Enforcing active directory authentication for inbound traffic to a specific server using standard and nonstandard protocols

Article:TECH84012  |  Created: 2005-01-15  |  Updated: 2012-03-27  |  Article URL http://www.symantec.com/docs/TECH84012
Article Type
Technical Solution


Issue



You have an internal server to which you need to provide access for external users. You need to authenticate those users against your Active Directory before they access services on the server. Your server provides many services, some of which require custom protocols.



Solution



You can use Out-of-band authentication (OOBA) to authenticate against your Active Directory.

To use OOBA for authentication against Active Directory, you must perform the following tasks:

  • Create a DNS record for your Active Directory server
  • Configure the authentication server record
  • Create the authentication scheme
  • Configure the user group
  • Configure a service group for standard protocols
  • Create custom protocols
  • Configure a service group for your custom protocols
  • Create the redirected service or redirected services
  • Enable the OOBA daemon



To create a DNS record for your Active Directory server

  1. In the SGMI, in the left pane, under Assets, click Network.
  2. In the right pane, on the DNS tab, click New > DNS Host Record.
  3. In the DNS Host Record Properties dialog box, on the General tab, configure the following properties:

     Property        Value
     Enable          Checked
     Host Name       The fully qualified domain name of your Active Directory server
     Accessibility   Private
     IP address      The IP address of your Active Directory server
     Caption         (Optional) A short description of this host record

  4. Click OK.
  5. In the SGMI, on the toolbar, click Activate.
    When you are asked to save your changes, click Yes.


Your host record is complete.


To configure the authentication server record

  1. In the SGMI, in the left pane, under Assets, click Authentication Servers.
  2. In the right pane, on the Authentication Servers tab, click New > Active Directory.
  3. In the Active Directory Properties dialog box, configure the following attributes:
     Attribute                   Value
     Name                        A unique name to identify this authentication server
     Primary Domain Controller   The fully qualified domain name of your Active Directory domain controller
     Administrator user name     The user name of the administrator of the server
     Administrator password      The password of the administrator of the server
  4. Click Test Server.
  5. In the Active Directory Server Connection Wizard, in the Administrator user name text box, type the administrator user's name for the Active Directory.
  6. In the Administrator password text box, type the password for the administrator user.
  7. Click Next.
  8. On the Test Server panel, verify the information and then click Finish.
    The wizard attempts a number of tasks to verify connectivity and authentication. When all of the tasks complete, click Close.
    In some cases the Group Information test fails. This failure does not necessarily mean that you cannot pull group information from the Active Directory server. Follow the link in the References section of this page to help verify that you can get group information.
  9. In the Active Directory Properties dialog box, click OK.
  10. On the toolbar, click Activate.
    When you are asked to save your changes, click Yes.


The authentication server record is configured.


To create the authentication scheme

  1. In the Security Gateway Management Interface (SGMI), in the left pane, under Assets, click Authentication Servers.
  2. In the right pane, on the Schemes tab, click New.
  3. In the Scheme Properties dialog box, in the Scheme name text box, type dynamic.
    The name is case sensitive. Type the word dynamic in all lower-case letters.
  4. Check the Reuse HTTP passwords box.
  5. In the list of authentication server records, in the Authentication column, check the box next to the Active Directory authentication record that you created.
  6. In the Group Information column, check the box next to the Active Directory authentication record that you created.
  7. Click OK.
  8. On the toolbar, click Activate.
    When you are asked to save your changes, click Yes.


Your Active Directory authentication server is now part of the dynamic authentication scheme.


To configure the user group

  1. In the SGMI, in the left pane, under Assets, click Users.
  2. In the right pane, on the User Groups tab, click New.
    This action creates a new user group and opens the Properties dialog box.
  3. In the User Group Properties dialog box, on the General tab, in the User group name text box, type the user group name in the following format:

    <authentication record name>-<Active Directory group name>

    Where <authentication record name> is the name of the authentication record that you created and <Active Directory group name> is the name of the group in the Active Directory of which the user is a member. For example, if your server is "actived" and the user is a member of the "vpnuser" group, the name is "actived-vpnuser".

  4. Repeat steps 1-4 for each Active Directory server to which the users must authenticate.
  5. Click OK.
  6. On the toolbar, click Activate.
    When you are asked to save your changes, click Yes.


Your user group is configured.


To configure a service group for standard protocols

  1. In the SGMI, in the left pane, under Assets, click Protocols.
  2. In the right pane, on the Service Groups tab, click New.
  3. In the Service Group Properties dialog box, on the General tab, do the following:
    • In the Service Group Name text box, type a name for the service group.
    • In the Caption text box, type a brief description of the service group.
  4. On the Protocols tab, click Add.
  5. In the Select protocols dialog box, click the protocols that you want to include in the group.
    Include all protocols that the security gateway provides and that you need to communicate with the specific server to which you need to permit access.
  6. Click OK.
  7. On the Description tab, you can add a more detailed description of the service group than you typed on the General tab in the Caption text box.
  8. Click OK.
  9. On the toolbar, click Activate.
    When you are asked to save your changes, click Yes.


Your service group is ready to use.


Create custom protocols
Create any custom protocols that you require. For instructions on creating custom protocols, follow the link in the References section of this page. Make sure that you do not create custom protocols that use the same ports as the security gateway proxies. Do not use the "Use Native Service" option.


Create a service group for your custom protocols
Repeat the procedure that you used to create the service group for the standard protocols. Add only the custom protocols that you created. Do not use either service group for any rules except those that are specific to the server to which you are providing access.
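The two naming and port caveats above (the "<record>-<group>" user group format, no custom protocol on a port the gateway's own proxies use, no "Use Native Service", and the all-lower-case scheme name "dynamic") are easy to get wrong before clicking Activate. The following pre-activation lint is an added example, not Symantec's code or an SGMI feature; the configuration objects are constructed here, and the proxy port list is an assumption (only port 888, the OOBA daemon port, comes from this article).

```python
from dataclasses import dataclass, field

# Assumed set of ports already served by the security gateway's own proxies.
# 888 is the OOBA daemon port from the article; the others are placeholders.
GATEWAY_PROXY_PORTS = {21, 25, 80, 443, 888}


@dataclass
class CustomProtocol:
    name: str
    port: int
    use_native_service: bool = False   # the article says to leave this off


@dataclass
class GatewayConfig:
    scheme_name: str                   # must be exactly "dynamic"
    auth_records: set                  # names of the AD authentication records
    user_groups: set                   # each named "<record>-<AD group>"
    custom_protocols: list = field(default_factory=list)


def lint(cfg: GatewayConfig) -> list:
    """Return human-readable findings; an empty list means the config follows the article."""
    findings = []
    if cfg.scheme_name != "dynamic":
        findings.append(f"scheme name {cfg.scheme_name!r} must be 'dynamic' (case sensitive)")
    for ug in cfg.user_groups:
        # A known record name must prefix the group name, followed by a non-empty AD group.
        well_formed = any(ug.startswith(r + "-") and len(ug) > len(r) + 1 for r in cfg.auth_records)
        if not well_formed:
            findings.append(f"user group {ug!r} is not '<record>-<group>' for a known record")
    for p in cfg.custom_protocols:
        if p.port in GATEWAY_PROXY_PORTS:
            findings.append(f"custom protocol {p.name!r} collides with gateway proxy port {p.port}")
        if p.use_native_service:
            findings.append(f"custom protocol {p.name!r} has 'Use Native Service' enabled")
    return findings


# Constructed sample mirroring the article's "actived-vpnuser" example.
SAMPLE_OK = GatewayConfig("dynamic", {"actived"}, {"actived-vpnuser"},
                          [CustomProtocol("app-control", 9000)])
SAMPLE_BAD = GatewayConfig("Dynamic", {"actived"}, {"vpnuser"},
                           [CustomProtocol("web-alt", 80, use_native_service=True)])

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint(cfg) or "no findings")
```
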


To create the rule for the standard protocols

  1. In the Security Gateway Management Interface (SGMI), in the left pane, under Policy, click Firewall.
  2. In the right pane, on the Rules tab, click New Rule.
  3. In the Rule Properties dialog box, configure all of the following parameters:
     Parameter         Value
     Rule Name         Type a unique name for this rule
     Action            Allow
     Arriving through  Click the network interface through which the traffic arrives.
     Source
     Destination       Click the network entity for your Active Directory server
     Leaving through   Click the interface through which the traffic leaves your security gateway.
     Service Group     Click the service group that you created for standard protocols.
     Time range

  4. On the Authentication tab, under Included User Group, click Add.
  5. In the Add User Group dialog box, click the user group that you created, and then click OK.
  6. In the New Rule Properties dialog box, click OK.
  7. In the SGMI, on the toolbar, click Activate.
    When you are asked to save your changes, click Yes.


The rule for the standard protocols is configured.


To create the rule for the custom protocols

  1. In the Security Gateway Management Interface (SGMI), in the left pane, under Policy, click Firewall.
  2. In the right pane, on the Rules tab, click New Rule.
  3. In the Rule Properties dialog box, configure all of the following parameters:
     Parameter         Value
     Rule Name         Type a unique name for this rule
     Action            Allow
     Arriving through  Click the network interface through which the traffic arrives.
     Source
     Destination       Click the network entity for your Active Directory server
     Leaving through   Click the interface through which the traffic leaves your security gateway.
     Service Group     Click the service group that you created for custom protocols.
     Time range

  4. On the Authentication tab, under Included User Group, click Add.
  5. In the Add User Group dialog box, click the user group that you created, and then click OK.
  6. In the New Rule Properties dialog box, check Use Out-of-band Authentication.
  7. Click OK.
  8. In the SGMI, on the toolbar, click Activate.
    When you are asked to save your changes, click Yes.


The rule for the custom protocols is configured.


Create the redirected service or redirected services
If you already redirect some of the services provided by the server to which you are configuring this access, you must create separate redirected services for this server. If you have a publicly routable IP address that you can use to redirect traffic to your internal server, you can use the All* group when you create your redirected service. If you do not have a publicly routable IP address that you can dedicate to redirected services for this server, you must create a redirected service for each protocol that you need to pass to your internal server.


Enable the OOBA daemon

  1. In the SGMI, in the left pane, under System, click Configuration.
  2. In the right pane, on the Services tab, click the OOBA daemon, and then click Properties.
  3. In the OOBA Daemon Properties dialog box, on the General tab, check the Enable check box.
  4. Under Authentication Scheme, click dynamic.
  5. Click OK.
  6. In the SGMI, on the toolbar, click Activate.
    When you are asked to save your changes, click Yes.


The OOBA daemon is enabled and ready to use.

You can test access from an external computer. To do so, connect your Web browser to the following URL:

http://:888

When your Web browser makes the connection to port 888 for OOBA authentication, you see the OOBA login page. Provide your Active Directory user name and password and then check the appropriate protocols. Do not close the Web page. If you close the Web page, you end the session and you are no longer authenticated.

Your gateway may prompt you for authentication again if you access any protocols that are not authenticated through the OOBA daemon.


References
For instructions to create a custom protocol, read the following Symantec Knowledge Base article:



Legacy ID



2005121514561154

