Copyright © 2009 CRYPTOCard Inc. http://www.cryptocard.com
Implementation Guide for protecting
Microsoft Internet Security 2006 and
Microsoft OWA 2007
with
BlackShield ID
BlackShield ID Implementation Guide for Microsoft ISA Server 2006 and OWA 2007 i
Copyright
Copyright © 2009, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.
Trademarks
BlackShield ID and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners.
Additional Information, Assistance, or Comments
CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.
CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.
To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
[email protected]
For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.
Related Documentation
Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.
Publication History
Date                Changes            Version
November 11, 2009   Document created   1.0
Table of Contents
Overview 1
Applicability 2
Assumptions 2
Operation 2
Preparation and Prerequisites 2
Configuration 3
    Configuring ISA Server 2006 for Two-Factor authentication 3
Troubleshooting 11
    Logging 11
    Failed Logons 11
Additional information 12
Overview
This document presents an overview of, and the steps required for, configuring Internet Security and Acceleration (ISA) Server 2006 to publish Outlook Web Access (OWA) 2007, so that users viewing e-mail through a web browser authenticate against BlackShield using CRYPTOCard tokens. With BlackShield acting as the authentication server for an enabled resource, an authenticated connection sequence is as follows:
1. The Microsoft ISA 2006 server publishing the Microsoft Exchange Outlook Web Access 2007 site receives an incoming authentication request.
2. The Username and Microsoft Password are sent to Active Directory for verification.
3. The Username and CRYPTOCard Password are sent to BlackShield for verification.
4. The user is presented with their Outlook Web Access 2007 mailbox.
Applicability
This integration guide is applicable to:

Security Partner Information
  Security Partner: Microsoft
  Product Name and Version:
    Microsoft Internet Security & Acceleration Server 2006
    Microsoft Outlook Web Access 2007
  Unsupported authentication methods using ISA 2006 in RADIUS authentication mode:
    Inner and Outer Window Authentication
    Challenge-Response
    PIN Change Request
    BlackShield Static Password Change

CRYPTOCard Server
  Authentication Server: BlackShield ID
  Version: Professional Edition 2.3+
Assumptions
BlackShield ID has been installed and configured and a “Test” user account exists within BlackShield ID.
Operation
A RADIUS server is specified within the general server ISA 2006 configuration section. The VPN connections are then configured to send authentication requests to the BlackShield ID NPS/IAS RADIUS server. The BlackShield ID server then authenticates the provided credentials (user name and OTP) and either grants or denies the user access.
Preparation and Prerequisites
1. The BlackShield ID agent for Microsoft Internet Authentication Service (IAS) or Network Policy Server (NPS) has been installed.
2. The Microsoft ISA 2006 server must be a valid RADIUS client within the Microsoft Internet Authentication Service (IAS) or Network Policy Server (NPS). This allows RADIUS requests to be sent from Microsoft ISA 2006 to the RADIUS server.
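The RADIUS exchange described under Operation and the RADIUS-client prerequisite above, as an added example that is not part of the CRYPTOCard guide: a small RFC 2865 client in Python that an administrator can run from the ISA host, before working through the wizard, to confirm that ISA is registered as a RADIUS client of the NPS/IAS server and that the shared secret matches. The server address, UDP port 1812, the shared secret, the NAS-Identifier value and the test credentials are assumptions; NPS discards requests from unregistered clients without replying, and a reply produced with a different shared secret fails the Response Authenticator check, so the two faults can be told apart.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # the chain is seeded by the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def build_access_request(ident, user, otp, secret, authenticator):
    """Access-Request (code 1) carrying User-Name and the hidden OTP as User-Password."""
    hidden = encode_password(otp.encode(), secret, authenticator)
    attrs = b""
    for typ, val in ((USER_NAME, user.encode()), (USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val  # Type, Length, Value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_authenticator, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20)
    return head + hashlib.md5(head + request_authenticator + secret).digest()

def classify_response(reply, request_authenticator, secret):
    """Unregistered clients get silence from NPS; a wrong shared secret fails the authenticator."""
    if not reply:
        return "no reply: ISA host is probably not a registered RADIUS client"
    if reply[4:20] != hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest():
        return "reply failed authenticator check: shared secret mismatch"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "code %d" % reply[0])

def check_radius_client(server, secret, user, otp, port=1812):
    authenticator = os.urandom(16)  # fresh Request Authenticator for every request
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5.0)
        sock.sendto(build_access_request(1, user, otp, secret, authenticator), (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_response(reply, authenticator, secret)
```

Run `check_radius_client("nps.example.local", b"shared-secret", "Test", "123456")` with the real server name, secret and a current token code (all placeholders here); "accept" or "reject" both prove the client registration and secret are right, and the reject reason is then visible in the BlackShield ID console.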
Configuration
Configuring ISA Server 2006 for Two-Factor authentication
1. On the ISA 2006 server, launch the ISA Server Management tool.
2. Select the Firewall Policy (ISA) section.
3. Enter a name for the new Exchange Publishing rule.
4. Click “Next” to continue.
5. In “Exchange version”, click the dropdown menu and select “Exchange Server 2007”.
6. Place a checkmark in “Outlook Web Access”.
7. Click “Next” to continue.
8. Select “Publish a single Web site or load balancer”.
9. Click “Next” to continue.
10. Select “Use SSL to connect to the published Web server or server farm”.
11. Click “Next” to continue.
12. In the “Internal Site Name” section, enter the internal FQDN of the Exchange/OWA server. If ISA cannot resolve the FQDN of the Exchange/OWA server, place a checkmark in “Use a computer name or IP address to connect to the published server”, then enter the hostname or IP address of the Exchange/OWA server.
13. Enter the URL that external users can browse to for access to the OWA web page.
14. Click “Next” to continue.
15. A new “Web Listener” must be created. Click the “New” button.
16. The New Web Listener Wizard will pop up.
17. Enter a name for the new Web Listener.
18. Click “Next” to continue.
19. Select “Require SSL secured connection with clients”.
20. Click “Next” to continue.
21. Select a network the Web Listener will listen on.
Note: For the purpose of testing, this documentation shows the internal interface has been chosen.
22. Click “Next” to continue.
23. The Web Listener now requires a valid certificate.
24. Click “Select Certificate”.
25. Select a valid certificate from the list of available certificates.
26. Click “Select” when a valid certificate has been selected.
27. The new certificate is now displayed in the “Use a single certificate for this Web Listener” section.
28. Click “Next” to continue.
29. Ensure that “HTML Form Authentication” is selected under “Select how clients will provide credentials to ISA Server”.
30. Place a checkmark in “Collect additional delegation credentials in the form”.
31. Select the “RADIUS OTP” radio button.
32. Click “Next” to continue.
33. Remove the checkmark from “Enable SSO for Web sites published with this Web listener”.
34. Click “Next” to continue.
35. An external RADIUS server must now be added. Click the “Add” button.
36. Enter the DNS name or IP address of the RADIUS server. This RADIUS server will be the Microsoft NPS/IAS server that has the BlackShield ID NPS/IAS Agent installed. Adding a “Server description” is optional, but is helpful if more than one RADIUS server is configured.
37. Click the “Change” button to set the shared secret.
38. Click “OK” when finished.
39. Click “Next” to continue.
40. Click “Finish” to complete the Web Listener Wizard.
41. The newly created Web Listener should be selected automatically after the Web Listener Wizard has completed. The information entered in the Web Listener Wizard can be reviewed here.
42. Click “Next” to continue.
43. Select “NTLM authentication” in the dropdown menu under “Select the method used by ISA Server to authenticate to the published Web server”.
44. Click “Next” to continue.
45. A new User Set will need to be added to allow users to authenticate successfully via the ISA-published OWA page.
46. Click the “Add” button.
47. By default, the built-in User Set within ISA does not have any domain groups or users added.
48. Create a new User Set, and add the appropriate domain groups that will be allowed to authenticate via the ISA-published OWA page.
49. Once the User Set has been created, highlight it and click “Add”. Close this dialog when finished.
50. The new User Set has been added.
51. Click “Next” to continue.
52. The Exchange Publishing Rule Wizard is now complete.
53. Before clicking “Finish”, it is recommended to click the “Test Rule” button to ensure the external web URL can connect to the Exchange/OWA server.
54. If the test succeeds, the following will be displayed.
55. If the test fails, select the test that it failed on.
Browse to the external URL to access the OWA web page: https://External_URL_to_OWA/owa
Attempt to log into the new web page. If authentication is successful, the user is logged into OWA and the authentication success is displayed in BlackShield ID.
Troubleshooting
Logging
By default, Microsoft ISA Server 2006 can show live logging information through its reporting features. This should be used as the primary log source when diagnosing authentication issues. If more information is required, the BlackShield ID Snapshot tab should be used to determine the cause of an authentication failure. Logging for the Microsoft Internet Authentication Service (IAS) or Network Policy Server (NPS) can be found in the Event Viewer. The BlackShield NPS/IAS agent logs can be found in the \Program Files\CRYPTOCard\BlackShield ID\IAS Agent\Log directory.
Failed Logons
Symptom: Authentication request is rejected by Outlook Web Access.
Indication: 11/19/2008 12:47:24 PM  User Name  Authentication Failure  312212345  192.168.21.120  Invalid PIN
Possible Causes:
An incorrect server side PIN is being used.
Solution:
Reset the server side PIN within the BlackShield ID console
Symptom: Authentication request is rejected by Outlook Web Access.
Indication: 11/19/2008 12:47:24 PM  User Name  Authentication Failure  312212345  192.168.21.120  Invalid authentication response
Possible Causes:
An invalid token code is being provided
Solution:
Verify that the token code is being typed correctly, including the correct case of every character. The token could also be out of sync; resync the token from within the console manager.
Additional information
For additional information on configuring BlackShield ID or the BlackShield NPS/IAS agent, please visit the support section of the http://www.cryptocard.com website.