone picking up an unlocked device and accepting the VPN challenge. Your organization places security as its most important goal for any deployment. If users forget their devices, VPN Authentication includes a bypass option that allows users to log in to your network using Microsoft Active Directory authentication only. VPN Authentication uses Microsoft Active Directory groups to determine which authentication option to use. For example, if you want to use the "Forced device password" option, you can create a Microsoft Active Directory group called "ActiveDeviceAuthGroup" and add the user account to that group. Related information Supported authentication protocols for each authentication option, on page 21 Connecting to a VPN network To authenticate users so that they can connect to a VPN network, VPN Authentication by BlackBerry completes the following tasks: Authenticates the user's device Acts as a proxy for password authentication 7

8 What is VPN Authentication by BlackBerry? Combines the two results to determine whether authentication is successful The connection between the VPN gateway and the VPN Authentication server is established using RADIUS. Data flow: Connecting to a VPN network using a BlackBerry OS device as the second factor Note: For authentication to work, the BlackBerry OS device must be connected to a mobile network. 1. A user opens the VPN client on a computer or tablet, selects the appropriate VPN profile, and provides their username and password. 2. The VPN client makes the connection request to the VPN gateway. 3. The VPN gateway forwards the request to the VPN Authentication server. 4. The VPN Authentication server connects to Microsoft Active Directory to determine which authentication group the user account is in. 5. The VPN Authentication server connects to BES5 or BES12 to find the devices that are associated with the user. 6. BES5 or BES12 returns information about the devices that are associated with the user to the VPN Authentication server. 7. For each device that is associated with the user, the VPN Authentication server creates and sends a device authentication request to BES5 or BES BES5 or BES12 encrypts the request using AES-256 encryption and forwards the request to the list of devices that are associated with the user. The request is a push request that the BlackBerry MDS Connection Service sends through the BlackBerry Infrastructure. 9. If required by the authentication option that you chose or if the device is locked, the device prompts the user to log in. 10. The VPN Authentication app opens a dialog box on the device asking the user to accept or deny the request. 8

9 What is VPN Authentication by BlackBerry? 11. After the user accepts or denies the request, the device forwards the response to the VPN Authentication server. The response is protected with SHA-256 hashing and a digital signature. The response is sent through the BlackBerry Infrastructure directly to the VPN Authentication server on port The VPN Authentication server performs the following actions: Sends a notification to the device that it received the response. Informs the VPN gateway whether the device authentication process was successful. 13. If the user accepts the request and if required by the authentication option that you chose, the VPN Authentication server connects to Microsoft Active Directory to authenticate the user. User authentication can occur using PAP or MS-CHAP. 14. The VPN Authentication server notifies the VPN gateway whether the authentication process was successful. 15. If the authentication process was successful, the VPN gateway permits the user to access the network. Note: If you are using bypass authentication, steps 5 to 12 are not completed. Data flow: Connecting to a VPN network using a BlackBerry 10 device as the second factor 1. A user opens the VPN client on a computer or tablet, selects the appropriate VPN profile, and provides their username and password. 2. The VPN client makes the connection request to the VPN gateway. 3. The VPN gateway forwards the request to the VPN Authentication server. 4. The VPN Authentication server connects to Microsoft Active Directory to determine which authentication group the user account is in. 5. The VPN Authentication server connects to BES10 or BES12 to find the devices that are associated with the user. 6. BES10 or BES12 returns information about the devices that are associated with the user to the VPN Authentication server. 7. For each device that is associated with the user, the VPN Authentication server creates and sends a device authentication request to BES10 or BES12. 9

10 What is VPN Authentication by BlackBerry? 8. BES10 or BES12 encrypts the request using AES-256 encryption and forwards the request to the list of devices that are associated with the user. The request is a push request that the BlackBerry MDS Connection Service sends through the BlackBerry Infrastructure. 9. If required by the authentication option that you chose or if the device is locked, the device prompts the user to log in. 10. The VPN Authentication app opens a dialog box on the device asking the user to accept or deny the request. 11. After the user accepts or denies the request, the device forwards the response to the VPN Authentication server. The response is encrypted using AES-256 encryption and sent through the BlackBerry Infrastructure. 12. The VPN Authentication server performs the following actions: Sends a notification to the device that it received the response Informs the VPN gateway whether the authentication process was successful 13. If the user accepts the request and if required by the authentication option that you chose, the VPN Authentication server connects to Microsoft Active Directory to authenticate the user. User authentication can occur using PAP or MS-CHAP. 14. The VPN Authentication server notifies the VPN gateway whether the authentication process was successful. 15. If the authentication process was successful, the VPN gateway permits the user to access the network. Note: If you are using bypass authentication, steps 5 to 12 are not completed. Data flow: Connecting to a VPN network using an ios or Android device as the second factor 1. A user opens the VPN client on a computer or tablet, selects the appropriate VPN profile, and provides their username and password. 2. The VPN client makes the connection request to the VPN gateway. 3. The VPN gateway forwards the request to the VPN Authentication server. 4. The VPN Authentication server connects to Microsoft Active Directory to determine which authentication group the user account is in. 10

11 What is VPN Authentication by BlackBerry? 5. The VPN Authentication server connects to BES12 to find the devices that are associated with the user. 6. BES12 returns information about the devices that are associated with the user to the VPN Authentication server. 7. For each device that is associated with the user, the VPN Authentication server creates and sends a device authentication request to BES BES12 forwards the request to the list of devices that are associated with the user. BES12 protects the request using TLS. The request is sent through the BlackBerry Infrastructure and the BlackBerry Infrastructure uses the APNs or GCM to notify the device of the request. 9. If required by the authentication option that you chose or if the device is locked, the device prompts the user to log in. 10. The BES12 Client opens a dialog box on the device asking the user to accept or deny the request. 11. After the user accepts or denies the request, the device forwards the response to the VPN Authentication server. The response is protected using TLS and proxied through BES The VPN Authentication server performs the following actions: Sends a notification to BES12 that it received the response Informs the VPN gateway whether the authentication process was successful 13. If the user accepts the request and if required by the authentication option that you choose, the VPN Authentication server connects to Microsoft Active Directory to authenticate the user. User authentication can occur using PAP or MS-CHAP. 14. The VPN Authentication server notifies the VPN gateway whether the authentication process was successful. 15. If the authentication process was successful, the VPN gateway permits the user to access the network. Note: If you are using bypass authentication, steps 5 to 12 are not completed. How second-factor authentication with VPN Authentication by BlackBerry works The process that VPN Authentication by BlackBerry uses to verify the second-factor is different depending on the device. In all instances, trust is established because an EMM solution from BlackBerry manages the device. The activation process between the device and the EMM solution from BlackBerry sets up a trusted connection between the user and the device that the VPN Authentication can use. For information about the trust established during the activation process, see the BES12 Security content. To verify the response from BlackBerry OS, the following actions occur: The BlackBerry Infrastructure must authenticate the device and send the device ID to the VPN Authentication server. The VPN Authentication server must verify the device ID by validating that it came from the BlackBerry Infrastructure as a trusted source. The VPN Authentication server must verify that the device ID that the BlackBerry Infrastructure adds to the response matches the device ID that the server received from BES5 or BES12 when it requested information about the devices associated with the user. 11

