Borderware MXtreme. Secure Gateway QuickStart Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Transcription

1 Borderware MXtreme Secure Gateway QuickStart Guide Copyright 2005 CRYPTOCard Corporation All Rights Reserved

2 Overview MXtreme is a hardened appliance with a highly robust mail transfer agent (MTA) and gateway that prevents -borne threats from entering the network while protecting against spam and viruses. It also provides content and policy control with the industry s most comprehensive audit and reporting tools. Typically deployed in the DMZ or in parallel to the corporate firewall, MXtreme brokers all inbound and outbound mail traffic for comprehensive transaction management. Directory authentication allows users to be authenticated without having a local MXtreme account. When an unknown user logs in, MXtreme will send the UserID and password to the specified RADIUS or LDAP server. If the user is authenticated, MXtreme logs them in and provides access to the specified server or servers. RADIUS and LDAP are widely supported, and provide a convenient way of providing access to internal mail servers or web mail servers such as Outlook Web Access. Users who login locally to an Exchange server based on an Active Directory identity can use the same identity to use Outlook Web Access using MXtreme s Secure WebMail service. Note: If both RADIUS and LDAP services are defined, the system will try to authenticate via RADIUS first, and then LDAP if the RADIUS authentication fails. If using CRYPTO-Server with LDAP and RADIUS, CRYTPO-Server will first verify the userid against LDAP, then perform the authentication. In this mode failover to LDAP authentication is not recommended End-User responds to the MXtreme logon prompt by entering their logon name and CRYPTOCard generated One-time Password (OTP). MXtreme passes the authentication request via RADIUS to CRYPTO-Server. CRYPTO- Server authenticates the End-user and passes a RADIUS accept message back. MXtreme allows access to mail services on receipt of the RADIUS accept message. 3 rd Party Integration: Borderware Secure Gateway Quickstart Guide 1

3 Configuring RADIUS Authentication Select User Mailboxes / Directory Users from the menu to configure RADIUS authentication. Server Enter the FQDN or IP address of the RADIUS server. Shared Secret Enter the shared secret for the RADIUS server. A shared secret is a text string that acts as a password between a RADIUS server and client. Choose a secure shared secret of at least 8 characters in length, and include a mixture of upper and lowercase alphabetic characters, numbers, and special characters such as symbol. Timeout Enter a timeout value to contact the RADIUS server. Retry Enter the retry interval to contact the RADIUS server. The servers listed in the Accessible Servers option are configured via User Mailboxes / Secure WebMail. See the Secure WebMail and BorderPost section of the Mxtreme manual for more detailed information on configuring Secure WebMail. Note: When you add a RADIUS server, the administrator of the RADIUS server must also list this MXtreme Mail Firewall as a client using the same shared secret. All listed RADIUS servers must contain the same users and credentials. Configure the CRYPTO-Server If you wish to use the CRYPTO-Server as your RADIUS server, you must verify that the Protocol Server is configured to accept RADIUS communications. 3 rd Party Integration: Borderware Secure Gateway Quickstart Guide 2

4 Connect to the CRYPTO-Server using the Console, and choose Server -> System Configuration & Status from the menu. In the Entity column choose RadiusProtocol. Next look at the Value corresponding to the key NAS.2. The data in this value field defines which RADIUS clients are allowed to connect to the CRYPTO-Server, and the shared secret they must use. RadiusProtocol NAS.# keys By default, the CRYPTO-Server is configured to listen for RADIUS requests over UDP port 1812, from any host on the same subnet, using a shared secret of testing123. You can manually define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. The syntax of the data for a NAS entry is as follows: <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols> Where: <First IP>: The first IP address of the RADIUS client(s) configured in this NAS.# key. 3 rd Party Integration: Borderware Secure Gateway Quickstart Guide 3

5 <Last IP>: The last IP address of the RADIUS client(s) configured in this NAS.# key. If only one IP address is defined by a NAS.# key, the <First IP> and <Last IP> will be the same. <Hostname>: Only applies in cases where the NAS.# key is for one host. Required for performing reverse lookup. <Shared Secret>: A string used to encrypt the password being sent between the CRYPTO-Server and the RADIUS client (i.e. the Check Point VPN/Firewall). You will need to enter the exact same string into the Check Point configuration in Section 3. The <Shared Secret> string can be any combination of numbers and uppercase and lowercase letters. <Perform Reverse Lookup?>: An added security feature of the CRYPTO-Server is its ability to verify the authenticity of a RADIUS client by cross-checking its IP address with the Domain Name Server. If this value is set to true, when the CRYPTO-Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the hostname set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry, otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client, and ignores the request completely (also known as a man in the middle attack). <Authentication Protocols>: Many different authentication protocols can be used during RADIUS authentication. Common examples are PAP, CHAP,MS-CHAP and EAP. This setting determines which authentication protocols the CRYPTO-Server will allow from a given RADIUS client. Currently PAP and CHAP are the only available authentication protocols for RADIUS clients. NOTE: After changing or adding a NAS.# entry, click the Apply button. Verifying the CRYPTO-Server RADIUS Protocol Settings The RADIUSProtocol.dbg log on the CRYPTO-Server will include information about its RADIUS configuration. Each time the Protocol Server starts, the following information is logged: Adding IP range to to ACL with reverse lookup set to false Adding IP range to to ACL with reverse lookup set to false RADIUS protocol has established link with EJB server at jnp:// :1099 RADIUS Receiver Started: listening on port 1812 UDP. RADIUS Receiver Started: listening on port 1813 UDP. 3 rd Party Integration: Borderware Secure Gateway Quickstart Guide 4

6 This example indicates that the CRYPTO-Server is listening for RADIUS requests on UDP port 1812 (for authentication) and 1813 (for accounting), and RADIUS clients within the IP range of to As well, no reverse lookup is being performed. 3 rd Party Integration: Borderware Secure Gateway Quickstart Guide 5