Authlogics, 12th Floor, Ocean House, The Ring, Bracknell, Berkshire, RG12 1AX, United Kingdom UK Tel: +44 1344 568 900 US Tel: +1 857 214 2174 email: [email protected] web: http://authlogics.com/
Authlogics Forefront TMG
and UAG Agent Integration
Guide With PINgrid, PINphrase & PINpass Technology
Product Version: 3.0.6230.0
Publication date: January 2017
Page 1
Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organisations, products, domain names, e-mail addresses, logos, people,
places and events depicted herein are fictitious, and no association with any real company, organisation, product, domain
name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user.
Authlogics may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written licence agreement from Authlogics, the
furnishing of this document does not give you any licence to these patents, trademarks, copyrights, or other intellectual
property.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
The information contained in this document represents the current view of Authlogics on the issues discussed as of the
date of publication. Because Authlogics must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Authlogics, and Authlogics cannot guarantee the accuracy of any information presented after
the date of publication.
This document is for informational purposes only. AUTHLOGICS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
Document.
Copyright © 2017 Authlogics. All rights reserved.
Table of Contents
Introduction ............................................................................................................................................ 3
Considerations .................................................................................................................................... 3
Requirements .................................................................................................................................. 3
Language Requirements ................................................................................................................. 3
Licensing .............................................................................................................................................. 4
Design and Deployment Scenarios ......................................................................................................... 5
TMG High Availability .......................................................................................................................... 5
UAG High Availability .......................................................................................................................... 5
Deployment ............................................................................................................................................ 6
Overview ............................................................................................................................................. 6
Installing/Removing the Authlogics Windows Desktop Logon Agent................................................. 6
Running an installation ................................................................................................................... 6
Running a removal .......................................................................................................................... 8
Authlogics Configuration on UAG 2010 ................................................................................................ 10
Add an AuthCentral Authentication repository ................................................................................ 10
Configure a UAG Trunk to use AuthCentral ...................................................................................... 12
Adding the Authlogics Services to a UAG Trunk ............................................................................... 18
Active Directory KCD Configuration .............................................................................................. 18
Publishing the Self Service Portal .................................................................................................. 20
Configure the UAG Login page for 2FA only ..................................................................................... 26
Authlogics Configuration on TMG 2010 ................................................................................................ 27
Configuring RADIUS........................................................................................................................... 27
Configure a Web Listener for AuthCentral ....................................................................................... 30
Web Publish the AuthCentral Token Providers ................................................................................ 31
Adding strong authentication to a publishing rule ........................................................................... 36
Active Directory KCD Configuration .............................................................................................. 37
Introduction
Authlogics Authentication Server is a multi-factor authentication system which provides:
• Token and token-less multi-factor authentication.
• Award-winning transaction signing / verification technology.
• Self-service password reset and unlocking.
• Web Service API and RADIUS interfaces for connectivity.
• Authentication technologies:
  o PINgrid Pattern Based Authentication.
  o PINphrase Random Character Authentication.
  o PINpass OATH (TOTP) Compliant Authentication.
Integrating Authlogics with Forefront TMG 2010 or UAG 2010 is an ideal way to add strong
authentication at the gateway level to VPN connections and published web applications such as
Exchange Outlook Web Access and SharePoint. The Authlogics Forefront TMG and UAG Agent
includes pre-customised logon forms for Outlook Web Access and generic web sites.
Considerations
Requirements
An Authlogics 3.0 server must be deployed and functional prior to installing the Authlogics Forefront
TMG and UAG Agent.
Language Requirements
Authlogics Forefront TMG and UAG Agent is only available in English. Product support and
documentation is only available in English.
Licensing
Authlogics Forefront TMG and UAG Agent is free of charge; however, it may only be used with a
correctly licenced Authlogics Authentication Server.
Note
For detailed information on the licence types please refer to the licence
agreement document embedded within the installation package.
Design and Deployment Scenarios
The Authlogics Forefront TMG Agent has been designed to communicate with the Authlogics
Authentication Server via RADIUS. 1.5 factor challenges are reverse proxied over HTTPS via TMG to
the Authlogics Authentication Server.
The Authlogics Forefront UAG Agent has been designed to communicate with the Authlogics
Authentication Server via Web Services only.
TMG High Availability
In a high availability scenario, assuming at least 2 Authlogics Authentication Servers and 2 TMG
servers, the Authlogics Authentication Server can be configured to use Windows Network Load
Balancing and TMG should use the NLB virtual IP for the RADIUS server. When web publishing the
authentication challenge URLs, TMG can also utilise Web Farm Load Balancing instead of NLB;
however, NLB is still required for the RADIUS traffic.
UAG High Availability
In a high availability scenario, assuming at least 2 AuthCentral and 2 UAG servers, the Authlogics
Authentication Server can be configured to use Windows Network Load Balancing for TCP port
14000. A DNS entry should be created to resolve to the NLB IP address and UAG should use the DNS
name for the virtual IP. When publishing the Self Service Portal, UAG can also utilise Web Farm Load
Balancing instead of NLB; however, NLB is still required for the authentication traffic.
Deployment
The following deployment overview walks through the installation process for deploying the
Authlogics Forefront TMG and UAG Agent.
Overview
This deployment section assumes that at least one Authlogics Authentication Server has already
been installed and is functional. See the Authlogics Authentication Server Installation and
Configuration guide for further information on setting up the Authlogics Authentication Server. In
addition, Authlogics user accounts should already be configured for users.
(1) Install the Authlogics Forefront TMG and UAG Agent on a TMG / UAG system.
(2) Configure Microsoft Forefront TMG / UAG 2010 to utilise Winfrasoft AuthCentral multi-factor authentication.
(3) Test user logins.
Installing/Removing the Authlogics Windows Desktop Logon Agent
Running an installation
(1) To start the Authlogics Forefront TMG and UAG Agent installation, run the Authlogics Forefront TMG and UAG Agent xxxxx.exe installer with elevated privileges.
(2) Click Next to continue.
(3) After reading the licence agreement click I accept the terms in the Licence Agreement if you agree to the terms, then click Next to continue.
(4) Select the Complete setup type and select Next to continue.
(5) Click Next to continue.
The installation is being performed.
(6) All necessary files have been installed. Click Finish to complete the installation process.
The Microsoft Forefront TMG Firewall service MUST be restarted after installation on a TMG
Server as TMG only reads custom logon forms into memory during the service start up.
Running a removal
Uninstalling the Authlogics Forefront TMG and UAG Agent does NOT remove the metadata from
user accounts in the Active Directory.
If you no longer require Authlogics Forefront TMG and UAG Agent on a server, you can remove it by
performing an uninstall as follows:
(1) To start the Authlogics Forefront TMG and UAG Agent un-installation, execute the Authlogics Forefront TMG and UAG Agent xxxxx.exe installer or use the Uninstall or
change a program option in Control Panel and click Remove.
(2) Select Uninstall. Click Next to continue.
(3) Click Next to continue.
(4) The Authlogics uninstall will remove configured components.
(5) Click Finish to complete the uninstall process.
Authlogics Configuration on UAG 2010
The Microsoft Forefront UAG 2010 server will require additional configuration for use with the
Authlogics Forefront UAG Agent. This section should only be followed after the Authlogics Forefront
UAG Agent has been installed on the UAG server.
Add an AuthCentral Authentication repository
(1) Start the Microsoft UAG 2010 Management Console.
(2) Click Admin - Authentication and Authorization Servers…
(3) Click Add…
(4) Select Other from the Server type drop down list. Enter either “PINgrid”, “PINphrase” or “PINpass” (one word) in the Server name box. Check the Use a different server for portal application authorization box and select the existing Active Directory repository from the dropdown list. Click OK.
(5) To add multiple authentication technologies repeat from step 3, otherwise Click Close.
Configure a UAG Trunk to use AuthCentral
Each trunk must be configured specifically for use with Authlogics.
(1) Start the Microsoft UAG 2010 Management Console.
(2) Select the trunk to configure for use with Authlogics. Click Configure…
(3) Select the Authentication tab.
Note
The URLs used in this section are listed in the file
C:\Program Files\Authlogics Forefront TMG and UAG Agent\readmeUAG.txt
It is highly recommended that the URLs are copied and pasted from the readmeUAG.txt file
instead of manually typed, for speed and accuracy.
This section must be repeated for every Trunk that will use Authlogics.
(4) In the “Require users to authenticate as session logon” section:
a. Under Select authentication servers, add the required Authlogics technology repository, i.e. PINgrid, PINphrase or PINpass.
b. Optional: Remove the previous authentication server from the list to only use Authlogics for authentication.
c. Select “Users authenticate to each server”.
d. Update the User login page entry with the login page for the chosen technology:
   CustomUpdate/AuthlogicsPinGridLogin.asp
   CustomUpdate/AuthlogicsPinPhraseLogin.asp
   CustomUpdate/AuthlogicsPinPassLogin.asp
Note
Do NOT place a “/” {slash} before “CustomUpdate/AuthlogicsPinxxxxLogin.asp”
(5) Select the URL Set tab.
(6) Update the “InternalSite_Rule24” to include “png” files as follows:
/internalsite/images/customupdate/[^/\\]+\.(gif|jpg|png)
(7) In this section a new access rule for an Authlogics custom file must be created. To add the following Primary URL click Add Primary.
Property     Value
Name         InternalSite_AuthlogicsTokenProxy
Action       Accept
URL          /internalsite/images/CustomUpdate/AuthlogicsTokenProxy.asp
Parameters   Handle
Methods      GET
Parameter list:
Heading                   Entry 1    Entry 2
Name                      username   authtype
Name Type                 String     String
Value                     {empty}    {empty}
Value Type                String     String
Length                    0:250      0:20
Existence                 Optional   Optional
Occurrences               Single     Single
Max Total Length          -1         -1
Rejected values checking  On         On
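With Parameters set to Handle, the rule above is an allow-list: UAG accepts only the two listed query parameters, within the stated lengths, once each, and rejects anything else before it reaches AuthlogicsTokenProxy.asp. The following Python is an added example (not Authlogics or Microsoft code) that models that check over request lines so the effect of each table entry can be tried; case-insensitive matching and the rejected-values patterns are assumptions standing in for UAG's built-in behaviour.

```python
"""Model of the InternalSite_AuthlogicsTokenProxy URL Set rule (added example,
not Authlogics or Microsoft code). Rule values are taken from the table above;
case-insensitive matching and the REJECTED patterns are assumptions."""
import re
from urllib.parse import parse_qsl, urlsplit

RULE = {
    "name": "InternalSite_AuthlogicsTokenProxy",
    # Assumption: UAG matches the URL case-insensitively (the page's own
    # InternalSite_Rule24 uses lower-case "customupdate" for the same folder).
    "url": re.compile(r"^/internalsite/images/CustomUpdate/AuthlogicsTokenProxy\.asp$", re.I),
    "methods": {"GET"},
    # Parameter list: Length 0:250 / 0:20, Existence Optional, Occurrences Single
    "params": {
        "username": {"max_len": 250, "existence": "Optional", "occurrences": "Single"},
        "authtype": {"max_len": 20, "existence": "Optional", "occurrences": "Single"},
    },
    "max_total_length": -1,  # -1 = no limit on the combined parameter length
}

# Constructed stand-in for UAG's "Rejected values checking": refuse markup,
# quoting and path-traversal characters in any parameter value.
REJECTED = re.compile(r"[<>\"'`;]|\.\.")


def check_request(method: str, target: str):
    """Return (accepted, reason) for one request line against RULE.
    Parameters=Handle means every query parameter must be on the list and
    satisfy its constraints; an unlisted or malformed parameter rejects
    the whole request."""
    parts = urlsplit(target)
    if not RULE["url"].match(parts.path):
        return False, "url does not match rule"
    if method.upper() not in RULE["methods"]:
        return False, f"method {method} not allowed"
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # {empty} values are allowed
    seen = {}
    for name, value in pairs:
        key = name.lower()  # assumption: parameter names compared case-insensitively
        spec = RULE["params"].get(key)
        if spec is None:
            return False, f"parameter {name} not in list"
        seen[key] = seen.get(key, 0) + 1
        if spec["occurrences"] == "Single" and seen[key] > 1:
            return False, f"parameter {name} repeated"
        if len(value) > spec["max_len"]:
            return False, f"parameter {name} exceeds length {spec['max_len']}"
        if REJECTED.search(value):
            return False, f"parameter {name} contains a rejected value"
    for key, spec in RULE["params"].items():
        if spec["existence"] == "Required" and key not in seen:
            return False, f"parameter {key} missing"
    total = sum(len(n) + len(v) for n, v in pairs)
    if RULE["max_total_length"] != -1 and total > RULE["max_total_length"]:
        return False, "total parameter length exceeded"
    return True, "accepted"
```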
(8) Once the appropriate modifications and new URL Set pages have been added, click OK.
(9) Open the following folder in Windows Explorer:
C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate
Make a copy of the [TrunkName]1PostPostValidate Authlogics.inc file.
Rename the copy by removing “ Authlogics“ from the end and replacing “[TrunkName]” with the actual name of the Trunk you are configuring. Do not remove the “1”. e.g. Portal1PostPostValidate.inc
(10) Click Activate Configuration to apply and save the changes.
(11) Click Activate to apply the changes.
(12) Click Finish.
Adding the Authlogics Services to a UAG Trunk
To enable users to reset their PINgrid MIPs, PINs and Active Directory passwords the Self Service
Portal application must be published in the trunk.
The Self Service Portal MUST be published even if the application is not made visible, this is
required so that UAG allows network access to the authentication web services on the AuthCentral
Authentication Server.
Active Directory KCD Configuration
This section describes the process to configure the Active Directory with Kerberos Constrained
Delegation to allow single sign-on to the Self Service Portal without the need to enter an Active
Directory password at any point.
To configure KCD the Active Directory must be set to Windows 2003 Native mode as a minimum; a
mixed mode domain will not support KCD. If KCD cannot be configured due to restrictions on the AD
domain mode then either the login page must request AD credentials or On-The-Fly login must be
used, and the users will be prompted for their AD credentials to access the Self Service Portal.
(1) Open Active Directory Users and Computers (either on a DC or management station) and select the properties of the UAG 2010 computer account, then select the Delegation tab.
(2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected) then click Add…
(3) Click Users or Computers… and locate the AuthCentral Server / Appliance computer account running the AuthCentral Services.
(4) Select the “http” service type and click OK.
(5) Click OK.
Publishing the Self Service Portal
This section describes the process to publish the Authlogics Self Service Portal in UAG 2010.
(1) Start the Microsoft UAG 2010 Management Console.
(2) Select the appropriate trunk to add the User Self Service Portal application to. In the Applications section, click Add...
(3) The UAG Add Application Wizard will start.
(4) Click Next.
(5) Choose Other Web Application (portal hostname) from Web section. Click Next.
(6) Complete the Application Values as follows:
Property          Value
Application Name  Manage PINs and Passwords
Application Type  GenericWeb
Note
This process must be repeated for every UAG trunk that will provide portal
access to provisioning and password resets.
(7) Click Next.
(8) Click Next.
(9) Click Next.
Complete the values for the Web Servers as follows:
Property      Value
Address Type  IP/Host
Addresses     {AuthCentral Server FQDN}
Paths         /
HTTP ports    14000
HTTPS ports   443
(10) Click Next.
(11) Click Next.
Note
If multiple AuthCentral Authentication servers are deployed in a high
availability scenario then publish them together as a server farm.
(12) If you do not want to allow users to use the Self Service Portal uncheck the “Add a portal and toolbar link” box. Update the “Icon URL” with one of the following icons as appropriate to the chosen authentication technology:
images/AppIcons/CustomUpdate/PINgrid.gif
images/AppIcons/CustomUpdate/PINphrase.gif
images/AppIcons/CustomUpdate/PINpass.gif
images/AppIcons/CustomUpdate/Authlogics.gif
(13) Click Next.
(14) Click Next.
(15) Click Finish.
(16) Double click the Manage PINs and Passwords application to edit it.
(17) Select the Authentication tab.
(18) Check Use SSO, then select Use Kerberos constrained delegation for single sign-on. Enter “http/*” or enter “http/{your.server.and.domain.name}” in the Application field where {your.server.and.domain.name} is the full DNS name of the AuthCentral Authentication Server computer account in AD.
(19) Click OK.
(20) Click Activate Configuration to apply and save the changes.
(21) Click Activate to apply the changes.
(22) Click Finish.
The Trunk is now configured to use Winfrasoft AuthCentral User Self Service Portal.
Configure the UAG Login page for 2FA only
By default, the Authlogics Forefront UAG Agent login page will display a 1½ factor challenge (if
supported by the authentication technology). If you are only planning to deploy 2 Factor
Authentication you can disable the display of the 1½ factor challenge on the UAG server as follows:
Start the registry editor on the UAG 2010 server and edit the appropriate key as required.
HKLM\SOFTWARE\Winfrasoft\Winfrasoft AuthCentral\PinGrid2FAonly
HKLM\SOFTWARE\Winfrasoft\Winfrasoft AuthCentral\PinPhrase2FAonly
Accepted Values:
0 = Disabled (default)
1 = Enabled
No services need to be restarted and the UAG configuration does not need to be activated for these
changes to take effect.
Authlogics Configuration on TMG 2010
The Microsoft Forefront TMG 2010 server will require additional configuration for use with the
Authlogics Forefront TMG Agent. This section should only be followed after the Authlogics Forefront
TMG Agent has been installed on the TMG server.
Configuring RADIUS
TMG 2010 will process authentication requests with the Authlogics Authentication Server via
RADIUS.
(1) Configure the TMG server as a RADIUS client on the Authlogics Authentication Server. See the Adding a RADIUS client section of the Authlogics Authentication Server Installation and Configuration Guide for further information.
(2) Configure the TMG server to use the Authlogics Authentication Server as a RADIUS server. Start the Microsoft TMG 2010 Management Console.
(3) Open the Remote Access Policy (VPN) section. Click RADIUS Server in step 2.
(4) Tick the Use RADIUS for authentication and Use RADIUS for accounting (logging) boxes, then click the RADIUS Servers… button.
(5) Click Add…
(6) Enter the name of the RADIUS / Authlogics Authentication Server and an optional description. Click change… to enter a shared secret.
(7) Enter the shared secret used when specifying the RADIUS client information at step 1, then click OK.
(8) Click OK.
(9) Click OK.
(10) Change to the Authentication tab and ensure that only Unencrypted password (PAP) is selected under Authentication Methods.
(11) Click OK.
(12) Click Apply at the top of the TMG MMC to apply the changes.
Configure a Web Listener for AuthCentral
The TMG Web Listener must be configured to use Forms based authentication and validate credentials via RADIUS OTP.
(1) Start the Microsoft TMG 2010 Management Console.
(2) Double click the web listener, in this case Listener1 and change to the Authentication tab.
(3) Select HTML Form Authentication under Client Authentication Method and select RADIUS OTP under Authentication Validation Methods.
(4) Click Configure Validation Servers…
(5) Ensure that the Authlogics Authentication Server RADIUS created previously is at the top of the list and click OK.
(6) Click OK to close the Listener.
Web Publish the AuthCentral Token Providers
The Authlogics Authentication Server hosts 3 Token Provider URLs for processing token challenge
requests, one for each Authlogics authentication technology, as follows:
/Services/GetPinPhraseToken.ashx
/Services/GetPinPassToken.ashx
/Services/GetPinGridToken.ashx
These providers MUST be web published anonymously via each Web Listener with which you want to use Authlogics. These providers enable the display of a 1.5 Factor Authentication challenge as well as initiating the sending of a Real-Time 2FA token.
(1) Start the Microsoft TMG 2010 Management Console.
(2) Create a new Web Publishing Rule called “{Web Listener} - AuthCentral Token Providers”.
(3) Click Next.
(4) Click Next.
(5) If the Authlogics Authentication Server is configured as a load balanced pair you can utilise the TMG web farm publishing, otherwise click Next.
(6) Select Use non-secured connections to connect the published Web server or server farm using HTTP. If a SSL certificate has been configured on the Authlogics Authentication Server then use the default selection.
(7) Click Next.
(8) Enter the name of the Authlogics Authentication Server.
(9) Click Next.
(10) Click Next.
(11) Select Any domain name in the Accept request for section. This enables the use of Authlogics with multiple sites which share the web listener. Alternatively you can specify all the Public Names later.
(12) Click Next.
(13) Select the Web Listener you want to use with Authlogics, in this case Listener1.
(14) Click Next.
(15) Click Next.
(16) Remove All Authenticated Users and add All Users.
(17) Click Next.
(18) Click Finish.
(19) Double click the new rule to edit it. Change to the Bridging tab and change the HTTP port to 14000. If using SSL select “Redirect requests to SSL port” and change the SSL port to 14443.
(20) Change to the Paths tab. Remove the “/*” path. Add the 3 Token Provider URLs:
/Services/GetPinPhraseToken.ashx
/Services/GetPinPassToken.ashx
/Services/GetPinGridToken.ashx
(21) Click Apply and then Test Rule. If issues are found in the test correct the problem and try again. Click OK when done.
(22) If the following warning is displayed click OK, it can be ignored.
Adding strong authentication to a publishing rule
All existing web publishing rules which are linked to the web listener that has been configured for
Authlogics must be modified to use the Authlogics logon form pages.
Each Authlogics authentication technology has its own TMG form; this is then further broken down
into 1.5FA and 2FA, then again into Exchange and generic forms as follows:
Technology  Factor  Style     Form Set name
PINgrid     1.5FA   Exchange  PinGrid1FAExchange
PINgrid     1.5FA   Generic   PinGrid1FAISA
PINgrid     2FA     Exchange  PinGrid2FAExchange
PINgrid     2FA     Generic   PinGrid2FAISA
PINpass     2FA     Exchange  PinPass2FAExchange
PINpass     2FA     Generic   PinPass2FAISA
PINphrase   1.5FA   Exchange  PinPhrase1FAExchange
PINphrase   1.5FA   Generic   PinPhrase1FAISA
PINphrase   2FA     Exchange  PinPhrase2FAExchange
PINphrase   2FA     Generic   PinPhrase2FAISA
Identify the Form Set name you wish to use with each web publishing rule and then repeat this
process for each rule.
(1) Start the Microsoft TMG 2010 Management Console.
(2) Double click the web publishing rule to edit it.
(3) Change to the Application Settings tab. Select Use customized HTML forms instead of the default. Enter the name of the Form Set required from the table above.
(4) Change to the Users tab. If the rule was previously using a Windows group to restrict access add a new User Set to contain those RADIUS users or ensure that All Authenticated Users is selected.
(5) If the published web site utilises Windows Authentication (e.g. Exchange or SharePoint) then change to the Authentication Delegation tab and select Kerberos constrained delegation and configure the server SPN as needed.
(6) Click OK.
Active Directory KCD Configuration
This section describes the process to configure the Active Directory with Kerberos Constrained
Delegation to allow single sign-on to the published web sites without the need to enter an Active
Directory password at any point.
To configure KCD the Active Directory must be set to Windows 2003 Native mode as a minimum; a
mixed mode domain will not support KCD. If KCD cannot be configured due to restrictions on the AD
domain mode then the users will be prompted for their AD credentials by the published
application.
(1) Open Active Directory Users and Computers (either on a DC or management station) and select the properties of the TMG 2010 computer account, then select the Delegation tab.
(2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected) then click Add…
(3) Click Users or Computers… and locate the computer account running the published web site.
(4) Select the “http” service type and click OK.
(5) Click OK.