12 What is VPN Authentication by BlackBerry? To verify the response from BlackBerry 10 devices, the following actions occur: The VPN Authentication server must verify that the response was signed by the device private key. The response includes the device certificate, which the server can verify was signed by the BlackBerry signing authority system. The VPN Authentication server must verify that the device ID that the device sends in its response matches the device ID that the server received from BES10 or BES12 when it requested information about the devices associated with the user. To verify the response from ios and Android devices, the following actions occur: BES12 must verify that the device signed the response with the private key of the device certificate. After verification, BES12 forwards the response to the VPN Authentication server over a mutually authenticated TLS connection. The VPN Authentication server must verify that the device ID included with the response matches the device ID that the server received from BES12 when it requested information about the devices associated with the user. 12

13 Installing the VPN Authentication server Installing the VPN Authentication server 2 For information about software requirements and supported mobile device operating systems, see the Compatibility Matrix content. You can install VPN Authentication on the same computer as an EMM solution from BlackBerry, but, for maintainance and availability reasons, this configuration is not recommended. Environment requirements Item VPN gateway EMM solution from BlackBerry Virtual environment Company directory Requirement Any of the VPN gateways listed in the Compatibility Matrix content. Any of the EMM solutions listed in the Compatibility Matrix content. VMware vsphere hypervisor Microsoft Active Directory and users with Microsoft Active Directory accounts and valid addresses. Hardware requirements Item RAM CPU Requirement 2 GB 2 cores Both the RAM and CPU requirements are designed to allow for a connection to one instance of BES5, BES10, or BES12 and a sustained rate of approximately 30 requests per minute. Virtual machines The VPN Authentication server is packaged inside a virtual appliance. Due to known issues generating random numbers on virtual machines, you must configure the 13

14 Installing the VPN Authentication server Item Requirement hypervisor to provide access to hardware sources of randomness to the guest virtual machine that runs the VPN Authentication server. Otherwise, you may see delays in secure transactions between the VPN Authentication server and the EMM solution from BlackBerry. Port to Internet To support BlackBerry OS (version 6.0 to 7.1) devices, a port must be accesible from the Internet to permit an inbound connection from the BlackBerry Infrastructure. By default, the VPN Authentication by BlackBerry server uses port If you do not want to configure direct access from the Internet to this computer, you can configure a proxy server in the DMZ. For more information, visit to read KB Software requirements For more information about software requirements, ee the Compatibility Matrix content. Item Domain Browser Virtual appliance Other considerations Requirement The computer must be part of the domain that users are authenticated on. Any of the browsers listed in the Compatibility Matrix content. Any of the virtual appliances listed in the Compatibility Matrix content. VPN Authentication supports IPv4 for TCP/IP connections only. Install the VPN Authentication server Before you begin: Download the VPN Authentication by BlackBerry for Virtual Appliance software from myaccount.blackberry.com/myaccount/account/accountdownloads. Save the software package to a computer or network drive that is accessible by VMware vsphere Client. Untar the software package using a file archive utility. The VPN Authentication by BlackBerry for Virtual Appliance software is deployed as a virtual machine. It is packaged as an OVF template file and is deployed using the VMware vsphere Client. 1. Log in to the computer running the VMware vsphere Client using an account with local administrator privileges. 14

15 Installing the VPN Authentication server 2. Open the VMware vsphere Client and select File > Deploy OVF Template. 3. Select the source location of the OVF template file and click Next. 4. Verify the OVF template file details and click Next. 5. Specify a name and folder location for your virtual appliance machine and click Next. 6. Specify a host or cluster where your virtual appliance machine is to run and click Next. 7. Specify a datastore for your virtual appliance machine's disk file and click Next. 8. Select a disk format for your virtual appliance machine. Thin Provision is recommended. 9. Specify a bridged network for your virtual appliance machine to use and click Next. 10. Verify all options configured for your virtual appliance machine, select Power on after deployment, and then click Finish. VPN Authentication server ports The following table provides a list of the default ports that the VPN Authentication by BlackBerry server uses. Unless specified, you can change them when you configure the VPN Authentication server using the configuration tool. When you install several VPN Authentication servers to configure high availability, you can specify the same ports for each server. If a defined listening port is not available, the VPN Authentication server writes an error message to the log file after you configure and start the server. Port Purpose 389 or 636 This is the outbound port that the VPN Authentication server uses to connect to Microsoft Active Directory. Port 389 is the default LDAP port and port 636 is the default LDAPS port. 443 This is the outbound port that the VPN Authentication server uses to report license compliance to the BlackBerry Infrastructure. This is also the outbound port that the VPN Authentication server uses to query for user information from BlackBerry Web Services in BES5 environments. You cannot change this port This is the outbound port that the VPN Authentication server uses to connect to the BES12 database This is the inbound UDP port that the VPN Authentication server uses as the primary port for RADIUS communication with the VPN gateway. You cannot change this port. 15

16 Installing the VPN Authentication server Port Purpose 3443 This is the inbound HTTPS port that the VPN Authentication server uses to receive responses from BlackBerry 10 devices through BES10 or BES This is the inbound HTTPS port that the VPN Authentication server uses to receive responses from ios and Android devices through BES This is the outbound HTTP port that the VPN Authentication server uses to send push data to the BlackBerry MDS Connection Service for BlackBerry OS devices. This port applies when connecting to BES5 or BES This is the inbound HTTP port that the VPN Authentication server uses to receive responses from BlackBerry OS devices through the BlackBerry Infrastructure. You must open this port in your firewall or configure a proxy server in the DMZ This is the HTTP inbound port that the configuration tool uses This is the outbound port that the VPN Authentication server uses to query BES12 for information about which devices are associated with a user and to push data to ios and Android devices. You cannot change this port This is the outbound HTTP port that the VPN Authentication server uses to send push data to the BlackBerry MDS Connection Service for BlackBerry 10 devices. This port applies when connecting to BES This is the outbound HTTP port that the VPN Authentication server uses to send push data to the BlackBerry MDS Connection Service for BlackBerry 10 devices. This port applies when connecting to BES and above This is the inbound port that the VPN Authentication server uses to receive push notifications from BES5, BES10, or BES12. Push notifications apply for BlackBerry 10 or BlackBerry OS devices only. The VPN Authentication server uses port for the first BES5, BES10, or BES12 instance that you add, and then increments by one for each additional instance. You cannot change these ports This is the outbound port that the VPN Authentication server uses to query for user information from BlackBerry Web Services in BES10 environments. 16

17 Configuring VPN Authentication for the first time Configuring VPN Authentication for the first time 3 When you configure VPN Authentication by BlackBerry for the first time, you perform the following actions. Task Description Confirm virtual machine and networking setup. For more information, see Confirm virtual machine and networking setup. Configure Samba. For more information, see Configure Samba for the VPN Authentication server. Start the configuration tool. For more information, see Start the configuration tool. Connect the VPN Authentication server to your VPN gateway. For more information, see Configuring VPN server connectivity. Connect the VPN Authentication server to your Microsoft Active Directory. For more information, see Connecting the VPN Authentication server to Microsoft Active Directory. Connect the VPN Authentication server to BES5, BES10, or BES12. For more information, see Configuring the connection to an EMM solution from BlackBerry. Customize the VPN Authentication app message. For more information, see Customize the VPN Authentication app. Turn off the configuration tool. For more information, see Turn off the configuration tool. Start the VPN Authentication server. For more information, see Start the VPN Authentication server. Send the VPN Authentication app to devices. For more information, see Sending the VPN Authentication app to devices. 17

