Authlogics Forefront TMG and UAG Agent Integration Guide
With PINgrid, PINphrase & PINpass Technology

Product Version: 3.0.6230.0
Publication date: January 2017

Authlogics, 12th Floor, Ocean House, The Ring, Bracknell, Berkshire, RG12 1AX, United Kingdom
UK Tel: +44 1344 568 900
US Tel: +1 857 214 2174
email: [email protected]
web: http://authlogics.com/



Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organisations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organisation, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user.

Authlogics may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written licence agreement from Authlogics, the furnishing of this document does not give you any licence to these patents, trademarks, copyrights, or other intellectual property.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

The information contained in this document represents the current view of Authlogics on the issues discussed as of the date of publication. Because Authlogics must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Authlogics, and Authlogics cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. AUTHLOGICS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Copyright © 2017 Authlogics. All rights reserved.


Table of Contents

Introduction ................................................................ 3
  Considerations ............................................................ 3
    Requirements ............................................................ 3
    Language Requirements ................................................... 3
  Licensing ................................................................. 4
Design and Deployment Scenarios ............................................. 5
  TMG High Availability ..................................................... 5
  UAG High Availability ..................................................... 5
Deployment .................................................................. 6
  Overview .................................................................. 6
  Installing/Removing the Authlogics Windows Desktop Logon Agent ............ 6
    Running an installation ................................................. 6
    Running a removal ....................................................... 8
Authlogics Configuration on UAG 2010 ....................................... 10
  Add an AuthCentral Authentication repository ............................. 10
  Configure a UAG Trunk to use AuthCentral ................................. 12
  Adding the Authlogics Services to a UAG Trunk ............................ 18
    Active Directory KCD Configuration ..................................... 18
    Publishing the Self Service Portal ..................................... 20
  Configure the UAG Login page for 2FA only ................................ 26
Authlogics Configuration on TMG 2010 ....................................... 27
  Configuring RADIUS ....................................................... 27
  Configure a Web Listener for AuthCentral ................................. 30
  Web Publish the AuthCentral Token Providers .............................. 31
  Adding strong authentication to a publishing rule ........................ 36
    Active Directory KCD Configuration ..................................... 37


Introduction

Authlogics Authentication Server is a multi-factor authentication system which provides:

- Token and token-less multi-factor authentication.
- Award winning transaction signing / verification technology.
- Self-service password reset and unlocking.
- Web Service API and RADIUS interfaces for connectivity.
- Authentication technologies:
  o PINgrid Pattern Based Authentication.
  o PINphrase Random Character Authentication.
  o PINpass OATH (TOTP) Compliant Authentication.

Integrating Authlogics with Forefront TMG 2010 or UAG 2010 is an ideal way to add strong authentication at the gateway level to VPN connections and published web applications such as Exchange Outlook Web Access and SharePoint. The Authlogics Forefront TMG and UAG Agent includes pre-customised logon forms for Outlook Web Access and generic web sites.

Considerations

Requirements

An Authlogics 3.0 server must be deployed and functional prior to installing the Authlogics Forefront TMG and UAG Agent.

Language Requirements

Authlogics Forefront TMG and UAG Agent is only available in English. Product support and documentation are only available in English.


Licensing

Authlogics Forefront TMG and UAG Agent is free of charge; however, it may only be used with a correctly licenced Authlogics Authentication Server.

Note: For detailed information on the licence types please refer to the licence agreement document embedded within the installation package.


Design and Deployment Scenarios

The Authlogics Forefront TMG Agent has been designed to communicate with the Authlogics Authentication Server via RADIUS. 1.5 factor challenges are reverse proxied over HTTPS via TMG to the Authlogics Authentication Server.

The Authlogics Forefront UAG Agent has been designed to communicate with the Authlogics Authentication Server via Web Services only.

TMG High Availability

In a high availability scenario, assuming at least 2 Authlogics Authentication Servers and 2 TMG servers, the Authlogics Authentication Servers can be configured to use Windows Network Load Balancing and TMG should use the NLB virtual IP as the RADIUS server address. When web publishing the authentication challenge URLs, TMG can also utilise Web Farm Load Balancing instead of NLB; however, NLB is still required for the RADIUS traffic.

UAG High Availability

In a high availability scenario, assuming at least 2 AuthCentral and 2 UAG servers, the Authlogics Authentication Servers can be configured to use Windows Network Load Balancing for TCP port 14000. A DNS entry should be created to resolve to the NLB IP address and UAG should use that DNS name for the virtual IP. When publishing the Self Service Portal, UAG can also utilise Web Farm Load Balancing instead of NLB; however, NLB is still required for the authentication traffic.


Deployment

The following deployment overview walks through the installation process for deploying the Authlogics Forefront TMG and UAG Agent.

Overview

This deployment section assumes that at least one Authlogics Authentication Server has already been installed and is functional. See the Authlogics Authentication Server Installation and Configuration Guide for further information on setting up the Authlogics Authentication Server. In addition, Authlogics user accounts should already be configured for users.

(1) Install the Authlogics Forefront TMG and UAG Agent on a TMG / UAG system.

(2) Configure Microsoft Forefront TMG / UAG 2010 to utilise Winfrasoft AuthCentral multi-factor authentication.

(3) Test user logins.

Installing/Removing the Authlogics Windows Desktop Logon Agent

Running an installation

(1) To start the Authlogics Forefront TMG and UAG Agent installation, run the Authlogics Forefront TMG and UAG Agent xxxxx.exe installer with elevated privileges.

(2) Click Next to continue.


(3) After reading the licence agreement, click I accept the terms in the Licence Agreement if you agree to the terms, then click Next to continue.

(4) Select the Complete setup type and select Next to continue.

(5) Click Next to continue.

The installation is being performed.


(6) All necessary files have been installed. Click Finish to complete the installation process.

The Microsoft Forefront TMG Firewall service MUST be restarted after installation on a TMG Server, as TMG only reads custom logon forms into memory during the service start up.

Running a removal

Uninstalling the Authlogics Forefront TMG and UAG Agent does NOT remove the metadata from user accounts in the Active Directory.

If you no longer require Authlogics Forefront TMG and UAG Agent on a server, you can remove it by performing an uninstall as follows:

(1) To start the Authlogics Forefront TMG and UAG Agent un-installation, execute the Authlogics Forefront TMG and UAG Agent xxxxx.exe installer or use the Uninstall or change a program option in Control Panel and click Remove.

(2) Select Uninstall. Click Next to continue.

(3) Click Next to continue.


(4) The Authlogics uninstall will remove configured components.

(5) Click Finish to complete the uninstall process.


Authlogics Configuration on UAG 2010

The Microsoft Forefront UAG 2010 server will require additional configuration for use with the Authlogics Forefront UAG Agent. This section should only be followed after the Authlogics Forefront UAG Agent has been installed on the UAG server.

Add an AuthCentral Authentication repository

(1) Start the Microsoft UAG 2010 Management Console.

(2) Click Admin > Authentication and Authorization Servers…

(3) Click Add…


(4) Select Other from the Server type drop down list. Enter either “PINgrid”, “PINphrase” or “PINpass” (one word) in the Server name box. Check the Use a different server for portal application authorization box and select the existing Active Directory repository from the dropdown list. Click OK.

(5) To add multiple authentication technologies repeat from step 3; otherwise click Close.


Configure a UAG Trunk to use AuthCentral

Each trunk must be configured specifically for use with Authlogics.

(1) Start the Microsoft UAG 2010 Management Console.

(2) Select the trunk to configure for use with Authlogics. Click Configure…

(3) Select the Authentication tab.

Note: The URLs used in this section are listed in the C:\Program Files\Authlogics Forefront TMG and UAG Agent\readmeUAG.txt file. It is highly recommended that the URLs are copied and pasted from the readmeUAG.txt file instead of manually typed, for speed and accuracy.

This section must be repeated for every Trunk that will use Authlogics.


(4) In the “Require users to authenticate as session logon” section:

a. Under Select authentication servers, add the required Authlogics technology repository, i.e. PINgrid, PINphrase or PINpass.

b. Optional: Remove the previous authentication server from the list to only use Authlogics for authentication.

c. Select “Users authenticate to each server”.

d. Update the User login page entry with the appropriate login page:

   CustomUpdate/AuthlogicsPinGridLogin.asp
   CustomUpdate/AuthlogicsPinPhraseLogin.asp
   CustomUpdate/AuthlogicsPinPassLogin.asp

Note: Do NOT place a “/” {slash} before “CustomUpdate/AuthlogicsPinxxxxLogin.asp”.


(5) Select the URL Set tab.

(6) Update the “InternalSite_Rule24” to include “png” files as follows:

/internalsite/images/customupdate/[^/\\]+\.(gif|jpg|png)


(7) In this section a new access rule for an Authlogics custom file must be created. To add the following Primary URL click Add Primary.

Property      Value
Name          InternalSite_AuthlogicsTokenProxy
Action        Accept
URL           /internalsite/images/CustomUpdate/AuthlogicsTokenProxy.asp
Parameters    Handle
Note          {empty}
Methods       GET

Parameter list:

Heading                   Entry 1     Entry 2
Name                      username    authtype
Name Type                 String      String
Value                     {empty}     {empty}
Value Type                String      String
Length                    0:250       0:20
Existence                 Optional    Optional
Occurrences               Single      Single
Max Total Length          -1          -1
Rejected values checking  On          On


(8) Once the appropriate modifications and new URL Set pages have been added, click OK.

(9) Open the following folder in Windows Explorer: C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

Make a copy of the [TrunkName]1PostPostValidate Authlogics.inc file. Rename the file by removing “ Authlogics” from the end and replacing “[TrunkName]” with the actual name of the Trunk you are configuring. Do not remove the “1”, e.g. Portal1PostPostValidate.inc

(10) Click Activate Configuration to apply and save the changes.

(11) Click Activate to apply the changes.


(12) Click Finish.


Adding the Authlogics Services to a UAG Trunk

To enable users to reset their PINgrid MIPs, PINs and Active Directory passwords, the Self Service Portal application must be published in the trunk.

The Self Service Portal MUST be published even if the application is not made visible; this is required so that UAG allows network access to the authentication web services on the AuthCentral Authentication Server.

Active Directory KCD Configuration

This section describes the process to configure the Active Directory with Kerberos Constrained Delegation to allow single sign-on to the Self Service Portal without the need to enter an Active Directory password at any point.

To configure KCD the Active Directory must be set to Windows 2003 Native mode as a minimum; a mixed mode domain will not support KCD. If KCD cannot be configured due to restrictions on the AD domain mode then either the login page must request AD credentials or On-The-Fly login must be used, and the users will be prompted for their AD credentials to access the Self Service Portal.

(1) Open Active Directory Users and Computers (either on a DC or management station) and select the properties of the UAG 2010 computer account, then select the Delegation tab.

(2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected) then click Add…


(3) Click Users or Computers… and locate the AuthCentral Server / Appliance computer account running the AuthCentral Services.

(4) Select the “http” service type and click OK.

(5) Click OK.


Publishing the Self Service Portal

This section describes the process to publish the Authlogics Self Service Portal in UAG 2010.

(1) Start the Microsoft UAG 2010 Management Console.

(2) Select the appropriate trunk to add the User Self Service Portal application to. In the Applications section, click Add...

(3) The UAG Add Application Wizard will start.

(4) Click Next.

(5) Choose Other Web Application (portal hostname) from the Web section. Click Next.

(6) Complete the values for the Application Values with the following:

Property          Value
Application Name  Manage PINs and Passwords
Application Type  GenericWeb

Note: This process must be repeated for every UAG trunk that will provide portal access to provisioning and password resets.


(7) Click Next.

(8) Click Next.


(9) Click Next.

Complete the values for the Web Servers as follows:

Property      Value
Address Type  IP/Host
Addresses     {AuthCentral Server FQDN}
Paths         /
HTTP ports    14000
HTTPS ports   443

(10) Click Next.

(11) Click Next.

Note: If multiple AuthCentral Authentication servers are deployed in a high availability scenario then publish them together as a server farm.


(12) If you do not want to allow users to use the Self Service Portal, uncheck the “Add a portal and toolbar link” box. Update the “Icon URL” with one of the following icons as appropriate to the chosen authentication technology:

   images/AppIcons/CustomUpdate/PINgrid.gif
   images/AppIcons/CustomUpdate/PINphrase.gif
   images/AppIcons/CustomUpdate/PINpass.gif
   images/AppIcons/CustomUpdate/Authlogics.gif

(13) Click Next.

(14) Click Next.


(15) Click Finish.

(16) Double click the Manage PINs and Passwords application to edit it.

(17) Select the Authentication tab.

(18) Check Use SSO, then select Use Kerberos constrained delegation for single sign-on. Enter “http/*” or enter “http/{your.server.and.domain.name}” in the Application field where {your.server.and.domain.name} is the full DNS name of the AuthCentral Authentication Server computer account in AD.


(19) Click OK.

(20) Click Activate Configuration to apply and save the changes.

(21) Click Activate to apply the changes.

(22) Click Finish.

The Trunk is now configured to use Winfrasoft AuthCentral User Self Service Portal.


Configure the UAG Login page for 2FA only

By default, the Authlogics Forefront UAG Agent login page will display a 1½ factor challenge (if supported by the authentication technology). If you are only planning to deploy 2 Factor Authentication you can disable the display of the 1½ factor challenge on the UAG server as follows:

Start the registry editor on the UAG 2010 server and edit the appropriate key as required.

HKLM\SOFTWARE\Winfrasoft\Winfrasoft AuthCentral\PinGrid2FAonly
HKLM\SOFTWARE\Winfrasoft\Winfrasoft AuthCentral\PinPhrase2FAonly

Accepted Values:

0 = Disabled (default)
1 = Enabled

No services need to be restarted and the UAG configuration does not need to be activated for these changes to take effect.


Authlogics Configuration on TMG 2010

The Microsoft Forefront TMG 2010 server will require additional configuration for use with the Authlogics Forefront TMG Agent. This section should only be followed after the Authlogics Forefront TMG Agent has been installed on the TMG server.

Configuring RADIUS

TMG 2010 will process authentication requests with the Authlogics Authentication Server via RADIUS.

(1) Configure the TMG server as a RADIUS client on the Authlogics Authentication Server. See the Adding a RADIUS client section of the Authlogics Authentication Server Installation and Configuration Guide for further information.

(2) Configure the TMG server to use the Authlogics Authentication Server as a RADIUS server. Start the Microsoft TMG 2010 Management Console.

(3) Open the Remote Access Policy (VPN) section. Click RADIUS Server in step 2.


(4) Tick the Use RADIUS for authentication and Use RADIUS for accounting (logging) boxes, then click the RADIUS Servers… button.

(5) Click Add…

(6) Enter the name of the RADIUS / Authlogics Authentication Server and an optional description. Click change… to enter a shared secret.

(7) Enter the shared secret used when specifying the RADIUS client information at step 1, then click OK.

(8) Click OK.

(9) Click OK.


(10) Change to the Authentication tab and ensure that only Unencrypted password (PAP) is selected under Authentication Methods.

(11) Click OK.

(12) Click Apply at the top of the TMG MMC to apply the changes.


Configure a Web Listener for AuthCentral

The TMG Web Listener must be configured to use Forms based authentication and validate credentials via RADIUS OTP.

(1) Start the Microsoft TMG 2010 Management Console.

(2) Double click the web listener, in this case Listener1, and change to the Authentication tab.

(3) Select HTML Form Authentication under Client Authentication Method and select RADIUS OTP under Authentication Validation Methods.

(4) Click Configure Validation Servers…

(5) Ensure that the Authlogics Authentication Server RADIUS server created previously is at the top of the list and click OK.

(6) Click OK to close the Listener.


Web Publish the AuthCentral Token Providers

The Authlogics Authentication Server hosts 3 Token Provider URLs for processing token challenge requests, one for each Authlogics authentication technology, as follows:

/Services/GetPinPhraseToken.ashx
/Services/GetPinPassToken.ashx
/Services/GetPinGridToken.ashx

These providers MUST be web published anonymously via each Web Listener with which you want to use Authlogics. These providers enable the display of a 1.5 Factor Authentication challenge as well as initiating the sending of a Real-Time 2FA token.

(1) Start the Microsoft TMG 2010 Management Console.

(2) Create a new Web Publishing Rule called “{Web Listener} - AuthCentral Token Providers”.

(3) Click Next.

(4) Click Next.


(5) If the Authlogics Authentication Server is configured as a load balanced pair you can utilise the TMG web farm publishing, otherwise click Next.

(6) Select Use non-secured connections to connect the published Web server or server farm using HTTP. If an SSL certificate has been configured on the Authlogics Authentication Server then use the default selection.

(7) Click Next.

(8) Enter the name of the Authlogics Authentication Server.

(9) Click Next.


(10) Click Next.

(11) Select Any domain name in the Accept requests for section. This enables the use of Authlogics with multiple sites which share the web listener. Alternatively you can specify all the Public Names later.

(12) Click Next.

(13) Select the Web Listener you want to use with Authlogics, in this case Listener1.

(14) Click Next.


(15) Click Next.

(16) Remove All Authenticated Users and add All Users.

(17) Click Next.

(18) Click Finish.

(19) Double click the new rule to edit it. Change to the Bridging tab and change the HTTP port to 14000. If using SSL select “Redirect requests to SSL port” and change the SSL port to 14443.


(20) Change to the Paths tab. Remove the “/*” path. Add the 3 Token Provider URLs:

/Services/GetPinPhraseToken.ashx
/Services/GetPinPassToken.ashx
/Services/GetPinGridToken.ashx

(21) Click Apply and then Test Rule. If issues are found in the test correct the problem and try again. Click OK when done.

(22) If the following warning is displayed click OK, it can be ignored.


Adding strong authentication to a publishing rule

All existing web publishing rules which are linked to the web listener which has been configured for Authlogics must be modified to use the Authlogics logon form pages.

Each Authlogics authentication technology has its own TMG form; this is then further broken down into 1.5FA and 2FA, then again into Exchange and generic forms as follows:

Technology  Factor  Style     Form Set name
PINgrid     1.5FA   Exchange  PinGrid1FAExchange
PINgrid     1.5FA   Generic   PinGrid1FAISA
PINgrid     2FA     Exchange  PinGrid2FAExchange
PINgrid     2FA     Generic   PinGrid2FAISA
PINpass     2FA     Exchange  PinPass2FAExchange
PINpass     2FA     Generic   PinPass2FAISA
PINphrase   1.5FA   Exchange  PinPhrase1FAExchange
PINphrase   1.5FA   Generic   PinPhrase1FAISA
PINphrase   2FA     Exchange  PinPhrase2FAExchange
PINphrase   2FA     Generic   PinPhrase2FAISA

Identify the Form Set name you wish to use with each web publishing rule and then repeat this process for each rule.

(1) Start the Microsoft TMG 2010 Management Console.

(2) Double click the web publishing rule to edit it.

(3) Change to the Application Settings tab. Select Use customized HTML forms instead of the default. Enter the name of the Form Set required from the table above.

(4) Change to the Users tab. If the rule was previously using a Windows group to restrict access add a new User Set to contain those RADIUS users or ensure that All Authenticated Users is selected.


(5) If the published web site utilises Windows Authentication (e.g. Exchange or SharePoint) then change to the Authentication Delegation tab and select Kerberos constrained delegation and configure the server SPN as needed.

(6) Click OK.

Active Directory KCD Configuration

This section describes the process to configure the Active Directory with Kerberos Constrained Delegation to allow single sign-on to the published web sites without the need to enter an Active Directory password at any point.

To configure KCD the Active Directory must be set to Windows 2003 Native mode as a minimum; a mixed mode domain will not support KCD. If KCD cannot be configured due to restrictions on the AD domain mode then the users will be prompted for their AD credentials by the published application.

(1) Open Active Directory Users and Computers (either on a DC or management station) and select the properties of the TMG 2010 computer account, then select the Delegation tab.


(2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected) then click Add…

(3) Click Users or Computers… and locate the computer account running the published web site.

(4) Select the “http” service type and click OK.


(5) Click OK.
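Both Active Directory KCD Configuration sections (the UAG computer account delegating to the AuthCentral server, and the TMG computer account delegating to the published web site) set the same two attributes on the gateway's computer account. The following is an added example, not from the guide, that applies and verifies those settings with the ActiveDirectory PowerShell module; the computer names UAG01 and TMG01 and the FQDNs are assumed, hypothetical values.

```powershell
# Added example (not part of the Authlogics guide): the Delegation-tab
# settings from the "Active Directory KCD Configuration" sections, applied
# with the ActiveDirectory module so they can be scripted and verified.
# UAG01, TMG01 and the FQDNs used below are assumed, hypothetical names.
#Requires -Modules ActiveDirectory

function Set-GatewayKcd {
    param(
        # Name of the gateway computer account that will delegate (UAG or TMG).
        [Parameter(Mandatory)] [string] $GatewayComputer,
        # FQDN of the back-end host the gateway delegates to: the AuthCentral
        # server in the UAG case, the published web site's server in the TMG case.
        [Parameter(Mandatory)] [string] $BackendFqdn
    )

    $gateway = Get-ADComputer -Identity $GatewayComputer
    $spn     = "http/$BackendFqdn"

    # "Trust this computer for delegation to specific services only" with the
    # "http" service type is one entry in the msDS-AllowedToDelegateTo attribute.
    Set-ADComputer -Identity $gateway -Add @{ 'msDS-AllowedToDelegateTo' = $spn }

    # "Use any authentication protocol" is the TRUSTED_TO_AUTH_FOR_DELEGATION
    # flag (protocol transition). It is needed here because the user logs on to
    # the gateway with PINgrid/PINphrase/PINpass and never presents an AD
    # password that Kerberos-only delegation could forward.
    Set-ADAccountControl -Identity $gateway -TrustedToAuthForDelegation $true

    # Read back what was written. An account with protocol transition can obtain
    # service tickets for any user to the listed SPNs, so limit who may modify
    # these two attributes and audit changes to them (Directory Service Changes
    # auditing records each modification as event ID 5136).
    Get-ADComputer -Identity $gateway -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
        Select-Object Name, TrustedToAuthForDelegation,
            @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}

# UAG case: the UAG computer account delegates to the AuthCentral server.
Set-GatewayKcd -GatewayComputer 'UAG01' -BackendFqdn 'authcentral.corp.example'

# TMG case: the TMG computer account delegates to the published web site; the
# same SPN is the one entered in the rule's Authentication Delegation tab.
Set-GatewayKcd -GatewayComputer 'TMG01' -BackendFqdn 'owa.corp.example'
```

Run it from a domain-joined management station with the RSAT ActiveDirectory module, with an account permitted to write the delegation attributes of the gateway computer object.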