Integration Guide for eToken NG OTP with Check Point FW1 ™ R55

Transcription

Integration Guide for eToken
OTP Authentication Module
with Security Solutions
February, 2005
Contact Information
Support
If you have any questions regarding this package, its
documentation and content or how to obtain a valid software
license you may contact your local reseller or Aladdin's technical
support team:
Country /
Region
Support Email
Telephone
USA
[email protected]
1-212-329-6658
1-800-223-4277
EUROPE:
Austria,
Belgium,
France,
Germany,
Netherlands,
Spain,
Switzerland,
UK
[email protected]
00800-22523346
Ireland
[email protected]
0011800-22523346
Rest of the
World
[email protected]
+972-3-6362266
ext 2
Website
http://www.Aladdin.com/etoken
i
COPYRIGHTS AND TRADEMARKS
The eToken
system and its documentation are copyrighted © 1985 to present, by
Aladdin Knowledge Systems Ltd.
™
All rights reserved.
eToken is a trademark and ALADDIN KNOWLEDGE SYSTEMS LTD is a registered trademark of
Aladdin Knowledge Systems Ltd.
™
All other trademarks, brands, and product names used in this guide are trademarks of their
respective owners.
This manual and the information contained herein are confidential and proprietary to Aladdin
Knowledge Systems Ltd. (hereinafter “Aladdin”). All intellectual property rights (including,
without limitation, copyrights, trade secrets, trademarks, etc.) evidenced by or embodied in
and/or attached/connected/related to this manual, information contained herein and the
Product, are and shall be owned solely by Aladdin. Aladdin does not convey to you an interest
in or to this manual, information contained herein and the Product, but only a limited right of
use. Any unauthorized use, disclosure or reproduction is a violation of the licenses and/or
Aladdin's proprietary rights and will be prosecuted to the full extent of the Law.
DISCLAIMER
NEITHER ALADDIN NOR ANY OF ITS WORLDWIDE SUBSIDIARIES AND DISTRIBUTORS SHALL
BE OBLIGATED IN ANY MANNER IN RESPECT OF BODILY INJURY AND/OR PROPERTY DAMAGE
ARISING FROM THIS PRODUCT OR THE USE THEREOF. EXCEPT AS STATED IN THE ETOKEN
END USER LICENSE AGREEMENT, THERE ARE NO OTHER WARRANTIES, EXPRESSED OR
IMPLIED, REGARDING ALADDIN'S PRODUCTS, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The product
must be used and maintained in strict compliance with instructions and safety precautions
contained herein, in all supplements hereto and according to all terms of its End User License
Agreement. This product must not be modified or changed without the written permission of the
copyright holder.
All attempts have been made to make the information in this document complete and accurate.
Aladdin is not responsible for any direct or indirect damages or loss of business resulting from
inaccuracies or omissions. The specifications in this document are subject to change without
notice.
ii
ALADDIN KNOWLEDGE SYSTEMS LTD.
eTOKEN ENTERPRISE END USER LICENSE AGREEMENT
IMPORTANT INFORMATION - PLEASE READ THIS AGREEMENT CAREFULLY BEFORE OPENING
THE PACKAGE AND/OR USING THE CONTENTS THEREOF AND/OR BEFORE DOWNLOADING OR
INSTALLING THE SOFTWARE PROGRAM. ALL ORDERS FOR AND USE OF THE eTOKEN
ENTERPRISE PRODUCTS (including without limitation, libraries, utilities, diskettes, CD-ROM,
eToken™ keys and the accompanying technical documentation) (hereinafter “Product”)
SUPPLIED BY ALADDIN KNOWLEDGE SYSTEMS LTD. (or any of its affiliates - either of them
referred to as “ALADDIN”) ARE AND SHALL BE, SUBJECT TO THE TERMS AND CONDITIONS SET
FORTH IN THIS AGREEMENT. BY OPENING THE PACKAGE CONTAINING THE PRODUCTS
AND/OR BY DOWNLOADING THE SOFTWARE (as defined hereunder) AND/OR BY INSTALLING
THE SOFTWARE ON YOUR COMPUTER AND/OR BY USING THE PRODUCT, YOU ARE ACCEPTING
THIS AGREEMENT AND AGREEING TO BE BOUND BY ITS TERMS AND CONDITIONS.
IF YOU DO NOT AGREE TO THIS AGREEMENT DO NOT OPEN THE PACKAGE
AND/OR DOWNLOAD AND/OR INSTALL THE SOFTWARE AND PROMPTLY (within 7
days from the date you received this package) RETURN THE PRODUCTS WITH THE
ORIGINAL PACKAGE AND THE PROOF OF PAYMENT TO ALADDIN, ERASE THE
SOFTWARE, AND ANY PART THEREOF, FROM YOUR COMPUTER AND DO NOT USE IT IN
ANY MANNER WHATSOEVER.
1. Title & Ownership. The object code version of the software component of Aladdin’s eToken
Enterprise Product, including any revisions, corrections, modifications, enhancements,
updates and/or upgrades thereto about to be installed by you, (hereinafter in whole or any
part thereof defined as: "Software"), and the related documentation, ARE NOT FOR SALE
and are and shall remain in Aladdin’s sole property. All intellectual property rights
(including, without limitation, copyrights, trade secrets, trademarks, etc.) evidenced by or
embodied in and/or attached/connected/related to the Product, are and shall be owned
solely by Aladdin. This Agreement does not convey to you an interest in or to the Software,
but only a limited right of use revocable in accordance with the terms of this Agreement.
Nothing in this Agreement constitutes a waiver of Aladdin’s intellectual property rights under
any law.
2. License. Subject to payment of applicable fees, Aladdin hereby grants to you, and you
accept, a personal, nonexclusive and fully revocable limited License to use the Software, in
executable form only, as described in the Software accompanying technical documentation
and only according to the terms of this Agreement: (i) you may install the Software and use
it on computers located in your place of business, as described in Aladdin’s related
documentation; and (ii) you may merge and link the Software into your computer programs
for the sole purpose described in the accompanying technical guide provided by Aladdin
(“Technical Guide”).
3. Prohibited Uses. The Product must be used and maintained in strict compliance with the
instruction and safety precautions of Aladdin contained herein, in all supplements thereto
and in any other written documents of Aladdin. Except as specifically permitted in Sections 1
and 2 above, you agree not to (i) use, modify, merge or sub-license the Software or any
other of Aladdin’s Products, except as expressly authorized in this Agreement and in the
Technical Guide; and (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or
share your rights under this License with/to anyone else; and (iii) modify, disassemble,
decompile, reverse engineer, revise or enhance the Software or attempt to discover the
Software’s source code; and (iv) place the Software onto a server so that it is accessible via
a public network; and (v) use any back-up or archival copies of the Software (or allow
someone else to use such copies) for any purpose other that to replace an original copy if it
is destroyed or becomes defective. If you are a member of the European Union, this
agreement does not affect your rights under any legislation implementing the EC Council
Directive on the Legal Protection of Computer Programs. If you seek any information within
the meaning of that Directive you should initially approach Aladdin.
iii
4. Maintenance and Support. Aladdin has no obligation to provide support, maintenance,
upgrades, modifications, or new releases under this Agreement.
5. Limited Warranty. Aladdin warrants, for your benefit alone, that (i) the Software, when
and as delivered to you, and for a period of three (3) months after the date of delivery to
you, will perform in substantial compliance with the Technical Guide, provided that it is used
on the computer hardware and with the operating system for which it was designed; and (ii)
that the eToken™ key, for a period of twelve (12) months after the date of delivery to you,
will be substantially free from significant defects in materials and workmanship.
6. Warranty Disclaimer. ALADDIN DOES NOT WARRANT THAT ANY OF ITS PRODUCT(S)
WILL MEET YOUR REQUIREMENTS OR THAT ITS OPERATION WILL BE UNINTERRUPTED OR
ERROR-FREE. TO THE EXTENT ALLOWED BY LAW, ALADDIN EXPRESSLY DISCLAIMS ALL
EXPRESS WARRANTIES NOT STATED HEREIN AND ALL IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE. NO ALADDIN’S DEALER, DISTRIBUTOR, RESELLER, AGENT OR
EMPLOYEE IS AUTHORIZED TO MAKE ANY MODIFICATIONS, EXTENSIONS, OR ADDITIONS
TO THIS WARRANTY. If any modifications are made to the Software or to any other part of
the Product by you during the warranty period; if the media and the eToken™ key is
subjected to accident, abuse, or improper use; the Product has not been properly installed,
operated, repaired or maintained in accordance with the instructions supplied by Aladdin;
the Product has been subjected to abnormal physical or electrical stress, negligence or
accident; or if you violate any of the terms of this Agreement, then the warranty in Section
5 above, shall immediately be terminated. The warranty shall not apply if the Software is
used on or in conjunction with hardware or program other than the unmodified version of
hardware and program with which the Software was designed to be used as described in the
Technical Guide.
7. Limitation of Remedies. In the event of a breach of this warranty, Aladdin's sole
obligation shall be, at Aladdin's sole discretion: (i) to replace or repair the Product, or
component thereof, that does not meet the foregoing limited warranty, free of charge; (ii)
to refund the price paid by you for the Product, or component thereof. Any replacement or
repaired component will be warranted for the remainder of the original warranty period or
30 days, whichever is longer. Warranty claims must be made in writing during the warranty
period and within seven (7) days of the observation of the defect accompanied by evidence
satisfactory to Aladdin. All Products should be returned to the distributor from which they
were purchased (if not purchased directly from Aladdin) and shall be shipped by the
returning party with freight and insurance paid. The Product or component thereof must be
returned with a copy of your receipt.
8. Exclusion Of Consequential Damages. The parties acknowledge that Product is
inherently complex and may not be completely free of errors. ALADDIN SHALL NOT BE
LIABLE (WHETHER UNDER CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE)
TO YOU, OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE (INCLUDING INDIRECT,
SPECIAL OR CONSEQUENTIAL DAMAGES), INCLUDING, WITHOUT LIMITATION, ANY LOSS
OR DAMAGE TO BUSINESS EARNINGS, LOST PROFITS OR GOODWILL AND LOST OR
DAMAGED DATA OR DOCUMENTATION, SUFFERED BY ANY PERSON, ARISING FROM
AND/OR RELATED WITH AND/OR CONNECTED TO DELIVERY, INSTALLATION, USE OR
PERFORMANCE OF THE PRODUCT AND/OR ANY COMPONENT OF THE PRODUCT, EVEN IF
ALADDIN IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
9. Limitation Of Liability. IN THE EVENT THAT, NOTWITHSTANDING THE TERMS OF THIS
AGREEMENT, ALADDIN IS FOUND LIABLE FOR DAMAGES BASED ON ANY DEFECT OR
NONCONFORMITY OF ITS PRODUCT(S), ITS TOTAL LIABILITY FOR EACH DEFECTIVE
PRODUCT SHALL NOT EXCEED THE PRICE PAID TO ALADDIN FOR SUCH PRODUCT.
10. Termination. Your failure to comply with the terms of this Agreement shall terminate your
license and this Agreement. Upon termination of this Agreement: (i) the License granted to
you in this Agreement shall expire and you, upon termination, shall discontinue all further
iv
use of the Software and other licensed Product(s); and (ii) you shall promptly return to
Aladdin all tangible property representing Aladdin’s intellectual property rights and all copies
thereof and/or shall erase/delete any such information held by it in electronic form. Sections
1, 3, 6-11 shall survive any termination of this Agreement.
11. Governing Law & Jurisdiction. This Agreement shall be construed and governed in
