IIS SECURE ACCESS FILTER 1.3

Similar documents
McAfee One Time Password

MICROSOFT ISA SERVER 2006

SecureAware on IIS8 on Windows Server 2008/- 12 R2-64bit

OTP Server Integration Module

RoomWizard Synchronization Software Manual Installation Instructions

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

NSi Mobile Installation Guide. Version 6.2

BusinessObjects Enterprise XI Release 2

HYPERION SYSTEM 9 N-TIER INSTALLATION GUIDE MASTER DATA MANAGEMENT RELEASE 9.2

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

Use Enterprise SSO as the Credential Server for Protected Sites

OTP Server. Integration module. Nordic Edge AD Membership Provider for Microsoft ASP.NET. Version 1.0, rev. 6. Nordic Edge

Reference and Troubleshooting: FTP, IIS, and Firewall Information

Installation Guide for Pulse on Windows Server 2012

Configuration Task 3: (Optional) As part of configuration, you can deploy rules. For more information, see "Deploy Inbox Rules" below.

Installation Guide for Pulse on Windows Server 2008R2

FTP, IIS, and Firewall Reference and Troubleshooting

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Upgrade Guide BES12. Version 12.1

To install Multifront you need to have familiarity with Internet Information Services (IIS), Microsoft.NET Framework and SQL Server 2008.

Configuration Guide. BES12 Cloud

WhatsUp Gold v16.3 Installation and Configuration Guide

DIGIPASS Pack for Citrix on WI 4.5 does not detect a login attempt. Creation date: 28/02/2008 Last Review: 04/03/2008 Revision number: 2


Installation and Administration Guide. BlackBerry Web Desktop Manager for Microsoft Exchange. Version: 1.0 Service Pack: 1

DIGIPASS Authentication for GajShield GS Series

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Secure Messaging Server Console... 2

Configuration Guide BES12. Version 12.3

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

PRODUCT VERSION: LYNC SERVER 2010, LYNC SERVER 2013, WINDOWS SERVER 2008

Installation and Configuration Guide

SchoolBooking SSO Integration Guide

Exchange 2010 PKI Configuration Guide

Click Studios. Passwordstate. Installation Instructions

Sophos Mobile Control Installation guide

BlackBerry Enterprise Service 10. Version: Configuration Guide

Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)

qliqdirect Active Directory Guide

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

Click Studios. Passwordstate. Installation Instructions

WEBCONNECT INSTALLATION GUIDE. Version 1.96

Setting Up SSL on IIS6 for MEGA Advisor

Integrating LANGuardian with Active Directory

Training module 2 Installing VMware View

Setup Guide: Server-side synchronization for CRM Online and Exchange Server

Microsoft Outlook Setup With Exchange Server. Outlook

Managing Qualys Scanners

Migrating helpdesk to a new server

Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2

A Guide to New Features in Propalms OneGate 4.0

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

Vyapin Office 365 Management Suite

3 Setting up Databases on a Microsoft SQL 7.0 Server

Siteminder Integration Guide

Burst Technology. bt-webfilter User Guide

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

Pcounter CGI Utilities Installation and Configuration For Pcounter for Windows version 2.55 and above

Exchange 2013 mailbox setup guide

Virto Password Reset Web Part for SharePoint. Release Installation and User Guide

Request Manager Installation and Configuration Guide

Installation Guide v3.0

Virto Active Directory Service for SharePoint. Release Installation and User Guide

Apache Server Implementation Guide

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Step by step guide to implement SMS authentication to Cisco ASA Clientless SSL VPN and Cisco VPN

Installing and Configuring vcenter Support Assistant

QUANTIFY INSTALLATION GUIDE

How To Manage Storage With Novell Storage Manager 3.X For Active Directory

MailEnable Connector for Microsoft Outlook

Aradial Installation Guide

Quick Start Guide for Parallels Virtuozzo

Millennium Drive. Installation Guide

Connecting to Delta College Exchange services off-campus

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008

Portions of this product were created using LEADTOOLS LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Migrating MSDE to Microsoft SQL 2008 R2 Express

Apple Mail Outlook Web Access (OWA) Logging In Changing Passwords Mobile Devices Blackberry...

