Implementation Guide for Juniper SSL VPN SSO with OWA with BlackShield ID




Implementation Guide for Juniper SSL VPN SSO with OWA with BlackShield ID

Copyright 2009 CRYPTOCard Inc. http://www.cryptocard.com

Copyright

Copyright 2009, CRYPTOCard. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.

Trademarks

BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners.

Additional Information, Assistance, or Comments

CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:

International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.

Publication History

Date                Changes                   Version
April 15, 2009      Document created          1.0
July 9, 2009        Copyright year updated    1.1
October 16, 2009    Minor updates             1.2

BlackShield ID Implementation Guide for Juniper SSL VPN SSO

Table of Contents

Overview
Applicability
Assumptions
Operation
Preparation and Prerequisites
Configuration
    Adding the RADIUS Server
Troubleshooting
    Failed Logons
Agent Upgrade

Overview

By default, Juniper SSL VPN logons require that a user provide a correct user name and password to log on successfully. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding a requirement to provide a one-time password generated by a CRYPTOCard token, using the implementation instructions below. This document also describes how to add SSO for OWA.

Applicability

This integration guide is applicable to:

Security Partner Information
Security Partner: Juniper Networks
Product Name and Version: SA 700 / 6.2R1 (build 13255)
Protection Category: SSL Remote Access

CRYPTOCard Server
Authentication Server: BlackShield ID
Version: Small Business Edition 1.2+, Professional Edition 2.3+

Assumptions

1. BlackShield ID has been installed and configured and a Test user account can be selected in the Assignment Tab.
2. BlackShield ID NPS IAS Agent has been installed and configured on the NPS IAS Server to accept RADIUS authentication from the Juniper SSL VPN.

Operation

This document provides step-by-step instructions on how to configure the Juniper SSL VPN to send RADIUS authentication to an external RADIUS Server.

Preparation and Prerequisites

1. Verify that a Test user account with a static password can successfully authenticate via the Juniper SSL VPN.
2. Ensure that Ports 1812 UDP and 1813 UDP are open to the NPS / IAS Server.
3. The NPS IAS Agent must be configured to use either port 80 or port 443 to send authentication requests to the BlackShield ID server.
4. Ensure that you add a condition in IAS under Remote Access Policies. In the Remote Access Policies, right-click Authenticate to BlackShield and select Properties. Click Edit Profile and select the Advanced tab. Add an Attribute named Filter-Id with the value of CCUser1. Apply the changes and restart IAS.
5. Create or define a Test account that will be used to verify that the Juniper SSL VPN has been properly installed and configured. Verify that this account can successfully authenticate using a standard password before attempting to apply changes and test authentication using a token. Ensure that the user name for this account exists in BlackShield ID by locating it in the Assignment Tab.

Configuration

Adding the RADIUS Server

To add a new RADIUS Server, click Auth Servers.

From the dropdown box next to the New: heading, choose "Radius Server", and click on the "New Server..." button.

Fill in the information for the Primary CRYPTO-Server in the New RADIUS Server page.

Note: Fill the information in the Backup Server section if there is a Secondary BlackShield Server.

Check the Users authenticate using tokens and one-time passwords box and click on "Save Changes".

A New User Realm must be configured. Click on User Realm.

Click on Users Authentication Realm section.

Select the Role Mapping Tab.

Click on New Rule.

Beside Rule based on, click on the drop-down menu and select User attribute. Then click Update.

In the Name field, enter a name for reference. In this example CC Role Map was used.

Select Filter-Id (11) for the attribute, and enter CCUser1 for the attribute name.

Click Save Changes when finished.

In the General tab of the User Realm add the Active Directory Authentication as the first server.

Check Additional authentication server and add the RADIUS authentication.

Beside Username is: check predefined as: and enter <USERNAME>. Do not leave it as <USER>.

Edit the Default Sign-In Page or the page that you are using so that the Secondary password reads OTP.

In Resource Profiles / Web add a new Profile for OWA.

Make sure to add the Users in the Roles tab.

In the Exchange System Manager uncheck Enable Forms Based Authentication. The SSO will not work with Forms Based Authentication.

Testing CRYPTOCard Authentication

The next step is to test the newly configured CRYPTOCard Two Factor Authentication.

Open a web browser and go to http://junipersslvpn.dns.name/

Enter your username, Active Directory password and a CRYPTOCard generated Passcode.

Click Sign In.

If you successfully authenticate, then the following screen should appear.

Troubleshooting

Failed Logons

Symptom: Login Failed
Indication: 11/19/2008 12:36:49 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP
Possible Causes: The One Time Password provided for the user is incorrect.
Solution: Attempt to re-authenticate against BlackShield again. If it comes up as invalid OTP again, test the token out via the BlackShield ID Manager.

Symptom: Login Failed
Indication: 11/19/2008 12:47:24 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid PIN
Possible Causes: The PIN provided for the user is incorrect.
Solution: Attempt to re-authenticate against BlackShield again. If it comes up as invalid PIN again, changing the initial PIN back to default and forcing a PIN change would solve the issue, or have the user access the BlackShield Self Service page.
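The two Indication lines above share one layout, so failed logons can be triaged in bulk instead of read one at a time. The following is an added example, not part of the original guide: it parses lines in that layout, counts failures per user and reason, and attaches the guide's own next step. The field layout is inferred from the two lines on this page; the numeric field is carried through unchanged because the guide does not say what it represents, and single-word user names are an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Layout inferred from the two Indication lines in the guide.
LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<user>\S+) Authentication Failure "
    r"(?P<ident>\d+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<reason>Invalid (?:OTP|PIN))$"
)

# Next steps paraphrased from the Solution entries in the guide.
NEXT_STEP = {
    "Invalid OTP": "Retry; if it fails again, test the token in the BlackShield ID Manager.",
    "Invalid PIN": "Retry; if it fails again, reset the initial PIN to default and force "
                   "a PIN change, or send the user to the Self Service page.",
}

def parse(line: str):
    """Return a dict for a failure line, or None when the line has another layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    return rec

def triage(lines):
    """Return sorted (user, reason, count, next_step) tuples for the parsed failures."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["user"], rec["reason"])] += 1
    return [(u, r, n, NEXT_STEP[r]) for (u, r), n in sorted(counts.items())]

SAMPLE = [
    # The two lines quoted in the guide:
    "11/19/2008 12:36:49 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP",
    "11/19/2008 12:47:24 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid PIN",
    # Constructed line in a different layout, which the parser must skip:
    "11/19/2008 12:50:00 PM service restarted",
]

if __name__ == "__main__":
    for user, reason, count, step in triage(SAMPLE):
        print(f"{user}: {reason} x{count} -> {step}")
```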