accordance with the laws of Israel (except for conflict of law provisions) and only the courts
in Israel shall have jurisdiction in any conflict or dispute arising out of this Agreement. The
application of the United Nations Convention of Contracts for the International Sale of Goods
is expressly excluded. The failure of either party to enforce any rights granted hereunder or
to take action against the other party in the event of any breach hereunder shall not be
deemed a waiver by that party as to subsequent enforcement of rights or subsequent
actions in the event of future breaches.
12. Government Regulation and Export Control. You agree that the Product will not be
shipped, transferred, or exported into any country or used in any manner prohibited by
applicable law. It is stipulated that the Product is subject to certain export control laws,
rules, and/or regulations, including, without limiting the foregoing, to the United States
and/or Israeli export control laws, rules, and/or regulations. You undertake to comply in all
respects with the export and re-export restriction as set forth herein and any update made
thereto from time to time.
13. Third Party Software. Product contains third party software, as set forth in Exhibit A. Such
third party’s software is provided “As Is” and use of such software shall be governed by the
terms and conditions as set forth in Exhibit A. If the Product contains any software provided
by third parties other than the software noted in Exhibit A, such third party’s software are
provided “As Is” and shall be subject to the terms of the provisions and condition set forth
in the agreements contained/attached to such software. In the event such agreements are
not available, such third party software shall be provided “As Is” without any warranty of
any kind and Sections 2, 3, 6, 8, 9-12 of this Agreement shall apply to all such third party
software providers and third party software as if they were Aladdin and the Product
respectively.
14. Miscellaneous. This Agreement represents the complete agreement concerning this
License and may be amended only by a written agreement executed by both parties. If any
provision of this Agreement is held to be unenforceable, such provision shall be reformed
only to the extent necessary to make it enforceable.
I HAVE READ AND UNDERSTOOD THIS AGREEMENT AND AGREE TO BE BOUND BY ALL
OF THE TERMS.
v
FCC Compliance
eToken USB has been tested and found to comply with the limits for a Class B digital device,
pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection
against harmful interference in a residential installation.
This equipment generates, uses and can radiate radio frequency energy and, if not installed and
used in accordance with the instructions, may cause harmful interference to radio
communications. However, there is no guarantee that interference will not occur in a particular
installation.
If this equipment does cause harmful interference to radio or television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the
interference by one of the following measures:
a.Reorient or relocate the receiving antenna.
b.Increase the separation between the equipment and receiver.
c. Connect the equipment to an outlet on a circuit different from that to which the receiver is
connected.
d.Consult the dealer or an experienced radio/TV technician.
FCC Warning
Modifications not expressly approved by the manufacturer could void the user authority to
operate the equipment under FCC rules.
All of the above applies also to the eToken USB.
FCC authorities have determined that the rest of the eToken product line does not contain a
Class B Computing Device Peripheral and therefore does not require FCC regulation.
CE Compliance
The eToken product line complies with the CE EMC Directive and related
standards*. eToken products are marked with the CE logo and an eToken CE
conformity card is included in every shipment or upon demand.
*EMC directive 89/336/EEC and related standards EN 55022, EN 50082-1.
UL Certification
The eToken product line successfully completed UL 94 Tests for Flammability of Plastic Materials
for Parts in Devices and Appliances. eToken products comply with UL 1950 Safety of
Information Technology Equipment regulations.
ISO 9002 Certification
The eToken product line is designed and manufactured by Aladdin Knowledge
Systems, an ISO 9002-certified company. Aladdin's quality assurance system is
approved by the International Organization for Standardization (ISO), ensuring
that Aladdin products and customer service standards consistently meet
specifications in order to provide outstanding customer satisfaction.
vi
Certificate of Compliance
Upon request, Aladdin Knowledge Systems will supply a Certificate of Compliance to any
software developer who wishes to demonstrate that the eToken product line conforms to the
specifications stated. Software developers can distribute this certificate to the end user along
with their programs.
vii
Table of Contents
Chapter 1........................................................................................ 1
Introduction ................................................................................................................1
The Challenge.............................................................................................................1
Solution.......................................................................................................................2
Prerequisites ..............................................................................................................2
OTP Authentication Modes .......................................................................................3
Chapter 2........................................................................................ 5
OTP Overview.............................................................................................................5
Chapter 3........................................................................................ 7
IAS Overview ..............................................................................................................7
Chapter 4........................................................................................ 9
VPN Environment Settings .......................................................................................9
Traditional VPN Overview .......................................................................................11
Clientless VPN Overview.........................................................................................13
Chapter 5...................................................................................... 15
Check Point ..............................................................................................................15
Check Point Traditional VPN Setup .......................................................................15
Server Configuration ..............................................................................................15
SecureClient Configuration with OTP ....................................................................30
Check Point Clientless VPN Setup.........................................................................47
Prerequisites ..........................................................................................................48
Check Point Connectra Setup ...............................................................................54
Chapter 6...................................................................................... 65
Cisco .........................................................................................................................65
Cisco Traditional VPN Setup ..................................................................................65
viii
Prerequisites ......................................................................................................... 65
Cisco Clientless VPN Setup ................................................................................... 79
Server Configuration ............................................................................................. 79
Chapter 7 ...................................................................................... 97
Microsoft .................................................................................................................. 97
Microsoft Traditional VPN Setup ........................................................................... 97
Server Configuration ............................................................................................. 98
Create an Access Rule Allowing VPN Clients Access to the Internal Network .. 108
Create New User Set .......................................................................................... 116
Enabling Dial-in Access for the Administrator Account....................................... 120
Running the VPN Connection ............................................................................. 127
Chapter 8 .................................................................................... 129
OWA Settings ........................................................................................................ 129
Configuring SSL .................................................................................................... 129
Using a Certificate to Access OWA Securely ..................................................... 137
How to Configure Forms-Based Authentication OWA ........................................ 140
Chapter 9 .................................................................................... 145
IAS Settings ........................................................................................................... 145
Configuring RADIUS Clients in IAS..................................................................... 147
Configuring Remote Access Policies in IAS ....................................................... 150
Introduction
CHAPTER 1
Chapter 1
Introduction
The purpose of this document is to show how the eToken NG
OTP offering, working together with various leading VPN vendors
such as Cisco, Check Point, and Microsoft, can implement strong
user authentication through the RADIUS protocol.
This document focuses on both remote Clientless SSL-VPN
based and IPSec VPN technologies to connect user communities,
depending on their access environments and access
requirements.
The solutions in this document describe the principle steps in
integrating Aladdin’s One Time Password authentication in front
of an IAS Radius server extended with the eToken OTP plug-in.
The Challenge
In today’s world, most enterprise applications impose an access
control mechanism and require user identification before access
is permitted. Most applications use the old-fashioned username
and password concept to allow access. However, using a
password has several the disadvantages; Passwords are costly
to administer, hard to remember and vulnerable to attacks. Static
passwords can be copied, “sniffed” or cracked, if not secure
enough.
1
2
Integration Guide for eToken NG OTP with Security Solutions
Solution
Traditional IPSec VPN and Clientless VPN SSL Web-based help
businesses deliver applications to remote staff, mobile
employees, business partners, suppliers and customers. Both
Traditional and Clientless VPN allow remote users to securely
access business applications, files and data on your network,
from anywhere, with a VPN client or Web browser.
eToken NG enables users to generate One-Time Passwords to
ensure a higher security level when accessing e-business and
e-banking applications and allow for more secure transactions. By
