Implementation Guidelines. Dyna Pass. Wireless Secure Access



Similar documents
Configuring Global Protect SSL VPN with a user-defined port

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Accessing the Media General SSL VPN

Connecting to Miami University s EHR Solution (GE Centricity)

Authentication. Authentication in FortiOS. Single Sign-On (SSO)

University Computing & Telecommunications Virtual Private Networking: How To/Self- Help Guide Windows 8.1 Operating System.

Kaseya 2. User Guide. Version 6.1

How to Use Remote Access Using Internet Explorer

Wireless Network Configuration Guide

Note that if at any time during the setup process you are asked to login, click either Cancel or Work Offline depending upon the prompt.

Palo Alto Networks GlobalProtect VPN configuration for SMS PASSCODE SMS PASSCODE 2015

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

VPN Overview. The path for wireless VPN users

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

Web Authentication Application Note

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Aradial Installation Guide

If you have questions or find errors in the guide, please, contact us under the following address:

Millbeck Communications. Secure Remote Access Service. Internet VPN Access to N3. VPN Client Set Up Guide Version 6.0

DIGIPASS Authentication for GajShield GS Series

Enable VPN PPTP Server Function

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

Configuring Sponsor Authentication

Product Summary RADIUS Servers

How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

ecopy ShareScan v4.3 Pre-Installation Checklist

Technical White Paper

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Citrix Access Gateway Advanced Edition

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

NovaBACKUP xsp Version 15.0 Upgrade Guide

A Guide to New Features in Propalms OneGate 4.0

Soft Solutions, Inc. 4-Sight FAX 7.5. Getting Started. Soft Solutions, Inc.

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001

Network Security 1 Module 4 Trust and Identity Technology

Dell SonicWALL and SecurEnvoy Integration Guide. Authenticating Users Using SecurAccess Server by SecurEnvoy

7.1. Remote Access Connection

Understanding the Cisco VPN Client

Windows XP Exchange Client Installation Instructions

Small Business Server Part 2

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Application Note. Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.

Citrix Access on SonicWALL SSL VPN

Using a VPN with Niagara Systems. v0.3 6, July 2013

DIS VPN Service Client Documentation

V Series Rapid Deployment Version 7.5

Hosted Microsoft Exchange Client Setup & Guide Book

Clientless SSL VPN Users

NAC Guest. Lab Exercises

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Integrating LANGuardian with Active Directory

Using RADIUS Agent for Transparent User Identification

Hosted Microsoft Exchange Client Setup & Guide Book

VPN AND CITRIX INSTALLATION GUIDE

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

LockoutGuard v1.2 Documentation


Virtual Code Authentication User s Guide. June 25, 2015

Knowledge Base Article: Article 218 Revision 2 How to connect BAI to a Remote SQL Server Database?

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Case Closed Installation and Setup

Remote Access: Citrix Client Setup

EMR Link Server Interface Installation

External Authentication with Checkpoint R75.40 Authenticating Users Using SecurAccess Server by SecurEnvoy

extranet.airproducts.com Windows XP Client Configuration

Colubris TechNote. Testing and Troubleshooting Active- Directory. Revision 1.3 Mar Author: Dave Leger

Dell SonicWALL SRA 7.5 Citrix Access

Configuring User Identification via Active Directory

VPN PPTP Application. Installation Guide

my.airproducts.com Windows Vista Client Configuration

Mobile Admin Security

How to set up the HotSpot module with SmartConnect. Panda GateDefender 5.0

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

Scenario: IPsec Remote-Access VPN Configuration

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing An Update

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

Transparent Identification of Users

SCADA Security. Enabling Integrated Windows Authentication For CitectSCADA Web Client. Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7.

