INTEGRATION GUIDE. DIGIPASS Authentication for Microsoft UAG


Disclaimer

Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright
Copyright 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

Table of Contents

1 Overview ... 5
2 Technical Concepts ... 6
  2.1 Microsoft ... 6
    2.1.1 Forefront Unified Access Gateway 2010 ... 6
    2.1.2 Exchange 2010 ... 6
  2.2 VASCO ... 6
    2.2.1 IDENTIKEY Authentication Server ... 6
3 Microsoft setup ... 7
  3.1 Architecture ... 7
  3.2 Prerequisites ... 7
  3.3 Microsoft ... 7
    3.3.1 Microsoft Forefront Unified Access Gateway Management ... 7
  3.4 Test the setup ... 17
4 Solution ... 18
  4.1 Architecture ... 18
  4.2 Microsoft ... 18
    4.2.1 Microsoft Forefront Unified Access Gateway Management ... 18
  4.3 IDENTIKEY Authentication Server ... 20
    4.3.1 Policies ... 21
    4.3.2 Client ... 22
    4.3.3 User ... 22
    4.3.4 DIGIPASS ... 23
  4.4 Test the Solution ... 25
5 Challenge/Response ... 26
  5.1 Architecture ... 26
  5.2 IDENTIKEY Authentication Server ... 27
    5.2.1 Policy ... 27
    5.2.2 User ... 27
  5.3 Test the Solution ... 29
6 FAQ ... 31
7 Appendix ... 31

Reference guide

ID | Title | Author | Publisher | Date | ISBN
(no entries)

1 Overview

This whitepaper describes how to configure a Microsoft Forefront Unified Access Gateway in combination with the VASCO IDENTIKEY Authentication Server. That way an extra security layer (a one-time password in addition to the Active Directory password) can be added to the gateway solution.

2 Technical Concepts

2.1 Microsoft

2.1.1 Forefront Unified Access Gateway 2010
Forefront Unified Access Gateway 2010 (UAG) delivers comprehensive, secure remote access to corporate resources for employees, partners, and vendors on both managed and unmanaged PCs and mobile devices. Utilizing a combination of connectivity options, ranging from SSL VPN to DirectAccess, as well as built-in configurations and policies, Forefront UAG provides centralized and easy management of your organization's complete anywhere-access offering.

2.1.2 Exchange 2010
Exchange 2010 server is the Simple Mail Transfer Protocol (SMTP) mail server created by Microsoft.

2.2 VASCO

2.2.1 IDENTIKEY Authentication Server
IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments. IDENTIKEY Authentication Server is supported on 32-bit systems as well as on 64-bit systems.

IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to corporate networks and web-based applications. The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance is similar.

3 Microsoft setup

Before adding two-factor authentication it is important to validate a standard configuration without One Time Password (OTP).

3.1 Architecture

3.2 Prerequisites
- Basic installation and configuration of Microsoft UAG
- Accessible Outlook Web Access (OWA)
- The authentication method for the OWA has to be Integrated Windows authentication

3.3 Microsoft

3.3.1 Microsoft Forefront Unified Access Gateway Management
Click HTTPS Connections. Select Click here to create an HTTPS trunk.

Select Portal trunk.

- Trunk name: uag
- Public host name: uag
- IP address: 10.4.0.223
- HTTP port: 80
- HTTPS port: 443

You need to select an authentication server. Click Add. At this moment there is no authentication server configured yet, so click Add again.

- Server Type: Active Directory
- Server name: AD
- Select Use local Active Directory forest authentication
- Base DN: CN=Users,DC=labs,DC=Vasco,DC=com
- Level of nested groups: 0
- User: LABS\administrator
- Password: password of LABS\administrator

Click OK. Select AD and click Select. Select User select from a server list and check Show server names.

Select Server Certificate. Select Use Forefront UAG access policies. Click Finish.

Under the Applications window perform the next actions. Click Add.

- Select Web
- Select Microsoft Exchange Server (all versions)
- Select Microsoft Exchange Server 2010
- Check Outlook Web Access
- Application name: owa

Select Configure an application server.

- Select IP/Host Address: mail.labs.vasco.com
- Public host name: uag

You need to select an authentication server. Click Add, select AD, click Select, click Close.

- Check Use SSO
- Check Add portal and toolbar link
- Portal name: owa
- Application URL: https://uag.labs.vasco.com/owa/
- Icon URL: images/application/owa2010.gif
- Uncheck Open in new window
- Check Authorize all users

Click Finish.
Click
Click
Click Activate
Click Finish

3.4 Test the setup

The test we are performing is a log on to the created UAG website, using the Active Directory username and password. When logged on to the site, OWA will be accessed.

- Browse to the URL: https://uag.labs.vasco.com
- User name: Demo
- AD Password: Test12345
- Click Log On
- Click Owa

4 Solution

4.1 Architecture

4.2 Microsoft

4.2.1 Microsoft Forefront Unified Access Gateway Management
Select the UAG site and click Configure.

Select Authentication. A second authentication server, for the two-factor authentication, must be selected. Click Add. To use the IDENTIKEY server, a RADIUS server has to be added. Click Add.

- Server Type: Radius
- Server Name: Identikey
- IP address/host: 10.4.0.13
- Port: 1812
- Secret Key: Test12345 (the Secret Key is the RADIUS Shared Secret; it must match the one configured on the IDENTIKEY RADIUS client)

Click OK. Select Identikey and click Select. Click Close.

Select Users authenticate to each server. Check Authenticate to each server with the same user name. Click OK.
Click
Click
Click Activate
Click Finish

4.3 IDENTIKEY Authentication Server

There are lots of possibilities when using IDENTIKEY Authentication Server. We can authenticate with:
- Local users (defined in IDENTIKEY Authentication Server)
- Active Directory (Windows)

In this whitepaper we will use Local users to authenticate.

4.3.1 Policies

In the Policy the behavior of the authentication is defined. It gives all the answers on: I have got a user and a password, what now?

Create a new Policy:
- Policy ID: Test
- Inherits From: Base Policy

Inherits means: the new policy will have the same behavior as the policy from which it inherits, except when otherwise specified in the new policy. Example:

Setting | Base Policy | New Policy | Behaviour
1       | a           |            | New policy will do a
2       | b           |            | New policy will do b
3       | c           | f          | New policy will do f
4       | d           |            | New policy will do d
5       | e           | g          | New policy will do g

The new policy is created; now we are going to edit it. Click Edit.

- Local Authentication: Digipass/Password

Click Save.

4.3.2 Client

In the clients we specify the location from which IDENTIKEY Authentication Server will accept requests and which protocol they use. We are going to add a new RADIUS client.

- Client Type: select Radius Client from the list
- Location: 10.4.0.223
- Policy ID: select the Policy that was created in Policies
- Protocol ID: RADIUS
- Shared Secret: Test12345
- Confirm Shared Secret: re-enter the shared secret

Click Save.

4.3.3 User

We are going to create a user.
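The two configuration halves above (section 4.2.1, where UAG gets the IDENTIKEY server with a Secret Key, and section 4.3.2, where IDENTIKEY gets UAG as a RADIUS client with the same Shared Secret) only work because both sides derive the same RADIUS values from that secret. The following added example, which is not VASCO's or Microsoft's code, shows what the shared secret actually does on the wire according to RFC 2865: it keys the User-Password hiding in the Access-Request and the Response Authenticator on the reply. It uses the guide's lab values (client 10.4.0.223, secret Test12345, user Demo); the `identikey_stub` server decision, the in-memory user table and the `round_trip` driver are constructed stand-ins, not IDENTIKEY behaviour.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18

SHARED_SECRET = b"Test12345"   # the guide's lab value; use a long random secret in production
UAG_IP = "10.4.0.223"          # UAG acts as the RADIUS client (NAS)


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret + previous chunk),
    seeded with the Request Authenticator. Obfuscation keyed by the secret, not
    authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of hide_password: same mask chain applied to the hidden bytes."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """[(type, value bytes)] -> TLV wire form; the length byte includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, req_auth=None):
    req_auth = req_auth or os.urandom(16)   # must be unpredictable and fresh per request
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code, request, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret) -> bool:
    """Client-side check that the reply was produced by a holder of the secret for
    this exact request; a reply forged without the secret fails here."""
    if len(response) < 20:
        return False
    _, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def identikey_stub(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Constructed stand-in for the server: reveal the password and compare it to the
    stored static password (the real server validates a DIGIPASS OTP here)."""
    attrs = dict(decode_attrs(request[20:]))
    user = attrs[USER_NAME].decode()
    pwd = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
    if user in user_db and hmac.compare_digest(user_db[user], pwd):
        return build_response(ACCESS_ACCEPT, request, secret, [(REPLY_MESSAGE, b"OK")])
    return build_response(ACCESS_REJECT, request, secret, [(REPLY_MESSAGE, b"Rejected")])


def round_trip(username, password, secret=SHARED_SECRET):
    """One UAG -> IDENTIKEY -> UAG exchange in memory. Returns the reply code, or
    None when the reply does not authenticate under the client's secret."""
    user_db = {"Demo": b"Test12345"}        # constructed lab user table
    req = build_access_request(7, secret, username, password, UAG_IP)
    resp = identikey_stub(req, secret, user_db)
    return resp[0] if verify_response(resp, req, secret) else None
```

Two points follow from the code. First, a mismatched secret on either side does not produce an error message, it produces a Reject (the revealed password is garbage) or an unverifiable reply, which is why the guide insists the Secret Key in UAG equals the Shared Secret in IDENTIKEY. Second, the Access-Request itself carries no integrity check in this base form; the IDENTIKEY client entry's Location (10.4.0.223) restricts which source address may send requests, and adding a Message-Authenticator attribute (RFC 2869) or carrying RADIUS over TLS closes the remaining gap.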

- User ID: Demo

4.3.4 DIGIPASS

The purpose of using IDENTIKEY Authentication Server is to be able to log in using One Time Passwords (OTP). To make it possible to use OTP we need to assign a DIGIPASS to the user. The DIGIPASS is a device that generates the OTPs.

- Open the user by clicking on its name
- Select Assigned Digipass
- Click ASSIGN
- Click Next
- Grace period: 0 Days

The grace period is the period during which a user can still log in with his static password. The first time the user uses his DIGIPASS the grace period expires.

Click ASSIGN.

Click Finish.

4.4 Test the Solution

A logon will be performed using the Active Directory credentials in combination with an OTP provided by a VASCO DIGIPASS. When logged on to the site, OWA will be accessed.

- Browse to the URL: https://uag.labs.vasco.com
- User name: Demo
- AD Password: Test12345
- Identikey Password: One Time Password (OTP) generated by the DIGIPASS
- Click Log On
- Click Owa

5 Challenge/Response

The easiest way to test challenge/response is to use (Back-Up) Virtual DIGIPASS. Virtual DIGIPASS is a solution where an OTP is sent to your e-mail account or mobile phone after it was triggered in a user authentication. The trigger mechanism is configured in the policy (see 5.2.1).

- Virtual DIGIPASS is a DIGIPASS that needs to be ordered like a hardware DIGIPASS.
- Back-Up Virtual DIGIPASS is a feature that must be enabled while ordering other DIGIPASS (Hardware, DIGIPASS for Mobile, DIGIPASS for Web or DIGIPASS for Windows). Availability of Back-Up Virtual DIGIPASS can be checked in the IDENTIKEY web administration: select a DIGIPASS, click on the first application and scroll down.

For test purposes a demo DPX file (named Demo_VDP.DPX) with Virtual DIGIPASS is delivered with every IDENTIKEY Authentication Server.

5.1 Architecture

This solution makes use of an SMS gateway (for SMS or text messages) or an SMTP server (for mail). The first step is to configure one of the servers. This is done in the Message Delivery Component (MDC) configuration. For more information see the IDENTIKEY Authentication Server manuals.

Popular SMS gateways:
- http://www.clickatell.com
- http://www.cm.nl
- http://www.callfactory.com

5.2 IDENTIKEY Authentication Server

5.2.1 Policy

Whether Virtual DIGIPASS can be used, and how it is triggered, is configured in the policy. Select the policy created in Policies; this should be Test.

- Select Test
- Go to Virtual Digipass
- Click Edit
- Delivery Method: SMS
- BVDP Mode: Yes
- Permitted Request Method: KeywordOnly
- Request Keyword: IwantOTP
- Click Save

The request method is the trigger to send the message. The trigger can be:
- Static password: as stored inside IDENTIKEY Authentication Server (different for each individual user)
- Keyword: a text string (the same for all users)

5.2.2 User

IDENTIKEY Authentication Server needs to know where to send the mail or SMS. Therefore the contact details should be added to the user.

- Select a user: Demo
- Click User Info
- Click Edit
- Mobile: +32 (for the SMS)
- Email Address: mail@server.com (for mail)
- Click Save

5.3 Test the Solution

This test consists of triggering a text message or a mail by logging in with the Active Directory credentials in combination with the keyword (IwantOTP). In a second step the OTP received by text message or mail is entered into the system.

- Browse to the URL: https://uag.labs.vasco.com
- User name: Demo
- AD Password: Test12345
- Identikey Password: IwantOTP
- Click Log On
- Enter one Time Password: the One Time Password (OTP) received by mail or by text message on your mobile
- Click Log On
- Click Owa
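The two-step logon in 5.3 is, at the RADIUS level, an Access-Request answered with an Access-Challenge (which is what makes UAG show the extra "Enter one Time Password" prompt), followed by a second Access-Request carrying the OTP and the server's State. The following added example, not VASCO's code, simulates the server side of that flow with the policy values from 5.2.1 (KeywordOnly, keyword IwantOTP, delivery by SMS): the keyword triggers a one-time code sent through a stand-in SMS gateway, and the second leg is accepted only once, only with the matching State, and only within a lifetime. The OTP generation, the State handling, the 300-second lifetime and the `PasswordOnly` method name are assumptions of this example, not IDENTIKEY's internals.

```python
import secrets
import time

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11

POLICY = {                          # section 5.2.1 values for policy "Test"
    "delivery_method": "SMS",
    "bvdp_mode": True,
    "permitted_request_method": "KeywordOnly",
    "request_keyword": "IwantOTP",
    "otp_lifetime_s": 300,          # assumption, not a value from the guide
}


class SmsGateway:
    """Stand-in for an SMS gateway such as those listed in 5.1; records messages."""
    def __init__(self):
        self.sent = []              # list of (mobile, text)

    def send(self, mobile, text):
        self.sent.append((mobile, text))


class VirtualDigipassServer:
    def __init__(self, policy, gateway, users, clock=time.time):
        self.policy, self.gateway, self.users, self.clock = policy, gateway, users, clock
        self.pending = {}           # State token -> (username, otp, expires_at)

    def _trigger_matches(self, user, password):
        method = self.policy["permitted_request_method"]
        if method == "KeywordOnly":                 # from the guide
            return password == self.policy["request_keyword"]
        if method == "PasswordOnly":                # hypothetical name for the static-password trigger
            return secrets.compare_digest(password, user["static_password"])
        return False

    def authenticate(self, username, password, state=None):
        """Returns (RADIUS code, reply attributes). First leg: trigger -> Challenge.
        Second leg (State present): OTP -> Accept; anything else -> Reject."""
        user = self.users.get(username)
        if user is None:
            return ACCESS_REJECT, {"Reply-Message": "Unknown user"}
        if state is not None:
            return self._second_leg(username, password, state)
        if self.policy["bvdp_mode"] and self._trigger_matches(user, password):
            return self._first_leg(username, user)
        return ACCESS_REJECT, {"Reply-Message": "Rejected"}

    def _first_leg(self, username, user):
        otp = f"{secrets.randbelow(10 ** 6):06d}"  # constructed OTP, not VASCO's algorithm
        state = secrets.token_hex(8)                 # opaque, unguessable State
        self.pending[state] = (username, otp, self.clock() + self.policy["otp_lifetime_s"])
        self.gateway.send(user["mobile"], f"Your one time password is {otp}")
        return ACCESS_CHALLENGE, {"State": state, "Reply-Message": "Enter one Time Password"}

    def _second_leg(self, username, password, state):
        entry = self.pending.pop(state, None)        # consumed on first use, success or not
        if entry is None:
            return ACCESS_REJECT, {"Reply-Message": "Unknown or reused State"}
        owner, otp, expires_at = entry
        if owner != username or self.clock() > expires_at:
            return ACCESS_REJECT, {"Reply-Message": "OTP expired or wrong user"}
        if secrets.compare_digest(password, otp):
            return ACCESS_ACCEPT, {"Reply-Message": "OK"}
        return ACCESS_REJECT, {"Reply-Message": "Wrong OTP"}


def run_demo():
    """Replays the 5.3 test: keyword -> Challenge, OTP from the SMS -> Accept,
    the same OTP again -> Reject. Returns the three reply codes."""
    gateway = SmsGateway()
    users = {"Demo": {"mobile": "+32 (constructed)", "static_password": "Test12345"}}
    server = VirtualDigipassServer(POLICY, gateway, users)
    code1, attrs = server.authenticate("Demo", "IwantOTP")
    otp = gateway.sent[-1][1].split()[-1]            # what the user reads off the phone
    code2, _ = server.authenticate("Demo", otp, state=attrs["State"])
    code3, _ = server.authenticate("Demo", otp, state=attrs["State"])
    return [code1, code2, code3]
```

Note that with KeywordOnly the static password entered in the Identikey Password field does not trigger delivery, which matches the guide's test where only IwantOTP produces the message; the replay rejection and the lifetime are the properties a reviewer should look for in any challenge/response deployment, since the OTP travels over SMS or e-mail.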


6 FAQ

7 Appendix