using eToken NG OTP technology, you eliminate the weakest link
in any security infrastructure; the use of static passwords that are
easily stolen, guessed, reused, or shared.
Prerequisites
For full integration and successful implementation of the eToken
Authentication Module, as described in this Integration Guide,
verify that the following prerequisites are fulfilled:
•
Good knowledge and understanding of Microsoft technology,
specifically:
• Active Directory (AD)
• Internet Authentication Server (IAS).
•
Good knowledge and understanding of Aladdin eToken
solutions, specifically:
• eToken PKI
• eToken Token Management System (TMS).
Knowledge and understanding of at least one of the following
firewall solutions, Cisco, Check Point or Microsoft, is imperative.
Introduction
CHAPTER 1
OTP Authentication Modes
The eToken OTP Authentication Module can be implemented in
one of the following ways.
•
Using the OTP dynamic value instead of a static password.
With this feature enabled, you can generate a One-Time
Password (OTP), by entering your username and the OTP
displayed value in the Password field on the URL for
Clientless VPN or in the client login dialog when using
traditional VPN.
•
Using two-factor authentication, that is, both the OTP number
and the user network password in order to gain access to the
network. Some kind of encryption should be used between
the user machine and the RADIUS client (for example,
RRAS), this encryption can be IPSEC on other method. Enter
your username and the OTP +Network password in the
Password field on the URL for Clientless VPN or in the client
login dialog if using traditional VPN
•
Using two-factor authentication based on a second password
(OTP PIN) that is managed through the OTP TMS connector.
Enter your username and the OTP + OTP PIN in the
Password field on the URL for Clientless VPN or in the client
login dialog if using traditional VPN.
In the scope of this Integration Guide, only the first mode is
discussed in detail. For information or assistance concerning the
additional methods, please contact the eToken technical Support
Center.
3
4
OTP Overview
CHAPTER 2
Chapter 2
OTP Overview
The eToken NG OTP supports the One-Time Password (OTP)
Algorithm submitted to the Internet Engineering Task Force
(IETF) by the initiative for Open AuTHentication (OATH).
OATH is an industry initiative with the mission to drive the
ubiquity of strong authentication across all networks, applications
and devices.
The HOTP (HMAC-based One Time Password) algorithm is
based on an increasing counter value and a static symmetric key,
known only to the eToken NG OTP and the validation service
which is the OTP plug-in on the IAS.
The algorithm is event-based so that it can be embedded in high
volume devices, such as Java smart cards, USB dongles and
GSM SIM cards.
The HOTP algorithm basic block function computes an HMACSHA-1 value and the truncation method to extract an HOTP
value.
HOTP (K, C) = Truncate (HMAC-SHA-1(K, C))
Where K= key and C=Moving Count Factor
The key and moving factors are generated on the eToken NG
OTP during the user enrollment with the TMS with the OTP
connector.
5
6
During the enrollment of an OTP profile on an eToken NG, OTP
parameters (key and moving factor) are generated on the eToken
NG OTP and saved as a virtual token under the user object in
Active Directory.
The eToken OTP plug-in is implemented using the Internet
Authentication Service Extensions (IASE) API, which enables
software developers to write their own extensions to IAS.
IASE allows the eToken plug in to implement the OATH
authentication methods for remote access.
When the VPN server (RADIUS Client) forwards authentication
requests to the IAS RADIUS server, the OTP plug-in that is
installed on the IAS server validates the OTP against the virtual
token saved in the user object in AD.
IAS Overview
CHAPTER 3
Chapter 3
IAS Overview
RADIUS is a client-server protocol that enables network access
equipment (used as RADIUS clients) to submit authentication and
accounting requests to a RADIUS server.
The IAS RADIUS server has access to user account information
in the Active Directory and can check network access
authentication credentials. If your credentials are authentic and
the connection attempt is authorized, the RADIUS server
authorizes your access on the basis of specified conditions and
logs the network access connection in an accounting log.
A RADIUS client (typically a dial-up server, VPN server, or
wireless access point) sends user credentials and connection
parameter information in the form of a RADIUS message to a
RADIUS server.
The RADIUS server authenticates and authorizes the RADIUS
client request, and sends back a RADIUS message response.
RADIUS clients also send RADIUS accounting messages to
RADIUS servers. Additionally, the RADIUS standards support the
use of RADIUS proxies. A RADIUS proxy is a computer that
forwards RADIUS messages between RADIUS-enabled
computers.
7
8
IAS supports the Internet Engineering Task Force (IETF)
standards for RADIUS described in RFCs 2865 and 2866. When
an IAS server is a member of an Active Directory® domain, IAS
uses the directory service as its user account database and is
part of a single sign-on solution. The same set of credentials is
used for network access control (authenticating and authorizing
access to a network) and to log on to an Active Directory domain.
When the eToken OTP plug-in extension is implemented with the
RADIUS IAS, the OTP plug-in that is installed on the IAS server
validates the OTP against the virtual token saved in the user
object in AD.
VPN Environment Settings
CHAPTER 4
Chapter 4
A typical company has a central site connected to the Internet
through a router. A branch office exists and is also connected to
the Internet. Some people travel a lot and can be considered
remote users. Other people work from their home office.
When at the central site, users have access to applications and
files, printing and e-mail. For remote users, branch office or home
office this tends to be more complicated and sometimes leads to
problems.
The VPN server is installed into the corporate network behind the
broadband Internet access router. It connects to both the WAN
and the LAN using two separate Ethernet ports. Remote users
enter either the URL of the VPN sever in their Web browser for a
Clientless VPN SSL encrypted session, or alternatively they enter
their traditional VPN client site credentials for an IPSec encrypted
tunnel.
The VPN server uses External Authentication. Users are
authenticated through an IAS RADIUS authentication server.
While the VPN servers operate as RADIUS clients, they can pass
credentials from the client to the RADIUS server for end-user
OTP authentication.
9
10
By introducing eToken NG OTP at the user side, strong user
authentication can be obtained. The eToken NG OTP generates
a One-Time Password (OTP). The user enters a username in the
User Name field and the OTP in the Password field on the URL
for Clientless VPN or in the client login dialog if using traditional
VPN. The VPN server (Radius Client) forwards the authentication
request to the IAS RADIUS server. The IAS RADIUS server
verifies the One-Time Password in Active Directory If the
authentication is successful; you can access to the VPN server.
CHAPTER 4
Notes:
1. In this Integration Guide when using traditional VPN access,
authentication is based on OTP only. In the clientless VPN solutions
that are presented in the following chapters, after the SSL VPN tunnel
is established, a second additional authentication, with username
and password Is required in front of the specific internal resource
(OWA-Outlook Web Access) in Order to provide an additional layer
of security.
2. You may already have IAS installed to handle VPN access, and
/or Outlook over the Web as well. If not, refer to Chapter 8,
Configuring SSL for information about OWA configuration and
Chapter 9, Configuring RADIUS Clients in IAS for information about
IAS configuration.
3. In order to enable eToken NG with OTP capability, the assumption
is made that the basic necessary configuration of the TMS and OTP
connector has already been done. For more information on OTP
configuration, refer to the eToken OTP Authentication Admin Guide.
4. In this document only the first OTP solution described in the OTP
authentication modes section is presented. For more information
about the OTP authentication modes, refer to the eToken OTP
Authentication Admin Guide.
Traditional VPN Overview
The first scenario that is described in this Integration Guide is
when a VPN server is installed into the corporate network behind
the broadband Internet access router and responds to VPN
clients wishing to access the protected internal resources. The
NAS requires user authentication with a One Time Password
during the IPSec tunnel establishment. Upon successful
authentication, a remote user is granted access to the protected
network and is able to access its OWA (Outlook Web Access)
account.
In this Integration Guide, you perform an additional authentication
in front of OWA with username and password. The following
prerequisites should be configured for supporting OTP
authentication with security GW using VPN client software to
support VPN tunnels.
11
12
•
Define the NAS as Radius client to support user
authentication with MS IAS.
•
Install TMS and configure OTP plug-in on IAS.
•
Enroll remote users with OTP profiles and configure VPN
client software to access protected network by the NAS.
When all configuration issues are completed, launch the VPN
client software and enter your username and One Time Password
in the authentication dialog. If the VPN tunnel is successfully
established, you are granted access to the protected network.
IPSec VPN gateways are usually implemented on the perimeter
firewall and permit or deny remote access to entire private
subnets.
CHAPTER 4
Clientless VPN Overview
The second scenario that is described in this Integration Guide is
when a SSL VPN server is installed into the corporate network
behind the broadband Internet access router and responds to
SSL VPN clients wishing to access the protected internal
resources. SSL is better suited for scenarios where trust is limited
or where installed certificates are impractical such as business
partner desktops, public kiosk PCs and personal home
computers. The Network Access Server (NAS), which acts as a
Web proxy, responds to Https requests requiring access to
protected Web resources. You are required to authenticate before
accessing a Web resource. Upon successful authentication the
remote user is granted access to the protected network and is
able to access his OWA account after performing additional
authentication in front of OWA. Basically in any of the described
security solutions configurations the following perquisites should
be configured in order to support OTP;
•
Setup NAS to support SSLVPN tunnels (clientless).
•
Define the NAS as Radius client to support user
authentication with MS IAS.
•
Install TMS and configure OTP plug-in on IAS.
•
Enroll remote users with OTP profiles.
When all configuration issues are completed, launch a browser
and type the OWA URL link to port 443. During SSL tunnel
establishment you are required to authenticate with a username
and One Time Password in the authentication dialog. If the SSL
tunnel is successfully established, the user is redirected to the
OWA authentication form. At this point, you are authenticated
once more with the domain username and password in front of
OWA to access the user account.
13
14
Check Point
CHAPTER 5
Chapter 5
Check Point
Check Point Traditional VPN Setup