18 Configuring VPN Authentication for the first time Task Description Optionally, turn off the VPN Authentication server. For more information, see Turn off the VPN Authentication server. Confirm virtual machine and networking setup Before you start the VPN Authentication server, perform the following steps to confirm your virtual machine and networking setup. 1. Log in to your virtual machine with the bb2fa_admin administrator account using the default password: pass_2fa_2. When booting up, the virtual machine will automatically try to acquire an IP address from the network. 2. Make sure that your virtual machine has acquired an IP address from the network by running the following command: ip addr. Check the command response that the IP address assigned to interface "ens33." 3. Pick a host name that belongs to the Microsoft Active Directory domain. 4. Set the host name of your virtual machine by running the following command: sudo hostnamectl set-hostname <new hostname> 5. Follow the menu prompts to set a host name for the domain to which your computer belongs: a. Select Set system hostname and press Enter. b. Enter a new host name. Make sure to select a host name that belongs to the Microsoft Active Directory domain. c. Select OK and press Enter. 6. Make sure that the host name has been set by running the following command: hostname 7. Restart your virtual machine for the host name change to take effect by running the following command: sudo reboot 8. Log back in to the virtual machine. 9. Verify your DNS configuration by running the following command: sudo cat /etc/resolv.conf The virtual machine should pick up the DNS servers in the network automatically. Configure Samba for the VPN Authentication server Before you start the VPN Authentication server, complete the following steps to configure Samba. 18

19 Configuring VPN Authentication for the first time 1. Log in to the virtual machine you created for VPN Authentication using the bb2fa_admin administrator account. 2. At the command prompt, change to the home/bb2fa/bb2fa folder. 3. Run the config-samba.sh script using the following command: sudo./config-samba.sh 4. Enter your domain information for the following parameters: Workgroup: Enter the Windows Workgroup name, a shorthand for the FQDN of the authentication domain. Realm: Enter the FQDN of the authentication domain. Service account name: Enter the username and password of an account with sufficient permissions to join the virtual machine to the Microsoft Active Directory domain. This account can be the same account that is used to query Microsoft Active Directory during VPN Authentication operation (see Connecting the VPN Authentication server to Microsoft Active Directory. Alternatively, enter a separate account that is used solely for this join operation. Service account password: The password for the user. 5. Press Enter. 6. In the command prompt window, verify that a message confirming that Samba configuration is complete and successful appears. If the configuration fails, the script provides instructions to cancel the configuration changes so that you can start over. Start the configuration tool You use configuration tool to configure VPN Authentication by BlackBerry. You can access it from a browser. For information about the browsers that the configuration tool supports, see the Compatibility Matrix content. Before you begin: Make sure JavaScript or Active scripting (depending on your browser) is turned on. Make sure "Allow websites to prompt for information using scripted windows" is turned on in Windows Internet Explorer. 1. Log into the virtual machine you created for VPN Authentication. 2. From the command prompt, change to the home/bb2fa/bb2fa folder. 3. Generate a password obfuscation keystore by running the following command:./keysetup.sh. This generates a passwordkeystore.pk12 file in the home/bb2fa/bb2fa folder. 4. Run the configurator-start.sh script using the following command:./configurator-start.sh <ip address> <port>. Specifying the port number is optional (defaulting to 8827), but the IP address is required to make sure that the webpage is accessible outside the virtual machine. 5. Check the <install_dir>/logs.txt file to verify that a message similar to "Started ServerConnector@61decc8c{HTTP/1.1} {<ip address>:8827}" message appears. 19

20 Configuring VPN Authentication for the first time After you finish: You can access the configuration tool in one of the following ways: On any computer that can access the virtual machine you created for VPN Authentication, open a browser and browse to where <computername> is the FQDN or IP address and <port> is the port number that you specified in step 3. Note: After you configure VPN Authentication, it is recommended that you turn off the configuration tool. Related information Turn off the configuration tool, on page 20 Turn off the configuration tool After you configure VPN Authentication by BlackBerry, you can turn off the configuration tool so that unauthorized users can't access it. 1. From the command prompt window that you are running the configuration tool in, press the X key.. 2. Close the command prompt window. Start the VPN Authentication server 1. Log in to the virtual machine you created for VPN Authentication using the bb2fa_admin administrator account.. 2. From the command prompt, change to the home/bb2fa/bb2fa folder. 3. Run the following command: bb2fa start After you finish: Check the bb2fa.log file in <install_dir>/logs to determine if the server started correctly. The following message should appear "com.blackberry.bb2fa.launcher - BlackBerry VPN Authentication server waiting for requests..." Related information Configuring VPN Authentication for the first time, on page 17 Turn off the VPN Authentication server 1. Log in to the virtual machine you created for VPN Authentication using the bb2fa_admin administrator account.. 2. From the command prompt, change to the home/bb2fa/bb2fa folder. 3. Run the following command: bb2fa stop After you finish: Check the bb2fa.log file in <install_dir>/logs to determine if the server stopped 20

21 Configuring VPN server connectivity Configuring VPN server connectivity 4 On your VPN server, the VPN Authentication by BlackBerry server must be configured as a RADIUS server to which authentication requests are forwarded. You must also configure a VPN profile or client that permits users to select VPN Authentication when they log in to VPN from their computers. For each VPN Authentication server in your environment, the RADIUS server must have the following options: IP address or FQDN of the computer that hosts the VPN Authentication server Timeout between 60 and 90 seconds for the connection between the VPN server and the VPN Authentication server Unique shared secret Authentication port set to 1812 Depending on the available authentication options, one of PAP, MS-CHAP v1, MS-CHAP v2, or EAP-MSCHAP The VPN profile must have the timeout set between 30 and 60 seconds for the connection between the VPN client on user s computers and the VPN server. For instructions on how to configure a RADIUS server or VPN profile, see the documentation for the VPN server that you are using. For a list of supported VPN servers, see the Compatibility Matrix content. Related information Supported authentication protocols for each authentication option, on page 21 Supported authentication protocols for each authentication option The following table shows the authentication protocols that the VPN authentication options available with VPN Authentication by BlackBerry support. VPN authentication option Normal device password Forced device password Microsoft Active Directory password Bypass option Supported authentication protocols PAP PAP MS-CHAP v1, MS-CHAP v2, PAP, EAP-MSCHAP MS-CHAP v1, MS-CHAP v2, PAP, EAP-MSCHAP 21

22 Configuring VPN server connectivity Related information VPN authentication options, on page 6 Connecting the VPN Authentication server to Microsoft Active Directory, on page 27 Configuring connectivity to the VPN Authentication server on a Cisco ASA Series VPN gateway If you are using a Cisco ASA Series VPN gateway, you can create the VPN profile using the information below. For detailed instructions on how to configure the VPN profile, visit to read the Cisco ASA Series documentation. When you create the profile, you must set the following options to support VPN Authentication: For each VPN Authentication server in your environment, create a RADIUS AAA Server Group with the following options: IP address or FQDN of the computer that hosts VPN Authentication Timeout between 60 and 90 seconds for the connection between the VPN gateway and VPN Authentication Unique shared secret Authentication port set to 1812 MS-CHAP v2 compatible For the connection between the VPN client on user s computers and the VPN gateway, set the timeout between 30 and 60 seconds. You must configure the timeout in the Cisco AnyConnect VPN client profile file (an XML file) that must be installed on users' computers. Password management option, if you are configuring the profile to support MS-CHAP v2 authentication You must complete the following actions to finish the profile creation process: Enable the VPN tunnel payload encapsulation protocol (for example, the IPSEC-IKE v2 protocol) All the commands that are required for the associated VPN policy group All the commands that are required for the associated Cisco AnyConnect VPN client profile and the creation of the XML file itself All the commands that are required for the associated VPN tunnel group You do not need to configure additional certificate authentication. When you configure VPN gateway connectivity in the VPN Authentication server, you must provide the RADIUS shared secret that you create in the VPN profile. 22