WatchGuard Mobile User VPN Guide

Advanced Event Viewer Manual

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

Brazosport College VPN Connection Installation and Setup Instructions. Draft 2 March 24, 2005

SITRANS RD500 Configuring the RD500 with PSTN or GSM modems and Windows-based servers and clients for communication Objective:

Immotec Systems, Inc. SQL Server 2005 Installation Document

Sage Abra HRMS. Abra HRMS Security Considerations

SCENARIO EXAMPLE. Case study of an implementation of Swiss SafeLab M.ID with Citrix. Redundancy and Scalability

Accops HyWorks v2.5. Quick Start Guide. Last Update: 4/18/2016

Dlink DFL 800/1600 series: Using the built-in MS L2TP/IPSEC VPN client with certificates

Coillte IT has recently upgraded the Remote Access Solution to a new platform.

Endpoint Security VPN for Windows 32-bit/64-bit

Payment Card Industry and Citrix XenApp and XenDesktop Deployment Scenarios

How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client

Information Services. Accessing the University Network using a Virtual Private Network Connection (VPN), with Windows XP Professional

Scenario: Remote-Access VPN Configuration

UBC Digital Signage Service: CoolSign 5.0 Initial Set- up Guide

Experiment # 6 Remote Access Services

How to make a VPN connection to our servers from Windows 8

Transcription:

Implementation Guidelines Dyna Pass Wireless Secure Access

Implementation Guidelines Implementation Guidelines Abstract This document describes implementations. Examples are based on different technologies used for Remote Access to private networks. It doesn t cover all issues or details; it is only intended to give basic fundamentals for how can be implemented. Overview can be installed and configured in many different ways in your network. The purpose of this document is to give some general guidelines about how to implement in different environments. Basically assigns passwords and control User Accounts in a. The can be implemented as a Windows NT, a W2000 Active Directory or a NOVELL NDS/eDirectory. Selected users in the can be controlled by. These users can request a password by sending an SMS from his mobile phone to the server. responds to the request with a number of actions. Checks if the request originates from a registered mobile phone The account is enabled (it will be disabled when the configured time limit expires) A random password is assigned to the account. The password is returned to the user as an SMS to the users mobile phone. The user can now log on to the domain using the received password. When the time limit expires he will no longer be able to logon to the domain, the account is disabled and the password does not exist anymore. This does not necessarily mean that he cannot continue working when the time limit has expired. He can still use the resources he did set up during the initial login but he will not be able to allocate new resources. NAS/Firewall verifies user with domain controller When you configure to control users in your main logon domain the result is that the user must always get a password from to be able to access resources on the network. Selected users, for Page 2

Implementation Guidelines example critical accounts and users with dial in access can be controlled by. The procedure is always the same regardless of where the user is located when he tries to log on. If you want maximum security and protection for your network you should select this configuration and use for all users. Obviously this means a change of the log on procedures to the domain for all users. It also affects the way you log on when you want to use your machine for local tasks only. Cached log on to the domain (using last successful domain log on name and password) when you power up your computer off line is still possible but since the password is valid only for a short time and frequently changed you will sooner or later loose it (probably by deleting the corresponding message from your phone). In this situation you must physically connect to the domain or use a local account to be able to log on and access your computer. If you consider your current "in the office" log on procedures safe and don't want to change these, you can install to control only remote access users. This can be implemented in many different ways and this document will show some examples. Let Create the Door and Provide the Key The general idea in all examples is to let control the Entrance to your network. Once you are inside your normal domain security policies and procedures are used. To achieve this we set up a separate domain and configure to control the users in this domain. This domain contains only the users that are allowed access from the outside world. The Network Access Server (NAS) always ask this domain controller to verify the user before he is connected to your network. User names in the domain can be the same as in the main domain. Note however that there are no trusts between the domain and the main domain. NAS/Firewall verifies users with Using RADIUS Protocol Dial In Users Only The NAS can be of different nature, for example Microsoft RRAS or CISCO VPN concentrator as long as it can verify a user against the domain. This can be done using the RADIUS protocol or the Microsoft Page 3