In this section the Check Point SecureClient is configured to
support user authentication with OTP to establish a VPN tunnel to
the internal network and access to protected resources.
In general, the following major steps should be configured as
follows:
•
Configure FW-1 policy to support SecureClient encrypted
connection requests to the GW.
•
Configure Check Point with Active Directory.
•
Configure FW-1 policy to support SecureClient encrypted
connection requests to the GW.
•
Install SecureClient on the client machine and configure it with
a username and password authentication.
This solution was tested using the following software and
hardware versions.
•
Check Point NG ™R55.
Server Configuration
•
Domain controller on 2003 server with the following
components:
• eToken Management System (TMS) version 1.1
• eToken OTP connector
• Microsoft IAS server with OTP plug-in version 1.0
• eToken NG with RTE 3.60
15
16
Prerequisites
In the testing lab it is assumed that the following settings are
configured:
•
IAS is configured as described in Chapter 9.
•
OTP plug-in is installed on top of the IAS server.
For more information on how to install the OTP plug-in, refer
to the eToken OTP Authentication Admin Guide.
•
An eToken NG OTP enrolled with OTP seed for a domain
user.
For details on how to enroll a user with eToken NG OTP
capabilities, refer to the eToken OTP Authentication Admin
Guide.
Check Point Configuration with Active Directory
¾ To configure LDAP account unit:
1 Log in to the Check Point Policy Editor.
2 Go to Policy Menu > Global Properties.
Check Point
CHAPTER 5
3 From the LDAP Account Management branch, select Use
LDAP Account Management as displayed:
4 Click OK.
5 In the SmartDashboard Manage menu select Servers.
Right-click LDAP Account Unit and select New LDAP
Account Unit from the displayed menu.
17
18
The LDAP Account Unit Properties dialog is displayed:
6 In the General tab, configure the following parameters:
Name: Enter descriptive name.
In the Account Unit usage area, select the both the CRL
retrieval and User management checkboxes.
Set the Profile type to Microsoft_AD.
Check Point
CHAPTER 5
7 Click the Servers tab. The following dialog is displayed:
8 Click Add to add your server. The LDAP Server Properties
dialog is displayed.
19
20
9 Set all the necessary parameters, including:
Host: Your LDAP server (If you have a separate A.D. server,
create an object for that and select that as the host
Login DN: cn=administrator,cn=users,dc=farida,dc=com
10 Enter the administrator’s password in the designated fields.
11 Set the relevant permissions (Read data and/or Write Data),
as displayed.
12 Click the Encryption tab. The following dialog is displayed:
13 Select the Use SSL checkbox. Click Fetch and set Min/Max
Encryption Strength to Strong for Min and Strong for Max
as displayed.
14 Click OK. The Servers tab of the LDAP Account Unit
Properties dialog is redisplayed.
15 Set the Early Version Compatibility (in the Servers tab).
Check Point
CHAPTER 5
16 Click the Objects Management tab. Select your A.D. object
from the Mange objects on dropdown list and then click
Fetch branches to fetch the active Directory branches. The
branches should be seen in the Branches in use area as
displayed.
Note:
Additional Branches should be added manually: If additional
OUs were created on the A.D their LDAP names should be
added manually in order to fetch their content to FW-1.
For PKI authentication, it is recommended to add the LDAP
name of the CRL for CRL checking during PKI authentication.
21
22
17 Click on the Authentication tab. Select all the checkboxes in
the Allowed authentication schemes area, and select the
Use user template checkbox, as displayed:
18 In the Tree pane of Check Point SmartDashboard, click the
Users tab and expand the objects tree. Double-click on the
account name entry and verify that all AD accounts are
fetched in the object list section as displayed:
Check Point
CHAPTER 5
Note:
In the preceding screen shot, the first red rectangle represents
the default branches that are fetched from the Active
Directory. The CDP red rectangle is added manually to the
account unit for CRL checking during PKI authentication
between FW-1 and IIS.
Define External Group
To utilize Active Directory for authenticating your remote users,
you must first create an External Group, as follows.
1 Launch the SmartDashboard GUI and click on the Users icon.
To see the users, make sure you have the Objects Tree and
Objects List open (these can be opened by clicking on the
View Menu and selecting the corresponding options).
2 A branch entitled LDAP Groups is displayed in the Tree
pane.
3 Right-click LDAP Groups and select New LDAP Group from
the popup menu. Set the properties, as displayed:
23
24
4 Enter a descriptive name (in this example MS_AD), select the
relevant account unit, and select the group’s scope (this
should be the Account Unit you already created).
Note:
Group Scope: Notice that in the above dialog, All
Account-Unit’s Users is selected. This means that a user that
exists anywhere in the Active Directory database can
authenticate.
5 Click OK to save the new setting.
Check Point
CHAPTER 5
6 Open up your VPN-1 Gateway object. Click on the
Authentication branch and enable the appropriate
authentication schemes. Select the RADIUS checkbox as
displayed:
7 Click OK to apply the setting.
8 Select the SmartDirectory (LDAP) branch, as displayed:
25
26
or
In older versions of Check Point, click the LDAP Account
Manager branch:
9 Select the Display list of distinguished names (DNs) for
matching UIDs on login checkbox. In the Account Units
Query group, select Selected Account Unit list A new dialog
is displayed.
10 Click Add to add the predefined account unit, as displayed:
Check Point
CHAPTER 5
11 Click OK to save the new setting.
RADIUS Object Configuration
In order to enable user authentication using RADIUS protocol, a
RADIUS object should be defined so that FW-1 is able to
communicate with the IAS server located on the domain controller
during the user authentication session.
¾ To configure a RADIUS object:
1 In the Tree pane of the SmartDashboard, expand Servers
and OPSEC Applications and select the RADIUS branch.
Right-click and select New RADIUS, as displayed:
27
28
2 The RADIUS Server Properties dialog is displayed:
3 Enter a name for the RADIUS object, and select the host that
represents the server or create a new object.
4 Enter the Shared Secret that was defined on the IAS and
leave the other default parameters as displayed:
5 Click OK to save the settings.
Template Adjustment to Support Radius
Authentication
It is important to set the properties for your template correctly.
This template holds user properties such as encryption and
password method. In this section, the default template is used (it
is possible to have multiple templates).
Check Point
CHAPTER 5
This section describes some of the properties of the template and
also the properties of a user linked to that template. In this
example, the template was tied to the LDAP Account Unit.
1 In the Tree pane, expand Users and Templates, and then
select Default as displayed:
2 Double-click Default to open the User Template Properties
– Default dialog and select the Authentication tab as
displayed:
29
30
3 From the Authentication Schemes dropdown list, select
RADIUS. Then, select the RADIUS server object from the
Select a RADIUS Server or Group of Servers dropdown list
as displayed:
4 Click OK to save the new settings.
SecureClient Configuration with OTP
This section describes how Check Point SecureClient is
configured to support user authentication with OTP to establish a
VPN tunnel to the internal network and access to protected
resources.
In general the following major steps should be performed as
follows:
•
Install SecureClient on the client machine and configure it with
a username and password authentication.
•
Configure FW-1 policy to support a SecureClient encryption
connection to the GW and afterwards access to the internal
network.
•
Configure an external user dB (Active Directory) with Radius
authentication. (Those settings have already been configured,
for more information refer to Chapter 3.)
Check Point
CHAPTER 5
¾ To set FW-1 with SecureClient:
1 Log in to the Check Point Policy Editor.
2 Go to the Policy MenuÎGlobal Properties.
3 Expand the Remote Access branch and select VPN - Basic.
In the IKE over TCP area, select the Gateways support IKE
over TCP checkbox as displayed:
4 Click OK to save the new settings.
31
32
5 In the Tree pane, expand the Check Point folder and select
the gateway as displayed:
6 Double click on the gateway object. The Check Point
Gateway Properties dialog is opened. Select General
Properties in the Tree pane. In the right pane, in the Check
Point Products area, select both the SecureClient Policy
Server and VPN checkboxes as displayed:
Check Point
CHAPTER 5
Note:
Policy Server should be installed. Secure Client requires
installation of Policy server that manages desktop security
policy.
7 In the Tree pane, click VPN. The VPN dialog is displayed:
8 Beneath the VPN communities list near the top of the dialog,
click Add to add a community in which the gateway is to
participate. The Add This Gateway To Community dialog is
displayed:
33
34
9 Select RemoteAccess and click OK.
10 In the VPN dialog, the community area is updated as
displayed:
Check Point
CHAPTER 5
11 In the Tree pane, click Authentication. In the Policy Server
area, select a user group from the Users dropdown list. By
default All Users is displayed:
12 Click OK to update the settings of FW-1 object.
13 In the SmartDashboard, click the VPN Manager tab as
displayed:
35
36
14 Double click the RemoteAccess object. The Remote Access
Community Properties dialog is displayed:
15 In the Tree pane, click Participating Gateways and verify
that the FW-1 object is displayed on the right:
Check Point
CHAPTER 5
16 Select Participant User Groups. The following dialog is
displayed:
17 Click Add. The Add Participant Users Groups dialog is
displayed:
37
38
18 Select one or more groups and click OK to update this section
as displayed:
19 Click OK to update the Remote Access community.
20 Click on the Desktop Security tab and add inbound and
outbound rules as displayed:
21 Click on the Security tab and define the following rule as
displayed:
Check Point
CHAPTER 5
22 Double-click on the VPN cell. The VPN Match Condition
dialog is opened. In the Match conditions area, select Only
connections encrypted in specific VPN Communities as
displayed:
23 Click Add. The Add Community to rule dialog is opened.
Select the RemoteAccess community as displayed:
24 Click OK to update the match condition and then click OK
again to update the VPN cell.
39
40
25 Click the Install Policies button in the SmartDashboard
toolbar to install the policy.
The Install Policy dialog is displayed. In this case two policies
are installed: one for the FW-1 policy and one for the desktop
policy as displayed:
26 Click OK.
¾ To set up SecureClient for OTP:
1 Install SecuRemote/Client version R56 (AI) Use the default
installation setting and click Next where required and reboot
the computer.
Check Point
CHAPTER 5
2 After logging on to the computer, the SecureClient icon is
displayed to the right of the System Tray:
3 Double click the SecureClient icon. The VPN-1 Secure Client
dialog is displayed indicating that no site is defined and asks if
you want to create a new site.
4 Click Yes. The Site Wizard dialog is displayed:
5 Type in the site name or IP address as displayed:
41
42
6 Click Next. The Authentication Method dialog is displayed:
7 Leave the default authentication method setting for username
