
Implementation Guide Microsoft TMG

DualShield
for
Microsoft TMG
Implementation Guide
(Version 5.2)

Copyright 2011
Deepnet Security Limited

Copyright 2011, Deepnet Security. All Rights Reserved. Page 1



Trademarks

DualShield Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID,
SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp
are trademarks of Deepnet Security Limited. All other brand names and product names
are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor the
documentation may be copied, reproduced, translated or reduced to any electronic
medium or machine-readable form, in whole or in part, without the prior written consent
of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you
understand the exact terms of usage. In particular, for which projects, on which
platforms and at which sites, you are allowed to use the product. You are not allowed to
make any modifications to the product. If you feel the need for any modifications, please
contact Deepnet Security.

Disclaimer

This document is provided as is without warranty of any kind, either expressed or
implied, including, but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, or non-infringement.

This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the document. Deepnet Security may make improvements of and/or changes
to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security
products, you are always welcome to contact us.

Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom

Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com




Table of Contents

1. Overview ................................................................................. 4
2. Preparation .............................................................................. 5
3. Configuration ........................................................................... 6
4. Authentication ........................................................................ 12
5. On-Demand Password ............................................................. 14
5.1 Create a user-defined protocol for DPS ...............................................................................15
5.2 Create an access rule for DPS .............................................................................................16
5.3 Create a listener for DPS ...................................................................................................19
5.4 Publish the DPS web site ...................................................................................................21
5.5 Install the DualShield TMG Agent .......................................................................................25
5.6 Change the OWA portal settings in TMG ..............................................................................26
5.7 Change the Provisioning Server settings in DualShield ..........................................................27
5.8 Test Authentication ..........................................................................................................28




1. Overview
This implementation guide describes how to protect Microsoft TMG with two-factor
authentication using the DualShield unified authentication platform. Microsoft TMG
supports external authentication servers, including Active Directory and RADIUS OTP. By
leveraging those features in TMG, we can implement two-factor authentication in TMG in
which the first factor is the user's static password and the second factor is a one-time
password. The user's static password is authenticated by the customer's Active Directory
server (domain controller), and the user's one-time password is authenticated by the
DualShield authentication server via RADIUS.

DualShield provides a wide selection of portable one-time password tokens in a variety
of form factors, ranging from hardware tokens, software tokens, mobile tokens to USB
tokens. These include:

Deepnet SafeID
Deepnet MobileID
Deepnet GridID
Deepnet CryptoKey
RSA SecurID
VASCO DigiPass Go
OATH-compliant OTP tokens

In addition to its support for one-time passwords, DualShield also supports on-demand
passwords for RADIUS authentication. The product that provides on-demand passwords in
the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less
strong authentication that delivers logon passwords via SMS texts, phone calls, Twitter
direct messages or email messages.

The complete solution consists of the following components:

Microsoft TMG
DualShield Radius Server
DualShield Authentication Server




2. Preparation
Prior to configuring TMG for two-factor authentication, you must have the DualShield
Authentication Server and DualShield Radius Server installed and operating. For the
installation, configuration and administration of DualShield Authentication and Radius
servers, please refer to the following documents:

DualShield Authentication Platform Installation Guide
DualShield Authentication Platform Quick Start Guide
DualShield Authentication Platform Administration Guide
DualShield Radius Server - Installation Guide

You also need to have a RADIUS application created in the DualShield authentication
server. The application will be used for the two-factor authentication in TMG. The
document below provides detailed instructions for RADIUS authentication with the
DualShield Radius Server:

VPN & RADIUS - Implementation Guide

As an example in this document, we are going to add two-factor authentication to an
OWA portal, assuming that the OWA portal is already set up and operating.




