StoneGate How-To Using Microsoft Active Directory Server and IAS Authentication StoneGate Firewall/VPN 3.0.7 and Management Center 4.1

StoneGate How-To - McAfee · StoneGate How-To Using Microsoft Active Directory Server and IAS Authentication ... Configuring Active Directory Server's LDAP Settings

Apr 28, 2018


StoneGate How-To

Using Microsoft Active Directory Server and IAS Authentication

StoneGate Firewall/VPN 3.0.7 and Management Center 4.1


Table of Contents

Basic Scenario..................................................................................................page 3

Configuring a Windows 2003 Server for IAS Authentication ..................................page 3

Configuring Users in Active Directory ..................................................................page 8

Configuring an Active Directory Server Element in StoneGate................................page 9



Basic Scenario

This document describes a configuration that includes a Microsoft Active Directory with Internet Authentication Service (IAS) on a Windows 2003 server and Stonesoft's StoneGate™ Firewall/VPN. The configuration uses the Remote Authentication Dial-in User Service (RADIUS) protocol for authentication.

An external Active Directory Server that supports the RADIUS protocol can be used for user authentication in StoneGate. In this example, the user and password information is stored internally in an Active Directory and the users use Windows passwords for authentication. The StoneGate firewall requests the authentication information from the Active Directory server when the users authenticate to the firewall. The Active Directory information can be browsed and used in security policies in the StoneGate Management Client.

Note - The configuration details needed in your environment may differ from the example.

The following sections describe the steps needed for setting up IAS authentication with Microsoft Active Directory in StoneGate. There are three main steps:

1. Configuring a Windows 2003 Server for IAS Authentication, on page 3.
2. Configuring Users in Active Directory, on page 8.
3. Configuring an Active Directory Server Element in StoneGate, on page 9.

Start with Configuring a Windows 2003 Server for IAS Authentication.

Configuring a Windows 2003 Server for IAS Authentication

An Active Directory on a Windows 2003 server contains a list of users and their passwords, which will be used with RADIUS to authenticate the users in StoneGate. To use IAS authentication, you must enable the Internet Authentication Service on the Windows 2003 server. Begin by Installing a Windows 2003 Server.

Installing a Windows 2003 Server

To install a Windows 2003 server

1. Open the Control Panel and double-click Add/Remove Programs.
2. Click Add/Remove Windows Components. The Windows Components Wizard dialog opens.

Illustration 1.1 Enabling Networking Services

3. Click Networking Services, and then click Details. The Networking Services dialog opens.



Illustration 1.2 Networking Services Dialog

4. Select Internet Authentication Service and click OK.
5. Click Next.
6. If prompted, insert your Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition compact disc.
7. After the Windows 2003 server is installed, click Finish, and then click Close.

The Windows 2003 server is now installed and Internet Authentication Service should be included in the list of programs if you select Start→Programs→Administrative Tools. Proceed to Enabling the Windows 2003 Server to Read User Accounts in Active Directory.

Enabling the Windows 2003 Server to Read User Accounts in Active Directory

Once you have installed the Windows 2003 server, you must enable it to read the user accounts listed in the Active Directory.

To enable the Windows 2003 server to read user accounts in Active Directory

1. Select Start→Programs→Administrative Tools→Internet Authentication Service. The Internet Authentication Service window opens.

Illustration 1.3 Registering Server in Active Directory

2. Right-click Internet Authentication Service and select Register Server in Active Directory from the menu. The Register Internet Authentication Service in Active Directory dialog opens.

3. Click OK.

The Windows 2003 server is now registered. Proceed to Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server.



Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server

You must next define the StoneGate firewall as a RADIUS client for the Windows 2003 server.

To add StoneGate Firewall as RADIUS Client for the Windows 2003 server

1. Select Start→Programs→Administrative Tools→Internet Authentication Service. The Internet Authentication Service window opens.
2. Right-click RADIUS Clients and select New RADIUS Client from the menu. The New RADIUS Client dialog opens.

Illustration 1.4 New RADIUS Client Properties

3. Enter the name and IP address of the StoneGate firewall node and click Next.
4. As Additional Information, leave RADIUS Standard as the Client-Vendor and set a shared secret (see Illustration 1.5).

Note - You must use the same shared secret also for the Active Directory Server element that you use in StoneGate. See Creating an Active Directory Server Element in StoneGate, on page 9.

Illustration 1.5 New RADIUS Client - Additional Information

5. Click Finish.
6. If you have a clustered firewall, repeat steps 1-4 for the other firewall nodes.

When you have added all the firewall nodes, they should be listed under RADIUS Clients in the Internet Authentication Service window. Proceed to Adding a Remote Access Policy in the Windows 2003 Server to Authorize Requests from Firewall Node(s).



Adding a Remote Access Policy in the Windows 2003 Server to Authorize Requests from Firewall Node(s)

You must create a remote access policy to authorize requests from the firewall node(s) to the Windows 2003 server.

To add a remote access policy in the Windows 2003 server

1. Open Internet Authentication Service in the Start→Programs→Administrative Tools menu. The Internet Authentication Service window opens.
2. Right-click Remote Access Policies and select New Remote Access Policy from the menu. The New Remote Access Policy Wizard opens.

Illustration 1.6 New Remote Access Policy

3. Click Next.
4. As the Policy Configuration Method, select Set up a custom policy (see Illustration 1.7).
5. Enter a name for the policy and click Next.

Illustration 1.7 Selecting Policy Configuration Method

6. In Policy Conditions, click Add to add a Policy Condition. The Select Attribute dialog opens.
7. Select Client-Friendly-Name and click Add.
8. Enter a client-friendly name for the StoneGate firewall node and click OK.

Note - The client-friendly name must be the same as the name you set for the firewall node in Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server, on page 5.

9. Click Add to add another Policy Condition. The Select Attribute dialog opens.
10. Select Client-IP-Address and click Add.
11. Enter the Authentication NDI address of the StoneGate firewall node and click OK. See Illustration 1.8 for an example of Remote Access Policy conditions.

Note - If you use a firewall cluster, you must define a Remote Access Policy separately for each node.



Illustration 1.8 Adding Policy Conditions - Example

12. Click Next.
13. As Permissions, select Grant remote access permission and click Next.

Illustration 1.9 Remote Access Policy - Permissions

14. In the next dialog, click Edit Profile. The Edit Dial-in Profile dialog opens.
15. Switch to the Authentication tab.
16. Uncheck the MS-CHAP and CHAP options and check Unencrypted authentication (PAP, SPAP).

Illustration 1.10 Edit Dial-in Profile - Authentication Tab

17. Click OK.
18. Click Next and then Finish.
19. If you have a clustered firewall, repeat steps 1-13 to authorize access from all the firewall nodes.

The Windows 2003 server configuration for IAS authentication is now complete. Proceed to Configuring Users in Active Directory.



Configuring Users in Active Directory

The next step is to configure the users listed in the Active Directory so that they are allowed to authenticate with RADIUS.

Allowing a User in Active Directory to Authenticate with RADIUS

To allow a user in Active Directory to authenticate with RADIUS

1. Select Start→Programs→Administrative Tools→Active Directory Users and Computers on the Windows 2003 Server.
2. Double-click the user who should be able to authenticate with RADIUS. The Properties dialog opens.
3. Switch to the Dial-in tab.

Illustration 1.11 User Properties - Dial-in Tab

4. For Remote Access Permission (Dial-in or VPN), select Allow access.
5. Switch to the Account tab and make sure that Store password using reversible encryption is selected in the Account options.

Illustration 1.12 User Properties - Account Tab

Note - If this option was not already selected in the user's Properties, you must save the user's password again after selecting the Store password using reversible encryption setting. Right-click the user and select Reset password from the menu that opens.

Note - The Store password using reversible encryption setting must also be enabled for Password Policy in the Windows 2003 server's Default Domain Controller Policy Settings. If this setting is not enabled for Password Policy, the Store password using reversible encryption setting in the user's Account options will not have any effect.

6. Click OK.



Configuring an Active Directory Server Element in StoneGate

The next step is to configure an Active Directory Server in StoneGate. Start by Creating an Active Directory Server Element in StoneGate.

Creating an Active Directory Server Element in StoneGate

The Active Directory Server element contains both the user directory and the authentication service options needed to use a Microsoft 2003 server for user authentication.

To define an Active Directory Server element

1. Click the Configuration button in the toolbar to switch to the Configuration view.
2. Right-click the Network Elements category in the tree view and select New→Active Directory Server from the menu that opens. The Active Directory Server Properties dialog opens.

Illustration 1.13 Active Directory Server Properties - General Tab

3. Specify a unique Name and IP Address for the server.
4. In this example, leave the Location and Contact Addresses at default values. You need to modify their values only if there is a NAT device between a firewall and the Active Directory server, so that the firewall cannot connect directly to the Active Directory Server's IP address.

5. Define the Timeout for how long StoneGate waits for the server to reply.

Continue by configuring the server's LDAP settings as instructed in Configuring Active Directory Server's LDAP Settings.



Configuring Active Directory Server's LDAP Settings

The LDAP settings include user information and other settings that StoneGate uses to connect to the Active Directory server. Make sure there are matching definitions on the Active Directory server.

To configure LDAP User Services

1. Switch to the LDAP tab of the Active Directory Server Properties dialog.

Illustration 1.14 Active Directory Server Properties - LDAP Tab

2. Define the domain used as the base for Distinguished Names (DN) in the Base DN field as it is defined on the Active Directory server (e.g., "dc=example, dc=com").

3. In the Bind User ID field, define the Distinguished Name of the User ID the StoneGate firewall uses when connecting to the Active Directory server (e.g., "uid=admin, ou=Administrators").

4. In the Bind Password field, enter the password of the User ID the StoneGate firewall uses when connecting to the Active Directory server.

5. For Schema, leave the default value Standard.
6. Leave the UserID Attribute and Group Member Attribute at the default values.
7. Leave the default port (TCP port 389) as the Port Number.

Proceed to Configuring Active Directory Server's Authentication Settings.
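The Base DN and Bind User ID fields are typed as RFC 4514 distinguished names, and the dialog cannot tell you whether the bind DN you entered is actually below the base you gave. The following Python is an added example for this how-to, not StoneGate code: it parses DNs (handling escaped commas, hex escapes and the upper-case attribute types that Active Directory tools usually emit), normalizes them the way a directory compares them, and flags a Bind User ID that does not end with the Base DN. All DNs in it are constructed. Note that the "uid=admin, ou=Administrators" example above is shown without the dc components of the base, so this check would flag it; in your own environment enter the bind account's full DN.

```python
"""RFC 4514 distinguished-name parsing for the StoneGate LDAP tab: normalize the Base DN and
Bind User ID as typed and check that the bind DN lies under the base. Added example, not
StoneGate code; every DN used with it is constructed."""

_HEX = "0123456789abcdefABCDEF"

def _split_unescaped(text, sep):
    """Split on sep, skipping separators preceded by a backslash (e.g. cn=Smith\\, John)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2]); i += 2
        elif text[i] == sep:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(text[i]); i += 1
    parts.append("".join(cur))
    return parts

def _unescape(value):
    """Resolve \\x escapes and single-byte \\2C style hex pairs (multi-byte UTF-8 escapes are not handled)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                out.append(chr(int(pair, 16))); i += 3
            else:
                out.append(value[i + 1]); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)

def _trim(value):
    """Drop the blanks people type around '=' and ',' but keep an escaped trailing space."""
    value = value.lstrip()
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return value

def parse_dn(dn):
    """Return the DN as a list of RDNs (leaf first), each a sorted tuple of (type, value) pairs.
    Types and values are case-folded, so "DC=EXAMPLE, DC=COM" and "dc=example,dc=com" compare equal."""
    dn = dn.strip()
    if not dn:
        return []
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):  # '+' joins the values of a multi-valued RDN
            attr_type, eq, raw = ava.partition("=")
            if not eq or not attr_type.strip():
                raise ValueError(f"malformed RDN: {ava!r}")
            avas.append((attr_type.strip().lower(), _unescape(_trim(raw)).casefold()))
        rdns.append(tuple(sorted(avas)))
    return rdns

def is_under(dn, base_dn):
    """True when dn equals base_dn or lies below it: the base's RDNs are a suffix of dn's RDNs."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(b) <= len(d) and d[len(d) - len(b):] == b

def check_bind_settings(base_dn, bind_user_id):
    """Mirror of the Base DN / Bind User ID fields: list what to double-check before clicking OK."""
    problems = []
    try:
        if not parse_dn(base_dn):
            problems.append("Base DN is empty")
        if not is_under(bind_user_id, base_dn):
            problems.append("Bind User ID does not end with the Base DN; verify it is the account's full DN")
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```

`check_bind_settings` returns an empty list for a consistent pair of fields; anything it returns is worth resolving before the firewall attempts its first LDAP bind, because a bind failure on the StoneGate side gives far less detail than this check does.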

Configuring Active Directory Server's Authentication Settings

You can use the Active Directory Server's Internet Authentication Service to authenticate the users. The protocol used is RADIUS.

To configure the authentication settings

1. In the Active Directory Server Properties dialog, switch to the Authentication tab.

Illustration 1.15 Active Directory Server - Authentication Tab

2. Make sure that the Port Number is correct for your Active Directory Server's IAS.



3. Type or paste the Shared Secret. It is used to authenticate the connection from StoneGate to the Windows 2003 server.

Note - The shared secret must be the same as the one you entered for the firewall node(s) in Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server, on page 5.

4. Specify the Number of Retries. If StoneGate fails to connect to the Windows 2003 server, it tries to connect again the specified number of times before giving up on the authentication.

5. Click OK.

Proceed to Defining Domains.
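The Authentication tab settings (IAS port, shared secret, retries) and the RADIUS client and remote access policy created earlier on the Windows side come together in one RFC 2865 exchange. The Python below is an added example for this how-to, not StoneGate or Microsoft code; its client names, addresses, shared secret and users are constructed. It models both sides: the firewall node hides the PAP password with the shared secret and the Request Authenticator, the server silently discards requests from addresses that are not in its RADIUS client table, matches the Client-Friendly-Name and Client-IP-Address conditions of a per-node policy, checks the user's dial-in permission and password, and returns a reply carrying a Response Authenticator that the client verifies. It shows two things the dialogs do not: a shared secret that differs between the firewall and IAS surfaces as a reply that fails verification (and, on the firewall, as a retry and timeout), not as a readable error; and with PAP the password travels protected only by the MD5 construction keyed with that secret, which is why the secret should be long and random and the RADIUS path kept to the firewall's own connections.

```python
"""Constructed RADIUS (RFC 2865) exchange between a firewall node (the RADIUS client) and a
minimal IAS-like server. Added example, not StoneGate or Microsoft code; all names are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # attribute types used here

# Constructed RADIUS client table: source IP -> (Client-Friendly-Name, shared secret).
CLIENTS = {
    "10.0.0.1": ("fw-node1", b"constructed-shared-secret"),
    "10.0.0.2": ("fw-node2", b"constructed-shared-secret"),
}
# Constructed remote access policies, one per node: both conditions must match, grant, PAP only.
POLICIES = [
    {"Client-Friendly-Name": "fw-node1", "Client-IP-Address": "10.0.0.1", "grant": True, "pap": True},
    {"Client-Friendly-Name": "fw-node2", "Client-IP-Address": "10.0.0.2", "grant": True, "pap": True},
]
USERS = {"alice": ("Secret!23", True), "bob": ("Other!45", False)}  # constructed: (password, dial-in allowed)

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous cipher block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # the Request Authenticator seeds the first block
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; with the wrong secret it yields garbage rather than an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data):
    """Walk the type/length/value list; reject a length that runs past the packet."""
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, authenticator):
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_response(resp, request_auth, secret):
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)

def handle_request(pkt, src_ip):
    """Server side: discard unknown clients silently (RFC 2865 3), then check policy and user."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20 or src_ip not in CLIENTS:
        return None
    name, secret = CLIENTS[src_ip]
    request_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    policy = next((p for p in POLICIES
                   if p["Client-Friendly-Name"] == name and p["Client-IP-Address"] == src_ip), None)
    granted = False
    if policy and policy["grant"] and policy["pap"] and USER_NAME in attrs and USER_PASSWORD in attrs:
        rec = USERS.get(attrs[USER_NAME].decode(errors="replace"))
        supplied = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
        granted = rec is not None and rec[1] and hmac.compare_digest(supplied, rec[0].encode())
    return build_response(ACCESS_ACCEPT if granted else ACCESS_REJECT, ident, request_auth, secret)

def authenticate(username, password, client_secret, src_ip="10.0.0.1", ident=7, authenticator=None):
    """Client side: send one Access-Request and classify what the firewall would observe."""
    request_auth = authenticator or os.urandom(16)
    req = build_access_request(ident, client_secret, username, password, src_ip, request_auth)
    resp = handle_request(req, src_ip)
    if resp is None:
        return "discarded"  # unknown client: the firewall sees only a timeout and retries
    if not verify_response(resp, request_auth, client_secret):
        return "bad-authenticator"  # shared secret mismatch between firewall and IAS
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "unknown")
```

Calling `authenticate("alice", "Secret!23", b"constructed-shared-secret")` walks the whole round trip for the first node; switching `src_ip` to the second node exercises the second per-node policy, an address outside `CLIENTS` is dropped without any reply, and a mistyped `client_secret` on the firewall side comes back as `bad-authenticator`, which is the symptom to look for when the Number of Retries is exhausted against a server that is otherwise reachable.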

Defining Domains

Each Active Directory Server has its own domain in StoneGate. One domain can be selected as the default domain. Users who belong to the default domain need not specify the domain (for example: "username@domain") when they are authenticating.

To define a new domain

1. Click the Configuration button in the toolbar to switch to the Configuration view.
2. Right-click Firewall Configuration in the left panel and select New→Domain from the menu that opens. The Domain Properties dialog opens.

Illustration 1.16 Domain Properties - General Tab

3. Enter the Name for the new domain.
   • If the domain you are creating is not to be the default domain, users must type in the domain name when they authenticate.
4. Select the checkbox Default Domain, if this domain will be used for all or most authentications.
   • Naturally, only one domain can be the default domain, so the selection is automatically cleared from the previous domain when you select the option for some different domain.

5. The defined Active Directory Servers that have no domain yet are shown on the left. Select the correct server and click Add to bind the server to the domain.

6. Switch to the Default Authentication tab to select the authentication service.
7. Click Select. A list of authentication services opens.
8. Select IAS authentication and click Select.

Illustration 1.17 Domain Properties - Default Authentication Tab

9. Click OK.



You have now completed all of the steps required in StoneGate for setting up the Windows 2003 server as an Active Directory Server. You can now browse the users listed in the Active Directory with the Management Client. Go to Users and then to the new domain you just created to browse the list of users (see Illustration 1.18).

Illustration 1.18 Browsing Users

Proceed to Modifying Firewall Policy to Allow IAS Authentication Connections to allow the connections needed for IAS authentication.

Modifying Firewall Policy to Allow IAS Authentication Connections

If the Active Directory server is located in a different network than the Management Server, make sure that the servers are able to communicate using the LDAP protocol. This makes it possible to browse the user information from the Active Directory server.

To use IAS authentication for mobile VPN users, the Firewall Policy must contain an Access Rule for mobile VPN traffic with the proper user and authentication parameters (see Illustration 1.19).

Illustration 1.19 Example of Access Rules Allowing Use of Active Directory

Note - The firewall allows its own RADIUS connections to the Active Directory server by default. If the rules inherited from the default template are included in the policy, it is not necessary to add a rule for the RADIUS connections.

Tip: The Windows Event Viewer shows an event for each authentication attempt. The event is visible in the System category under Event Viewer with IAS as the source. This provides useful information for troubleshooting. Select Start→Programs→Administrative Tools→Event Viewer to open the Event Viewer.

The IAS authentication configuration in StoneGate is now complete. For information on configuring VPNs, see the StoneGate Administrator's Guide.




Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Copyright and Disclaimer

Copyright © 2000-2007 Stonesoft Corporation. All rights reserved.

These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS.

IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: SGHT_20070905

Stonesoft Corp.

Itälahdenkatu 22a

FIN-00210 Helsinki

Finland

tel. +358 9 4767 11

fax +358 9 4767 1234

Stonesoft Inc.

1050 Crown Pointe Parkway

Suite 900

Atlanta, GA 30338 USA

tel. +1 770 668 1125

fax +1 770 668 1131

www.stonesoft.com