and password, and click Next.
8 The User Details dialog is displayed. Enter the username and
OTP password retrieved from the eToken NG as displayed:
Check Point
CHAPTER 5
9 Click Next. The Select Connectivity Setting dialog is
displayed. Select the Advanced radio button as displayed:
10 Click Next. The Advanced Settings dialog is displayed.
Select Perform IKE over TCP option as displayed:
43
44
11 Click Next. A connection to the site is initiated. If the client is
successfully connected to the site you are asked to approve
the site certificate as displayed:
12 Click Next. Topology is updated on the client machine and the
site is created.
13 Upon successful site creation, the Site Created Successfully
dialog is displayed:
Check Point
CHAPTER 5
14 Click Finish. You are prompted to connect now if desired.
Click Yes. The Check Point VPN-1 SecureClient
Connection dialog is displayed:
15 Press the OTP Generation button on the eToken NG-OTP.
The eToken displays a random one-time password
16 Enter the OTP password in the Password field and click
Connect.
45
46
17 A connection is initiated and the Check Point VPN-1
SecureClient Connect Progress dialog is shown as
displayed:
18 A connection success notification is displayed in the Check
Point VPN-1 SecureClient Connect Progress dialog at the
end of VPN tunnel construction as displayed:
Check Point
CHAPTER 5
Check Point Clientless VPN Setup
This next solution illustrates how to configure Check Point
Connectra™ appliance with Aladdin OTP solution. Connectra™ is
a Web Security Gateway that provides both SSL VPN and
integrated Web security. Connectra provides both Web-based
and network-level access over SSL. Connectra is a gateway used
by remote users to access resources on a corporate network.
Through an integrated Connectra Web portal, users can access
Web applications and resources, file shares, and email. The
appliance can be located at the front end where users can access
it directly or located in the DMZ protected by a firewall.
The last configuration is considered more secure and is detailed
in the following solution. You must authenticate before you can be
granted access to the Web portal. In the current integration, a
remote user is required to authenticate using Aladdin’s OTP
solution based on RADIUS protocol in order to access to the
Connectra Web portal. On the Web portal, you are able to grant
access resources based on the group permission to which each
user belongs.
The drawing below illustrates the network topology that was
utilized for testing.
hardware versions below:
•
Check Point Connectra™ 1.0 build 603 support 50 concurrent
connections.
47
48
•
components:
• MS IAS server with OTP Authentication Module plug-in
version 1.0
• eToken NG OTP and PKI Client (RTE) 3.60
Prerequisites
In the testing lab it is assumed that the following settings have
been configured:
1 IAS is configured as described in chapter 9.
2 OTP plug-in is installed on top of the IAS server.
For details on how to install the OTP plug-in, refer to the
eToken OTP Authentication Admin Guide.
3 An eToken NG OTP enrolled with OTP seed for a domain
user.
For details on how to enroll a user with eToken NG OTP
Guide.
4 OWA is installed and configured as described in Chapter 8.
5 Adjust on the IAS snap-in remote access policy with the
‘Class’ attribute that returns the name of the group to which
the authenticated user belongs in the Active Directory.
Note:
This should be identical to the RADIUS group defined on the
Connectra).
6 Adjust FW-1 policy to allow connection to/from Connectra
according to the following table:
Rule Source
Destination
Service
Action
Remarks
Check Point
CHAPTER 5
1
Admin
Host
Connectra
HTTPS/
4433
Accept
Administrator
access
2
Any
Connectra
HTTPS
Accept
End user Access
to Connectra
Portal
3
Connectra
eXchange_Server
HTTPS
Accept
Connectra access
to OWA 2003
4
Connectra
Radius_Server
Radius
Accept
Enable User auth
with Radius
server
5
Connectra
DNS_Server
DNS
Accept
Name resolution
by Connectra
(Optional )
¾ To set up a remote access policy:
1 Access the IAS snap-in. In the Tree pane, click Remote
Access Policy in the Tree pane. In the right pane, select
Connection to other access servers, as displayed:
49
50
2 Double click on the policy. The <policy> Properties dialog is
shown as displayed.
Check Point
CHAPTER 5
3 Select the Grant remote access permission radio button,
Click Edit Profile …. The Edit Dial-in Profile dialog is shown
as displayed.
4 Under the Authentication tab select only Unencrypted
Authentication as displayed.
51
52
5 Select the Advanced tab as displayed.
6 Click Add. Select the Class attribute as displayed and click
Add.
Check Point
CHAPTER 5
7 In the Attribute Information dialog, type the name of the
group as defined on the Connectra as displayed:
8 This attribute is returned by IAS within the access accept
information to the Connectra. This value addresses the user
to a certain group.
9 Click OK to add the attribute as displayed:
10 Click OK to approve the setting on the remote access policy.
Click OK again and restart the IAS to update the setting.
53
54
Check Point Connectra Setup
It is assumed that Connectra is configured using the built-in
wizard. For more information on Connectra basic configuration,
refer to Check Point formal documentation.
In order to set up the Web portal for remote users, perform the
following steps:
•
Define the authentication method on the Connectra as the
Radius server.
•
Define external Radius group.
•
Define a link to a protected resource. OWA 2003 is defined as
an example.
To access Connectra as an administrator, enter the following
URL: https://<Connectra_IP_Adress>:4433 and provide a
username and a password.
Radius Authentication Setup
¾ To set up RADIUS authentication:
1 Access the Connectra Device Status dialog as displayed:
Check Point
CHAPTER 5
2 In the Tree pane, expand User and Groups and then expand
Authentication. Select Radius Server as displayed:
3 Enter the following details, as displayed:
4 Click Apply to save the setting
55
56
Setting a Connection to OWA
¾ To define a URL resource (OWA) for an authorized
group:
1 In the Tree pane, expand Applications and click Mail
servers as displayed:
2 Click New and select Outlook Web Access from the
dropdown list.
Check Point
CHAPTER 5
The following dialog is displayed:
3 Enter a name for the URL resource host name or IP address
and select the SSL Port radio button. This informs Connectra
that contact the exchange server is SSL.
4 Click Apply to save the setting. The following dialog is
displayed:
57
58
External Group Definition
¾ To define an external group:
1 In the Tree pane, expand Users and Groups and select User
Groups as displayed:
2 Click New and select Radius Group from the dropdown list.
3 In the Group tab, enter the group name as displayed:
Check Point
CHAPTER 5
4 Click the Mail Server tab and select the predefined resource
for that group by adding it to the right column as displayed:
5 Click Apply to save the setting as displayed:
Running the Solution
On the client station, you only need to start the HTTPS session to
Connectra and authenticate twice: The first time you authenticate
against the Connectra with a username and OTP password and
the second time you authenticate against the OWA with
username and network password.
59
60
¾ To access authorized resources:
1 Start https or http session to the external interface of the
Concentrator in one of the following forms:
http(s)://<external_IP / <hostname >/
2 You are prompted to enter your username and password in
the WebVPN authentication form as displayed:
3 Press the OTP Generation button on the eToken NG-OTP.
The eToken displays a random one-time password
Check Point
CHAPTER 5
4 Enter your username and the generated OTP and click Sign
In as displayed:
5 Upon successful authentication, the Connectra Portal dialog
is displayed:
61
62
6 Click on the OWA 2003 link to redirect to OWA. The OWA
Authentication form is displayed. Enter Domain\user name
and domain Password.
7 Click Continue to access your account as displayed:
Check Point
CHAPTER 5
Troubleshooting Tips
This section provides logging information that can be set up on
Connectra when configuration problems occur during the
integration.
¾ To access the log view on Connectra:
1 In the Tree pane, expand Status and Logs, and then select
Traffic Logs. The following view is displayed:
63
64
2 To adjust log details options, click Log Settings in the Tree
pane, select the preferred log setting to be modified and click
Apply as displayed:
Cisco
CHAPTER 6
Chapter 6
Cisco
Cisco Traditional VPN Setup
This chapter describes how to configure the Concentrator to
accept VPN connections of users with OTP password
authentication.
hardware versions:
•
Cisco Concentrator 3005 with software version 4.17.
•
components:
Prerequisites
In the testing lab it is assumed that the following settings have
been configured as follows:
•
IAS is configured as described in chapter 9
•
For more information on how to install the OTP plug-in refer to
the eToken OTP Authentication Admin Guide.
65
66
•
user. For details on how to enroll a user with eToken NG OTP
Guide.
The following basic steps are performed to configure Cisco IPSec
VPN:
1 Configure IP addresses pool for VPN clients.
2 Configure an IKE Proposal.
3 Configure the SA.
4 Set up Tunnel Group to support IPSec.
¾ To configure IP addresses pool for VPN clients:
1 Expand Configuration | System | Address Management
and select Assignment. In the main pane, select the Use
Address Pools checkbox.
2 Click Apply.
Cisco
CHAPTER 6
3 The Address Management dialog is displayed. Click Pools
to configure the VPN addresses pool.
4 Click Add to add an address pool.
67
68
5 Enter the IP address pool and click Add.
6 Click Save needed on the upper right corner to save the
changes
7 Click OK to close the Save Successful dialog.
¾ To configure IKE Proposal:
1 Expand Configuration > Tunneling and Security > IPSec
and select IKE Proposals.
2 Select the predefined proposal CiscoVPNClient-3DES-MD5.
Click Activate if it appears in the Inactive Proposals dialog.
Cisco
CHAPTER 6
3 Click Modify.
4 Make sure the Authentication Mode is configured to
Preshared Keys (XAUTH) and click Apply.
¾ To configure the IPSec policy:
1 Expand Configuration > Policy Management > Traffic
Management and select SAs. Select ESP-3DES-MD5.
69
70
2 Click Modify.
3 In the IKE Parameters area, select None (Use Preshared
Keys) from the Digital Certificate dropdown list and select
CiscoVPNClient-3DES-MD5 from the IKE Proposal
dropdown list. Click Apply to set the changes.
4 Click Save Needed in the upper right corner to save the
changes.
Cisco
CHAPTER 6
5 Click OK to close the Save Successful dialog.
¾ To configure a tunnel group:
1 Expand Configuration > User Management and select
Groups. Click Add Group to add a new group.
2 Enter the name OTP in the Group Name field and set a
password (minimum 4 characters) in the Password field.
71
72
3 Click the IPSec tab.
4 Verify that the following parameters are set as shown:
IPSec SA attribute is set to ESP-3DES-MD5.
Tunnel Type attribute is Remote Access.
Authentication attribute is RADIUS.
Scroll down and click Apply.
Cisco
CHAPTER 6
changes.
6 Click OK to close the pop up Save Successful dialog.
73
74
Client Configuration
¾ To install and configure the VPN Client:
1 Open the Cisco VPN Client installation file. The Cisco
Systems VPN Client Set-up dialog is shown as displayed.
2 Click Next.
Cisco
CHAPTER 6
3 Click Yes to accept the license agreement.
4 Click Next and accept the destination folder.
75
76
5 Click Next and accept the name of the program folder.
6 Click Finish. The Computer restarts to apply the installation.
