DualShield. for. Microsoft TMG. Implementation Guide. (Version 5.2) Copyright 2011 Deepnet Security Limited

Trademarks

DualShield Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor its documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer

This document is provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.


Table of Contents

1. Overview ... 4

2. Preparation ... 5

3. Configuration ... 6

4. Authentication ... 12

5. On-Demand Password ... 14

   5.1 Create a user-defined protocol for DPS ... 15

   5.2 Create an access rule for DPS ... 16

   5.3 Create a listener for DPS ... 19

   5.4 Publish the DPS web site ... 21

   5.5 Install the DualShield TMG Agent ... 25

   5.6 Change the OWA portal settings in TMG ... 26

   5.7 Change the Provisioning Server settings in DualShield ... 27


1. Overview

This implementation guide describes how to protect Microsoft TMG with two-factor authentication using the DualShield unified authentication platform. Microsoft TMG supports external authentication servers, including Active Directory and RADIUS OTP. By leveraging those features in TMG, we can implement two-factor authentication in the TMG system in which the first factor is the user’s static password and the second factor is a one-time password. The user’s static password is authenticated by the customer’s Active Directory server (domain controller), and the user’s one-time password is authenticated by the DualShield authentication server via RADIUS.

DualShield provides a wide selection of portable one-time password tokens in a variety of form factors, ranging from hardware tokens, software tokens and mobile tokens to USB tokens. These include:

• Deepnet SafeID

• Deepnet MobileID

• Deepnet GridID

• Deepnet CryptoKey

• RSA SecurID

• VASCO DigiPass Go

• OATH-compliant OTP tokens

In addition to supporting one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication method that delivers logon passwords via SMS text, phone call, Twitter direct message or email.

The complete solution consists of the following components:

• Microsoft TMG

• DualShield Radius Server


2. Preparation

Prior to configuring TMG for two-factor authentication, you must have the DualShield Authentication Server and DualShield Radius Server installed and operating. For the installation, configuration and administration of DualShield Authentication and Radius servers, please refer to the following documents:

• DualShield Authentication Platform – Installation Guide

• DualShield Authentication Platform – Quick Start Guide

• DualShield Authentication Platform – Administration Guide

• DualShield Radius Server - Installation Guide

You also need to have a RADIUS application created in the DualShield authentication server. The application will be used for the two-factor authentication in TMG. The document below provides detailed instructions for RADIUS authentication with the DualShield Radius Server:

• VPN & RADIUS - Implementation Guide


3. Configuration

1. Edit the Properties of the OWA listener and select the Authentication tab:

   • Select “HTML Form Authentication”

   • Enable “Collect additional delegation credentials in the form”

   • Select “RADIUS OTP”

2. Click “Configure”


3. Select the “RADIUS Servers” tab

4. Click “Add”

5. Enter the server name or IP address of your DualShield Radius server, then enter the shared secret and the Authentication port


6. Select the “LDAP Servers” tab, click “Add” and add your LDAP server settings


Finally, click the “Apply” button on the top to save and activate the changes.

The third stage is to configure the DualShield server to add TMG as a Radius client and to create a Radius application with a logon procedure.

Create a new logon procedure

1. Login to the DualShield management console

2. In the main menu, select “Authentication | Logon Procedure”

3. Click the “Create” button on the toolbar

4. Enter “Name” and select “RADIUS” as the Type

5. Click “Save”

6. Click the Context Menu icon of the newly created logon procedure and select “Logon Steps”

7. In the popup window, click the “Create” button on the toolbar

8. Select “One-Time Password” as the authenticator


Create a new application

1. In the main menu, select “Authentication | Applications”

2. Click the “Create” button on the toolbar

3. Enter “Name”

4. Select “Realm”

5. Select the logon procedure that was just created

6. Click “Save”

Add TMG as a Radius client

1. In the main menu, select “RADIUS | Clients”

2. Click the “Register” button on the toolbar

3. Select the application that was created in the previous steps

4. Enter TMG’s IP in the IP address field

5. Enter the Shared Secret and make sure it is identical to the shared secret defined in the Radius server settings in TMG.
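To confirm that the Radius client registration and shared secret above actually match what TMG will send before users depend on them, here is an added test script (example code, not part of the original guide or of Deepnet's software) that builds an RFC 2865 Access-Request with a PAP-hidden User-Password, sends it to the DualShield Radius Server and verifies the Response Authenticator; it also implements the server-side password unhiding and response construction so both halves of the exchange are visible. Host, port, secret, NAS IP, user name and OTP are assumed values you supply when calling check_radius_client.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: what the Radius server does before checking the OTP against the token."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user: str, otp: str, secret: bytes, ident: int, auth: bytes, nas_ip: str) -> bytes:
    """Access-Request carrying User-Name(1), PAP User-Password(2) and NAS-IP-Address(4); auth = 16 random bytes."""
    hidden = pap_encrypt(otp.encode(), secret, auth)
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user.encode()
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    attrs += struct.pack("!BB", 4, 6) + socket.inet_aton(nas_ip)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(request_auth: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: a reply that fails this check means a mismatched shared secret or a spoofed packet."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def check_radius_client(host: str, port: int, secret: bytes, user: str, otp: str, nas_ip: str) -> tuple:
    """Send one live Access-Request; returns (authentic, code). Code 2 = Access-Accept, 3 = Access-Reject."""
    ident, auth = os.urandom(1)[0], os.urandom(16)  # fresh ID and Request Authenticator per request
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5.0)
        s.sendto(build_access_request(user, otp, secret, ident, auth, nas_ip), (host, port))
        reply, _ = s.recvfrom(4096)
    return response_is_authentic(auth, reply, secret) and reply[1] == ident, reply[0]
```

A reply that fails the authenticator check (or a timeout) points at a shared-secret or client-IP mismatch between TMG’s RADIUS server entry and the DualShield client registration rather than at the user’s token.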


We have now completed all necessary stages and steps in setting up two-factor


4. Authentication

Launch your web browser and connect to the OWA portal.

Users will now be asked to provide both “Passcode” and “Password”. Password is the field where users will need to enter their AD password (Static Password), and Passcode is the field where users will need to provide their one-time passwords (OTP).

The DualShield passcode is defined by the logon procedure in your DualShield server. In our example, we defined One-Time Password in the logon procedure, which means that users will be able to use any one-time password token supported by DualShield to authenticate to the OWA portal.


5. On-Demand Password

If you enable On-Demand Password in DualShield, then your users will be able to use Deepnet T-Pass as their authentication method. A typical question with On-Demand password is how can users request to have their password delivered in real time? Using the configuration that we have set up in above steps, users can’t request to have their password delivered in real time. Users will need to have a password pre-delivered before they can logon. The system administrator can push out on-demand passwords to users, or users can use the self-service console to obtain an on-demand password. Once a user has successfully logged in, the DualShield server will then automatically send out a new password to be used by the user at next logon.

If the pre-delivery method described above is not a viable solution for you, then you need to install the DualShield TMG Agent, which will enable users to request an on-demand password in real time at logon.

The rest of this document describes how to configure TMG with the DualShield TMG Agent. The diagram below illustrates the architecture of the solution:

As an example, we make the following assumptions:

1. The network domain is “DeepnetTest32.com”

2. The DualShield platform including its Authentication Server (DAS) and Provisioning Server (DPS) is installed and operating in HTTP mode

3. The FQDN of the DualShield platform is “DualShield.DeepnetTest32.com”

4. The internal port number of the DualShield Provisioning Server (DPS) is 8072

5. The public host name of the DPS to be published is “Mail.DeepnetSecurity.com”

6. The public port number of the DPS is also 8072

7. The FQDN of the Exchange Server is “Exchange.DeepNetTest32.com”

8. The public host name of the OWA published is “Mail.DeepnetTest32.com”

The entire configuration process involves the following stages:


4. Publish the DPS web site

5. Install the DualShield TMG Agent

6. Change the OWA portal settings in TMG

The DualShield Provisioning Server is a web service that delivers on-demand passwords. Therefore, it needs to be published as a web site on TMG. The process is similar to the way the OWA web portal is published, but requires some extra settings due to the non-standard HTTP port number being used for DPS (8072).

5.1 Create a user-defined protocol for DPS

As DPS works on a non-standard HTTP port, we have to define a new protocol. In Toolbox | Protocols, select “New | Protocol” from the menu.

1. Enter the name for the new protocol to be created

2. Add an inbound TCP protocol with IP range of 8072

3. Click “Finish”


5.2 Create an access rule for DPS

In the Tasks, click “Create Access Rule”

1. Enter the name for the new rule

2. Select “Allow”


7. Select “External” and click “Add”

8. Click “Next”


10. Click “Finish”

11. Click “Apply” on the top to save changes

5.3 Create a listener for DPS

In Toolbox | Network Objects, select “New | Web Listener” from the menu.


2. Select “Do not require SSL…”

3. Select “External”


5. Click “Finish”

6. Click “Apply” on the top to save changes

5.4 Publish the DPS web site

In Tasks, click “Publish Web Sites”.

1. Enter the name for the web site


3. Select “Use non-secured connections…”


5. Enter “/dps/*” in the path

6. Enter the public host name of DPS


8. Click “Finish”


12. Enable “Redirect requests to HTTP port” and enter 8072, then click “Test Rule”

13. Click “OK” to save

14. Click “Apply” on the top to save changes

5.5 Install the DualShield TMG Agent

1. In Windows Explorer, navigate to:

C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates

2. Clone the entire folder ‘Exchange’ to a new folder named “ExchangeDualShield”

3. Unzip the DualShield TMG Agent package (DualShieldTMG.1.1.zip) and extract the content to the newly created folder above.


var DPS_Host = 'http://mail.deepnettest32.com:8072';

with the real URL of your DPS. Save the file.

5. Open “usr_pwd_pcode.htm” in a text editor

Locate the following line of text in the file:

<link href="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=logon_style.css" type="text/css" rel="stylesheet">

Insert the following line of text underneath the above line:

<link href="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=dualshield.css" type="text/css" rel="stylesheet">

Append the following lines of text to the end of the file:

<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery-1.7.min.js" type="text/javascript"></script>
<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery.json-2.3.min.js" type="text/javascript"></script>
<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery.blockUI.js" type="text/javascript"></script>
<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery.dps.js" type="text/javascript"></script>

Save the file.

6. Restart the ‘Microsoft Forefront TMG Firewall’ service

5.6 Change the OWA portal settings in TMG


Enable “Use customized HTML…” and enter “ExchangeDualShield”, which is the folder name we created in the previous stage

Click “Test Rule”

Click “OK”

Click “Apply” on the top to save changes

5.7 Change the Provisioning Server settings in DualShield

In the DualShield Management Console, select “Authentication | Agents” in the main menu, click the context menu of the Provisioning Server and select “Applications”.


We have now completed all stages and steps in configuring TMG with the DualShield Agent.

5.8 Test Authentication

Now, when users attempt to logon to the OWA portal

To request an on-demand password, users first enter their “User Name” and “Password” (AD Password), and then click one of the delivery icons (e.g. the Email icon). If the credentials provided are correct, the DPS server will generate an on-demand one-time password (“Passcode”) and deliver it to the user via the defined delivery channel (e.g. email).
