ADS Integration Guide


IMPORTANT NOTICE

Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE

The Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY

Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications. Except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licensee. The customer's exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore's or its service center's option, repair, replacement, or refund of the software if reported (or, upon request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and the performance thereof is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.

Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.

DISCLAIMER OF WARRANTY

Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law.

In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall Elitecore's or its supplier's liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS

Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Elitecore Technologies Ltd. Information supplied by Elitecore Technologies Ltd. is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this document. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad – 380015, INDIA Phone: +91-79-26405600 Fax: +91-79-26407640


Guide Sets

Guide                                      Describes
User Guide
Console Guide                              Console Management
Windows Client Guide                       Installation & configuration of Cyberoam Windows Client
Linux Client Guide                         Installation & configuration of Cyberoam Linux Client
HTTP Client Guide                          Installation & configuration of Cyberoam HTTP Client
Analytical Tool Guide                      Using the Analytical tool for diagnosing and troubleshooting common problems
LDAP Integration Guide                     Configuration for integrating LDAP with Cyberoam for external authentication
ADS Integration Guide                      Configuration for integrating ADS with Cyberoam for external authentication
PDC Integration Guide                      Configuration for integrating PDC with Cyberoam for authentication
RADIUS Integration Guide                   Configuration for integrating RADIUS with Cyberoam for external authentication
High Availability Configuration Guide      Configuration of High Availability (HA)
Data transfer Management Guide             Configuration and Management of user based data transfer policy
Multi Link Manager User Guide              Configuration of Multiple Gateways, load balancing and failover
VPN Management                             Implementing and managing VPN
Cyberoam IDP Implementation Guide          Configuring, implementing and managing Intrusion Detection and Prevention
Cyberoam Anti Virus Implementation Guide   Configuring and implementing anti virus solution
Cyberoam Anti Spam Implementation Guide


Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Customer care/service department at the following address:

Corporate Office
eLitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-26405600
Fax: +91-79-26407640
Web site: www.elitecore.com

Cyberoam contact:

Technical support (Corporate Office): +91-79-26400707 Email: [email protected]

Web site: www.cyberoam.com


Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item                            Convention                                   Example
Server                          Machine where Cyberoam Software - Server component is installed
Client                          Machine where Cyberoam Software - Client component is installed
User                            The end user
Username                        Username uniquely identifies the user of the system
Part titles                     Bold and shaded font typefaces               Report
Topic titles                    Shaded font typefaces                        Introduction
Subtitles                       Bold & Black typefaces                       Notation conventions
Navigation link                 Bold typeface                                Group Management → Groups → Create
                                                                             (to open the required page, click Group Management, then Groups, and finally the Create tab)
Name of a particular            Lowercase italic type                        Enter policy name (replace policy name with the specific name of a policy)
parameter / field /                                                          or
command button text                                                          Click Name to select (Name denotes the command button text to be clicked)
Cross references                Hyperlink in a different color               refer to Customizing User database (clicking the link opens that topic)
Notes & points to remember      Bold typeface between the black borders      Note
Prerequisites                   Bold typeface between the black borders


Overview

Welcome to the Cyberoam ADS Integration Guide.

Cyberoam is an Identity-based UTM Appliance. Cyberoam's solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions.

Cyberoam's perfect blend of best-of-breed solutions includes User based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IDP), and VPN.

Cyberoam provides increased LAN security by providing a separate port for connecting to publicly accessible servers like the Web server, Mail server, FTP server etc. hosted in the DMZ, which are visible to the external world and still have firewall protection.

Once you have installed and placed Cyberoam, the default policy is applied automatically; it allows all network traffic to pass through Cyberoam. This lets you monitor user activity in your network under the default policy.

As Cyberoam monitors and logs user activity based on IP address, all reports are generated based on IP address. To monitor and log user activities based on user names or logon names, you have to configure Cyberoam to integrate user information and the authentication process. Integration will identify access requests based on user names and generate reports based on user names.

When a user attempts to access the network, Cyberoam requests a user name and password and authenticates the user's credentials before granting access. User level authentication can be performed using the local user database on the Cyberoam, an external ADS server, a Windows Domain Controller, or an LDAP server.

To set up the user database:

1. Integrate ADS, Domain Controller or LDAP if external authentication is required.

   If your network uses Active Directory Services, configure Cyberoam to communicate with your ADS. Refer to ADS Integration for more details.

   If your network uses a Windows Domain Controller, configure Cyberoam to communicate with the Windows Domain Controller. Refer to PDC Integration for more details.

   If your network uses LDAP, configure Cyberoam to communicate with the LDAP server. Refer to LDAP Integration for more details.

   If your network uses a RADIUS server, configure Cyberoam to communicate with the RADIUS server. Refer to the RADIUS Integration Guide for more details.

2. Configure for local authentication.

3. Register users.

Introduction to ADS

The Cyberoam – ADS integration feature allows Cyberoam to map the users and groups from ADS for the purpose of authentication. This enables Cyberoam to transparently identify the network users. Cyberoam communicates with Windows Directory Services – Active Directory (AD) to authenticate users based on groups, domains and organizational units.

Whenever an existing ADS user logs on for the first time after configuration, the user is automatically created in Cyberoam and assigned to the default group. If the groups are already created in Cyberoam, users are created in the respective groups, i.e. the ADS user groups are mapped to Cyberoam user groups. If the user is already created and there is a change in expiry date or group name, the user is logged in with the changes.

The administrator's task is just to configure Cyberoam to communicate with ADS.

ADS Authentication Process

A user has to be authenticated by Cyberoam before accessing any resources controlled by Cyberoam.

This authentication mechanism allows users to gain access using their Windows authentication tokens (login/user name and password) held in the Windows-based directory services.

The user sends the log on request/user authentication request to ADS, and ADS authenticates the user against the directory objects created in ADS. Once the user is authenticated, Cyberoam communicates with ADS to get the additional authorization data such as user name, password, user groups and expiry date as per the configuration; this data is used to control access.

Note

If the ADS is down then the authentication request will always return the 'Wrong username/password' message.

Note

It is necessary to have a shared NETLOGON directory on ADS with the following permissions: Read, Read & Execute, List Folder Contents.


Configuring for ADS Integration

To configure Cyberoam to communicate with ADS, it is necessary to locate an Active Directory server (domain controller) for logging on to a domain and then to find the information that you need in Active Directory. Both processes use name resolution. A domain controller can be found by using DNS names or Network Basic Input/Output System (NetBIOS) names. When locating a domain controller, the Domain Name System (DNS) resolves a domain name or computer name to an Internet Protocol (IP) address.

Every domain controller registers two types of names at startup:

1. A DNS domain name, with the DNS service and IP address

2. A NetBIOS name

It is possible that the registered DNS domain name and NetBIOS name are different. When a user logs on to a domain, the computer must do one of two things:

1. If the name of the logon domain is a DNS name, a query is placed to DNS to find a domain controller with which to authenticate.

2. If the name of the logon domain is a NetBIOS name, the computer finds a domain controller for the specified domain.

For this, ensure that users can connect to a domain controller in your network. Connections to the domain controllers are enabled automatically during the Active Directory setup. Verify the connection from a user machine using ping or a similar utility.


Screen – ADS Integration

Screen Elements       Description

Configure Authentication & Integration parameters
Integrate with        Select Active directory as the authentication server. Cyberoam dynamically maps active directory groups to the respective Cyberoam groups on each logon.
Default Group         Allows to select the default group for users. Click the Default Group list to select.
Update button         Updates and saves the configuration.
Add button            Allows to add an ADS server.


Add ADS Server

Screen – ADS Server configuration

Screen Elements          Description

Add ADS Server Details
ADS Server IP            Specify the ADS Server IP address.
Port                     Specify the port number over which the ADS Server will communicate. Default port is 389.
NetBIOS Domain           Specify the NetBIOS Domain name.
ADS Username             Specify the Administrator username.
Password                 Specify the password of the Administrator username.
Test Connection button   Allows to check the connectivity of Cyberoam with the ADS server. Click to check.
Add button               Saves the server configuration and allows to add the Domain query for name resolution and authentication. Click Add to add the domain query. Refer to Add Domain Query for more details.
Cancel button            Cancels the current operation.


Add Domain Query


Screen Elements      Description

Domain Details
Domain Name          Domain name to which the query is to be added.
Search DN            Displays the list of queries. The list order indicates the preference of each query for name resolution; if more than one query exists, the queries are resolved in the order specified.
Add button           Allows to add a query. Click to add: this opens a Search query dialog box in which to enter the name resolution query (refer to How to build a Search DN Query for details). Click OK to save, or Cancel to cancel the current operation.
Remove button        Allows to remove a query. Click the query to be removed, then click Remove.
Move Up button       Changes the order of the queries when more than one query is defined; moves the selected query one step up. Click the query to be moved up, then click Move Up.
Move Down button     Changes the order of the queries when more than one query is defined; moves the selected query one step down. Click the query to be moved down, then click Move Down.
Save button          Saves the configuration. Click to save.
Cancel button        Cancels the current operation.

Table – Domain Query screen elements

How to build a Search DN Query

To search for the user in Active Directory, a DN query is placed. The query contains 3 components: domain component (dc), organizational unit (ou) and common name (cn). For example, for the fully qualified domain name cyberoam.elitecore.com, with the user created under ou 'support' and cn 'administrator', the query is written as:
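The DN the guide is describing follows the standard LDAP distinguished-name syntax: the most specific component (cn) comes first, then the organizational unit(s), then one dc component per label of the domain name. The Python below is an added example, not part of the guide or of Cyberoam's software. It composes a search DN from those three components, escapes the characters RFC 4514 reserves (a comma inside a cn, for instance, would otherwise split the DN), and parses a DN back into its components so a configured query can be checked. Function names and sample values are assumptions for illustration.

```python
# Added example: building and parsing an Active Directory search DN.
# Not part of the Cyberoam guide; names and sample values are illustrative.

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
RDN_SPECIAL = set('\\,+"<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RDN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                  # leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):   # leading/trailing space
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def domain_to_dc(fqdn: str) -> str:
    """cyberoam.elitecore.com -> dc=cyberoam,dc=elitecore,dc=com"""
    labels = [lab for lab in fqdn.strip().strip('.').split('.') if lab]
    if not labels:
        raise ValueError("a fully qualified domain name is required")
    return ','.join('dc=' + escape_rdn_value(lab) for lab in labels)


def build_search_dn(fqdn: str, ous=(), cn=None) -> str:
    """Compose a DN: cn first, then OUs (innermost first), then the dc components.

    `ous` is the OU path from the domain root downward, e.g. ("sales", "support")
    for an OU 'support' that sits inside 'sales'.
    """
    parts = []
    if cn:
        parts.append('cn=' + escape_rdn_value(cn))
    for ou in reversed(tuple(ous)):
        parts.append('ou=' + escape_rdn_value(ou))
    parts.append(domain_to_dc(fqdn))
    return ','.join(parts)


def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in RDN_SPECIAL or nxt in ' #':
                cur.append(nxt)
                i += 2
            else:                                   # \XX hex escape
                cur.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            continue
        if ch == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, val = rdn.partition('=')
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), val))
    return pairs


if __name__ == "__main__":
    # The guide's own case: domain cyberoam.elitecore.com, ou 'support', cn 'administrator'.
    dn = build_search_dn("cyberoam.elitecore.com", ["support"], "administrator")
    print(dn)
    print(parse_dn(dn))
```

The escaping matters for the Search DN field: a value such as "Smith, John" placed in the query unescaped would be read as two components, so a query that looks right on screen can silently match nothing.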


Connectivity check

Connection to ADS is enabled automatically during Active Directory setup, but as the ADS server is used for authenticating users it is necessary to check whether Cyberoam is able to connect to ADS or not.

Connectivity can be checked:

1. At the time of adding ADS server details, or

2. After adding ADS server details
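The following Python is an added example, not from the guide or from Cyberoam, covering the two checks this section and "Configuring for ADS Integration" describe: how a client locates a domain controller for a DNS logon domain name, and whether the chosen server accepts connections on the ADS port (389 by default in the server configuration screen). Windows clients locate a domain controller through the DNS SRV record _ldap._tcp.dc._msdcs.<dns domain>, ordered by priority and weight; that detail is standard Windows and DNS behaviour, not something the guide states. The SRV answers, host names and function names are constructed for illustration.

```python
# Added example: locating a domain controller for a DNS logon domain and checking
# that the ADS port is reachable. Not from the Cyberoam guide; SRV answers, host
# names and function names are constructed for illustration.
import random
import socket
from dataclasses import dataclass

LDAP_PORT = 389  # default ADS port in the guide's server configuration screen


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer set for the SRV lookup (not real hosts).
SAMPLE_DNS_DOMAIN = "cyberoam.elitecore.com"
SAMPLE_SRV_ANSWERS = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.cyberoam.elitecore.com."),
    SrvRecord(priority=0, weight=0, port=389, target="dc2.cyberoam.elitecore.com."),
    SrvRecord(priority=10, weight=100, port=389, target="dc3.cyberoam.elitecore.com."),
]


def logon_domain_kind(name: str) -> str:
    """Classify a logon domain name: dotted names are DNS names, flat names NetBIOS."""
    name = name.strip()
    if not name:
        raise ValueError("empty logon domain name")
    if "." in name:
        return "dns"
    if len(name) > 15:
        raise ValueError("a NetBIOS domain name is at most 15 characters")
    return "netbios"


def dc_locator_srv_name(dns_domain: str) -> str:
    """SRV owner name a Windows client queries to find a domain controller."""
    return "_ldap._tcp.dc._msdcs." + dns_domain.strip().strip(".").lower()


def order_domain_controllers(records, rng=None):
    """Order SRV answers per RFC 2782: lowest priority first, weighted random within it."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = pool[0]            # all weights zero: no preference
            else:
                n = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r.weight
                    if n < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP-level check that `host` accepts connections on `port` ('ping or a similar utility')."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable_dc(records, timeout: float = 2.0, rng=None, probe=port_reachable):
    """Walk the controllers in preference order and return the first reachable host."""
    for rec in order_domain_controllers(records, rng):
        host = rec.target.rstrip(".")
        if probe(host, rec.port or LDAP_PORT, timeout):
            return host
    return None


if __name__ == "__main__":
    print(logon_domain_kind(SAMPLE_DNS_DOMAIN), dc_locator_srv_name(SAMPLE_DNS_DOMAIN))
    print([r.target for r in order_domain_controllers(SAMPLE_SRV_ANSWERS)])
    print("reachable:", first_reachable_dc(SAMPLE_SRV_ANSWERS))
```

A successful TCP connection only shows that the port is open from Cyberoam's network position; the Test Connection button in the ADS Server screen is still the check that the configured username and password work.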


Single Sign on Client Configuration

Single sign on provides password synchronization for Windows users using Active Directory services and Cyberoam: if a user is configured for Single sign on, whenever the user logs on to Windows, the user is automatically logged on to Cyberoam as well.

This also enables users to check their My Account using their Windows password.

Follow the procedure below to configure the Single Sign on login utility and ADS authentication.

Step 1 Download the Cyberoam Single Sign on client as shown in the screen shot below and save SSCyberoam.exe to the NETLOGON scripts directory on the domain controller, or as per your configuration. The logon scripts contain the configuration parameters for the initial user environment.

The default location of the NETLOGON directory is given below:

Server OS       NETLOGON default location
Windows 2000    %SYSTEMROOT%/SYSVOL/sysvol/%USERDNSDOMAIN%/Scripts
Windows 2003    %SYSTEMROOT%/SYSVOL/sysvol/%USERDNSDOMAIN%/Scripts


Screen - Download Single sign on Client

Go to step 2 if logon scripts for the users are already created.

Go to step 3 if logon scripts for the users are not created.

Step 2 If the logon scripts are already created, update them. Edit the logon script using any available editor such as Notepad, add the following line to the script and save it:

start \\<ADS MachineName>\netlogon\SSCyberoam.exe <IP address of the Cyberoam Server> <Domain>

E.g., start \\adsmachinename\netlogon\SSCyberoam.exe 192.168.1.100 elitecore

Whenever the user logs on to Windows, the logon script is executed. The above statement in the logon script runs the Cyberoam logon program with the Windows username and automatically logs the user on to Cyberoam.

Step 3 If the logon scripts are not created

Create a new script, "defaultlogonscript.bat", using any available editor such as Notepad, and add the line:

start \\<ADSMachineName>\netlogon\SSCyberoam.exe <IP address of the Cyberoam Server> <Domain>

E.g., start \\adsmachine\netlogon\SSCyberoam.exe 192.168.1.100 elitecore

Copy the script "defaultlogonscript.bat" to the NETLOGON scripts directory. Refer to step 1 to find the location of the NETLOGON scripts directory.

Download the Logon Script Updation Utility as shown in the screen shot below and save the script as "updatelogonscript.bat" in the root directory of the server.


Screen - Download User Logon Script Updation utility

Execute "updatelogonscript.bat" at the command prompt as follows:

updatelogonscript.bat defaultlogonscript.bat

This updates/adds the logon script of the users in the domain to defaultlogonscript.bat. Whenever a user logs on to Windows, the script "defaultlogonscript.bat" is executed, which in turn runs the Cyberoam logon program with the Windows username and automatically logs the user on to Cyberoam.

If the user has logged in successfully using the Single Sign on utility, then (S) is shown next to the username, e.g. Joe (S), in the Live User list.
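Steps 2 and 3 above both come down to making sure a logon script contains exactly one start line for SSCyberoam.exe. The Python below is an added example, not part of the guide or of the Cyberoam utilities: it builds that line, validates the Cyberoam IP address and the machine and domain names before they are written into a script every user executes, and makes the update idempotent so running it again does not add duplicate lines. The sample script content and the helper names are assumptions.

```python
# Added example: keeping a Windows logon script in sync with the Single Sign on
# line the guide describes. Not part of the Cyberoam guide or utilities; the
# sample script and helper names are assumptions for illustration.
import ipaddress
import re

SSO_CLIENT = "SSCyberoam.exe"

# Constructed sample of an existing logon script (CRLF line endings, as batch files use).
SAMPLE_EXISTING_SCRIPT = "@echo off\r\nnet use H: \\\\fileserver\\home\r\n"


def build_sso_line(ads_machine: str, cyberoam_ip: str, domain: str) -> str:
    # Produces:  start \\<ADS machine>\netlogon\SSCyberoam.exe <IP> <domain>
    ipaddress.ip_address(cyberoam_ip)  # raises ValueError for a malformed address
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9-]{0,14}", ads_machine):
        raise ValueError(f"invalid ADS machine (NetBIOS) name: {ads_machine!r}")
    if not re.fullmatch(r'[^\\/:*?"<>|\s]{1,15}', domain):
        raise ValueError(f"invalid domain name: {domain!r}")
    return f"start \\\\{ads_machine}\\netlogon\\{SSO_CLIENT} {cyberoam_ip} {domain}"


def update_logon_script(script_text: str, ads_machine: str, cyberoam_ip: str, domain: str) -> str:
    """Step 2: return the script with exactly one SSO line (any existing ones are replaced)."""
    wanted = build_sso_line(ads_machine, cyberoam_ip, domain)
    kept = [ln for ln in script_text.splitlines() if SSO_CLIENT.lower() not in ln.lower()]
    kept.append(wanted)
    return "\r\n".join(kept) + "\r\n"


def new_default_logon_script(ads_machine: str, cyberoam_ip: str, domain: str) -> str:
    """Step 3: contents for a fresh defaultlogonscript.bat."""
    return update_logon_script("@echo off", ads_machine, cyberoam_ip, domain)


if __name__ == "__main__":
    print(update_logon_script(SAMPLE_EXISTING_SCRIPT, "adsmachinename", "192.168.1.100", "elitecore"))
```

Whatever writes the result into the NETLOGON share, the permissions the guide's note requires for that share (Read, Read & Execute, List Folder Contents) still apply: the script runs on every workstation at logon, so only administrators should be able to change it.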

Logging on to Cyberoam using the Client exe/http client

The diagram shows the authentication process when a user tries to log on to Cyberoam using the Client exe or http client. Refer to the Cyberoam User Guide for details on downloading the clients.


Note

1. If Cyberoam is configured for multiple domains, then at the time of login the user has to provide the full username, i.e. <username>@<domainname>.

2. If Cyberoam is configured for a single domain, then at the time of login the user can provide only the username. Cyberoam will append the domain if it is not provided.

3. If the user is not found in ADS, then the message 'Not able to authenticate' will be displayed.

4. If the user is already logged in at the time of an update of the expiry date and/or group, then the changes will be reflected only at the next login.

Some Exception Conditions

1. The logon script will not execute if ADS is down; the user will not be able to log on to Cyberoam and Internet access will not be available.

   Once ADS is up, users will have to re-logon.

2. If Cyberoam is down or not reachable, the Cyberoam Single Sign on client will continuously try to log on, and as soon as Cyberoam is up, Internet access will be available.
