Section 4 Application Description - LDAP



This section describes the applications and configuration required for authentication using Windows 2000 Server's Active Directory and a NetScreen network security appliance via LDAP.

User Authentication for Access to External Services

NetScreen security functionality provides a means to implement access policies that require users who wish to traverse the device to reach network resources (e.g. the Internet) to first authenticate with a user name and password. Instead of using the internal user database in ScreenOS, the NetScreen device can be configured to use an external LDAP user database that multiple NetScreen devices, and other network devices, can share. LDAP authentication eliminates device-by-device management of the access database: the user database resides on the LDAP server, and each device verifies the user's credentials (user name and password) against it. This greatly simplifies user administration for a large number of network devices.

[Figure: authentication flow between the local host, the NetScreen appliance, the Win2K Server and the external service; the numbered steps are listed below.]

1. A local network-attached host attempts a connection to an Internet-located service.

Copyright 2002 NetScreen Technologies, INC. 16

2. The NetScreen appliance intercepts the connection attempt, prompts the user for a name and password, then requests user authentication from the Win2K Server's Active Directory.

3. The Win2K Server's Active Directory verifies the user name and password and responds accordingly.

4. The NetScreen appliance either permits the connection or rejects it based on the response from the Win2K Server.

5. If the connection is accepted, the user may open the connection to the external service.

Section 5 Installing and Configuring Win2K for LDAP Authentication

Note: it is assumed that the Windows 2000 server has been configured as a domain controller and is already running Active Directory. If you have not installed and configured the domain controller, click Configure Your Server in the Administrative Tools folder under Control Panel and use the Microsoft-provided wizard to configure Active Directory.

Configure Users to Authenticate via Active Directory

Click Start->Programs->Administrative Tools->Active Directory Users and Computers.

Click Action->New->User, then enter the full name, or the first name and last name.

Note: Microsoft Windows 2000 Active Directory does not implement the inetOrgPerson class, so binds cannot be made with the User logon name. Binds are made with the Full name, which Active Directory stores as the object's cn attribute and which the NetScreen uses to build the bind DN (see the Common Name Identifier setting in Section 6). The implication is that the name entered at logon time must be the full name: in the example above, Bob Smith is the name entered when attempting LDAP authentication through a NetScreen network security appliance, and the bind attempt will fail for bsmith. When you are finished entering the user information, click Next and proceed. Enter the user password and click Finish. You are now finished configuring Windows 2000 Server for LDAP authentication.

Section 6 Configuring NetScreen ScreenOS and Testing Authentication

Configure the NetScreen security appliance for LDAP authentication via the NetScreen WebUI

The following illustrates ScreenOS 3.0 on a NetScreen-5XP. Configuration is similar on other NetScreen models running earlier versions of ScreenOS. Log into the NetScreen's WebUI. Click Configure and then the Authen tab. Click the LDAP Server radio button and configure the IP address and port number of the server. The Common Name Identifier must be set to cn. The Distinguished Name must be set to:

cn=<name of user database>,dc=<domain name>,dc=<domain extension>

Example, where Users is the name of the container holding the user objects and test.com is the domain name and extension:

cn=users,dc=test,dc=com

Two points worth checking here. First, the appliance looks for the user directly beneath this DN, so accounts created in another container or OU will not be found and will fail to authenticate. Second, an LDAP bind over the standard port (389) without TLS carries the user's password in cleartext on the appliance-to-domain-controller path, so keep that path on a trusted segment.
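The Section 5 note (a bind succeeds for the Full name Bob Smith and fails for the logon name bsmith) and the Distinguished Name setting above both follow from how the bind DN is assembled. The following is an added example, not code from the application note or from ScreenOS: it assumes, as the settings imply, that the appliance binds as <Common Name Identifier>=<typed name>,<configured DN>, and runs that bind against a constructed in-memory stand-in for the Users container so the behaviour can be checked offline. The directory contents, names and passwords are made up; the RDN escaping follows RFC 4514.

```python
"""Simulate the LDAP bind a NetScreen appliance performs for a user.

Added example, not code from the NetScreen application note or from ScreenOS.
The appliance's own DN-building routine is not published; this assumes, as the
settings in Section 6 imply, that the bind DN is
    <Common Name Identifier>=<name typed by the user>,<configured DN>
FAKE_DIRECTORY is a constructed stand-in for the Users container of test.com.
"""
from __future__ import annotations

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a raw attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        # Leading '#' or space and trailing space must also be escaped.
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(cn_identifier: str, base_dn: str, typed_name: str) -> str:
    """DN the appliance binds as, e.g. cn=Bob Smith,cn=users,dc=test,dc=com."""
    return f"{cn_identifier}={escape_rdn_value(typed_name)},{base_dn}"


# Constructed in-memory directory: DN (lower-cased, since AD matches DNs
# case-insensitively) -> attributes of the user object.  "cn" is what the
# Active Directory Users and Computers wizard calls Full name and
# "sAMAccountName" is the User logon name.
FAKE_DIRECTORY = {
    "cn=bob smith,cn=users,dc=test,dc=com": {
        "cn": "Bob Smith", "sAMAccountName": "bsmith", "password": "Winter2002!"},
    "cn=o'neil\\, pat,cn=users,dc=test,dc=com": {
        "cn": "O'Neil, Pat", "sAMAccountName": "poneil", "password": "Spring2002!"},
}


def simple_bind(cn_identifier: str, base_dn: str, typed_name: str,
                password: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a simple bind against FAKE_DIRECTORY.

    Only two things decide the outcome, as on the real server: the bind DN must
    name an existing object and the password must match.  A logon name such as
    'bsmith' is never consulted because the appliance only builds cn-based DNs.
    """
    if password == "":
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
        # bind that many servers answer with success.  A gateway must reject
        # it itself rather than trust that answer.
        return False, "empty password refused (unauthenticated bind)"
    dn = build_bind_dn(cn_identifier, base_dn, typed_name)
    entry = FAKE_DIRECTORY.get(dn.lower())
    if entry is None:
        return False, f"no such object: {dn}"
    if entry["password"] != password:
        return False, f"invalid credentials for {dn}"
    return True, f"bound as {dn} (logon name {entry['sAMAccountName']})"


if __name__ == "__main__":
    base = "cn=users,dc=test,dc=com"
    for name, pw in [("Bob Smith", "Winter2002!"), ("bsmith", "Winter2002!"),
                     ("O'Neil, Pat", "Spring2002!"), ("Bob Smith", "")]:
        ok, why = simple_bind("cn", base, name, pw)
        print(f"{name!r:15} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Running it shows the note's point directly: Bob Smith binds, bsmith is rejected as a non-existent object, a Full name containing a comma only works because the RDN value is escaped, and an empty password is refused before it ever reaches the server.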

Create a policy that uses authentication. In this case, an outgoing Telnet policy, so the user must authenticate in order to telnet to hosts external to the trusted network.

Test the Authentication

When a workstation on the inside attempts a telnet connection to an external host, an authentication request appears on the user's screen; if the user authenticates with the name and password of a user in Active Directory, the telnet connection is allowed. The user must then log onto the external host with a user name and password administered locally by that host. To verify a successful authentication, go to Log->Event Log; a log entry will exist for the authentication.

Configure the NetScreen for LDAP authentication via the NetScreen CLI

Type the following CLI commands to set up user authentication for external access to HTTP services:

Command: set auth type 3
Description: Sets the authentication type to LDAP.

Command: set auth ldap server-name 10.10.1.75 cn=users,dc=test,dc=com cn
Description: Sets the LDAP server IP address, the Distinguished Name and the Common Name Identifier.

Command: set policy outgoing any any http permit auth log
Description: Sets an outgoing policy for HTTP that requires authentication and logs events associated with it.

Test the Authentication

When a workstation on the inside attempts a connection through the authenticated policy (HTTP in the CLI example above; Telnet in the WebUI example), an authentication request appears on the user's screen; if the user authenticates with the name and password of a user in Active Directory, the connection is allowed. The user must then log onto the external host with a user name and password administered locally by that host. To verify a successful authentication, type:

Command: get log event
Description: A log entry will exist for the authentication.

Note: User authentication can only be done via HTTP, FTP or Telnet. These protocols allow the NetScreen to send a request back to the user asking for credentials. If other protocols are to be restricted, the user must first authenticate via one of the three listed protocols and then establish a connection using the other protocol. Bear in mind that all three are cleartext protocols, so the credentials the user types at the prompt cross the client-to-appliance path unencrypted.
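Before pasting commands like the ones above into a production appliance, it helps to have the note's rules checked mechanically. The following is an added example, not NetScreen code: NOTE_CONFIG is the CLI example from this section, BROKEN_CONFIG is a constructed configuration that breaks each rule, and the policy-line grammar it assumes is the one shown in the note (set policy <direction> <src> <dst> <service> <action> [auth] [log]). Any command shape it does not recognise is reported as unchecked rather than interpreted.

```python
"""Lint a ScreenOS LDAP-authentication configuration before applying it.

Added example, not NetScreen code.  It recognises only the three command shapes
the application note uses (set auth type, set auth ldap server-name, and set
policy ... auth) and encodes the note's own rules: auth type 3 is LDAP, the
Common Name Identifier must be cn, and the appliance can only prompt for
credentials on HTTP, FTP or Telnet policies.  Any other command is reported as
unchecked rather than guessed at.  NOTE_CONFIG is the note's own CLI example;
BROKEN_CONFIG is a constructed bad configuration.
"""
from __future__ import annotations

import ipaddress
import re

INTERACTIVE_SERVICES = {"http", "ftp", "telnet"}
# attr=value, where the value may contain backslash-escaped characters.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$")

NOTE_CONFIG = """
set auth type 3
set auth ldap server-name 10.10.1.75 cn=users,dc=test,dc=com cn
set policy outgoing any any http permit auth log
"""

BROKEN_CONFIG = """
set auth ldap server-name ldap.test.com cn=users,dc=test,dc=com uid
set policy outgoing any any smtp permit auth
"""


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attr, value) pairs, splitting only on unescaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if not RDN_RE.match(rdn):
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.lower(), value))
    return pairs


def lint_screenos_auth(config: str) -> list[str]:
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    auth_type = None
    ldap_configured = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = line.split()
        if tok[:3] == ["set", "auth", "type"] and len(tok) == 4:
            auth_type = tok[3]
        elif tok[:4] == ["set", "auth", "ldap", "server-name"] and len(tok) == 7:
            server, base_dn, cn_id = tok[4], tok[5], tok[6]
            ldap_configured = True
            try:
                ipaddress.ip_address(server)
            except ValueError:
                findings.append(f"LDAP server {server!r} is not an IP address")
            try:
                if not any(attr == "dc" for attr, _ in parse_dn(base_dn)):
                    findings.append(f"base DN {base_dn!r} has no dc= components")
            except ValueError as exc:
                findings.append(str(exc))
            if cn_id.lower() != "cn":
                findings.append(f"Common Name Identifier is {cn_id!r}; must be cn")
        elif tok[:2] == ["set", "policy"]:
            # set policy <direction> <src> <dst> <service> <action> [auth] [log]
            if len(tok) < 7:
                findings.append(f"cannot parse policy: {line!r}")
                continue
            if "auth" not in tok[7:]:
                continue  # unauthenticated policy: nothing to check here
            service = tok[5].lower()
            if service not in INTERACTIVE_SERVICES:
                findings.append(f"policy {line!r}: 'auth' on service {service!r} "
                                "cannot prompt the user; only http, ftp and telnet can")
            if "log" not in tok[7:]:
                findings.append(f"policy {line!r}: authenticated policy has no 'log' keyword")
        else:
            findings.append(f"unrecognised command, not checked: {line!r}")
    if ldap_configured and auth_type != "3":
        findings.append("LDAP server configured but 'set auth type 3' (LDAP) is absent")
    return findings


if __name__ == "__main__":
    for label, cfg in (("note config", NOTE_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(f"{label}: {lint_screenos_auth(cfg) or 'OK'}")
```

The broken configuration trips every rule at once: a hostname where the note uses an IP address, a Common Name Identifier other than cn, an auth policy on SMTP that the appliance cannot prompt on, a missing log keyword, and no set auth type 3 line to select LDAP.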

Conclusion

ScreenOS's ability to use external user databases allows for the practical implementation of access policies requiring user authentication. Companies can leverage their user database from Microsoft's Windows 2000 Active Directory when using their NetScreen network security appliances. NetScreen supports both RADIUS and LDAP protocols to suit the network manager's needs. Network managers can take advantage of the centralized user database provided by Active Directory to restrict access to external network resources from NetScreen products. Utilizing equipment and software that may already exist in the network saves significant capital expense. Authentication from a centralized source saves many man-hours of configuration time and prevents the database divergence that is likely to happen with locally administered user databases. Together, NetScreen's authentication and Windows 2000 add an additional layer of security to the network at an optimized operational and capital expense.