Cisco Client Configurations
¾ To install and configure the Cisco Client:
1 After logon, click Start > Programs > Cisco Systems VPN
Client and run VPN Client.
2 Click New to create a new site.
Cisco
CHAPTER 6
3 Enter the following details:
• Enter the name Concentrator in the Connection Entry
field.
• Enter the IP address of the Concentrator in the Host field.
• Enter the group name OTP in the Name field.
• Enter the group password in the Password and the
Confirm Password fields.
4 Click Save to save the VPN Connection Entry.
5 Run the Solution.
77
78
¾ To initiate a VPN tunnel:
1 Double-click the Concentrator connection entry.
2 The User Authentication dialog is displayed. Enter a
username in the Username field. Generate an OTP password
and enter it in the Password field. Click OK to login.
Cisco
CHAPTER 6
3 VPN tunnel is successfully completed.
Cisco Clientless VPN Setup
The Cisco VPN Concentrator is a virtual private network (VPN)
platform. The role of the Concentrator is to allow access to the
internal network in a secure method.
This solution was tested using the software and hardware
versions below.
•
Cisco Concentrator 3005 with software version 4.17.
Domain controller on 2003 server with the following components:
• OWA is installed and configured as described in Chapter 8
Prerequisites
In the testing lab is assumed that the following settings are
configured as follows:
•
79
80
•
•
user. For instruction how to enroll a user with eToken NG
OTP capabilities refer to the eToken OTP Authentication
Admin Guide.
The Concentrator software version 4.1 introduces a feature called
WebVPN. This feature allows clientless VPN connection through
SSL tunnel.
The WebVPN feature requires user authentication to establish an
SSL tunnel that allows access to email accounts with the Outlook
Web Access (OWA).
The IAS server is used as a RADIUS server for centralized
authentication of users.
The following tasks are required for setup:
•
Configuration of SSL VPN on the External
•
Configuration of RADIUS server
•
RADIUS server authentication testing
•
SSL connection to the Concentrator
•
Running the Solution
The setup requirements mentioned above are described in detail
in the following sections.
Note:
OWA 2003 is supported by Cisco Concentrator release 4.1.7
Cisco
CHAPTER 6
Configuring SSL VPN on the External Interface
1 Log in to Cisco Concentrator Web-based management.
2 The Main Menu dialog is displayed.
81
82
3 In the Tree pane, expand Configuration and select
Interfaces.
4 Click Ethernet 2 (Public), the Configuring Ethernet
Interface 2 (Public) dialog is displayed.
Cisco
CHAPTER 6
5 Click the WebVPN tab. The WebVPN Parameters dialog is
displayed.
6 Select the both the Allow WebVPN HTTPS sessions and
Redirect HTTP to HTTPS checkboxes, and click Apply.
changes.
83
84
8 In the Tree pane, expand Configuration | Tunneling and
Security | WebVPN, and select Servers and URLs.
9 Click Add and enter the URL of the OWA.
Cisco
CHAPTER 6
10 Click Add to add the URL of the Outlook Web Access in the
end user homepage.
11 Expand Configuration | User Management | Base Group.
The General Parameters dialog is displayed.
85
86
12 Scroll down to the Tunneling Protocols attribute and select
the WebVPN checkbox.
13 Scroll up and click the WebVPN tab. The WebVPN
Parameters are displayed:
Cisco
CHAPTER 6
14 Select the Enable Outlook/Exchange Proxy checkbox, scroll
down and click Apply.
15 Click Save needed on the upper right corner to save the
changes.
¾ To configure SSL VPN on the external interface:
1 Expand Configuration | System | Servers and select
Authentication.
87
88
2 Click Add to add the IAS as a RADIUS server.
3 Select RADIUS from the Server Type dropdown list and enter
the ISA server IP address in the Authentication Server field,
and click Apply.
4 Click Save needed in the upper right corner to save the
changes.
Cisco
CHAPTER 6
¾ To test RADIUS server authentication:
1 Click on the RADIUS server and click Test.
2 Enter the username and OTP password, and click OK.
89
90
3 The Success dialog is displayed. Click Continue.
Note:
If the test fails, the Concentrator and the IAS are not configured
properly.
Cisco
CHAPTER 6
¾ To enable SSL connection to the Concentrator:
1 Expand Administration | Certificate Management. The
Certificate Management dialog is displayed:
2 Click Generate on the Public Interface to generate an SSL
certificate.
91
92
3 Select the size of the RSA Keysize and click Generate.
Note:
By default an n SSL certificate is generated automatically for
the Concentrator interfaces.
This certificate that is self-signed certificate. The only parameter
that can be modified is the RSA Keysize.
Running the WebVPN Solution
On the client side, open a Web browser and initiate an HTTPS
session to the Concentrator.
After a successful login to the Concentrator, the user homepage
displays the link to the Outlook Web Access.
Cisco
CHAPTER 6
¾ To access to personal email account with OWA:
1 Open a Web browser and start an HTTPS or HTTP session to
the external interface of the Concentrator.
2 Click Yes to trust the certificate of the Concentrator. The
Concentrator Login dialog is displayed.
3 Enter the Username and OTP Password, and click Login.
93
94
4 Click the Outlook Web Access link that you created.
5 Enter the Username and domain Password, and click Log
On.
Cisco
CHAPTER 6
6 The Outlook Web Access is displayed:
95
96
Microsoft
CHAPTER 7
Chapter 7
Microsoft
Microsoft Traditional VPN Setup
Microsoft Internet Security and Acceleration (ISA) Server 2004 is
the advanced application-layer firewall, virtual private network
(VPN), and Web cache solution that enables customers to easily
maximize existing IT investments by improving network security
and performance.
To make Virtual Private Network (VPN) access to your internal
network possible through Microsoft Internet Security and
Acceleration Server 2004, you must configure the user accounts
of the VPN clients, the access rules on the ISA Server computer,
and a VPN connection on the client computer.
To do so, you need to perform the following tasks:
•
Configure the ISA Server computer as a VPN server
•
Configure VPN client access
•
Create a VPN access rule
•
Verify the VPN network rule
•
Configure of a VPN connection
The setup issues above are described in detail in the following
sections (except for VPN connection configuration, which is
described on the next chapter).
97
98
This chapter presents a solution in which the user authenticates
to the ISA VPN server with username and password to get
access to the OWA server. To do so, you should have an
exchange server and IIS server in your domain. In this
demonstrated solution, form-based authentication is
implemented.
hardware versions below:
•
Microsoft ISA server 2004 4.0.2161.50.
•
components:
Prerequisites
In the testing lab is assumed that the following settings are
configured as follows:
•
•
•
user. For instruction how to enroll a user with eToken NG
OTP capabilities refer to the eToken OTP Authentication
Admin Guide.
Configure the ISA Server as a VPN Server
By default, the VPN server component is disabled. The first step
is to enable the VPN server feature and configure the VPN server
components.
Microsoft
CHAPTER 7
Perform the following steps to enable and configure the ISA
Server 2004 VPN Server:
1 Open the Microsoft Internet Security and Acceleration Server
2004 management console and expand the server name.
Click on the Virtual Private Networks (VPN) node.
2 Click on the Tasks tab in the Task pane. Click the Enable
VPN Client Access link.
3 Click Apply to save the changes and update the firewall
policy.
4 Click OK in the Apply New Configuration dialog.
5 Click the Configure VPN Client Access link. The VPN
Clients Properties dialog is shown as displayed.
99
100
6 In the General tab, change the value for the Maximum
number of VPN clients allowed from 5 to 10. Click the
Groups tab.
The ISA firewall needs to be a member of the Active Directory
domain to have access to domain groups. Since we do not
want to make the ISA firewall a member of the domain in this
scenario, we do not need to add any groups on the Groups
tab.
Microsoft
CHAPTER 7
7 Click the Protocols tab. In the Protocols tab, select the
Enable L2TP/IPSec checkbox.
Note:
You will need to issue a machine certificate to the ISA Server
2004 firewall/VPN server, and to the connecting VPN clients,
before you can use L2TP/IPSec. Alternatively, you can use a
pre-shared key for the IPSec security negotiations.
101
102
8 Click the User Mapping tab. Select the Enable User
Mapping checkbox. Select the When username does not
contain a domain, use this domain checkbox. Enter LAB in
the Domain Name field.
Note:
These settings will only apply when using RADIUS authentication.
These settings are ignored when using Windows authentication
(such as when the ISA Server 2004 firewall machine belongs to
the domain and you explicitly enter domain credentials).
9 Click Apply and then click OK. You may see a Microsoft
Internet Security and Acceleration Server 2004 dialog
informing you that you need to restart the computer for the
settings to take effect. If so, click OK in the dialog.
Microsoft
CHAPTER 7
10 In the console tree of the ISA Server Management, click
Virtual Private Networks. On the Tasks tab, click the Select
Access Networks link.
11 In the Virtual Private Networks (VPN) Properties dialog,
click the Access Networks tab. Note that the External
checkbox is selected. This indicates that the external interface
is listening for incoming VPN client connections. You can
choose other interfaces, such as DMZ or extranet interfaces,
if you wish to provide dedicated VPN services to trusted hosts
and networks.
12 Click the Address Assignment tab. Select Internal from the
Use the following network to obtain DHCP, DNS and
WINS services dropdown list. This is a critical setting, as it
defines the network on which access to the DHCP is made.
103
104
Note:
In this example a DHCP server is used on the internal network to
assign addresses to VPN clients. The DHCP server will not assign
DHCP options to the VPN clients unless you install the DHCP
Relay Agent on the ISA Server 2004 firewall/VPN server
machine. You have the option to create a static address pool
of addresses to be assigned to the VPN clients. If you choose to
use a static address pool, you will not be able to assign DHCP
options to these hosts. Also, if you choose to use a static
address pool, you should use an off-subnet network ID.
13 Click the Address Assignment tab, select the Static
address pool option, as displayed:
14 In the Address Assignment tab, click Add. The IP Address
Range Properties dialog is displayed.
15 Configure the IP address range as follows:
In the Starting address field, enter the first IP address of the
range of IP addresses that you want to assign to VPN clients.
In the Ending address field, enter the last IP address of the
range of IP addresses that you want to assign to VPN clients,
and then click OK.
Microsoft
CHAPTER 7
16 Click Advanced, click Use the following DNS server
addresses, and then type the IP addresses of an internal
primary DNS server and an internal backup DNS server (if
exist) in the corresponding boxes as displayed:
17 If you want to specify a Windows Internet Naming Service
(WINS) server, click Use the following WINS server
addresses, and then type the IP addresses of a primary
WINS server and a backup WINS server in the corresponding
boxes (not implemented in the current integration).
105
106
18 Click on the Authentication tab. Note that the default setting
is to enable only PAP.
19 Click the RADIUS tab to configure the ISA Server 2004
firewall VPN server to use RADIUS to authenticate the VPN
