RSA Integration with ForeFront TMG/ ISA
RSA Authentication with ForeFront 2010 (TMG) and ISA
The following is a step-by-step doc for RSA configuration with TMG (the same applies to ISA).
We have the following servers under consideration:
2 TMG servers in a CAS array: TMG01 and TMG02
1 CAS server: CAS01
1 RSA server: RSA01
1) Create an agent host record on the RSA server
- On the computer running RSA Authentication Manager, click Start, and then click RSA Authentication Manager Host Mode.
- On the Agent Host menu, click Add Agent Host.
- In the Name box, type the name of the computer running Forefront TMG. The name must resolve to an IP address on the local RSA Authentication Manager network.
- If required, in the Network address box, type the IP address of the computer running Forefront TMG.
- In the Agent type list, click Net OS Agent.
- If you want all users to be able to authenticate, select Open to All Locally Known Users.
- In Agent Host, click Generate Configuration Files. Click One Agent Host, click OK, double-click the name of the computer running Forefront TMG, and then save the Sdconf.rec file to the %windir%\system32 folder on the computer running Forefront TMG.
- Save the file as "sdconf.rec" in the appropriate location. It is important that the file name is exactly "sdconf.rec".
- Copy the files sdconf.rec and nodesecret.rec to the C:\Windows\System32 directory on the TMG server if it is an x86 system, and to the C:\Windows\SysWOW64 directory if it is an x64 system.
- Generate the nodesecret file with the same method for the second TMG server in the array. Each TMG server has a different nodesecret file.
- Copy agent_nsload from the "RSA installation library" \prog to the same directory as the other two files. You can use the Agent_nsload file from the RSA Agent installation folder (Node Secret Load Utility).
2) Check permissions and other things for the TMG servers
The sdconfig directories of the installation library for TMG/ISA Server are:
- C:\Program Files\Microsoft Forefront Threat Management Gateway
- C:\Program Files (x86)\Microsoft ISA Server
Make sure "Network Service" has Modify rights on it. This is required for TMG to write to the directory.
Verify that the registry value "PrimaryInterfaceIP" is located under the keys "HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\AceClient" (for x86) and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SDTI\AceClient" (for x64). Set TMG's internal IP address as the value data. Add the value in both places on x64 machines for safety's sake. This value is necessary for the RSA agent to find the RSA server.
To allow traffic between the TMG and RSA servers, go into the TMG Console (Forefront TMG Management), right-click "Firewall Policy" and select "Edit System Policy ...". Select "RSA SecurID Authentication" under "Services" and verify that "Enable this configuration group" is checked. Go to the "To" tab and verify that "Internal", or at least the RSA server, is listed there.
Verify routing between TMG and the RSA server so that the traffic gets through.
Make sure you are able to telnet to port 1812 on RSA01 from the TMG01 and TMG02 servers.
Download the RSA 7.1 agent tools or the Sdtest utility and install them on the TMG01 and TMG02 servers.
3) Configure the TMG server for RSA
- Log on as a local admin on the TMG Server
- start a CMD (Command Prompt) window as administrator (right-click and choose "Run as Administrator")
- Change directory to the directory you put the files above (C:\Windows\System32 or C:\Windows\SysWOW64)
- Run the following command:
agent_nsload -f nodesecret.rec -p password
where you replace password with the password you specified when you created the node secret file on the RSA server.
- It should now have created a file named "SECURID" without an extension in the same directory where you ran the command. Verify that the files sdconf.rec and SECURID can be read by "Network Service".
- Go back to the TMG01 server and run SDTEST.exe as administrator (right-click and choose "Run as Administrator"); hopefully you now see some information about the server you want to use. It is important to run as administrator, otherwise the next step does not work. You can also use the RSA agent 7.1 tools for testing.
- Click [RSA ACE/Server Test Directly] and enter the name and passcode (PIN + tokencode) for a valid account that you know works. You should get "Authentication Successful" (if not, did you really run it as administrator?).
- Verify in the RSA log on the RSA Server that you received "Passcode accepted"
- Restart the "Microsoft Firewall" service or the entire TMG server.
Note: If you still get an error (Access Denied) on authentication for RSA SecurID (SDTest) but your RSA 7.1 agent authentication is successful, make sure you have the proper version of sdmsg.dll and aclnt.dll. You need to replace these files in the TMG installation folder (C:\Program Files\Microsoft Forefront Threat Management Gateway) with the files from the RSA 7.1 agent installation folder (C:\Program Files\Common Files\RSA Shared\Auth API).
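Before restarting the Firewall service, the prerequisites from steps 1 to 3 can be checked in one pass. The following PowerShell script is an added example, not part of the original doc; it assumes the server names, paths, registry keys and port given above and must be run in a 64-bit elevated PowerShell on the TMG server.

```powershell
# Added verification script (not from the original document). Checks the agent
# files, Network Service rights, PrimaryInterfaceIP and reachability of RSA01
# on the port named above. Adjust $RsaServer/$TmgInstallDir for your site.
$RsaServer     = 'RSA01'   # RSA Authentication Manager host from the doc
$RsaPort       = 1812      # port the doc asks you to test from TMG01/TMG02
$TmgInstallDir = 'C:\Program Files\Microsoft Forefront Threat Management Gateway'

# x86 -> System32, x64 -> SysWOW64 (assumes a 64-bit PowerShell on x64 hosts)
$is64     = $env:PROCESSOR_ARCHITECTURE -eq 'AMD64'
$agentDir = if ($is64) { "$env:windir\SysWOW64" } else { "$env:windir\System32" }
$regKeys  = @('HKLM:\SOFTWARE\SDTI\AceClient')
if ($is64) { $regKeys += 'HKLM:\SOFTWARE\Wow6432Node\SDTI\AceClient' }

function Write-Check($name, $ok, $detail) {
    $state = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1} {2}" -f $state, $name, $detail)
}

# 1. Agent files from steps 1 and 3 must sit where the agent looks for them.
foreach ($f in 'sdconf.rec', 'nodesecret.rec', 'SECURID') {
    $p = Join-Path $agentDir $f
    Write-Check "file $f" (Test-Path $p) $p
}

# 2. Network Service needs Modify on the TMG installation directory (step 2).
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$ns = (Get-Acl $TmgInstallDir).Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\NETWORK SERVICE' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $modify) -eq $modify)   # FullControl also passes
}
Write-Check 'Network Service Modify on install dir' ($ns -ne $null) $TmgInstallDir

# 3. PrimaryInterfaceIP must be set so the agent can find the RSA server (step 2).
foreach ($k in $regKeys) {
    $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).PrimaryInterfaceIP
    Write-Check 'PrimaryInterfaceIP' (-not [string]::IsNullOrEmpty($v)) "$k = $v"
}

# 4. TCP reachability of the RSA server on the port the doc tells you to telnet.
try {
    $c = New-Object System.Net.Sockets.TcpClient
    $c.Connect($RsaServer, $RsaPort); $c.Close()
    Write-Check "tcp $RsaServer`:$RsaPort" $true 'connected'
} catch {
    Write-Check "tcp $RsaServer`:$RsaPort" $false $_.Exception.Message
}
```

Run it on both TMG01 and TMG02; any FAIL line points at the step above that still needs attention.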
4) Configure the publishing rule to use RSA
- Go to the web listener that you will use for OWA. Go to the "Authentication" tab and verify that the method is "HTML Form Authentication". Tick the box "Collect additional delegation ..." if you want the user to specify both the RSA information and the AD logon in the same place. Check "RSA SecurID".
- Go into the publishing rule for OWA. Go to the "Authentication Delegation" tab and select "NTLM authentication" or "No delegation required" as per your need.
- Go to the tab "Users" and verify that only "All Authenticated Users" is in the list.
- Once done, make sure you save the changes with the Apply button.
5) Testing the configuration through the web app
- Enter the external logon page for OWA and specify the name, PIN + tokencode and AD password. You should get this page with Authentication Delegation set to no delegation and "Collect Additional Delegation" unchecked.
If you select Authentication Delegation with NTLM and check "Collect Additional Delegation", you get the page below.
- OWA will now load, so everything is working.
- It should also have created a file in the sdconfig directory.
- Verify in the log on the RSA server that you received "Passcode accepted".
- You can even customise the page via the CookieAuthTemplates folder in the TMG\ISA installation directory.
Create a new folder and name it e.g. mycustom.
Now copy the xHTML folder from the ISA directory to your new folder. (Important: you will have to create the same folder with the same content on all array nodes if you are running ISA 2006 Enterprise Edition.) Any changes made in this folder are only applied when you restart the ISA Firewall service. If you want to use this custom form in the ISA configuration, you will have to restart the Firewall service first.
Configure the setting directly on the listener being used for the publishing rule:Open the listener properties and select the ‘Forms’ tab. Tick ‘Use customized HTML forms instead of default’.
Configure the setting in the publishing rule:
Open the publishing rule and select the ‘Application Settings’ Tab. Tick the checkbox and add ‘mycustom’ to the text field: