



GTA SSO Auth
Single Sign-On Service
SSOAuth200912-01

Global Technology Associates
3505 Lake Lynda Drive, Suite 109
Orlando, FL 32817
Tel: +1.407.380.0220 Fax: +1.407.380.6080
Email: info@gta.com Web: www.gta.com

Table of Contents
  GTA SSOAuth
  Requirements for Single Sign-On
  Operating the Single Sign-On Server
    Server Mode
    Client Mode
  How the Single Sign-On Server Works
  SSOAuth Installation
  SSOAuth Configuration
  Firewall Configuration
  Configuring Groups
  Group Policies
  Testing the Single Sign-On Authentication
  Frequently Asked Questions
  Legal Notices

GTA SSOAuth

The GTA SSOAuth Active Directory Single Sign-On service is an authentication method that lets users authenticate only once, when they log into a Windows Active Directory domain. When a user has logged into the domain and then attempts to access the Internet through a GTA firewall, the firewall checks whether the user's IP address is in the Authentication Server database. If it is, the firewall retrieves the user's group and matches it against its policies to decide whether Internet access is allowed. The Single Sign-On Authentication (SSOAuth) server maintains the database of users that have authenticated via Active Directory.

Requirements for Single Sign-On
- GB-OS version 5.1.0 or later
- Windows 2003, 2003 R2 or Active Directory server. The Active Directory server must have a valid certificate and Certificate Services installed
- GTA Single Sign-On server installed on the Active Directory server
- .NET Framework 2.0 (or above)
- If a Windows firewall is enabled, the host running the SSOAuth service must be configured to accept connections from the GTA firewall for SSOAuth. The default port is TCP/8443.

Operating the Single Sign-On Server

Server Mode
The SSOAuth server is installed either on the Active Directory server itself or on another host. The firewall and any SSOAuth clients then connect to the SSOAuth server.

Client Mode
This mode is used when there is more than one AD server. SSOAuth clients are installed on the AD servers and point to the SSOAuth server, which builds a database of all users that authenticate on the network.

How the Single Sign-On Server Works
1. A user logs into a PC that is a member of the domain.
2. When the credentials are checked on the Active Directory server, the Single Sign-On server adds the user's login to its database. The record includes the user name, IP address, and group.
3. Next, the user opens a Web browser or another application that requires Internet access.
4. When the packet reaches the firewall, it is matched against a policy that requires authentication. The firewall checks the SSOAuth server for the packet's source IP address.
5. The SSOAuth server returns the user name and group to the firewall.
6. If the returned group matches the group referenced by the policy, the connection is allowed. Otherwise it is denied and logged as "authentication required".

Figure 1: Authentication via SSOAuth (diagram: User, GB-2000 firewall, Internet and Active Directory Server, with callouts 1 to 6 corresponding to the steps above)

SSOAuth Installation
SSOAuth Server installation requires a user with administrative permissions on the Active Directory server.
1. Download SSOAuth from the GTA Support Center or install it from the CD. Running the Windows installer sets up all files required for the service.
2. After the GTA SSOAuth service is installed and started, export its certificate. The firewall uses this certificate to validate that it is connecting to the genuine SSOAuth server. By default the certificate is exported in DER format and is located in the GTA directory, in the GTA SSOAuth folder.
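The six-step flow above, together with the Valid Duration expiry and the default group membership described later in this document, can be modelled in a few dozen lines. The following is an added example and not GTA's code: the in-memory table, the policy shape, the function names and the "first logon owns a shared IP" rule (taken from the Terminal/Citrix server FAQ answer) are modelling assumptions, and times are plain integer seconds so no clock is needed.

```python
# Added example, not GTA's code: a minimal model of the SSOAuth lookup flow.
# Table layout, policy shape and function names are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Groups every Single Sign-On user belongs to by default (see Configuring Groups).
DEFAULT_GROUPS = {"Single Sign-On Users", "ALL_Users"}


@dataclass
class Entry:
    user: str
    groups: Set[str]
    logged_on_at: int  # step 2: time (seconds) the domain logon created this record


class SsoAuthDatabase:
    """IP address -> (user, groups, logon time), as kept by the SSOAuth server."""

    def __init__(self, valid_duration: int) -> None:
        self.valid_duration = valid_duration  # seconds an entry stays valid
        self.entries: Dict[str, Entry] = {}

    def record_logon(self, ip: str, user: str, ad_group: str, now: int) -> None:
        """Step 2: a checked domain logon adds user name, IP and group.

        Only one record exists per IP.  For a shared host (Terminal/Citrix
        server) the FAQ says the first user to log on normally owns the
        address, so an unexpired existing record is kept (modelling assumption).
        """
        existing = self.entries.get(ip)
        if existing is not None and now - existing.logged_on_at < self.valid_duration:
            return
        self.entries[ip] = Entry(user, {ad_group} | DEFAULT_GROUPS, now)

    def lookup(self, ip: str, now: int) -> Optional[Tuple[str, Set[str]]]:
        """Steps 4-5: answer the firewall's query for an IP with user and groups,
        or with nothing once Valid Duration has elapsed."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if now - entry.logged_on_at >= self.valid_duration:
            del self.entries[ip]  # expired: the user must reauthenticate with the domain
            return None
        return entry.user, set(entry.groups)

    def clear(self) -> None:
        """The database is emptied on restart or Clear; users must log on again."""
        self.entries.clear()


@dataclass
class Policy:
    rule: str
    required_group: str  # must match the Active Directory group name exactly


def firewall_decision(db: SsoAuthDatabase, policy: Policy, src_ip: str, now: int) -> Tuple[bool, str]:
    """Step 6: allow only when a group returned for src_ip matches the policy."""
    result = db.lookup(src_ip, now)
    if result is None:
        return False, "authentication required"
    user, groups = result
    if policy.required_group in groups:
        return True, f"pass user={user} rule={policy.rule}"
    return False, f"user={user} is not in group {policy.required_group}"


if __name__ == "__main__":
    db = SsoAuthDatabase(valid_duration=30 * 60)
    db.record_logon("172.16.50.8", "Aaron Support", "Administrators", now=0)
    print(firewall_decision(db, Policy("1", "Single Sign-On Users"), "172.16.50.8", now=60))
    print(firewall_decision(db, Policy("1", "Single Sign-On Users"), "172.16.50.9", now=60))
```

The model makes the trust boundary visible: the firewall never sees a credential, only an IP-to-user mapping with a lifetime, which is why a shared host yields a single identity and why a stale entry persists until Valid Duration expires.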

SSOAuth Configuration

Figure 2: GTA SSOAuth Configuration

Table A: GTA SSOAuth Configuration

Mode: The GTA SSOAuth service operates in one of two modes, Server or Client. Client mode can only be used if more than one Active Directory server is running GTA SSOAuth. Server mode allows firewalls to connect directly to the Active Directory server to query its database of authenticated domain users. When a direct connection between the Active Directory server and the firewall is not available, Client mode is used: the client connects to a GTA SSOAuth service running in Server mode to propagate domain authentication information.

Valid Duration: The amount of time an authenticated domain user remains in the GTA SSOAuth database before the user is required to reauthenticate with the domain.

Port: The SSL port the GTA SSOAuth service uses for firewall and GTA SSOAuth client connections.

Server (Client mode only): The address of a GTA SSOAuth service running in Server mode.

Service: Starts or stops the GTA SSOAuth service.

Certificate: Exports the Active Directory server certificate. If this option is not highlighted, the Active Directory server certificate may not be valid.

Database: Show Contents in the Event Log exports the current database to the Windows Event log. Clear empties the entire authenticated user database; clearing the database may force users to log into their systems again.

Firewall Configuration
1. Import the SSOAuth server certificate into the firewall (Configure>VPN>Certificates). Click NEW and name the certificate.
2. Select Import and browse to where you downloaded or stored the GTA SSOAuth server certificate. Select DER as the format. Click OK, then Save.

Figure 3.0: Importing the SSOAuth Server Certificate

Your certificate list should look similar to the one below. If TYPE does not display as "certificate", there was a problem with the import:
a. Confirm that the file type imported and the file type selected match.
b. Confirm that the imported certificate is a valid certificate.

Figure 3.1: Certificate Display

3. Configure the Authentication and Single Sign-On service at Accounts>Authentication.

Table B: Configuring Authentication

Enable: Starts the authentication service on the firewall.

Automatic Policies: Creates the policies needed for the service to run automatically. The policies are based on the service port.

Service Port: Port on which the authentication service runs and accepts GBAuth connections. NOTE: SSOAuth does NOT require GBAuth.

Valid: Sets the interval at which the firewall re-checks authentication.

Figure 3.2: Configuring Authentication

Table C: Configuring SSOAuth

Enable: Starts the Active Directory Single Sign-On service.

Server: The server IP address or name. If names are used, DNS must be configured on the firewall. The firewall can connect to up to 3 Single Sign-On servers.

Certificate: The certificate of the Single Sign-On server that was imported into the firewall.

Binding Interface: Used in special cases, such as a VPN, when the connection from the firewall must be sourced from a specific firewall interface.

Figure 3.3: Configuring SSOAuth

Once the firewall has connected to the Single Sign-On server, it logs the following in Monitor>Log Messages>Management:

Aug 4 11:06:52 pri=5 msg="SSOauth: Connecting to server 10.10.1.243:8443" type=mgmt
Aug 4 11:06:52 pri=5 msg="SSOauth: Connected to server (10.10.1.243) successfully" type=mgmt
Aug 4 11:06:53 pri=5 msg="SSOauth: Server (10.10.1.243) ready" type=mgmt

Figure 3.4: Single Sign-On Log Message

If these log messages do not appear, there may be a connection problem:
a. Check that the firewall can ping and traceroute to the IP address of the server.
b. If this fails, check for any host-based firewalls that may be blocking the connection, and confirm that the service is running. If the connection is via a VPN, set the binding interface to the local protected network interface.

Configuring Groups
You will need to configure groups and security policies if you wish to use groups beyond the default firewall groups. By default, all Single Sign-On users are members of the following groups:
- Single Sign-On Users
- ALL_Users

You can use the user groups defined on your domain server on the firewall. To do this, configure the same groups on your GTA firewall under Accounts>Groups.

Figure 4.0: Configuring Groups

1. Click NEW and enter the name of the group as it appears on the Active Directory server.
2. Enter a description, click OK, and save.

Note: The group name on the firewall must match the group name in Active Directory exactly. For more information on configuring groups, consult the GTA Users Guide.

Note: The VPN section is not applicable to Single Sign-On users.

Group Policies
Once the groups are configured, create specific policies for each group in the security policy section.
1. Create a new policy by clicking NEW, or EDIT an existing policy. In the example below, all users wishing to use HTTP must authenticate and be members of the Single Sign-On Users group, one of the default Single Sign-On groups.

Figure 4.1: Configuring Policies

2. Once a user is authenticated, they appear in the Monitor>Authenticated section with their user name and group. In the example below, the user Aaron Support is in the group Administrators.

Figure 4.2: User/Group Example

Testing the Single Sign-On Authentication
1. Once the service is installed and configured, create an outbound policy that references the user's group, then log into the Windows domain.
2. Attempt to browse the Internet. In addition to the firewall logs, the Monitor section will show the User ID. The following is an example log message for user Aaron Support going to Google:

Aug 8 18:35:56 pri=5 msg="Accept outbound, NAT" cat_action=pass dstname=www.google.com proto=80/tcp src=172.16.50.8 srcport=1108 user="Aaron Support" nat=199.120.225.62 natport=1108 dst=209.85.165.104 dstport=80 rule=1 sent=470 rcvd=176 pkts_sent=1 pkts_rcvd=1 op=get arg=/gen_204

Figure 5: Monitor Log Message

GTA Reporting Suite and GB Commander can be used to run detailed reports based on user names.
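The log line above is the raw material for user-based reporting, and it is also what a defender would inspect when a policy that requires authentication passes traffic without a user name. The following is an added example and not GTA's code: a parser for this key=value log format (values may be double-quoted, as `user="Aaron Support"` is) and two summaries over it. The first sample line is the one from the page with its underscores and quotes restored; the remaining lines, the function names and the choice of rule 1 as the authenticating rule are constructed for the demo.

```python
# Added example, not GTA's code: parse GB-OS style key=value log lines and
# summarise them per user.  Sample lines after the first are constructed.
import re
from collections import defaultdict
from typing import Dict, List, Set

# "Mon dd HH:MM:SS" prefix followed by space-separated key=value pairs; values
# may be double-quoted and then may contain spaces (user="Aaron Support").
_LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(.*)$")
_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

SAMPLE_LOG = [
    # the line shown on the page
    'Aug 8 18:35:56 pri=5 msg="Accept outbound, NAT" cat_action=pass dstname=www.google.com '
    'proto=80/tcp src=172.16.50.8 srcport=1108 user="Aaron Support" nat=199.120.225.62 '
    'natport=1108 dst=209.85.165.104 dstport=80 rule=1 sent=470 rcvd=176 pkts_sent=1 '
    'pkts_rcvd=1 op=get arg=/gen_204',
    # constructed: same user, a second destination
    'Aug 8 18:36:02 pri=5 msg="Accept outbound, NAT" cat_action=pass dstname=www.gta.com '
    'proto=80/tcp src=172.16.50.8 srcport=1109 user="Aaron Support" dst=198.51.100.7 dstport=80 rule=1',
    # constructed: a host not in the SSOAuth database is denied by the same rule
    'Aug 8 18:36:10 pri=5 msg="Authentication required" cat_action=block dstname=www.gta.com '
    'proto=80/tcp src=172.16.50.9 srcport=2201 dst=198.51.100.7 dstport=80 rule=1',
    # constructed: a pass on the authenticating rule with no user attribution
    'Aug 8 18:36:15 pri=5 msg="Accept outbound, NAT" cat_action=pass dstname=www.example.com '
    'proto=80/tcp src=172.16.50.10 srcport=3301 dst=93.184.216.34 dstport=80 rule=1',
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the timestamp plus every key=value pair, with quotes removed."""
    m = _LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a GB-OS style log line: {line!r}")
    fields = {"timestamp": m.group(1)}
    for key, raw, quoted in _PAIR.findall(m.group(2)):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def traffic_by_user(lines: List[str]) -> Dict[str, List[str]]:
    """User name -> sorted destinations of passed connections (a reporting view)."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if f.get("cat_action") != "pass":
            continue
        seen[f.get("user", "<no user>")].add(f.get("dstname") or f.get("dst", "?"))
    return {user: sorted(dsts) for user, dsts in seen.items()}


def unattributed_passes(lines: List[str], auth_rules: Set[str]) -> List[str]:
    """Source IPs passed by a rule that requires authentication but logged
    without a user= field.  An SSO policy should always carry the user name,
    so a missing one points at a rule that does not really require
    authentication or at a logging problem, and deserves a look."""
    hits = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("cat_action") == "pass" and f.get("rule") in auth_rules and "user" not in f:
            hits.append(f["src"])
    return hits


if __name__ == "__main__":
    for user, dsts in traffic_by_user(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(dsts)}")
    print("passes without a user on rule 1:", unattributed_passes(SAMPLE_LOG, {"1"}))
```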

Frequently Asked Questions

Q: Is GBAuth required to use the SSOAuth service?
No, GBAuth is no longer required for internal users. External users who access tunnels or match remote access policies, and who are not logged into the domain, may still need to use GBAuth.

Q: My user is logged into the domain. However, the firewall shows them as not authenticated.
Check that the user is not logged in locally to their PC. Checking the server security event log may help confirm whether the user is logged into the domain; however, security event logs can be rather large. Also check that the user's host has the correct DNS entries for its domain.

Q: Export Certificate is not available in the GTA SSOAuth configuration application.
This usually means the certificate for the Active Directory server is not valid. Check that you have a valid server certificate. You may need to install Certificate Services and create a new certificate, then restart the GTA SSOAuth service.

Q: How does the server know when a user has logged off?
Logoffs are not well tracked on Windows domains. However, GTA firewalls re-check authentication based on the Valid time configured in the firewall Web interface under Accounts>Authentication>Advanced.

Figure 6.0: Valid Time Configuration

The VALID time is the interval in minutes at which the firewall re-checks authentication. A smaller number means the firewall checks more frequently for users who have logged off or for changes to the IP address authentication. A larger number means the firewall checks less often for authentication changes.

Q: My users show up in the Monitor section of the firewall. However, they are still unable to access the Internet.
Confirm the user's group and the policy. If the group they are in does not match the group referenced by the policy, the connection is denied.

Q: How do Terminal Server or Citrix users work with GTA SSOAuth?
Terminal Server and Citrix connections are cases where multiple users share the same host. When users log into a Citrix or Terminal server, the SSOAuth server sees only one IP address. Normally this is the first user signed into the domain, and that user owns the IP address. The SSOAuth server cannot determine different groups for multiple users on the same host.

Q: How can I tell whether the firewall has the correct certificate, or which certificate is being used?
The application event log on your Active Directory server shows the certificate being used by the SSOAuth service. Example:

Event Type: Information
Event Source: GTA SSOAuth
Event Category: None
Event ID: 0
Date: 7/28/2008
Time: 1:17:10 PM
User: N/A
Computer: QA-WS2003-2
Description: Selected Certificate:
  [Subject]: CN=qa-ws2003-2.sso.gta.com
  [Issuer]: CN=qa-ws2003-2, DC=sso, DC=gta, DC=com
  [Effective]: 6/16/2008 4:35:07 PM
  [Expires]: 6/16/2009 4:35:07 PM
  [Key Usage]: Digital Signature, Key Encipherment (a0)

Figure 6.1: Event Log

1. Compare the certificate subject from the event log with the subject of the certificate imported into your firewall and referenced by the service.

Figure 6.2: Certificate Details

2. If the certificates do not match, export the certificate using the SSOAuth configuration application and re-import it into the firewall. Verification may give the following error after importing the server certificate:

WARNING: Certificate 1, status unable to get local issuer certificate.

Figure 6.3: Verification Warning Message

3. To correct the verification error, import the authority certificate that was used to issue the Active Directory certificate.
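The three checks in that answer (subject matches the firewall's imported certificate, certificate is within its validity period, and the issuing authority's certificate is also needed when the server certificate is not self-signed) can be scripted against the event description. The following is an added example and not GTA's code: it parses the "Selected Certificate" text exactly as shown in Figure 6.1 and reports findings. The function names, the date format assumed for "now", and the example firewall subject are assumptions.

```python
# Added example, not GTA's code: parse the SSOAuth "Selected Certificate"
# event description and run the FAQ's three checks against it.
import re
from datetime import datetime
from typing import Dict, List

# Event description as it appears on the page (Figure 6.1).
EVENT_DESCRIPTION = """Selected Certificate:
[Subject]: CN=qa-ws2003-2.sso.gta.com
[Issuer]: CN=qa-ws2003-2, DC=sso, DC=gta, DC=com
[Effective]: 6/16/2008 4:35:07 PM
[Expires]: 6/16/2009 4:35:07 PM
[Key Usage]: Digital Signature, Key Encipherment (a0)"""

_FIELD = re.compile(r"^\[([A-Za-z ]+)\]:\s*(.*)$", re.MULTILINE)
_EVENT_TIME = "%m/%d/%Y %I:%M:%S %p"  # e.g. 6/16/2009 4:35:07 PM


def parse_selected_certificate(description: str) -> Dict[str, str]:
    """Return the bracketed fields of the event description as a dict."""
    return {name: value.strip() for name, value in _FIELD.findall(description)}


def normalise_dn(dn: str) -> str:
    """Canonical form for a textual distinguished-name comparison: trim each
    RDN and ignore case, so spacing differences between tools do not matter."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_certificate(description: str, firewall_subject: str, now: str) -> List[str]:
    """Findings for the FAQ's checks; an empty list means nothing to fix.

    firewall_subject is the subject of the certificate imported on the firewall;
    now is given in the same format the event log uses (assumption)."""
    cert = parse_selected_certificate(description)
    findings: List[str] = []

    # Step 1-2: the subject the service selected must be the one the firewall holds.
    if normalise_dn(cert["Subject"]) != normalise_dn(firewall_subject):
        findings.append("subject mismatch: export the certificate from the SSOAuth "
                        "configuration application and re-import it on the firewall")

    # A certificate outside its validity period will not verify either.
    effective = datetime.strptime(cert["Effective"], _EVENT_TIME)
    expires = datetime.strptime(cert["Expires"], _EVENT_TIME)
    at = datetime.strptime(now, _EVENT_TIME)
    if not effective <= at < expires:
        findings.append(f"outside validity period {cert['Effective']} to {cert['Expires']}")

    # Step 3: when issuer and subject differ, the certificate was issued by a
    # separate authority and the firewall needs that authority's certificate too,
    # otherwise verification reports "unable to get local issuer certificate".
    if normalise_dn(cert["Issuer"]) != normalise_dn(cert["Subject"]):
        findings.append("issued by a separate authority: also import the issuing "
                        "CA certificate into the firewall")
    return findings


if __name__ == "__main__":
    for finding in check_certificate(EVENT_DESCRIPTION, "CN=qa-ws2003-2.sso.gta.com",
                                     "7/28/2008 1:17:10 PM"):
        print("-", finding)
```

For the certificate in Figure 6.1 the only finding at the time of the event is the separate issuer, which is exactly the case step 3 addresses.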

Q: How can I see the contents of the SSOAuth database?
Using the SSOAuth Configuration Tool you can send the current database to the host's event log. The output contains all users who have logged in since the service started.

Figure 6.4: Events in Event Log

Q: I just started my SSOAuth service and no users are in the database?
The SSOAuth database is cleared on each restart, and users must log in again to be added to the database.

Legal Notices

Copyright 1996-2009, Global Technology Associates, Incorporated (GTA). All rights reserved. Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support
GTA includes 30 days of up-and-running installation support from the date of purchase. See GTA's Web site for more information. GTA's direct customers in the USA should call or email GTA using the telephone number and email address below. International customers should contact a local Authorized GTA Channel Partner.
Tel: +1.407.380.0220 Email: support@gta.com

Disclaimer
Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products. Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.

Trademarks & Copyrights
GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. GB Commander is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology Associates, Incorporated. Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds. BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley. WELF and WebTrends are trademarks of NetIQ. Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Java software may include software licensed from RSA Security, Inc. Some products contain software licensed from IBM, available at http://oss.software.ibm.com/icu4j/. Some products include software developed by the OpenSSL Project (http://www.openssl.org/). Mailshell and Mailshell Anti-Spam are trademarks of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated. All other products are trademarks of their respective companies.

Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109
Orlando, FL 32817 USA
Tel: +1.407.380.0220 Fax: +1.407.380.6080
Web: http://www.gta.com Email: info@gta.com