CYAN SECURE WEB HOWTO. NTLM Authentication



CYAN SECURE WEB HOWTO
June 2008
Applies to: CYAN Secure Web 1.4 and above

NTLM lets Secure Web transparently reuse the user names and passwords of an Active Directory domain for authentication. With NTLM you can access the Internet via the CYAN Secure Web proxy server without entering your user name and password in Internet Explorer. This document provides an overview and step-by-step instructions on how to install and configure NTLM authentication with CYAN Secure Web.

Contents
1 Overview ... 1
2 Using direct access to Active Directory ... 3
2.1 Basic configuration ... 4
2.2 Configure authentication service ... 6
2.3 Install and configure sauth service on Windows ... 7
2.4 Setup authentication ... 9
2.5 Configure an authentication instance ... 10
3 Using Samba for authentication ... 11
3.1 Install and configure Samba ... 11
3.2 Install and configure Secure Authentication ... 13
3.3 Configure Active Directory ... 14
3.4 Configure an authentication instance ... 15
4 Assign profiles ... 16

1 Overview

There are two ways of using the Active Directory as the user base for authenticating requests in CYAN Secure Web:
- The Secure Authentication daemon (sauth) is running on a Windows machine. This way all user queries are satisfied by directly accessing the ADS.
- The Secure Authentication daemon (sauth) is running on a Linux machine and uses Samba to authenticate users.

Both methods allow retrieval of users and groups from the Active Directory and support both authentication methods, basic and NTLM. Only one of these methods can be implemented, since the location of the sauth daemon needs to be different.

This HowTo guide is split into two parts, each covering one way of using Windows authentication. Choose your preferred method and follow the directions there. If you follow this HowTo, you will have a configured instance and be able to authenticate users via the Windows domain. If you need more information, please feel free to contact Cyan Networks Support at support@cyan-networks.com.

2008 CYAN Networks Software GmbH - 1 -

2 Using direct access to Active Directory

The Windows machine running the Secure Authentication daemon needs to be a member of the Windows domain you want to authenticate through. It is also possible to authenticate via a trusted domain. The following diagram shows the communication channels that will be established:

Sauth will run as a local system account. You can check the status of sauth via the sauth_mgr (part of the setup package) or via the Services screen in your Control Panel.

Please note that to access all Active Directory data, the machine has to have sufficient rights in the Active Directory. This means that the service needs to be installed directly on the domain controller, or the machine has to be part of an administrative group, for NTLM authentication to work.

The configuration consists of several parts. You need to:
- configure the sauth service on Windows
- lift the access restriction to the configuration server on the Linux machine
- set authentication to use the remote sauth daemon
- configure an authentication instance with the Windows domain

All of these settings are covered in this guide.

Note: Please make sure that your Windows firewall settings are correct.

2.1 Basic configuration

In this step you allow the secure authentication daemon to access configuration data on Secure Web. To do this, you need to set up a component login for sauth.

Open your Web browser and type in the address of your CYAN Secure Web installation:

    https://<your IP address>:9992/sweb

You can either use the IP address or the host name of the machine. After a successful connection, you should see this window:

The default username is admin and the default password is also admin. Don't forget to activate the expert mode, otherwise you won't see some of the settings.

Now change to Admin / Admin User / Components:

Then click the Add button:

Fill in a name and password. Please remember these settings, since you need to supply them to sauth after the Windows installation.

Allowed IP is the IP address of the machine sauth will be running on. You may enter 0.0.0.0/0 as the IP address to allow access from all machines. For security reasons it is strongly recommended to enter the IP of the Windows host running sauth. In that case you may enter only the IP address, without a netmask.

Note: If you allow access from all machines, the connection is protected by the password entered here, but you should make sure that no outside source is able to access the configuration data.
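The Allowed IP field above accepts either a single address or a network in CIDR form, and 0.0.0.0/0 opens the component login to every source. The following is an added example, not part of the CYAN document, that shows how an administrator could evaluate that setting the way the product does (a bare address counts as a single host) and flag an over-broad value during a configuration review. The sample addresses are constructed.

```python
import ipaddress

# Constructed sample values for the "Allowed IP" field (hypothetical addresses).
ANY_HOST = "0.0.0.0/0"           # the permissive value the HowTo warns about
SAUTH_HOST = "192.0.2.10"        # single sauth host, entered without a netmask
SAUTH_SUBNET = "192.0.2.0/24"    # a whole subnet, for comparison


def parse_allowed_ip(value: str) -> ipaddress.IPv4Network:
    """Turn the Allowed IP field into a network.

    A bare address without a netmask is treated as a /32, matching the
    HowTo's instruction to enter only the sauth host's IP address.
    """
    return ipaddress.ip_network(value.strip(), strict=False)


def is_source_allowed(allowed_ip: str, client_ip: str) -> bool:
    """True if a connecting client falls inside the configured Allowed IP."""
    return ipaddress.ip_address(client_ip) in parse_allowed_ip(allowed_ip)


def audit_allowed_ip(allowed_ip: str) -> list[str]:
    """Findings a reviewer would raise about the Allowed IP setting."""
    net = parse_allowed_ip(allowed_ip)
    findings = []
    if net.prefixlen == 0:
        # 0.0.0.0/0: only the component password protects the configuration data
        findings.append("Allowed IP permits every source address; "
                        "only the component password protects the configuration data")
    elif net.num_addresses > 1:
        findings.append(f"Allowed IP covers {net.num_addresses} addresses; "
                        "the HowTo recommends the single sauth host")
    return findings


if __name__ == "__main__":
    for value in (ANY_HOST, SAUTH_HOST, SAUTH_SUBNET):
        print(value, "->", audit_allowed_ip(value) or ["ok"])
```

The audit is deliberately conservative: any range wider than one host is reported, so that the reviewer decides whether a subnet is acceptable rather than the script.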

2.2 Configure authentication service

In this step you set up the service parameters for the sauth daemon. Change to Server / Auth Server / Setup:

Bind IP: This value is used by the sauth daemon to specify on which IP address it should listen for incoming requests. By default, this should be 0.0.0.0 to enable listening on all available IPs.

Bind Port: Default is 9995.

The IP and port values entered here need to be accessible from your Secure Web machine. If you change the port value here, don't forget to update the corresponding value on the Authentication / Setup / Auth Server dialog.

2.3 Install and configure sauth service on Windows

In this step you will make all configuration necessary on the Windows machine. Download the sauth daemon installation package from our homepage to your Windows machine:

    http://www.cyan-networks.com/en/secure-auth-for-windows-2.html

Run the CYAN Secure Authentication Daemon for Windows.msi and follow the installation on the screen. After the installation, run Cyan Secure Authentication Manager from your start menu and you will see this window:

IP address: Enter the IP address of your Secure Web server.
Port: Should stay at 9991 unless you need to map the port differently.
User name: Enter the same user name as in step 2 (Admin / Admin User / Components).
Password: Enter the same password as in step 2.

Now save your settings. You can check the connection to the Secure Web configuration server using the Test button.

Change to the Service tab:

In the Service tab you will find the current status of the sauth service. Click on Start to initialize the service. To update the status click on Refresh. The text "Service is running" should appear.

In order to use NTLM authentication the sauth service needs to have enough rights to access the Active Directory. To grant these rights to the sauth service, you can either
- install the service on a domain controller, or
- run the service as local system service (default) and add the machine to the Administrators group.

2.3.1 Install the service on a domain controller

If the machine you installed on is a domain controller, you don't need to modify anything.

2.3.2 Run the service as local system service and add the machine to the Administrators group

Open your Active Directory Users and Computers configuration panel. Double-click the Administrators group and on the Members panel push the Add... button. Add the machine running the sauth service. You need to restart the machine for the change to take effect.

Note: You must include Computers in the Object types selection to let the Active Directory accept a computer object.

2.4 Setup authentication

In this step you configure sweb access to the sauth daemon. Change to Authentication / Setup / Auth Server.

Host: Change this setting to the IP address of the Windows machine where you installed the sauth daemon. If you changed the port setting on the Server / Auth Server / Setup dialog, you need to change it here as well.

Change to the submenu Methods and check that NTLM is enabled.

2.5 Configure an authentication instance

In this step you configure a Windows authentication instance. This instance will communicate with the sauth daemon to retrieve user data and verify authentication information. From the menu select Authentication / Instances and click on the Add button on the right side to add a new instance.

Name: The instance will later on be referenced in Profile Assignment by the name entered here.

Make sure that Enable and Via Auth Server are checked. The option Via Auth Server instructs sweb to send all authentication requests to the sauth daemon on your Windows machine.

Instance character encoding: Choose the appropriate code page for your Windows system (e.g. Latin1 for Windows running Western European code pages).

Type: Choose Active Directory. This enables Windows authentication.

Domain: Enter the pre-Windows 2000 domain name (NetBIOS domain name).

Note: After you have clicked on the Save button, you need to update the configuration so the instance data (user names, etc.) can be fetched from the domain controller. To do so, click on the Update button in the top row.

Your instance configuration is now ready; please continue with chapter 4.

3 Using Samba for authentication

In this configuration, the Secure Authentication daemon (sauth) is running on the same machine as Secure Web. All requests are passed to sauth, which in turn queries the Active Directory via a Samba interface. The Samba modules needed are ntlm_auth and winbind. If you have a working Samba installation, you only need to perform section 3.1.3.

3.1 Install and configure Samba

In this guide we will cover installing Samba on a Debian or Ubuntu distribution. Only the most basic settings are provided here to be able to use sauth authentication services. For more details on Samba or other distributions please refer to the Samba and/or distribution documentation on how to set up Samba.

You need to be logged in as root on the CYAN Secure Web machine. Install the Samba package with:

    # apt-get install winbind

You will get all the necessary Samba modules as dependencies. The default settings are mostly correct. You need to change three things.

3.1.1 Alter the /etc/samba/smb.conf file

Use an editor to add or change the following three settings in the config file:

    workgroup = <your pre-Windows 2000 domain name (NetBIOS name)>
    realm = <your ADS domain name>
    security = ads

Note: The 'security' setting is already in place, but commented out with a ';'. Be sure to delete the semicolon when changing the setting.

3.1.2 Join the ADS domain

To be able to use any ADS services, your machine needs to be a member of the domain. To do so, just invoke this command:

    # net ads join -U Administrator
    Password:
    Joined domain <your NETBIOS domain name>

You will be asked for the password of the Windows domain's Administrator user.

Note: If you don't want to use the Administrator user, change the '-U' switch to your preferred user name. Be aware that the user needs to have sufficient rights to allow a computer to join the domain.

3.1.3 Set permissions for winbindd usage

winbindd is used to channel all user requests to the ADS domain controller. The user running sauth (sweb by default) needs to be allowed to use winbindd. To do this, simply add the sweb user to the winbindd_priv group (this group was added by the installation of winbindd):

    # adduser sweb winbindd_priv

Restart the winbindd daemon to reload its settings:

    # /etc/init.d/winbind restart

Samba is ready to use now.
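The most common mistake in section 3.1.1 is leaving the `security` line commented out with a ';', in which case Samba silently keeps its default and the domain join in 3.1.2 fails. The following is an added example, not part of the CYAN document or of Samba, that checks an smb.conf [global] section for the three settings this HowTo requires and distinguishes a missing setting from one that is merely commented out. The two smb.conf fragments and the domain names in them are constructed.

```python
import re

# Constructed smb.conf fragment in the state the Debian package typically
# leaves it: realm missing, security present but commented out with ';'.
SMB_CONF_BEFORE = """\
[global]
   workgroup = WORKGROUP
;  security = user
   dns proxy = no
"""

# Constructed fragment after applying section 3.1.1 (hypothetical domain names).
SMB_CONF_AFTER = """\
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
"""

# Settings the HowTo requires; None means any value is accepted as long as it is set.
REQUIRED = {"workgroup": None, "realm": None, "security": "ads"}


def parse_global(smb_conf: str) -> tuple[dict, set]:
    """Return active [global] settings and the keys found only in comments.

    Samba treats both ';' and '#' as comment markers, so ';security = user'
    is inactive even though the key is visible in the file.
    """
    active, commented = {}, set()
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        is_comment = line[0] in ";#"
        body = line[1:].strip() if is_comment else line
        m = re.match(r"([^=]+?)\s*=\s*(.*)", body)
        if not m or section != "global":
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if is_comment:
            commented.add(key)
        else:
            active[key] = value
    return active, commented


def check_smb_conf(smb_conf: str) -> list[str]:
    """List everything that still deviates from section 3.1.1; empty means OK."""
    active, commented = parse_global(smb_conf)
    problems = []
    for key, wanted in REQUIRED.items():
        if key not in active:
            hint = " (present but commented out)" if key in commented else ""
            problems.append(f"{key} is not set{hint}")
        elif wanted is not None and active[key].lower() != wanted:
            problems.append(f"{key} is '{active[key]}', expected '{wanted}'")
    # Heuristic: the realm is the ADS DNS domain name, so it should contain a dot,
    # unlike the NetBIOS workgroup name.
    if "realm" in active and "." not in active["realm"]:
        problems.append("realm should be the ADS DNS domain name, not the NetBIOS name")
    return problems


if __name__ == "__main__":
    for label, conf in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        print(label, "->", check_smb_conf(conf) or ["ok"])
```

Run it against the real /etc/samba/smb.conf by reading the file into `check_smb_conf`; the realm check is a heuristic only and does not verify that the name resolves to your domain controllers.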

3.2 Install and configure Secure Authentication

Now that Samba is set up, you need to install and start the sauth daemon:

    # apt-get install cyan-sweb-1.4-sauth
    # /etc/init.d/sweb start

Use your browser to access the CYAN Secure Web user interface:

    https://<your IP address>:9992/sweb

Change to Authentication / Setup / Auth Server.

Host: This needs to be set to localhost.
Port: 9995

Change to the submenu Methods and check that NTLM is enabled.

3.3 Configure Active Directory

Active Directory has by default a limit of 1000 LDAP search entries returned. If you have a user and group directory with more than 1000 entries, not all of them would be transmitted to CYAN Secure Web with this method. If your Active Directory consists of fewer users, you can skip this section.

To change this value, log into your domain controller as Administrator, start a console window (click on Start -> Run... and type cmd) and start ntdsutil:

    C:\> ntdsutil
    ntdsutil: ldap policies
    ldap policy: connections
    server connections: connect to server SERVERNAME
    Connected to SERVERNAME using credentials of locally logged on user
    server connections: q
    ldap policy: show values
    Policy                          Current(New)
    MaxPoolThreads                  4
    MaxDatagramRecv                 1024
    MaxReceiveBuffer                10485760
    InitRecvTimeout                 120
    MaxConnections                  5000
    MaxConnIdleTime                 900
    MaxActiveQueries                20
    MaxPageSize                     1000          <-- this value is too small
    MaxQueryDuration                120
    MaxTempTableSize                10000
    MaxResultSetSize                262144
    MaxNotificationPerConn          5
    ldap policy: set maxpagesize to <number>
    ldap policy: commit changes
    ldap policy: q
    ntdsutil: q
    Disconnecting from SERVERNAME...

Set the value <number> to anything higher than your number of users and groups together. Your Active Directory will now return all your users and groups when queried by LDAP.
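Deciding whether this section applies means comparing the MaxPageSize the domain controller currently enforces with the size of the directory. The following is an added example, not part of the CYAN document, that parses the `show values` listing printed by ntdsutil (reproduced above with its default values; the listing embedded here is a constructed copy) and applies the HowTo's criterion that MaxPageSize must be higher than users and groups together.

```python
import re

# Constructed copy of the ntdsutil "show values" listing shown in the HowTo,
# using the same policy names and default values.
NTDSUTIL_SHOW_VALUES = """\
Policy                          Current(New)
MaxPoolThreads                  4
MaxDatagramRecv                 1024
MaxReceiveBuffer                10485760
InitRecvTimeout                 120
MaxConnections                  5000
MaxConnIdleTime                 900
MaxActiveQueries                20
MaxPageSize                     1000
MaxQueryDuration                120
MaxTempTableSize                10000
MaxResultSetSize                262144
MaxNotificationPerConn          5
"""


def parse_ldap_policy(output: str) -> dict[str, int]:
    """Turn ntdsutil's 'show values' listing into a {policy: current value} dict.

    The column header reads 'Current(New)': a value changed with 'set ... to'
    but not yet committed is shown in parentheses after the current one.
    We keep the first number, which is what the server enforces right now.
    """
    policy = {}
    for line in output.splitlines():
        m = re.match(r"\s*(Max\w+|InitRecvTimeout)\s+(\d+)", line)
        if m:
            policy[m.group(1)] = int(m.group(2))
    return policy


def page_size_sufficient(output: str, users: int, groups: int) -> bool:
    """The HowTo's criterion: MaxPageSize must exceed users + groups, otherwise
    a single unpaged LDAP search returns only the first MaxPageSize entries."""
    return parse_ldap_policy(output)["MaxPageSize"] > users + groups


def required_page_size(users: int, groups: int) -> int:
    """Smallest MaxPageSize that satisfies the criterion above."""
    return users + groups + 1


if __name__ == "__main__":
    # Constructed directory size for illustration.
    users, groups = 800, 300
    current = parse_ldap_policy(NTDSUTIL_SHOW_VALUES)["MaxPageSize"]
    if page_size_sufficient(NTDSUTIL_SHOW_VALUES, users, groups):
        print(f"MaxPageSize {current} is sufficient for {users + groups} entries")
    else:
        print(f"MaxPageSize {current} is too small; set it to at least "
              f"{required_page_size(users, groups)}")
```

Note that MaxPageSize is a server-wide LDAP policy: raising it affects every LDAP client of that domain controller, not only Secure Web, so the value should be set to what the directory actually needs rather than an arbitrarily large number.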

3.4 Configure an authentication instance

In this step you configure a Windows authentication instance. This instance will communicate with the sauth daemon to retrieve user data and verify authentication information. From the menu select Authentication / Instances and click on the Add button on the right side to add a new instance.

Name: The instance will later on be referenced in Profile Assignment by the name entered here.

Make sure that Enable and Via Auth Server are checked. The option Via Auth Server instructs sweb to send all authentication requests to the sauth daemon.

Instance character encoding: Choose the appropriate code page for your Windows system (e.g. Latin1 for Windows running Western European code pages).

Type: Choose ADS via Samba.

Host: Host name or IP address of your domain controller.

Port: Port of the LDAP access to your domain controller (389 by default).

User/Password: Credentials of the Administrator user to access ADS by LDAP.

Domain: Enter the fully qualified domain name of your Active Directory domain.

Advanced settings: If you enable this setting, you will be presented with all LDAP settings. Use this in case you need to modify LDAP access to ADS.

Note: After you have clicked on the Save button, you need to update the configuration so the instance data (user names, etc.) can be fetched from the domain controller. To do so, click on the Update button in the top row.

The instance configuration is finished; now you are ready to assign profiles to your users.

4 Assign profiles

Irrespective of the type of instance, you can now assign profiles to the users or groups from the configured domain. Change to Authentication / Profile Assignment:

Choose your profile assignment criteria and click on Search. Now you should see all your users and groups from your Windows domain matching the criteria. Simply choose a profile for each entry you need and click on Save afterwards.

Note: Do not forget to click the Update button to notify sweb and sauth to reload the configuration.