DualShield for Microsoft TMG Implementation Guide (Version 5.2)
Copyright 2011
Deepnet Security Limited
Trademarks
Copyrights
Under international copyright law, neither the Deepnet Security software nor its
documentation may be copied, reproduced, translated or reduced to any electronic
medium or machine-readable form, in whole or in part, without the prior written consent
of Deepnet Security.
Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you
understand the exact terms of usage, in particular for which projects, on which
platforms and at which sites you are allowed to use the product. You are not allowed to
make any modifications to the product. If you feel the need for any modifications, please
contact Deepnet Security.
Disclaimer
This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the document. Deepnet Security may make improvements of and/or changes
to the product described in this document at any time.
Contact
If you wish to obtain further information on this product or any other Deepnet Security
products, you are always welcome to contact us.
Table of Contents
1. Overview
2. Preparation
3. Configuration
4. Authentication
5. On-Demand Password
5.1 Create a user-defined protocol for DPS
5.2 Create an access rule for DPS
1. Overview
This implementation guide describes how to protect Microsoft TMG with two-factor
authentication using the DualShield unified authentication platform. Microsoft TMG
supports external authentication servers, including Active Directory and RADIUS OTP. By
leveraging those features of TMG, we can implement two-factor authentication in TMG
in which the first factor is the user's static password and the second factor is
a one-time password. The user's static password is authenticated by the
customer's Active Directory server (domain controller), and the user's one-time password
is authenticated by the DualShield authentication server via RADIUS.
(Architecture diagram: supported OTP tokens are Deepnet SafeID, Deepnet MobileID, Deepnet GridID, Deepnet CryptoKey, RSA SecurID, VASCO DigiPass Go and OATH-compliant OTP tokens; the components are Microsoft TMG, the DualShield Radius Server and the DualShield Authentication Server.)
2. Preparation
Prior to configuring TMG for two-factor authentication, you must have the DualShield
Authentication Server and DualShield Radius Server installed and operating. For the
installation, configuration and administration of DualShield Authentication and Radius
servers, please refer to the following documents:
You also need to have a RADIUS application created in the DualShield authentication
server. The application will be used for the two-factor authentication in TMG. The
document below provides detailed instructions for RADIUS authentication with the
DualShield Radius Server:
3. Configuration
1. Edit the Properties of the OWA listener and select the Authentication tab:
Enable Collect additional delegation credentials in the form
2. Click Configure Validation Servers
4. Click Add
Click OK to save
Finally, click the Apply button on the top to save and activate the changes.
The third stage is to configure the DualShield server to add TMG as a Radius client and
to create a Radius application with a logon procedure.
5. Click Save
6. Click the Context Menu icon of the newly created logon procedure, select Logon
Steps
7. In the popup window, click the Create button on the toolbar
8. Select One-Time Password as the authenticator
9. Click Save
6. Click Save
We have now completed all necessary stages and steps in setting up two-factor
authentication in TMG with DualShield. In our example, we have protected an OWA portal
with two authentication factors: the AD static password and the DualShield one-time password.
Let us proceed to testing the authentication.
4. Authentication
Launch your web browser and connect to the OWA portal.
Users will now be asked to provide both a Passcode and a Password. Password is the
field where users enter their AD password (static password), and Passcode
is the field where users provide their one-time password (OTP).
The DualShield passcode is defined by the logon procedure in your DualShield server. In our
example, we defined One-Time Password in the logon procedure. This means that
users will be able to use any one-time password token supported by DualShield to
authenticate to the OWA portal.
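The Overview and this section describe the OTP leg as a RADIUS exchange between TMG (the RADIUS client) and the DualShield Radius Server. The following is an added example, not code from this guide or from Deepnet, showing how the Passcode travels in that exchange per RFC 2865: the User-Password attribute is hidden with the shared secret and the Request Authenticator, and the client checks the Response Authenticator on the Access-Accept. The shared secret and Request Authenticator values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2     # RFC 2865 attribute types
HEADER = struct.Struct("!BBH")                # code, identifier, total length

def _attr(attr_type, value):
    # attribute = type, length (counting these two bytes), value
    return bytes([attr_type, len(value) + 2]) + value

def _xor_blocks(data, secret, request_auth, decrypt):
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous cipher block), block 0 with
    # MD5(secret + Request Authenticator); only the shared secret keys this hiding.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(b ^ k for b, k in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (block if decrypt else mixed)
    return out

def encrypt_user_password(password, secret, request_auth):
    # NUL-pad to a multiple of 16 bytes (minimum 16) before hiding
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_blocks(padded, secret, request_auth, decrypt=False)

def decrypt_user_password(cipher, secret, request_auth):
    # what the RADIUS server does before validating the OTP; padding stripped
    return _xor_blocks(cipher, secret, request_auth, decrypt=True).rstrip(b"\x00")

def build_access_request(identifier, username, passcode, secret, request_auth):
    # request_auth must be 16 fresh random bytes per request (os.urandom(16) in practice)
    hidden = encrypt_user_password(passcode.encode("utf-8"), secret, request_auth)
    attrs = _attr(ATTR_USER_NAME, username.encode("utf-8")) + _attr(ATTR_USER_PASSWORD, hidden)
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(identifier, request_auth, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = HEADER.pack(ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(reply, identifier, request_auth, secret):
    # client-side check: accept only a well-formed Access-Accept bound to our own request
    code, ident, length = HEADER.unpack(reply[:4]) if len(reply) >= 4 else (0, 0, 0)
    if code != ACCESS_ACCEPT or ident != identifier or length != len(reply) or length < 20:
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

Because the User-Password hiding is keyed only by the shared secret, the RADIUS leg between TMG and the DualShield Radius Server belongs on a trusted network segment.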
You can also add On-Demand Password to the list of authenticators in your logon
procedure.
Your users will then be able to use Deepnet T-Pass as well to authenticate to OWA.
5. On-Demand Password
If you enable On-Demand Password in DualShield, your users will be able to use
Deepnet T-Pass as their authentication method. A typical question with On-Demand
Password is: how can users request to have their password delivered in real time?
Using the configuration set up in the steps above, users cannot request to have
their password delivered in real time. Users need to have a password pre-delivered
before they can log on. The system administrator can push out on-demand passwords to
users, or users can use the self-service console to obtain an on-demand password. Once
a user has successfully logged in, the DualShield server automatically sends out
a new password to be used by the user at the next logon.
If the pre-delivery method described above is not a viable solution for you, you need
to install the DualShield TMG Agent, which enables users to request an on-demand
password in real time at logon.
The rest of this document describes how to configure TMG with the DualShield TMG
Agent. The diagram below illustrates the architecture of the solution:
The DualShield Provisioning Server (DPS) is a web service that delivers on-demand passwords.
Therefore, it needs to be published as a web site on TMG. The process is similar to the
way the OWA web portal is published, but requires some extra settings because DPS uses
a non-standard HTTP port number (8072).
3. Click Finish
4. Click Apply on the top to save changes
2. Select Allow
3. Click Add
Click Add
5. Click Next
6. Click Add
7. Select External
Click Add
8. Click Next
3. Select External
4. Select No Authentication
5. Click Finish
6. Click Apply on the top to save changes
2. Select Allow
8. Click Finish
9. Click Apply on the top to save changes
10. Double click the newly published DPS web site
11. Select Bridging tab
In the list of applications, select the application for TMG (e.g. radius in our example).
Click Save
We have now completed all stages and steps in configuring TMG with the DualShield
Agent.
To request an on-demand password, users first enter their User Name and
Password (AD password), and then click one of the delivery icons (e.g. the Email icon).
If the credentials provided are correct, the DPS server generates an on-demand one-time
password (Passcode) and delivers it to the user over the configured delivery channel (e.g.
email).