Implementation Guidelines standard protocol. You must install Microsoft IAS (included in W2000 server) to enable the RADIUS support on the domain controller. Logon Procedures The total login procedure will take place in two steps. Step one is a controlled logon with the NAS to open the door and step two is a "normal" logon to the "normal" logon domain with the username and password used "in the office". Depending of the type of logon client used and the way Dial Up Networking in the client computer is configured this procedure is transparent to the user. For example, if you use MS Dial Up Networking and mark the checkbox Logon to active, the second step will be performed automatically with the credentials used when the user originally logged on to his computer. If these credentials are not valid the user will be prompted to enter user name and password again as a part of the second step in the logon procedure Recommendations The most frequent way of using together with remote access is to let the user request for a password from his mobile phone. This opens up the possibilities to introduce the time limits for passwords and the automatic disabling of user accounts. Suitable timeframe is normally set to 10 15 minutes, which leaves the user this time for logon. With this setting ALL accounts will be disabled when not in use. There will be no accounts open for logon or brute force attacks. Maximum security in can be achieved by a combination of an individual prefix. The user has to combine the prefix with the password received by the mobile phone. The prefix is never sent to the GSM phone, it is only known by the user and. User names in the domain can be the same as in the main domain. The reason for this is that it will be transparent for the users and they don t have to remember different usernames (most likely they won t even notice that they are using different accounts) Note however that there are no trusts between the domain and the main domain. Miscellaneous No changes are required in the and the logon procedures used when connected directly to the LAN. Administration of the Remote Access users is minimal, merely that the user has an account in the Server. No particular user rights other than allow dial in access should be set. requires no special software or add-ins in the client computers. Page 4

Implementation Guidelines and Secure Access Using Modems. The user has to be authenticated by using the name and password for the domain before he can access the network. Afters successful authentication he can proceed to logon to the corporate domain using the credentials supplied at power on of the client computer. If this is not successful, or automatic logon to domain is disabled, the user will be prompted to enter user name and password. Modem W2000/Active Directory (IAS - Radius Server) Acces Router Modem pool The server is a MS Windows 2000 Server with Active Directory, containing all users that have been granted Remote Access rights. is installed as a service and is using MS SQL Server as its system database. Authentication Service (IAS) is installed if the Access Router is using a Radius Client for authentication. With IAS installed the server will act as a Radius Server. It s recommended that there are no trusts between the and server. Access Router/Modem pool All authentications are passed through to the server, which checks the username and password. If the corporate network. This Access Router or Modem Pool is either using Radius or Microsoft standard protocol to A.D. for enquiries. Page 5

Implementation Guidelines and VPN Tunnel Server The user has to be authenticated by using the name and password for the domain before he can access the network. Afters successful authentication he can proceed to logon to the corporate domain using the credentials supplied at power on of the client computer. If this is not successful, or automatic logon to domain is disabled, the user will be prompted to enter user name and password. VPN client W2000/Active Directory (IAS - Radius Server) NAS VPN Server The server is a MS Windows 2000 Server with Active Directory, containing all users that have been granted Remote Access rights. MS SQL Server hosts the system database. Authentication Service (IAS) is installed if the Access Router/VPN Tunnel Server is using a Radius Client for authentication. With IAS installed the server will act as a Radius Server. It s recommended that there are no trusts between the and server. VPN Tunnel Server All authentications are passed through to the server, which checks the username and password. If the user has a valid and enabled account and is entering a valid password the tunnel will be established and the user will be granted access to the corporate network. The VPN Tunnel Server is using Radius or Microsoft standard protocol to A.D. for enquiries. Note that the VPN server is published through the firewall with a public IP address. Page 6

Implementation Guidelines and Secure Web Access The user has to be authenticated by using the name and password for the domain before he can access the WEB server or part of the WEB server. Afters successful authentication he can access protected pages and directories in the WEB server. Depending on which resources and services that are available to the user he can now logon to those services such as WEB mail etc. WEB Browser W2000/Active Directory (IAS - Radius Server) WEB Server with authentication control The server is a MS Windows 2000 Server with Active Directory, containing all users that have been granted Remote Access rights. MS SQL Server hosts the system database. Authentication Service (IAS) is installed if the WEB server is using a Radius Client for authentication. With IAS installed the server will act as a Radius Server. It s recommended that there are no trusts between the and server. WEB server All authentications are passed through to the server, which checks the username and password. If the user has a valid and enabled account and is entering a valid password then the user will be granted access to the WEB server or part of the WEB server. The WEB server is using Radius or Microsoft standard protocol to A.D. for enquiries. The WEB server is published through the firewall with a public IP address. Page 7

