Technical Note
NETASQ ACTIVE DIRECTORY INTEGRATION

Contents
RUNNING THE DIRECTORY CONFIGURATION WIZARD 2
VALIDATING LDAP CONNECTION 5
AUTHENTICATION SETTINGS 6
    User authentication 6
    Kerberos authentication method 7
    Validating authentication 11
FILTER RULES BASED ON AUTHENTICATION 13
    Redirecting unauthenticated users 13
    User based rules 14
    Example ruleset 14
ADVANCED LDAP CONFIGURATION 16
    Backup domain controller 16
Running the directory configuration wizard
In this chapter you will learn how to connect NETASQ to Active Directory to perform user and group based authentication for your filter and VPN services.
You can start the wizard for connecting to Active Directory by selecting Users – Directory Configuration in the web-based management site.
Select Connect to a Microsoft Active Directory on this page.
NOTE
If you already have a configured directory access (either Active Directory or LDAP), you won't see the wizard. You have to press the small wizard icon in the top right corner.
WARNING
On the next page, configure your connection settings for the domain controller. On this page you can't change to LDAPS or add a secondary domain controller; you will have the opportunity to configure them after finishing the wizard.

Field    Setting
Server   Create a host object for the domain controller, with its internal IP.
Port     Set it to 389 (ldap) now.
ID       If you don't want to allow write access for your NETASQ firewall, choose a user with read-only access to the LDAP directory. For security reasons you are not supposed to connect with the Administrator account. You have to use the DN of the user. If the user is in an Active Directory container, the right format is:
         cn=Administrator,cn=Users
         If the user is in an organizational unit, e.g.:
NOTE
Before setting up the connection, make sure that the Windows firewall on the Domain Controller does not block incoming LDAP access.
You can allow it in Windows Firewall with Advanced Security – Inbound rules – Active Directory Domain Controller – LDAP (TCP-In).
For Kerberos authentication, you should also check the corresponding firewall rules.
Validating LDAP connection
Authentication settings
You can set the properties of captive portal at Configuration – Users – Authentication.
User authentication
Kerberos authentication method
The wizard configures LDAP authentication by default. For security reasons you should use Kerberos authentication instead.
WARNING
For Kerberos authentication the time on the firewall and on the domain controllers must be synchronized: a clock skew of more than five minutes results in authentication failures.
Make sure that the firewall's clock and the domain controller's clock are synchronized, and that the same timezone is used on both devices.
You can enable Kerberos authentication in Configuration – Users – Authentication – Available methods.
Select Add an authentication method – Kerberos.
Field                 Setting
Domain name (FQDN)    The Kerberos realm name, usually equal to the Windows domain name. It must be in capital letters.
Access to server      Select the primary domain controller's host object and the kerberos_udp port for communication.
Validating authentication
You can test authentication by going to the captive portal directly. You can access it on the internal IP address of the firewall via HTTPS.
https://ip_address/auth
Enter your username without the domain prefix or suffix and select the authentication period. After pressing Login you will be asked for your password.
NOTE
By default the maximum authentication period is 8 hours. You can modify it at Configuration – Users – Authentication – Internal interfaces – Authentication periods allowed.
If you have any problems during authentication, refer to the authentication logs. You can follow the authentication logs by using the CLI on the web interface.
Filter rules based on authentication
You can create filter rules based on Active Directory users and groups. We will give a simple example for this way of using Active Directory integration.
Redirecting unauthenticated users
You can force your users to be authenticated. In a Filtering policy select New rule – Authentication rule.
User based rules
In the filtering and NAT rules you can configure users and groups to be used as the source. That way you can attach different security policies to different users or groups. Double click on the Source column in the Filtering configuration.
Example ruleset
In the ruleset below you can see an example configuration of user based filter policies.
1st rule: redirect all unauthenticated users to the captive portal if they start an HTTP request to the internet.
2nd rule: Management has full access to any web pages, without any restrictions. Antivirus is applied to their connections.
3rd rule: Employees have restricted access to the internet during work hours, using the WorktimeURLs URL filtering list.
4th rule: Employees out of work hours have a different URL filtering slot, which is not so
NOTE
In the filtering rules we have created rules only for HTTP traffic. For HTTPS connections you need to use SSL filtering rules.
Advanced LDAP configuration
Backup domain controller
If you want to configure a secondary domain controller to be used, you can do it by going back to Configuration – Users – Directory configuration and selecting Advanced properties.
LDAP access via SSL
NETASQ supports accessing the Active Directory user database via the SSL protocol. This is an additional step which secures the connection between the firewall and the domain controllers. Open the Configuration – Users – Directory configuration page and select Secure Connection (SSL).
Check Enable SSL access.
In the Certificate authority field, add the CA which issued the domain controller's certificate. You need to import this CA certificate at Configuration – Objects – Certificates.
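As an added example (not part of the NETASQ note), the following pre-flight script, run from a Unix admin host, exercises the three requirements this note spells out: the LDAP bind on port 389 with a read-only user DN (Validating LDAP connection), the five-minute clock tolerance of Kerberos, and the LDAPS certificate chain against the CA you import on the firewall. It assumes the OpenLDAP client tools, openssl and ntpdate are installed; the host dc01.example.local, base DN dc=example,dc=local, account netasq-ldap and CA file path are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for the NETASQ / Active Directory settings covered in this note.
# Added example, not part of the NETASQ technical note. All values below are
# placeholders: replace them with your own domain controller, base DN, account and CA.
DC_HOST="${DC_HOST:-dc01.example.local}"
BASE_DN="${BASE_DN:-dc=example,dc=local}"
BIND_USER="${BIND_USER:-netasq-ldap}"          # read-only account, not Administrator
BIND_CONTAINER="${BIND_CONTAINER:-cn=Users}"   # or an OU, e.g. "ou=Service Accounts"
CA_FILE="${CA_FILE:-/etc/ssl/certs/example-ad-ca.pem}"

# The firewall wants the user's DN: the relative part (cn=<user>,cn=Users or an OU)
# followed by the domain's base DN, not DOMAIN\user.
build_bind_dn() {
    printf 'cn=%s,%s,%s\n' "$1" "$2" "$3"
}

# Kerberos tolerates at most five minutes of skew between firewall and DC clocks.
# Arguments are epoch seconds from each device; returns 0 when the skew is acceptable.
skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le 300 ]
}

# 1. Plain LDAP bind on 389 with the read-only account (-W prompts for the password).
check_ldap_bind() {
    ldapsearch -x -LLL -H "ldap://$DC_HOST:389" \
        -D "$(build_bind_dn "$BIND_USER" "$BIND_CONTAINER" "$BASE_DN")" -W \
        -b "$BASE_DN" -s base '(objectClass=*)' namingContexts
}

# 2. LDAPS on 636: the DC certificate must chain to the imported CA and match the name.
check_ldaps_cert() {
    printf 'Q\n' | openssl s_client -connect "$DC_HOST:636" -verify_hostname "$DC_HOST" \
        -CAfile "$CA_FILE" -verify_return_error >/dev/null 2>&1
}

# 3. Clock skew against the DC (domain controllers serve NTP). Assumes the classic
#    "server X, stratum N, offset S, delay D" line of ntpdate -q; offset is in seconds.
check_clock_skew() {
    offset=$(ntpdate -q "$DC_HOST" |
        awk '/offset/ { sub(",", "", $6); printf "%d", ($6 < 0 ? -$6 : $6); exit }')
    [ -n "$offset" ] && skew_ok 0 "$offset"
}

# Network checks run only on request, so the file can also be sourced for its helpers.
if [ "${RUN_AD_CHECKS:-0}" = "1" ]; then
    check_ldap_bind && check_ldaps_cert && check_clock_skew && echo "all checks passed"
fi
```

Run it with RUN_AD_CHECKS=1 to perform the live checks; a failing ldapsearch or openssl step points at the wizard field (DN, port, CA) to revisit.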