23 Configuring VPN server connectivity Configuring connectivity to the VPN Authentication server on Citrix NetScaler If you are using Citrix NetScaler, you can configure the connection to the VPN Authentication by BlackBerry server by adding it as a RADIUS server. If you have more than one VPN Authentication server in your environment, you must configure a separate RADIUS server for each. For detailed instructions on how to configure NetScaler, visit to read the NetScaler documentation. For example, you can configure a connection to one VPN Authentication server and use VPN Authentication as the default authentication method. If you want to configure this example, in the configuration utility for NetScaler, you must set the authentication settings under the global settings as follows: "Maximum Number of Users", "Max Login Attempts" and "Failed Login Timeout" as required by your organization Authentication type set to RADIUS IP address set to the VPN Authentication server Port set to 1812 Timeout between 60 and 90 seconds for the connection between NetScaler and the VPN Authentication server (this value must match the timeout value that you specify in the VPN Authentication server configuration tool) Unique shared secret "Enable NAS IP address extraction" selected "Password Encoding" set to the authentication protocol supported by the VPN authentication option you've chosen (VPN Authentication does not support the "chap" option) Accounting set to Off Configuring connectivity to the VPN Authentication server on a strongswan server To configure connectivity to the VPN Authentication by BlackBerry server on a strongswan server, you must modify the ipsec.conf and the eap-radius.conf files. For more information about these files and how to configure strongswan, visit 23

24 Configuring VPN server connectivity ipsec.conf configuration The ipsec.conf file is located in the /etc directory. You must add a new conn section for the VPN Authentication server. For example: conn <name> keyexchange=ikev2 rightauth=eap-radius rightsendcert=never eap_identity=%any auto=add Setting <name> keyexchange=ikev2 rightauth=eap-radius rightsendcert=never eap_identity=%any auto=add Description The unique name for the new connection section. It is a common practice for that name to reflect some key characteristics of the connection itself (for example, IPSec-IKEv2-radius). This setting specifies the key exchange method (for example, IKEv1, IKEv2). The VPN Authentication server does not use this setting, but you must include it in the conn section to enable proper key exchange with VPN clients. You must make sure that the VPN clients that connect to the strongswan server use the same key exchange method. This setting specifies that the strongswan server must use EAP over RADIUS to authenticate VPN clients for this type of connection. This setting specifies that user certificates are not used for client authentication. This setting specifies the identity of the VPN client to use for authentication. The VPN Authentication server does not use this setting, but you must include it in the conn section. The "%any" value instructs the strongswan server to pass the identity provided by the VPN client. This setting specifies that this connection section is active. The VPN Authentication server does not use this setting, but you must include it in the conn section. eap-radius.conf configuration The eap-radius.conf file is located in the /etc/strongswan.d/charon directory. It specifies the details for EAP over RADIUS authentication. The default configuration file has all the settings that you must configure, but most of them are commented out and some of them do not have any value assigned. You must modify the required settings by removing the number sign (#) and setting their values as described in the following table. 24

25 Configuring VPN server connectivity Setting accounting=no nas_identifier port=1812 secret=<shared secret> server=<ip of VPNAuth server> ike_to_radius=1, 2, 311:1, 311:11, 311:25 Description This setting prevents strongswan from sending RADIUS accounting information to the VPN Authentication server. This optional setting specifies the NAS-Identifier to include in RADIUS messages. You can use this setting if multiple strongswan servers are using the same VPN Authentication server. This setting specifies the port used by the VPN Authentication server to receive RADIUS requests for authentication. This setting specifies the shared secret between strongswan and the VPN Authentication server. When you configure VPN server connectivity in the VPN Authentication server, you must type the RADIUS shared secret that you specify here. This setting specifies the IP address or FQDN of the VPN Authentication server. This setting specifies a comma-separated list of numbers that represent the list of RADIUS attributes that strongswan needs to forward to the VPN Authentication server. Numbers separated by colons indicate vendor-specific attributes. The first number identifies the vendor (for example, 311 is the number for Microsoft), and the second number identifies the attribute type. This setting is in the forward section of the configuration file. radius_to_ike=311:26, 311:17, 311:16 This setting specifies a comma-separated list of numbers that represent the list of RADIUS attributes that the VPN Authentication server needs to forward to strongswan. Numbers separated by colons indicate vendor-specific attributes. The first number identifies the vendor (for example, 311 is the number for Microsoft), and the second number identifies the attribute type. This setting is in the forward section of the configuration file. Configure VPN gateway connectivity in the VPN Authentication server Before you begin: Obtain the IP address and shared secret for the VPN gateways. 25

26 Configuring VPN server connectivity 1. In the configuration tool, on the menu bar, click VPN. 2. Click Add new VPN server. 3. In the VPN server friendly name field, type a unique name for the VPN gateway that you are connecting to. 4. In the VPN server IP address field, type the IP address of the VPN gateway. 5. In the Shared secret and Confirm shared secret fields, type and confirm the shared secret of the VPN gateway. 6. Click Add VPN server. 7. Repeat these steps for each VPN gateway that you want to add. 8. Click Commit changes. After you finish: Delete the example VPN gateways. 26

27 Connecting the VPN Authentication server to Microsoft Active Directory Connecting the VPN Authentication server to Microsoft Active Directory 5 You can connect VPN Authentication by BlackBerry to one or more servers in your Microsoft Active Directory domain. VPN Authentication uses Microsoft Active Directory to determine which authentication option is supported by a particular user. The supported authentication option is determined by group membership. You must create the following groups in Microsoft Active Directory and add the appropriate user accounts to each group: A bypass group that you can use for users who might have lost their devices or forgotten them. This group permits users to still log in to your VPN network using Microsoft Active Directory authentication only. The default name that VPN Authentication uses for this group is "BypassSecondFactorGroup". A group for each authentication option your organization supports. The available authentication methods are: Forced Microsoft Active Directory password authentication on the computer (the default name that VPN Authentication uses for this group is "EnterpriseAuthGroup") For BlackBerry 10 and BlackBerry OS only, forced password authentication on the device (the default name that VPN Authentication uses for this group is "ActiveDeviceAuthGroup") Password authentication on the device only when the device is locked (the default name that VPN Authentication uses for this group is "PassiveDeviceAuthGroup") If required, you can change the group names. If you are not using one of the authentication options, do not create the group in Microsoft Active Directory. VPN Authentication by BlackBerry supports subgroups, nested to the third level. Note: Each user can only belong to one authentication group. If a user belongs to the bypass group and another authentication group, VPN Authentication uses bypass authentication. Related information Supported authentication protocols for each authentication option, on page 21 Connect the VPN Authentication server to Microsoft Active Directory Before you begin: To permit VPN Authentication to find user accounts in Microsoft Active Directory, you must create an LDAP user account and password that VPN Authentication can use to connect to Microsoft Active Directory. 1. In the configuration tool, on the menu bar, click Active Directory. 27

