APPLICATION NOTE
SA Series SSL VPN Appliances and MultiFactor SecureAuth Solution
Secure Remote Access with Comprehensive Client Certificate Management
Copyright © 2009, Juniper Networks, Inc.

Table of Contents
Introduction
Scope
Description and Deployment Scenario
Initial Redirect Setup
Enrollment Automation Configuration
Post Enrollment Redirect
Certificate Authentication
Dual-Authentication Options
Summary
About Juniper Networks

Introduction

Juniper Networks provides the industry’s leading SSL VPN solution for secure, anytime, anywhere remote access. Broad support for all clients, including mobile, together with extensive support for public key infrastructure (PKI)-based authentication, helps customers increase security and decrease risk. MultiFactor, the leader in Web application security solutions, provides SecureAuth, a comprehensive certificate management solution for client X.509 certificate authentication, including enrollment, backend directory integration, and complete X.509 certificate life cycle management. Together, these products enable customers to deploy client certificates with reduced total cost of ownership. By minimizing management costs and automating provisioning and self-service, customers can deploy client certificates on a global scale without impacting the bottom line.

Scope

This document provides the specific steps required to configure MultiFactor SecureAuth, a two-factor X.509-based authentication solution, with Juniper Networks® SA Series SSL VPN Appliances.

Design Considerations

Hardware Requirements
• Juniper Networks SA Series SSL VPN Appliance
• MultiFactor SecureAuth Appliance

Software Requirements
• None

Description and Deployment Scenario

The power of this solution begins when a user needs to access protected resources. In this scenario, the level of trust needs to be increased in order to adequately identify and “trust” this end user.

First, enrollment is mandated: the user goes through a self-service enrollment process provided by MultiFactor’s SecureAuth appliance. Accessed through the SSL VPN proxy mode, this enrollment process begins by authenticating and identifying the user against a configured backend directory such as Active Directory. Next, SecureAuth invokes its client-side component, which generates the private key and a certificate signing request (CSR) on the user’s machine. SecureAuth then takes the CSR, has it signed by its configured certificate authority (CA), and installs the newly signed X.509 certificate into the user’s local certificate store. At this point, portals and VPN solutions like the SA Series can honor the certificate as authentication and identification for that user. This is done by using certificate-based authentication on the SA Series SSL VPN appliance. The SA Series can also enforce additional policies at this time, such as X.509 attribute checking (against a backend directory) or endpoint security posture interrogation via Host Checker. Secondary authentication can also be configured to require a domain password credential in addition to the X.509 certificate. The SecureAuth device also manages the X.509 certificate life cycle by issuing certificates with configurable life spans, and by re-issuing and automating the provisioning of new certificates as they are needed.

Figure 1: SA Series SSL VPN and MultiFactor SecureAuth solution (diagram components: SSL VPN, SecureAuth, User Directory (e.g. AD))

Initial Redirect Setup

To get unenrolled users enrolled and issued a client certificate, SA Series SSL VPN Appliances can automatically detect this posture when a user attempts to log in and redirect them. This is done using two Instant Virtual Extranet (IVE) components. The first component uses the customizable sign-in page framework. By configuring a sign-in URL and a custom sign-in page, administrators can upload their own .zip file to the IVE to be used for the pre-authentication login pages. In this case, two files are modified: “SSL.thtml” (the SSL error page) and “LoginPage.thtml” (the standard login page for CA and more). Since the need here is to redirect the user upon failed CA, a refresh/redirect HTML tag must be added at the correct location in these files. The redirect HTML tag which needs to be added is: , where IVE.COM is the hostname/IP of the IVE and /anonymous corresponds to an anonymous sign-in URL (and realm) which must also be configured. The actual URL can be anything, but */anonymous works nicely.

Figure 2: LoginPage.thtml (based on IVE 6.2R1 sample.zip)

Figure 3: SSL.thtml (based on IVE 6.2R1 sample.zip)

Once these files have been properly modified, they are put back into the .zip file and uploaded as the new custom sign-in page for that sign-in policy (e.g., the default “*/” or some other customized URL/hostname). Back on the IVE, a new role (and corresponding role mapping rule) must be added for that realm, to map anonymous users into. The role should be web-enabled but needs nothing else. One bookmark should be created for the following URL, but more importantly, the role’s UI option should be set to use a “Custom Start Page” which points to the URL: https:///secureauthX/secureauth.aspx. Ideally, this role will also have proper access control lists (ACLs) limiting what a user can access, as well as reduced idle and maximum session timers, since it is reachable by unauthenticated users.

Note: See the SecureAuth Configuration Guide for more information on properly forming this link.

Enrollment Automation Configuration

SecureAuth enables simple, low-maintenance certificate services by tying directly into your existing user data store and integrating tightly with the functions of the SA Series SSL VPN Appliances. Key components of the SecureAuth configuration are directory access and registration methods; these are configured through the SecureAuth Administrative User Interface. Please see the SecureAuth Configuration Guide for details.

Post Enrollment Redirect

The post enrollment redirect URL provides a pointer back to the SA Series SSL VPN appliance so that a newly enrolled system can resubmit credentials and map to an access policy. The URL is that of the IVE access policy, and it is configured in the SecureAuth Administrative User Interface. Please see the SecureAuth Configuration Guide for details.

Certificate Authentication

Certificate-based authentication on the IVE is actually quite simple. First, the administrator creates a new Auth Server for certificate authentication. There is only one option here: how to identify the user once they are authenticated. Typically, the is used, as the CN commonly contains the username. This is ultimately the value which will be mapped into that user’s variable to track user sessions, and it can also be used later for policy definition if needed. Next, the certificate server is mapped to a realm, which is mapped to the sign-in page (e.g., */, not */anonymous). A role or multiple roles are then set up as desired for remote access, and associated role mapping rules can be configured as well. Lastly, in order to trust client certificates for authentication, an issuing or root CA certificate (or certificates) must be uploaded to the IVE, under Configuration > Certificates > Trusted Client CAs.
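The enrollment steps above (client-side key and CSR generation, signing by the configured CA) and the IVE's certificate check (trust the uploaded CA, identify the user by the certificate CN) can be walked through end to end with openssl. This is an added example, not code from the Juniper/MultiFactor note; the CA, user names and file locations are constructed, and identify_from_cert is a stand-in for the IVE's certificate auth server that also shows why the chain check matters: a self-signed certificate carrying the right CN from an untrusted issuer yields no username.

```shell
#!/bin/sh
# Added example: the SecureAuth enrollment flow and the IVE's certificate check,
# reproduced with openssl. All names below are constructed for the demo.
set -eu
WORK=$(mktemp -d)

# Stand-in for the CA that SecureAuth is configured to sign CSRs with.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Enrollment: the client generates the private key and CSR (the key stays on the
# endpoint), then the CA signs the CSR with a configurable lifespan (30 days here).
enroll_user() {
  user=$1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$user/O=Demo Corp" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/$user.crt" 2>/dev/null
}

# A self-signed certificate with the same CN but not issued by the trusted CA.
make_untrusted_cert() {
  user=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$user/O=Somewhere Else" \
    -keyout "$WORK/untrusted-$user.key" -out "$WORK/untrusted-$user.crt" 2>/dev/null
}

# What the IVE's certificate auth server does: verify the chain against the
# uploaded Trusted Client CA, then take the subject CN as the username. Returns 1
# (and prints nothing) when the chain does not verify.
identify_from_cert() {
  cert=$1
  openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline,lname \
    | sed -n 's/^ *commonName *= *//p'
}

# Demo run with a constructed user.
make_ca
enroll_user alice
echo "IVE would map the session to user: $(identify_from_cert "$WORK/alice.crt")"
make_untrusted_cert alice
identify_from_cert "$WORK/untrusted-alice.crt" || echo "untrusted issuer rejected"
```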
These may be configured for client authentication (or not), and optionally certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP) checking may be enabled here as well.

Figure 4: Configuration screen to upload certificates

As you upload CA certificates here, you will also see chains form if you have any separate intermediate/root CA configurations.

Dual-Authentication Options

In some cases, you may want to require a second form of authentication, such as a domain password, in addition to the X.509 client certificate. This is done on the SA Series SSL VPN appliance by using Secondary Authentication. It is configured in the realm and can use a variety of popular authentication services, for example Lightweight Directory Access Protocol (LDAP). The user name field can even be populated in advance for this scenario, and can include the certificate’s CN field by using the attribute variable . With secondary authentication enabled, the IVE can also validate the user’s credentials (the user name from the certificate and the provided password) against the backend directory/store. Additional authorization can also occur here (e.g., group membership for role mapping).

Figure 5: Authentication screen on SA Series SSL VPN

Summary

Instant access to email, contacts, and the intranet are all critical elements of any successful company. Equally important are the flexibility, mobility, and security of these network-based communications. Juniper Networks SA Series SSL VPN Appliances have demonstrated support for the applications and access that enterprises require in today’s global business environment. With deep platform support for Mac OS, Linux, Windows, and beyond, the SA Series has become a critical foundation for securing many of today’s business-critical technologies. Flexible solutions like the SA Series with SecureAuth help keep a mobile enterprise empowered, enabled, and working more efficiently. These are all key benefits that Juniper’s high-performance customers have grown to depend upon.

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888.JUNIPER (888.586.4737) or 408.745.2000. Fax: 408.745.2100. www.juniper.net
APAC Headquarters: Juniper Networks (Hong Kong), 26/F, Cityplaza One, 1111 King’s Road, Taikoo Shing, Hong Kong. Phone: 852.2332.3636. Fax: 852.2574.7803
EMEA Headquarters: Juniper Networks Ireland, Airside Business Park, Swords, County Dublin, Ireland. Phone: 35.31.8903.600. EMEA Sales: 00800.4586.4737. Fax: 35.31.8903.601
To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or an authorized reseller.

Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

3500180-001-EN Dec 2009