3. Configuration
1. Edit the Properties of the OWA listener and select the Authentication tab:

Select HTML Form Authentication

Enable Collect additional delegation credentials in the form

Select RADIUS OTP

2. Click Configure Validation Servers




3. Select the RADIUS Servers tab

4. Click Add

5. Enter the server name or IP address of your DualShield Radius server

Enter the shared secret and the Authentication port

Click OK to save




6. Select the LDAP Servers tab

Click Add and add your LDAP server settings

Click Apply and OK to apply and save changes




Finally, click the Apply button on the top to save and activate the changes.

The third stage is to configure the DualShield server to add TMG as a Radius client and
to create a Radius application with a logon procedure.

Create a new logon procedure

1. Log in to the DualShield management console
2. In the main menu, select Authentication | Logon Procedure
3. Click the Create button on the toolbar
4. Enter Name and select RADIUS as the Type
5. Click Save
6. Click the Context Menu icon of the newly created logon procedure and select Logon
Steps
7. In the popup window, click the Create button on the toolbar
8. Select One-Time Password as the authenticator
9. Click Save




Create a new application

1. In the main menu, select Authentication | Applications
2. Click the Create button on the toolbar
3. Enter Name
4. Select Realm
5. Select the logon procedure that was just created
6. Click Save

Add TMG as a Radius client

1. In the main menu, select RADIUS | Clients
2. Click the Register button on the toolbar
3. Select the application that was created in the previous steps
4. Enter TMG's IP address in the IP address field
5. Enter the Shared Secret and make sure it is identical to the shared secret defined
in the Radius server settings in the TMG.
6. Click Save




We have now completed all necessary stages and steps in setting up two-factor
authentication in TMG with DualShield. In our example, we have added two
authentication factors to an OWA portal: the AD static password and the DualShield
one-time password. Let us proceed to testing the authentication.




4. Authentication
Launch your web browser and connect to the OWA portal.

Users will now be asked to provide both a Passcode and a Password. Password is the
field where users enter their AD password (static password), and Passcode is the
field where users provide their one-time password (OTP).

The DualShield passcode is defined by the logon procedure in your DualShield server. In
our example, we defined One-Time Password in the logon procedure, which means that
users will be able to use any one-time password token supported by DualShield to
authenticate to the OWA portal.

You can also add the On-Demand Password to the list of authenticators in your logon
procedure.




Your users will now be able to use Deepnet T-Pass as well to authenticate to OWA.




5. On-Demand Password
If you enable On-Demand Password in DualShield, then your users will be able to use
Deepnet T-Pass as their authentication method. A typical question with On-Demand
Password is: how can users request to have their password delivered in real time?

Using the configuration that we have set up in the steps above, users cannot request to
have their password delivered in real time. Users need to have a password pre-delivered
before they can log on. The system administrator can push out on-demand passwords to
users, or users can use the self-service console to obtain an on-demand password. Once
a user has successfully logged in, the DualShield server will automatically send out
a new password to be used by the user at the next logon.

If the pre-delivery method described above is not a viable solution for you, then you need
to install the DualShield TMG Agent, which enables users to request an on-demand
password in real time at logon.

The rest of this document describes how to configure TMG with the DualShield TMG
Agent. The diagram below illustrates the architecture of the solution:

As an example, we make the following assumptions:

1. The network domain is DeepnetTest32.com
2. The DualShield platform including its Authentication Server (DAS) and
Provisioning Server (DPS) is installed and operating in HTTP mode
3. The FQDN of the DualShield platform is DualShield.DeepnetTest32.com
4. The internal port number of the DualShield Provisioning Server (DPS) is 8072
5. The public host name of the DPS to be published is Mail.DeepnetSecurity.com
6. The public port number of the DPS is also 8072
7. The FQDN of the Exchange Server is Exchange.DeepNetTest32.com
8. The public host name of the OWA published is Mail.DeepnetTest32.com

The entire configuration process involves the following stages:

1. Create a user-defined protocol for DPS
2. Create an access rule for DPS
3. Create a listener for DPS




4. Publish the DPS web site
5. Install the DualShield TMG Agent
6. Change the OWA portal settings in TMG

The DualShield Provisioning Server is a web service that delivers on-demand passwords.
Therefore, it needs to be published as a web site on TMG. The process is similar to the
way the OWA web portal is published but requires some extra settings due to the
non-standard HTTP port number being used for DPS (8072).