Table of Contents. Preface. Chapter 1: Getting Started with Endpoint Application Control. Chapter 2: Updating Components

Introduction to the Secure Gateway (SEG)

Access to Webmail services via a Non Trust Computer

Using Logon Agent for Transparent User Identification

Pcounter Web Report 3.x Installation Guide - v Pcounter Web Report Installation Guide Version 3.4

Kaseya Server Instal ation User Guide June 6, 2008

User Management Tool 1.6

Using LDAP Authentication in a PowerCenter Domain

AVG Business SSO Connecting to Active Directory

Table of Contents. CHAPTER 1 About This Guide CHAPTER 2 Introduction CHAPTER 3 Database Backup and Restoration... 15


Portions of this product were created using LEADTOOLS LEAD Technologies, Inc. ALL RIGHTS RESERVED.

HOWTO: Installation of Microsoft Office SharePoint Server 2007

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

MGC WebCommander Web Server Manager

Installation & Configuration Guide

Windows XP Exchange Client Installation Instructions

Installing and Configuring WhatsUp Gold

Client configuration and migration Guide Setting up Thunderbird 3.1

Transcription:

OTP SERVER INTEGRATION MODULE IIS SECURE ACCESS FILTER 1.3 Copyright, NordicEdge, 2006 www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 1 of 14

1 Introduction 1.1 Overview Nordic Edge One Time Password Server adds an extra security layer to protect your applications. When the user id and password is successfully verified, a One Time Password is sent to the user s mailbox or mobile phone through SMS (Short Message Services). This One Time Password will be verified and only then will the user be authenticated to the application. 1.2 IIS Secure Access Filter Overview Nordic Edge Secure Access Filter for IIS enables strong authentication for applications running on Microsoft IIS Server, like Outlook Web Access (OWA). Use existing authentication technologies like Basic authentication in combination with our One Time Password protection to secure your web applications for use on the internet, intranet or extranet environments. It is also possible to us form based authentication using the OtpForm method. Product Features: - Supports Basic, Forms authentication - Installed as an ISAPI filter to protect all incoming requests - Inactivity expire time - Customizable login and error templates - Logging - Secure logoff - Supports proxy servers www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 2 of 14

1.3 Prerequisites & system requirements 1.3.1 OS IIS Secure Access Filter runs on the following Windows platforms: Windows NT 4 Server SP 6 Windows 2000 Server SP 4 Windows 2003 Server 1.3.2 IIS IIS Secure Access Filter runs on the following IIS versions: IIS 4, IIS 5, IIS 6 1.3.3 Active Directory & LDAP Active Directory must be setup and configured for Nordic Edge One Time Password Server to authenticate and retrieve mobile numbers for users. Nordic Edge OTP Server can use any LDAP v3 compatible Directory Service and also an ODBC compliant database server to perform authentication and mobile lookup. AD is the recommended Directory Service for IIS Secure Access Filter. 1.3.4 OTP Server Nordic Edge One Time Password Server 14C or higher. Nordic Edge OTP Server must be configured before the filter can be used. See Nordic Edge One Time Password Server Administration Manual for more information on how to configure this. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 3 of 14

2 Installation 2.1 Installing IIS Secure Access Filter 2.1.1 Install IIS Secure Access Filter Follow these steps for a successful installation of IIS integration module: 1. Download the latest package and the latest revision of this document from the Nordic Edge One Time Password Server product site. 2. Unzip and copy to C:\Program Files\Nordic Edge\ or other location of choice. Be sure to change any references to the new location if changed. 3. Open IIS management console and select the web that should be protected. 4. Select properties and click the ISAPI-Filter tab. 5. Select add. 6. Enter OtpFilter13 as the name of the filter and browse for the OtpFilter13.dll found in the "install dir"/filter folder. Note that the dll can be placed in any folder as long as the ini file is placed in the same folder. 7. Click Apply. 8. Restart IIS to load the filter. Open the ISAPI-Filter tab again and check that the filter is running. Note that if you are running IIS 6.0, the filter will not be loaded until the first request has been made. 9. Continue to configure the filter described in Chapter 3 to change the default settings. Note that the installer will configure a number of attributes. 10. After all configuration parameters have been set, IIS must be restarted to load the new settings. Remember to set FilterActive=1 in the configuration file. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 4 of 14

