Authentication Node Configuration
WatchGuard XTM

Author: Signify
Issue: Version 1.0
Date: xx Month 2013
Contents

Introduction ... 4
Configuration Prerequisites ... 4
  Knowledge and Access Rights ... 4
  Infrastructure ... 4
  Software/Hardware ... 5
Integrating Signify's Service with your Authentication Node ... 6
Authentication Node - Network Diagram and Configuration Information ... 7
Configuration Checklist ... 8
Stage 1: Requesting and configuring your authentication node ... 9
  Requesting the Authentication Node ... 9
  Selecting the Organisation ... 10
  Enter Auth Node Details ... 11
  Viewing Your Auth Node Request ... 12
  Processing the Request (Signify) ... 13
  Noting Down the IP Addresses and Port Number ... 13
  Your Shared Secret ... 14
Stage 2: User Account Activation ... 15
Stage 3: Firewall Configuration ... 16
Stage 4: RADIUS Setup ... 17
  Introduction ... 17
  Login to the XTM UI ... 17
  Configuring RADIUS ... 18
Stage 5: Configure Mobile VPN with SSL ... 20
  Introduction ... 20
  Step 1. Configure the XTM ... 20
  Step 2. Add RADIUS profile to your Organisation ... 23
  Step 3. Download SSL Client and test the login ... 26
Stage 6: Configure Mobile VPN with IPSec ... 28
  Introduction ... 28
  Step 1. Configure your XTM appliance ... 28
  Step 2. Create the Client Configuration file ... 31
  Step 3. Install the IPSec client ... 32
  Step 4. Start and test the connection ... 35
Stage 7: Troubleshooting ... 37
  Starting Up the Live Log Viewer ... 37
  Troubleshooting tips ... 37

Signify Solutions Limited 2013 Confidential Page: 2 of 39
Introduction

The WatchGuard XTM is a security appliance with many features, including firewall and VPN. The VPN features of the XTM are all client-based: the user has to have an application installed on their device to be able to connect to the corporate network. The WatchGuard supports many VPN protocols, such as IPSec, PPTP, SSL and L2TP.

This guide will instruct you how to configure SSL and IPSec VPNs with Signify's Two Factor Authentication (2FA) service using the RADIUS protocol. The configuration steps described in this guide should take around 30 minutes to complete for each VPN.

Configuration Prerequisites

This document is a technical guide and has been written for administrators of Signify's Service who are assigned the Tech Admin role.

Knowledge and Access Rights

This document assumes that you have the following:
- Tech Admin role on Signify's Identity Management Centre (IMC).
- Full administration access rights to the WatchGuard XTM and a technical understanding of how to configure it.
- Configuration level access to your organisation's firewall(s) settings, or a 3rd party who can configure the firewall(s) on your behalf.
- An understanding of where and when to use the RADIUS protocol.

Infrastructure

Before you begin the RADIUS configuration process to implement Two Factor Authentication, you must have your WatchGuard XTM set up in your infrastructure with the trusted interface and at least one external interface configured.
Software/Hardware

Supported software/hardware platforms for this guide include:
- WatchGuard XTM Series
- WatchGuard XTMv Series

This guide was produced using the following platform:
- WatchGuard XTMv 11.7
Integrating Signify's Service with your Authentication Node

The Signify authentication service is a centralised, on-demand managed service. Signify's authentication servers are located across multiple data centres in order to provide a highly-available service. The diagram below shows the sequence of events that take place during a typical authentication process.

As your authentication node communicates with Signify's authentication servers across the Internet, there are two important requirements to be aware of:

- Authentication traffic must come from a unique, static, public IP address. Signify require that authentication requests come from a public, Internet-routable IP address that is unique to your authentication node. If your authentication node is located on your private network (e.g. 10.x.x.x) then you will need to configure network address translation (NAT) to present your authentication node with an Internet address.

- Your firewall must allow authentication traffic between Signify and your authentication node. You will need to ask your firewall administrator to allow a specific authentication protocol (i.e. RADIUS) between your authentication node and the Signify authentication servers.
Authentication Node - Network Diagram and Configuration Information

This diagram illustrates how the WatchGuard XTM integrates with Signify's service.

In order to complete the configuration you will need to obtain, write down, and refer back to several pieces of information at various times throughout the configuration process. To help you with this process, we have provided the table below. Some of the values have already been filled in for you. At this stage there is no need to write anything down in this table; we will instruct you when this is required.

Configuration Information                         Value
Authentication Node name                          ......
Public IP address of the WatchGuard XTM           ......
Authentication Protocol                           Radius
Primary IP address of the Signify server          ......
Secondary IP address of the Signify server        ......
Port Number                                       1645/udp
Configuration Checklist

There are 7 key stages in the configuration of the WatchGuard XTM appliance to work with Signify's service, all of which are described within this self-contained configuration guide. To assist you during the configuration process, we have provided the table below, which summarises each of the stages and allows you to check off each stage as you work through the process. Enough space is provided so that you can optionally make any brief additional reminder/hint notes about each stage, which may be useful to you (or a 3rd party) at a later time.

Stage                                              Notes
1. Request and configure your authentication node
2. User Account Activation
3. Configure Firewall
4. Radius Setup
5. Configure Mobile VPN with SSL
6. Configure Mobile VPN with IPSec
7. Troubleshooting
Stage 1: Requesting and configuring your authentication node

In order to complete this stage you will need the Tech Admin role on Signify's Identity Management Centre (IMC). Before you can configure or test your authentication node, follow the instructions below, which show you how to request a new authentication node and also obtain your RADIUS shared secret.

- To access your IMC, login to www.signify.net and click on My IMC
- Once you are logged in, you will see your My IMC screen, as shown below

The contents of your own My IMC screen will be different from the example above and will display information about your own organisation. Some of the links and other options may also differ, depending on your access rights within the IMC.

Requesting the Authentication Node

You will find the link to request your authentication node under the Administration section in the navigation links on the left-hand side of the IMC.

- Click on the link Request Auth Node.
Selecting the Organisation

In the Request New Auth Node screen (see example below) you will see a single drop-down box from which you select the name of the organisation that this authentication node is being requested for. In most cases, there will be only one organisation listed, unless you administer for multiple organisations through the IMC. For the purposes of our example, we will use a fictitious organisation called Jacks IT Corporation.

- Select the correct organisation from the drop-down list.
- Click on the Enter Auth Node Details >> button.
Enter Auth Node Details

This will take you to the page shown below, into which you enter the details for your new authentication node. Follow the instructions and recommendations below to complete the Request New Auth Node screen. When you're done, click the Submit New Request button.

o Auth Node Name: The name by which your users will know this authentication node. You do not need to include the organisation name as this will be automatically prefixed when viewing the authentication node.

o Authentication Protocol: Choose the RADIUS (full) option.

o IP Address: This is the unique, public IP address of your WatchGuard XTM. Signify require that authentication requests come from a public, Internet-routable IP address that is unique to your authentication node. If your authentication node is located on your private network (e.g. 10.x.x.x) then you will need to configure network address translation (NAT) to present your authentication node with an Internet address.

o Shared Secret: Select Generate unique shared secret.

o Technical Notes (Optional): You can put into this free-form text box any technical references or additional information that you want to record for yourself, or for any other 3rd party who might need to administer your organisation's authentication nodes.

o Login Instructions: You can put into this free-form box some help information for your users. The text that you put here will be displayed on My IMC, and also on any temporary user access emails that you send out.

o Copy User Activations From: This allows you to copy user activations over from another authentication node. If you have many users set up on another authentication node that will switch over to using your WatchGuard XTM, NOW is the time to copy them over. Otherwise, once this authentication node is set up and live, the only way to transfer users from another authentication node will be via consolidation groups. If you are only doing a proof of concept to test Two-factor Authentication, then it is not advisable to copy users over from another authentication node. Leave this value set at no activations.

Viewing Your Auth Node Request

When you click on the Submit New Request button it takes you to the My Authentication Nodes screen (see next page), which shows a list of your authentication nodes, along with the information you need to configure them. The screen would typically show only one authentication node when you first start to configure authentication through Signify's service.
In our example screen below we can see the request for Jacks IT Corporation WatchGuard XTMv (New Request). At the moment there are no IP addresses displayed in the Auth Servers column for our new authentication node; the addresses will appear here once Signify has processed your request, as described below.

Processing the Request (Signify)

Signify will typically respond to your request for a new authentication node within 4 hours (during UK business hours). Once the processing of the request is completed, Signify will send you a confirmation email to let you know that your authentication node is ready for testing.

Noting Down the IP Addresses and Port Number

Once you have received the email from Signify confirming the authentication node is now ready, you can go back into the My Authentication Nodes screen (open your My IMC screen and select My Auth Nodes), which will now be displaying the IP addresses of the primary and secondary Signify servers, and also the port number. You will need the IP addresses and port number later on in the configuration process, so:

- Using the Configuration Information table provided on page 7, make a note of the IP addresses and Port Number so that you have the information to hand when you configure your firewall (Stage 3) and your WatchGuard XTM (Stages 5 and 6).
Your Shared Secret

Once you have noted down the IP address and port number configuration information:

- Click on the blue RADIUS shared secret link on the previous screen.

As shown below, this will display your unique RADIUS shared secret (which will be different from the one shown in the image).

Signify strongly recommends that you do not write down your RADIUS shared secret at any time, and that only trusted employees within your organisation should have access to it. The shared secret should never be shared outside of your organisation. If necessary, the shared secret can be obtained by an authorised user at any time through My IMC, so there is never any need to write it down.

You will need to provide the shared secret when you configure Radius in Stage 4, so to simplify that configuration process (and to maintain security of the shared secret) we recommend that you now do the following:

- Highlight the shared secret value in the above screen
- Press CTRL+C to copy it
- Open up the NOTEPAD application on the local PC where you are doing the configuration
- Press CTRL+V to paste in the shared secret value
- Leave the NOTEPAD application open, minimise it, but do NOT save the file

The RADIUS configuration instructions in Stage 4 will tell you when to retrieve this value, and you will also be reminded at that point to close down your NOTEPAD application to ensure continued security of your shared secret.
Stage 2: User Account Activation

To complete the configuration, you need a User Account activation on your authentication node. If you do not have a User Account already activated, or if you want to activate a separate User Account for the purpose of testing out the configuration, follow the instructions below:

- Open My IMC
- Select My Auth Nodes
- Against the new Authentication node, select Edit to open the View/Edit Authentication Node screen.
- Against 'User Activations:', select Add to open the Create Activation screen, like the one shown here.

Fill in the options on the above screen as follows:

o User: From the drop-down box, select the user account you wish to activate.
o Authentication Node: Select the new authentication node you created in Stage 1.
o User Name: This is automatically filled in once you've selected a value from the User drop-down box.
o Activation type: Select 'Permanent'.

When you're done, click on the Create Activation button to complete the User Account activation against your new authentication node.
Stage 3: Firewall Configuration

If you've not already done so, now is the time to configure your organisation's firewall. This will require several potential changes that either you or your firewall administrator will need to make to the configuration.

- Configure your firewall to permit the correct ports for the Signify Service. This is the Port Number value in the configuration table on page 7.
- Configure your firewall to allow RADIUS protocol traffic to the Signify authentication servers. The parameter differs by firewall, but your firewall administrator will know how to do this.
- If you are using private IP addresses for your internal network, you must use network address translation (NAT) to translate your private (inside) IP addresses into globally unique (outside) IP addresses. Your firewall administrator will know how to do this.
- Your firewall will also need to allow replies to the outbound traffic, although this is typically the default configuration and will not require any special configuration.
Stage 4: RADIUS Setup

Introduction

Before setting up either the SSL client (Stage 5) or IPSec client (Stage 6), the Signify RADIUS information from your AuthNode needs to be entered into the WatchGuard XTM so that it knows where to send authentication traffic when your users authenticate with the VPN clients.

Login to the XTM UI

All of the configuration of the WatchGuard XTM described in this guide is carried out on the XTM's Web UI, which is a graphical user interface for administering the XTM through a web browser.

- Login to the XTM as Admin

Shown below is an example of the XTM's UI when logged in as Admin.
Configuring RADIUS

Down the left side of the Admin console:
- Click Authentication
- Select Servers

In the Authentication Servers pane:
- Select the RADIUS tab
- Select the Primary Server Settings tab
- Click the Enable RADIUS Server option
In the above screen, enter all the relevant Primary Server Settings for your AuthNode:

IP Address:       Enter the primary IP address of the Signify authentication server *
Port:             Port number *
Passphrase:       Your unique secret key. Copy and paste this value from the Notepad file that you opened at the end of Stage 1
Confirm:          (Re-paste the secret key)
Timeout:          6 seconds
Retries:          1
Group Attribute:  11
Dead time:        600 minutes

* See the configuration information table on page 7.

Important Note. Once you have pasted in your shared secret, and before continuing to the next stage, close down the Notepad application where you temporarily stored the shared secret.

- Click Save
- Then click the Secondary Server Settings tab (see below)
- Click the Enable Secondary RADIUS Server checkbox
- Enter the required information for the Secondary Server. This information will be the same as for the primary server above, except for the IP address (see table on page 7)
- Click Save when done
Stage 5: Configure Mobile VPN with SSL

If you want to configure the XTM's IPSec VPN, skip forward to Stage 6.

Introduction

Now that the RADIUS authentication servers have been set up, the following section will show the configuration steps for setting up Signify's 2FA service with the XTM's Mobile VPN with SSL.

Step 1. Configure the XTM

- Login to the XTM UI as Admin
- Click VPN
- Select Mobile VPN with SSL

In the Mobile VPN with SSL pane:
- Click the Activate Mobile VPN with SSL checkbox
- Click the General tab.
- In the Firebox IP Addresses or Domain Names section, enter the Primary (and, if applicable, the Secondary) IP address or domain name that your users will connect to for your VPN.
- In the Networking and IP address pool section, you can set how you want your users' VPN traffic to be routed. In the example below, we have selected Bridge VPN traffic and given a small range of private IPs to assign to VPN users once they are authenticated.
- Click Save
- Click the Authentication tab
- Click the checkbox next to the RADIUS (Default) authentication server.
- You can also specify which users are allowed to access the VPN. In the example below we have allowed all users to authenticate, so have left the default SSLVPN-Users rule in place.
- Click Save
Step 2. Add RADIUS profile to your Organisation

In order for the XTM to allow VPN users to authenticate with it, you must configure a RADIUS attribute in the IMC for your organisation and AuthNode. This RADIUS attribute will be sent to the XTM when a user successfully authenticates with Signify. When this attribute is received by the XTM, it checks its value and, if correct, it will allow the user to establish a VPN connection with the XTM.

- Log into the IMC
- Select Advanced Administration
- Click Organisations
- Enter your organisation's name in the Search For text box
- Click Search
- Locate and click the name of your Organisation on the right panel
Towards the bottom of the left pane in the above screen, there will be an option for Organisational Preferences, as shown below.

- Click View
- You will now see an option for Default RADIUS Profile
- Click Add
- As shown below, enter a name for your RADIUS Profile (e.g. "WatchGuard XTM")
- In the Filter-Id box, enter SSLVPN-Users
- Click Save
- Click Auth Nodes
- Enter your XTM's Auth Node name in the Search For text box
- Click Search
- Locate and click on the name of your Auth Node displayed in the right-hand pane.
- You will see a drop-down box next to Assign RADIUS Profile (see below)
- Select the RADIUS profile you created above (e.g. "WatchGuard XTM")
- Click Change

You have now completed the configuration of Signify's 2FA service with the XTM's Mobile VPN with SSL.
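To show what the RADIUS setup in Stage 4 and the Filter-Id profile in Step 2 actually do on the wire, here is an added example (not Signify's or WatchGuard's code) of the Access-Request/Access-Accept exchange between the XTM and a RADIUS server: the shared secret hides the user's passcode and authenticates the reply, and the Filter-Id attribute (RADIUS attribute type 11, which is what the XTM's "Group Attribute: 11" setting selects) carries the group name SSLVPN-Users. The secret, user name and passcode are constructed values.

```python
"""RADIUS exchange between a VPN gateway (client) and a RADIUS server.

Constructed example, not Signify's or WatchGuard's code. The shared secret
from Stage 4 hides the passcode in the Access-Request and authenticates the
Access-Accept; Filter-Id (RADIUS type 11, the XTM's "Group Attribute: 11")
carries the group name set in Step 2. Secret, user and passcode are made up.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FILTER_ID = 1, 2, 11


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to a multiple of 16, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator. A wrong secret yields garbage, not an error."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of encode_password (strips the zero padding)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, passcode, secret, req_auth=None):
    """What the gateway sends to the RADIUS port: Code 1, Identifier, Length,
    a random Request Authenticator, then User-Name and hidden User-Password."""
    req_auth = req_auth if req_auth is not None else os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encode_password(passcode, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def build_access_accept(request, secret, filter_id):
    """Server reply carrying Filter-Id. Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    attrs = _attr(ATTR_FILTER_ID, filter_id)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list after the 20-byte header; reject malformed lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def verify_accept(request, response, secret, expected_group) -> bool:
    """Gateway side: accept the reply only if it is an Access-Accept for our
    Identifier, its Response Authenticator verifies under our shared secret,
    and Filter-Id matches the configured group name (SSLVPN-Users here)."""
    if len(response) < 20 or response[0] != ACCESS_ACCEPT or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False  # secret mismatch between gateway and server, or forged reply
    return expected_group in parse_attributes(response).get(ATTR_FILTER_ID, [])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # stands in for the IMC-generated secret
    req = build_access_request(1, b"jack", b"12345678", secret)
    ok = verify_accept(req, build_access_accept(req, secret, b"SSLVPN-Users"), secret, b"SSLVPN-Users")
    bad = verify_accept(req, build_access_accept(req, b"mistyped", b"SSLVPN-Users"), secret, b"SSLVPN-Users")
    print("matching secret:", ok, "| mismatched secret:", bad)
```

The mismatched-secret case is the failure behind the "Syntax Error" entry in Stage 7: the reply arrives but cannot be authenticated, so the gateway rejects it.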
Step 3. Download SSL Client and test the login

Having configured your XTM's Mobile VPN with SSL and set up your RADIUS profile, the final step is to test that everything is configured correctly by downloading the SSL VPN client from the XTM, installing it onto a client machine, and then carrying out a test login.

- Browse to the XTM's external interface IP (this is the IP address that your users would enter in their SSL VPN client). An example format would be something like this:
  https://<enter_external_ip_here>:4100/sslvpn.html
- If successful, you should be presented with a WatchGuard login screen like the one shown below.
- Enter your Signify 2FA credentials and click Login
- This will display the Items Available to Download screen, as shown below.
- Download the Windows or Mac client as appropriate and install it on the client machine from where you intend to test the login process.
Once the SSL VPN client has been installed on the client machine:

- Launch the VPN client, and the login screen will appear
- Enter the public IP of your XTM in the Server box
- Then enter your Signify 2FA credentials in the User name and Password boxes
- Click Connect

Once the client has successfully authenticated, in the task bar on the client machine you should see a green W icon indicating that you have successfully connected to the WatchGuard XTM.

If the WatchGuard Mobile VPN with SSL login screen does not appear, or if it does not display the Signify 2FA challenge for Username and Passcode, refer to: Stage 7 - Troubleshooting
Stage 6: Configure Mobile VPN with IPSec

If you want to configure the XTM's SSL VPN, refer back to Stage 5.

Introduction

This section describes the steps required for configuring and testing Signify's 2FA service with the XTM's Mobile VPN with IPSec.

Step 1. Configure your XTM appliance

- Login to the XTM UI as Admin
- Click VPN
- Select Mobile VPN with IPSec

In the Mobile VPN with IPSec pane:
- Click the Add button.
Select the General tab in the settings pane (shown below), then enter the following details:

Group name:             Enter a name for your new group (e.g. "IPSec Test")
Authentication Server:  Select RADIUS from the drop-down
Passphrase:             Enter a passphrase that will be shared between the IPSec client and the WatchGuard XTM. This passphrase can be whatever you choose it to be
Confirm:                Re-enter the passphrase above
Primary:                The WatchGuard XTM's primary IP address, to which the users' IPSec clients will connect
Secondary:              An alternative IP address for the WatchGuard XTM, to which users' IPSec clients can also connect
Session Timeout:        480 minutes
Idle Timeout:           30 minutes

- Click Save when done
Now select the Resources tab (see below). On this tab you can set which resources your users are allowed to access. In the example below we have ticked Allow All traffic through tunnel, but you may wish to limit it to certain IP addresses or subnets.

The next step is to add addresses into the Virtual IP Address Pool, which will give connected users a private IP for your network:

- Select the appropriate option (e.g. Host IP) from the Choose Type drop-down
- Enter the IP address (or range of addresses) in the Host IP text box
- Click Add to add the address or range of addresses into the display above
- Click Save
When you click Save above, you will be automatically returned to the Mobile VPN with IPSec screen below, and you will now see your IPSec configuration appear in the Groups display.

Step 2. Create the Client Configuration file

We are now going to create a configuration file that will be used by your users' IPSec client to connect to the WatchGuard XTM.

- As shown below, click to highlight the IPSec group (e.g. IPSec Test) that you created above
- Select WatchGuard Mobile VPN from the Client drop-down list
- Click Generate
Once you have clicked the Generate button, you will be prompted to save the configuration file.

- Click Save to save the configuration file to a location on your own machine.

You are now ready to install the IPSec client onto a user machine for testing.

Step 3. Install the IPSec client

On the user's machine where you wish to install the IPSec client:

- Browse to the following URL to download and install the NCP Secure Entry client:
  http://www.ncp-e.com/en/downloads/download-vpn-client.html

Once the NCP Secure Entry Client has been installed onto your user's machine:

- Run the client program
- Select Configuration
- Select Profiles
- Click Add/Import
- Select Profile Import
- Click Next
- Click the button and locate the configuration file that you generated earlier in Step 2
- Click Next
- Confirm the import by clicking Next
You will now be asked to optionally enter your Username and Credentials to be saved to the client. You will not want to do this, as you are using Signify's 2FA and your users' password will always be different each time they login.

- Click Next

Your profile should then be successfully imported.

- Click Finish

You will be automatically returned to the Available Profile screen.

- Tick the Default box to make your new profile the default.
- Click OK

Your new profile has now been loaded into the client user's machine.
Step 4. Start and test the connection

You can now start and test the client connection to your WatchGuard XTM, and also check to make sure that the Signify 2FA authentication is working.

- Select Connection
- Click the Connection button to start the connection
- If the connection is successful, you will be prompted to enter your Signify 2FA credentials.
- Enter the credentials
- Click OK
Your user client should then successfully connect to the WatchGuard XTM, and a connection established message will be displayed as confirmation.

If the WatchGuard Mobile VPN with IPSec login screen does not appear, or if it does not display the Signify Two Factor challenge for Username and Passcode, refer to: Stage 7 - Troubleshooting
Stage 7: Troubleshooting

This section provides some hints and tips on what to do if you experience a problem testing the Two Factor Authentication in Stages 5 and 6.

Starting Up the Live Log Viewer

If you are experiencing problems with your testing, we recommend that you open up the IMC Live Log Viewer, as this will allow you to view the message traffic between your WatchGuard XTM logon page and the Signify server.

- Open My IMC and select Logs and Reports
- At 'Log Type:', select Live Authentication Logs
- Select Launch Live Log Viewer and you will see a screen like the one below

Troubleshooting tips

If the WatchGuard XTM log on page does not display the Signify challenge for Username and Password, or if the Signify challenge was displayed but an attempt to login using Signify Two Factor Authentication failed, check your IMC Live Log Viewer for error messages. There are two error messages that commonly appear in the Log Viewer when problems are encountered during the testing of Two Factor Authentication.

Problem: "User not on agent host" message

This message indicates an issue with the configuration of the authentication node.

- Check that the username you entered in the WatchGuard XTM log on page matches the user account that you activated in Stage 2.
- If the user account name is correct, check that the name of the authentication node in the Log Viewer matches the name of the authentication node that you set up in Stage 1. If the names do not match, check with your firewall administrator that NAT is set correctly.
- If the authentication node names match up correctly, check that the Two Factor Authentication passcode (PIN & tokencode) that you entered in the WatchGuard XTM log on page matches the token serial number being displayed in the Log Viewer. If necessary, re-enter the passcode to ensure that it has been entered correctly.
Problem: "Syntax Error" message

Check that the RADIUS shared secret that you saved into Notepad in Stage 1 was correctly supplied to the Radius setup in Stage 4 (page 19). You can go back and find the shared secret again by following the instructions under "Noting Down the IP Addresses and Port Number" and then "Your Shared Secret" towards the end of Stage 1.

In addition to the above, there may be other IMC events and messages visible in the Log Viewer. Most of them should be self-explanatory, but if you need help with your troubleshooting please contact Signify Admin Support (Tel: +44 1223 472571 between 09:00 and 17:30 GMT, Monday to Friday).

If there is no activity in the IMC Log Viewer, re-visit Stage 3 and check with your firewall administrator that the configuration of the firewall has been completed.
Signify Solutions Limited
Endeavour House
Chivers Way, Vision Park
Histon, Cambridge
Cambridgeshire CB24 9ZR
www.signify.net