users with the IAS server that is using OTP authentication.
Microsoft
CHAPTER 7
20 Select Use RADUIS for authentication checkbox and then
click on the RADIUS Servers… to define MS-IAS as the
RADIUS server as displayed:
21 Click Add… the Add RADIUS Server dialog is displayed.
Enter the RADIUS server parameters as shown:
107
108
22 Click OK. The RADIUS Server dialog is updated as
displayed:
23 Click Apply in the Virtual Private Networks (VPN)
Properties dialog and then click OK.
policy.
25 Click OK in the Apply New Configuration dialog.
26 Restart the ISA Server 2004 firewall machine.
Create an Access Rule Allowing VPN
Clients Access to the Internal Network
The ISA Server 2004 firewall will be able to accept incoming VPN
connections after the restart. However, the VPN clients cannot
access any resources on the internal network because there are
no Access Rules enabling this access. You must create an
Access Rule that allows members of the VPN clients' network
access to the internal network. In contrast to other combined
firewall VPN server solutions, the ISA Server 2004 firewall VPN
server applies access controls for network access to VPN clients.
Microsoft
CHAPTER 7
In this example, you will create an Access Rule allowing all traffic
to pass from the VPN clients network to the internal network. In a
production environment you would create more restrictive access
rules so that users on the VPN clients' network have access only
to resource they require.
¾ To create an Access Rule to allow VPN clients
unrestricted access to the Internal network:
1 In the Microsoft Internet Security and Acceleration Server
2004 management console, expand the server name and
click the Firewall Policy node. Right click the Firewall Policy
node, point to New and click Access Rule.
2 In the Welcome to the New Access Rule Wizard dialog,
enter a name for the rule in the Access rule name field. In
this example the rule is named Remote Access. Click Next.
109
110
3 In the Rule Action dialog, select the Allow option and click
Next.
4 In the Protocols dialog, select All outbound protocols from
the This rule applies to dropdown list. Click Next.
Microsoft
CHAPTER 7
Note:
You can control the protocols that the VPN clients use by
modifying the access rule after you create it.
5 In the Access Rule Sources dialog, click Add.
6 In the Add Network Entities dialog, expand the Networks
folder and double-click. VPN Clients and then click Close.
111
112
7 In the Access Rule Sources dialog click Next.
8 In the Access Rule Destinations dialog, click Add,
Microsoft
CHAPTER 7
9 In the Add Network Entities dialog, expand the Networks
folder and double-click Internal and then click Close.
10 In the Access Rule Destinations dialog click Next.
113
114
11 In the User Sets dialog, accept the default setting, All Users,
and click Next.
Microsoft
CHAPTER 7
12 In the Completing the New Access Rule Wizard dialog,
click Finish.
13 The Microsoft Internet Security & Acceleration Server 2004
page is shown as displayed.
policy.
15 The Apply New Configuration dialog is shown as displayed.
115
116
16 Click OK. The VPN client policy is now at the top of the
Access Policy list.
Create New User Set
Note
If you do not have a user set created, click New, and then follow the
steps in the New User Set Wizard to create a user set for the
individual VPN users or for a group that contains your VPN users.
Microsoft
CHAPTER 7
¾ To create a user set:
1 In the New User Set Wizard, click Add.
2 Select RADIUS. The Add User dialog is displayed.
117
118
3 Select the All Users in Namespace option and click OK. The
Users dialog is updated as displayed:
4 Click Next, and then click Finish in the next dialog to close
the New User Set Wizard.
5 The Add Users dialog is updated with the new group as
displayed:
Microsoft
CHAPTER 7
6 Click Add to add the group for the access rule as displayed:
7 Click Next, and then click Finish to close the access rule
wizard as displayed:
119
120
8 Click Apply to update the firewall policy, and then click OK.
Note
You may have to modify the order in which your rules appear
so that an earlier rule does not prevent this rule from being
applied. To move this access rule up, right-click the rule, and
then click Move Up. When you have finished changing the
order of your firewall policy rules, click Apply to update the
firewall policy, and then click OK.
Enabling Dial-in Access for the
Administrator Account
In non-native mode Active Directory domains, all user accounts
have dial-in access disabled by default. You must enable dial-in
access on a per account basis for these non-Native mode Active
Directory domains. In contrast, native mode Active Directory
domains have dial-in access controlled by Remote Access Policy
by default.
In the example herein, the Active Directory is in Windows Server
2003 mixed mode, therefore you need to manually change the
dial-in settings on the domain user account.
¾ To enable Dial-in access for the Administrator account:
1 Click Start and point to Administrative Tools. Click Active
Directory Users and Computers.
2 In the Active Directory Users and Computers console, click
on the Users node in the left pane. Double click on the
Administrator account in the right pane of the console.
Microsoft
CHAPTER 7
3 Click on the Dial-in tab. In the Remote Access Permission
(Dial-in or VPN) frame, select the Allow access option. Click
Apply and click OK.
4 Close the Active Directory Users and Computers console.
Note:
If you receive a message prompting you to restart the PC in order for
these settings to take effect, you must restart the ISA Server
computer and then continue with the configuration.
The ISA Server 2004 VPN server is now ready to accept VPN
client connections.
¾ To test the VPN Server:
1 On the Windows 2000 external client machine, right-click the
My Network Places icon on the desktop and click
Properties.
2 Double-click the Make New Connection icon in the Network
and Dial-up Connections dialog.
121
122
3 Click Next on the Welcome to the Network Connection
Wizard dialog.
4 In the Network Connection Type dialog, select the Connect
to a private network through the Internet option and click
Next.
Microsoft
CHAPTER 7
5 Select Virtual Private Network connection and click Next.
6 Enter the Company Name and click Next.
123
124
7 In the Destination Address dialog, enter the IP address
192.168.1.70 in the Host name or IP address field. Click
Next.
8 In the Connection Availability dialog, select the For all
users option and click Next.
9 Make no changes to the Internet Connection Sharing dialog
and click Next.
10 In the Completing the Network Connection Wizard dialog,
enter a name for the VPN connection in the Type the name
you want to use for this connection field. In this example,
the connection is called Remote Access.
Microsoft
CHAPTER 7
11 Confirm that the Add a shortcut to my desktop checkbox is
selected. Click Finish.
12 In the Network Connects dialog, right-click the new defined
entry and select Properties. The following dialog is displayed:
125
126
13 Click the Security tab. The following dialog is displayed:
14 Select Advanced as the security option and click Settings. In
the Allow these Protocols area, select the Unencrypted
password (PAP) checkbox as displayed:
Microsoft
CHAPTER 7
15 Click OK and confirm the settings.
Running the VPN Connection
¾ To run the VPN connection:
1 In the Connect Remote Access dialog, enter the username
LAB\administrator and the eToken NG OTP value provided
by clicking on the eToken NG hardware for the administrator
user account.
2 Click Connect. The user is authenticated and connected as
displayed:
127
128
3 Click the Details tab.
OWA Settings
CHAPTER 8
Chapter 8
OWA Settings
Outlook Web Access (or OWA for short) is one of Exchange
Server's best features, allowing you to connect to your corporate
mailbox from virtually any spot on earth as long as you have an
Internet connection and a decent Web browser.
OWA transmits traffic to and from the Web browser in HTTP
(based upon TCP, port 80) and in clear text, meaning that anyone
could potentially "listen" to your talk and grab frames and
valuable information from the net.
To secure the transmission of information between Exchange
Server 2003 and Outlook Web Access clients, you can encrypt
the information being transmitted by using SSL (Secure Sockets
Layer).
Configuring SSL
You can configure SSL for Outlook Web Access on Exchange
Server 2003 in order to encrypt secure information.
Note:
Although the screenshots are made with Exchange 2003 on
Windows Server 2003, the same procedure applies for Exchange
2000 and Windows 2000.
Note:
If you already have valid certificates for your website, skip this phase
and continue at the next one.
129
130
¾ To configure SSL for OWA:
1 Click Start > All Programs > Administrative Tools, and
then click Internet Information Services (IIS) Manager.
2 In the Internet Services Manager console tree, expand
SERVERNAME (your local computer), and then expand Web
Sites.
3 In the console tree, right-click Default Web Site and select
Properties from the popup menu.
OWA Settings
CHAPTER 8
4 In the Default Web Site Properties dialog, click the
Directory Security tab to display the following dialog:
5 In the Directory Security tab, click Server Certificate.
6 In the Welcome to the Web Server Certificate Wizard
dialog, click Next.
131
132
7 In the Server Certificate dialog, select Create a new
certificate, and then click Next.
8 In the Delayed or Immediate Request dialog, select Send
the request immediately to an online certification
authority, and then click Next.
OWA Settings
CHAPTER 8
Note:
If you don't have a Certificate Authority (CA) installed on your
server or on a different server on the network you can prepare
the request but you'll need to manually send it to the CA.
9 In the Name and Security Settings dialog, enter the relevant
domain name, for example,
yourservername.domainname.com in the Name field. (Use
your own registered domain name, the one you want people
to use when browsing to your site.) Then click Next.
Note:
Internet Use: You must make sure that either the Name or the
Common Name fields (one of them or both of them) exactly
match the external FQDN of the website. For example, if your
server's NetBIOS name is SERVER1, and it is located in the
MYINTERNALDOM.LOCAL domain, but it will host a website that
will require you to enter WWW.ALADDIN.COM to reach it, you
must then use WWW.ALADDIN.COM as the Name or Common
Name in the certificate request wizard, and DO NOT use
SERVER1.MYINTERNALDOM.LOCAL.
133
134
Note:
Intranet use: For Intranet-only purposes you can use the internal
FQDN of the server, or even just its NetBIOS name. For example,
if your server's NetBIOS name is SERVER1, and it is located in the
MYINTERNALDOM.LOCAL domain, you can use
SERVER1.MYINTERNALDOM.LOCAL or just SERVER1 for the Name
or the Common Name fields.
You can also optionally change the Bit Length for the
encryption key.
10 In the Organization Information dialog, enter your own
company name in the Organization field. In the
Organizational Unit field, enter a descriptive name and then
click Next.
OWA Settings
CHAPTER 8
11 In the Your Site’s Common Name dialog, enter
yourservername.domainname.com in the Common name
area and then click Next.
12 In the Geographical Information dialog, enter the required
information in the State/province field, and then click Next.
135
136
13 In the SSL Port dialog, verify that 443 is specified in the SSL
port this web site should use field, and then click Next.
14 In the Choose a Certification Authority dialog, verify that
your online CA is selected in the Certification Authorities
field, and then click Next.
