Integration Guide for eToken NG OTP with Check Point FW1 ™ R55
Integration Guide for eToken OTP Authentication Module with Security Solutions
February, 2005

Contact Information

Support
If you have any questions regarding this package, its documentation and content or how to obtain a valid software license you may contact your local reseller or Aladdin's technical support team:

Country / Region | Support Email | Telephone
USA | [email protected] | 1-212-329-6658, 1-800-223-4277
EUROPE: Austria, Belgium, France, Germany, Netherlands, Spain, Switzerland, UK | [email protected] | 00800-22523346
Ireland | [email protected] | 0011800-22523346
Rest of the World | [email protected] | +972-3-6362266 ext 2

Website: http://www.Aladdin.com/etoken

COPYRIGHTS AND TRADEMARKS
The eToken system and its documentation are copyrighted © 1985 to present, by Aladdin Knowledge Systems Ltd. All rights reserved. eToken is a trademark and ALADDIN KNOWLEDGE SYSTEMS LTD is a registered trademark of Aladdin Knowledge Systems Ltd. All other trademarks, brands, and product names used in this guide are trademarks of their respective owners.

This manual and the information contained herein are confidential and proprietary to Aladdin Knowledge Systems Ltd. (hereinafter “Aladdin”). All intellectual property rights (including, without limitation, copyrights, trade secrets, trademarks, etc.) evidenced by or embodied in and/or attached/connected/related to this manual, information contained herein and the Product, are and shall be owned solely by Aladdin. Aladdin does not convey to you an interest in or to this manual, information contained herein and the Product, but only a limited right of use. Any unauthorized use, disclosure or reproduction is a violation of the licenses and/or Aladdin's proprietary rights and will be prosecuted to the full extent of the Law.

DISCLAIMER
NEITHER ALADDIN NOR ANY OF ITS WORLDWIDE SUBSIDIARIES AND DISTRIBUTORS SHALL BE OBLIGATED IN ANY MANNER IN RESPECT OF BODILY INJURY AND/OR PROPERTY DAMAGE ARISING FROM THIS PRODUCT OR THE USE THEREOF.
EXCEPT AS STATED IN THE ETOKEN END USER LICENSE AGREEMENT, THERE ARE NO OTHER WARRANTIES, EXPRESSED OR IMPLIED, REGARDING ALADDIN'S PRODUCTS, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The product must be used and maintained in strict compliance with instructions and safety precautions contained herein, in all supplements hereto and according to all terms of its End User License Agreement. This product must not be modified or changed without the written permission of the copyright holder. All attempts have been made to make the information in this document complete and accurate. Aladdin is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications in this document are subject to change without notice.

ALADDIN KNOWLEDGE SYSTEMS LTD. eTOKEN ENTERPRISE END USER LICENSE AGREEMENT

IMPORTANT INFORMATION - PLEASE READ THIS AGREEMENT CAREFULLY BEFORE OPENING THE PACKAGE AND/OR USING THE CONTENTS THEREOF AND/OR BEFORE DOWNLOADING OR INSTALLING THE SOFTWARE PROGRAM. ALL ORDERS FOR AND USE OF THE eTOKEN ENTERPRISE PRODUCTS (including without limitation, libraries, utilities, diskettes, CD-ROM, eToken™ keys and the accompanying technical documentation) (hereinafter “Product”) SUPPLIED BY ALADDIN KNOWLEDGE SYSTEMS LTD. (or any of its affiliates - either of them referred to as “ALADDIN”) ARE AND SHALL BE, SUBJECT TO THE TERMS AND CONDITIONS SET FORTH IN THIS AGREEMENT. BY OPENING THE PACKAGE CONTAINING THE PRODUCTS AND/OR BY DOWNLOADING THE SOFTWARE (as defined hereunder) AND/OR BY INSTALLING THE SOFTWARE ON YOUR COMPUTER AND/OR BY USING THE PRODUCT, YOU ARE ACCEPTING THIS AGREEMENT AND AGREEING TO BE BOUND BY ITS TERMS AND CONDITIONS.
IF YOU DO NOT AGREE TO THIS AGREEMENT DO NOT OPEN THE PACKAGE AND/OR DOWNLOAD AND/OR INSTALL THE SOFTWARE AND PROMPTLY (within 7 days from the date you received this package) RETURN THE PRODUCTS WITH THE ORIGINAL PACKAGE AND THE PROOF OF PAYMENT TO ALADDIN, ERASE THE SOFTWARE, AND ANY PART THEREOF, FROM YOUR COMPUTER AND DO NOT USE IT IN ANY MANNER WHATSOEVER.

1. Title & Ownership.
The object code version of the software component of Aladdin’s eToken Enterprise Product, including any revisions, corrections, modifications, enhancements, updates and/or upgrades thereto about to be installed by you, (hereinafter in whole or any part thereof defined as: "Software"), and the related documentation, ARE NOT FOR SALE and are and shall remain in Aladdin’s sole property. All intellectual property rights (including, without limitation, copyrights, trade secrets, trademarks, etc.) evidenced by or embodied in and/or attached/connected/related to the Product, are and shall be owned solely by Aladdin. This Agreement does not convey to you an interest in or to the Software, but only a limited right of use revocable in accordance with the terms of this Agreement. Nothing in this Agreement constitutes a waiver of Aladdin’s intellectual property rights under any law.

2. License.
Subject to payment of applicable fees, Aladdin hereby grants to you, and you accept, a personal, nonexclusive and fully revocable limited License to use the Software, in executable form only, as described in the Software accompanying technical documentation and only according to the terms of this Agreement: (i) you may install the Software and use it on computers located in your place of business, as described in Aladdin’s related documentation; and (ii) you may merge and link the Software into your computer programs for the sole purpose described in the accompanying technical guide provided by Aladdin (“Technical Guide”).

3. Prohibited Uses.
The Product must be used and maintained in strict compliance with the instruction and safety precautions of Aladdin contained herein, in all supplements thereto and in any other written documents of Aladdin. Except as specifically permitted in Sections 1 and 2 above, you agree not to (i) use, modify, merge or sub-license the Software or any other of Aladdin’s Products, except as expressly authorized in this Agreement and in the Technical Guide; and (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share your rights under this License with/to anyone else; and (iii) modify, disassemble, decompile, reverse engineer, revise or enhance the Software or attempt to discover the Software’s source code; and (iv) place the Software onto a server so that it is accessible via a public network; and (v) use any back-up or archival copies of the Software (or allow someone else to use such copies) for any purpose other than to replace an original copy if it is destroyed or becomes defective. If you are a member of the European Union, this agreement does not affect your rights under any legislation implementing the EC Council Directive on the Legal Protection of Computer Programs. If you seek any information within the meaning of that Directive you should initially approach Aladdin.

4. Maintenance and Support.
Aladdin has no obligation to provide support, maintenance, upgrades, modifications, or new releases under this Agreement.

5. Limited Warranty.
Aladdin warrants, for your benefit alone, that (i) the Software, when and as delivered to you, and for a period of three (3) months after the date of delivery to you, will perform in substantial compliance with the Technical Guide, provided that it is used on the computer hardware and with the operating system for which it was designed; and (ii) that the eToken™ key, for a period of twelve (12) months after the date of delivery to you, will be substantially free from significant defects in materials and workmanship.

6. Warranty Disclaimer.
ALADDIN DOES NOT WARRANT THAT ANY OF ITS PRODUCT(S) WILL MEET YOUR REQUIREMENTS OR THAT ITS OPERATION WILL BE UNINTERRUPTED OR ERROR-FREE. TO THE EXTENT ALLOWED BY LAW, ALADDIN EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES NOT STATED HEREIN AND ALL IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO ALADDIN’S DEALER, DISTRIBUTOR, RESELLER, AGENT OR EMPLOYEE IS AUTHORIZED TO MAKE ANY MODIFICATIONS, EXTENSIONS, OR ADDITIONS TO THIS WARRANTY. If any modifications are made to the Software or to any other part of the Product by you during the warranty period; if the media and the eToken™ key is subjected to accident, abuse, or improper use; the Product has not been properly installed, operated, repaired or maintained in accordance with the instructions supplied by Aladdin; the Product has been subjected to abnormal physical or electrical stress, negligence or accident; or if you violate any of the terms of this Agreement, then the warranty in Section 5 above, shall immediately be terminated. The warranty shall not apply if the Software is used on or in conjunction with hardware or program other than the unmodified version of hardware and program with which the Software was designed to be used as described in the Technical Guide.

7. Limitation of Remedies.
In the event of a breach of this warranty, Aladdin's sole obligation shall be, at Aladdin's sole discretion: (i) to replace or repair the Product, or component thereof, that does not meet the foregoing limited warranty, free of charge; (ii) to refund the price paid by you for the Product, or component thereof. Any replacement or repaired component will be warranted for the remainder of the original warranty period or 30 days, whichever is longer. Warranty claims must be made in writing during the warranty period and within seven (7) days of the observation of the defect accompanied by evidence satisfactory to Aladdin. All Products should be returned to the distributor from which they were purchased (if not purchased directly from Aladdin) and shall be shipped by the returning party with freight and insurance paid. The Product or component thereof must be returned with a copy of your receipt.

8. Exclusion Of Consequential Damages.
The parties acknowledge that Product is inherently complex and may not be completely free of errors. ALADDIN SHALL NOT BE LIABLE (WHETHER UNDER CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE) TO YOU, OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE (INCLUDING INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES), INCLUDING, WITHOUT LIMITATION, ANY LOSS OR DAMAGE TO BUSINESS EARNINGS, LOST PROFITS OR GOODWILL AND LOST OR DAMAGED DATA OR DOCUMENTATION, SUFFERED BY ANY PERSON, ARISING FROM AND/OR RELATED WITH AND/OR CONNECTED TO DELIVERY, INSTALLATION, USE OR PERFORMANCE OF THE PRODUCT AND/OR ANY COMPONENT OF THE PRODUCT, EVEN IF ALADDIN IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9. Limitation Of Liability.
IN THE EVENT THAT, NOTWITHSTANDING THE TERMS OF THIS AGREEMENT, ALADDIN IS FOUND LIABLE FOR DAMAGES BASED ON ANY DEFECT OR NONCONFORMITY OF ITS PRODUCT(S), ITS TOTAL LIABILITY FOR EACH DEFECTIVE PRODUCT SHALL NOT EXCEED THE PRICE PAID TO ALADDIN FOR SUCH PRODUCT.

10. Termination.
Your failure to comply with the terms of this Agreement shall terminate your license and this Agreement. Upon termination of this Agreement: (i) the License granted to you in this Agreement shall expire and you, upon termination, shall discontinue all further use of the Software and other licensed Product(s); and (ii) you shall promptly return to Aladdin all tangible property representing Aladdin’s intellectual property rights and all copies thereof and/or shall erase/delete any such information held by it in electronic form. Sections 1, 3, 6-11 shall survive any termination of this Agreement.

11. Governing Law & Jurisdiction.
This Agreement shall be construed and governed in accordance with the laws of Israel (except for conflict of law provisions) and only the courts in Israel shall have jurisdiction in any conflict or dispute arising out of this Agreement. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded. The failure of either party to enforce any rights granted hereunder or to take action against the other party in the event of any breach hereunder shall not be deemed a waiver by that party as to subsequent enforcement of rights or subsequent actions in the event of future breaches.

12. Government Regulation and Export Control.
You agree that the Product will not be shipped, transferred, or exported into any country or used in any manner prohibited by applicable law. It is stipulated that the Product is subject to certain export control laws, rules, and/or regulations, including, without limiting the foregoing, to the United States and/or Israeli export control laws, rules, and/or regulations. You undertake to comply in all respects with the export and re-export restriction as set forth herein and any update made thereto from time to time.

13. Third Party Software.
Product contains third party software, as set forth in Exhibit A.
Such third party’s software is provided “As Is” and use of such software shall be governed by the terms and conditions as set forth in Exhibit A. If the Product contains any software provided by third parties other than the software noted in Exhibit A, such third party’s software are provided “As Is” and shall be subject to the terms of the provisions and condition set forth in the agreements contained/attached to such software. In the event such agreements are not available, such third party software shall be provided “As Is” without any warranty of any kind and Sections 2, 3, 6, 8, 9-12 of this Agreement shall apply to all such third party software providers and third party software as if they were Aladdin and the Product respectively.

14. Miscellaneous.
This Agreement represents the complete agreement concerning this License and may be amended only by a written agreement executed by both parties. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable.

I HAVE READ AND UNDERSTOOD THIS AGREEMENT AND AGREE TO BE BOUND BY ALL OF THE TERMS.

FCC Compliance
eToken USB has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
a. Reorient or relocate the receiving antenna.
b. Increase the separation between the equipment and receiver.
c. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
d. Consult the dealer or an experienced radio/TV technician.

FCC Warning
Modifications not expressly approved by the manufacturer could void the user authority to operate the equipment under FCC rules. All of the above applies also to the eToken USB. FCC authorities have determined that the rest of the eToken product line does not contain a Class B Computing Device Peripheral and therefore does not require FCC regulation.

CE Compliance
The eToken product line complies with the CE EMC Directive and related standards*. eToken products are marked with the CE logo and an eToken CE conformity card is included in every shipment or upon demand.
*EMC directive 89/336/EEC and related standards EN 55022, EN 50082-1.

UL Certification
The eToken product line successfully completed UL 94 Tests for Flammability of Plastic Materials for Parts in Devices and Appliances. eToken products comply with UL 1950 Safety of Information Technology Equipment regulations.

ISO 9002 Certification
The eToken product line is designed and manufactured by Aladdin Knowledge Systems, an ISO 9002-certified company. Aladdin's quality assurance system is approved by the International Organization for Standardization (ISO), ensuring that Aladdin products and customer service standards consistently meet specifications in order to provide outstanding customer satisfaction.

Certificate of Compliance
Upon request, Aladdin Knowledge Systems will supply a Certificate of Compliance to any software developer who wishes to demonstrate that the eToken product line conforms to the specifications stated. Software developers can distribute this certificate to the end user along with their programs.

Table of Contents
Chapter 1
  Introduction
  The Challenge
  Solution
  Prerequisites
  OTP Authentication Modes
Chapter 2
  OTP Overview
Chapter 3
  IAS Overview
Chapter 4
  VPN Environment Settings
  Traditional VPN Overview
  Clientless VPN Overview
Chapter 5
  Check Point
  Check Point Traditional VPN Setup
    Server Configuration
    SecureClient Configuration with OTP
  Check Point Clientless VPN Setup
    Server Configuration
    Prerequisites
    Check Point Connectra Setup
Chapter 6
  Cisco
  Cisco Traditional VPN Setup
    Server Configuration
    Prerequisites
  Cisco Clientless VPN Setup
    Server Configuration
Chapter 7
  Microsoft
  Microsoft Traditional VPN Setup
    Server Configuration
    Create an Access Rule Allowing VPN Clients Access to the Internal Network
    Create New User Set
    Enabling Dial-in Access for the Administrator Account
    Running the VPN Connection
Chapter 8
  OWA Settings
  Configuring SSL
    Using a Certificate to Access OWA Securely
    How to Configure Forms-Based Authentication OWA
Chapter 9
  IAS Settings
    Configuring RADIUS Clients in IAS
    Configuring Remote Access Policies in IAS

Chapter 1 Introduction

The purpose of this document is to show how the eToken NG OTP offering, working together with various leading VPN vendors such as Cisco, Check Point, and Microsoft, can implement strong user authentication through the RADIUS protocol.
This document covers both clientless SSL VPN and IPSec VPN technologies for connecting user communities, depending on their access environments and access requirements. The solutions in this document describe the principal steps in placing Aladdin's One-Time Password authentication in front of an IAS RADIUS server extended with the eToken OTP plug-in.

The Challenge
In today's world, most enterprise applications impose an access control mechanism and require user identification before access is permitted. Most applications rely on the old-fashioned username and password concept to allow access. However, using a password has several disadvantages: passwords are costly to administer, hard to remember and vulnerable to attack. Static passwords can be copied, "sniffed" or cracked if they are not strong enough.

Solution
Traditional IPSec VPNs and clientless SSL Web-based VPNs help businesses deliver applications to remote staff, mobile employees, business partners, suppliers and customers. Both traditional and clientless VPNs allow remote users to securely access business applications, files and data on your network, from anywhere, with a VPN client or a Web browser. eToken NG enables users to generate One-Time Passwords to ensure a higher security level when accessing e-business and e-banking applications and to allow for more secure transactions. By using eToken NG OTP technology, you eliminate the weakest link in any security infrastructure: the use of static passwords that are easily stolen, guessed, reused, or shared.

Prerequisites
For full integration and successful implementation of the eToken Authentication Module, as described in this Integration Guide, verify that the following prerequisites are fulfilled:
• Good knowledge and understanding of Microsoft technology, specifically:
  • Active Directory (AD)
  • Internet Authentication Service (IAS)
• Good knowledge and understanding of Aladdin eToken solutions, specifically:
  • eToken PKI
  • eToken Token Management System (TMS)
Knowledge and understanding of at least one of the following firewall solutions is imperative: Cisco, Check Point or Microsoft.

OTP Authentication Modes
The eToken OTP Authentication Module can be implemented in one of the following ways:
• Using the OTP dynamic value instead of a static password. In this mode the user enters the username and the OTP value displayed on the token in the Password field, on the login page for clientless VPN or in the client login dialog for traditional VPN. Only possession of the token is verified; no static secret is checked.
• Using two-factor authentication, that is, both the OTP and the user's network password, in order to gain access to the network. The user enters the username and the OTP + network password in the Password field, on the login page for clientless VPN or in the client login dialog for traditional VPN. Because the static network password travels together with the OTP, the link between the user's machine and the RADIUS client (for example, RRAS) should be encrypted, with IPSec or another method.
• Using two-factor authentication based on a second password (OTP PIN) that is managed through the OTP TMS connector. The user enters the username and the OTP + OTP PIN in the Password field, on the login page for clientless VPN or in the client login dialog for traditional VPN.
In the scope of this Integration Guide, only the first mode is discussed in detail. For information or assistance concerning the additional methods, please contact the eToken Technical Support Center.

Chapter 2 OTP Overview

The eToken NG OTP supports the One-Time Password (OTP) algorithm submitted to the Internet Engineering Task Force (IETF) by the Initiative for Open AuTHentication (OATH).
OATH is an industry initiative with the mission to drive the ubiquity of strong authentication across all networks, applications and devices. The HOTP (HMAC-based One-Time Password) algorithm is based on an increasing counter value and a static symmetric key known only to the eToken NG OTP and the validation service, which is the OTP plug-in on the IAS. The algorithm is event-based, so it can be embedded in high-volume devices such as Java smart cards, USB dongles and GSM SIM cards. The basic building block of HOTP computes an HMAC-SHA-1 value over the counter and applies a truncation step to extract the HOTP value:

HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))

where K is the key and C is the moving factor (the counter). The key and the moving factor are generated on the eToken NG OTP during user enrollment with the TMS using the OTP connector.

During the enrollment of an OTP profile on an eToken NG, the OTP parameters (key and moving factor) are generated on the eToken NG OTP and saved as a virtual token under the user object in Active Directory. The eToken OTP plug-in is implemented using the Internet Authentication Service Extensions (IASE) API, which enables software developers to write their own extensions to IAS. IASE allows the eToken plug-in to implement the OATH authentication method for remote access. When the VPN server (RADIUS client) forwards authentication requests to the IAS RADIUS server, the OTP plug-in installed on the IAS server validates the OTP against the virtual token saved in the user object in AD.

Chapter 3 IAS Overview

RADIUS is a client-server protocol that enables network access equipment (used as RADIUS clients) to submit authentication and accounting requests to a RADIUS server. The IAS RADIUS server has access to user account information in Active Directory and can check network access authentication credentials.
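The HOTP computation from Chapter 2, together with the check the validation service performs against the stored key and moving factor, as an added example that is not part of this guide or of Aladdin's code. The OATH draft the guide refers to was later published as RFC 4226, whose published test key is used here; the 6-digit length, the look-ahead window of 10, the scenario and all class and function names are assumptions made for the example.

```python
"""Added example (not from the guide): HOTP generation and server-side
validation, HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) as published in RFC 4226.
The key, digit count (6), look-ahead window (10) and scenario are assumptions."""
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Compute one HOTP value for key K and moving factor C.

    C is fed to HMAC-SHA-1 as an 8-byte big-endian integer. Truncate() takes
    the low 4 bits of the last MAC byte as an offset, reads the 4 bytes that
    start there, clears the top bit and reduces modulo 10^digits.
    """
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenDevice:
    """The user's side: each button press emits HOTP for the current counter
    and advances it, whether or not the value is ever submitted."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> str:
        otp = hotp(self.key, self.counter)
        self.counter += 1
        return otp


class VirtualToken:
    """The validation service's side: the key and the next expected counter,
    i.e. what the guide calls the virtual token stored under the AD user.

    A look-ahead window tolerates a device whose counter ran ahead (presses
    that never reached the server). Counters at or below the last accepted
    one are never tried again, so a value that was already used, or observed
    earlier and submitted later, is rejected."""

    def __init__(self, key: bytes, counter: int = 0, look_ahead: int = 10):
        self.key, self.counter, self.look_ahead = key, counter, look_ahead

    def validate(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, c), otp):
                self.counter = c + 1      # resynchronise and burn this value
                return True
        return False                      # outside the window, or a replay


def walkthrough() -> dict:
    """Constructed scenario: the RFC 4226 test key, one accepted press, three
    presses that are never submitted, one that is, then a replay of it."""
    key = b"12345678901234567890"         # RFC 4226 test-vector secret
    device, server = TokenDevice(key), VirtualToken(key)
    first = server.validate(device.press())        # counter 0
    for _ in range(3):
        device.press()                             # counters 1-3 never sent
    submitted = device.press()                     # counter 4
    resync = server.validate(submitted)            # found inside the window
    replay = server.validate(submitted)            # same value again
    return {"first": first, "resync": resync, "replay": replay,
            "next_counter": server.counter}


if __name__ == "__main__":
    print(walkthrough())
```

The window is what keeps a counter-based token usable after unsubmitted presses, but it is also the number of future values an attacker who captured one OTP could try to outrun; keep it small and resynchronise only forward. Moving the stored counter past the accepted value is the step that makes the password one-time.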
If the credentials are authentic and the connection attempt is authorized, the RADIUS server authorizes the access on the basis of specified conditions and logs the network access connection in an accounting log.

A RADIUS client (typically a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers. Additionally, the RADIUS standards support the use of RADIUS proxies. A RADIUS proxy is a computer that forwards RADIUS messages between RADIUS-enabled computers.

IAS supports the Internet Engineering Task Force (IETF) standards for RADIUS described in RFCs 2865 and 2866. When an IAS server is a member of an Active Directory® domain, IAS uses the directory service as its user account database and is part of a single sign-on solution: the same set of credentials is used for network access control (authenticating and authorizing access to a network) and to log on to an Active Directory domain. When the eToken OTP plug-in extension is implemented with IAS, the OTP plug-in installed on the IAS server validates the OTP against the virtual token saved in the user object in AD.

Chapter 4 VPN Environment Settings

A typical company has a central site connected to the Internet through a router. A branch office exists and is also connected to the Internet. Some people travel a lot and can be considered remote users. Other people work from their home office. When at the central site, users have access to applications and files, printing and e-mail. For remote, branch office or home office users this tends to be more complicated and sometimes leads to problems.
The VPN server is installed in the corporate network behind the broadband Internet access router. It connects to both the WAN and the LAN using two separate Ethernet ports. Remote users either enter the URL of the VPN server in their Web browser for a clientless, SSL-encrypted VPN session, or enter their credentials in the traditional VPN client for an IPSec-encrypted tunnel.

The VPN server uses external authentication: users are authenticated through an IAS RADIUS authentication server. The VPN servers operate as RADIUS clients and pass the credentials from the client to the RADIUS server for end-user OTP authentication.

By introducing eToken NG OTP on the user side, strong user authentication can be obtained. The eToken NG OTP generates a One-Time Password (OTP). The user enters a username in the User Name field and the OTP in the Password field, on the login page for clientless VPN or in the client login dialog for traditional VPN. The VPN server (RADIUS client) forwards the authentication request to the IAS RADIUS server. The IAS RADIUS server verifies the One-Time Password against the virtual token in Active Directory. If authentication succeeds, the user is granted access through the VPN server.

Notes:
1. In this Integration Guide, when using traditional VPN access, authentication is based on OTP only. In the clientless VPN solutions presented in the following chapters, after the SSL VPN tunnel is established, a second authentication with username and password is required in front of the specific internal resource (OWA, Outlook Web Access), in order to provide an additional layer of security.
2. You may already have IAS installed to handle VPN access and/or Outlook over the Web.
If not, refer to Chapter 8, Configuring SSL, for information about OWA configuration and Chapter 9, Configuring RADIUS Clients in IAS, for information about IAS configuration.

3. In order to enable eToken NG with OTP capability, the assumption is made that the basic necessary configuration of the TMS and OTP connector has already been done. For more information on OTP configuration, refer to the eToken OTP Authentication Admin Guide.

4. In this document only the first OTP solution described in the OTP authentication modes section is presented. For more information about the OTP authentication modes, refer to the eToken OTP Authentication Admin Guide.

Traditional VPN Overview

The first scenario described in this Integration Guide is a VPN server installed into the corporate network behind the broadband Internet access router, responding to VPN clients that wish to access the protected internal resources. The NAS requires user authentication with a One-Time Password during IPSec tunnel establishment. Upon successful authentication, a remote user is granted access to the protected network and is able to access his or her OWA (Outlook Web Access) account. In this Integration Guide, you perform an additional authentication in front of OWA with username and password.

The following prerequisites should be configured to support OTP authentication with the security gateway, using VPN client software to support VPN tunnels:

• Define the NAS as a RADIUS client to support user authentication with MS IAS.
• Install TMS and configure the OTP plug-in on IAS.
• Enroll remote users with OTP profiles and configure the VPN client software to access the network protected by the NAS.

When all configuration issues are completed, launch the VPN client software and enter your username and One-Time Password in the authentication dialog. If the VPN tunnel is successfully established, you are granted access to the protected network.
IPSec VPN gateways are usually implemented on the perimeter firewall and permit or deny remote access to entire private subnets.

Clientless VPN Overview

The second scenario described in this Integration Guide is an SSL VPN server installed into the corporate network behind the broadband Internet access router, responding to SSL VPN clients that wish to access the protected internal resources. SSL is better suited for scenarios where trust is limited or where installed certificates are impractical, such as business partner desktops, public kiosk PCs and personal home computers. The Network Access Server (NAS), which acts as a Web proxy, responds to HTTPS requests for access to protected Web resources. You are required to authenticate before accessing a Web resource. Upon successful authentication the remote user is granted access to the protected network and is able to access his or her OWA account after performing an additional authentication in front of OWA.

In any of the described security solution configurations, the following prerequisites should be configured in order to support OTP:

• Set up the NAS to support SSL VPN tunnels (clientless).
• Define the NAS as a RADIUS client to support user authentication with MS IAS.
• Install TMS and configure the OTP plug-in on IAS.
• Enroll remote users with OTP profiles.

When all configuration issues are completed, launch a browser and enter the OWA URL on port 443. During SSL tunnel establishment you are required to authenticate with a username and One-Time Password in the authentication dialog. If the SSL tunnel is successfully established, the user is redirected to the OWA authentication form. At this point, you authenticate once more with the domain username and password in front of OWA to access the user account.
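The RADIUS exchange that Chapter 3 above describes (the NAS sends the credentials in an Access-Request, IAS answers with an Access-Accept or Access-Reject, per RFC 2865) and the Class attribute that Chapter 5 has IAS return to Connectra so that the portal can place the user in a group are both carried through in the following Python script. It is an added example written for this page, not code from Aladdin, Microsoft IAS or Check Point: the shared secret, user name, NAS address, OTP value and group name are constructed, and the OTP check is a stand-in dictionary lookup rather than the IAS OTP plug-in's validation against the virtual token in Active Directory. It shows what the shared secret protects when the IAS remote access policy is set to Unencrypted Authentication (PAP), as Chapter 5 does: the OTP travels in the User-Password attribute, hidden only by an MD5 stream keyed with the shared secret and the Request Authenticator, and the NAS can only trust the reply by recomputing the Response Authenticator with the same secret.

```python
# RADIUS Access-Request / Access-Accept exchange (RFC 2865), both sides.
# Added example: the NAS (Check Point gateway or Connectra) is the RADIUS client,
# IAS the server. Every secret, name, address and OTP value below is constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3         # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS = 1, 2, 4, 25  # attribute types
SHARED_SECRET = b"constructed-shared-secret"  # the Shared Secret entered on IAS and on the NAS
NAS_IP = bytes([192, 0, 2, 1])                # constructed documentation address

def hide_password(password, authenticator, secret):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def reveal_password(hidden, authenticator, secret):
    """Inverse of hide_password; strips the NUL padding (a password may not end in NUL)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type-Length-Value attributes; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def client_access_request(username, otp, secret, ident=1, authenticator=None):
    """NAS side: a fresh random Request Authenticator keys the User-Password hiding."""
    auth = authenticator or os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(otp.encode(), auth, secret)),
                         (NAS_IP_ADDRESS, NAS_IP)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth

def server_respond(request, secret, valid_otps, group_of):
    """IAS side: unhide the OTP, check it, answer Accept (with Class) or Reject.
    valid_otps is a constructed stand-in for the OTP plug-in's check against AD."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a[USER_NAME].decode()
    otp = reveal_password(a[USER_PASSWORD], req_auth, secret).decode(errors="replace")
    if otp in valid_otps.get(user, set()):
        valid_otps[user].discard(otp)  # one-time: the same OTP replayed must be refused
        resp_code, resp_attrs = ACCESS_ACCEPT, [(CLASS, group_of[user].encode())]
    else:
        resp_code, resp_attrs = ACCESS_REJECT, []
    body = encode_attrs(resp_attrs)
    header = struct.pack("!BBH", resp_code, ident, 20 + len(body))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def client_check_response(response, req_auth, secret, ident=1):
    """NAS side: trust the reply only if its Response Authenticator verifies; return (granted, group)."""
    code, resp_ident, resp_auth, attrs = parse_packet(response)
    if resp_ident != ident:
        raise ValueError("identifier mismatch: reply does not belong to this request")
    expected = hashlib.md5(response[:4] + req_auth + encode_attrs(attrs) + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    group = next((v.decode() for t, v in attrs if t == CLASS), None)
    return code == ACCESS_ACCEPT, group

def run_exchange(username, otp, valid_otps, group_of, secret=SHARED_SECRET):
    """One complete round trip: Access-Request out, verified Accept/Reject back."""
    request, req_auth = client_access_request(username, otp, secret)
    return client_check_response(server_respond(request, secret, valid_otps, group_of), req_auth, secret)

if __name__ == "__main__":
    store, groups = {"alice": {"483920"}}, {"alice": "OTP_Users"}  # constructed OTP and AD group
    print(run_exchange("alice", "483920", store, groups))  # (True, 'OTP_Users')
    print(run_exchange("alice", "483920", store, groups))  # (False, None): replay refused
```

Two points the script makes concrete for the deployments in this guide: the User-Password hiding is reversible by anyone holding the shared secret, so the RADIUS server object's Shared Secret (Chapter 5, step 4 of the RADIUS object configuration) is the only thing standing between a packet capture on the NAS-to-IAS path and the OTP, and the FW-1 rule that restricts the Radius service to the Connectra-to-Radius_Server pair is what keeps that path short; and a reply whose Response Authenticator does not verify (wrong secret, or a reply not belonging to the outstanding request identifier) must be dropped rather than treated as a reject, because an Access-Accept that is not authenticated by the secret is worthless.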
Chapter 5 Check Point

Check Point Traditional VPN Setup

In this section the Check Point SecureClient is configured to support user authentication with OTP, to establish a VPN tunnel to the internal network and access protected resources. In general, the following major steps should be performed:

• Configure Check Point with Active Directory.
• Configure the FW-1 policy to support SecureClient encrypted connection requests to the GW.
• Install SecureClient on the client machine and configure it with username and password authentication.

This solution was tested using the following software and hardware versions:

• Check Point NG™ R55.

Server Configuration

• Domain controller on 2003 server with the following components:
  • eToken Management System (TMS) version 1.1
  • eToken OTP connector
  • Microsoft IAS server with OTP plug-in version 1.0
• eToken NG with RTE 3.60

Prerequisites

In the testing lab it is assumed that the following settings are configured:

• IAS is configured as described in Chapter 9.
• The OTP plug-in is installed on top of the IAS server. For more information on how to install the OTP plug-in, refer to the eToken OTP Authentication Admin Guide.
• An eToken NG OTP is enrolled with an OTP seed for a domain user. For details on how to enroll a user with eToken NG OTP capabilities, refer to the eToken OTP Authentication Admin Guide.

Check Point Configuration with Active Directory

To configure the LDAP account unit:

1 Log in to the Check Point Policy Editor.
2 Go to Policy menu > Global Properties.
3 From the LDAP Account Management branch, select Use LDAP Account Management as displayed:
4 Click OK.
5 In the SmartDashboard Manage menu, select Servers.
Right-click LDAP Account Unit and select New LDAP Account Unit from the displayed menu. The LDAP Account Unit Properties dialog is displayed:
6 In the General tab, configure the following parameters:
  Name: Enter a descriptive name.
  In the Account Unit usage area, select both the CRL retrieval and User management checkboxes.
  Set the Profile type to Microsoft_AD.
7 Click the Servers tab. The following dialog is displayed:
8 Click Add to add your server. The LDAP Server Properties dialog is displayed.
9 Set all the necessary parameters, including:
  Host: Your LDAP server (if you have a separate A.D. server, create an object for it and select that object as the host).
  Login DN: cn=administrator,cn=users,dc=farida,dc=com
10 Enter the administrator's password in the designated fields.
11 Set the relevant permissions (Read data and/or Write data), as displayed.
12 Click the Encryption tab. The following dialog is displayed:
13 Select the Use SSL checkbox. Click Fetch and set Min/Max Encryption Strength to Strong for Min and Strong for Max, as displayed.
14 Click OK. The Servers tab of the LDAP Account Unit Properties dialog is redisplayed.
15 Set the Early Version Compatibility (in the Servers tab).
16 Click the Objects Management tab. Select your A.D. object from the Manage objects on dropdown list and then click Fetch branches to fetch the Active Directory branches. The branches should be seen in the Branches in use area as displayed.

Note: Additional branches must be added manually. If additional OUs were created on the A.D., their LDAP names should be added manually in order to fetch their content to FW-1. For PKI authentication, it is recommended to add the LDAP name of the CRL for CRL checking during PKI authentication.
17 Click the Authentication tab. Select all the checkboxes in the Allowed authentication schemes area, and select the Use user template checkbox, as displayed:
18 In the Tree pane of Check Point SmartDashboard, click the Users tab and expand the objects tree. Double-click the account name entry and verify that all AD accounts are fetched in the object list section as displayed:

Note: In the preceding screen shot, the first red rectangle represents the default branches that are fetched from the Active Directory. The CDP red rectangle is added manually to the account unit for CRL checking during PKI authentication between FW-1 and IIS.

Define External Group

To utilize Active Directory for authenticating your remote users, you must first create an External Group, as follows.

1 Launch the SmartDashboard GUI and click the Users icon. To see the users, make sure you have the Objects Tree and Objects List open (these can be opened by clicking the View menu and selecting the corresponding options).
2 A branch entitled LDAP Groups is displayed in the Tree pane.
3 Right-click LDAP Groups and select New LDAP Group from the popup menu. Set the properties, as displayed:
4 Enter a descriptive name (in this example MS_AD), select the relevant account unit, and select the group's scope (this should be the Account Unit you already created).

Note: Group Scope: Notice that in the above dialog, All Account-Unit's Users is selected. This means that a user that exists anywhere in the Active Directory database can authenticate.

5 Click OK to save the new setting.
6 Open your VPN-1 Gateway object. Click the Authentication branch and enable the appropriate authentication schemes. Select the RADIUS checkbox as displayed:
7 Click OK to apply the setting.
8 Select the SmartDirectory (LDAP) branch, as displayed (or, in older versions of Check Point, click the LDAP Account Manager branch):
9 Select the Display list of distinguished names (DNs) for matching UIDs on login checkbox. In the Account Units Query group, select Selected Account Unit list. A new dialog is displayed.
10 Click Add to add the predefined account unit, as displayed:
11 Click OK to save the new setting.

RADIUS Object Configuration

In order to enable user authentication using the RADIUS protocol, a RADIUS object should be defined so that FW-1 is able to communicate with the IAS server located on the domain controller during the user authentication session.

To configure a RADIUS object:

1 In the Tree pane of the SmartDashboard, expand Servers and OPSEC Applications and select the RADIUS branch. Right-click and select New RADIUS, as displayed:
2 The RADIUS Server Properties dialog is displayed:
3 Enter a name for the RADIUS object, and select the host that represents the server or create a new object.
4 Enter the Shared Secret that was defined on the IAS and leave the other default parameters as displayed:
5 Click OK to save the settings.

Template Adjustment to Support RADIUS Authentication

It is important to set the properties for your template correctly. This template holds user properties such as encryption and password method. In this section, the default template is used (it is possible to have multiple templates). This section describes some of the properties of the template and also the properties of a user linked to that template. In this example, the template was tied to the LDAP Account Unit.
1 In the Tree pane, expand Users and Templates, and then select Default as displayed:
2 Double-click Default to open the User Template Properties – Default dialog and select the Authentication tab as displayed:
3 From the Authentication Schemes dropdown list, select RADIUS. Then, select the RADIUS server object from the Select a RADIUS Server or Group of Servers dropdown list as displayed:
4 Click OK to save the new settings.

SecureClient Configuration with OTP

This section describes how Check Point SecureClient is configured to support user authentication with OTP, to establish a VPN tunnel to the internal network and access protected resources. In general, the following major steps should be performed:

• Install SecureClient on the client machine and configure it with username and password authentication.
• Configure the FW-1 policy to support a SecureClient encrypted connection to the GW and afterwards access to the internal network.
• Configure an external user DB (Active Directory) with RADIUS authentication. (These settings have already been configured; for more information refer to Chapter 3.)

To set up FW-1 with SecureClient:

1 Log in to the Check Point Policy Editor.
2 Go to Policy menu > Global Properties.
3 Expand the Remote Access branch and select VPN - Basic. In the IKE over TCP area, select the Gateways support IKE over TCP checkbox as displayed:
4 Click OK to save the new settings.
5 In the Tree pane, expand the Check Point folder and select the gateway as displayed:
6 Double-click the gateway object. The Check Point Gateway Properties dialog is opened. Select General Properties in the Tree pane.
In the right pane, in the Check Point Products area, select both the SecureClient Policy Server and VPN checkboxes as displayed:

Note: Policy Server should be installed. SecureClient requires installation of the Policy Server that manages the desktop security policy.

7 In the Tree pane, click VPN. The VPN dialog is displayed:
8 Beneath the VPN communities list near the top of the dialog, click Add to add a community in which the gateway is to participate. The Add This Gateway To Community dialog is displayed:
9 Select RemoteAccess and click OK.
10 In the VPN dialog, the community area is updated as displayed:
11 In the Tree pane, click Authentication. In the Policy Server area, select a user group from the Users dropdown list. By default All Users is displayed:
12 Click OK to update the settings of the FW-1 object.
13 In the SmartDashboard, click the VPN Manager tab as displayed:
14 Double-click the RemoteAccess object. The Remote Access Community Properties dialog is displayed:
15 In the Tree pane, click Participating Gateways and verify that the FW-1 object is displayed on the right:
16 Select Participant User Groups. The following dialog is displayed:
17 Click Add. The Add Participant User Groups dialog is displayed:
18 Select one or more groups and click OK to update this section as displayed:
19 Click OK to update the Remote Access community.
20 Click the Desktop Security tab and add inbound and outbound rules as displayed:
21 Click the Security tab and define the following rule as displayed:
22 Double-click the VPN cell. The VPN Match Conditions dialog is opened. In the Match conditions area, select Only connections encrypted in specific VPN Communities as displayed:
23 Click Add.
The Add Community to rule dialog is opened. Select the RemoteAccess community as displayed:
24 Click OK to update the match condition and then click OK again to update the VPN cell.
25 Click the Install Policies button in the SmartDashboard toolbar to install the policy. The Install Policy dialog is displayed. In this case two policies are installed: one for the FW-1 policy and one for the desktop policy, as displayed:
26 Click OK.

To set up SecureClient for OTP:

1 Install SecuRemote/SecureClient version R56 (AI). Use the default installation settings, click Next where required, and reboot the computer.
2 After logging on to the computer, the SecureClient icon is displayed to the right of the System Tray:
3 Double-click the SecureClient icon. The VPN-1 SecureClient dialog is displayed, indicating that no site is defined and asking if you want to create a new site.
4 Click Yes. The Site Wizard dialog is displayed:
5 Type in the site name or IP address as displayed:
6 Click Next. The Authentication Method dialog is displayed:
7 Leave the default authentication method setting for username and password, and click Next.
8 The User Details dialog is displayed. Enter the username and the OTP password retrieved from the eToken NG as displayed:
9 Click Next. The Select Connectivity Setting dialog is displayed. Select the Advanced radio button as displayed:
10 Click Next. The Advanced Settings dialog is displayed. Select the Perform IKE over TCP option as displayed:
11 Click Next. A connection to the site is initiated. If the client successfully connects to the site, you are asked to approve the site certificate as displayed:
12 Click Next. The topology is updated on the client machine and the site is created.
13 Upon successful site creation, the Site Created Successfully dialog is displayed:
14 Click Finish. You are prompted to connect now if desired. Click Yes. The Check Point VPN-1 SecureClient Connection dialog is displayed:
15 Press the OTP generation button on the eToken NG-OTP. The eToken displays a random one-time password.
16 Enter the OTP password in the Password field and click Connect.
17 A connection is initiated and the Check Point VPN-1 SecureClient Connect Progress dialog is shown as displayed:
18 A connection success notification is displayed in the Check Point VPN-1 SecureClient Connect Progress dialog at the end of VPN tunnel construction, as displayed:

Check Point Clientless VPN Setup

This next solution illustrates how to configure the Check Point Connectra™ appliance with the Aladdin OTP solution. Connectra™ is a Web Security Gateway that provides both SSL VPN and integrated Web security. Connectra provides both Web-based and network-level access over SSL. Connectra is a gateway used by remote users to access resources on a corporate network. Through an integrated Connectra Web portal, users can access Web applications and resources, file shares, and email. The appliance can be located at the front end, where users access it directly, or located in the DMZ protected by a firewall. The latter configuration is considered more secure and is detailed in the following solution.

You must authenticate before you can be granted access to the Web portal. In the current integration, a remote user is required to authenticate using Aladdin's OTP solution based on the RADIUS protocol in order to access the Connectra Web portal. On the Web portal, you are able to grant access to resources based on the permissions of the group to which each user belongs. The drawing below illustrates the network topology that was utilized for testing.
This solution was tested using the following software and hardware versions:

• Check Point Connectra™ 1.0 build 603, supporting 50 concurrent connections.

Server Configuration

• Domain controller on 2003 server with the following components:
  • eToken Management System (TMS) version 1.1
  • eToken OTP connector
  • MS IAS server with OTP Authentication Module plug-in version 1.0
• eToken NG OTP and PKI Client (RTE) 3.60

Prerequisites

In the testing lab it is assumed that the following settings have been configured:

1 IAS is configured as described in Chapter 9.
2 The OTP plug-in is installed on top of the IAS server. For details on how to install the OTP plug-in, refer to the eToken OTP Authentication Admin Guide.
3 An eToken NG OTP is enrolled with an OTP seed for a domain user. For details on how to enroll a user with eToken NG OTP capabilities, refer to the eToken OTP Authentication Admin Guide.
4 OWA is installed and configured as described in Chapter 8.
5 Adjust the remote access policy in the IAS snap-in with the 'Class' attribute that returns the name of the group to which the authenticated user belongs in the Active Directory. Note: This should be identical to the RADIUS group defined on the Connectra.
6 Adjust the FW-1 policy to allow connections to/from Connectra according to the following table:

Rule  Source      Destination      Service     Action  Remarks
1     Admin Host  Connectra        HTTPS/4433  Accept  Administrator access
2     Any         Connectra        HTTPS       Accept  End user access to Connectra portal
3     Connectra   eXchange_Server  HTTPS       Accept  Connectra access to OWA 2003
4     Connectra   Radius_Server    Radius      Accept  Enable user authentication with RADIUS server
5     Connectra   DNS_Server       DNS         Accept  Name resolution by Connectra (optional)

To set up a remote access policy:

1 Access the IAS snap-in. In the Tree pane, click Remote Access Policy.
In the right pane, select Connection to other access servers, as displayed:
2 Double-click the policy. The <policy> Properties dialog is shown as displayed.
3 Select the Grant remote access permission radio button and click Edit Profile…. The Edit Dial-in Profile dialog is shown as displayed.
4 Under the Authentication tab, select only Unencrypted Authentication as displayed.
5 Select the Advanced tab as displayed.
6 Click Add. Select the Class attribute as displayed and click Add.
7 In the Attribute Information dialog, type the name of the group as defined on the Connectra as displayed:
8 This attribute is returned by IAS to the Connectra within the Access-Accept information. Its value assigns the user to a certain group.
9 Click OK to add the attribute as displayed:
10 Click OK to approve the setting on the remote access policy. Click OK again and restart the IAS to update the setting.

Check Point Connectra Setup

It is assumed that Connectra is configured using the built-in wizard. For more information on Connectra basic configuration, refer to the Check Point formal documentation. In order to set up the Web portal for remote users, perform the following steps:

• Define the authentication method on the Connectra as the RADIUS server.
• Define an external RADIUS group.
• Define a link to a protected resource. OWA 2003 is defined as an example.

To access Connectra as an administrator, enter the following URL: https://<Connectra_IP_Address>:4433 and provide a username and a password.

Radius Authentication Setup

To set up RADIUS authentication:

1 Access the Connectra Device Status dialog as displayed:
2 In the Tree pane, expand Users and Groups and then expand Authentication.
Select Radius Server as displayed:
3 Enter the following details, as displayed:
4 Click Apply to save the setting.

Setting a Connection to OWA

To define a URL resource (OWA) for an authorized group:

1 In the Tree pane, expand Applications and click Mail servers as displayed:
2 Click New and select Outlook Web Access from the dropdown list. The following dialog is displayed:
3 Enter a name for the URL resource, enter the host name or IP address, and select the SSL Port radio button. This informs Connectra that the connection to the Exchange server is over SSL.
4 Click Apply to save the setting. The following dialog is displayed:

External Group Definition

To define an external group:

1 In the Tree pane, expand Users and Groups and select User Groups as displayed:
2 Click New and select Radius Group from the dropdown list.
3 In the Group tab, enter the group name as displayed:
4 Click the Mail Server tab and select the predefined resource for that group by adding it to the right column as displayed:
5 Click Apply to save the setting as displayed:

Running the Solution

On the client station, you only need to start the HTTPS session to Connectra and authenticate twice: the first time you authenticate against the Connectra with a username and OTP password, and the second time you authenticate against OWA with a username and network password.

To access authorized resources:

1 Start an HTTPS or HTTP session to the external interface of the Connectra in one of the following forms: http(s)://<external_IP>/ or http(s)://<hostname>/
2 You are prompted to enter your username and password in the authentication form as displayed:
3 Press the OTP generation button on the eToken NG-OTP.
The eToken displays a random one-time password.
4 Enter your username and the generated OTP and click Sign In as displayed:
5 Upon successful authentication, the Connectra Portal dialog is displayed:
6 Click the OWA 2003 link to be redirected to OWA. The OWA authentication form is displayed. Enter Domain\user name and the domain password.
7 Click Continue to access your account as displayed:

Troubleshooting Tips

This section describes the logging that can be set up on Connectra when configuration problems occur during the integration.

To access the log view on Connectra:

1 In the Tree pane, expand Status and Logs, and then select Traffic Logs. The following view is displayed:
2 To adjust the log detail options, click Log Settings in the Tree pane, select the preferred log setting to be modified, and click Apply as displayed:

Chapter 6 Cisco

Cisco Traditional VPN Setup

This chapter describes how to configure the Concentrator to accept VPN connections from users with OTP password authentication. This solution was tested using the following software and hardware versions:

• Cisco Concentrator 3005 with software version 4.17.

Server Configuration

• Domain controller on 2003 server with the following components:
  • eToken Management System (TMS) version 1.1
  • eToken OTP connector
  • Microsoft IAS server with OTP plug-in version 1.0
• eToken NG with RTE 3.6

Prerequisites

In the testing lab it is assumed that the following settings have been configured:

• IAS is configured as described in Chapter 9.
• The OTP plug-in is installed on top of the IAS server. For more information on how to install the OTP plug-in, refer to the eToken OTP Authentication Admin Guide.
• An eToken NG OTP is enrolled with an OTP seed for a domain user. For details on how to enroll a user with eToken NG OTP capabilities, refer to the eToken OTP Authentication Admin Guide.

The following basic steps are performed to configure Cisco IPSec VPN:

1 Configure the IP address pool for VPN clients.
2 Configure an IKE proposal.
3 Configure the SA.
4 Set up a tunnel group to support IPSec.

To configure the IP address pool for VPN clients:

1 Expand Configuration | System | Address Management and select Assignment. In the main pane, select the Use Address Pools checkbox.
2 Click Apply.
3 The Address Management dialog is displayed. Click Pools to configure the VPN address pool.
4 Click Add to add an address pool.
5 Enter the IP address pool and click Add.
6 Click Save Needed in the upper right corner to save the changes.
7 Click OK to close the Save Successful dialog.

To configure the IKE proposal:

1 Expand Configuration > Tunneling and Security > IPSec and select IKE Proposals.
2 Select the predefined proposal CiscoVPNClient-3DES-MD5. Click Activate if it appears in the Inactive Proposals list.
3 Click Modify.
4 Make sure the Authentication Mode is set to Preshared Keys (XAUTH) and click Apply.

To configure the IPSec policy:

1 Expand Configuration > Policy Management > Traffic Management and select SAs. Select ESP-3DES-MD5.
2 Click Modify.
3 In the IKE Parameters area, select None (Use Preshared Keys) from the Digital Certificate dropdown list and select CiscoVPNClient-3DES-MD5 from the IKE Proposal dropdown list. Click Apply to set the changes.
4 Click Save Needed in the upper right corner to save the changes.
5 Click OK to close the Save Successful dialog.
To configure a tunnel group:

1 Expand Configuration > User Management and select Groups. Click Add Group to add a new group.
2 Enter the name OTP in the Group Name field and set a password (minimum 4 characters) in the Password field.
3 Click the IPSec tab.
4 Verify that the following parameters are set as shown: the IPSec SA attribute is set to ESP-3DES-MD5, the Tunnel Type attribute is Remote Access, and the Authentication attribute is RADIUS. Scroll down and click Apply.
5 Click Save Needed in the upper right corner to save the changes.
6 Click OK to close the Save Successful pop-up dialog.

Client Configuration

To install the VPN Client:

1 Open the Cisco VPN Client installation file. The Cisco Systems VPN Client Setup dialog is shown as displayed.
2 Click Next.
3 Click Yes to accept the license agreement.
4 Click Next and accept the destination folder.
5 Click Next and accept the name of the program folder.
6 Click Finish. The computer restarts to apply the installation.

Cisco Client Configuration

To configure the Cisco Client:

1 After logon, click Start > Programs > Cisco Systems VPN Client and run VPN Client.
2 Click New to create a new site.
3 Enter the following details:
  • Enter the name Concentrator in the Connection Entry field.
  • Enter the IP address of the Concentrator in the Host field.
  • Enter the group name OTP in the Name field.
  • Enter the group password in the Password and Confirm Password fields.
4 Click Save to save the VPN connection entry.
5 Run the solution.

To initiate a VPN tunnel:

1 Double-click the Concentrator connection entry.
2 The User Authentication dialog is displayed.
Enter a username in the Username field. Generate an OTP password and enter it in the Password field. Click OK to log in.
3 The VPN tunnel is successfully established.

Cisco Clientless VPN Setup

The Cisco VPN Concentrator is a virtual private network (VPN) platform. The role of the Concentrator is to allow access to the internal network in a secure manner. This solution was tested using the software and hardware versions below:

• Cisco Concentrator 3005 with software version 4.17.

Server Configuration

• Domain controller on 2003 server with the following components:
  • eToken Management System (TMS) version 1.1
  • eToken OTP connector
  • Microsoft IAS server with OTP plug-in version 1.0
• eToken NG with RTE 3.6
• OWA is installed and configured as described in Chapter 8.

Prerequisites

In the testing lab it is assumed that the following settings are configured:

• IAS is configured as described in Chapter 9.
• The OTP plug-in is installed on top of the IAS server. For more information on how to install the OTP plug-in, refer to the eToken OTP Authentication Admin Guide.
• An eToken NG OTP is enrolled with an OTP seed for a domain user. For instructions on how to enroll a user with eToken NG OTP capabilities, refer to the eToken OTP Authentication Admin Guide.

The Concentrator software version 4.1 introduces a feature called WebVPN. This feature allows a clientless VPN connection through an SSL tunnel. The WebVPN feature requires user authentication to establish an SSL tunnel that allows access to email accounts with Outlook Web Access (OWA). The IAS server is used as a RADIUS server for centralized authentication of users.
The following tasks are required for setup:
• Configuration of SSL VPN on the external interface
• Configuration of the RADIUS server
• RADIUS server authentication testing
• SSL connection to the Concentrator
• Running the solution
The setup requirements mentioned above are described in detail in the following sections.
Note: OWA 2003 is supported by Cisco Concentrator release 4.1.7.

Configuring SSL VPN on the External Interface
1 Log in to the Cisco Concentrator Web-based management.
2 The Main Menu dialog is displayed.
3 In the Tree pane, expand Configuration and select Interfaces.
4 Click Ethernet 2 (Public). The Configuring Ethernet Interface 2 (Public) dialog is displayed.
5 Click the WebVPN tab. The WebVPN Parameters dialog is displayed.
6 Select both the Allow WebVPN HTTPS sessions and Redirect HTTP to HTTPS checkboxes, and click Apply.
7 Click Save Needed in the upper right corner to save the changes.
8 In the Tree pane, expand Configuration | Tunneling and Security | WebVPN, and select Servers and URLs.
9 Click Add and enter the URL of the OWA.
10 Click Add to add the URL of the Outlook Web Access to the end user homepage.
11 Expand Configuration | User Management | Base Group. The General Parameters dialog is displayed.
12 Scroll down to the Tunneling Protocols attribute and select the WebVPN checkbox.
13 Scroll up and click the WebVPN tab. The WebVPN Parameters are displayed.
14 Select the Enable Outlook/Exchange Proxy checkbox, scroll down and click Apply.
15 Click Save Needed in the upper right corner to save the changes.

To configure the RADIUS server:
1 Expand Configuration | System | Servers and select Authentication.
2 Click Add to add the IAS as a RADIUS server.
3 Select RADIUS from the Server Type dropdown list, enter the IAS server IP address in the Authentication Server field, and click Apply.
4 Click Save Needed in the upper right corner to save the changes.

To test RADIUS server authentication:
1 Click the RADIUS server and click Test.
2 Enter the username and OTP password, and click OK.
3 The Success dialog is displayed. Click Continue.
Note: If the test fails, the Concentrator and the IAS are not configured properly.

To enable an SSL connection to the Concentrator:
1 Expand Administration | Certificate Management. The Certificate Management dialog is displayed.
2 Click Generate on the Public Interface to generate an SSL certificate.
3 Select the RSA Keysize and click Generate.
Note: By default, an SSL certificate is generated automatically for the Concentrator interfaces. This certificate is self-signed. The only parameter that can be modified is the RSA Keysize.

Running the WebVPN Solution
On the client side, open a Web browser and initiate an HTTPS session to the Concentrator. After a successful login to the Concentrator, the user homepage displays the link to the Outlook Web Access.
To access a personal email account with OWA:
1 Open a Web browser and start an HTTPS or HTTP session to the external interface of the Concentrator.
2 Click Yes to trust the certificate of the Concentrator. The Concentrator Login dialog is displayed.
3 Enter the Username and OTP Password, and click Login.
4 Click the Outlook Web Access link that you created.
5 Enter the Username and domain Password, and click Log On.
6 The Outlook Web Access is displayed.

Chapter 7 Microsoft
Microsoft Traditional VPN Setup
Microsoft Internet Security and Acceleration (ISA) Server 2004 is an advanced application-layer firewall, virtual private network (VPN), and Web cache solution that enables customers to maximize existing IT investments by improving network security and performance. To make Virtual Private Network (VPN) access to your internal network possible through Microsoft Internet Security and Acceleration Server 2004, you must configure the user accounts of the VPN clients, the access rules on the ISA Server computer, and a VPN connection on the client computer. To do so, you need to perform the following tasks:
• Configure the ISA Server computer as a VPN server
• Configure VPN client access
• Create a VPN access rule
• Verify the VPN network rule
• Configure a VPN connection
The setup tasks above are described in detail in the following sections (except for VPN connection configuration, which is described in the next chapter).
This chapter presents a solution in which the user authenticates to the ISA VPN server with a username and password to get access to the OWA server. To do so, you should have an Exchange server and an IIS server in your domain. In the demonstrated solution, forms-based authentication is implemented. This solution was tested using the following software and hardware versions:
• Microsoft ISA Server 2004 4.0.2161.50.
Server Configuration
• Domain controller on a 2003 server with the following components:
• eToken Management System (TMS) version 1.1
• eToken OTP connector
• Microsoft IAS server with OTP plug-in version 1.0
• eToken NG with RTE 3.6
Prerequisites
In the testing lab it is assumed that the following settings are configured:
• IAS is configured as described in Chapter 9.
• The OTP plug-in is installed on top of the IAS server. For more information on how to install the OTP plug-in, refer to the eToken OTP Authentication Admin Guide.
• An eToken NG OTP is enrolled with an OTP seed for a domain user. For instructions on how to enroll a user with eToken NG OTP capabilities, refer to the eToken OTP Authentication Admin Guide.

Configure the ISA Server as a VPN Server
By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components.
Perform the following steps to enable and configure the ISA Server 2004 VPN server:
1 Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click the Virtual Private Networks (VPN) node.
2 Click the Tasks tab in the Task pane. Click the Enable VPN Client Access link.
3 Click Apply to save the changes and update the firewall policy.
4 Click OK in the Apply New Configuration dialog.
5 Click the Configure VPN Client Access link. The VPN Clients Properties dialog is displayed.
6 In the General tab, change the value of Maximum number of VPN clients allowed from 5 to 10. Click the Groups tab. The ISA firewall needs to be a member of the Active Directory domain to have access to domain groups. Since we do not want to make the ISA firewall a member of the domain in this scenario, we do not need to add any groups on the Groups tab.
7 Click the Protocols tab.
In the Protocols tab, select the Enable L2TP/IPSec checkbox.
Note: You will need to issue a machine certificate to the ISA Server 2004 firewall/VPN server, and to the connecting VPN clients, before you can use L2TP/IPSec. Alternatively, you can use a pre-shared key for the IPSec security negotiations.
8 Click the User Mapping tab. Select the Enable User Mapping checkbox. Select the When username does not contain a domain, use this domain checkbox. Enter LAB in the Domain Name field.
Note: These settings only apply when using RADIUS authentication. They are ignored when using Windows authentication (such as when the ISA Server 2004 firewall machine belongs to the domain and you explicitly enter domain credentials).
9 Click Apply and then click OK. You may see a Microsoft Internet Security and Acceleration Server 2004 dialog informing you that you need to restart the computer for the settings to take effect. If so, click OK in the dialog.
10 In the console tree of the ISA Server Management, click Virtual Private Networks. On the Tasks tab, click the Select Access Networks link.
11 In the Virtual Private Networks (VPN) Properties dialog, click the Access Networks tab. Note that the External checkbox is selected. This indicates that the external interface is listening for incoming VPN client connections. You can choose other interfaces, such as DMZ or extranet interfaces, if you wish to provide dedicated VPN services to trusted hosts and networks.
12 Click the Address Assignment tab. Select Internal from the Use the following network to obtain DHCP, DNS and WINS services dropdown list. This is a critical setting, as it defines the network on which the DHCP server is reached.
Note: In this example a DHCP server on the internal network is used to assign addresses to VPN clients.
The DHCP server will not assign DHCP options to the VPN clients unless you install the DHCP Relay Agent on the ISA Server 2004 firewall/VPN server machine. You have the option to create a static pool of addresses to be assigned to the VPN clients. If you choose to use a static address pool, you will not be able to assign DHCP options to these hosts. Also, if you choose to use a static address pool, you should use an off-subnet network ID.
13 In the Address Assignment tab, select the Static address pool option.
14 In the Address Assignment tab, click Add. The IP Address Range Properties dialog is displayed.
15 Configure the IP address range as follows: in the Starting address field, enter the first IP address of the range that you want to assign to VPN clients. In the Ending address field, enter the last IP address of the range that you want to assign to VPN clients, and then click OK.
16 Click Advanced, click Use the following DNS server addresses, and then type the IP addresses of an internal primary DNS server and an internal backup DNS server (if one exists) in the corresponding boxes.
17 If you want to specify a Windows Internet Naming Service (WINS) server, click Use the following WINS server addresses, and then type the IP addresses of a primary WINS server and a backup WINS server in the corresponding boxes (not implemented in the current integration).
18 Click the Authentication tab. Note that the default setting is to enable only PAP.
19 Click the RADIUS tab to configure the ISA Server 2004 firewall/VPN server to use RADIUS to authenticate the VPN users against the IAS server that is using OTP authentication.
20 Select the Use RADIUS for authentication checkbox and then click RADIUS Servers… to define MS-IAS as the RADIUS server.
21 Click Add…. The Add RADIUS Server dialog is displayed. Enter the RADIUS server parameters.
22 Click OK. The RADIUS Server dialog is updated.
23 Click Apply in the Virtual Private Networks (VPN) Properties dialog and then click OK.
24 Click Apply to save the changes and update the firewall policy.
25 Click OK in the Apply New Configuration dialog.
26 Restart the ISA Server 2004 firewall machine.

Create an Access Rule Allowing VPN Clients Access to the Internal Network
The ISA Server 2004 firewall will be able to accept incoming VPN connections after the restart. However, the VPN clients cannot access any resources on the internal network because there are no Access Rules enabling this access. You must create an Access Rule that allows members of the VPN clients' network access to the internal network. In contrast to other combined firewall/VPN server solutions, the ISA Server 2004 firewall/VPN server applies access controls for network access to VPN clients.
In this example, you will create an Access Rule allowing all traffic to pass from the VPN clients network to the internal network. In a production environment you would create more restrictive access rules so that users on the VPN clients' network have access only to the resources they require.
To create an Access Rule that allows VPN clients unrestricted access to the Internal network:
1 In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Right-click the Firewall Policy node, point to New and click Access Rule.
2 In the Welcome to the New Access Rule Wizard dialog, enter a name for the rule in the Access rule name field.
In this example the rule is named Remote Access. Click Next.
3 In the Rule Action dialog, select the Allow option and click Next.
4 In the Protocols dialog, select All outbound protocols from the This rule applies to dropdown list. Click Next.
Note: You can control the protocols that the VPN clients use by modifying the access rule after you create it.
5 In the Access Rule Sources dialog, click Add.
6 In the Add Network Entities dialog, expand the Networks folder, double-click VPN Clients and then click Close.
7 In the Access Rule Sources dialog, click Next.
8 In the Access Rule Destinations dialog, click Add.
9 In the Add Network Entities dialog, expand the Networks folder, double-click Internal and then click Close.
10 In the Access Rule Destinations dialog, click Next.
11 In the User Sets dialog, accept the default setting, All Users, and click Next.
12 In the Completing the New Access Rule Wizard dialog, click Finish.
13 The Microsoft Internet Security & Acceleration Server 2004 page is displayed.
14 Click Apply to save the changes and update the firewall policy.
15 The Apply New Configuration dialog is displayed.
16 Click OK. The VPN client policy is now at the top of the Access Policy list.

Create New User Set
Note: If you do not have a user set created, click New, and then follow the steps in the New User Set Wizard to create a user set for the individual VPN users or for a group that contains your VPN users.
To create a user set:
1 In the New User Set Wizard, click Add.
2 Select RADIUS. The Add User dialog is displayed.
3 Select the All Users in Namespace option and click OK. The Users dialog is updated.
4 Click Next, and then click Finish in the next dialog to close the New User Set Wizard.
5 The Add Users dialog is updated with the new group.
6 Click Add to add the group to the access rule.
7 Click Next, and then click Finish to close the access rule wizard.
8 Click Apply to update the firewall policy, and then click OK.
Note: You may have to modify the order in which your rules appear so that an earlier rule does not prevent this rule from being applied. To move this access rule up, right-click the rule, and then click Move Up. When you have finished changing the order of your firewall policy rules, click Apply to update the firewall policy, and then click OK.

Enabling Dial-in Access for the Administrator Account
In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per-account basis for these non-native mode Active Directory domains. In contrast, native mode Active Directory domains have dial-in access controlled by Remote Access Policy by default. In the example herein, the Active Directory is in Windows Server 2003 mixed mode, therefore you need to manually change the dial-in settings on the domain user account.
To enable dial-in access for the Administrator account:
1 Click Start and point to Administrative Tools. Click Active Directory Users and Computers.
2 In the Active Directory Users and Computers console, click the Users node in the left pane. Double-click the Administrator account in the right pane of the console.
3 Click the Dial-in tab. In the Remote Access Permission (Dial-in or VPN) frame, select the Allow access option.
Click Apply and click OK.
4 Close the Active Directory Users and Computers console.
Note: If you receive a message prompting you to restart the PC in order for these settings to take effect, you must restart the ISA Server computer and then continue with the configuration.
The ISA Server 2004 VPN server is now ready to accept VPN client connections.
To test the VPN server:
1 On the Windows 2000 external client machine, right-click the My Network Places icon on the desktop and click Properties.
2 Double-click the Make New Connection icon in the Network and Dial-up Connections dialog.
3 Click Next in the Welcome to the Network Connection Wizard dialog.
4 In the Network Connection Type dialog, select the Connect to a private network through the Internet option and click Next.
5 Select Virtual Private Network connection and click Next.
6 Enter the Company Name and click Next.
7 In the Destination Address dialog, enter the IP address 192.168.1.70 in the Host name or IP address field. Click Next.
8 In the Connection Availability dialog, select the For all users option and click Next.
9 Make no changes in the Internet Connection Sharing dialog and click Next.
10 In the Completing the Network Connection Wizard dialog, enter a name for the VPN connection in the Type the name you want to use for this connection field. In this example, the connection is called Remote Access.
11 Confirm that the Add a shortcut to my desktop checkbox is selected. Click Finish.
12 In the Network Connections dialog, right-click the newly defined entry and select Properties.
13 Click the Security tab.
14 Select Advanced as the security option and click Settings.
In the Allow these Protocols area, select the Unencrypted password (PAP) checkbox.
15 Click OK and confirm the settings.

Running the VPN Connection
To run the VPN connection:
1 In the Connect Remote Access dialog, enter the username LAB\administrator and the eToken NG OTP value (generated by clicking the eToken NG hardware button) for the administrator user account.
2 Click Connect. The user is authenticated and connected.
3 Click the Details tab.

Chapter 8 OWA Settings
Outlook Web Access (OWA for short) is one of Exchange Server's best features, allowing you to connect to your corporate mailbox from virtually any spot on earth as long as you have an Internet connection and a decent Web browser. OWA transmits traffic to and from the Web browser in HTTP (based on TCP, port 80) and in clear text, meaning that anyone could potentially "listen" to your session and grab frames and valuable information from the network. To secure the transmission of information between Exchange Server 2003 and Outlook Web Access clients, you can encrypt the information being transmitted by using SSL (Secure Sockets Layer).

Configuring SSL
You can configure SSL for Outlook Web Access on Exchange Server 2003 in order to encrypt sensitive information.
Note: Although the screenshots were made with Exchange 2003 on Windows Server 2003, the same procedure applies to Exchange 2000 and Windows 2000.
Note: If you already have valid certificates for your website, skip this phase and continue with the next one.
To configure SSL for OWA:
1 Click Start > All Programs > Administrative Tools, and then click Internet Information Services (IIS) Manager.
2 In the Internet Services Manager console tree, expand SERVERNAME (your local computer), and then expand Web Sites.
3 In the console tree, right-click Default Web Site and select Properties from the popup menu.
4 In the Default Web Site Properties dialog, click the Directory Security tab.
5 In the Directory Security tab, click Server Certificate.
6 In the Welcome to the Web Server Certificate Wizard dialog, click Next.
7 In the Server Certificate dialog, select Create a new certificate, and then click Next.
8 In the Delayed or Immediate Request dialog, select Send the request immediately to an online certification authority, and then click Next.
Note: If you don't have a Certificate Authority (CA) installed on your server or on a different server on the network, you can prepare the request but you will need to send it to the CA manually.
9 In the Name and Security Settings dialog, enter the relevant domain name, for example yourservername.domainname.com, in the Name field. (Use your own registered domain name, the one you want people to use when browsing to your site.) Then click Next.
Note: Internet use: You must make sure that either the Name or the Common Name field (one of them or both) exactly matches the external FQDN of the website. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, but it will host a website that requires you to enter WWW.ALADDIN.COM to reach it, you must use WWW.ALADDIN.COM as the Name or Common Name in the certificate request wizard, and DO NOT use SERVER1.MYINTERNALDOM.LOCAL.
Note: Intranet use: For intranet-only purposes you can use the internal FQDN of the server, or even just its NetBIOS name.
For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, you can use SERVER1.MYINTERNALDOM.LOCAL or just SERVER1 for the Name or Common Name fields. You can also optionally change the Bit Length of the encryption key.
10 In the Organization Information dialog, enter your own company name in the Organization field. In the Organizational Unit field, enter a descriptive name and then click Next.
11 In the Your Site's Common Name dialog, enter yourservername.domainname.com in the Common name field and then click Next.
12 In the Geographical Information dialog, enter the required information in the State/province field, and then click Next.
13 In the SSL Port dialog, verify that 443 is specified in the SSL port this web site should use field, and then click Next.
14 In the Choose a Certification Authority dialog, verify that your online CA is selected in the Certification Authorities field, and then click Next.
15 In the Certificate Request Submission dialog, click Next to submit the request, and then click Finish to complete the wizard.

Using a Certificate to Access OWA Securely
The OWA Web site supports SSL connections as soon as the certificate is bound to the site. Perform the following steps to force an SSL connection to the OWA Web site directory.
To access OWA using a certificate:
1 In the Internet Services Manager console tree, expand SERVERNAME (your local computer), expand Web Sites, and then expand Default Web Site.
2 In the console tree, right-click the Exchange virtual directory, and then click Properties.
3 In the Default Web Site Properties dialog, in the Directory Security tab, click Edit in the Secure communications area.
Note: If Edit is grayed out, you did not successfully install a certificate for the Default Web Site.
4 In the Secure Communications dialog, select both the Require secure channel (SSL) and Require 128-bit encryption checkboxes, and then click OK to enable SSL. You may want to restart the World Wide Web Publishing service, although generally this is not required.
5 Close Internet Information Services (IIS) Manager.

How to Configure Forms-Based Authentication in OWA
Exchange Server 2003 has greatly improved the Outlook Web Access experience compared to older Exchange versions. Besides the new GUI, spell-checking in different languages, drag-and-drop features, S/MIME and more, Exchange Server 2003 has added a new logon method that can be used with OWA. Instead of a plain username and password prompt, OWA displays a new, attractive logon dialog that enables you to select various options when configured with Forms-Based Authentication (FBA).
Note: Currently eToken OTP Authentication 1.0 does not support ISA FW web publishing. This feature will only be supported in 2006, after Microsoft releases a hotfix to support OTP functionality in the RADIUS protocol.

Configuring Forms-Based Authentication
After configuring SSL on the OWA site, you need to enable Forms-Based Authentication on the HTTP Virtual Server in Exchange System Manager.
To configure Forms-Based Authentication in OWA on Exchange Server 2003:
1 Open the Exchange System Manager.
2 Navigate to your server object.
3 Expand your server object, and expand Protocols.
4 Expand HTTP.
5 Right-click the Exchange Virtual Server and select Properties.
6 In the Settings tab of the Exchange Virtual Server Properties dialog, select the Enable Forms Based Authentication checkbox.
7 Click OK, and then click OK again to dismiss the warning message that is displayed.
8 Restart the IIS services either from the Services snap-in or from the IIS Admin snap-in.

Client-side Configuration
There is no client-side configuration required. Point your client's Web browser to the same URL you used before, but instead of using HTTP, use HTTPS.
Now that Forms-Based Authentication is enabled, you need to enter your username and password in the provided fields on the OWA Logon dialog.
Note: You must enter your username in the format DOMAIN\USERNAME in order to log on.

Chapter 9 IAS Settings
If you have not already installed IAS to handle VPN access, you must install the Internet Authentication Service on a Windows server that will act as a RADIUS server. You can use domain controllers for this function, or install IAS on more than one server to act as a backup. Once you have decided which server or servers will host IAS, open the Control Panel's Add or Remove Programs applet on that server and click the Add/Remove Windows Components icon. Once the Windows Components Wizard is opened, scroll down the list of components, select Network Services, and click Options. Select the IAS component, click OK and click Next to install (you will probably be asked for the installation CD).
The installation creates a shortcut in Administrative Tools to an Internet Authentication Service console. Open this shortcut. Following this, you must allow the new RADIUS server access to user dial-up properties in Active Directory. Click Action, then Register Server in Active Directory, and finish by clicking OK in the dialogs that appear. This process adds the server to the RAS and IAS Servers group in the domain.
If you installed IAS on a domain controller, this step wasn't strictly necessary, but it does no harm. If you have multiple domains, you should include your server in the RAS and IAS Servers group of each domain for which it will need to access user details.

Configuring RADIUS Clients in IAS
A RADIUS client is typically a dial-in server, VPN server or wireless access point that sends user credentials and other connection details to a RADIUS server. IAS needs to know which RADIUS clients it is allowed to talk to. Therefore the ISA Server (the RADIUS client in this integration) needs to be included in the IAS RADIUS Clients section.
To add a RADIUS client:
1 Click RADIUS Clients in the Tree pane of the Internet Authentication Service console. Then right-click in the right pane (or use the Action menu) and select New RADIUS Client. The New RADIUS Client wizard is displayed.
2 In the Name and Address dialog, enter a friendly name (Firewall has been used in this example) and the ISA Server's internal network IP address. Click Next. The Additional Information dialog is displayed.
3 In the Additional Information dialog, select Microsoft from the Client-Vendor dropdown list, and define the following additional parameters:
• Shared secret: Enter a password known to both the RADIUS client and the RADIUS server. This is used in an encryption process to obscure certain details in RADIUS messages, such as user passwords.
• Request must contain the Message Authenticator attribute: Select this option to require the client to calculate a 'hash' of its RADIUS message contents using the shared secret, and include it in that message. The RADIUS/IAS server can compare this hash with one it produces of the same message to ensure the contents have not been tampered with and came from a known source. This security only applies to messages between the RADIUS client and the RADIUS server.
The communications across a public network between the Web client and the NAS server (our RADIUS client) are, in this scenario, secured using SSL (HTTPS) or IPSec.
The configuration of the RADIUS clients in IAS is complete. If you need to change any settings for this client, you can do so through its properties.

Configuring Remote Access Policies in IAS
A Remote Access Policy determines who is granted access and who is not. The policy conditions are best kept isolated within each policy.
To configure remote access policies:
1 In the IAS console, select Remote Access Policies in the Tree pane. Some default deny rules are displayed (this example is from Windows 2003).
2 Right-click (or open the Action menu), and select New Remote Access Policy. The New Remote Access Policy Wizard is displayed.
3 Click Next in the Welcome dialog.
4 In the Policy Configuration Method dialog, select Set up a custom policy and enter a policy name. Then click Next.
5 In the Policy Conditions dialog, click Add. Select the Authentication-Type attribute type and click Add.
6 In the Authentication-Type dialog, select PAP in the Available types list and click Add. PAP is moved to the Selected types list. Then click OK.
Note: The NAS only uses PAP and unencrypted RADIUS messages in its RADIUS authentication method for Web access. This is not recommended for any other form of RADIUS authentication, which is why this policy is kept isolated. Apart from the small chance of configuring a VPN that could potentially use this policy, with dire consequences, PAP is suitable for Web access authentication because the remote client uses HTTP over SSL (HTTPS) to keep passwords safe and data encrypted over the public network.
Note: When using the third OTP mode (which is not described in this integration guide), where two-factor authentication is based on a second password (the OTP PIN) managed through the OTP TMS connector, enter your username in the User Name field and the OTP + OTP PIN in the Password field, either on the URL for Clientless VPN or in the client login dialog if using traditional VPN. It is then possible to select MS-CHAP.

7. In the Policy Conditions dialog, click Add again. This time select NAS-IP-Address from the list of attribute types and click Add. Enter the IP address of the ISA Server as displayed.

8. Repeat the step and select the Windows-Groups attribute type. The dialog requires a Windows security group (add a group using the Add button). In the displayed dialog the Domain Users group has been added, but you can use another, more restrictive group.

9. In the Policy Conditions dialog, the following conditions are displayed:

The policy conditions configured so far should ensure that only the ISA Server can send RADIUS authentication requests that fit this policy; any other RADIUS client you may configure will not match the IP address. However, as previously mentioned, if the ISA Server is also a VPN or dial-in server, you must configure it correctly to avoid a VPN client using PAP and plain-text passwords across the public network.

10. Click Next. In the Permissions dialog, select Grant remote access permission and then click Next. The wizard's Profile dialog is displayed.

The policy conditions configured above determine the criteria for matching a RADIUS authentication request with this policy. The profile determines the connection parameters this policy enforces if the policy conditions match.

Hint: To view the attributes available for use in policy conditions, enable logging of authentication requests in the System Event Log.
This is done from the IAS property dialogs, accessed by right-clicking Internet Authentication Service (Local) in the IAS console.

11. To enable the new Remote Access Policy, in the IAS console, select Remote Access Policies in the Tree pane. The new policy is listed in the right pane.

12. Right-click the new policy and click Properties.

13. The Web access RADIUS authentication Properties dialog is displayed. Click Edit Profile to open the Edit Dial-in Profile dialog.

14. To ensure that any matching rogue RADIUS requests requiring encryption are rejected by this particular policy, select the Authentication tab and clear all of the checkboxes except Unencrypted authentication (PAP, SPAP), which should remain selected. The policy conditions specified PAP only, so additional checks are not required here.

15. Select the Encryption tab. Clear all of the checkboxes except No Encryption, which should remain selected. Click OK.

16. Click No in the pop-up window. When you return to the Profile dialog of the wizard, click Next and then click Finish in the final dialog of the wizard.

Should you need to check or edit the policy you have just created, all the options you have just configured are available in the Properties dialog for the policy.
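A small model of how IAS applies the policy built in the steps above, added here as a Python example that is not part of the Aladdin guide: policies are evaluated in order, the first policy whose conditions (Authentication-Type, NAS-IP-Address, Windows-Groups) all match is applied, its profile then decides whether the connection is accepted, and a request that matches no policy is denied. The policy name, the ISA Server address (192.0.2.10), the second NAS address, and the user and group names are constructed sample values; the default deny rule is simplified to match everything.

```python
"""Added example, not from the Aladdin guide: first-match evaluation of IAS Remote
Access Policies, showing why the conditions of the PAP policy isolate it.

The policy name, the ISA Server address (192.0.2.10) and the users and groups are
constructed sample values; the default deny rule is simplified to match everything.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set

PAP, MSCHAP = "PAP", "MS-CHAP"   # Authentication-Type values as IAS displays them


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]   # Windows groups the account belongs to
    nas_ip: str              # NAS-IP-Address attribute of the RADIUS request
    auth_type: str           # Authentication-Type attribute of the RADIUS request


@dataclass
class Policy:
    name: str
    grant: bool                                   # Permissions dialog (step 10)
    auth_types: Optional[Set[str]] = None         # Authentication-Type condition (step 6)
    nas_ip: Optional[str] = None                  # NAS-IP-Address condition (step 7)
    windows_groups: Optional[Set[str]] = None     # Windows-Groups condition (step 8)
    profile_auth: Set[str] = field(default_factory=set)  # profile Authentication tab (step 14)

    def matches(self, req: Request) -> bool:
        """Every configured condition must hold; an unset condition matches anything."""
        if self.auth_types is not None and req.auth_type not in self.auth_types:
            return False
        if self.nas_ip is not None and req.nas_ip != self.nas_ip:
            return False
        if self.windows_groups is not None and not (self.windows_groups & req.groups):
            return False
        return True


def evaluate(policies: List[Policy], req: Request) -> str:
    """First matching policy wins; later policies are never consulted."""
    for p in policies:
        if p.matches(req):
            if not p.grant:
                return f"denied ({p.name})"
            if req.auth_type not in p.profile_auth:
                return f"rejected by profile ({p.name})"
            return f"granted ({p.name})"
    return "denied (no matching policy)"


ISA_SERVER = "192.0.2.10"   # constructed: the only RADIUS client meant to use the policy

WEB_ACCESS_POLICY = Policy(
    name="Web access RADIUS authentication",
    grant=True,
    auth_types={PAP},
    nas_ip=ISA_SERVER,
    windows_groups={"Domain Users"},
    profile_auth={PAP},   # only 'Unencrypted authentication (PAP, SPAP)' left selected
)
# Simplified stand-in for the default deny rules IAS displays in step 1.
DEFAULT_DENY = Policy(name="default deny rule", grant=False)
POLICIES = [WEB_ACCESS_POLICY, DEFAULT_DENY]

if __name__ == "__main__":
    for req in (
        Request("alice", frozenset({"Domain Users"}), ISA_SERVER, PAP),
        Request("alice", frozenset({"Domain Users"}), "198.51.100.7", PAP),  # another NAS
        Request("alice", frozenset({"Domain Users"}), ISA_SERVER, MSCHAP),    # not PAP
        Request("guest", frozenset({"Guests"}), ISA_SERVER, PAP),            # not in group
    ):
        print(req.nas_ip, req.auth_type, req.user, "->", evaluate(POLICIES, req))
```

Only the first request is granted; the other three fall through to the deny rule because one condition fails, which is the isolation the guide describes. The `rejected by profile` outcome is what step 14 guards against for a policy whose conditions are looser than this one.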
