External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy




External authentication with Astaro AG Astaro Security Gateway UTM appliances
Authenticating Users Using SecurAccess Server by SecurEnvoy

Contact information

SecurEnvoy
www.securenvoy.com
0845 2600010
1210 Parkview, Arlington Business Park, Theale, Reading RG7 4TY

Phil Underwood
Punderwood@securenvoy.com

Special thanks to Christian Louis of Astaro AG for Astaro configuration

Astaro AG Astaro Security Gateway UTM appliance Integration Guide

This document describes how to integrate an Astaro AG Astaro Security Gateway UTM appliance with the SecurEnvoy two-factor authentication solution called SecurAccess.

The Astaro AG Astaro Security Gateway UTM appliance provides secure remote access to the internal corporate network.

SecurAccess provides two-factor, strong authentication for remote access solutions (such as Astaro's Security Gateway series), without the complication of deploying hardware tokens or smartcards. Two-factor authentication is provided by the use of your PIN and your phone to receive the one-time passcode.

SecurAccess is designed as an easy to deploy and use technology. It integrates directly into Microsoft's Active Directory and negates the need for additional user security databases. SecurAccess consists of two core elements: a Radius server and an Authentication server. The Authentication server is directly integrated with LDAP or Active Directory in real time.

SecurEnvoy Security Server can be configured in such a way that it can use the existing Microsoft password. Utilising the Windows password as the PIN allows the user to enter their UserID, Windows password and one-time passcode received upon their mobile phone. This authentication request is passed via the Radius protocol to the SecurEnvoy Radius server, where it carries out a two-factor authentication.

SecurEnvoy utilises a web GUI for configuration, as does the Astaro AG Astaro Security Gateway UTM appliance. All notes within this integration guide refer to this type of approach.

The equipment used for the integration process is listed below:

Astaro AG
- Astaro ASG, Ver. 7.501

SecurEnvoy
- Windows 2003 server SP1
- IIS installed with SSL certificate (required for remote administration)
- Active Directory installed or connection to Active Directory via LDAP protocol
- SecurAccess software release v5.1.501

2005 SecurEnvoy Ltd. All rights reserved. Confidential

Index

1.0 Prerequisites
2.0 Configuration of Astaro Security Gateway (ASG) UTM appliance for SSL VPN users
2.1 Add a new backend authentication RADIUS server
3.0 Configuration of SecurEnvoy
3.1 Enable Auto User creation for the RADIUS users
3.2 Allow RADIUS users to access the End-User Portal
3.3 Allow RADIUS users to use the SSL VPN client
3.4 Login to the user Portal and download the SSL VPN client
3.5 Use of RADIUS authenticated users for other components
4.1 Use SecurEnvoy Authentication with PPTP
4.2 Use SecurEnvoy to authenticate administrative access
4.3 Use SecurEnvoy to control web surfing
5.0 Limitations

1.0 Prerequisites

It is assumed that the Astaro AG Astaro Security Gateway appliance is set up and operational. An existing Domain user can authenticate using a Domain password and access applications; your users can access through SSL VPN using local accounts or Domain accounts.

The SecurEnvoy Security Server has a suitable account created that has read and write privileges to the Active Directory. If firewalls are between the SecurEnvoy Security Server, the Active Directory servers and the Astaro Security Gateway, additional open ports will be required.

NOTE: SecurEnvoy requires LDAP connectivity either over port 389 or 636 to the Active Directory servers and port 1645 or 1812 for RADIUS communication from the Astaro UTM appliance.

NOTE: Add radius profiles for each Astaro UTM appliance that requires Two-Factor Authentication.

2.0 Configuration of Astaro Security Gateway (ASG) UTM appliance for SSL VPN users

To enable a SecurEnvoy Two-Factor authentication logon to the Astaro Security Gateway UTM appliance, log in to the administration interface. See diagrams below.

2.1 Add a new backend authentication RADIUS server

- Log in to the WebAdmin interface of the ASG via https://<yourasgsip>:4444
- Go to Users -> Authentication -> Servers
- Add a new server by clicking on the New Server button


- Choose Backend: Radius
- Click on the + sign next to Server and, in the pop-up, enter the following, then click Save:
  Name: SecurEnvoy RADIUS server
  Type: Host
  Address: your SecurEnvoy IP Address
- Enter the Shared secret value according to your SecurEnvoy configuration.

Please note that the Test button under Test server settings only works if you enter a valid Username: and Password: (OTP).

3.0 Configuration of SecurEnvoy

SecurEnvoy Radius configuration is set up to authenticate both the PIN and Passcode component. By default SecurEnvoy uses the domain password as the PIN component. This gives the end user an easy to use mechanism without having to first enrol for a PIN. SecurEnvoy supplies the second factor of authentication, which is the dynamic one-time passcode (OTP) sent to the user's mobile phone.

Launch the SecurEnvoy admin interface by executing the Local Security Server Administration link on the SecurEnvoy Security Server.

1. Click the Radius button.
2. Enter IP address and Shared secret for each Citrix Web Interface server that wishes to use SecurEnvoy Two-Factor authentication.
3. Make sure the Authenticate Passcode Only (Pin not required) checkbox is unticked.
4. Press Update.
5. Now log out.

3.1 Enable Auto User creation for the RADIUS users

Go to Users -> Authentication -> Global Settings and enable Create users automatically. Now click Apply. After that choose End-User Portal and SSL VPN below and click Apply.

3.2 Allow RADIUS users to access the End-User Portal

In order to get their SSL VPN client and configuration, users have to initially log in to the End User portal. Make sure that RADIUS authenticated users are allowed to log in.

Go to Management -> User Portal and add the Radius Users group to the list of allowed users. You can choose this group by clicking on the Folder icon and dragging it from the list on the left.

3.3 Allow RADIUS users to use the SSL VPN client

Go to Remote Access -> SSL and make sure that the Radius Users group is also listed under Users and Groups. Again, use the Folder icon and drag and drop the group into the corresponding field.

3.4 Login to the user Portal and download the SSL VPN client

Access your user portal under https://<yourasgsip> and log in with your SecurEnvoy Domain User ID and your assigned OTP / RADIUS password.

Go to Remote Access, download the SSL VPN installation package (1st link) and install it on your client's PC.

If you start the SSL connection, you can now enter your Username and your PIN+OTP under Password:

3.5 Use of RADIUS authenticated users for other components

You can also use SecurEnvoy authenticated users with IPSec VPN. Just enable the XAUTH option to check for OTP:

4.1 Use SecurEnvoy Authentication with PPTP

Go to Remote Access -> PPTP and change the authentication method to RADIUS.

Use SecurEnvoy Authentication with L2TP over IPSec

Go to Remote Access -> L2TP over IPSec and change Access Control -> Authentication via: to RADIUS.

4.2 Use SecurEnvoy to authenticate administrative access

Go to Management -> WebAdmin Settings -> Access Control and add the RADIUS Users or RADIUS group to the list of Allowed Administrators or Allowed Auditors:

4.3 Use SecurEnvoy to control web surfing

RADIUS users can also be used to control access to the HTTP proxy.

Go to Web Security -> HTTP/S, choose either Basic User Authentication or Transparent with authentication, and add the RADIUS group or single users to the list of allowed users/groups.

Allow only single users from the SecurEnvoy RADIUS server to access specific resources

In order to limit access to specific users and not the whole SecurEnvoy user base, create local users with a matching user name. Those users are auto-generated upon first login to the User Portal, but they can also be pre-created by adding them manually.

Go to Users -> Users and click New user... Use the same user name as used in the backend (e.g. your Active Directory) and choose Authentication: Remote. Make sure to activate Backend sync:

You can now use this single user in every access control segment mentioned above.

5.0 Limitations

As the Astaro Security Gateway does not at the moment support Challenge-Response, it is not possible to use the Real Time SMS feature. The solution only works with preloaded or timed OTPs.
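
The PIN+OTP login in section 3.4 and the limitation in section 5.0 both rest on a single RADIUS Access-Request carrying the concatenated PIN and OTP in one User-Password attribute, with no Access-Challenge round trip. The added example below (not taken from the SecurEnvoy or Astaro documentation) builds and parses such a request with the RFC 2865 password hiding; the user name, shared secret, passwords and the fixed 6-digit OTP split are constructed assumptions.

```python
import hashlib
import os
import struct

def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]  # always chain on the hidden block
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)  # NUL-pad to a multiple of 16
    return _xor_blocks(password.ljust(size, b"\x00"), secret, authenticator, True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(user, pin, otp, secret, ident=1, authenticator=None):
    """Gateway side: PIN and OTP travel together in the single User-Password attribute."""
    authenticator = authenticator or os.urandom(16)
    def attr(kind, value):
        return bytes([kind, len(value) + 2]) + value
    attrs = attr(1, user.encode())  # attribute 1 = User-Name
    attrs += attr(2, hide_password((pin + otp).encode(), secret, authenticator))  # 2 = User-Password
    # Code 1 = Access-Request; the header is code, identifier, length, authenticator.
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes, otp_len: int = 6) -> dict:
    """Server side: recover the field and split it; otp_len=6 is an assumption of this example."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        kind, size = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + size]
        pos += size
    combined = reveal_password(attrs[2], secret, authenticator).decode()
    return {"code": code, "user": attrs[1].decode(),
            "pin": combined[:-otp_len], "otp": combined[-otp_len:]}

# Constructed sample values, not taken from the guide.
SECRET = b"constructed-shared-secret"
PACKET = build_access_request("jsmith", "Winter#Pass2024", "483920", SECRET)
RESULT = parse_access_request(PACKET, SECRET)
```

The only protection on the password field between the gateway and the RADIUS server is this MD5-based mask keyed by the shared secret, so the secret entered in sections 2.1 and 3.0 should be long and random.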