OWA Settings
CHAPTER 8
15 In the Certificate Request Submission dialog, click Next to
submit the request, and then click Finish to complete the
wizard.
Using a Certificate to Access OWA
Securely
The OWA Web site supports SSL connections as soon as the
certificate is bound to the site. Perform the following steps to
force an SSL connection to the OWA Web site directory.
¾ To access OWA using a certificate:
1 In Internet Services Manager console tree, expand
SERVERNAME (your local computer), and then expand Web
Sites, then expand Default Web Site.
137
138
2 In the console tree, right-click the Exchange virtual directory,
and then click Properties.
3 In the Default Web Site Properties dialog, in the Directory
Security tab, click Edit in the Secure communications area.
Note:
If Edit is grayed out then you did not successfully install a
certificate for the Default Web Site.
OWA Settings
CHAPTER 8
4 In the Secure Communications dialog, select both the
Require secure channel (SSL) and Require 128-bit
encryption checkboxes, and then click OK to enable SSL.
You may want to restart the World Wide Web Publishing
service, although generally this is not required.
5 Close Internet Information Services (IIS) Manager.
139
140
How to Configure Forms-Based
Authentication OWA
Exchange Server 2003 has greatly improved the Outlook Web
Access experience when compared to older Exchange versions.
Besides the new GUI, spell-checking in different languages,
drag-and-drop features, S/MIME and more, Exchange Server
2003 has added a new logon method that can be used with OWA.
Instead of entering the username and password, OWA displays a
new, attractive logon dialog that enables you to select various
options, when configured with Forms-Based Authentication
(FBA).
Note:
Currently eToken OTP Authentication 1.0 does not support ISA FW
web publishing. This feature will only be supported in 2006 after
Microsoft release a hot fix to support OTP functionality in the Radius
protocol.
OWA Settings
CHAPTER 8
Configuring Forms-Based Authentication
After configuring SSL on the OWA site, you need to enable the
Forms-Based Authentication on the HTTP Virtual Server in
Exchange System Manager.
¾ To configure Forms-Based Authentication in OWA on
Exchange Server 2003:
1 Open the Exchange System Manager.
2 Navigate to your server object.
3 Expand your server object, and expand Protocols.
4 Expand HTTP.
5 Right-click on the Exchange Virtual Server and select
Properties.
141
142
6 In the Settings tab of the Exchange Virtual Server
Properties dialog, select the Enable Forms Based
Authentication checkbox.
7 Click OK, and then click OK again to dismiss the warning
message that is displayed.
OWA Settings
CHAPTER 8
8 Restart the IIS services either from the Services snap-in or
from the IIS Admin snap-in.
Client-side Configuration
There is no client-side configuration required. Point your client's
Web browser to the same URL you used before, but instead of
using HTTP, use HTTPS.
143
144
Now that Forms-Based Authentication is enabled, you need to
enter your username and password in the provided fields on the
OWA Logon dialog.
Note:
You must enter your username in the format of DOMAIN\USERNAME
in order to log on.
IAS Settings
CHAPTER 9
Chapter 9
IAS Settings
If you have not already installed IAS to handle VPN access, you
must install the Internet Authentication Service on a Windows
server that will act as a RADIUS server. You can use domain
controllers for this function, or install IAS on more than one server
to act as a backup. Once you have decided which server or
servers will host IAS, open the Control Panel’s Add or Remove
Programs applet on that server and click on the Add/Remove
Windows Components icon.
Once the Windows Components Wizard is opened, scroll down
the list of components to select Network Services, and click
Options. Select the IAS component, click OK and click Next to
install (you will probably be asked for the installation CD).
145
146
The installation creates a shortcut in Administrative Tools to an
Internet Authentication Service console. Open this shortcut.
Following this, you must allow our new RADIUS server access to
user dial-up properties in the Active Directory. Click on Action,
then Register Server in Active Directory, and finish by clicking
OK in the dialogs that appear.
This process adds the server to the RAS and IAS Servers group
in the domain. If you installed IAS on a domain controller, this
step wasn’t strictly necessary, but does no harm. If you have
multiple domains, you should include your server in the RAS and
IAS Servers group of each domain for which it will need to
access user details.
IAS Settings
CHAPTER 9
Configuring RADIUS Clients in IAS
A RADIUS client is typically a dial-in server, VPN server or
wireless access point that sends user credentials and other
connection details to a RADIUS server. IAS needs to know what
RADIUS clients it is allowed to talk to. Therefore our IAS Server
needs to be included in the IAS Radius client section.
¾ To add a Radius Client:
1 Click Radius Clients in the Tree pane of the Internet
Authentication Service console. Then right-click in the right
pane (or the Action menu) and select New RADIUS Client.
147
148
The New RADIUS Client wizard is displayed.
2 In the Name and Address dialog, enter a friendly name
(Firewall has been used in this example) and the ISA
Server’s internal network IP address. Click Next.
The Additional Information dialog is displayed.
IAS Settings
CHAPTER 9
3 In the Additional Information dialog, select Microsoft from
the Client-Vendor dropdown list, and define the following
additional parameters:
Shared secret: Enter a password known to RADIUS client
and server. This is used in an encryption process to obscure
certain details in RADIUS messages such as user passwords.
Request must contain the Message Authenticator
attribute: Select this option to require the client to calculate a
‘hash’ of its RADIUS message contents using the shared
secret, and include it in that message. Our RADIUS/IAS
server can compare this hash with one it produces of the
same message to ensure the contents haven’t been tampered
with and came from a known source.
This security only applies to messages between RADIUS client
and RADIUS server. The communications across a public
network between Web client and NAS Server (our RADIUS client)
are, in this scenario, secured using SSL (HTTPS) or IPSec.
The configuration of the RADIUS clients in IAS is complete. If you
need to change any settings for this client, you can do so through
its properties.
149
150
Configuring Remote Access Policies in IAS
A Remote Access Policy determines who is granted access and
who is not. The policy conditions are best kept isolated within
each policy.
¾ To configure remote access policies:
1 In the IAS console, select Remote Access Policies in the
Tree pane. Some default deny rules are displayed (this
example is from Windows 2003).
2 Right-click the Action menu, and select the New Remote
Access Policy.
The New Remote Access Policy Wizard is displayed.
3 Click Next in the Welcome dialog.
IAS Settings
CHAPTER 9
4 In the Policy Configuration Method dialog, select Set up a
custom policy and enter a policy name. Then click Next.
5 In the Policy Conditions dialog, click Add. Select the
Authentication-Type Attribute type and click Add.
6 In the Authentication-Type dialog, select PAP in the
Available types list and click Add. PAP is moved to the
selected types list. Then click OK.
151
152
Note:
NAS only uses PAP and unencrypted RADIUS messages in its
RADIUS authentication method for Web access: This is not
recommended for any other form of RADIUS authentication,
therefore you isolate this policy. Apart from the small chance of
configuring a VPN that could potentially use this policy with dire
consequences, PAP is perfect for Web access authentication
because the remote client uses HTTP over SSL (HTTPS) to keep
passwords safe and data encrypted over the public network.
Note:
When using the third OTP mode (which is not described in this
integration guide) by using two-factor authentication based on
a second password (OTP PIN) that is managed through the OTP
TMS connector, enter your username in the User Name field
and the OTP + OTP PIN in the Password field on the URL for
Clientless VPN or in the client login dialog if using traditional
VPN. It is then possible to select MS- CHAP.
7 In the Policy Conditions dialog, click Add again. This time
select NAS-IP-Address from the list of attribute types and
click Add. Enter the IP address for the ISA Server as
displayed:
IAS Settings
CHAPTER 9
8 Repeat the step and select the Windows-Groups attribute
type. The dialog requires a Windows security group (add a
group using the Add button). In the displayed dialog, the
Domain Users group has been added, but you can use
another more restrictive group.
9 In the Policy Conditions dialog, the following conditions are
displayed:
153
154
The policy conditions previously configured should ensure
that only the ISA Server can send RADIUS authentication
requests that fit this policy; any other RADIUS client you may
configure will not match the IP address. However, as
previously mentioned, if the ISA Server is also a VPN or dialin server you must correctly configure it to avoid a VPN client
using PAP and plain text passwords across the public
network.
10 Click Next. In the Permissions dialog, select Grant remote
access permission and then click Next.
The wizard’s Profile dialog is displayed. The policy conditions
configured above determine the criteria for matching a
RADIUS authentication request with this policy. The profile
determines the connection parameters this policy enforces if
the policy conditions match.
Hint:
To view the attributes available for entering in policy conditions,
enable logging of authentication requests in the System Event
Log. This is done from the IAS property dialogs accessed by
right-clicking Internet Authentication Service (Local) in the IAS
console.
IAS Settings
CHAPTER 9
11 To enable the new Remote Access policy, in the IAS
Console, select Remote Access Policies in the Tree pane.
The new policy is available in the right pane
12 Right-click on the new policy and click on Properties
13 The Web access RADIUS authentication Properties dialog
is shown as displayed. Click Edit Profile to open the Edit
Dial-in Profile dialog.
155
156
14 To ensure that any matching rogue RADIUS requests
requiring encryption are rejected by this particular policy,
select the Authentication tab and clear all of the checkboxes
with the exception of the Unencrypted authentication (PAP,
SPAP) checkbox, which should remain selected. The policy
conditions specified PAP only, so additional checks are not
required here.
IAS Settings
CHAPTER 9
15 Select the Encryption tab. Clear all of the checkboxes with
the exception of the No Encryption checkbox, which should
remain selected. Click OK.
16 Click No in the pop-up window. When you return to the
Profile dialog of the wizard, click Next and click Finish in the
final dialog of the wizard.
Should you need to check or edit the policy you have just
created, all the options you have just configured are available
in the Properties dialog for the policy.
157
158

Integration Guide for eToken NG OTP with Check Point FW1 ™ R55

Transcription

Similar documents

Virtual card - AB Credit Card Portal Login

bank muscat online payment procedure

Log on to www.onlinesbi.com

1. - FOIS - Indian Railways

Secure Connect Columbitech Mobile VPN

The Safest Way to Surf

Instructions for installing and using the qualified digital

AlAhliToken

5th September 2013

Communication instrument which can be used in