Implementation Guidelines and CITRIX Secure Gateway NFuse The user has to be authenticated by using the name and password for the domain before he can access the WEB server with Citrix NFUSE. After authentication he can access protected pages where he can make the NFUSE logon to the Citrix Metaframe Server(s). After a successful logon to NFUSE the Citrix STA will issue a ticket to the user through the Citrix CSG and the session is now handled by the Citrix CSG. WEB Browser W2000 Active Directory WEB Server IIS with authentication control NFUSE Citrix CSG Citrix MetaFrame Server(s) Citrix STA The server is a MS Windows 2000 Server with Active Directory, containing all users that have been granted Remote Access rights. MS SQL Server hosts the system database. Authentication Service (IAS) is installed if the WEB server is using a Radius Client for authentication. With IAS installed the server will act as a Radius Server. It s recommended that there are no trusts between the and server. WEB server/nfuse All authentications are passed through to the server, which checks the username and password. If the WEB server with Citrix NFUSE. The WEB server is using Radius or Microsoft standard protocol to A.D. for enquiries. The WEB server is published through the firewall with a public IP address. Page 8

Implementation Guidelines in a Mixed Environment The user has to be authenticated by using the name and password for the domain before he can access the different services such as Modem/Access Router, VPN Tunnel and WEB Access (including NFUSE). Afters successful authentication he can access different resources depending on access medium and resources given by the. WEB browser Modem VPN Conc. (Radius Client) W2000 Active Directory WEB Server Authentication control NFUSE Acces Router Modem pool Citrix MetaFrame Server(s) Citrix STA The server is a MS Windows 2000 Server with Active Directory, containing all users that have been granted Remote Access rights independently of which service that is used. MS SQL Server hosts the system database. Authentication Service (IAS) is installed if the any service is using a Radius Client for authentication. With IAS installed the server will act as a Radius Server. It s recommended that there are no trusts between the and server. Page 9

Implementation Guidelines Access Router/Modem Pool All authentications are passed through to the server, which checks the username and password. If the corporate network. This Access Router or Modem Pool is either using Radius or Microsoft standard protocol to A.D. for enquiries. VPN Tunnel Server All authentications are passed through to the server, which checks the username and password. If the user has a valid and enabled account and is entering a valid password the tunnel will be established and the user will be granted access to the corporate network. The VPN Tunnel Server is using Radius or Microsoft standard protocol to A.D. for enquiries. Note that the VPN server is published through the firewall with a public IP address. WEB Server All authentications are passed through to the server, which checks the username and password. If the WEB server. The WEB server is using Radius or Microsoft standard protocol to A.D. for enquiries. The WEB server is published through the firewall with a public IP address. WEB Server/NFUSE All authentications are passed through to the server, which checks the username and password. If the WEB server with Citrix NFUSE. The WEB server is using Radius or Microsoft standard protocol to A.D. for enquiries. The WEB server is published through the firewall with a public IP address. Page 10

Implementation Guidelines and Firewall authentication The user has to be authenticated by using the name and password for the domain before he can access services on 2. After successful authentication trough the Firewall the user can access protected services such as WEB mail, Terminal servers etc. Depending on which resources and services that are available to the user he can now logon to those services. WEB Browser 2 W2000/Active Directory (IAS - Radius Server) WEB Server with authentication control The server is a MS Windows 2000 Server with Active Directory, containing all users that have been granted Remote Access rights. MS SQL Server hosts the system database. Authentication Service (IAS) is installed if the Firewall is using a Radius Client for authentication. With IAS installed the server will act as a Radius Server. It s recommended that there are no trusts between the and server. Firewall All authentications are passed through to the server, which checks the username and password. If the 2. The requirement on the Firewall is that it supports external directory for authentication e.g. Radius or native Microsoft API. Page 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information