28 Connecting the VPN Authentication server to Microsoft Active Directory 2. In the Server name field, type the FQDN or IP address of the Microsoft Active Directory server or the FQDN of the DNS pool. 3. In the Port field, type the port that the Microsoft Active Directory server uses. 4. In the Security drop-down list, select the security method that Microsoft Active Directory uses. 5. In the UserID and Domain of service account field, type the name of the LDAP user account that VPN Authentication can use to connect to Microsoft Active Directory. You can use the or <domain>/<userid> formats. 6. In the Password and Confirm password fields, type the password of the LDAP user account. 7. In the Query DN field, type the DN to the area in the Microsoft Active Directory tree where VPN Authentication can start searching for user accounts. 8. In the Windows domain field, type the domain that user accounts exist in. 9. In the Microsoft Active Directory groups for VPN Authentication options section, type the names of the groups that you created in Microsoft Active Directory. Note: The group name fields cannot be blank. If you are not using one of the authentication options, leave the group name at its default value and do not create the group in Microsoft Active Directory. 10. Click Update settings. 11. Click Commit changes. Related information VPN authentication options, on page 6 28

29 Configuring the connection to an EMM solution from BlackBerry Configuring the connection to an EMM solution from BlackBerry 6 This section outlines how you configure connections to EMM solutions from BlackBerry. Configuring support for high availability of an EMM solution from BlackBerry If you configured high availability for BES5, BES10, or BES12, VPN Authentication by BlackBerry can connect to multiple servers in a single EMM domain to increase fault tolerance and perform load-balancing. For BES5 and BES10, VPN Authentication supports separate pools for the connections to the BlackBerry Administration Service (for user-to-device mapping) and BlackBerry MDS Connection Service (for push requests to devices). For BES5 and BES10, you must verify the following: When you configure the DNS pool for the BES5 or BES10 instances in the DNS server, all instances must have an assigned host name and must be resolvable using reverse DNS. The SSL certificate that is in the BES5 or BES10 keystores must establish trust for all the BES5 or BES10 instances and the BlackBerry Administration Service pool. You can use a wildcard certificate (for example, *.example.com) or a certificate that includes the FQDNs of all the servers and the FQDN of the BlackBerry Administration Service pool in the SAN field. For information on how to import SSL certificates into the keystores, see the BES10 Configuration content or the BES5 Administration content. For BES12, note the following: Currently, users cannot activate a device managed by BES12 Cloud to use VPN Authentication. For environments with BES12 Cloud, a separate on-premises BES12 instance is required to manage this product. In environments with both cloud and on-premises BES12 instances, the same device cannot be managed by both solutions. However, a single user with different devices (for example, a work device and a personal device) on each BES12 solution is supported. Future versions of VPN Authentication will directly support cloud solution users. 29

30 Configuring the connection to an EMM solution from BlackBerry Prerequisites: Connecting the VPN Authentication server to BES12 Note: Currently, users cannot activate a device managed by BES12 Cloud to use VPN Authentication. For environments with BES12 Cloud, a separate on-premises BES12 instance is required to manage this product. In environments with both cloud and on-premises BES12 instances, the same device cannot be managed by both solutions. However, a single user with different devices (for example, a work device and a personal device) on each BES12 solution is supported. Future versions of VPN Authentication will directly support cloud solution users. Obtain the following information from all BES12 domains that you want to connect to: FQDN of the BES12 server or pool FQDN of the Microsoft SQL Server that hosts the BES12 database If the database is using static ports, the port of the Microsoft SQL Server (by default, 1433) Name of the BES12 database For SQL authentication with the BES12 server, username and password of a Microsoft SQL Server account that can access the BES12 database (this account can be the account you specified when you installed BES12, or a Microsoft SQL Server account with the db_datareader role that you created specifically for VPN Authentication) In environments where the VPN Authentication server is deployed as a virtual appliance, the account password used by VPN Authentication to access the BES12 database cannot contain special characters. Only alphanumeric characters are supported. This applies to both SQL Server authentication and Microsoft Active Directory authentication. For NTLM authentication with the BES12 database server: Verify that the Active Directory service account that VPN Authentication uses is in the same Microsoft Active Directory domain as the BES12 database server. Verify that the Active Directory service account can access the BES12 database. Optionally, the FQDN and port of the BlackBerry MDS Connection Service instance or pool that BlackBerry 10 devices use Optionally, the FQDN and port of the BlackBerry MDS Connection Service instance or pool that BlackBerry OS (version 6.0 to 7.1) devices use Connect the VPN Authentication server to BES12 Complete this task for each BES12 domain that you want to connect VPN Authentication by BlackBerry to. 30

31 Configuring the connection to an EMM solution from BlackBerry 1. In the configuration tool, on the menu bar, click BlackBerry EMM. 2. Click Add BlackBerry EMM. 3. In the EMM server friendly name field, type a unique, descriptive name for the BES12 instance or domain. 4. Under EMM solution type, select BES In the EMM server FQDN field, type the FQDN of the computer that hosts BES12 or the FQDN of the BES12 pool. 6. In the BES12 database FQDN field, type the FQDN of the database server. 7. In the BES12 database port field, type the port number for the database server. If your database uses dynamic ports (for example, it is a named instance of SQL), type Select the Use SSL? option if the VPN Authentication server must connect to the database server using SSL. 9. Optionally, in the BES12 database instance field, type the instance name of the BES12 database. 10. In the BES12 database name field, type the name of the BES12 database. 11. Perform one of the following tasks: Task Configure support for SQL authentication Steps 1. In the BES12 database username field, type the name of the Microsoft SQL Server account that can access the BES12 database. 2. In the BES12 database password and Confirm BES12 database password fields, type the password for the account. Configure support for NTLM authentication Select the Use NTLM authentication option. Selecting this option enables three fields: username, password and domain. Enter your Active Directory information in these fields. 12. In the Push for BlackBerry 10 devices section, perform the following tasks: a. In the Hostname field, type the FQDN for the BlackBerry MDS Connection Service instance or pool that sends push requests to BlackBerry 10 devices. b. In the Port field, type the port that BlackBerry MDS Connection Service uses. By default, the HTTP port is In the Push for BlackBerry OS devices section, perform the following tasks: a. In the Hostname field, type the FQDN for the BlackBerry MDS Connection Service instance or pool that sends push requests to BlackBerry OS devices. b. In the Port field, type the port that BlackBerry MDS Connection Service uses. By default, the HTTP port is In the Response port for ios and Android, type the port number that ios and Android devices can use to send responses to the VPN Authentication server. The default port is The port increments by one for each BES12 domain that you add. 31

32 Configuring the connection to an EMM solution from BlackBerry 15. Click Add server. 16. Click Commit changes. After you finish: Delete the examples. Prerequisites: Connecting the VPN Authentication server to BES10 Obtain the following information from all BES10 domains that you want to connect to: BlackBerry Administration Service pool name or the FQDN of the computer that hosts the BlackBerry Administration Service One of the following: To use native BlackBerry Administration Service authentication to connect to the BlackBerry Web Services for BlackBerry Device Service, administrator account and password in BlackBerry Administration Service with BlackBerry Administration Service authentication configured and either the Security Administrator or the Enterprise Administrator role To use Microsoft Active Directory authentication to connect to the BlackBerry Web Services for BlackBerry Device Service, a Microsoft Active Directory account and password in BlackBerry Administration Service with either the Security Administrator or the Enterprise Administrator role FQDN and port number of the BlackBerry MDS Connection Service central push server or pool Connect the VPN Authentication server to BES10 Complete this task for each BES10 domain that you want to connect VPN Authentication by BlackBerry to. 1. In the configuration tool, on the menu bar, click BlackBerry EMM. 2. Click Add BlackBerry EMM. 3. In the EMM server friendly name field, type a unique, descriptive name for the BES10 instance or domain. 4. Under EMM solution type, select BES In the EMM server FQDN field, type the FQDN of the computer that hosts a BlackBerry Administration Service or the BlackBerry Administration Service pool name. 6. In the BlackBerry Web Services port field, type the port number that the BlackBerry Web Services uses. The default port is Perform one of the following tasks: 32

