Copyright © 2009 CRYPTOCard Inc. http://www.cryptocard.com

Implementation Guide for protecting Microsoft Internet Security 2006 and Microsoft OWA 2007 with BlackShield ID



BlackShield ID Implementation Guide for Microsoft ISA Server 2006 and OWA 2007 i

Copyright

Copyright © 2009, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.

Trademarks

BlackShield ID and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners.

Additional Information, Assistance, or Comments

CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:

International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
E-mail: [email protected]

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.

Publication History

Date               Changes           Version
November 11, 2009  Document created  1.0


Table of Contents

Overview ........................................................ 1
Applicability ................................................... 2
Assumptions ..................................................... 2
Operation ....................................................... 2
Preparation and Prerequisites ................................... 2
Configuration ................................................... 3
    Configuring ISA Server 2006 for Two-Factor authentication ... 3
Troubleshooting ................................................ 11
    Logging .................................................... 11
    Failed Logons .............................................. 11
Additional information ......................................... 12


Overview

This documentation presents an overview and the steps necessary to configure Internet Security and Acceleration (ISA) Server 2006 so that it can be used, in conjunction with Outlook Web Access (OWA) 2007, to view e-mail in a web browser while authenticating against BlackShield with CRYPTOCard tokens. With BlackShield acting as the authentication server for an enabled resource, an authenticated connection sequence is as follows:

1. The Microsoft ISA 2006 server publishing the Microsoft Exchange Outlook Web Access 2007 site receives an incoming authentication request.

2. The Username and Microsoft Password are sent to Active Directory for verification.

3. The Username and CRYPTOCard Password are sent to BlackShield for verification.

4. The user is presented with their Outlook Web Access 2007 email.
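Step 3 is a standard RADIUS exchange between the ISA web listener (the RADIUS client) and the NPS/IAS server that hosts the BlackShield ID agent. The script below is an added example written for this guide's readers; it is not part of the guide and not CRYPTOCard's or Microsoft's code. It builds an Access-Request the way RFC 2865 specifies (User-Password hidden with an MD5 keystream derived from the shared secret and the Request Authenticator), answers it with a toy server that stands in for BlackShield's OTP check, and verifies the Response Authenticator on the client side. The shared secret, user name, token code, NAS identifier and the server-side user table are all constructed values.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32
HEADER = struct.Struct("!BBH")  # code, identifier, length; followed by a 16-byte authenticator

# Constructed stand-in for the OTP check BlackShield ID performs behind NPS/IAS:
# one "Test" account whose current token code is a fixed string.
USERS = {b"test": b"48213906"}


def _attr(atype, value):
    """Encode one attribute as Type, Length, Value; Length counts the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Walk the TLV attribute list; a length below 2 would loop forever, so reject it."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password: the keystream for block i depends on ciphertext block i-1."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_id=b"isa-2006", request_auth=None):
    """What the ISA web listener sends to NPS: User-Name, hidden User-Password, NAS-Identifier."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IDENTIFIER, nas_id))
    packet = HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + 16 + len(attrs)) + request_auth + attrs
    return packet, request_auth


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865 section 3."""
    length = HEADER.size + 16 + len(attrs)
    return hashlib.md5(HEADER.pack(code, identifier, length) + request_auth + attrs + secret).digest()


def serve_access_request(packet, secret, users):
    """Toy RADIUS server: unhide the password with its own copy of the shared secret and verify it."""
    code, identifier, length = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    fields = dict(parse_attrs(packet[20:length]))
    presented = unhide_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(fields.get(USER_NAME), b"")
    ok = bool(expected) and hmac.compare_digest(presented, expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    attrs = _attr(REPLY_MESSAGE, b"OK" if ok else b"Invalid authentication response")
    auth = response_authenticator(reply_code, identifier, attrs, request_auth, secret)
    return HEADER.pack(reply_code, identifier, HEADER.size + 16 + len(attrs)) + auth + attrs


def verify_response(response, request_auth, secret):
    """Client-side check that the reply came from a server holding the same shared secret."""
    code, identifier, length = HEADER.unpack_from(response)
    expected = response_authenticator(code, identifier, response[20:length], request_auth, secret)
    return hmac.compare_digest(response[4:20], expected)


def authenticate(username, otp, client_secret, server_secret=None, identifier=7):
    """Run one ISA -> NPS round trip; returns (reply code, response authenticator valid?)."""
    server_secret = client_secret if server_secret is None else server_secret
    request, request_auth = build_access_request(identifier, username, otp, client_secret)
    response = serve_access_request(request, server_secret, USERS)
    return response[0], verify_response(response, request_auth, client_secret)


if __name__ == "__main__":
    shared = b"constructed-shared-secret"
    print(authenticate(b"test", b"48213906", shared))           # (2, True): Access-Accept
    print(authenticate(b"test", b"00000000", shared))           # (3, True): Access-Reject
    print(authenticate(b"test", b"48213906", shared, b"typo"))  # (3, False): secret mismatch
```

The third call shows what a shared-secret mismatch between ISA and NPS looks like at the protocol level: the server recovers garbage instead of the OTP and rejects the request, and the client cannot validate the Response Authenticator either, so a valid token code fails exactly like a mistyped one. The shared secret entered at step 37 of the configuration is therefore the first thing to compare against the RADIUS client entry on NPS when every logon is rejected.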


Applicability

This integration guide is applicable to:

Security Partner Information
    Security Partner:          Microsoft
    Product Name and Version:  Microsoft Internet Security & Acceleration Server 2006
                               Microsoft Outlook Web Access 2007
    Unsupported authentication methods using ISA 2006 in RADIUS authentication mode:
                               Inner and Outer Window Authentication
                               Challenge-Response
                               PIN Change Request
                               BlackShield Static Password Change

CRYPTOCard Server
    Authentication Server:     BlackShield ID
    Version:                   Professional Edition 2.3+

Assumptions

BlackShield ID has been installed and configured, and a “Test” user account exists within BlackShield ID.

Operation

A RADIUS server is specified within the general server configuration section of ISA 2006. The VPN connections are then configured to send authentication requests to the BlackShield ID NPS/IAS RADIUS server. The BlackShield ID server then authenticates the provided credentials (user name and OTP) and either grants or rejects access for the user.

Preparation and Prerequisites

1. The BlackShield ID agent for the Microsoft Internet Authentication Service server (IAS) or Network Policy Server (NPS) has been installed.

2. The Microsoft ISA 2006 server must be a valid RADIUS client within the Microsoft Internet Authentication Service server (IAS) or Network Policy Server (NPS). This allows RADIUS requests to be sent from Microsoft ISA 2006 to the RADIUS server.


Configuration

Configuring ISA Server 2006 for Two-Factor authentication

1. On the ISA 2006 server, launch the ISA Server Management tool.

2. Select the Firewall Policy (ISA) section.

3. Enter a name for the new Exchange Publishing rule.

4. Click “Next” to continue.

5. In “Exchange version”, click the dropdown menu and select “Exchange Server 2007”.

6. Place a checkmark in “Outlook Web Access”.

7. Click “Next” to continue.


8. Select “Publish a single Web site or load balancer”.

9. Click “Next” to continue.

10. Select “Use SSL to connect to the published Web server or server farm”.

11. Click “Next” to continue.

12. In the “Internal Site Name” section, enter the internal FQDN of the Exchange/OWA Server.

If ISA cannot resolve the FQDN of the Exchange/OWA Server, place a checkmark in “Use a computer name or IP address to connect to the published server”, then enter the hostname or IP address of the Exchange/OWA Server.


13. Enter the URL that external users can browse to for access to the OWA webpage.

14. Click “Next” to continue.

15. A new “Web Listener” must be created. Click the “New” button.

16. The New Web Listener Wizard will pop up.

17. Enter a name for the new Web Listener.

18. Click “Next” to continue.

19. Select “Require SSL secured connection with clients”.

20. Click “Next” to continue.


21. Select a network the web listener will listen on.

Note: For the purpose of testing, this documentation shows the internal interface being chosen.

22. Click “Next” to continue.

23. The Web Listener now requires a valid certificate.

24. Click on “Select Certificate”.

25. Select a valid certificate from the list of available certificates.

26. Click “Select” when a valid certificate has been selected.

27. The new certificate is now displayed in the “Use a single certificate for this Web Listener” section.

28. Click “Next” to continue.


29. Ensure that “HTML Form Authentication” is selected under “Select how clients will provide credentials to ISA Server”.

30. Place a checkmark in “Collect additional delegation credentials in the form”.

31. Select the RADIUS OTP radio button.

32. Click “Next” to continue.

33. Remove the checkmark in “Enable SSO for Web sites published with this Web listener”.

34. Click “Next” to continue.

35. An external RADIUS Server must now be added. Click the “Add” button.

36. Enter the DNS name or IP address of the RADIUS Server. This RADIUS Server will be the Microsoft NPS/IAS Server that has the BlackShield ID NPS/IAS Agent installed.

Adding a “Server description” is optional, but is helpful if more than one RADIUS Server is configured.

37. Click the “Change” button to set the shared secret.

38. Click “OK” when finished.

39. Click “Next” to continue.

40. Click “Finish” to complete the Web Listener Wizard.


41. The newly created Web Listener should be selected automatically after the Web Listener Wizard has completed.

The information entered in the Web Listener Wizard can be reviewed here.

42. Click “Next” to continue.

43. Select “NTLM authentication” in the dropdown menu under “Select the method used by ISA Server to authenticate to the published Web server”.

44. Click “Next” to continue.

45. A new User Set will need to be added to allow users to authenticate successfully via the ISA Published OWA page.

46. Click the “Add” button.


47. By default, the built-in User Set within ISA does not have any domain groups or users added.

48. Create a new User Set, and add the appropriate domain groups that will be allowed to authenticate via the ISA Published OWA page.

49. Once the User Set has been created, highlight it and click “Add”. Close this dialog when finished.

50. The new User Set has been added.

51. Click “Next” to continue.

52. The Exchange Publishing Rule Wizard is now complete.

53. Before clicking “Finish”, it is recommended to click the “Test Rule” button to ensure the external web URL can connect to the Exchange/OWA Server.


54. If the test succeeds, the following will be displayed.

55. If the test fails, select the test that it failed on.

Browse to the external URL to access the OWA webpage: https://External_URL_to_OWA/owa

Attempt to log into the new webpage. If authentication is successful, it will log into OWA, and the authentication success will be displayed in BlackShield ID.


Troubleshooting

Logging

By default, Microsoft ISA Server 2006 can show live logging information from its reporting features. This should be used as the primary log source to determine authentication issues. If more information is required, the BlackShield ID Snapshot tab should be used to determine the cause of an authentication failure. Logging for the Microsoft Internet Authentication Service (IAS) or Network Policy Server (NPS) can be found in the Event Viewer. The BlackShield NPS/IAS agent logs can be found in the \Program Files\CRYPTOCard\BlackShield ID\IAS Agent\Log directory.

Failed Logons

Symptom: Authentication request is rejected by Outlook Web Access.

Indication: 11/19/2008 12:47:24 PM | User Name | Authentication Failure | 312212345 | 192.168.21.120 | Invalid PIN

Possible Causes: An incorrect server-side PIN is being used.

Solution: Reset the server-side PIN within the BlackShield ID console.

Symptom: Authentication request is rejected by Outlook Web Access.

Indication: 11/19/2008 12:47:24 PM | User Name | Authentication Failure | 312212345 | 192.168.21.120 | Invalid authentication response

Possible Causes: An invalid token code is being provided.

Solution:
Verify the token code is being typed correctly.
Verify the token code is being typed with the correct casing applied to all characters.
The token could be out of sync. Resync the token from within the console manager.
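To work through records like the Indication entries above in bulk, here is an added Python example that is not part of this guide or of the BlackShield product. It parses records laid out like the Indication entries, attaches the remedy this section gives for each failure reason, notes users whose failure was followed by a successful logon, and flags a client IP that produces a burst of failures within a short window, which is worth a look before any PIN is reset or token resynced. The log lines, the pipe delimiter, the user names, token serials and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the shape of the guide's "Indication" entries:
# timestamp | user | event | token serial | client IP | detail.  The pipe delimiter,
# user names, serials and addresses are assumptions made for this example.
SAMPLE_LOG = """\
11/19/2008 12:47:24 PM|jsmith|Authentication Failure|312212345|192.168.21.120|Invalid PIN
11/19/2008 12:47:51 PM|jsmith|Authentication Failure|312212345|192.168.21.120|Invalid authentication response
11/19/2008 12:48:10 PM|jsmith|Authentication Success|312212345|192.168.21.120|
11/19/2008 12:50:02 PM|mlee|Authentication Failure|312219876|203.0.113.7|Invalid authentication response
11/19/2008 12:50:09 PM|mlee|Authentication Failure|312219876|203.0.113.7|Invalid authentication response
11/19/2008 12:50:15 PM|mlee|Authentication Failure|312219876|203.0.113.7|Invalid authentication response
11/19/2008 12:50:20 PM|mlee|Authentication Failure|312219876|203.0.113.7|Invalid authentication response
not a log line
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\|(?P<user>[^|]*)\|"
    r"(?P<event>[^|]*)\|(?P<serial>[^|]*)\|(?P<ip>[^|]*)\|(?P<detail>.*)$"
)

# Remedies as the guide's Failed Logons section gives them, keyed by the failure detail.
REMEDIES = {
    "Invalid PIN": "Reset the server-side PIN within the BlackShield ID console",
    "Invalid authentication response": "Verify the token code and its casing; resync the token if it is out of sync",
}
DEFAULT_REMEDY = "Check the BlackShield ID Snapshot tab for the failure cause"


def parse_record(line):
    """Return a dict for one record, or None for lines that do not match the expected shape."""
    match = RECORD_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["ts"] = datetime.strptime(record["ts"], "%m/%d/%Y %I:%M:%S %p")
    return record


def triage(lines, window_seconds=120, threshold=3):
    """Summarise failed logons: open issues per user, recovered users, and failure bursts per IP."""
    records = sorted(filter(None, map(parse_record, lines)), key=lambda r: r["ts"])

    # A user's last event decides whether the failure still needs attention.
    last_event, had_failure = {}, set()
    for rec in records:
        last_event[rec["user"]] = rec
        if rec["event"] == "Authentication Failure":
            had_failure.add(rec["user"])
    open_issues = {
        user: (rec["detail"], REMEDIES.get(rec["detail"], DEFAULT_REMEDY))
        for user, rec in last_event.items() if rec["event"] == "Authentication Failure"
    }
    recovered = {user for user in had_failure if user not in open_issues}

    # Sliding window over failure timestamps per client IP: a burst points at repeated
    # guessing or a stuck client and should be looked at before resetting PINs or tokens.
    failures_by_ip = defaultdict(list)
    for rec in records:
        if rec["event"] == "Authentication Failure":
            failures_by_ip[rec["ip"]].append(rec["ts"])
    bursts = {}
    for ip, stamps in failures_by_ip.items():
        peak = max(
            sum(1 for later in stamps[i:] if (later - start).total_seconds() <= window_seconds)
            for i, start in enumerate(stamps)
        )
        if peak >= threshold:
            bursts[ip] = peak
    return {"open_issues": open_issues, "recovered": recovered, "bursts": bursts}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the constructed sample, jsmith's two failures are followed by a success and need no action, while mlee's four failures from one address inside twenty seconds are reported both as an open issue with the token-code remedy and as a burst for that IP.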


Additional information

For additional information on configuring BlackShield ID or the BlackShield NPS/IAS agent, please visit the support section of the http://www.cryptocard.com website.