Application Note
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
• The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.
• This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.
© Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.
GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90
Printed in France. Document Reference:
Contents
Preface ... vi
Who Should Read This Book ... vi
For More Information... vi
Conventions ... vii
Contact Our Hotline... vii
Overview ... 1
Main steps ... 1
Architecture ... 2
Elements description... 3
Authentication process... 4
Configure the Domain Controller Server... 5
Configure Citrix Web Interface ... 8
Configure the Internet Authentication Service ... 17
IAS RADIUS prerequisites ... 17
Add a RADIUS Client ... 18
Configure Access Policies ... 19
Install and configure SA Server agent for IAS... 24
Restart IAS ... 26
Configure the Gemalto Strong Authentication Server... 28
Configure the ISA Server 2006 ... 29
Rule creation ... 29
Authentication server configuration ... 42
Saving the rule changes and restarting the firewall service ... 46
List of Figures
Figure 1 - Architecture ... 2
Figure 2 - Authentication process... 4
Figure 3 - Allowing authentication delegation to the ISA 2006 Server ... 5
Figure 4 - Selecting authentication protocol ... 6
Figure 5 - Select Users or Computers ... 6
Figure 6 - Add Services ... 7
Figure 7 - ISA 2006 Server Properties ... 7
Figure 8 – Access Management Console... 8
Figure 9 – Create Site... 9
Figure 10 - Specify IIS Location ... 9
Figure 11 - Specify Configuration Source... 10
Figure 12 - Specify Authentication Settings... 10
Figure 13 - Confirm Settings For New Site... 11
Figure 14 - Creating Site... 11
Figure 15 - Welcome to the Specify Initial Configuration Wizard ... 12
Figure 16 – Specify Server Farm... 13
Figure 17 - Select Application Type... 14
Figure 18 - Confirm Settings... 15
Figure 19 - Access Management Console ... 15
Figure 20 - Configure Authentication Methods ... 16
Figure 21 - Properties ... 16
Figure 22 - IAS RADIUS Server ... 18
Figure 23 - New RADIUS Client 1 ... 18
Figure 24 - New RADIUS Client 2 ... 19
Figure 25 - Policy Configuration Method ... 19
Figure 26 - Policy Conditions... 20
Figure 27 - Attribute type ... 20
Figure 28 - Client IP Address ... 20
Figure 29 - Policy Conditions... 21
Figure 30 - Selecting Permissions... 21
Figure 31 - Editing Dial-In Profile... 22
Figure 32 - Encryption Type ... 22
Figure 33 - Connection Request Authentication... 23
Figure 34 - Connection Request Policies ... 24
Figure 35 - SA Server Agent install Shield Wizard ... 24
Figure 36 - License Agreement ... 25
Figure 37 - Configuring SA Server URL ... 25
Figure 38 - Installing the SA IAS Agent ... 26
Figure 39 - Finishing the Installation... 26
Figure 40 - Stopping the IAS Service ... 27
Figure 41 - Starting the IAS Service ... 27
Figure 42 - Firewall Policy ... 29
Figure 43 - Create Access Rule ... 30
Figure 45 - Publishing Type... 31
Figure 46 - Server Connection Security ... 32
Figure 47 - Internal Publishing Details... 33
Figure 48 - Setting Public Name Details... 33
Figure 49 - Selecting Web Listener ... 34
Figure 50 - Web Listener Name ... 35
Figure 51 - Client Connection Security... 35
Figure 52 - Web Listener IP Addresses... 36
Figure 53 - Listener SSL Certificates... 36
Figure 54 - Select Certificate ... 37
Figure 55 - Listener SSL Certificates... 38
Figure 56 - Authentication Settings ... 38
Figure 57 - Single Sign On Settings ... 39
Figure 58 - Completing the New Web Listener Wizard ... 40
Figure 59 - Select Web Listener ... 40
Figure 60 - Authentication Delegation ... 41
Figure 61- User Sets... 41
Figure 62 - Completing the New Web Publishing Rule Wizard ... 42
Figure 63 - Kerberos Constrained Delegation ... 42
Figure 64 - Web Listener properties ... 43
Figure 65 - Authentication Properties ... 43
Figure 66 - Authentication Servers ... 44
Figure 67 - Adding RADIUS Server ... 44
Figure 68 - Shared Secret ... 45
Figure 69 - IAS server... 45
Figure 71 - Applying changes ... 46
Figure 72 - Saving Configuration Changes ... 46
Figure 73 - Monitoring... 46
Figure 74 - Stopping the Firewall service ... 47
Preface
The Gemalto two-factor authentication solution provides strong authentication based on smart cards for the enterprise, banking, and internet service provider (ISP) markets.
This solution enables organizations to deploy a strong authentication solution for their end-users, whether local or remote. The system can service a broad range of deployments, from small corporations with fewer than 100 users to ISPs with potentially millions of users.
Who Should Read This Book
This guide is intended for system administrators responsible for configuring the ISA, SA Server and Citrix Web Interface in order to use Gemalto OTP devices to authenticate mobile users with ISA 2006.
Administrators should be familiar with:
• Citrix Web Interface.
• The Gemalto SA Server system architecture.
• Microsoft Internet Security and Acceleration Server 2006.
For More Information
For a complete list of the documentation for the Gemalto Strong Authentication (SA) Server, refer to the release notes (README.txt) on the Gemalto SA Server CD (or zip image of the CD).
Conventions
The following conventions are used in this document:
In this manual, the following highlighting styles are used:
Bold – Instructions, commands, file names, folder names, key names, icons, menus, menu items, field names, buttons, check boxes, tabs, registry keys and values.
Italic – Variables that you must replace with a value, book titles, new or emphasized terms.
In this manual, hyperlinks are marked as described below:
Internal Links – Displayed in quotation marks. When viewing this book online, click an internal link to jump to a different section of the book.
External Links – Displayed in blue, underlined text. When viewing this book online, click an external link to launch your default browser (or email program) to navigate to that Web address or compose an email.
In this manual, notes and cautions are marked like this:
Notes: Information that further explains a concept or instruction, tips, and tricks.
Caution: Information that alerts you to potentially severe problems that might result in loss of data or system failure.
Contact Our Hotline
If you do not find the information you need in this manual, or if you find errors, contact the Gemalto hotline at http://support.gemalto.com/.
1 Overview
This document provides a deployment scenario to show you how it is possible to configure the Microsoft ISA 2006 Server to use Gemalto SA Server to authenticate Mobile Users in order to get access to applications through Citrix Web Interface.
Caution: This document describes a laboratory scenario; consequently, it should not be considered as an instruction manual on how to configure your system.
Main steps
The main steps are:
1. SA Server installation
2. RADIUS Server configuration
a. Installation
Elements description
To provide SA Server authentication for mobile users, your system requires the following prerequisites:
• A Microsoft Internet Security and Acceleration Server 2006 installed on a Microsoft Windows 2003 Server.
The server has two physical interfaces and is able to act as a gateway from the Internal Network to the External Network.
o <IP internal address> allows access to the Internal Network. This network is seen as a trusted network. In our laboratory <IP internal address> was 10.10.180.69.
o <IP external address> represents the IP address of the physical interface visible from the External Network. This address will be set during the appliance configuration. The External Network is seen as an untrusted network. In our laboratory <IP external address> was 192.168.83.128.
o We named the ISA Server isawi; this name will appear in the next screenshots.
• An AD Domain machine hosting an Active Directory LDAP and acting as domain controller.
In our laboratory the domain hosted by AD Domain was “w2k3.gemsafe.gem”.
We will use the term Mobile Users to refer to users who have an account in AD Domain and who will access the Internal Network from the External Network through the ISA 2006 Server. Their accounts must be configured to allow remote access control.
• A Microsoft Certification Authority used to issue web certificates to the web servers.
In our laboratory, the Certification Authority was installed on the server hosting the Domain Controller.
• A Citrix Web Interface. You will have to create and configure a website. These steps will not be treated in the following document; we will mention only the creation of the website and the configuration steps taking part in the authentication process.
In our laboratory, the Citrix Web Interface server was named wi.w2k3.gemsafe.gem. <IP web interface address> was 10.10.180.169.
• A Citrix Presentation Server. You will have to provide the applications for mobile users. The provisioning of the applications will not be explained in this document. In our laboratory the Citrix Presentation Server is citrixpsonly.
• A Gemalto SA Server.
We have installed the server in Mixed mode. It is supposed to be provisioned for devices and users.
<Base URL SA Server> will be used to refer to the URL that should be used to access SA Server. In our laboratory <Base URL SA Server> was http://saserver.w2k3.gemsafe.gem.
• A RADIUS Server.
This server is the link between the ISA 2006 Server and the Gemalto SA Server.
o IAS RADIUS, for which <IP IAS address> will be used to refer to the IAS RADIUS server IP address. In our laboratory, <IP IAS address> was 10.10.180.57.
o You will have to install the Gemalto IAS Agent.
In order to demonstrate a successful authentication, we also need:
• VPN Client machines.
• Users.
Authentication process
To allow mobile users to get access to the published applications, we use the Kerberos Constrained Delegation feature available on Microsoft ISA 2006. The following schema shows the authentication process based on the Kerberos Constrained Delegation feature.
Figure 2 - Authentication process
Step 1, receipt of client credentials: The client sends a request to connect to the applications in the internal network. The client provides the credentials in an HTML form.
Steps 2 and 3, sending credentials: ISA Server sends the credentials to the authentication provider. The authentication provider in our case is a RADIUS server; the Gemalto agent intercepts the credentials and sends them to the Strong Authentication Server. Once the credentials are accepted, the RADIUS server sends an acknowledgment notifying that the user is authenticated. The ISA 2006 server then generates a Kerberos ticket.
Step 4, authentication delegation: ISA Server forwards the client's request to the Citrix Web Interface, and authenticates itself to the Citrix Web Interface using the client's credentials.
Step 5, server response: The Citrix Web Interface sends a response to the client, which is intercepted by ISA Server.
2 Configure the Domain Controller Server
Here are the main configuration steps that need to be performed on the Domain Controller.
Figure 3 - Allowing authentication delegation to the ISA 2006 Server
Figure 4 - Selecting authentication protocol
3. On the Delegation tab, check Trust this computer for delegation to specified services only.
4. Check Use any authentication protocol.
5. Click on Add.
Figure 5 - Select Users or Computers
Figure 6 - Add Services
8. Select http as the Service Type.
9. Click on OK.
Figure 7 - ISA 2006 Server Properties
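The Delegation tab settings above map to two userAccountControl bits and the msDS-AllowedToDelegateTo list on the ISA computer account. The following Python check is an added example, not part of this document nor a Gemalto or Microsoft tool: it verifies that the account is constrained (not unconstrained), has protocol transition enabled, and delegates only to the http SPN of the Web Interface. The account record is a constructed sample built from the laboratory names in this document; the flag constants are the standard Active Directory values.

```python
# Standard Active Directory userAccountControl bits involved in delegation.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained: "Trust this computer for delegation to any service"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: "Use any authentication protocol"

# Constructed sample of the ISA 2006 Server computer account (isawi) as an LDAP query would return it
# once the Delegation tab has been configured as in this chapter (assumed values, not captured data).
ISAWI_ACCOUNT = {
    "sAMAccountName": "ISAWI$",
    "userAccountControl": 0x1001000,  # WORKSTATION_TRUST_ACCOUNT (0x1000) | TRUSTED_TO_AUTH_FOR_DELEGATION
    "msDS-AllowedToDelegateTo": ["http/wi.w2k3.gemsafe.gem", "http/wi"],
}

def expected_spns(service: str, host: str) -> set:
    """Both the FQDN and the short-name form of the SPN are normally registered, so accept either."""
    return {f"{service}/{host}".lower(), f"{service}/{host.split('.')[0]}".lower()}

def check_constrained_delegation(account: dict, service: str, host: str) -> list:
    """Return a list of findings; an empty list means the account matches the intended KCD setup."""
    findings = []
    uac = int(account.get("userAccountControl", 0))
    allowed = {s.lower() for s in account.get("msDS-AllowedToDelegateTo", [])}
    wanted = expected_spns(service, host)
    if uac & TRUSTED_FOR_DELEGATION:
        # Unconstrained delegation would let ISA impersonate users to any service; the document
        # deliberately selects "to specified services only".
        findings.append("TRUSTED_FOR_DELEGATION is set: delegation is unconstrained, not constrained")
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Users log on to ISA with a form and an OTP rather than with Kerberos, so ISA needs protocol
        # transition to obtain a service ticket on their behalf.
        findings.append("TRUSTED_TO_AUTH_FOR_DELEGATION is not set: 'Use any authentication protocol' is required")
    if not allowed & wanted:
        findings.append(f"no {service} SPN for {host} in msDS-AllowedToDelegateTo")
    for spn in sorted(allowed - wanted):
        findings.append(f"delegation also allowed to {spn}; remove it unless it is required")
    return findings

if __name__ == "__main__":
    for line in check_constrained_delegation(ISAWI_ACCOUNT, "http", "wi.w2k3.gemsafe.gem") or ["OK"]:
        print(line)
```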
3 Configure Citrix Web Interface
To configure Kerberos with Citrix Web Interface, you must launch the Access Management Console.
Figure 8 – Access Management Console
Figure 9 – Create Site
2. Select Access Platform site and click on Next.
Figure 10 - Specify IIS Location
Figure 11 - Specify Configuration Source
4. Select Local File(s) and click on Next.
Figure 12 - Specify Authentication Settings
Figure 13 - Confirm Settings For New Site
6. Click on Next.
Figure 14 - Creating Site
Figure 15 - Welcome to the Specify Initial Configuration Wizard
Figure 16 – Specify Server Farm
9. In the Farm name field, type your farm name; in our case we chose Farmgemsafe. Then in the Server field click on Add and type your Presentation Server; in our case it is citrixpsonly.w2k3.gemsafe.gem. In XML service port, enter 8888.
Figure 17 - Select Application Type
10. Select Remote and click on Next.
Figure 18 - Confirm Settings
12. Click on Finish.
Figure 19 - Access Management Console
13. In Access Management Console, in Web Interface select https://wi.w2k3.gemsafe.gem/Citrix/AccessPlatform. In Common Task, click on Configure
Figure 20 - Configure Authentication Methods
14. Check Pass-through and click on Properties.
Figure 21 - Properties
4 Configure the Internet Authentication Service
We used the IAS server version embedded in Windows Server 2003 SP1.
IAS RADIUS prerequisites
The IAS RADIUS installation is not described in this document. It is presumed to be already done.
Check IAS RADIUS Server domain
The IAS RADIUS server must be part of the AD Domain, as IAS RADIUS has to check that each Mobile User has an account in the directory.
Access to IAS administration
You have to:
Figure 22 - IAS RADIUS Server
Add a RADIUS Client
You now have to add the ISA 2006 Server as a RADIUS client:
• Right click on RADIUS Clients and select New RADIUS Client.
Figure 23 - New RADIUS Client 1
• In Friendly name, enter a name for Microsoft ISA Server 2006.
• In Client address (IP or DNS), enter the <IP internal address>.
Figure 24 - New RADIUS Client 2
• Select RADIUS Standard for Client-Vendor:
• Enter the chosen shared secret in Shared secret: and in Confirm shared secret:. This must be the same value as the one you enter when you configure the authentication server on the ISA 2006 Server (page 42).
• Click on [Finish] to validate those parameters.
Configure Access Policies
You have to add a new remote access policy:
• Right click on Remote Access Policies and select New Remote Access Policy.
• Click on Next in the wizard window.
Figure 25 - Policy Configuration Method
• Select Set up a custom policy in How do you want to set up this policy and add a friendly name in Policy name.
Figure 26 - Policy Conditions
• Click on Add… in the Policy Conditions window.
Figure 27 - Attribute type
• Select Client-IP-Address in Attribute types: and click on Add…
Figure 28 - Client IP Address
Figure 29 - Policy Conditions
• Click on Next.
Figure 30 - Selecting Permissions
Figure 31 - Editing Dial-In Profile
• Click on Edit Profile… in the profile window.
• Select the Authentication tab and uncheck all boxes except Unencrypted authentication (PAP, SPAP).
• Select the Encryption tab.
Figure 32 - Encryption Type
• In the Profile window, click on Next.
• In the New Remote Access Policy Wizard window, click on Finish.
The new policy is now available.
Configure Connection Request Policies
You have to add a new connection request policy:
• In Connection Request Processing, right click on Connection Request and select New Connection Request Policy.
• Click on Next in the wizard window.
• Select A custom policy, enter a name in Policy name and click on Next.
• In the Policy conditions window, click on Add…, select Client-IP-Address, click on Add…, enter <IP Internal Address>, click on OK and click on Next.
• In the Request Processing Method, click on Edit Profile.
Figure 33 - Connection Request Authentication
• In the Authentication tab, select Authenticate requests on this server and click on OK.
Figure 34 - Connection Request Policies
The new policy is now available.
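With the profile restricted to PAP, the only protection of the passcode between the ISA 2006 Server and IAS is the RFC 2865 User-Password hiding, keyed by the shared secret entered in the Add a RADIUS Client step; the same secret also authenticates the Access-Accept that IAS returns. The following Python example is added here and is not code from this document, Gemalto or Microsoft: it builds the Access-Request as the RADIUS client would send it (with the laboratory <IP internal address>), recovers the passcode on the server side, and checks the Response Authenticator. The shared secret and the passcode are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed values: a placeholder shared secret and the laboratory address from this document.
SHARED_SECRET = b"example-shared-secret"  # placeholder; use a long random secret in a real deployment
ISA_INTERNAL_IP = "10.10.180.69"          # <IP internal address>: the RADIUS client (NAS) as seen by IAS

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same chain in reverse. Without the shared secret the bytes are meaningless."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attributes(payload: bytes) -> dict:
    attrs = {}
    while payload:
        atype, alen = payload[0], payload[1]
        if alen < 2 or alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = payload[2:alen]
        payload = payload[alen:]
    return attrs

def build_access_request(ident: int, username: str, passcode: str, secret: bytes,
                         authenticator: bytes = None) -> bytes:
    """Access-Request as ISA Server (the RADIUS client) sends it to IAS under a PAP-only profile."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: fresh random per request
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(passcode.encode(), secret, authenticator))
    attrs += attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in ISA_INTERNAL_IP.split(".")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_decode(packet: bytes, secret: bytes) -> tuple:
    """What IAS (and the SA Server agent behind it) sees: (User-Name, recovered passcode bytes)."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs = parse_attributes(packet[20:length])
    passcode = reveal_password(attrs[ATTR_USER_PASSWORD], secret, packet[4:20])
    return attrs[ATTR_USER_NAME].decode(), passcode

def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)  # no attributes in this reply
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: only a party holding the shared secret can produce a valid Response Authenticator."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, resp_auth)

if __name__ == "__main__":
    # Constructed passcode in this document's format: the token OTP followed by the AD password.
    req = build_access_request(1, "sasadmin", "123456Passw0rd", SHARED_SECRET)
    print(server_decode(req, SHARED_SECRET))
    print(verify_response(req, build_access_accept(req, SHARED_SECRET), SHARED_SECRET))
```

Because the hiding is keyed only by the shared secret and the MD5 chain, the strength of that secret and the isolation of the path between ISA and IAS are what protect the OTP and AD password in transit.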
Install and configure SA Server agent for IAS
You now have to install the SA Server IAS agent on the IAS RADIUS server. This component will forward all authentication requests received by IAS to SA Server.
• Double-click on “IAS_AgentSetup.exe” on the IAS RADIUS server.
Figure 35 - SA Server Agent install Shield Wizard
Figure 36 - License Agreement
• Select I accept the terms in the license agreement and click on Next.
Figure 37 - Configuring SA Server URL
• You now have to enter <Base URL SA Server>/saserver/servlet/UserRequestServlet in Protiva Authentication Servlet URL:
Caution: During the installation, you have to replace “localhost” by the real IP address of SA Server. You also have to set the port if this is not the standard port 80.
Don’t forget to replace the proposed “protiva” path by “saserver”, as it is now the default choice used during SA Server installation.
Figure 38 - Installing the SA IAS Agent
• Click on Install.
Figure 39 - Finishing the Installation
• Click on Finish.
Restart IAS
To launch the installed agent, you now have to re-start IAS.
Figure 40 - Stopping the IAS Service
• Then, click on the green arrow in the same toolbar to restart the server and take the changes into account.
5 Configure the Gemalto Strong Authentication Server
6 Configure the ISA Server 2006
As represented in Figure 1, we chose to install the Microsoft ISA Server 2006 as a front-end firewall. This configuration divides the space into two different networks: an internal one, which represents the corporation's local area network, and an external network (the Internet). We will now describe the access rules that must be created in order to manage mobile users' access.
Rule creation
Launch the ISA Server Management.
Figure 42 - Firewall Policy
Figure 43 - Create Access Rule
• In the Tasks tab, click on Publish Web Sites.
• The New Web Publishing Rule Wizard appears.
Figure 44 - New Web Publishing Rule Wizard
Figure 45 - Publishing Type
• In the Publishing Type window, select the type that meets your enterprise infrastructure.
Figure 46 - Server Connection Security
Figure 47 - Internal Publishing Details
• In Internal Site name, enter the Web site name.
Note: In our laboratory, the web internal site name was wi.w2k3.gemsafe.gem.
• In Accept requests for, select Any domain name.
• In Public name, enter the site name.
Note: In our laboratory, the web internal site name was wi.w2k3.gemsafe.gem.
Figure 49 - Selecting Web Listener
Figure 50 - Web Listener Name
• In Web listener name, enter a name.
Note: In our laboratory, we chose Web Interface listener as the listener name.
Figure 51 - Client Connection Security
Figure 52 - Web Listener IP Addresses
• In the Web Listener IP Addresses window, check External.
• Check ISA Server will compress content sent to clients through this Web Listener[…].
• Click on Next.
• Check Use a single certificate for this Web Listener.
• Click on Select Certificate…
Figure 54 - Select Certificate
• Select the valid web certificate that meets your configuration.
• Click on Select.
Figure 55 - Listener SSL Certificates
• Click on Next.
Figure 56 - Authentication Settings
• In Select how clients will provide credentials to ISA Server, select HTML Form Authentication.
• Click on Next.
Figure 57 - Single Sign On Settings
• In the Single Sign On Settings window, check Enable SSO for Web sites published with this Web listener.
Figure 58 - Completing the New Web Listener Wizard
• Click on Finish.
Figure 59 - Select Web Listener
Figure 60 - Authentication Delegation
• In Select the method used by ISA Server […], select Kerberos constrained delegation.
• In Type the Service Principal Name (SPN) […], enter the SPN of your Web Interface.
Note: In our laboratory, the SPN was http/wi.w2k3.gemsafe.gem.
• In the User Sets window, make sure that the All Authenticated Users item is selected.
• Click on Next.
Figure 62 - Completing the New Web Publishing Rule Wizard
• Click on Finish.
Figure 63 - Kerberos Constrained Delegation
Note: This window refers to the Domain Controller configuration step. We must allow Kerberos Constrained Delegation to the ISA 2006 Server. Please refer to the Domain Controller Configuration part.
Authentication server configuration
After you create the Web publishing rule, you need to set up the authentication server. The Gemalto strong authentication solution is based on the RADIUS Protocol. This section describes the configuration steps that need to be done on the ISA 2006 Server.
Figure 64 - Web Listener properties
• On the Citrix Web Interface window, select the Listener tab.
• Click on Properties.
Figure 65 - Authentication Properties
• Click on Configure Validation Servers…
Figure 66 - Authentication Servers
• On the Authentication Servers window, select the RADIUS Servers tab.
• Click on Add…
• In Server name, enter the IAS server name or <IP IAS address>.
• In Server description, enter a description.
• In Shared secret, click on Change…
Figure 68 - Shared Secret
• Enter the RADIUS shared secret.
• Click on OK twice.
Figure 69 - IAS server
Saving the rule changes and restarting the firewall service
Figure 70 - Applying changes
• Click on Apply to save the changes.
Figure 71 - Saving Configuration Changes
• Click on OK.
To restart the Microsoft ISA 2006 Server service, proceed as follows:
Figure 72 - Monitoring
Figure 73 - Stopping the Firewall service
• Right-click on Microsoft Firewall.
• Click on Stop.
Figure 74 - Starting the Firewall service
7 Client connection
On the client workstation, open your web browser and type the ISA Server external IP address or the DNS name associated with it.
Figure 75 - Security Alert
Figure 76 - User authentication web page
• In User name, enter the user name.
Note: In our laboratory, we created a user named sasadmin.
• In Passcode, enter the OTP given by the Gemalto token followed by the user password.
Figure 77 – Citrix Web Interface