33 Configuring the connection to an EMM solution from BlackBerry Task Configure support for BlackBerry Administration Service authentication Configure support for Microsoft Active Directory authentication Steps In the Authentication method list, select Direct authentication. In the Authentication method list, select Microsoft Active Directory authentication. 8. In the BlackBerry Web Services username field, type the administrator account that you created for VPN Authentication in the BlackBerry Administration Service. 9. In the BlackBerry Web Services password field, type the password for the administrator account. 10. In the Push for BlackBerry 10 devices section, perform the following tasks: a. In the Hostname field, type the FQDN for the BlackBerry MDS Connection Service instance or pool that sends push requests to BlackBerry 10 devices. b. In the Port field, type the port that BlackBerry MDS Connection Service uses. By default, the HTTP port is Click Add server. 12. Click Commit changes. After you finish: Delete the examples. Prerequisites: Connecting the VPN Authentication server to BES5 Obtain the following information from all BES5 domains that you want to connect to: BlackBerry Administration Service pool name or the FQDN of the computer that hosts the BlackBerry Administration Service Port that the BlackBerry Web Services uses (by default, 443) One of the following: To use native BlackBerry Administration Service authentication to connect to the BlackBerry Web Services, administrator account and password in BlackBerry Administration Service with BlackBerry Administration Service authentication configured and either the Security Administrator or the Enterprise Administrator role To use Microsoft Active Directory authentication to connect to the BlackBerry Web Services, a Microsoft Active Directory account and password in BlackBerry Administration Service with either the Security Administrator or the Enterprise Administrator role FQDN and port number of the BlackBerry MDS Connection Service instance or pool 33

34 Configuring the connection to an EMM solution from BlackBerry Connect the VPN Authentication server to BES5 Complete this task for each BES5 domain that you want to connect VPN Authentication by BlackBerry to. 1. In the configuration tool, on the menu bar, click BlackBerry EMM. 2. Click Add BlackBerry EMM. 3. In the EMM server friendly name field, type a unique, descriptive name for the BES5 instance or domain. 4. Under EMM solution type, select BES5. 5. In the EMM server FQDN field, type the FQDN of the computer that hosts a BlackBerry Administration Service or the BlackBerry Administration Service pool name. 6. In the BlackBerry Web Services port field, type the port number that the BlackBerry Web Services uses. The default port is Perform one fo the following tasks: Task Configure support for BlackBerry Administration Service authentication Configure support for Microsoft Active Directory authentication Steps In the Authentication method list, select Direct authentication. In the Authentication method list, select Microsoft Active Directory authentication. 8. In the BlackBerry Web Services username field, type the administrator account that you created for VPN Authentication in the BlackBerry Administration Service. 9. In the BlackBerry Web Services password field, type the password for the administrator account. 10. In the Push for BlackBerry OS devices section, perform the following tasks: a. In the Hostname field, type the FQDN for the BlackBerry MDS Connection Service instance or pool that sends push requests to BlackBerry OS devices. b. In the Port field, type the port that BlackBerry MDS Connection Service uses. By default, the HTTP port is Click Add server. 12. Click Commit changes. After you finish: Delete the examples. 34

35 Configure the VPN Authentication server to listen for responses from devices Configure the VPN Authentication server to listen for responses from devices 7 You must set up VPN Authentication by BlackBerry so that devices know where to send their responses. Note: You configure the response port for ios and Android devices when you connect VPN Authentication to BES In the configuration tool, on the menu bar, click General. 2. In the VPN Authentication FQDN (for BlackBerry 10, ios and Android devices) field, type the FQDN of the computer that hosts the VPN Authentication server. 3. In the Server FQDN for Internet access (BlackBerry OS only) field, type the FQDN of the computer that hosts the VPN Authentication server or the FQDN of a proxy server in the DMZ that can forward responses from BlackBerry OS devices. 4. Verify that the default port numbers in the VPN Authentication response ports section are not in use by another application. If there are conflicts, update the port numbers. 5. Click Update settings. 6. Click Commit changes. Related information Connect the VPN Authentication server to BES12, on page 30 Configure a TLS connection for responses from BlackBerry 10 devices Before you begin: On BlackBerry 10 devices, in the Browser certificate store in the work space, install the root certificate of the CA that you re using to generate the signing certificate. For information on how to send CA certificates to devices, see the BES12 Administration content or the BES10 BDS Administration content and BES10 UDS Administration content. You can complete the following task to configure TLS for the connection between the VPN Authentication by BlackBerry server and BlackBerry 10 devices when the devices forward their responses to the VPN Authentication server. 1. Generate a private signing key and place it in the keystore used by the VPN Authentication server. a. Open a command prompt window. b. Change to the <install_dir>/bb2fa-config/listeners/bb10 folder. c. Run the following command: 35

36 Configure the VPN Authentication server to listen for responses from devices../../../jdk/jre/bin/keytool -genkey -keyalg RSA -alias bb2fa -keystore bb10_server.jks d. At the Enter keystore password prompt, type password. Press Enter. e. At the What is your first and last name? prompt, type the FQDN or IP address of the computer that hosts the VPN Authentication server. This entry must match the VPN Authentication FQDN (for BlackBerry 10, ios and Android devices) field that you configured in step 2 of Configure the VPN Authentication server to listen for responses from devices. f. Press Enter. g. Proceed through the remaining prompts. h. Verify that the CN matches the VPN Authentication FQDN (for BlackBerry 10, ios and Android devices) field that you configured in step 2 of Configure the VPN Authentication server to listen for responses from devices. i. Type yes. Press Enter. 2. To generate a CSR, run the following command:../../../jdk/jre/bin/keytool -certreq -alias bb2fa -keystore bb10_server.jks file <mycsrfile.csr> 3. Use the CSR file to obtain a signed certificate from your organization s CA. 4. Add the signed certificate to the keystore used by the VPN Authentication server. a. Open a command prompt window. b. Change to the <install_dir>\bb2fa-config\listeners\bb10 folder. c. Run the following command:../../../jdk/jre/bin/keytool -keystore bb10_server.jks -import -alias bb2fa -file <yourcertfile.p7b> -trustcacerts d. At the Enter keystore password prompt, type password. Press Enter. e. If a message that asks whether to install the certificate even though it isn't trusted appears, type yes. Press Enter. f. Proceed through the remaining prompts. 5. In the configuration tool, in the General tab, in the VPN Authentication response ports section, select the Use TLS? option. 6. Click Update settings. 7. Click Commit changes. 36

37 Customize the VPN Authentication app Customize the VPN Authentication app 8 You can update the message that the VPN Authentication by BlackBerry app displays to users when they connect to your VPN network. A number of factors limit the text in the message. The configuration tool lets you know how many characters you can use in the message. Note: Messages to ios devices are limited to 255 characters. If the size of your message is greater than 255 characters, the configuration tool displays a warning that you cannot send messages to ios devices. This limitation does not affect other device types. To reduce the message size, you can leave the "Confirm button text" and "Decline button text" fields blank. The app on the device uses the default "Confirm" and "Decline" text if the message does not include the button text. 1. In the configuration tool, on the menu bar, click General. 2. In the Message title field, type the title that you want the app to display in its message. For example, "Example Organization's VPN." 3. In the Message field, type the message that you want the app to display to users. This message explains to users what is required from them. 4. In the Confirm button text field, type the text that appears on the button users can tap to confirm second-factor authentication. 5. In the Decline button text field, type the text that appears on the button users can tap to decline second-factor authentication. 6. In the Timeout (seconds) field, type the amount of time, in seconds, before the authentication transaction expires. 7. Click Update settings. 8. Click Commit changes. 37