3 Configuration 3.1 Filter configuration All settings for the filter are defined in the OtpFilter13.ini file. This file must exist in the same folder as the filter dll (OtpFilter13.dll). If any parameters are missing default data will be used by the filter. Several parameters specify URL or file paths which obviously must be valid for the filter to run properly. All file paths used by the filter must have the necessary access rights. 3.1.1 Parameters Value FilterActive OtpTemplateURL LogoffURL Meaning FilterActive specifies if the filter is active or not. If set to 1 the filter is activated and if set to 0 the filter is deactivated and does not perform any actions. Default value is 0. OtpTemplateURL specifies the URL for the page which collects the OTP challenge from the user. The default value is '/otpweb/logon.asp'. Note that if any images or other resources is used on the logon template those resources must be excluded using the ExcludeUrl directive. LogoffURL specifies the URL for the page that should be used to reset OTP authentication for the logged on user. This could by any page. The default value is '/otpweb/logoff.asp'. Note that if any images or other resources is used on the logon template those resources must be excluded using the ExcludeUrl directive. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 5 of 14

Value ErrorTemplateURL IncludeUrl ExcludeUrl MaxCacheUsers CacheReorderThreshold OtpQueryString OtpServerList Meaning ErrorTemplateUrl specifies the URL for the template that the filter redirects any errors to. The default value is '/otpweb/error.asp'. Note that if any images or other resources is used on the logon template those resources must be excluded using the ExcludeUrl directive. IncludeUrl specifies the URL's that the filter should include in a comma separated list. If an empty value is used the filter will protect root. The default value is '/otpweb'. ExcludeUrl specifies the URL that the filter should exclude in a comma separated list. The filter will only trigger on URL's with its base from IncludeUrl. This must be used for pages specified in LogonTemplateUrl, LogoffUrl or ErrorTemplateUrl if they include any resources like images, css etc. Use empty value to not exclude any URL's. The default value is '/otpweb/open'. MaxCacheUsers specifies the maximum amount of users that simultanously can exist in the filters user cache. Note that this setting may affect server memory usage and performance. A higher setting will use more RAM memory. The default value is '1000'. CacheReorderThreshold specifies the point when a user should be moved to the top of the cache. Note that this setting may affect performance. The default value is '50'. OtpQueryString specifies which query string parameter should be used by the filter to read the OTP challange from the logon page. The default value is 'otppwd'. OtpServerList specifies the OTP fail-over servers in a comma separated list. Each server contains dns:port where dns is the server dns name, like 123.123.123.123 or otp.company.com and port is the portnumber that the OTP server listens to. The default value is '127.0.0.1:3100'. The filter will always try the first server in the list. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 6 of 14

Value EnableLogging LogPath LogLevel SecurityLevel CacheExpireTime AuthMode OtpFormLogonTemplateUrl Meaning EnableLogging specifies if logging is enabled or not. If set to 1 logging is enabled and if set to 0 logging is disabled and does not perform any logging. Default value is 0. LogPath specifies the URL for the log file. The default value is 'C:\Inetpub\Filter\OtpFilter.log'. If the log file is not found or cannot be read or created, the filter will not be started. LogLevel specifies the level of log information written to the log file. The default value is 0. LogLevel can be set to 0,1,2 and 99. Higher values means that more information is written to the log file. Note that extensive logging affects performance. Only use LogLevel 99 for debug or test purposes. SecurityLevel specifies the level of security for the filter. The highest security value is 1. Set security value to 2 to allow OTP in mixed mode that makes it possible to configure OTP to disable the need for an OTP challange for certain users. Only use security levels of 2 and higher for debugging and test purposes. Production environments should always use security level 1. The default value is 1. CacheExpireTime specifies the amount of time in seconds that users are allowed to be inactive. If a user has been inactive for the specified time the user will need to login again with a new OTP. The default value is 3600 (1 hour). Set the value to 0 to never expire users. AuthMode specifies which authentication mode to use. Valid authentication modes are Basic and OtpForm.On IIS only basic authentiction must be used for all protected paths (both included and excluded URL's). Default value is Basic. OtpFormLogonTemplateURL specifies the template to use for collecting user credentials, when using OtpForm authentication mode. Default value is /otpweb/otpform.asp. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 7 of 14

