Using Microsoft Active Directory Server and IAS Authentication


StoneGate How-To: Using Microsoft Active Directory Server and IAS Authentication
StoneGate Firewall/VPN 3.0.7 and Management Center 4.1

Table of Contents
Basic Scenario ... page 3
Configuring a Windows 2003 Server for IAS Authentication ... page 3
Configuring Users in Active Directory ... page 8
Configuring an Active Directory Server Element in StoneGate ... page 9

Basic Scenario

This document describes a configuration that includes a Microsoft Active Directory with Internet Authentication Service (IAS) on a Windows 2003 server and Stonesoft's StoneGate Firewall/VPN. The configuration uses the Remote Authentication Dial-In User Service (RADIUS) protocol for authentication.

An external Active Directory server that supports the RADIUS protocol can be used for user authentication in StoneGate. In this example, the user and password information is stored in Active Directory and the users authenticate with their Windows passwords. The StoneGate firewall requests the authentication decision from the Active Directory server over RADIUS when users authenticate to the firewall. The Active Directory information can be browsed and used in security policies in the StoneGate Management Client.

Note: The configuration details needed in your environment may differ from the example.

The following sections describe the steps needed for setting up IAS authentication with Microsoft Active Directory in StoneGate. There are three main steps:

1. Configuring a Windows 2003 Server for IAS Authentication, on page 3.
2. Configuring Users in Active Directory, on page 8.
3. Configuring an Active Directory Server Element in StoneGate, on page 9.

Start with Configuring a Windows 2003 Server for IAS Authentication.

Configuring a Windows 2003 Server for IAS Authentication

An Active Directory on a Windows 2003 server contains the users and their passwords that RADIUS uses to authenticate users in StoneGate. To use IAS authentication, you must install the Internet Authentication Service component on the Windows 2003 server. Begin by Installing the Internet Authentication Service on the Windows 2003 Server.

Installing the Internet Authentication Service on the Windows 2003 Server

To install the Internet Authentication Service:
1. Open the Control Panel and double-click Add/Remove Programs.
2. Click Add/Remove Windows Components. The Windows Components Wizard dialog opens.
Illustration 1.1 Enabling Networking Services
3. Click Networking Services, and then click Details. The Networking Services dialog opens.

Illustration 1.2 Networking Services Dialog
4. Select Internet Authentication Service and click OK.
5. Click Next.
6. If prompted, insert your Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition compact disc.
7. After the component is installed, click Finish, and then click Close.

Internet Authentication Service is now installed and appears in the list of programs when you select Start > Programs > Administrative Tools. Proceed to Enabling the Windows 2003 Server to Read User Accounts in Active Directory.

Enabling the Windows 2003 Server to Read User Accounts in Active Directory

Once IAS is installed, you must register it in Active Directory so that it can read the user accounts and their remote access properties. Registration adds the server's computer account to the RAS and IAS Servers security group of the domain; you need an account with the rights to modify that group (typically a Domain Admins member) to perform it.

To enable the Windows 2003 server to read user accounts in Active Directory:
1. Select Start > Programs > Administrative Tools > Internet Authentication Service. The Internet Authentication Service window opens.
Illustration 1.3 Registering Server in Active Directory
2. Right-click Internet Authentication Service and select Register Server in Active Directory from the menu. The Register Internet Authentication Service in Active Directory dialog opens.
3. Click OK.

The Windows 2003 server is now registered. Proceed to Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server.

Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server

You must next define the StoneGate firewall as a RADIUS client for the Windows 2003 server. IAS only answers Access-Requests that come from a registered RADIUS client; requests from any other source address are discarded without a reply.

To add the StoneGate firewall as a RADIUS client for the Windows 2003 server:
1. Select Start > Programs > Administrative Tools > Internet Authentication Service. The Internet Authentication Service window opens.
2. Right-click RADIUS Clients and select New RADIUS Client from the menu. The New RADIUS Client dialog opens.
Illustration 1.4 New RADIUS Client Properties
3. Enter the name and IP address of the StoneGate firewall node and click Next.
4. As Additional Information, leave RADIUS Standard as the Client-Vendor and set a shared secret (see Illustration 1.5).

Note: You must use the same shared secret for the Active Directory Server element that you create in StoneGate. See Creating an Active Directory Server Element in StoneGate, on page 9. The shared secret is the only thing that authenticates the firewall to IAS and the only thing protecting the user password in transit (RADIUS obfuscates the PAP password with an MD5 keystream derived from the secret), so use a long, random value that is unique to this RADIUS client rather than a dictionary word or a reused password.

Illustration 1.5 New RADIUS Client - Additional Information
5. Click Finish.
6. If you have a clustered firewall, repeat steps 1-5 for the other firewall nodes.

When you have added all the firewall nodes, they are listed under RADIUS Clients in the Internet Authentication Service window. Proceed to Adding a Remote Access Policy in the Windows 2003 Server to Authorize Requests from Firewall Node(s).

Adding a Remote Access Policy in the Windows 2003 Server to Authorize Requests from Firewall Node(s)

You must create a remote access policy to authorize requests from the firewall node(s) to the Windows 2003 server.

To add a remote access policy in the Windows 2003 server:
1. Open Internet Authentication Service from the Start > Programs > Administrative Tools menu. The Internet Authentication Service window opens.
2. Right-click Remote Access Policies and select New Remote Access Policy from the menu. The New Remote Access Policy Wizard opens.
Illustration 1.6 New Remote Access Policy
3. Click Next.
4. As the Policy Configuration Method, select Set up a custom policy (see Illustration 1.7).
5. Enter a name for the policy and click Next.
Illustration 1.7 Selecting Policy Configuration Method
6. In Policy Conditions, click Add to add a policy condition. The Select Attribute dialog opens.
7. Select Client-Friendly-Name and click Add.
8. Enter the client-friendly name of the StoneGate firewall node and click OK.

Note: The client-friendly name must be the same as the name you set for the firewall node in Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server, on page 5.

9. Click Add to add another policy condition. The Select Attribute dialog opens.
10. Select Client-IP-Address and click Add.
11. Enter the Authentication NDI (Node Dedicated IP) address of the StoneGate firewall node and click OK. See Illustration 1.8 for an example of the remote access policy conditions.

Note: If you use a firewall cluster, you must define a remote access policy separately for each node. Both conditions identify a single node, so a request from a node that has no matching policy is rejected even though the node is a registered RADIUS client.

Illustration 1.8 Adding Policy Conditions - Example
12. Click Next.
13. As Permissions, select Grant remote access permission and click Next.
Illustration 1.9 Remote Access Policy - Permissions
14. In the next dialog, click Edit Profile. The Edit Dial-in Profile dialog opens.
15. Switch to the Authentication tab.
16. Uncheck the MS-CHAP and CHAP options and check Unencrypted authentication (PAP, SPAP).

Note: With PAP the user's password travels from the firewall to IAS inside the RADIUS Access-Request, protected only by the MD5-based obfuscation keyed with the shared secret. Keep the firewall-to-IAS traffic on a trusted network segment, use a strong shared secret, and allow PAP only in the policies for the clients that need it.

Illustration 1.10 Edit Dial-in Profile - Authentication Tab
17. Click OK.
18. Click Next and then Finish.
19. If you have a clustered firewall, repeat steps 1-18 to authorize access from all the firewall nodes.

The Windows 2003 server configuration for IAS authentication is now complete. Proceed to Configuring Users in Active Directory.

Configuring Users in Active Directory

The next step is to configure which users in Active Directory are allowed to authenticate with RADIUS.

Allowing a User in Active Directory to Authenticate with RADIUS

To allow a user in Active Directory to authenticate with RADIUS:
1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers on the Windows 2003 server.
2. Double-click the user who should be able to authenticate with RADIUS. The Properties dialog opens.
3. Switch to the Dial-in tab.
Illustration 1.11 User Properties - Dial-in Tab
4. For Remote Access Permission (Dial-in or VPN), select Allow access.
5. Switch to the Account tab and make sure that Store password using reversible encryption is selected in the Account options.
Illustration 1.12 User Properties - Account Tab

Note: If this option was not already selected in the user's Properties, you must set the user's password again after selecting Store password using reversible encryption, because the setting only affects passwords stored after it is enabled. Right-click the user and select Reset Password from the menu that opens.

Note: The Store password using reversible encryption setting must also be enabled for Password Policy in the Windows 2003 server's Default Domain Controller Policy settings. If this setting is not enabled for Password Policy, the Store password using reversible encryption setting in the user's Account options has no effect. Be aware of what the setting means: a reversibly encrypted password can be recovered in cleartext by anyone who can read the directory database (domain administrators, anyone holding a domain controller backup or a copy of ntds.dit), and when the policy is enabled at the domain level every password changed afterwards is stored that way. Enable it for as few accounts as possible, never for administrative accounts, and treat the affected accounts as having effectively plaintext passwords.

6. Click OK.
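An offline check for the two per-user prerequisites set in steps 4 and 5, as an added example (not Stonesoft or Microsoft code). It reads a small LDIF-style export, decodes the userAccountControl bit that the Store password using reversible encryption checkbox sets (ENCRYPTED_TEXT_PWD_ALLOWED, 0x80) together with the msNPAllowDialin attribute behind Allow access, and flags the accounts where reversible storage is a risk. The records are constructed; treating adminCount=1 as "privileged" and treating an unset msNPAllowDialin as "not allowed" are assumptions of the example, not something the page states.

```python
"""Audit AD user records for the RADIUS/PAP prerequisites described above.
Added example, not Stonesoft or Microsoft code. SAMPLE_LDIF is constructed;
the adminCount heuristic and the handling of an unset msNPAllowDialin are
assumptions of this example."""

# userAccountControl flag bits (Microsoft-defined values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # "Store password using reversible encryption"
UAC_NORMAL_ACCOUNT = 0x0200


def parse_ldif(text):
    """Parse a minimal LDIF export: blank-line separated records of 'attr: value'."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def radius_status(rec):
    """Return (can_authenticate_with_pap, findings) for one user record."""
    uac = int(rec.get("userAccountControl", "0"))
    # "Allow access" on the Dial-in tab sets msNPAllowDialin=TRUE; an unset value
    # means "Control access through Remote Access Policy" and is treated here as
    # not allowed (assumption of this example).
    dialin = rec.get("msNPAllowDialin", "").upper() == "TRUE"
    reversible = bool(uac & UAC_ENCRYPTED_TEXT_PWD_ALLOWED)
    disabled = bool(uac & UAC_ACCOUNTDISABLE)
    findings = []
    if disabled:
        findings.append("account disabled")
    if not dialin:
        findings.append("remote access permission not allowed")
    if not reversible:
        findings.append("reversible encryption flag not set (reset password after enabling)")
    if reversible and rec.get("adminCount") == "1":
        findings.append("RISK: privileged account with reversibly encrypted password")
    if uac & UAC_PASSWD_NOTREQD:
        findings.append("RISK: password not required")
    return dialin and reversible and not disabled, findings


def audit(ldif_text):
    """Map sAMAccountName -> (can_authenticate, findings) for every record."""
    return {r["sAMAccountName"]: radius_status(r) for r in parse_ldif(ldif_text)}


# Constructed sample export (not real directory data). 640 = NORMAL_ACCOUNT |
# ENCRYPTED_TEXT_PWD_ALLOWED, 512 = NORMAL_ACCOUNT, 546 = NORMAL_ACCOUNT |
# PASSWD_NOTREQD | ACCOUNTDISABLE.
SAMPLE_LDIF = """\
dn: CN=Alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 640
msNPAllowDialin: TRUE

dn: CN=Bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 512
msNPAllowDialin: TRUE

dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
userAccountControl: 640
msNPAllowDialin: FALSE
adminCount: 1

dn: CN=Svc,CN=Users,DC=example,DC=com
sAMAccountName: svc
userAccountControl: 546
msNPAllowDialin: TRUE
"""

if __name__ == "__main__":
    for name, (ok, findings) in audit(SAMPLE_LDIF).items():
        print(f"{name}: {'OK' if ok else 'cannot authenticate'} {findings}")
```

Against a real domain, feed it an export made with ldifde (for example `ldifde -f users.ldf -r "(objectCategory=person)" -l sAMAccountName,userAccountControl,msNPAllowDialin,adminCount`; check the option syntax on your server) instead of SAMPLE_LDIF. Any account that reports "RISK: privileged account with reversibly encrypted password" should have the flag cleared and its password reset.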

Configuring an Active Directory Server Element in StoneGate

The next step is to configure an Active Directory Server in StoneGate. Start by Creating an Active Directory Server Element in StoneGate.

Creating an Active Directory Server Element in StoneGate

The Active Directory Server element contains both the user directory and the authentication service options needed to use a Microsoft Windows 2003 server for user authentication.

To define an Active Directory Server element:
1. Click the Configuration button in the toolbar to switch to the Configuration view.
2. Right-click the Network Elements category in the tree view and select New > Active Directory Server from the menu that opens. The Active Directory Server Properties dialog opens.
Illustration 1.13 Active Directory Server Properties - General Tab
3. Specify a unique Name and the IP Address of the server.
4. In this example, leave the Location and Contact Addresses at their default values. You need to modify them only if there is a NAT device between a firewall and the Active Directory server, so that the firewall cannot connect directly to the Active Directory server's IP address.
5. Define the Timeout: how long StoneGate waits for the server to reply.

Continue by configuring the server's LDAP settings as instructed in Configuring Active Directory Server's LDAP Settings.

Configuring Active Directory Server's LDAP Settings

The LDAP settings include the directory information and the credentials that StoneGate uses to connect to the Active Directory server. Make sure there are matching definitions on the Active Directory server.

To configure the LDAP user services:
1. Switch to the LDAP tab of the Active Directory Server Properties dialog.
Illustration 1.14 Active Directory Server Properties - LDAP Tab
2. In the Base DN field, define the domain that is used as the base for Distinguished Names (DN) as it is defined on the Active Directory server (e.g., dc=example,dc=com).
3. In the Bind User ID field, define the Distinguished Name of the account the StoneGate firewall uses when connecting to the Active Directory server (e.g., uid=admin,ou=administrators). Use a dedicated account with read-only rights to the user and group objects: its password is stored in the StoneGate element, and the LDAP connection is only used for browsing the directory, not for authenticating users.
4. In the Bind Password field, enter the password of that account.
5. For Schema, leave the default value Standard.
6. Leave the UserID Attribute and Group Member Attribute at their default values.
7. Leave the default port (TCP port 389) as the Port Number.

Note: TCP port 389 is plain LDAP. With a simple bind, the Bind Password and the directory data that is browsed cross the network unencrypted, so the path between the Management Server or firewall and the Active Directory server must be a trusted network.

Proceed to Configuring Active Directory Server's Authentication Settings.

Configuring Active Directory Server's Authentication Settings

You can use the Active Directory server's Internet Authentication Service to authenticate the users. The protocol used is RADIUS.

To configure the authentication settings:
1. In the Active Directory Server Properties dialog, switch to the Authentication tab.
Illustration 1.15 Active Directory Server - Authentication Tab
2. Make sure that the Port Number is correct for your Active Directory server's IAS. By default IAS listens for RADIUS authentication on UDP port 1812 and on the legacy port 1645.

3. Type or paste the Shared Secret. It is used to authenticate the connection from StoneGate to the Windows 2003 server.

Note: The shared secret must be the same as the one you entered for the firewall node(s) in Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server, on page 5. If the secrets differ, IAS decodes the PAP password to garbage and every authentication attempt fails, so a mismatched secret is the first thing to check when all users are rejected.

4. Specify the Number of Retries. If StoneGate gets no reply from the Windows 2003 server within the Timeout, it resends the request the specified number of times before giving up on the authentication.
5. Click OK.

Proceed to Defining Domains.

Defining Domains

Each Active Directory Server has its own domain in StoneGate. One domain can be selected as the default domain. Users who belong to the default domain need not specify the domain (for example, username@domain) when they authenticate.

To define a new domain:
1. Click the Configuration button in the toolbar to switch to the Configuration view.
2. Right-click Firewall Configuration in the left panel and select New > Domain from the menu that opens. The Domain Properties dialog opens.
Illustration 1.16 Domain Properties - General Tab
3. Enter the Name for the new domain. If the domain you are creating is not the default domain, users must type in the domain name when they authenticate.
4. Select the Default Domain checkbox if this domain will be used for all or most authentications. Only one domain can be the default domain, so the selection is automatically cleared from the previous default domain when you select the option for another domain.
5. The defined Active Directory Servers that are not yet bound to a domain are shown on the left. Select the correct server and click Add to bind the server to the domain.
6. Switch to the Default Authentication tab to select the authentication service.
7. Click Select. A list of authentication services opens.
8. Select IAS authentication and click Select.
Illustration 1.17 Domain Properties - Default Authentication Tab
9. Click OK.
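The RADIUS exchange that the RADIUS client, remote access policy and shared secret settings above set up, as an added example that is not Stonesoft or Microsoft code: a firewall node builds a PAP Access-Request with the User-Password obfuscated under the shared secret (RFC 2865 section 5.2), and an IAS-style server looks the client up by source address, decodes the password, applies a policy keyed on Client-Friendly-Name and Client-IP-Address, and answers with an Access-Accept or Access-Reject whose Response Authenticator the node verifies. The addresses, shared secret, user table and policy table are constructed for the example. It shows why the secret must match on both sides, why each cluster node must be registered as a RADIUS client (an unknown source address gets no answer at all), and how little protects the PAP password on the wire.

```python
"""RADIUS/PAP Access-Request and response between a firewall node (NAS) and an
IAS-style server, per RFC 2865. Added example, not Stonesoft or Microsoft code;
all addresses, secrets, users and policies below are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _pad16(data: bytes) -> bytes:
    # Pad to a multiple of 16 octets; an empty password still occupies one block.
    return data + b"\x00" * ((-len(data) % 16) if data else 16)

def encode_pap_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request
    Authenticator. Obfuscation keyed only with the shared secret, not encryption."""
    out, prev = b"", req_auth
    padded = _pad16(password)
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_pap_password(secret: bytes, req_auth: bytes, encoded: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def _attrs(pairs) -> bytes:
    # Type-Length-Value attributes; Length counts the two header octets.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def _packet(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, attrs, pos = pkt[4:20], {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, auth, attrs

def response_authenticator(secret, code, ident, req_auth, attrs) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs
    return hashlib.md5(body + secret).digest()

def build_access_request(secret, ident, username, password, nas_ip, req_auth=None):
    """NAS side: the packet a firewall node sends to IAS for a PAP user."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, encode_pap_password(secret, req_auth, password.encode())),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(pkt, src_ip, clients, policies, users):
    """IAS side. clients: src_ip -> (friendly_name, secret); policies: list of
    {client_friendly_name, client_ip, pap}; users: name -> (password, dialin_allowed)."""
    if src_ip not in clients:
        return None                      # unregistered RADIUS client: silently discarded
    name, secret = clients[src_ip]
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        return None
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decode_pap_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    policy_ok = any(p["client_friendly_name"] == name and p["client_ip"] == src_ip and p["pap"]
                    for p in policies)   # both conditions of the remote access policy
    granted = policy_ok and users.get(user) == (password.decode(errors="replace"), True)
    reply = ACCESS_ACCEPT if granted else ACCESS_REJECT
    return _packet(reply, ident, response_authenticator(secret, reply, ident, req_auth, b""), b"")

def verify_response(secret, req_auth, reply) -> bool:
    """NAS side: drop replies not keyed with the shared secret (a spoofed Access-Accept)."""
    code, ident, auth, _ = parse_packet(reply)
    return auth == response_authenticator(secret, code, ident, req_auth, reply[20:])

def demo():
    """Run the exchange for a registered node and for an unregistered cluster node."""
    secret = b"Jr9#uLq2!zPm7vX0eTb4"           # constructed shared secret
    clients = {"10.0.0.1": ("fw1", secret)}    # only node 1 was added as a RADIUS client
    policies = [{"client_friendly_name": "fw1", "client_ip": "10.0.0.1", "pap": True}]
    users = {"alice": ("S3cret!", True), "bob": ("hunter2", False)}   # bob: dial-in denied
    results = {}
    for user, pw in [("alice", "S3cret!"), ("alice", "wrong"), ("bob", "hunter2")]:
        req, req_auth = build_access_request(secret, 7, user, pw, "10.0.0.1")
        reply = server_handle(req, "10.0.0.1", clients, policies, users)
        results[(user, pw)] = (parse_packet(reply)[0], verify_response(secret, req_auth, reply))
    req, _ = build_access_request(secret, 8, "alice", "S3cret!", "10.0.0.2")
    results["unregistered node"] = server_handle(req, "10.0.0.2", clients, policies, users)
    return results
```

demo() returns Access-Accept (2) only for alice with the right password, Access-Reject (3) for a wrong password and for bob (dial-in not allowed), and None for the second cluster node that was never added as a RADIUS client. The decode step is the reason a shared secret mismatch rejects everyone: the server recovers garbage instead of the password, and the node in turn cannot verify the reply.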

You have now completed all of the steps required in StoneGate for setting up the Windows 2003 server as an Active Directory Server. You can now browse the users listed in the Active Directory with the Management Client. Go to Users and then to the new domain you just created to browse the list of users (see Illustration 1.18).
Illustration 1.18 Browsing Users

Proceed to Modifying Firewall Policy to Allow IAS Authentication Connections to allow the connections needed for IAS authentication.

Modifying Firewall Policy to Allow IAS Authentication Connections

If the Active Directory server is located in a different network than the Management Server, make sure that the servers are able to communicate using the LDAP protocol (TCP port 389 in this example). This makes it possible to browse the user information from the Active Directory server.

To use IAS authentication for mobile VPN users, the Firewall Policy must contain an Access Rule for mobile VPN traffic with the proper user and authentication parameters (see Illustration 1.19).
Illustration 1.19 Example of Access Rules Allowing Use of Active Directory

Note: The firewall allows its own RADIUS connections to the Active Directory server by default. If the rules inherited from the default template are included in the policy, it is not necessary to add a rule for the RADIUS connections.

Tip: The Windows Event Viewer shows an event for each authentication attempt. The event is visible in the System log of Event Viewer with IAS as the source, and it records whether access was granted or denied, the user name, the RADIUS client the request came from and the reason for a rejection. This is useful for troubleshooting: no event at all usually means the request never reached IAS or came from an unregistered client, while a denial with a reason points at the policy or the user account. Select Start > Programs > Administrative Tools > Event Viewer to open the Event Viewer.

The IAS authentication configuration in StoneGate is now complete. For information on configuring VPNs, see the StoneGate Administrator's Guide.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Copyright and Disclaimer

Copyright 2000-2007 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: SGHT_20070905
www.stonesoft.com

Stonesoft Corp., Itälahdenkatu 22a, FIN-00210 Helsinki, Finland, tel. +358 9 4767 11, fax +358 9 4767 1234
Stonesoft Inc., 1050 Crown Pointe Parkway, Suite 900, Atlanta, GA 30338, USA, tel. +1 770 668 1125, fax +1 770 668 1131