38 Sending the VPN Authentication app to devices Sending the VPN Authentication app to devices 9 The app is available for any BlackBerry 10, BlackBerry OS (version 6 to 7.1), ios, or Android device that an EMM solution from BlackBerry manages. Sending the VPN Authentication app to BlackBerry 10 devices using BES12 The VPN Authentication by BlackBerry app is included in the installation folder. You must perform the following actions to send the app to BlackBerry 10 devices when you are using BES12: Copy the.bar file from the software bundle to a location that the BES12 management console can access. If you have not yet completed this task, use the BES12 management console to specify a shared network location for internal apps. In the BES12 management console, add the.bar file as an internal app. In the BES12 management console, assign the app to user accounts or groups. For devices with a work space, the app is installed in the work space. Users can install it using BlackBerry World for Work if you do not make the installation mandatory. For more information, see the BES12 Administration content. Sending the VPN Authentication app to BlackBerry 10 devices using BES10 The VPN Authentication by BlackBerry app is included in the installation folder. You must perform the following actions to send the app to devices: Copy the.bar file from the software bundle to a location that BlackBerry Administration Service can access. If you have not yet completed this task, use the BlackBerry Administration Service to specify a shared network folder for apps. In the BlackBerry Administration Service, add the app to the BlackBerry Administration Service app repository. 38

39 Sending the VPN Authentication app to devices In the BlackBerry Administration Service, create a software configuration. In the BlackBerry Administration Service, add the app to the software configuration. In the BlackBerry Administration Service, assign the software configuration to user accounts or groups. For devices with a work space, the app is installed in the work space. Users can install it using BlackBerry World for Work if you do not make the installation mandatory. For more information, see the BES10 BDS Administration content and BES10 UDS Administration content. Sending the VPN Authentication app to BlackBerry OS devices using BES12 The VPN Authentication by BlackBerry app is included in the installation folder. You must perform the following actions to send the app to BlackBerry OS (version 6.0 to 7.1) devices over the wireless network when you are using BES12. The app is a BlackBerry Java Application. Copy the BlackBerryVPNAuthentication_OTA.zip file from the software bundle to a location that the BES12 management console can access. If you have not yet completed this task, use the BES12 management console to specify a shared network location for internal apps. In the BES12 management console, add the app to the shared network folder, following the instructions for BlackBerry OS devices. In the BES12 management console, create a software configuration. You can use the Standard Required or Standard Optional application control policy. In the BES12 management console, add the app to the software configuration. In the BES12 management console, assign the software configuration to a user account or user group. To distribute the app using BlackBerry Web Desktop Manager, use the BlackBerryVPNAuthentication_Desktop.zip in <install_dir>/deviceapp/bbos instead. For more information, see the BES12 Administration content. Sending the VPN Authentication app to BlackBerry OS devices using BES5 The VPN Authentication by BlackBerry app is included in the installation folder. You must perform the following actions to send the app to BlackBerry OS (version 6.0 to 7.1) devices over the wireless network when you are using BES5. The app is a BlackBerry Java Application. 39

40 Sending the VPN Authentication app to devices Copy the BlackBerryVPNAuthentication_OTA.zip file from the software bundle to a location that the BlackBerry Administration Service management console can access. If you have not yet completed this task, use the BlackBerry Administration Service to specify a shared network folder for apps. In the BlackBerry Administration Service, add the app to the application repository. In the BlackBerry Administration Service, create a software configuration. You can use the Standard Required or Standard Optional application control policy. In the BlackBerry Administration Service, add the app to the software configuration. In the BlackBerry Administration Service, assign the software configuration to user accounts or groups. To distribute the app using BlackBerry Web Desktop Manager, use the BlackBerryVPNAuthentication_Desktop.zip in <install_dir>/deviceapp/bbos instead. For more information, see the BES5 Administration content. Sending the VPN Authentication app to ios or Android devices using BES12 The VPN Authentication by BlackBerry app is packaged with the BES12 Client. The BES12 Client is installed on any ios or Android device that is managed by BES12. You do not need to perform any additional tasks to send the app to ios or Android devices. Any updates made to the app are pushed to the devices using the app stores. For more information about the BES12 Client, see the BES12 Administration content. 40

41 Architecture: VPN Authentication high availability Architecture: VPN Authentication high availability 10 VPN Authentication by BlackBerry supports active-active high availability. You can install multiple instances of the VPN Authentication server to provide load-balancing for authentication requests and to promote reliability. The following diagram shows a high availability scenario. Some VPN solutions might include a load balancer, and in that scenario a separate load balancer is not required. Configuring high availability You can use the same ports for all VPN Authentication servers. To maintain the unique encryption of configuration information, it is recommended that you do not copy the bb2fa-config.json file between VPN Authentication servers. You must use the configuration tool to configure each server separately. Task Description If you have not already done so, set up high availability for your VPN gateway. For more information, see the documentation for your VPN gateway. Install two or more VPN Authentication servers. During subsequent installations, you can choose not to select the VPN Authentication app files. You do not need to install the files more than once. For more information, see Installing the VPN Authentication server. On the VPN server, create a profile for the VPN Authentication servers in your environment. Configure the VPN clients on your users computers to use the profile. 41

42 Architecture: VPN Authentication high availability Task Description For more information, see Configuring VPN server connectivity. For each VPN Authentication server, set up the configuration tool for use. For more information, see Start the configuration tool. For each VPN Authentication server, connect it to the VPN gateway. For more information, see Configuring VPN server connectivity. For each VPN Authentication server, connect it to your Microsoft Active Directory. You can use the same information that you used for the first VPN Authentication server that you configured. For more information, see Connecting the VPN Authentication server to Microsoft Active Directory. For each VPN Authentication server, connect it to BES5, BES10, or BES12. You can use the same information that you used for the first VPN Authentication server that you configured. For more information, see Configuring the connection to an EMM solution from BlackBerry. For each VPN Authentication server, customize the VPN Authentication app message. You can use the same message that you used for the first VPN Authentication server that you configured. For more information, see Customize the VPN Authentication app. For each VPN Authentication server, turn off the configuration tool. For more information, see Turn off the configuration tool. For each VPN Authentication server, start the Virtual Appliance service. For more information, see Start the VPN Authentication server. If you have not already done so, send the VPN Authentication app to devices. For more information, see Sending the VPN Authentication app to devices. 42

