ProxySG TechBrief

LDAP Authentication with the ProxySG

What is LDAP Authentication?

Today, the network can include elements such as LANs, WANs, an intranet, and the Internet. Many enterprises have turned to centralized directory-enabled applications to provide their users with seamless access to all of the applications, devices, and appliances they are authorized to use. Directory services simplify administration: additions and changes to permissions are made only once in the directory and are immediately available to all authorized users, directory-enabled applications, devices, and appliances.

The Blue Coat ProxySG supports the use of an external LDAP-enabled directory for authentication and authorization of users on a per-group basis. LDAP group-based authentication for the Blue Coat ProxySG can be configured to support any LDAP-compliant directory, including:

- Microsoft Active Directory
- Novell eDirectory
- Sun Java System Directory Server
- Lotus Domino

The Blue Coat ProxySG also provides the ability to locate a group or a single user in a single root of an LDAP directory information tree (DIT) through its VPM searching functionality. Once located, the user or group can be selected for inclusion in authentication.

Why enable LDAP Authentication?

The ProxySG makes use of your existing directory-based authentication by passing login requests to the directory service. There is no need to define an additional authentication mechanism when using the ProxySG. By keeping authentication centralized on your directory, a security administrator will always know who is accessing network resources and can easily define user/group-based policies to control access through the appliance.

Implementing LDAP Authentication

There are four steps to implementing LDAP authentication services on the ProxySG:

1. Create an LDAP Realm on the ProxySG
2. Configure LDAP properties on the ProxySG
3. Enable Authentication on the Blue Coat Policy
4. Test your LDAP authentication realm

1 Technical Brief
Step 1 - Create an LDAP Realm on the ProxySG

Create a realm using the Blue Coat GUI Management Console by selecting the Authentication option. Then select the LDAP Realm tab and click the New button. The Add Realm dialog is displayed. Type in LDAP_Realm (or any name) as the Realm name, select Microsoft Active Directory as the directory type (or the directory you are using), and type in the primary LDAP server's IP address. The port default is 389 and the user attribute type default is samaccountname. You may have to change these defaults for your particular LDAP configuration. Be sure to check with your LDAP administrator for specific configuration information.
Step 2 - Configure LDAP Properties on the ProxySG

The next step is to configure any additional LDAP properties on the ProxySG. This section describes the available LDAP configuration pages and their options.

LDAP Servers

Use the LDAP Servers page to change the current default settings:

- Select server type: Microsoft, Novell, Sun, or Other
- Select LDAP protocol version (default is 3; 2 can be selected)
- Select whether to follow referrals (LDAP v3 only)
- Specify host and port for the primary LDAP server
- Specify host and port for an alternate server (optional)
- Enable/disable SSL as required (LDAP v3 only)
- Enable/disable verify server certificate as required
- Specify multiple Base Distinguished Names (DNs) to search per realm
- Specify a specific branch DN

Base DNs

You can instruct the ProxySG to search on a specific branch DN. The base DN identifies the entry that serves as the starting point for searching, such as dc=bluecoat, dc=com. At least one non-null base DN must be specified. Common DN attribute abbreviations:

- c = country
- cn = common name
- ou = organizational unit
LDAP Search & Groups

On this page you can specify whether to use anonymous as the search name or to enforce user authentication with a different user name before allowing a search. Some directories require a valid user to perform an LDAP search and will not allow anonymous bind; this is the case with Active Directory, for example. LDAP directory attributes for an anonymous search typically only provide a subset of the available information (as controlled by the network administrator).

- Specify whether to dereference aliases (default is Always)

Groups

The Groups page allows an administrator to specify the member type and membership attribute type for the specific LDAP realm selected. The ProxySG enters these defaults:

- Microsoft AD
  o Membership type: user
  o Membership attribute: memberof
- Netscape/Sun iPlanet
  o Membership type: group
  o Membership attribute type: uniquemember
- Novell eDirectory
  o Membership type: user
  o Membership attribute type: member
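To make the membership-type defaults above concrete, here is an added Python example (not Blue Coat code) that builds the search filter each default implies and evaluates the same check against a few constructed directory entries under the base DN dc=bluecoat,dc=com; the alice account, the web-allowed group and their DNs are assumptions. It also escapes the login name per RFC 4515, the check a practitioner wants wherever a user-typed name ends up inside a search filter.

```python
import re

# Membership-type / membership-attribute defaults the brief lists per directory type.
REALM_DEFAULTS = {
    "microsoft": ("user", "memberof"),      # Active Directory
    "sun": ("group", "uniquemember"),       # Netscape/Sun iPlanet
    "novell": ("user", "member"),           # Novell eDirectory
}

# Constructed sample entries standing in for the directory (DN -> attributes).
DIRECTORY = {
    "cn=alice,ou=users,dc=bluecoat,dc=com": {
        "samaccountname": ["alice"],
        "uid": ["alice"],
        "memberof": ["cn=web-allowed,ou=groups,dc=bluecoat,dc=com"],
    },
    "cn=web-allowed,ou=groups,dc=bluecoat,dc=com": {
        "uniquemember": ["cn=alice,ou=users,dc=bluecoat,dc=com"],
    },
}

def escape_filter(value):
    """RFC 4515 escaping so a login name cannot alter the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def membership_filter(server_type, user_attr, user_name, user_dn, group_dn):
    """Filter implied by the realm's membership type: 'user' searches the user
    entry for the group DN; 'group' searches the group entry for the user DN."""
    mtype, attr = REALM_DEFAULTS[server_type]
    if mtype == "user":
        return "(&(%s=%s)(%s=%s))" % (
            user_attr, escape_filter(user_name), attr, escape_filter(group_dn))
    return "(%s=%s)" % (attr, escape_filter(user_dn))

def in_base(dn, base_dn):
    """True when dn sits at or under the realm's base DN."""
    return dn == base_dn or dn.endswith("," + base_dn)

def is_member(server_type, user_attr, user_name, group_dn,
              base_dn="dc=bluecoat,dc=com", directory=DIRECTORY):
    """Evaluate the same check against the in-memory entries; deny on any doubt."""
    mtype, attr = REALM_DEFAULTS[server_type]
    hits = [(dn, e) for dn, e in directory.items()
            if in_base(dn, base_dn) and user_name in e.get(user_attr, [])]
    if len(hits) != 1:            # unknown or ambiguous user
        return False
    user_dn, entry = hits[0]
    if mtype == "user":
        return group_dn in entry.get(attr, [])
    return user_dn in directory.get(group_dn, {}).get(attr, [])
```

Note that a realm whose membership attribute does not match the directory (for example the eDirectory default member against an Active Directory user entry) simply finds no membership and denies, which is the symptom to look for when a correctly named group never matches. Whether the search runs anonymously or as a bind user, the credentials the ProxySG sends to the directory cross the network in clear text unless SSL is enabled on the LDAP Servers page.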
LDAP Objectclasses

LDAP objectclasses define the type of object the entry will be when a search is made by the ProxySG. For example, a user entry may have the attribute objectclass=user.

- Objectclass attribute values can vary among LDAP servers
- Objectclass attribute values are used by the Visual Policy Manager to browse the content of an LDAP server
- The objectclass list is customizable
General realm settings

From the LDAP General page you can enable/disable case-sensitivity depending on whether the LDAP server is case-sensitive. You can also do the following:

- Specify the length of time to cache user credentials (default 900 seconds)
- Specify a virtual URL if the value is different from the global virtual URL
- Specify the display name for the realm when authentication is presented to the end user
Step 3 - Enable Authentication on the Blue Coat Policy

To enable an LDAP realm authentication policy, use the Blue Coat management console. Select Policy and launch the Blue Coat Visual Policy Manager.

1. Under the Web Authentication tab, click Add Rule. Highlight the Action field of the new rule, right-click and choose Authenticate. A pop-up window is displayed; select LDAP as the realm.
2. Click OK.
3. Install the policy by selecting the Install Policies button.
Step 4 - Test your LDAP Authentication Realm

Test the LDAP authentication by opening a web browser (explicitly configured to go through the proxy). You will be prompted for your user name and password credentials, as shown in the login prompt. Type in the user name and password that have been supplied by your Active Directory domain. The requested URL is then presented if the user credentials are valid.

Conclusion

The ProxySG is designed to take advantage of existing authentication environments, including LDAP directory servers. Utilizing existing authentication services saves time and money, simplifying the deployment of the ProxySG. Most LDAP parameters are automatically configured to default settings on the ProxySG for easy deployment.

Copyright 2004 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat is a registered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.

Contact Blue Coat Systems
1.866.30BCOAT
408.220.2200 Direct
408.220.2250 Fax
www.bluecoat.com