BlackShield ID Agent for Terminal Services Web and Remote Desktop Web




Agent for Terminal Services Web and Remote Desktop Web
© 2010 CRYPTOCard Corp. All rights reserved. http://www.cryptocard.com

Copyright
Copyright 2010, CRYPTOCard. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.

Trademarks
CRYPTOCard and the CRYPTOCard logo are registered trademarks of CRYPTOCard Inc. in Canada and/or other countries. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement
This software and the associated documentation are proprietary and confidential to CRYPTOCard, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by CRYPTOCard.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Contact Information
CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web i

Related Documentation
Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.

Publication History
Date           Changes            Version
Sept 7, 2010   Document created   1.0

Table of Contents
Applicability ... 1
Overview ... 2
Authentication Modes ... 2
TSWeb\RDWeb - Standard Authentication Mode (Hardware and Software) ... 3
TSWeb\RDWeb - Standard Authentication Mode (Hardware, Software and GrIDsure/SMS) ... 3
TSWeb\RDWeb - Split Authentication Mode ... 4
Preparation and Prerequisites ... 5
Installing the BlackShield ID IIS 7 Agent ... 5
Configuring IIS for use with the BlackShield ID Agent ... 5
Enabling the BlackShield ID IIS 7 Agent for Terminal Services Web or Remote Desktop Web ... 6
BlackShield ID IIS 7 Agent Configuration Tool ... 7
Policy Tab ... 7
Authentication Methods Tab ... 8
Exceptions Tab ... 9
Communications Tab ... 10
Logging Tab ... 11
Localization Tab ... 12

Applicability
This integration guide is applicable to:

Authentication Server: BlackShield ID Server 2.4 or higher; BlackShield ID Server 2.6.573 or higher (GrIDsure support)
Network: TCP port 80 or 443
Supported Operating Systems: Microsoft Windows Server 2008; Microsoft Windows Server 2008 R2; Microsoft Windows Small Business Server 2008
Supported Web Servers: IIS 7.0; IIS 7.5
Supported Applications and Objects: Remote Desktop Web; Terminal Services Web; Sites, Virtual Directories, Applications
Supported IIS Authentication Type: Microsoft Authentication (Basic Authentication)
Supported Web Browsers: Internet Explorer 7, 8; Firefox 3.x
Additional Web Browser Requirements: Cookies must be enabled; JavaScript must be enabled; ActiveX plug-ins (software token detection only)

Overview
The BlackShield ID Agent for IIS 7 is designed for Terminal Services Web and Remote Desktop Web but may also be used for other IIS 7 web sites where the authentication method is configured to use Microsoft authentication. The agent ensures that web-based resources are accessible only by authorized users, whether working remotely or inside the firewall, by prompting for additional CRYPTOCard credentials during logon.

Authentication Modes
There are two login authentication modes available in the BlackShield ID agent.

Standard Authentication Mode: Enables a single-stage login process. Microsoft and CRYPTOCard credentials must be entered into the CRYPTOCard login page.

Split Authentication Mode: Enables a two-stage login process. In the first stage, users provide their Microsoft credentials. In the second stage, users provide their CRYPTOCard credentials. This mode allows Administrators to control authentication dialogs based on Microsoft groups or token type (such as GrIDsure). This is the preferred mode when migrating from static to one-time passwords.

By default, Split Authentication Mode is enabled. The authentication mode can be modified after installation using the BlackShield ID IIS 7 Agent Configuration Tool.

TSWeb\RDWeb - Standard Authentication Mode (Hardware and Software)
1. The user enters the URL into their web browser.
2. The BlackShield agent examines the incoming request against its IP Range Exclusions/Inclusions list to determine if CRYPTOCard authentication can be ignored.
3. If an IP address exclusion is detected, CRYPTOCard credentials are not required. The user authenticates using Microsoft credentials.
4. If an IP address exclusion is not detected, a CRYPTOCard-enabled login page appears.
5. If a software token is detected, the CRYPTOCard login page displays Token, PIN, Microsoft Password and Microsoft Domain fields. An option to toggle between hardware and software token mode is available.
6. If a software token is not detected, the CRYPTOCard login page displays Microsoft Username, Microsoft Password and OTP fields.
7. The user enters their Microsoft and CRYPTOCard credentials into the login page. If both sets of credentials are valid, the user is presented with their web site; otherwise, the attempt is rejected.

TSWeb\RDWeb - Standard Authentication Mode (Hardware, Software and GrIDsure/SMS)
1. The user enters the URL into their web browser.
2. The BlackShield agent examines the incoming request against its IP Range Exclusions/Inclusions list to determine if CRYPTOCard authentication can be ignored.
3. If an IP address exclusion is detected, CRYPTOCard credentials are not required. The user authenticates using Microsoft credentials.
4. If an IP address exclusion is not detected, a CRYPTOCard-enabled login page appears.
5. If a software token is detected, the CRYPTOCard login page displays Token, PIN, Microsoft Password and Domain fields. The option to toggle between hardware, software and GrIDsure/SMS token mode is available.
6. If a software token is not detected, the CRYPTOCard login page displays Microsoft Username, Microsoft Password and OTP fields. The option to toggle between hardware and GrIDsure/SMS Challenge-response token mode is available.
7. The user enters their Microsoft and CRYPTOCard credentials into the login page. If both sets of credentials are valid, the user is presented with their web site; otherwise, the attempt is rejected.
8. In GrIDsure/SMS Challenge-response mode the user enters their Microsoft credentials into the login page. If the Microsoft credentials are valid, the user is presented with a GrIDsure grid or provided with an OTP via SMS. If the CRYPTOCard credentials then entered are valid, the user is presented with their web site; otherwise, the attempt is rejected.

TSWeb\RDWeb - Split Authentication Mode
1. The user enters the URL into their web browser.
2. The BlackShield agent examines the incoming request against its IP Range Exclusions/Inclusions list to determine if CRYPTOCard authentication can be ignored.
3. If an IP address exclusion is detected, CRYPTOCard credentials are not required. The user authenticates and logs into the web site using their Microsoft credentials.
4. If an IP address exclusion is not detected, the user is presented with Microsoft Username and Microsoft Password fields. If the Microsoft credentials are valid, the user is allowed to continue; otherwise the attempt is rejected.
5. The BlackShield agent examines the Microsoft username against its Group Authentication Exceptions list to determine if CRYPTOCard authentication can be ignored.
6. If a group authentication exception is detected, CRYPTOCard credentials are not required. The user is presented with their web site.
7. If a group authentication exception is not detected, the BlackShield agent examines the Microsoft username against its GrIDsure and SMS authentication group lists.
8. If a GrIDsure or SMS authentication group match is detected, the user is presented with their GrIDsure grid or provided with an OTP via SMS. If the CRYPTOCard credentials are valid, the user is presented with their web site; otherwise, the attempt is rejected.
9. If a software token is detected, the CRYPTOCard login page displays the token name and a PIN field. The option to toggle between hardware and software mode is available.
10. If a software token is not detected, the CRYPTOCard login page displays an OTP field.
11. The user enters their CRYPTOCard credentials into the login page. If the credentials are valid, the user is presented with their web site; otherwise, the attempt is rejected.

Because the Microsoft credentials are verified and rejected in step 4 before any CRYPTOCard credential is requested, the first stage behaves as an Internet-facing password check. Apply the same lockout and logging controls to it that you would apply to any password-only logon.
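The decision flow above, together with the three group filter options the Exceptions tab offers (everyone must use CRYPTOCard; only selected groups bypass; only selected groups must use), is easy to misconfigure in a way that silently exempts users. The following PowerShell is an added example and not code from this guide or from the agent: it models the Split Authentication Mode decisions as one function so a policy can be checked on a workstation before the agent is enabled. It assumes step 4, the Microsoft credential check, has already succeeded. The policy key names, group names, IP ranges and the SoftwareTokenDetected flag are constructed for the example and do not correspond to settings files of the real agent.

```powershell
# Added example; not code from the CRYPTOCard guide or the BlackShield ID agent.
# Models Split Authentication Mode: IP range exclusions, the three group filter
# options, GrIDsure/SMS groups and software token detection. Policy keys, group
# names and IP ranges below are constructed sample data.

function ConvertTo-IPv4Integer {
    param([Parameter(Mandatory = $true)] [string] $Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Address" }
    [Array]::Reverse($bytes)                       # network order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InRange {
    param([string] $Address, [string] $Start, [string] $End)
    $a = ConvertTo-IPv4Integer $Address
    return ($a -ge (ConvertTo-IPv4Integer $Start)) -and ($a -le (ConvertTo-IPv4Integer $End))
}

function Get-SecondFactorPrompt {
    param(
        [Parameter(Mandatory = $true)] [string]    $ClientIP,
        [string[]]  $UserGroups = @(),             # Microsoft groups of the authenticated user
        [Parameter(Mandatory = $true)] [hashtable] $Policy
    )
    # Steps 2-3: an IP range exclusion skips CRYPTOCard authentication altogether.
    foreach ($range in $Policy.IPExclusions) {
        if (Test-IPv4InRange $ClientIP $range.Start $range.End) { return 'None (IP range exclusion)' }
    }
    # Steps 5-6: group authentication exceptions; only one filter option is active at a time.
    $inExceptionGroup = @($UserGroups | Where-Object { $Policy.ExceptionGroups -contains $_ }).Count -gt 0
    switch ($Policy.GroupFilter) {
        'EveryoneMustUseCryptoCard' { }
        'OnlySelectedGroupsBypass'  { if ($inExceptionGroup)      { return 'None (group exception)' } }
        'OnlySelectedGroupsMustUse' { if (-not $inExceptionGroup) { return 'None (group exception)' } }
        default                     { throw "Unknown group filter '$($Policy.GroupFilter)'" }
    }
    # Steps 7-8: GrIDsure and SMS Challenge-response groups get their own second-stage dialog.
    if (@($UserGroups | Where-Object { $Policy.GrIDsureGroups -contains $_ }).Count -gt 0) { return 'GrIDsure grid' }
    if (@($UserGroups | Where-Object { $Policy.SMSGroups -contains $_ }).Count -gt 0)      { return 'OTP sent by SMS' }
    # Steps 9-10: otherwise the OTP page, with the token name and a PIN field if a software token was detected.
    if ($Policy.SoftwareTokenDetected) { return 'Token name and PIN' }
    return 'OTP'
}

# Constructed sample policy: the office LAN bypasses OTP, one group is exempt during
# migration, and two groups carry GrIDsure or SMS Challenge-response tokens.
$policy = @{
    IPExclusions          = @(@{ Start = '10.0.0.1'; End = '10.0.0.254' })
    GroupFilter           = 'OnlySelectedGroupsBypass'
    ExceptionGroups       = @('RDWeb-NoOTP')
    GrIDsureGroups        = @('RDWeb-GrIDsure')
    SMSGroups             = @('RDWeb-SMS')
    SoftwareTokenDetected = $false
}

# LAN client, exempt group member, GrIDsure user, and an ordinary external user, in that order.
Get-SecondFactorPrompt -ClientIP '10.0.0.20'   -UserGroups 'Domain Users'                   -Policy $policy
Get-SecondFactorPrompt -ClientIP '203.0.113.5' -UserGroups 'Domain Users', 'RDWeb-NoOTP'    -Policy $policy
Get-SecondFactorPrompt -ClientIP '203.0.113.5' -UserGroups 'Domain Users', 'RDWeb-GrIDsure' -Policy $policy
Get-SecondFactorPrompt -ClientIP '203.0.113.5' -UserGroups 'Domain Users'                   -Policy $policy
```

Switching GroupFilter to OnlySelectedGroupsMustUse and re-running the last call is the case to watch: every user outside the selected groups then logs on with a password alone, which is the intended migration state only while those groups are actively maintained.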

Preparation and Prerequisites
Ensure that the web site is configured to use Basic Authentication and that NTLM (Windows Authentication) is disabled.
Ensure that TCP port 80 or 443 is open between the BlackShield ID IIS 7 agent and the BlackShield ID Server.
Administrative rights to the Windows system are required during installation and configuration of the BlackShield ID IIS 7 Agent.
Basic Authentication only Base64-encodes the Microsoft password, so publish the site over HTTPS; otherwise that password and the credentials entered on the CRYPTOCard login page cross the network in clear text.

Installing the BlackShield ID IIS 7 Agent
1. Log on to the IIS 7 web server as a user with administrative privileges.
2. Locate and run the BlackShield ID Agent for IIS 7 x64.exe installation package.
3. Accept the license agreement.
4. Select the installation destination folder, then proceed with the installation.

Configuring IIS for use with the BlackShield ID Agent
The BlackShield ID agent for IIS 7 requires that Terminal Services Web and Remote Desktop Web are configured to use Basic Authentication. Before enabling the BlackShield agent, perform the following:

Remote Desktop Web
1. Launch the IIS Manager from Administrative Tools.
2. Expand Computer Name, Sites, Default Web Site, then RDWeb.
3. Select Pages. In the IIS section of the Features View pane, select Authentication.
4. Disable Anonymous and Forms Authentication, then enable Basic Authentication.

Terminal Services Web
1. Launch the IIS Manager from Administrative Tools.
2. Expand Computer Name, Sites, then Default Web Site.
3. Select TS. In the IIS section of the Features View pane, select Authentication.
4. Disable Windows Authentication, then enable Basic Authentication.
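The two IIS Manager procedures above can be scripted and, more usefully, verified. The following PowerShell is an added example and not part of this guide: it applies the same authentication settings to the /RDWeb/Pages and /TS paths with the WebAdministration module and then reads them back, and it checks that the Default Web Site has an HTTPS binding. It assumes IIS 7.5 on Windows Server 2008 R2 with the WebAdministration module available (on IIS 7.0 the snap-in is loaded with Add-PSSnapin WebAdministration instead), an elevated session, and that setting the ASP.NET authentication mode to Windows is the right counterpart to "disable Forms Authentication" in IIS Manager; that last point is an assumption of the example, not a statement from the guide. The function names are the example's own.

```powershell
# Added example; not code from the CRYPTOCard guide. Applies and verifies the IIS
# authentication settings the guide requires. Assumes IIS 7.5 / Windows Server 2008 R2
# with the WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration

$AuthSection = '/system.webServer/security/authentication'

function Set-BasicOnlyAuthentication {
    # Leaves Basic Authentication as the only enabled IIS authentication module under $PSPath.
    param([Parameter(Mandatory = $true)] [string] $PSPath)

    foreach ($module in 'anonymousAuthentication', 'windowsAuthentication') {
        Set-WebConfigurationProperty -PSPath $PSPath -Filter "$AuthSection/$module" -Name enabled -Value $false
    }
    Set-WebConfigurationProperty -PSPath $PSPath -Filter "$AuthSection/basicAuthentication" -Name enabled -Value $true

    # "Forms Authentication" in IIS Manager is the ASP.NET authentication mode. Assumption of this
    # example: 'Windows' makes ASP.NET accept the identity IIS established with Basic Authentication.
    Set-WebConfigurationProperty -PSPath $PSPath -Filter '/system.web/authentication' -Name mode -Value 'Windows'
}

function Get-AuthenticationState {
    # Returns module -> enabled for the modules the guide tells you to check.
    param([Parameter(Mandatory = $true)] [string] $PSPath)
    $state = @{}
    foreach ($module in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
        $state[$module] = (Get-WebConfigurationProperty -PSPath $PSPath -Filter "$AuthSection/$module" -Name enabled).Value
    }
    return $state
}

function Test-HttpsBinding {
    # Basic Authentication only Base64-encodes the password, so a site without an HTTPS
    # binding is not ready to protect.
    param([string] $SiteName = 'Default Web Site')
    return [bool] (Get-WebBinding -Name $SiteName -Protocol https)
}

# Remote Desktop Web protects /RDWeb/Pages; Terminal Services Web protects /TS.
foreach ($path in 'IIS:\Sites\Default Web Site\RDWeb\Pages', 'IIS:\Sites\Default Web Site\TS') {
    if (Test-Path $path) {
        Set-BasicOnlyAuthentication -PSPath $path
        Write-Output $path
        Get-AuthenticationState -PSPath $path | Format-Table -AutoSize
    }
}
if (-not (Test-HttpsBinding)) {
    Write-Warning 'Default Web Site has no HTTPS binding: Basic Authentication credentials would cross the network in clear text.'
}
```

Run it before enabling the agent in the configuration tool; the read-back table is the evidence that anonymousAuthentication and windowsAuthentication are false and basicAuthentication is true on each protected path.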

Enabling the BlackShield ID IIS 7 Agent for Terminal Services Web or Remote Desktop Web
These basic instructions are required to enforce CRYPTOCard authentication during logon to Terminal Services Web or Remote Desktop Web. For more in-depth information on each setting, refer to the BlackShield ID IIS 7 Agent Configuration Tool section.
1. Select Start, All Programs, CRYPTOCard, BlackShield ID Agent for IIS 7, IIS 7 Agent Configuration.
2. In the Policy tab, under All Web Sites, select Default Web Site. In Protected Applications, select /RDWeb/Pages for Remote Desktop Web or /TS for Terminal Services Web. Select Enable Agent, then any additional settings required within this tab.
3. Select the Communications tab and verify that the Authentication Server Settings reflect the location of the BlackShield ID Server.
4. Verify that all other tabs meet your requirements.
5. Apply the settings. The IIS server will restart for the settings to take effect.

BlackShield ID IIS 7 Agent Configuration Tool
The BlackShield ID IIS 7 agent configuration tool allows for the modification of various features available within the BlackShield ID Agent for IIS 7.

Policy Tab
The Policy tab provides the ability to select a web site and then protect web-based resources with CRYPTOCard authentication. When a web site is selected, all settings defined within each tab apply to that specific web site. If another web site is selected, all tabs revert to their customized or default settings, allowing a different configuration to be applied.

Web Site
All Web Sites: Allows the selection of the web site. The web site selection determines the list displayed within Protected Applications.
Protected Applications: Allows the selection of one or more applications or virtual directories.

Authentication Processing
Enable Agent: Turns the IIS 7 agent on or off. Default value: Disabled.

Session Timeout: Specifies the amount of time the user may remain idle before they are required to re-authenticate with their CRYPTOCard credentials. Default value: 10.
Client IP Address Forwarding: If selected, the remote client IP address is sent to the BlackShield ID Server. Otherwise, the web server's IP address is used. Default value: Enabled. If the web server sits behind a reverse proxy or load balancer, confirm which address the agent actually sees; IP Range Exceptions evaluated against the proxy's address would exempt every external user.

Authentication Methods Tab
The Authentication Methods tab allows for the selection of the login authentication method and the web page authentication layout presented to the user.

Authentication Methods
Standard Authentication Mode: Enables a single-step login process. Microsoft and CRYPTOCard credentials must be entered into a single login page. Default value: Disabled.
Standard Authentication Mode provides the option to select one of two login templates:
Hardware and Software Token Detection: If a software token is detected, the login page displays Token, PIN, Microsoft Password and Microsoft Domain fields; otherwise Microsoft Username, Microsoft Password and OTP fields are displayed. The option to toggle between Hardware and Software token mode is available if a software token is detected on the local workstation.

Hardware, Software, GrIDsure and SMS Challenge Token Detection: If a software token is detected, the login page displays Token, PIN, Microsoft Password and Microsoft Domain fields. If required, a set of radio button options can be used to select a different token type. If no software token exists, the user is presented with Microsoft Username, Microsoft Password and OTP fields along with an option to enable a GrIDsure/SMS Challenge login page.

Split Authentication Mode: Enables a two-stage login process. In the first stage, users provide their Microsoft credentials. In the second stage, users provide their CRYPTOCard credentials. Default value: Enabled.
This mode provides the following advantages over Standard Authentication Mode:
Microsoft group exclusions may be used to migrate users gradually from static passwords to a combination of static and one-time passwords.
Administrators can specify, via Microsoft Groups, the users who have been provided with GrIDsure or SMS Challenge-response tokens. This provides a more seamless login experience, as the agent displays exactly what is required from the user.

GrIDsure Tab (Optional): Allows an Administrator to specify a Microsoft group which contains CRYPTOCard users who have been assigned a GrIDsure token. When the agent detects a user within this group, it automatically displays a GrIDsure grid after they have provided valid Microsoft credentials.
SMS Challenge-Response Tab (Optional): Allows an Administrator to specify a Microsoft group which contains CRYPTOCard users who have been assigned an SMS Challenge-response token. When the agent detects a user within the group, it automatically provides them with a one-time password via SMS after they have provided valid Microsoft credentials.

Exceptions Tab
The Exceptions tab allows specific Microsoft groups or network traffic to bypass CRYPTOCard authentication. By default, all users are required to perform CRYPTOCard authentication unless otherwise defined by an exclusion.

IP Range Exceptions/Inclusions
Allows an Administrator to define which network traffic requires CRYPTOCard authentication. By default, all networks are required to perform CRYPTOCard authentication. An excluded range is trusted on the basis of its source address alone, so limit exclusions to networks that cannot be reached from the Internet.

Group Authentication Exceptions
Group authentication exceptions omit one or more domain groups from performing CRYPTOCard authentication. Only one group filter option is valid at any given time; it cannot overlap with another group authentication exception. Default value: Everyone must use CRYPTOCard.
The following group authentication exceptions are available:
Everyone must use CRYPTOCard: All users must perform CRYPTOCard authentication.
Only selected groups will bypass CRYPTOCard: All users are required to perform CRYPTOCard authentication except the Microsoft Group(s) defined.
Only selected groups must use CRYPTOCard: Users are not required to perform CRYPTOCard authentication except the Microsoft Group(s) defined.
Whichever option is chosen, the users it exempts log on with a Microsoft password alone, so audit membership of the groups involved as carefully as the agent settings themselves.
Adding a group authentication exception entry displays the following:
From this location: Select the location from which the results will be searched.
Enter the group name to select: Used in conjunction with Check Names or Show all. Allows searches for Microsoft groups.
Highlight already selected groups in search results: If a Microsoft Group has already been configured in the exception, it appears as a highlighted result.

Communications Tab
This tab deals primarily with the connection options for the BlackShield ID Server.

Authentication Server Settings
Primary Server (IP:Port): Used to configure the IP address / hostname of the primary BlackShield ID Server. Default is port 80. Alternatively, Use SSL can be selected; the default TCP port for SSL requests is 443.
Failover Server (Optional): Used to configure the IP address / hostname of the failover BlackShield ID Server. Default is port 80. Alternatively, Use SSL can be selected; the default TCP port for SSL requests is 443.
Prefer Use SSL on both entries so that the agent-to-server exchange is protected by TLS.
Attempt to return to primary Authentication Server every: Sets the primary Authentication Server retry interval. This setting only takes effect when the agent is using the Failover Server entry.
Communication Timeout: Sets the maximum timeout value for authentication requests sent to the BlackShield ID Server.
Agent Encryption Key File: Used to specify the location of the BlackShield ID Agent Key File. Restrict NTFS access to this file to administrators and the IIS worker process identity that runs the protected site.

Authentication Test
Allows Administrators to test authentication between the agent and the BlackShield ID Server.

Server Status Check
Performs a communication test to verify a connection to the BlackShield ID Server.

Logging Tab
Logging Level: Adjusts the logging level. For log levels 1, 2 and 3, only the initial connection attempts between the agent and server are logged. Log level 5 sets the agent in debug mode. Default value is 3.
Log File location: Specifies the location of the log files. The log file is rotated on a daily basis. The default location is \Program Files\CRYPTOCard\BlackShield id\iis7\bin\web_site_name\log\.
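When the Server Status Check in the Communications tab fails, the useful questions are whether the primary server's port answers within the Communication Timeout, whether the failover does, and, with Use SSL, whether the agent host trusts the server certificate. The following PowerShell is an added example and not part of this guide or the agent: it runs those checks from the web server in the same order the tab describes (primary first, failover only if the primary is unreachable). The host names, ports and timeout are constructed values, and the function names are the example's own; it assumes only .NET's TcpClient and SslStream, which are present on Windows Server 2008.

```powershell
# Added example; not code from the CRYPTOCard guide or the BlackShield ID agent.
# Checks reachability of the Primary and Failover Server entries within a timeout
# and, for Use SSL, completes a TLS handshake with .NET's default certificate
# validation. Host names, ports and the timeout below are constructed values.

function Test-BlackShieldServerPort {
    # TCP connect with an explicit timeout (TcpClient.Connect has no connect timeout of its own).
    param(
        [Parameter(Mandatory = $true)] [string] $Server,  # 'host:port' as entered in the tab
        [int] $TimeoutSeconds = 5                          # Communication Timeout
    )
    $hostName, $port = $Server -split ':', 2
    if (-not $port) { $port = 80 }                         # the tab's default when no port is given
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($hostName, [int] $port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutSeconds * 1000)) { return $false }  # timed out
        $client.EndConnect($pending)                       # throws if the port refused the connection
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-BlackShieldServerTls {
    # For Use SSL: returns the server certificate subject, or throws if .NET rejects the
    # certificate chain or host name under its default SslStream validation policy.
    param([Parameter(Mandatory = $true)] [string] $Server)
    $hostName, $port = $Server -split ':', 2
    if (-not $port) { $port = 443 }
    $client = New-Object System.Net.Sockets.TcpClient($hostName, [int] $port)
    try {
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $tls.AuthenticateAsClient($hostName)
        return $tls.RemoteCertificate.Subject
    } finally {
        $client.Close()
    }
}

function Select-AuthenticationServer {
    # Primary first; the failover is only tried if the primary does not answer in time.
    param([string] $Primary, [string] $Failover, [int] $TimeoutSeconds = 5, [switch] $UseSsl)
    foreach ($server in @($Primary, $Failover) | Where-Object { $_ }) {
        if (-not (Test-BlackShieldServerPort -Server $server -TimeoutSeconds $TimeoutSeconds)) { continue }
        if ($UseSsl) { Write-Output ('Certificate: ' + (Test-BlackShieldServerTls -Server $server)) }
        return $server
    }
    throw "Neither '$Primary' nor '$Failover' accepted a connection within $TimeoutSeconds seconds"
}

Select-AuthenticationServer -Primary 'bsid1.example.internal:443' -Failover 'bsid2.example.internal:443' -UseSsl
```

A TLS failure here (an untrusted issuer, or a certificate whose name does not match the host name typed into the tab) is worth fixing on the server or in the agent host's certificate store rather than by falling back to port 80.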

Localization Tab
The settings in this tab represent the prompts and information messages supplied by the agent. These can be modified as necessary to improve usability. The Messages.txt file can also be modified manually outside of the configuration tool. This file can be found in the \Program Files\CRYPTOCard\BlackShield ID\IIS7\LocalizedMessages folder.