43 Logging and reporting Logging and reporting 11 The VPN Authentication by BlackBerry stores its log files in <install_dir>/logs. There are four log files: bb2fa.log is the main log file that includes all the messages that the VPN Authentication server writes. For example, it includes startup and shutdown messages and messages related to the progress of authentication. key_log.txt is the file that contains messages related to the creation and status of the keys that the VPN Authentication server requires to protect sensitive information such as passwords. bb2fa-audit.log is a comma-delimited audit file that records each authentication request that the VPN Authentication server made. VPN Authentication uses the Apache log4j logging tool for logging. By default, the VPN Authentication server writes log messages at the Info level. The VPN Authentication server creates new log and audit files daily. When the log or audit file is created, the previous log or audit file is time-stamped as bb2fa.<date>.log or b2fa-audit.log.<date>. You can change the logging level and where VPN Authentication stores the log and audit files using the log4j.properties file in <install_dir>/bb2fa-config. For more information, read the Apache log4j 2 User s Guide at Auditing authentication transactions VPN Authentication by BlackBerry records each authentication request that it makes in an audit log file when the request expires. The audit log file includes the following information about each request: Date and time of request Request ID User ID of the user in BES5, BES10, or BES12 Authentication option BB10 devices found associated to the user, and confirmation of successful request to the devices ios/android devices found associated to the user BBOS devices found associated to the user For successful requests, the device ID (for BlackBerry 10 and BlackBerry OS devices, the device ID is the device PIN, for ios and Android devices, the device ID is the perimeter ID) Duration of authentication request, in seconds Result of request (for example, if it was successful, denied, or timed out) 43

44 Logging and reporting For example: ,16:02:32.413,f58ab935,user01,BB10,12G34H56,ENTERPRISE_PW, ,AUTH_SUCCEEDED The audit log file is a comma-delimited file that you can open in any software that supports CSV. It is named bb2fa-audit.log and is stored in <install_dir>/logs. Centralize logging or auditing using syslog You can configure VPN Authentication by BlackBerry so that it writes its log files, its audit files, or both to a centralized syslog server instead of local files. Note: This task demonstrates one way to centralize logging. For more information about how to configure logging, read the Apache log4j 2 User s Guide at 1. Browse to the <install_dir>/bb2fa-config folder. 2. Back up the log4j.properties file. 3. Open the log4j.properties file in a text editor. 4. To send log messages to a central syslog server, perform the following actions: a. Change the value of log4j.rootlogger to one of the following: To write log messages only to a syslog server, ALL, syslog To write log messages locally and to a syslog server, ALL, logfile, syslog b. Add the following lines: log4j.appender.syslog=org.apache.log4j.net.syslogappender log4j.appender.syslog.threshold=info log4j.appender.syslog.sysloghost=<hostname>:<port> log4j.appender.syslog.layout=org.apache.log4j.patternlayout log4j.appender.syslog.layout.conversionpattern=[%-5p] %c - %m%n c. Set the value of log4j.appender.syslog.sysloghost to the host name and port of your syslog server. d. Optionally, to remove local logging, delete the following lines: # Log file output log4j.appender.logfile=org.apache.log4j.dailyrollingfileappender log4j.appender.logfile.layout=org.apache.log4j.patternlayout log4j.appender.logfile.layout.conversionpattern=%d{iso8601} [%-5p] (%t) %c - %m%n log4j.appender.logfile.datepattern='.'yyyy-mm-dd log4j.appender.logfile.threshold = INFO 44

45 Logging and reporting log4j.appender.logfile.append=true log4j.appender.logfile.file=logs/bb2fa.log 5. To send audit messages to a central syslog server, perform the following actions: a. Change the value of log4j.logger.auditlogger to one of the following: to write audit messages only to a syslog server, ALL, auditsyslog to write audit messages locally and to a syslog server, ALL, auditfile, auditsyslog b. Add the following lines: log4j.appender.auditsyslog=org.apache.log4j.net.syslogappender log4j.appender.auditsyslog.threshold = INFO log4j.appender.auditsyslog.sysloghost=<hostname>:<port> log4j.appender.auditsyslog.layout=org.apache.log4j.patternlayout log4j.appender.auditsyslog.layout.conversionpattern=%d{yyyy-mmdd},%d{hh:mm:ss.sss},%m%n c. Set the value of log4j.appender.syslog.sysloghost to the host name and port of your syslog server. You must use a different port for the audit file than for for the log file. d. Optionally, to remove local auditing, delete the following lines: # Audit log output log4j.appender.auditfile=org.apache.log4j.dailyrollingfileappender log4j.appender.auditfile.layout=org.apache.log4j.patternlayout log4j.appender.auditfile.layout.conversionpattern=%d{yyyy-mmdd},%d{hh:mm:ss.sss},%m%n log4j.appender.auditfile.datepattern='.'yyyy-mm-dd log4j.appender.auditfile.threshold = INFO log4j.appender.auditfile.append=true log4j.appender.auditfile.file=logs/bb2fa-audit.log 6. Save your changes. 7. Restart the VPN Authentication service. 45

46 Product documentation Product documentation 12 To read the following guides or additional related materials, visit Resource VPN Authentication by BlackBerry Compatibility Matrix Description Software requirements for the VPN Authentication server Supported mobile operating systems Supported VPN gateways Supported EMM solutions from BlackBerry VPN Authentication by BlackBerry Release Notes Descriptions of known issues and potential workarounds 46

47 Glossary Glossary 13 AAA AES APNs Authentication, Authorization, Accounting Advanced Encryption Standard Apple Push Notification service BES5 BlackBerry Enterprise Server 5 BES10 BlackBerry Enterprise Service 10 CA CSR DMZ DNS EAP EAP-MS-CHAP EMM FQDN GCM HTTP HTTPS IKE IP IPsec LDAP LDAPS MS-CHAP NIC NTLM PAP PIN certification authority certificate signing request A demilitarized zone (DMZ) is a neutral subnetwork outside of an organization's firewall. It exists between the trusted LAN of the organization and the untrusted external wireless network and public Internet. Domain Name System Extensible Authentication Protocol Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol Enterprise Mobility Management fully qualified domain name Google Cloud Messaging Hypertext Transfer Protocol Hypertext Transfer Protocol over Secure Sockets Layer Internet Key Exchange Internet Protocol Internet Protocol Security Lightweight Directory Access Protocol Lightweight Directory Access Protocol over SSL Microsoft Challenge Handshake Authentication Protocol network interface card NT LAN Manager Password Authentication Protocol personal identification number 47

48 Glossary PKI RADIUS SAN SHA SQL SSL TCP/IP TLS UDP VPN XML Public Key Infrastructure Remote Authentication Dial In User Service subject alternative name Secure Hash Algorithm Structured Query Language Secure Sockets Layer Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to transmit data over networks, such as the Internet. Transport Layer Security User Datagram Protocol virtual private network Extensible Markup Language 48

49 Legal notice Legal notice BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY, BES, EMBLEM Design, GOOD, GOOD WORK, LOCK Design, MANYME, MOVIRTU, SECUSMART, SECUSMART & Design, SECUSUITE, SECUVOICE, VIRTUAL SIM PLATFORM, WATCHDOX and WORKLIFE are the trademarks or registered trademarks of BlackBerry Limited, its subsidiaries and/or affiliates, used under license, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners. Android is a trademark of Google Inc. Apache log4j is a trademark of The Apache Software Foundation. Cisco and Cisco AnyConnect are trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. Citrix and NetScaler are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. ios is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. ios is used under license by Apple Inc. Java and JavaScript are trademarks of Oracle and/or its affiliates. Microsoft, Active Directory, Internet Explorer, SQL Server, Windows, and Windows Phone are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Check Point is a trademark of Check Point Software Technologies LTD. All other trademarks are the property of their respective owners. This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all. This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way. EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON- INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY 49

50 Legal notice LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON- PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY. THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS. IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION. Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry. 50

51 Legal notice The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION. BlackBerry Limited 2200 University Avenue East Waterloo, Ontario Canada N2K 0A7 BlackBerry UK Limited 200 Bath Road Slough, Berkshire SL1 3XE United Kingdom Published in Canada 51