Quick Start Guide (Version 5.7)

Copyright 2013 Deepnet Security Limited
Copyright 2013, Deepnet Security. All Rights Reserved.
Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights

Under the international copyright law, neither the Deepnet Security software nor documentation may be copied, reproduced, translated or reduced to any electronic medium or machine readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer

This document is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.

Deepnet Security Limited
Building 3
North London Business Park
Oakleigh Road South
London N11 1GN
Tel: +44(0)20 3668 1580
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com
Table of Contents

First-time Logon
  Management Console
  Login & Change Password
  Install License Key
Quick Start
  Step 1: Application & Agent
  Step 2: Logon Procedure
  Step 3: Realm & Domain
  Step 4: Summary
Tutorial
  Step 1: Create Identity Source
  Step 2: Create Domain
  Step 3: Create Realm
  Step 4: Create Logon Procedure
  Step 5: Create Application
  Step 6: Publish Application
First-time Logon

Management Console

After the successful installation of the, a desktop icon named DualShield Management Console is placed on your desktop. Click the icon to launch the Management Console.

If you are accessing the Management Console from a machine other than the one where the servers are installed, launch your web browser and enter one of the URLs below:

http://dualshield.yourdomain.com:8073/dmc
or
https://dualshield.yourdomain.com:8073/dmc

Here yourdomain.com is the domain name that you provided at installation. If you changed the default port number 8073, replace it with the port number that you provided for the Management Console.

The first time, it may take a minute or so for the server to start up. Below is the screenshot of the login page of the management console:
Login & Change Password

When you installed the authentication server, it created a default system administrator account with the following credentials:

Login Name: sa
Password: sa

Enter the above credentials to log in. You will then be asked to reset the system administrator's password. You need to choose a password that meets the following policy:

Minimum length: 6
Must include uppercase letter(s)
Must include lowercase letter(s)
Must include special letter(s)

You can change the password policy once you have logged in.
Please note that if you're accessing the management console from a remote PC, it will take about 1 minute to load up the UI.

You have now successfully logged into the Management Console.
Install License Key

Before you continue, you must first install your license key. Select Configuration > License, then click the Import button.

If the server has access to the Internet, simply enter your license key and click the Save button. Then skip the rest of this section and go to the next chapter: Quick Start.

If there is no Internet connection from the server machine, you need to obtain your license data from the licensing server. Find a machine that has an Internet connection and enter the URL below in your browser:

http://license.deepnetsecurity.com/register/install-license.htm
Enter the License Installation Code displayed on the management console. You will shortly receive your license data key in your email box.

Go back to the management console. In the Import Licence window, select Licence Data from the Input field, then enter the license data that you just received. Click Save to save it.
Quick Start

DualShield is application centric. After all, its main purpose is to protect business applications with multi-factor authentication. The diagram below illustrates the key components in the system and how an application is related to those components.

[Diagram: Authentication Agent N → N Application; Application N → 1 Realm; Realm N → N Domain; Domain N → 1 Identity Source (SQL, AD, LDAP); example user Jane.Smith]

The quickest way to get started is to create an application by using the Application Wizard. The Wizard will create an application and all other components, namely Identity Source, Domain, Realm and Logon Procedure, in a few steps.
In the Shortcuts panel, click the Application Wizard link to launch the wizard. The application wizard consists of 4 steps.

Step 1: Application & Agent

DualShield supports various types of applications, e.g. Windows, VPN, Web, VMWare View and 2X etc. An application must be published on an agent that can support the type of the application.

Application Name: The name of the application to be created.
Application Type: The type of the application.
Agent: The agent on which the application will be published.
Step 2: Logon Procedure

A logon procedure defines how users will be authenticated if they attempt to access the application, such as the total number of factors (steps) that a user must be authenticated with, and the form of the factor to be used in each step.

You can select an existing logon procedure from the list, or you can create a new one by pressing the add (+) button. If you decide to add a new logon procedure, the logon procedure wizard will be launched.

Enter the name of the logon procedure to be created and leave the option ICE unchecked. Click Next to continue.
On this page you will need to add one or more logon steps depending on the type of the application and your authentication policy. Click the Create button to add a logon step.

A logon step can include more than one authenticator. If you include multiple authenticators in a step, then your users will be allowed to use any authenticator in the list on the step.
Once you have added all steps needed for the logon procedure, press the Finish button.

Click the Next button to continue.
Step 3: Realm & Domain

In DualShield, an Identity Source refers to a physical medium that stores a database of users, and a Domain is a local structure that uses an identity source to define an organisation of users. Multiple domains can be grouped into a Realm.

An application can be accessed by a domain of users or by users from a group of domains (realm). Therefore, an application must be linked to a realm.

Select an existing realm from the list, or press the add (+) button to create a new realm.

Enter the name for the new realm to be created.

Select an existing domain from the list, or press the add (+) button to create a new domain.
Select an existing Identity Source from the list, or press the add (+) button to create a new identity source.

Enter the name of the Identity Source to be created.

DualShield supports internal identity sources that are stored in its SQL database, as well as external identity sources, i.e. LDAP user directories.

Select the type of the identity source, e.g. LDAP
Select the provider of the identity source, e.g. Active Directory

Click the Next button to continue.
The page shows how to connect to an Active Directory.

Directory URL: Enter the URL of the LDAP directory to connect to, in the form of ldap://ip-address or ldap://host-name
Access User: A user who has the right to access all user accounts in the directory
Base DN: Select the Base DN in the LDAP directory that is to be used to build the domain

Click the Finish button (skip the subsequent pages).
DNS Name: The Fully Qualified Domain Name (FQDN) of the domain. DNS Name is used by the IIS Agent for web applications.
NetBios Name: The host or machine name of the domain. NetBios name is used by the Windows Agent for Windows logon.

Click the Save button to finish the creation of the new identity source.

Click the Next button to continue to the last page: Summary

Step 4: Summary

Click the Finish button to finish the Application Wizard.
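The rules this chapter states (an application is linked to a realm, a realm groups domains, and each logon step accepts any one of its listed authenticators), as an added Python illustration that is not DualShield code or its API. REALMS, authenticate, min_distinct_factors and the verify callback are hypothetical names and the configuration is constructed. The example goes one step beyond the text by computing how few different authenticators can pass a whole procedure, which shows when a two-step procedure is really single factor.

```python
from itertools import combinations

# Constructed sample configuration (names follow the guide's VPN demo).
REALMS = {"Deepnet Labs": {"DeepnetLabs.com"}}            # realm -> its domains
VPN_TEST = [{"Static Password"}]                           # one step, one factor
VPN_2FA = [{"Static Password"}, {"One-Time Password"}]     # two steps, two factors
VPN_WEAK = [{"Static Password"},                           # two steps, but step 2
            {"Static Password", "One-Time Password"}]      # also accepts the password


def min_distinct_factors(steps):
    """Fewest different authenticators that can satisfy every step, or None
    if the procedure is empty or contains a step with no authenticator."""
    if not steps or any(not step for step in steps):
        return None
    pool = sorted(set().union(*steps))
    for k in range(1, len(pool) + 1):
        for chosen in combinations(pool, k):
            if all(step & set(chosen) for step in steps):
                return k


def authenticate(realm, steps, user_domain, presented, verify):
    """Evaluate one logon attempt; returns (allowed, reason).

    presented: authenticator name -> credential the user supplied
    verify:    hypothetical callback (authenticator, credential) -> bool
    """
    if user_domain not in REALMS.get(realm, set()):
        return False, "domain not in realm"
    if min_distinct_factors(steps) is None:
        return False, "invalid logon procedure"      # fail closed
    for number, step in enumerate(steps, start=1):
        # Any one authenticator listed on the step is enough for that step.
        if not any(name in presented and verify(name, presented[name])
                   for name in step):
            return False, f"step {number} failed"
    return True, "ok"


if __name__ == "__main__":
    secrets = {"Static Password": "constructed-pw", "One-Time Password": "123456"}
    check = lambda name, value: secrets.get(name) == value
    only_pw = {"Static Password": "constructed-pw"}
    for label, steps in [("2FA", VPN_2FA), ("weak", VPN_WEAK)]:
        print(label, min_distinct_factors(steps),
              authenticate("Deepnet Labs", steps, "DeepnetLabs.com", only_pw, check))
```
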
Tutorial

In the last chapter, we used the Application Wizard to quickly create an application and all of its associated components. In this tutorial, we will demonstrate how to manually create an application and all other components needed for the application, step by step, so that you will learn in detail how the system works.

Step 1. Create an Identity Source that's linked to an Active Directory
Step 2. Create a Domain from the Identity Source
Step 3. Create a Realm to include the Domain
Step 4. Create a Logon Procedure and its Logon Steps
Step 5. Create an Application and link it to the Realm
Step 6. Publish the Application

Step 1: Create Identity Source

Identity Source is the fundamental data component for building up the entire system. An identity source can be internal or external. An internal identity source uses the SQL database as its data store, and must be created from the ground up. An external identity source is linked to an existing AD or LDAP directory.

To create an identity source,
  select Identity > Identity Source from the main menu
  click the Create button in the toolbar

The Identity Source Creation Wizard is launched.
DualShield supports internal identity sources that are stored in its SQL database, as well as external identity sources, i.e. LDAP user directories. We are going to create an external identity source that is linked to an AD.

  Enter Name, Description
  Select LDAP in the Type list
  Select Active Directory in the Provider list

Directory URL: Enter the URL of the LDAP directory to connect to, in the form of ldap://ip-address or ldap://host-name
Access User: A user who has the right to access all user accounts in the directory
Base DN: Select the Base DN in the LDAP directory that is to be used to build the domain

Follow the on-screen instructions to complete the set-up.

Step 2: Create Domain

An identity source is just a data store. It needs to be linked to a domain so that the users in the store can be managed through the Management Console.

To create a domain,
  select Directory > Domains from the main menu
  click the Create button in the toolbar

The Domain Creation window is displayed.
Select the Identity Source that we just created, i.e. "Deepnet Labs", and enter the DNS Name and NetBios name of the domain.

DNS Name: The Fully Qualified Domain Name (FQDN) of the domain. DNS Name is used by the IIS Agent for web applications.
NetBios Name: The host or machine name of the domain. NetBios name is used by the Windows Agent for Windows logon.

Click the Save button.

Step 3: Create Realm

The purpose of a realm is to create a group of domains, and to bind this group of domains to an application.

To create a realm,
  Select Authentication > Realms from the main menu
  Click the Create button in the toolbar
  Enter the Name
  Select a domain from the list, e.g. DeepnetLabs.com
  Click Save
Step 4: Create Logon Procedure

In DualShield, a logon procedure defines how users should be authenticated when they attempt to log on to an application. A logon procedure consists of one or more logon steps. In each logon step, the system administrator defines the authenticators that can be used by users to authenticate themselves.

Before we publish an application, we must define the logon procedure for the application. Each application can have a customised logon procedure which specifies how the user should authenticate at logon. For VPN applications, you can specify which authentication factors, such as static password and one-time password, are to be used and how these factors should be combined to form a passcode.

To create a logon procedure,
  Select Authentication > Logon Procedure from the main menu
  Click Create on the toolbar
  Name the Logon Procedure ("VPN" in this demo)
  Select RADIUS from the Type list (as it will be used for a VPN application)
  Click the Save button

A logon procedure has been created. Now, we need to add logon steps to the newly created logon procedure:
  Click the context menu icon of the Logon Procedure ("VPN" in this demo)
  Select Logon Steps in the context menu
  Select the Create button on the toolbar in the Logon Steps window
Select the appropriate option. For now, we will select Static Password as we want to first test the VPN application without two-factor authentication. Later, we will modify the authentication method to be Static Password + One-Time Password after we have learned how to create or assign two-factor authentication tokens to users.

Click Save to save settings.

Step 5: Create Application

In this demo, we want to create an application for VPN access.

To create an application,
  Select Authentication > Applications from the main menu
  Click the Create button in the toolbar
  Enter the Name
  Select a realm from the list ("Deepnet Labs" in this demo)
  Select a Logon Procedure ("VPN" in this demo)
  Click Save
We have now completed the process of creating an application by going through the creation of an Identity Source, Domain, Realm and Application. The next step is to publish the application we just created.

Step 6: Publish Application

As it is a VPN application, it has to be published on a VPN agent, i.e. a RADIUS server. Please refer to the RADIUS Server Installation Guide and install a RADIUS server. We assume that a RADIUS server named "Radius on 59" has been successfully installed.

To publish an application,
  Select Authentication > Agents from the main menu
  A list of Agents is displayed
  Click the context menu icon of the Agent ("Radius on 59" in this demo)
  Select Applications from the context menu
  Select the application you wish to publish ("VPN" in this demo)
  Click the Save button

The application "VPN" is now published through the RADIUS agent "Radius on 59".

Now that you have created an application and published it on an agent, the last step in configuration is the agent itself. Depending on the type of the agent, the configuration varies. Please refer to the following documents for agent configuration instructions:

  VPN & RADIUS Implementation Guide
  Windows Logon Implementation Guide
  Mac Logon Implementation Guide
  IIS 6/7 Implementation Guide
  SSO & SAML Integration Guide