Value OtpFormUserParam OtpFormPasswordParam DefaultDomainName Meaning OtpFormUserParam specifies the parameter that is used to send the username in the GET response from the logon page. Default value is username. If changed make sure to also change the OTP form logon template. OtpFormPasswordParam specifies the parameter that is used to send the password in the GET response from the logon page. Default value is password. If changed make sure to also change the OTP form logon template. DefaultDomainName specifies what windows domain name to use if no domain name is supplied by the user. Default value is empty. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 8 of 14

3.2 IIS configuration 3.2.1 Filter templates The filter uses three templates to display the OTP logon page (if using OtpForm authentication mode), OTP challenge page and OTP error page. These templates can be custom made to fit any corporate standards. If the default templates are changed, they must still perform certain functions for the filter to work properly. Do not remove any code that is marked as necessary by the filter. The templates can be placed in any folder as long as it can be added as a directory in IIS. Create template directories in IIS: 1. Open IIS manager. 2. Browse to the web site where the filter is installed. 3. Right-click on the web site and select to create a new virtual directory. 4. Add otpweb as the alias for the directory. Browse for the folder that contains the templates, install dir/otpweb/generic. The alias does not need to be named otpweb, just make sure that the configuration file is updated accordingly. 5. Set authentication type to Basic. If using OtpForm the folder /open and the files specified by ErrorTemplateURL and OtpFormLogonTemplateUrl must be set to anonymous authentication. 6. Update the configuration file to point to the logon, challenge and error templates. If there are any images or other resources in any templates or logoff URL, those resources must be placed in a directory that is excluded from the filter. This is done using the ExcludeUrl parameter in the configuration file. Note: All linked resources under a protected URL must be included in the IncludeURL or in the ExcludeURL configuration parameter. If not, unexpected results could occur. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 9 of 14

3.2.2 Authentication Type The filter supports Basic and form based authentication types, but IIS must only be set to Basic authentication. Make sure that all resources that should be protected by the filter use the chosen authentication type (exceptions are pages used before the user is authenticated by the filter). Set authentication type in IIS: 1. Open IIS manager. 2. Browse to the web site where the filter is installed. 3. Browse to the directory that should be protected. 4. Right-click and select properties. 5. Select the Directory Security tab and then edit. 6. Select Basic authentication. These settings must also match the setting of the filter configuration file. 7. Continue with step 3 for all resources that should be protected. Note! Due to basic authentication being used, web site should use HTTPS (SSL), since basic authentication type send user name and password in clear text over the internet. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 10 of 14

3.3 OTP Configuration For the filter to communicate with the NordicEdge OTP Server correctly certain configuration parameters must be set on the NordicEdge OTP Server. First OTP must be able to lookup the user name sent to the NordicEdge OTP Server by the filter. This means that the IIS server must be set up as a client and that an LDAP or SQL must be configured to lookup the user s mobile number. Detailed information about configuring the NordicEdge OTP Server please consult the NordicEdge One Time Password Server administration manual. 3.3.1 Client sample Make sure that the IIS server is added as a client in Nordic Edge OTP Server. For detailed information about Nordic Edge OTP server parameters, please consult the Nordic Edge One Time Password Server administration manual. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 11 of 14

3.3.2 Modify client sample: For detailed information about Nordic Edge OTP server parameters, please consult the Nordic Edge One Time Password Server administration guide. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 12 of 14

3.3.3 Edit LDAP database sample Make sure that the search filter can retrieve the user names that should be used by the filter to authenticate through the Nordic Edge OTP Server. For detailed information about Nordic Edge OTP server parameters, please consult the Nordic Edge One Time Password Server administration guide. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 13 of 14

4 Appendix A: Misc 4.1 Memory planning The filter stores all user information in an in-memory cache for fast lookups and a minimal performance overhead. To calculate how much RAM memory the server needs for the expected amount of users, use the formula below. Note that the operating system, IIS server and other services also need memory to run properly. RAM needed by filter (Kb) = 1.2Kb * max amount of users 4.2 Troubleshooting For troubleshooting and support, please go to http://www.nordicedge.se. www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 14 of 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information