5.1 Create a user-defined protocol for DPS

As DPS works on a non-standard HTTP port, we have to define a new protocol. In the
Toolbox | Protocols, select New | Protocol from the menu

1. Enter the name for the new protocol to be created
2. Add an inbound TCP protocol with a port range of 8072
3. Click Finish
4. Click Apply on the top to save changes




5.2 Create an access rule for DPS

In the Tasks, click Create Access Rule

1. Enter the name for the new rule
2. Select Allow
3. Click Add




4. Select HTTP 8072 from the User-Defined protocols

Click Add

5. Click Next
6. Click Add




7. Select External

Click Add

8. Click Next

9. Add Local Host in the Destinations




10. Click Finish
11. Click Apply on the top to save changes

5.3 Create a listener for DPS

In the Toolbox | Network Objects, select New | Web Listener from the menu

1. Enter the name for the new listener




2. Select Do not require SSL

3. Select External

4. Select No Authentication




5. Click Finish
6. Click Apply on the top to save changes

5.4 Publish the DPS web site

In the Tasks, click Publish Web Sites

1. Enter the name for the web site

2. Select Allow




3. Select Use non-secured connections

4. Enter the host name of your DualShield Provisioning Server




5. Enter /dps/* in the path

6. Enter the public host name of DPS

7. Select the DPS Listener that was created in the previous stage




8. Click Finish
9. Click Apply on the top to save changes
10. Double click the newly published DPS web site
11. Select Bridging tab




12. Enable Redirect requests to HTTP port, and enter 8072

Click Test Rule

13. Click OK to save
14. Click Apply on the top to save changes

5.5 Install the DualShield TMG Agent

1. In Windows Explorer, navigate to:

C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates

2. Clone the entire folder 'Exchange' to a new folder named ExchangeDualShield

3. Unzip the DualShield TMG Agent package (DualShieldTMG.1.1.zip) and extract the
content to the newly created folder above.

4. Open jquery.dps.js with a text editor, such as Notepad

Replace the URL in the first line which reads:




var DPS_Host = 'http://mail.deepnettest32.com:8072';

with the real URL of your DPS. Save the file.

5. Open usr_pwd_pcode.htm in a text editor

Locate the following line of text in the file:

<link href="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=logon_style.css" type="text/css" rel="stylesheet">

Insert the following line of text underneath the above line:

<link href="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=dualshield.css" type="text/css" rel="stylesheet">

Append the following lines of text to the end of the file:

<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery-1.7.min.js" type="text/javascript"></script>
<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery.json-2.3.min.js" type="text/javascript"></script>
<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery.blockUI.js" type="text/javascript"></script>
<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery.dps.js" type="text/javascript"></script>

Save the file.

6. Restart the 'Microsoft Forefront TMG Firewall' service

5.6 Change the OWA portal settings in TMG

Double click the OWA portal that is already published to bring up its properties. Click the
Application Settings tab.




Enable Use customized HTML

Enter ExchangeDualShield, which is the folder name we created in the previous stage

Click Test Rule

Click OK

Click Apply on the top to save changes

5.7 Change the Provisioning Server settings in DualShield

In the DualShield Management Console, select Authentication | Agents in the main
menu, click the context menu of the Provisioning Server and select Applications.

In the list of applications, select the application for TMG (e.g. radius in our example)
and click Save.




We have now completed all stages and steps in configuring TMG with the DualShield
Agent.

5.8 Test Authentication

Now, when users attempt to log on to the OWA portal, they can request an on-demand
password: users first enter their User Name and Password (AD password), and then
click one of the delivery icons (e.g. the Email icon).

If the credentials provided are correct, the DPS server generates an on-demand one-time
password (Passcode) and delivers it to the user via the defined delivery channel (e.g.
email).

--- END ---

