DualShield for Microsoft TMG Implementation Guide (Version 5.2) Copyright 2011 Deepnet Security Limited




Copyright 2011, Deepnet Security. All Rights Reserved.

Trademarks
DualShield Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights
Under international copyright law, neither the Deepnet Security software nor the documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer
This document is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact
If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.
Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com

Table of Contents
1. Overview
2. Preparation
3. Configuration
4. Authentication
5. On-Demand Password
5.1 Create a user-defined protocol for DPS
5.2 Create an access rule for DPS
5.3 Create a listener for DPS
5.4 Publish the DPS web site
5.5 Install the DualShield TMG Agent
5.6 Change the OWA portal settings in TMG
5.7 Change the Provisioning Server settings in DualShield
5.8 Test Authentication

1. Overview
This implementation guide describes how to protect Microsoft TMG with two-factor authentication using the DualShield unified authentication platform. Microsoft TMG supports external authentication servers including Active Directory and RADIUS OTP. By leveraging those features in TMG, we can implement two-factor authentication in a TMG system in which the first factor is the user's static password and the second factor is a one-time password. The user's static password is authenticated by the customer's Active Directory server (domain controller) and the user's one-time password is authenticated by the DualShield authentication server via RADIUS.

DualShield provides a wide selection of portable one-time password tokens in a variety of form factors, ranging from hardware tokens, software tokens and mobile tokens to USB tokens. These include:
- Deepnet SafeID
- Deepnet MobileID
- Deepnet GridID
- Deepnet CryptoKey
- RSA SecurID
- VASCO DigiPass Go
- OATH-compliant OTP tokens

In addition to one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication method that delivers logon passwords via SMS texts, phone calls, Twitter direct messages or email messages.

The complete solution consists of the following components:
- DualShield Radius Server
- DualShield Authentication Server

2. Preparation
Prior to configuring TMG for two-factor authentication, you must have the DualShield Authentication Server and DualShield Radius Server installed and operating. For the installation, configuration and administration of the DualShield Authentication and Radius servers, please refer to the following documents:
- DualShield Authentication Platform - Installation Guide
- DualShield Authentication Platform - Quick Start Guide
- DualShield Authentication Platform - Administration Guide
- DualShield Radius Server - Installation Guide

You also need to have a RADIUS application created in the DualShield authentication server. The application will be used for the two-factor authentication in TMG. The document below provides detailed instructions for RADIUS authentication with the DualShield Radius Server:
- VPN & RADIUS - Implementation Guide

As an example in this document, we are going to add two-factor authentication to an OWA portal, assuming that the OWA portal is already set up and operating.

3. Configuration
1. Edit the properties of the OWA listener and select the Authentication tab:
   - Select HTML Form Authentication
   - Enable Collect additional delegation credentials in the form
   - Select RADIUS OTP
2. Click Configure Validation Servers
3. Select the RADIUS Servers tab
4. Click Add
5. Enter the server name or IP address of your DualShield Radius server:
   - Enter the shared secret and the Authentication port
   - Click OK to save
6. Select the LDAP Servers tab:
   - Click Add and add your LDAP server settings
   - Click Apply and OK to apply and save the changes

Finally, click the Apply button at the top to save and activate the changes.

The third stage is to configure the DualShield server to add TMG as a Radius client and to create a Radius application with a logon procedure.

Create a new logon procedure
1. Log in to the DualShield management console
2. In the main menu, select Authentication > Logon Procedure
3. Click the Create button on the toolbar
4. Enter a Name and select RADIUS as the Type
5. Click Save
6. Click the Context Menu icon of the newly created logon procedure and select Logon Steps
7. In the popup window, click the Create button on the toolbar
8. Select One-Time Password as the authenticator
9. Click Save

Create a new application
1. In the main menu, select Authentication > Applications
2. Click the Create button on the toolbar
3. Enter a Name
4. Select a Realm
5. Select the logon procedure that was just created
6. Click Save

Add TMG as a Radius client
1. In the main menu, select RADIUS > Clients
2. Click the Register button on the toolbar
3. Select the application that was created in the previous steps
4. Enter TMG's IP in the IP address field
5. Enter the Shared Secret and make sure it is identical to the shared secret defined in the Radius server settings in TMG
6. Click Save
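As an added example (not code from this guide or from Deepnet), the following Python models the RADIUS exchange behind the OTP factor configured above: TMG hides the passcode as a PAP User-Password under the shared secret (RFC 2865), and the Access-Accept or Access-Reject coming back from the DualShield Radius Server carries a Response Authenticator that TMG can only verify with that same secret. The user name, OTP, secret, NAS address and authenticator values are constructed for the demonstration; running it shows why a shared secret that differs between the TMG validation server settings and the DualShield RADIUS client entry fails closed.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    # Attribute = Type (1 byte), Length (1 byte, includes this header), Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a 16-byte multiple and XOR
    each block with MD5(secret + previous ciphertext block); the first block uses
    MD5(secret + Request Authenticator). With RADIUS OTP the one-time password is
    what travels in this attribute."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side reversal of hide_password (what the DualShield Radius Server must
    do before it can check the OTP). A different secret yields garbage, so the
    request is rejected. Trailing NUL padding is stripped (OTPs contain none)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, otp, secret, nas_ip, authenticator=None):
    """Client side (TMG): Access-Request = Code, Identifier, Length, 16-byte random
    Request Authenticator, then attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(otp.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth
    + Attributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def reply_is_authentic(reply, request_authenticator, secret):
    """Client side: recompute the Response Authenticator and compare in constant
    time. A reply signed with a different secret, or altered in transit (e.g. a
    Reject rewritten into an Accept), fails this check and must be discarded."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```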

We have now completed all necessary stages and steps in setting up two-factor authentication in TMG with DualShield. In our example, we have added two-factor authentication to an OWA portal with two authentication factors: the AD static password and the DualShield one-time password. Let us proceed to testing the authentication.

4. Authentication
Launch your web browser and connect to the OWA portal. Users will now be asked to provide both a Passcode and a Password. Password is the field where users enter their AD password (static password), and Passcode is the field where users provide their one-time password (OTP).

The DualShield passcode is defined by the logon procedure in your DualShield server. In our example, we defined One-Time Password in the logon procedure, which means that users will be able to use any one-time password token supported by DualShield to authenticate to the OWA portal. You can also add On-Demand Password to the list of authenticators in your logon procedure.

Your users will now be able to use Deepnet T-Pass as well to authenticate to OWA.

5. On-Demand Password
If you enable On-Demand Password in DualShield, then your users will be able to use Deepnet T-Pass as their authentication method. A typical question with on-demand passwords is: how can users request to have their password delivered in real time?

Using the configuration that we have set up in the steps above, users cannot request to have their password delivered in real time. Users will need to have a password pre-delivered before they can log on. The system administrator can push out on-demand passwords to users, or users can use the self-service console to obtain an on-demand password. Once a user has successfully logged in, the DualShield server will then automatically send out a new password to be used by the user at the next logon.

If the pre-delivery method described above is not a viable solution for you, then you need to install the DualShield TMG Agent, which enables users to request an on-demand password in real time at logon. The rest of this document describes how to configure TMG with the DualShield TMG Agent. The diagram below illustrates the architecture of the solution.

As an example, we make the following assumptions:
1. The network domain is DeepnetTest32.com
2. The DualShield platform, including its Authentication Server (DAS) and Provisioning Server (DPS), is installed and operating in HTTP mode
3. The FQDN of the DualShield platform is DualShield.DeepnetTest32.com
4. The internal port number of the DualShield Provisioning Server (DPS) is 8072
5. The public host name of the DPS to be published is Mail.DeepnetSecurity.com
6. The public port number of the DPS is also 8072
7. The FQDN of the Exchange Server is Exchange.DeepNetTest32.com
8. The public host name of the published OWA is Mail.DeepnetTest32.com

The entire configuration process involves the following stages:
1. Create a user-defined protocol for DPS
2. Create an access rule for DPS
3. Create a listener for DPS
4. Publish the DPS web site
5. Install the DualShield TMG Agent
6. Change the OWA portal settings in TMG

The DualShield Provisioning Server is a web service that delivers on-demand passwords. Therefore, it needs to be published as a web site on TMG. The process is similar to the way the OWA web portal is published, but requires some extra settings due to the non-standard HTTP port number being used for DPS (8072).

5.1 Create a user-defined protocol for DPS
As DPS works on a non-standard HTTP port, we have to define a new protocol. In the Toolbox, under Protocols, select New > Protocol from the menu:
1. Enter the name for the new protocol to be created
2. Add an inbound TCP protocol with a port range of 8072
3. Click Finish
4. Click Apply at the top to save the changes

5.2 Create an access rule for DPS
In the Tasks pane, click Create Access Rule:
1. Enter the name for the new rule
2. Select Allow
3. Click Add
4. Select HTTP 8072 from the User-Defined protocols and click Add
5. Click Next
6. Click Add
7. Select External and click Add
8. Click Next
9. Add Local Host in the Destinations
10. Click Finish
11. Click Apply at the top to save the changes

5.3 Create a listener for DPS
In the Toolbox, under Network Objects, select New > Web Listener from the menu:
1. Enter the name for the new listener

2. Select Do not require SSL
3. Select External
4. Select No Authentication
5. Click Finish
6. Click Apply at the top to save the changes

5.4 Publish the DPS web site
In the Tasks pane, click Publish Web Sites:
1. Enter the name for the web site
2. Select Allow

3. Select Use non-secured connections
4. Enter the host name of your DualShield Provisioning Server
5. Enter /dps/* in the path
6. Enter the public host name of DPS
7. Select the DPS Listener that was created in the previous stage
8. Click Finish
9. Click Apply at the top to save the changes
10. Double click the newly published DPS web site
11. Select the Bridging tab
12. Enable Redirect requests to HTTP port, enter 8072 and click Test Rule
13. Click OK to save
14. Click Apply at the top to save the changes

5.5 Install the DualShield TMG Agent
1. In Windows Explorer, navigate to:
   C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates
2. Clone the entire folder 'Exchange' to a new folder named ExchangeDualShield
3. Unzip the DualShield TMG Agent package (DualShieldTMG.1.1.zip) and extract its content into the newly created folder
4. Open jquery.dps.js with a text editor, such as Notepad. Replace the URL in the first line, which reads:
       var DPS_Host = 'http://mail.deepnettest32.com:8072';
   with the real URL of your DPS. Save the file.
5. Open usr_pwd_pcode.htm in a text editor. Locate the following line of text in the file:
       <link href="/cookieauth.dll?getpic?formdir=@@formdir&image=logon_style.css" type="text/css" rel="stylesheet">
   Insert the following line of text underneath the above line:
       <link href="/cookieauth.dll?getpic?formdir=@@formdir&image=dualshield.css" type="text/css" rel="stylesheet">
   Append the following lines of text to the end of the file:
       <script src="/cookieauth.dll?getpic?formdir=@@formdir&image=jquery-1.7.min.js" type="text/javascript"></script>
       <script src="/cookieauth.dll?getpic?formdir=@@formdir&image=jquery.json-2.3.min.js" type="text/javascript"></script>
       <script src="/cookieauth.dll?getpic?formdir=@@formdir&image=jquery.blockui.js" type="text/javascript"></script>
       <script src="/cookieauth.dll?getpic?formdir=@@formdir&image=jquery.dps.js" type="text/javascript"></script>
   Save the file.
6. Restart the 'Microsoft Forefront TMG Firewall' service

5.6 Change the OWA portal settings in TMG
Double click the OWA portal that is already published to bring up its properties. Click the Application Settings tab.

- Enable Use customized HTML
- Enter ExchangeDualShield, which is the folder name we created in the previous stage
- Click Test Rule
- Click OK
- Click Apply at the top to save the changes

5.7 Change the Provisioning Server settings in DualShield
In the DualShield Management Console, select Authentication > Agents in the main menu, click the context menu of the Provisioning Server and select Applications. In the list of applications, select the application for TMG (e.g. radius in our example). Click Save.
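The file edits in steps 4 and 5 of section 5.5 are easy to get wrong by hand (a duplicated stylesheet link, agent scripts appended in the wrong order, a mistyped DPS URL), so here is an added example, not part of this guide or of Deepnet's agent package, that applies them as idempotent text transformations. The sample template and jquery.dps.js contents are constructed stand-ins, and the DPS URL is validated before it is written, since the agent script contacts that origin with the credentials users enter in the form (section 5.8).

```python
import re
from urllib.parse import urlsplit

# Tags exactly as listed in step 5 of section 5.5
PIC = "/cookieauth.dll?getpic?formdir=@@formdir&image="
LOGON_CSS = f'<link href="{PIC}logon_style.css" type="text/css" rel="stylesheet">'
DUALSHIELD_CSS = f'<link href="{PIC}dualshield.css" type="text/css" rel="stylesheet">'
# Order matters: jQuery first, then its plugins, then the DPS agent script
AGENT_SCRIPTS = ("jquery-1.7.min.js", "jquery.json-2.3.min.js",
                 "jquery.blockui.js", "jquery.dps.js")

DPS_HOST_LINE = re.compile(r"^var DPS_Host\s*=\s*'[^']*';", re.MULTILINE)


def script_tag(name: str) -> str:
    return f'<script src="{PIC}{name}" type="text/javascript"></script>'


def patch_logon_form(html: str) -> str:
    """Apply the usr_pwd_pcode.htm edits from step 5. Safe to run twice: nothing is
    inserted that is already present, and the anchor line must exist so a template
    without logon_style.css (i.e. not the Exchange template) is refused."""
    if LOGON_CSS not in html:
        raise ValueError("logon_style.css link not found: is this the Exchange template?")
    if DUALSHIELD_CSS not in html:
        html = html.replace(LOGON_CSS, LOGON_CSS + "\n" + DUALSHIELD_CSS, 1)
    missing = [script_tag(s) for s in AGENT_SCRIPTS if script_tag(s) not in html]
    if missing:
        html = html.rstrip("\n") + "\n" + "\n".join(missing) + "\n"
    return html


def set_dps_host(js: str, dps_url: str) -> str:
    """Step 4: rewrite the DPS_Host line of jquery.dps.js. The URL is checked first
    because the browser-side agent sends the logon form's credentials to this origin
    when the user requests an on-demand password."""
    parts = urlsplit(dps_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"DPS_Host must be http(s)://host[:port], got {dps_url!r}")
    if not DPS_HOST_LINE.search(js):
        raise ValueError("no 'var DPS_Host = ...' line found in jquery.dps.js")
    return DPS_HOST_LINE.sub(lambda _m: f"var DPS_Host = '{dps_url}';", js, count=1)


# Constructed stand-ins for the real template and agent files (not Microsoft's or
# Deepnet's content), just enough to exercise the two functions above.
SAMPLE_FORM = ("<html><head>\n" + LOGON_CSS
               + "\n</head><body><form action=\"/CookieAuth.dll?Logon\">...</form></body></html>\n")
SAMPLE_JS = "var DPS_Host = 'http://mail.deepnettest32.com:8072';\n// agent code follows\n"

if __name__ == "__main__":
    print(patch_logon_form(SAMPLE_FORM))
    print(set_dps_host(SAMPLE_JS, "http://mail.deepnetsecurity.com:8072"))
```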

We have now completed all stages and steps in configuring TMG with the DualShield Agent.

5.8 Test Authentication
Now, when users attempt to log on to the OWA portal, they can request an on-demand password: users first enter their User Name and Password (AD password), and then click one of the delivery icons (e.g. the Email icon). If the credentials provided are correct, the DPS server generates an on-demand one-time password (Passcode) and delivers it to the user over the defined delivery channel (e.g. email).

--- END ---