CYAN Secure Web Microsoft ISA Server Deployment Guide




February 2010 Applies to: CYAN Secure Web 1.7.18 and above

Table of Contents

1 Introduction
2 Prerequisites
3 Deployment scenarios
3.1 Variant 1: CYAN Secure Web is downstream proxy
3.2 Variant 2: CYAN Secure Web is upstream proxy
3.3 Variant 3: CYAN Secure Web is transparent
4 Setup
4.1 CYAN Secure ISA Web plug-in
4.2 Variant 1: CYAN Secure Web is downstream proxy
4.3 Variant 2: CYAN Secure Web is upstream proxy
4.4 Variant 3: CYAN Secure Web is transparent

2009 CYAN Networks Software GmbH

1 Introduction

CYAN Secure Web is an enterprise proxy server featuring content classification in 26 different categories, protocol and application detection, caching functionality, seamless client authentication and further security features.

CYAN Secure Web perfectly integrates into your Microsoft ISA Server secured network, fully utilizing the security benefits of both Microsoft ISA Server and CYAN Secure Web.

To support profiles based on your Active Directory users, a plug-in for Microsoft ISA Server is necessary to forward user information from Microsoft ISA Server to CYAN Secure Web.

This document describes the supported deployment scenarios and also contains a guide for installing the CYAN Secure Web ISA plug-in.

2 Prerequisites

- CYAN Secure Web
  - Stand-alone software installation of CYAN Secure Web version greater than 1.7.17. Please upgrade to the latest version if you are using an older version. Both Linux and Windows versions are supported to work with Microsoft ISA Server.
  - CYAN Secure Web Appliance with CYAN Secure Web version greater than 1.7.17. Please use the CYAN Secure Web Appliance interface to upgrade to the latest version if you are using an older version.
- Microsoft ISA Server 2004 or higher
- CYAN Secure Web ISA plug-in. Information on how to obtain the plug-in can be found on our webpage at http://www.cyan-networks.com/isa_plugin
- IsaConnectionCaching.exe. This file is only needed for Setup variant 2: CYAN Secure Web is upstream proxy.

3 Deployment scenarios

CYAN Secure Web can be deployed into your existing Microsoft ISA Server network in various ways. Each of these scenarios has its benefits as well as some downsides.

3.1 Variant 1: CYAN Secure Web is downstream proxy

This scenario features a deployment as a downstream proxy, closer to the client than Microsoft ISA Server. Authentication using NTLM can be done either on the CYAN Secure Web proxy or on Microsoft ISA Server, but not both. Basic authentication can be passed through the CYAN Secure Web proxy engine to an upstream proxy, but does not feature seamless authentication on the client.

CYAN Secure Web features two mechanisms to forward information about the client to an upstream proxy. First, a custom HTTP header X-Forwarded-For can be enabled which contains the client's IP address. Then there is the X-Authenticated-User HTTP header which contains the user domain and user name. Both can be enabled in the CYAN Secure Web Administration Interface by enabling Forward auth in Server -> Cascade -> HTTP Cascade rules.

The CYAN Secure Web ISA plug-in must be installed on your Microsoft ISA Server to be able to pick up the user authentication from CYAN Secure Web correctly and set up the security context on Microsoft ISA Server.

3.2 Variant 2: CYAN Secure Web is upstream proxy

This scenario features a deployment as an upstream proxy located after Microsoft ISA Server. Authentication using NTLM is done on Microsoft ISA Server, and the authentication information is passed to CYAN Secure Web by the CYAN Secure Web ISA plug-in, which packs the user information into two HTTP headers, X-Authenticated-User and X-Forwarded-For. The CYAN Secure Web Proxy must be configured to pick up this information for user authentication by enabling Trusted authentication at Authentication -> Setup -> Methods in the CYAN Secure Web Administration Interface.

Please note that caching of HTTP objects must be disabled on Microsoft ISA Server and done solely on CYAN Secure Web; otherwise objects that are disallowed by CYAN Secure Web profiles could be delivered to the client.

The CYAN Secure Web ISA plug-in must be installed on your Microsoft ISA Server to forward authentication information from your Microsoft ISA Server to CYAN Secure Web. Also, Web Chaining must be configured to forward HTTP and HTTPS requests to CYAN Secure Web. The file IsaConnectionCaching.exe must be executed on the ISA Server to configure the ISA Server's connection caching size.

3.3 Variant 3: CYAN Secure Web is transparent

This scenario features a deployment as a transparent proxy located either before or after Microsoft ISA Server. User authentication is not supported in a transparent setup, except for IP-based authentication schemes (IP Groups, Novell eDirectory). Please note that if CYAN Secure Web is located after ISA server, the Secure Web Proxy will only see the ISA server's IP address, and authentication based on IP addresses does not make much sense.

In this scenario, load balancing can only be done using WCCP in conjunction with a Cisco router or by using a third-party load balancer.

4 Setup

4.1 CYAN Secure ISA Web plug-in

Place the two DLLs, CyanISA2SWEB.dll and CyanSWEB2ISA.dll, into your ISA server installation directory (for example C:\Program Files\Microsoft ISA Server).

Note: Visit our website http://www.cyan-networks.com/isa_plugin for information on how to obtain the ISA plug-in DLLs.

Then, open up a command prompt (Start -> Run -> cmd.exe), change to your ISA server installation directory (cd C:\Program Files\Microsoft ISA Server\) and register the necessary DLL, depending on your deployment scenario, with the following commands:

    C:\Program Files\Microsoft ISA Server\> regsvr32 CyanSWEB2ISA.dll
    C:\Program Files\Microsoft ISA Server\> regsvr32 CyanISA2SWEB.dll

Note: Only register the DLL for the deployment scenario you intend to use.

CyanSWEB2ISA.dll must be used if your Secure Web server is going to pass requests to your ISA server. This is variant 1 as described in 3.1 Variant 1: CYAN Secure Web is downstream proxy.

CyanISA2SWEB.dll is necessary if your ISA server is going to cascade (Web Chaining) to your Secure Web server. This is variant 2 as described in 3.2 Variant 2: CYAN Secure Web is upstream proxy.

Make sure that the ISA services are running, otherwise registering a DLL will fail. If registration succeeds, the plug-ins should be available on the Microsoft ISA server console now. You may need to restart the console to have the plug-ins show up for you.

After the CyanISA2SWEB.dll has been registered, you should be able to see the following:

Illustration 1: Correctly enabled CyanISA2SWEB plug-in

After the CyanSWEB2ISA.dll has been registered, you should be able to see the following:

Illustration 2: Correctly enabled CyanSWEB2ISA plug-in

4.2 Variant 1: CYAN Secure Web is downstream proxy

CYAN Secure Web needs to be configured to pass HTTP requests to an upstream Microsoft ISA server and to include authentication information (user, IP) in these requests. To do this, open up the CYAN Secure Web administration interface and navigate to Server -> Cascade -> HTTP Cascade. Add a rule to direct the web traffic to your Microsoft ISA server as shown below:

Illustration 3: HTTP Cascade rule for an upstream ISA server

The rule will make sure that all traffic originating from 0.0.0.0/0 (everything) to target URL * (everything) will be directed through an upstream proxy server 10.1.4.232 port 8080 (your Microsoft ISA server). Authentication information is forwarded to the upstream ISA server by means of the X-Authenticated-User header.

The Secure Web ISA plug-in (CyanSWEB2ISA.dll) will pick up this information so that firewall rules can be based on it. This requires the CyanAuthentication authentication scheme to be enabled on your client network.

Illustration 4: Microsoft ISA server with CyanAuthentication enabled on the internal network

To base web-access firewall rules on the available user information, you will need to add the allowed users to these rules. Open up your web-access firewall rule, click on the Users tab and add a new user set by clicking on New in the Add Users dialog.

Illustration 5: Properties of a Firewall Policy rule

This will create a group SecureWeb (the name is just an example and can be altered). Now you will need to add users to this group.

Illustration 6: Adding a user to the user set

Please note that you need to choose the CyanAuthentication provider when adding new users, otherwise ISA server will not be able to connect the user information passed from CYAN Secure Web to the user list configured here.

The last step is to add your newly created user set to the web access firewall policy.

4.3 Variant 2: CYAN Secure Web is upstream proxy

Microsoft ISA server must be configured to pass web traffic to a CYAN Secure Web upstream proxy. To do this, you need to enable Web Chaining on the ISA server and prepare your CYAN Secure Web to pick up user authentication forwarded from the ISA server.

Please note that you need to have working authentication of your clients against Microsoft ISA server, otherwise no user information will be passed along by the CYAN Secure Web ISA plug-in. Setup of client authentication against ISA server is not part of this document.

While the ISA Server is running you have to execute the file IsaConnectionCaching.exe. This automatically configures the ISA Server's connection caching size. This must be done in order to establish a seamless authorization between ISA Server and CYAN Secure Web.

Illustration 7: Microsoft ISA server cascading to a CYAN Secure Web proxy

CYAN Secure Web needs to be configured to trust authentication information passed from ISA server and the CYAN Secure Web ISA plug-in. You will need to enable Trusted Authentication and fill in the IP(s) of your Microsoft ISA Server systems so CYAN Secure Web will trust information from these sources.

Additionally, an authentication instance needs to be configured to get user and group information from an authentication source. This source is preferably a Microsoft Active Directory connected with the CYAN Authentication Daemon. ISA server forwards the user information to Secure Web in the form of DOMAINNAME\Username. Therefore you must configure your authentication instance to use the Domain and have the option Use Domain prefix enabled. Setup of this is covered in a separate document and not provided here.
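The trust decision that section 4.3 configures, written out as an added example (this is not CYAN's code): identity headers are honoured only when the connection comes from a listed ISA Server address, and are stripped otherwise. The function names are hypothetical, the header is assumed to carry the raw DOMAINNAME\Username string, and the account and client addresses are constructed.

```python
import ipaddress

# Constructed sample configuration: 10.1.4.232 is the ISA server address used
# in this guide's illustrations; list every ISA Server address here.
TRUSTED_SOURCES = [ipaddress.ip_network("10.1.4.232/32")]
IDENTITY_HEADERS = ("x-authenticated-user", "x-forwarded-for")


def parse_authenticated_user(value):
    """Split 'DOMAINNAME\\Username' into (domain, user); None if malformed.

    Assumption: the header carries the raw DOMAINNAME\\Username string.
    """
    if not value or value != value.strip() or value.count("\\") != 1:
        return None
    if any(ord(ch) < 32 for ch in value):  # control characters, CR/LF included
        return None
    domain, user = value.split("\\")
    return (domain, user) if domain and user else None


def resolve_identity(peer_ip, headers, trusted=TRUSTED_SOURCES):
    """Return (user, client_ip, headers_to_keep) for one request.

    peer_ip is the source address of the TCP connection, never a header value.
    headers is a dict with lower-cased header names.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        # Not an ISA server: ignore and strip the identity headers so that a
        # client connecting directly cannot assert a user or an address.
        kept = {k: v for k, v in headers.items() if k not in IDENTITY_HEADERS}
        return None, peer_ip, kept
    user = parse_authenticated_user(headers.get("x-authenticated-user"))
    client_ip = peer_ip
    try:
        forwarded = headers.get("x-forwarded-for", "").strip()
        client_ip = str(ipaddress.ip_address(forwarded))
    except ValueError:
        pass  # absent or not a single address: keep the peer address
    return user, client_ip, dict(headers)


if __name__ == "__main__":
    sample = {"host": "example.test",
              "x-authenticated-user": "CORP\\alice",   # constructed account
              "x-forwarded-for": "192.168.10.5"}       # constructed client
    print(resolve_identity("10.1.4.232", sample))      # trusted ISA server
    print(resolve_identity("192.168.10.66", sample))   # direct, untrusted client
```

A request that reaches the proxy without passing through ISA Server gets no user identity, which is why the trusted list should contain only the ISA Server systems.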

4.4 Variant 3: CYAN Secure Web is transparent

Since CYAN Secure Web is placed transparently in the network before or after Microsoft ISA server, nothing needs to be set up in either ISA server or Secure Web to make them work together.