aXsGUARD Gatekeeper - VASCO · 4.7 Setting the Integration Level ... personnel and / or system...

aXsGUARD Gatekeeper Directory Services How To v1.2


Directory Services How To v1.2 Legal Notice

VASCO Products

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as 'VASCO'. VASCO Products comprise Hardware, Software, Services and Documentation. This document addresses potential and existing VASCO customers and has been provided to you and your organization for the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to use VASCO Software or a contractual agreement to use VASCO Products.

Disclaimer of Warranties and Limitations of Liabilities

VASCO Products are provided 'as is' without warranty or conditions of any kind, whether implied, statutory, or related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, merchantability, title, non-infringement or fitness for a particular purpose. VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS.

Intellectual Property and Copyright

VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights. No part of these Products may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing.

This document is protected under US and international copyright law as an unpublished work of authorship. No part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized licensee.

Trademarks

VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD®, DIGIPASS®, and ® are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Other company brand or product names or other designations, denominations, labels and/or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications (irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the trademarks or registered trademarks or be part of any other entitlement of their respective owners.

Radius Disclaimer

Information on the RADIUS server provided in this document relates to its operation in the aXsGUARD Gatekeeper environment. We recommend that you contact your NAS/RAS vendor for further information.

Copyright © 2009 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.

© 2009 - VASCO Data Security. 2


Table of Contents

1 Introduction...............................................................................................................................................7

1.1 Audience and Purpose of this document.............................................................................................7

1.2 What is the aXsGUARD Gatekeeper?...................................................................................................9

1.3 About VASCO....................................................................................................................................9

2 Directory Servers and LDAP.....................................................................................................................10

2.1 Overview.........................................................................................................................................10

2.2 What is a Directory Server?..............................................................................................................10

2.3 The Lightweight Directory Access Protocol........................................................................10

2.3.1 Definition...................................................................................................................................10

2.3.2 LDAP Objects.............................................................................................................................10

2.3.3 LDAP Binding Strings..................................................................................................................12

2.4 Directory Servers and the aXsGUARD Gatekeeper..............................................................................13

2.5 Supported Directory Servers.............................................................................................................13

3 Directory Services Concept......................................................................................................................14

3.1 Overview.........................................................................................................................................14

3.2 Directory Services Authentication......................................................................................................14

3.3 Directory Services Synchronization....................................................................................15

3.3.1 Synchronization Disabled............................................................................................................15

3.3.2 Synchronization Enabled.............................................................................................................15

3.3.3 Modifying Synchronized Parameters............................................................................................16

3.3.4 Existing Users and Groups and Synchronization............................................................................16

3.4 Single Sign-On (SSO) and Directory Services.....................................................................................16

3.5 Group Concepts..............................................................................................................17

3.5.1 aXsGUARD Gatekeeper Groups....................................................................................................17

3.5.2 Active Directory Groups...............................................................................................................17

4 Directory Services Configuration..............................................................................................................18

4.1 Overview.........................................................................................................................................18

4.2 Feature Activation............................................................................................................................18

4.3 Enabling DS Lookups.......................................................................................................................19

4.4 Selecting the Directory Server Type..................................................................................................19

4.5 Adding the Directory Server..............................................................................................................20

4.6 Specifying the Directory Base...........................................................................................................20

4.7 Setting the Integration Level.............................................................................................................21


4.8 Group Filters (Group Selection).........................................................................................23

4.8.1 Path-based Group Selection........................................................................................................23

4.8.2 Membership-based Group Selection............................................................................................24

4.9 User Filters (User Selection).............................................................................................24

4.9.1 Centralized Users (Single OU)......................................................................................................25

4.9.2 Decentralized Users (Multiple OUs)...............................................................................................26

4.10 Directory Services Name Restrictions................................................................................................27

4.11 Group and User Templates...............................................................................................28

4.11.1 Editing the Group Template.........................................................................................................28

4.11.2 Editing the User Template...........................................................................................................30

4.12 Status, Tools and Logs....................................................................................................................32

5 Configuration Example.............................................................................................................................33

5.1 Overview.........................................................................................................................................33

5.2 Before you start: Configuring the User and Group Templates..............................................................33

5.3 Feature Activation............................................................................................................................33

5.4 Directory Services Main Screen........................................................................................................33

5.5 Checking the Directory Services Status.............................................................................................35

5.6 Directory Services Test Tool.............................................................................................................36

5.7 Directory Services Logs....................................................................................................................36

6 Troubleshooting.......................................................................................................................................37

7 Support....................................................................................................................................................39

7.1 Overview.........................................................................................................................................39

7.2 If you encounter a problem...............................................................................................................39

7.3 Return procedure if you have a hardware failure................................................................................39


Illustration Index

Image 1: adsiedit console........................................................................................................................................................................11

Image 2: Active Directory Users................................................................................................................................................................................12

Image 3: Directory Services Concept.........................................................................................................................................................................14

Image 4: User and Group Modifications.....................................................................................................................................................................15

Image 5: SSO Concept.............................................................................................................................................................................................16

Image 6: aXsGUARD vs. Active Directory Groups........................................................................................................................................................17

Image 7: Directory Services Feature Activation...........................................................................................................................................................18

Image 8: Enabling DS Lookups.................................................................................................................................................................................19

Image 9: Available DS Server Types..........................................................................................................................................................................19

Image 10: Adding a Directory Server's IP Address......................................................................................................................................................20

Image 11: Entering DS user with Search Permission..................................................................................................................................................21

Image 12: Setting the Integration Level.....................................................................................................................................................................21

Image 13: Path-based Group Selection.....................................................................................................................................................................23

Image 14: Membership-based Group Selection..........................................................................................................................................................24

Image 15: User Filters.............................................................................................................................................................................................26

Image 16: Name Restrictions...................................................................................................................................................................................27

Image 17: Group Template Configuration Screen.......................................................................................................................................................29

Image 18: Example of a Group Template...................................................................................................................................................................29

Image 19: Application of a Group Template...............................................................................................................................................................29

Image 20: Synchronized Groups Icons.......................................................................................................................................................................30

Image 21: User Template Configuration Screen.........................................................................................................................................................30

Image 22: Example of a User Template.....................................................................................................................................................................31

Image 23: Synchronized User Icons..........................................................................................................................................................31

Image 24: Directory Services Configuration Example..................................................................................................................................................34

Image 25: Directory Services Status..........................................................................................................................................................................35

Image 26: Directory Services Tools...........................................................................................................................................................................36

Image 27: Directory Services Logs............................................................................................................................................................................36


Index of Tables

Table 1: Overview of LDAP Names........................................................................................................................................................11

Table 2: Overview of DS Integration Level Options..................................................................................................................................22

Table 3: Importing and Synchronizing Centralized Users.........................................................................................................................25

Table 4: Overview of Directory Services Naming Restrictions..................................................................................................................27


1 Introduction

1.1 Audience and Purpose of this document

This aXsGUARD Gatekeeper Directory Services How To v1.2 guide serves as a reference source for technical personnel and/or system administrators.

This document covers the installation and configuration of the aXsGUARD Gatekeeper Directory Services Module. It is intended for system administrators or technical personnel with a thorough knowledge of Microsoft Active Directory and Directory Servers in general.

Although Novell eDirectory is fully supported by the aXsGUARD Gatekeeper Directory Services feature, the examples in this guide have been limited to Microsoft Active Directory.

In sections 1.2 and 1.3, we introduce the aXsGUARD Gatekeeper and VASCO.

In section 2, we explain some general terminology and required background knowledge, such as the LDAP protocol and LDAP objects.

In section 3, we explain aXsGUARD Gatekeeper LDAP Authentication and Synchronization.

In section 4, we explain how to configure the aXsGUARD Gatekeeper using the LDAP syntax so that Directory Server users and groups can be successfully imported and synchronized.

In section 5, we provide a practical example of how to configure the aXsGUARD Gatekeeper with a Windows 2003 server.

In section 6, we provide solutions to common difficulties.

In section 7, we explain how to request support, and return hardware for replacement.


Other documents in the set of aXsGUARD Gatekeeper documentation include:

aXsGUARD Gatekeeper Installation Guide, which explains how to set up the aXsGUARD Gatekeeper, and is intended for technical personnel and/or system administrators.

'How to guides', which provide detailed information on configuration of each of the features available as 'add-on' modules (explained in the next section). These guides cover specific features such as:

aXsGUARD Gatekeeper Authentication

aXsGUARD Gatekeeper Firewall

aXsGUARD Gatekeeper Single Sign-On

aXsGUARD Gatekeeper VPN

aXsGUARD Gatekeeper Reverse Proxy

aXsGUARD Gatekeeper Directory Services

Access to aXsGUARD Gatekeeper guides is provided through the permanently on-screen Documentation button in the aXsGUARD Gatekeeper Administrator Tool.

Further resources available include:

Context-sensitive help, which is accessible in the Administrator Tool through the Help button. This button is permanently available and displays information related to the current screen.

Training courses covering features in detail can be organized on demand. These courses address all levels of expertise. Please see www.vasco.com for further information.

Welcome to aXsGUARD Gatekeeper security.


1.2 What is the aXsGUARD Gatekeeper?

The aXsGUARD Gatekeeper is an authentication appliance, intended for small and medium sized enterprises. In addition to strong authentication, the aXsGUARD Gatekeeper has the potential to manage all of your Internet security needs. Its modular design means that optional features can be purchased at any time to support, for example, e-mail, Web access and VPN management. The aXsGUARD Gatekeeper can easily be integrated into existing IT infrastructures as a stand-alone authentication appliance or as a gateway providing both authentication services and Internet Security.

Authentication and other features such as firewall, e-mail and Web access, are managed by security policies, which implement a combination of rules, for example, whether a user must use a Digipass One-Time Password in combination with a static password for authentication. Security Policies are applied to specific users or groups of users and can also be applied to specific computers and the entire system.

1.3 About VASCO

VASCO is a leading supplier of strong authentication and Electronic Signature solutions and services specializing in Internet Security applications and transactions. VASCO has positioned itself as a global software company for Internet Security serving customers in more than 100 countries, including many international financial institutions. VASCO’s prime markets are the financial sector, enterprise security, e-commerce and e-government.

Over 50 of VASCO's client authentication technologies, products and services are based on VASCO's single core authentication platform: VACMAN®. VASCO solutions comprise combinations of the VACMAN core authentication platform, IDENTIKEY® authentication server, aXsGUARD® authentication appliances, DIGIPASS® client Password and Electronic Signature software and DIGIPASS PLUS authentication services. For further information on these security solutions, please see www.vasco.com.


2 Directory Servers and LDAP

2.1 Overview

This chapter provides some general information about Directory Servers and the Lightweight Directory Access Protocol (hereafter LDAP) and explains how the aXsGUARD Gatekeeper can be integrated into a network with a Directory Server. If you are already familiar with the LDAP concept, you may proceed to chapter 3 on page 14.

Topics covered in this chapter include:

A comprehensive definition of Directory Servers.

LDAP: Definition, objects and binding strings.

aXsGUARD Gatekeeper LDAP integration.

2.2 What is a Directory Server?

A Directory Server stores and centralizes information about the users, groups and resources in a database. This allows network administrators to easily manage users and their rights. The most commonly known Directory Servers are Microsoft Active Directory and Novell eDirectory.

Active Directory (hereafter AD) is an implementation of LDAP services by Microsoft, primarily used in Windows environments. The main purpose of AD is to provide central authentication and authorization services for Windows-based computers. AD also allows administrators to assign policies to users and groups, delegate control, deploy software to client stations and install system-critical updates on the entire corporate network. AD networks and their databases can vary from very small environments with a few hundred objects to very large setups with thousands of objects.

Novell eDirectory (formerly called Novell Directory Services or NDS) is an X.500-compatible directory service software product, which was released by Novell in 1993. Its purpose is similar to that of its Microsoft counterpart: to centrally manage users and control access to network resources. Its database can also be accessed with LDAP.

2.3 The Lightweight Directory Access Protocol

2.3.1 Definition

The Lightweight Directory Access Protocol or LDAP is an application protocol for querying and modifying directory services running over TCP/IP. For detailed information, consult RFC 2253 or the following website: http://www.ldapman.org/articles/intro_to_ldap.html

2.3.2 LDAP Objects

This section provides an overview of the most commonly used LDAP objects and their names. The object names are required to configure the aXsGUARD Gatekeeper Directory Services Module.


Note

The list of provided object names is non exhaustive.

For detailed information about LDAP object naming conventions, please consult the related RFCs or the following Internet site: http://www.ldapman.org/articles/intro_to_ldap.html

To bind Microsoft Active Directory Server objects with LDAP, the following common abbreviations have to be used:

Table 1: Overview of LDAP Names

Abbreviation   Description                                   Microsoft Active Directory Symbol
DC             Domain Component (part of the domain name)    [icon]
CN             Common Name (group name)                      [icon]
CN             Common Name (user name)                       [icon]
CN             Common Name (created by Windows)              [icon]
OU             Organizational Unit (user-created)            [icon]

Tip

In Windows 2003 and 2008 Server, the objects can be identified by opening a command prompt and executing the following command: adsiedit.msc.


Image 1: adsiedit console


2.3.3 LDAP Binding Strings

Caution

When pointing to a specific Windows 2003 / 2008 user on the aXsGUARD Gatekeeper, enter the CN as displayed in the Active Directory Users and Computers screen (as shown in Image 2). Do not use the SAM account name, as it may be different.

Based on Image 2, you would have the following binding string:

cn=axsguard,cn=users,dc=supdomain,dc=be

The aXsGUARD Gatekeeper Directory Services module requires that binding strings are entered without spaces, with the components separated by commas, starting with the lowest intended object in the Directory Tree (e.g. cn=axsguard) and continuing up to the tree base (e.g. dc=supdomain,dc=be).
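The rules of this section (leaf object first, comma separated, no spaces around the separators, ending at the dc= tree base) and the attribute types of Table 1 are mechanical enough to check before a string is typed into the DS Module. The following Python script is an added example and is not part of the VASCO guide or product; the function names are the editor's, the escaping it applies is the one from RFC 2253 section 2.4 (hexadecimal escapes are not handled), and the sample strings are the guide's own example plus constructed variants such as a DN copied from another console with spaces after the commas.

```python
"""Build, normalize and check aXsGUARD Gatekeeper binding strings (LDAP DNs).

Added example, not VASCO code. Function names are the editor's; the sample
DNs reuse the guide's example (cn=axsguard,cn=users,dc=supdomain,dc=be)
plus constructed variants. Escaping follows RFC 2253 section 2.4;
hexadecimal escapes such as \\2C are not handled.
"""
import re

# Attribute types from Table 1 that appear in Gatekeeper binding strings.
KNOWN_TYPES = {"cn", "ou", "dc"}

# Characters that must be escaped inside an RDN value (RFC 2253, section 2.4).
_SPECIALS = re.compile(r'([,+"\\<>;])')


def escape_value(value):
    """Escape an RDN value so it can be embedded in a DN string."""
    out = _SPECIALS.sub(r"\\\1", value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def unescape_value(value):
    """Reverse escape_value for backslash-escaped single characters."""
    return re.sub(r"\\(.)", r"\1", value)


def _split_rdns(dn):
    """Split a DN on commas that are not escaped, keeping the raw text of each part."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_binding_string(dn):
    """Parse a DN into (type, value) pairs, leaf object first."""
    rdns = []
    for raw in _split_rdns(dn):
        if "=" not in raw:
            raise ValueError(f"malformed RDN: {raw!r}")
        typ, value = raw.split("=", 1)
        rdns.append((typ.strip().lower(), unescape_value(value.strip())))
    return rdns


def build_binding_string(rdns):
    """Join (type, value) pairs in the form the DS Module expects:
    no spaces after the separating commas, leaf first, tree base last."""
    return ",".join(f"{typ.lower()}={escape_value(value)}" for typ, value in rdns)


def domain_to_rdns(domain):
    """'supdomain.be' -> [('dc', 'supdomain'), ('dc', 'be')]."""
    return [("dc", label) for label in domain.split(".")]


def normalize_binding_string(dn):
    """Rewrite a DN copied from another tool (mixed case, spaces after commas)
    into the Gatekeeper form."""
    return build_binding_string(parse_binding_string(dn))


def validate_gatekeeper_binding_string(dn):
    """Return the list of rule violations (empty when the string is acceptable):
    no whitespace around separators, only Table 1 attribute types, and the
    string must run from the leaf object to the dc= tree base."""
    problems = []
    for raw in _split_rdns(dn):
        if raw != raw.strip():
            problems.append(f"whitespace next to a separator in {raw!r}")
    types = [typ for typ, _ in parse_binding_string(dn)]
    unknown = sorted(set(types) - KNOWN_TYPES)
    if unknown:
        problems.append(f"unexpected attribute type(s): {', '.join(unknown)}")
    if "dc" not in types:
        problems.append("no dc= components: the string never reaches the tree base")
    elif any(typ != "dc" for typ in types[types.index("dc"):]):
        problems.append("dc= components must come last: start at the leaf object "
                        "and end at the tree base")
    return problems


if __name__ == "__main__":
    # The guide's example, then the same DN with the spacing another console would show.
    dn = build_binding_string([("cn", "axsguard"), ("cn", "users")] + domain_to_rdns("supdomain.be"))
    print(dn, validate_gatekeeper_binding_string(dn))
    copied = "CN=axsguard, CN=Users, DC=supdomain, DC=be"
    print(validate_gatekeeper_binding_string(copied))
    print(normalize_binding_string(copied))
```

Running the script prints the guide's binding string with an empty problem list, then the three whitespace violations found in the copied form and its normalized rewrite. The validator deliberately reports the reversed (tree-base-first) order as a separate problem, since that is the form most other LDAP tools display and the one most likely to be pasted in by mistake.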


Image 2: Active Directory Users


2.4 Directory Servers and the aXsGUARD Gatekeeper

The aXsGUARD Gatekeeper Directory Services Module (hereafter abbreviated as DS Module) relays the client authentication credentials to the Directory Server. If the authentication credentials are valid, the aXsGUARD Gatekeeper services (i.e. Firewall, Web Access, etc.) become available to the authenticating user. This means that aXsGUARD Gatekeeper services can be made available to users with valid Directory Server (e.g. Active Directory, eDirectory) credentials.

In addition, the aXsGUARD Gatekeeper DS Module allows you to import and synchronize users and groups from a Directory Server, using LDAP (see section 2.3).

2.5 Supported Directory Servers

The following Directory Servers have been tested and are supported by the aXsGUARD Gatekeeper:

Windows Server 2003

Windows Server 2008

Novell eDirectory 8.8

Posix LDAP implementations


3 Directory Services Concept

3.1 Overview

This chapter explains the general concept, main features and properties of the aXsGUARD Gatekeeper Directory Services Module (hereafter DS Module). If you are already familiar with the DS concept, please skip to chapter 4.

Topics covered in this chapter include:

DS Authentication

DS Synchronization

3.2 Directory Services Authentication

As mentioned in section 2.4, the aXsGUARD Gatekeeper can be used as a stand-alone authentication appliance. In that case, the aXsGUARD Gatekeeper queries a Directory Server in your network to verify the clients' user credentials. It first verifies whether or not the user exists on the Directory Server. If the user exists, the user credentials are checked by the aXsGUARD Gatekeeper. If the credentials are valid, i.e. the user has successfully authenticated, the user is granted the applicable aXsGUARD Gatekeeper access rights (i.e. Firewall, Web Access, etc.).

Image 3: Directory Services Concept


3.3 Directory Services Synchronization

As mentioned in section 2.4, the aXsGUARD Gatekeeper DS Module allows you to synchronize users and groups from a Directory Server, using LDAP. LDAP is explained in section 2.3.

3.3.1 Synchronization Disabled

It is recommended to keep synchronization disabled while editing user and group templates (see sections 4.11.1 and 5.2). If synchronization remains disabled, each Directory Server group, user and the corresponding credentials have to be entered manually on the aXsGUARD Gatekeeper, which is not only a cumbersome and time-consuming process, but also one prone to errors, especially in large networks with a great number of users.

3.3.2 Synchronization Enabled

If enabled, the aXsGUARD Gatekeeper automatically queries the specified Directory Server every minute, adding and removing (if enabled) Directory Server users, groups and their corresponding profile information, e.g. their e-mail address(es). This process is fully transparent.

Notes

The initial synchronization takes longer than a minute.

The aXsGUARD Gatekeeper DS Module never adds or changes any user or group settings on the Directory Server; user and group information is only imported and synchronized.

Image 4: User and Group Modifications


3.3.3 Modifying Synchronized Parameters

Caution

Directory Server-specific user or group settings should always be modified or updated on the Directory Server, not on the aXsGUARD Gatekeeper!

aXsGUARD Gatekeeper-specific vs. Directory Server-specific

It is important not to modify any user or group parameters which are Directory Server-specific on the aXsGUARD Gatekeeper. For example, a Firewall Policy is an aXsGUARD Gatekeeper-specific setting, while a synchronized user's full name is Directory Server-specific.

Modifying Directory Server-specific parameters on the aXsGUARD Gatekeeper may cause undesired results, because after the modification some Directory Server information is synchronized while other information is not. It is therefore crucial to change each setting on the correct host.

Always modify Directory Server-specific parameters on the Directory Server. These parameters are synchronized (imported to the aXsGUARD Gatekeeper).

Always modify aXsGUARD Gatekeeper-specific parameters on the aXsGUARD Gatekeeper. Modifications to aXsGUARD Gatekeeper-specific parameters are kept, regardless of whether synchronization is enabled or not.

aXsGUARD Gatekeeper-specific settings can be applied to users and groups on the fly or with user and group templates (as explained in section 4.11).

3.3.4 Existing Users and Groups and Synchronization

When synchronization is enabled, existing aXsGUARD Gatekeeper users and groups with an identical name on the Directory Server are upgraded to the Directory Server's user or group type.

3.4 Single Sign-On (SSO) and Directory Services

The aXsGUARD Gatekeeper Single Sign-On (SSO) Utility is an authentication tool which enables users who are stored in an LDAP database, such as Microsoft Windows AD, to provide only a single set of credentials to get access to predefined resources on multiple systems (see Image 5). For more information about the SSO utility, its installation and specifics, please consult the Single Sign-On Utility (SSO) guide, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.

Image 5: SSO Concept


3.5 Group Concepts

The primary purpose of using groups is to simplify access control arrangements. There is a crucial difference between aXsGUARD Gatekeeper groups and groups in Active Directory.

3.5.1 aXsGUARD Gatekeeper Groups

On the aXsGUARD Gatekeeper, a user can only be assigned to a single group at a given time. There is no possibility to assign a user to multiple groups simultaneously (see Image 6). This is comparable to the Primary Group concept in Active Directory.

3.5.2 Active Directory Groups

In Active Directory, users can be assigned to multiple groups simultaneously, but only to one Primary Group (see Image 6).

Image 6: aXsGUARD vs. Active Directory Groups


4 Directory Services Configuration

4.1 Overview

This section provides a detailed overview of the aXsGUARD Gatekeeper DS configuration. Some configuration settings require LDAP syntax, as explained in chapter 2.

4.2 Feature Activation

Before you can use the aXsGUARD Gatekeeper Directory Services Module and synchronize users and groups, you need to enable the feature on the aXsGUARD Gatekeeper:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to System > Feature Activation.

3. In the left pane, expand the Directory Services Integration option.

4. Check the Do you use Directory Services Integration check box, as shown below.

5. Click on Update.

Image 7: Directory Services Feature Activation


4.3 Enabling DS Lookups

Before users and groups can be imported and synchronized, the DS lookups option should be enabled:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to Directory Services > General.

3. Check the Enable DS Lookups option.

4.4 Selecting the Directory Server Type

Specify the type of your Directory Server (eDirectory, Active Directory and Posix LDAP are supported):

1. Follow steps 1 and 2 as explained above.

2. Select the type of Directory Server you wish to use for authentication and / or synchronization:

Active Directory

Novell Directory Services

Posix LDAP

Note

See section 2.5 for the supported types.

Image 8: Enabling DS Lookups

Image 9: Available DS Server Types


4.5 Adding the Directory Server

The DS feature offers the possibility to enter a Primary Directory Server and one or more backups for that server (see Image 9 on page 19). The entered servers should be each other's mirrors. In case of a problem with the Primary Directory Server, the aXsGUARD Gatekeeper automatically falls back to the backup(s) for user and group synchronization / authentication.

To add the Directory Server(s) IP addresses:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to Directory Services > General.

3. Enter the IP address of the Directory Server in the Server IP Address field.

4. Click on the Add button.

5. Follow the same procedure to add a Directory Services backup server (mirror).

4.6 Specifying the Directory Base

Enter the tree base of the Directory Server as shown below. Use LDAP syntax as explained in section 2:

1. Follow steps 1 and 2, as explained above.

2. Enter the Directory Base in the Directory Base field. Use LDAP syntax as explained in section 2. (see Image 11).

3. Enter a DS username with DS tree search permissions. Use LDAP syntax as explained in section 2. (see Image 11).

4. Enter the password of the DS user with DS tree search permissions.

Image 10: Adding a Directory Server's IP Address


Username with Search Permissions

Cautions

It is highly recommended to create a separate user on your Directory Server with limited access (read-only rights), as that user's password is transmitted over the LAN in cleartext during authentication. Do not use the Directory Server's administrator account. Consult your Directory Server's documentation, if necessary.

It is necessary to have at least one local administrator on the aXsGUARD Gatekeeper, in case the LDAP back-end authentication server fails (back-end authentication is then no longer possible; also see section 3.3.4). If no local administrator exists (all users are synced), the sysadmin account can be used to create a new administrator. See the aXsGUARD Gatekeeper System Administration How To and the Getting Started Guide for more information on the sysadmin user account.

4.7 Setting the Integration Level

The aXsGUARD Gatekeeper Integration Level allows you to specify which options apply to your network. To set the Integration Level:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to Directory Services > General.

3. Select the options applicable to your network (see Image 12), as explained in Table 2.

Image 11: Entering DS user with Search Permission

Image 12: Setting the Integration Level


Caution

User and Group data which has been (automatically) deleted from the aXsGUARD Gatekeeper cannot be recovered, including mail boxes. The Automatically delete users option should be used with care.

Renaming a user or group on the Directory Server causes the original user/group to be erased on the aXsGUARD Gatekeeper during the next synchronization. This means manually configured settings and critical user data (e-mail) of a specific group or user are irrevocably lost.

Table 2: Overview of DS Integration Level Options

Option Description

Synchronize group and user objects

Check this option to synchronize the aXsGUARD Gatekeeper with the Directory Server. Users and groups are synchronized every minute. Do not enable this option if you are creating user or group templates (see section 4.11).

Automatically delete users

If this option is checked, deleted Directory Server users are also deleted from the aXsGUARD Gatekeeper during the next synchronization. If the option is unchecked, the synchronized user and group information remains on the aXsGUARD Gatekeeper and will be marked as such (see sections 4.11.1 and 4.11.2). Also see the caution above.

Add user mail addresses as aliases

If checked, the user's Directory Server mail address(es) is/are imported on the aXsGUARD Gatekeeper as an alias. This is useful when, for instance, there is no Exchange Server in your network and the aXsGUARD Gatekeeper is used as a mail server or when different mail access rights apply on the aXsGUARD Gatekeeper. (Please refer to the aXsGUARD Gatekeeper E-mail Relay How To, which is accessible by clicking on the permanently on-screen Documentation button in the administrator tool). E-mail aliases are synchronized as of the second synchronization, not during the initial synchronization.

If the e-mail alias is identical to the username, it is not imported on the aXsGUARD Gatekeeper, since the username constitutes an alias by itself.

Add SMTP Proxy Addresses as mail aliases (AD Specific)

This option only applies to Microsoft Active Directory servers with a Microsoft Exchange Plugin. If checked, the SMTP addresses are synchronized. A user who wants to receive e-mail from outside the Exchange organization needs an address which a foreign messaging system can understand. Microsoft calls this a proxy address because Exchange acts as a "proxy" for the foreign messaging system. Because Exchange uses SMTP for internal and external mail routing, all e-mail objects in Active Directory get an SMTP proxy address. Exchange also assigns an X.400 proxy address, in case messages need routing to a legacy Exchange system (legacy Exchange uses X.400 to route messages). E-mail aliases are synchronized as of the second synchronization, not during the initial synchronization.
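The following simulation of one synchronization pass is an added example and not aXsGUARD code; it models the behaviour Table 2 and the caution above describe on constructed data (the user names, mailbox paths and the "synced" flag are assumptions). Because directory objects are matched by name, a user renamed on the Directory Server appears as one account that vanished and one that is new, and the Automatically delete users option decides whether the old account and its mailbox are erased or only kept and flagged.

```python
"""Constructed model of one DS synchronization pass (not VASCO's implementation).

Shows the consequence of a rename on the Directory Server under both settings
of the "Automatically delete users" option, and that local (non-synchronized)
accounts such as the mandatory local administrator are never touched.
"""
from dataclasses import dataclass, field


@dataclass
class SyncResult:
    added: list = field(default_factory=list)      # new on the DS, created on the appliance
    deleted: list = field(default_factory=list)    # erased with mailbox (auto-delete on)
    flagged: list = field(default_factory=list)    # kept but marked as gone from the DS
    unchanged: list = field(default_factory=list)  # present on both sides


def reconcile(appliance_users, directory_users, auto_delete):
    """Return the actions one sync pass would take.

    appliance_users: dict name -> {"synced": bool, "mailbox": str} (assumed shape)
    directory_users: set of user names currently returned by the DS query
    auto_delete:     state of the "Automatically delete users" option
    """
    result = SyncResult()
    for name in sorted(directory_users):
        if name in appliance_users:
            result.unchanged.append(name)
        else:
            # A renamed DS user shows up here under its new name: a fresh account
            # created from the user template, with none of the old settings or mail.
            result.added.append(name)
    for name, info in sorted(appliance_users.items()):
        if name in directory_users or not info["synced"]:
            continue  # still on the DS, or a local account: nothing to do
        if auto_delete:
            result.deleted.append(name)  # account and mailbox gone, not recoverable
        else:
            result.flagged.append(name)  # remains on the appliance, marked as unsynced
    return result


# Constructed sample: "jdoe" was renamed to "john.doe" on the Directory Server.
APPLIANCE = {
    "jdoe":   {"synced": True,  "mailbox": "/var/mail/jdoe"},
    "asmith": {"synced": True,  "mailbox": "/var/mail/asmith"},
    "admin":  {"synced": False, "mailbox": "/var/mail/admin"},  # local administrator
}
DIRECTORY = {"john.doe", "asmith"}


def run_example():
    """Run the same pass with auto-delete on and off; returns both results."""
    strict = reconcile(APPLIANCE, DIRECTORY, auto_delete=True)
    lenient = reconcile(APPLIANCE, DIRECTORY, auto_delete=False)
    return strict, lenient


if __name__ == "__main__":
    strict, lenient = run_example()
    print("auto-delete on :", strict)
    print("auto-delete off:", lenient)
```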


4.8 Group Filters (Group Selection)

Group filters allow you to specify which groups should be imported and synchronized, based on the search path on the Directory Server. In order to assign a user to an aXsGUARD Gatekeeper group, the group should exist (be valid) before the user is created or imported. Groups are always synchronized before users.

Caution

If the Directory Base for Group search is limited to the domain tree (see section 2.3.3) and '*' is entered in the Add these groups only field, ALL groups of the Directory Server are imported and synchronized, cluttering the aXsGUARD Gatekeeper Groups database (Users & Groups > Groups).

4.8.1 Path-based Group Selection

With path-based group selection, the aXsGUARD Gatekeeper queries and only imports groups from the specified location (path). The path should be entered using LDAP syntax (see section 2.3.3), e.g. ou=groups,ou=mycompany,dc=mycompany,dc=com.

The Directory Base for Group search field recursively points to the location on the Directory Server where the groups to be imported on and synchronized with the aXsGUARD Gatekeeper are stored. The aXsGUARD Gatekeeper initiates the synchronization before any objects are imported.

To enter the search path:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to Directory Services > General.

3. Enter the group search path, using LDAP syntax (see section 2.3.3).

4. In order to import all groups of the entered base path, enter '*' (without quotes) as the group pattern (see Image 13).

Image 13: Path-based Group Selection


4.8.2 Membership-based Group Selection

Groups can be selected based on their full DS name or by using group patterns (DOS wildcards), as shown below. Group names and / or patterns can be added by entering the group in the Add these groups only field and pressing Enter or clicking on the Add button. Only the groups which have been specified will be imported and synchronized.

To specify the groups to be imported / synchronized:

1. Follow steps 1 and 2 as explained in section 4.8.1.

2. Enter the full DS group name or a group pattern (see Image 14).

3. Click on Add or press enter.

4.9 User Filters (User Selection)

Similar to the group filters explained in section 4.8, a path which recursively points to the users on the Directory Server must be configured (a user filter). The aXsGUARD Gatekeeper uses this path to import and synchronize the DS user information. There are five different methods to import and synchronize DS users.

Three methods exist to import centralized users and are explained in section 4.9.1.

Two methods exist to import decentralized users and are explained in section 4.9.2.

Note

Users which are selected to be imported / synchronized should be members of a valid group. A group should exist on the aXsGUARD Gatekeeper before a user(s) is / are created or imported. For this reason, groups are always synchronized before users.

Image 14: Membership-based Group Selection


4.9.1 Centralized Users (Single OU)

This section explains the three possible methods to import centralized users, i.e. users stored in a single organizational unit (OU) on the Directory Server.

To import centralized users:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to Directory Services > General.

3. Enter the user search path, using LDAP syntax (see section 2.3.3).

4. Check the options as explained in Table 3.

Table 3: Importing and Synchronizing Centralized Users

Option Description

Adding users based on the Directory Base for User Search

If no option is checked, the aXsGUARD Gatekeeper imports and synchronizes all users found under the entered search path. In the example shown on page 26, the users from the organizational unit Users are imported and added to a user template on the aXsGUARD Gatekeeper. The group which is specified in the user template is used when no valid group is specified for the user on the Directory Server. If a valid group is specified for the user, item 3 of this table applies. Default user and group templates exist on the aXsGUARD Gatekeeper and can be customized as needed. User and group templates are explained in section 4.11.

Only add users with a Valid Primary Group

If checked, the aXsGUARD Gatekeeper only imports and synchronizes users who are located in the specified DS search path and who are members of a valid Primary DS Group. For setting the Primary Group of a user in Windows 2003, consult the relevant Microsoft documentation.

Only add users which are members of a valid group

If checked, the aXsGUARD Gatekeeper only imports and synchronizes users who are located in the specified DS search path and are members of a valid DS group. When an AD user is a member of several valid groups and the Primary Group is set to a non-valid group, the group which appears first in that user's AD profile is imported on the aXsGUARD Gatekeeper. The user is then automatically assigned to this group on the aXsGUARD Gatekeeper. AD uses alphabetical order to organize group names. Priority is given to the Primary Group, if present in the user profile.


4.9.2 Decentralized Users (Multiple OUs)

This situation most probably occurs when your organization already has an installed and configured Directory Server and the users are spread out over the Directory tree (multiple organizational units or OUs), rather than stored in a single organizational unit (see section 4.9.1). It is therefore critical to set and verify the search parameters correctly, so that unneeded users and groups are not accidentally imported and synchronized. This also avoids extra license costs.

To import decentralized users:

1. Follow steps 1 and 2 as explained in section 4.9.1.

2. Enter the user search path, using LDAP syntax (see section 2.3.3).

3. Check the options as explained below (also see Table 3 on page 25).

Adding users assigned to a Valid Primary Group: the aXsGUARD Gatekeeper only imports and synchronizes users who are located in the specified Directory Base and who are members of a valid Primary Group on the Directory Server. This method is similar to the one described in section 4.9.1. The main distinction is that the Directory Base for Group search and the Directory Base for User search parameters should be modified accordingly, because the users are spread out over the AD tree and not centralized in a single organizational unit.

Adding users assigned to a Valid Group: Here as well, the Directory Base for Group search and the Directory Base for User search should be modified accordingly. If no valid primary group has been assigned to a DS user, the first valid group occurring in that user's profile is imported and synchronized. Priority is given to the Primary Group, if present. In an Active Directory user profile, groups are ordered alphabetically.
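The following is an added example, not aXsGUARD code, that models the group filter of section 4.8 (recursive Directory Base for Group search plus DOS-wildcard patterns) and the user selection rules of section 4.9 (Table 3) on constructed directory entries; the DNs, user names, group memberships and the "default" template group are assumptions. It also reproduces the caution of section 4.8: with the group base set to the domain tree and '*' as pattern, every group is selected.

```python
"""Constructed model of DS group filters and user selection (not VASCO's code).

Groups are selected first (they must exist before users are assigned). A user is
then placed in its Primary Group if that group is valid, otherwise in the
alphabetically first valid group of its profile (AD orders group names
alphabetically), otherwise in the group from the user template.
"""
from fnmatch import fnmatchcase

GROUP_BASE = "ou=groups,ou=mycompany,dc=mycompany,dc=com"
USER_BASE = "ou=users,ou=mycompany,dc=mycompany,dc=com"

# Constructed directory content: DN -> simplified AD-like attributes.
GROUPS = {
    "cn=sales,ou=groups,ou=mycompany,dc=mycompany,dc=com": {"name": "sales"},
    "cn=accounting,ou=groups,ou=mycompany,dc=mycompany,dc=com": {"name": "accounting"},
    "cn=legal_eu,ou=groups,ou=mycompany,dc=mycompany,dc=com": {"name": "legal_eu"},
    "cn=legal_us,ou=groups,ou=mycompany,dc=mycompany,dc=com": {"name": "legal_us"},
    "cn=Domain Admins,cn=users,dc=mycompany,dc=com": {"name": "Domain Admins"},
}
USERS = {
    "cn=alice,ou=users,ou=mycompany,dc=mycompany,dc=com":
        {"name": "alice", "primary": "sales", "groups": ["sales", "legal_eu"]},
    "cn=bob,ou=users,ou=mycompany,dc=mycompany,dc=com":
        {"name": "bob", "primary": "Domain Users", "groups": ["legal_us", "accounting"]},
    "cn=carol,ou=users,ou=mycompany,dc=mycompany,dc=com":
        {"name": "carol", "primary": "Domain Users", "groups": ["Domain Users"]},
    "cn=dave,ou=users,dc=mycompany,dc=com":  # outside the user base: never selected
        {"name": "dave", "primary": "sales", "groups": ["sales"]},
}


def under_base(dn, base):
    """True if dn lies in the subtree rooted at base (a recursive search)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def select_groups(groups, base, patterns):
    """Valid groups: those under the group base whose name matches one of the
    'Add these groups only' entries ('*' selects everything under the base)."""
    return sorted(
        attrs["name"] for dn, attrs in groups.items()
        if under_base(dn, base)
        and any(fnmatchcase(attrs["name"], p) for p in patterns)
    )


def assign_group(user, valid_groups, template_group):
    """The single aXsGUARD group a selected user is assigned to."""
    if user["primary"] in valid_groups:
        return user["primary"]  # the Primary Group always has priority
    candidates = sorted(g for g in user["groups"] if g in valid_groups)
    return candidates[0] if candidates else template_group


def select_users(users, base, valid_groups, method, template_group="default"):
    """method: 'path' (no option checked), 'primary' (valid Primary Group only)
    or 'member' (member of any valid group), as in Table 3."""
    valid = set(valid_groups)
    result = {}
    for dn, u in users.items():
        if not under_base(dn, base):
            continue
        if method == "primary" and u["primary"] not in valid:
            continue
        if method == "member" and not (u["primary"] in valid or valid & set(u["groups"])):
            continue
        result[u["name"]] = assign_group(u, valid, template_group)
    return result


if __name__ == "__main__":
    valid = select_groups(GROUPS, GROUP_BASE, ["sales", "accounting", "legal*"])
    print("valid groups:", valid)
    for method in ("path", "primary", "member"):
        print(method, select_users(USERS, USER_BASE, valid, method))
    # The section 4.8 caution: domain tree as base plus '*' pulls in every group.
    print("domain tree + '*':", select_groups(GROUPS, "dc=mycompany,dc=com", ["*"]))
```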

Image 15: User Filters


4.10 Directory Services Name Restrictions

Some group and user name restrictions apply when importing DS users and groups. If the restrictions aren't met, the Directory Services status displays a warning message (see Image 16). An overview of naming restrictions is provided in Table 4:

Table 4: Overview of Directory Services Naming Restrictions

Restriction Type Description

Group and User name restrictions

User and group names may not exceed 25 characters.

User name-specific restrictions

No special characters, such as French accents, may be used. Spaces are not allowed.

Group name-specific restrictions

Special French characters are automatically converted (accents are removed). Other special characters, such as ' , + etc., are not allowed. Spaces are automatically converted to underscores. Upper case letters are converted to lower case.
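The following checker is an added example, not aXsGUARD code: it applies the Table 4 rules to constructed names, reporting which user names would trigger the Directory Services status warning and what a group name looks like after the automatic conversions. Table 4 only gives examples of disallowed characters, so treating every non-alphanumeric ASCII character (other than the underscore produced from spaces in group names) as "special" is an assumption of this example.

```python
"""Constructed checker for the DS naming restrictions of Table 4 (not VASCO's code)."""
import unicodedata

MAX_LEN = 25  # both user and group names


def strip_accents(name):
    """Remove accents (e.g. é -> e) by decomposing and dropping combining marks."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def check_user_name(name):
    """User names are not converted; return the list of violations (empty = OK)."""
    problems = []
    if len(name) > MAX_LEN:
        problems.append("longer than 25 characters")
    if " " in name:
        problems.append("contains spaces")
    # Assumption: anything outside ASCII letters and digits counts as special
    # (accented letters, punctuation such as ' , +).
    if any(not (ch.isascii() and ch.isalnum()) for ch in name.replace(" ", "")):
        problems.append("contains special characters")
    return problems


def normalize_group_name(name):
    """Apply the automatic group-name conversions and report what remains invalid.

    Returns (converted_name, problems).
    """
    problems = []
    converted = strip_accents(name).replace(" ", "_").lower()
    if any(not (ch.isascii() and (ch.isalnum() or ch == "_")) for ch in converted):
        problems.append("contains special characters")  # e.g. ' , +
    if len(converted) > MAX_LEN:
        problems.append("longer than 25 characters")
    return converted, problems


if __name__ == "__main__":
    # Constructed sample names, as a DS administrator might find them in AD.
    for user in ("jdoe", "jean dupont", "éric", "a" * 26):
        print(f"user {user!r}: {check_user_name(user) or 'OK'}")
    for group in ("Équipe Ventes", "R&D, Legal", "Sales Department West Region"):
        print(f"group {group!r}: {normalize_group_name(group)}")
```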

Image 16: Name Restrictions


4.11 Group and User Templates

Tip

It is recommended to disable synchronization until the user / group templates are properly configured, as groups and users are automatically synchronized after a minute (see section 3.3.1). Temporarily disabling synchronization prevents users and groups from being imported before the proper template(s) is / are in place.

aXsGUARD Gatekeeper user and group templates facilitate the organization and customization of aXsGUARD Gatekeeper-specific settings to be assigned to groups or users.

Rather than creating individual aXsGUARD Gatekeeper settings per user, it is much more convenient and efficient to define templates in which certain user / group settings, such as Firewall access rights, Web access rights and Mail policies are predefined and combined. If you have a large amount of users within your organization, managing settings per user soon becomes cumbersome. Therefore, the administrator(s) will need to assess beforehand which group and user settings are the most widely used by the majority of the employees within their organization and define them in templates on the aXsGUARD Gatekeeper.

More simply put, the administrators need to ascertain the lowest common denominator for all users. If a certain user or group needs special access (or needs to be denied access) to a specific resource, it is easier to define and assign the exception(s) afterwards.

Note

Templates are only applied to users and groups when they are initially imported on the aXsGUARD Gatekeeper. Once a group or user is imported, template modifications do not affect the existing user and / or group settings, even after a subsequent synchronization with the Directory Server. This is to prevent the loss of any manual modifications.

4.11.1 Editing the Group Template

To edit a group template:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to Users & Groups > Groups

3. Click on Template. The Group template detail screen is displayed (see Image 17).


4. Navigate through the tabs and adjust the settings accordingly.

5. Click on Update to finish.

Example

Image 17 shows three tabs: E-mail, Web Access and Firewall. The number of tabs varies according to the purchased software licenses. In this example, we configure a group template in which Web Access is forbidden.

Click on the Web Access tab and select No Access – Everything is blocked from the drop-down list. Click on Update to save the template settings (see Image 18).

After synchronization, all imported groups are denied Web Access as defined in the group template (see Image 19).

Image 17: Group Template Configuration Screen

Image 18: Example of a Group Template

Image 19: Application of a Group Template


4.11.2 Editing the User Template

As for groups, templates can be created for new users:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to Users & Groups > Users

3. Click on Template. The User template detail screen is displayed.

4. Navigate through the tabs and adjust the settings accordingly.

5. Click on Update to finish.

Image 20: Synchronized Groups Icons

Image 21: User Template Configuration Screen


Example

Image 21 shows several tabs. The number of tabs on your aXsGUARD Gatekeeper may vary, since they depend on the software options you purchased. Assuming you only wish to grant Web Access during working hours to all imported users, click on the Web Access tab. Check Overrule Group Web Access Filter and select Working Hours from the drop-down menu. Click on Update to save the settings.

All newly imported users have web access during working hours, regardless of the group they are assigned to.

Note

Synchronized users only remain on the aXsGUARD Gatekeeper if the Automatically Delete Users option is disabled (see section 4.7).

Image 22: Example of a User Template

Image 23: Synchronized User Icons


4.12 Status, Tools and Logs

The Directory Services status, tools and logs are explained in chapter 5.


5 Configuration Example

5.1 Overview

This chapter provides a configuration example of the aXsGUARD Gatekeeper Directory Services configuration as used with a Microsoft Active Directory Server. The Directory Services Status, Tools and Logs are explained afterwards.

5.2 Before you start: Configuring the User and Group Templates

Tip

It is recommended to disable synchronization until the user / group templates are properly modified, as groups and users are automatically synchronized after a minute. Temporarily disabling synchronization prevents users and groups from being imported before the proper template(s) is / are in place.

Before importing and/or synchronizing users and groups, make sure to configure the adequate user and group templates as explained in section 4.11 (if applicable).

5.3 Feature Activation

Make sure the Directory Services feature is enabled:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to System > Feature Activation.

3. Enable the Directory Services Integration.

4. Click on Update.

5.4 Directory Services Main Screen

To configure Directory Synchronization:

1. Make sure you have at least one local advanced administrator account on the aXsGUARD Gatekeeper (see section 3.3.4).

2. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

3. Navigate to Directory Services > General.

4. Configure the settings as explained in chapter 4 and shown in the example on the next page.


Image 24: Directory Services Configuration Example


1. Check the Enable DS lookups option.

2. Select Active Directory as the Service Type from the drop-down list.

3. Enter the IP address of the Active Directory Server and its back-up(s) (if applicable), e.g. 10.32.20.2.

4. Enter the Directory Base using the LDAP syntax (see section 2.3.3), e.g. dc=mycompany,dc=com.

5. Create a user whose access is limited to searching the Directory Tree (read-only access) on the Directory Server. Refer to the adequate Microsoft documentation if necessary.

6. Enter the search path to the newly created Active Directory user, using LDAP syntax (see section 2.3.3), e.g. cn=axsguard,cn=users,dc=mycompany,dc=com.

7. Enter that user's password twice.

8. Select the Integration Level as explained in section 4.7.

9. Enter the Directory Base for Group Search (see section 4.8), using LDAP syntax, e.g. ou=groups,ou=mycompany,dc=mycompany,dc=com.

10. Enter the group name(s) which should be imported from / synchronized with the Directory Server as explained in section 4.8, e.g. sales, accounting, legal*, or a single asterisk (*) if all groups under the specified path should be imported / synchronized.

11. Enter the Directory Base for User Search (see section 4.9), using LDAP syntax, e.g. ou=users,ou=mycompany,dc=mycompany,dc=com.

12. Select the users which need to be imported / synchronized as explained in section 4.9 (Member of Primary Group / Member of Valid Group / Based on Directory Base User search path).

13. Click on Update when finished.
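The settings above are typed into the appliance without any check that the paths belong together. The script below is an added example, not part of the VASCO documentation or the product, that performs the checks a practitioner would do before clicking Update: it verifies that the bind user DN and the group / user search bases all lie under the Directory Base, and it turns the group name list from step 10 into the LDAP search filter the appliance must build, escaping every filter metacharacter except the intended * wildcard so that a group name such as legal)(objectClass=* cannot widen the search. The DNs and group names are the example values from the steps above; the function names and the comma-separated format of the group list are assumptions.

```python
"""Pre-flight checks for the Directory Services settings (added example).

Assumptions: DNs use the plain RFC 4514 form shown on the configuration
page, and the group list is comma-separated with '*' as the only wildcard.
"""
from __future__ import annotations
import re

# One RDN: attribute=value. Commas inside a value must be escaped with '\'.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, attribute lower-cased.
    A malformed RDN raises ValueError so a typo is caught before the
    appliance tries to bind or search with it."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        m = _RDN.match(rdn)
        if not m:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parts.append((m.group(1).lower(), m.group(2)))
    return parts


def is_under_base(dn: str, base: str) -> bool:
    """True if dn is the base itself or lies below it. Attributes and values
    are compared case-insensitively, as Active Directory treats DNs."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def escape_filter_value(value: str, keep_wildcard: bool) -> str:
    """RFC 4515 escaping of a filter assertion value. '*' survives only when
    keep_wildcard is set; '(', ')', '\\' and NUL are always hex-escaped."""
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append(ch)
        elif ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_filter(names: str, attr: str = "cn") -> str:
    """Turn 'sales, accounting, legal*' or '*' into a single LDAP filter."""
    items = [n.strip() for n in names.split(",") if n.strip()]
    if not items:
        raise ValueError("at least one group name is required")
    if items == ["*"]:
        return f"({attr}=*)"
    clauses = [f"({attr}={escape_filter_value(n, keep_wildcard=True)})" for n in items]
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def check_settings(base: str, bind_dn: str, group_base: str,
                   user_base: str, groups: str) -> list[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    for label, dn in (("bind user", bind_dn), ("group search base", group_base),
                      ("user search base", user_base)):
        try:
            if not is_under_base(dn, base):
                problems.append(f"{label} {dn} is not under directory base {base}")
        except ValueError as exc:
            problems.append(str(exc))
    try:
        group_filter(groups)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Values from the configuration example on this page.
    print(check_settings("dc=mycompany,dc=com",
                         "cn=axsguard,cn=users,dc=mycompany,dc=com",
                         "ou=groups,ou=mycompany,dc=mycompany,dc=com",
                         "ou=users,ou=mycompany,dc=mycompany,dc=com",
                         "sales, accounting, legal*"))
    print(group_filter("sales, accounting, legal*"))
```

Run it with the values you intend to enter; an empty list means the search paths sit under the Directory Base and the group filter is well-formed. The escaping matters because the appliance substitutes the group names into a filter on the server side, and a name containing ( or ) would otherwise change the meaning of that filter.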

5.5 Checking the Directory Services Status

The Directory Services Status screen allows you to verify whether the synchronization was successful. Any problems are reported there. To check the status:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to Directory Services > Status.


Image 25: Directory Services Status


5.6 Directory Services Test Tool

The Directory Services Test Tool allows you to test settings on the fly. To test your settings:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to Directory Services > Tools.

3. Click on the here link to test your configuration settings (see Image 26).
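What the Test Tool does on the wire for the bind user and password is an LDAPv3 simple bind. The following added example, which is not code from the page or from the product, encodes a BindRequest, decodes the BindResponse and maps the result code to its RFC 4511 name, so a failing test can be reproduced from any host with Python using the same bind DN and password. The host, DN and password are constructed values. A simple bind on port 389 carries the password in cleartext, so run it only on a trusted network, or wrap the socket in TLS for LDAPS on port 636.

```python
"""LDAPv3 simple bind, encoded and decoded by hand (added example).

Assumptions: the server speaks LDAPv3 and the bind is a simple bind on a
plain TCP socket, as the Test Tool checks the bind user and password.
"""
import socket

# Result codes a bind commonly returns (RFC 4511, section 4.1.9).
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 32: "noSuchObject",
                34: "invalidDNSyntax", 49: "invalidCredentials",
                53: "unwillingToPerform"}


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(tag: int, value: int) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0a); a leading zero keeps the value positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return _tlv(tag, body)


def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = _tlv(0x60, _int(0x02, 3) + _tlv(0x04, bind_dn.encode())
              + _tlv(0x80, password.encode()))  # 0x80 = context tag 0: simple auth
    return _tlv(0x30, _int(0x02, msg_id) + op)


def bind_response(msg_id: int, result_code: int, diagnostic: str = "",
                  matched_dn: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }.
    Used here to construct sample server replies; a real server sends the same layout."""
    op = _tlv(0x61, _int(0x0A, result_code) + _tlv(0x04, matched_dn.encode())
              + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _int(0x02, msg_id) + op)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    """Decode a BindResponse; raises ValueError if the message is something else."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got tag 0x{tag:02x}")
    _, rc, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    code = int.from_bytes(rc, "big")
    return {"msg_id": int.from_bytes(mid, "big"), "result_code": code,
            "result": RESULT_CODES.get(code, f"code {code}"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the LDAP response")
        buf += chunk
    return buf


def _recv_message(sock: socket.socket) -> bytes:
    """Read one BER element: tag and length header, then exactly the announced body."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        ext = _recv_exact(sock, length & 0x7F)
        head, length = head + ext, int.from_bytes(ext, "big")
    return head + _recv_exact(sock, length)


def simple_bind(host: str, bind_dn: str, password: str, port: int = 389,
                timeout: float = 5.0) -> dict:
    """Send one simple bind over plain TCP and return the decoded result.
    Cleartext password on the wire: trusted network only, or use LDAPS (636)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(_recv_message(sock))


if __name__ == "__main__":
    # Constructed values; replace with the address and bind user from the General screen.
    print(simple_bind("10.32.20.2", "cn=axsguard,cn=users,dc=mycompany,dc=com", "s3cret"))
```

A result of invalidCredentials (49) with an Active Directory server usually points at a wrong password or a bind DN that does not match the account's actual location; noSuchObject (32) or invalidDNSyntax (34) point at the search path entered in step 6 rather than at the password.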

5.7 Directory Services Logs

To access the Directory Services logs:

1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

2. Navigate to Directory Services > Logs.

A list of log files is displayed. The most recent log file appears on top of the list. Click on a log file date to view its details. Clicking on the live button displays the details of the most recent log.


Image 26: Directory Services Tools

Image 27: Directory Services Logs


Directory Services How To v1.2 Troubleshooting

6 Troubleshooting

I have deleted a group on the Directory Server, but the group is not automatically removed / deleted from the aXsGUARD Gatekeeper after synchronization

A group cannot be deleted / removed on the aXsGUARD Gatekeeper as long as it still contains users; this preserves referential integrity. Under certain conditions a group can therefore be removed / deleted on the Directory Server (e.g. Active Directory) while it is still in use on the aXsGUARD Gatekeeper.

If the "automatically delete users" option is disabled (see section 4.7), the aXsGUARD Gatekeeper keeps a user that was deleted in AD, together with the corresponding settings and e-mail. The user is marked with a red cross in the aXsGUARD Gatekeeper Administrator Tool (see section 4.11.2).

If the "automatically delete users" option is enabled (see section 4.7), the group / user and the corresponding settings no longer exist on the aXsGUARD Gatekeeper after synchronization. Renaming a user or group on the Directory Server then causes the original user / group to be erased on the aXsGUARD Gatekeeper during the next synchronization, which means that manually configured settings and critical user data (e-mail) of that group or user are irrevocably lost (see section 4.7).

This situation can be prevented by following this procedure:

1. Disable DS synchronization on the aXsGUARD Gatekeeper.

2. Rename the synchronized group on the aXsGUARD Gatekeeper.

3. Modify the synchronized group name on the Directory Server.

4. Re-activate DS synchronization on the aXsGUARD Gatekeeper.

I cannot access the aXsGUARD Gatekeeper Administrator Tool.

It is necessary to have at least one local advanced administrator on the aXsGUARD Gatekeeper so that you can still log on when the LDAP back-end authentication server fails (back-end authentication is then no longer possible). Note that local aXsGUARD Gatekeeper users and groups which have the same name as a user or group on the Directory Server are upgraded to DS users and groups during synchronization (see section 3.3.4), so such an account no longer serves as a local fallback.

If no local administrator exists (e.g. because all users were synchronized), the sysadmin account can be used to create a new administrator. See the aXsGUARD Gatekeeper System Administration How To and the Getting Started Guide for more information on the sysadmin user account.

I receive an error when using special characters in user and / or group names

See section 4.10. The support for the use of special characters is on the aXsGUARD Gatekeeper development roadmap.

How can I view the LDAP objects in Active Directory?

In Windows Server 2003 and 2008, open a command prompt and execute adsiedit.msc (see section 2.3.2).

I get an error message in the Directory Services Test Tool

1. Check the server settings under Directory Services > General.

2. Check the entered search paths (see sections 4.8 and 4.9).

3. Check the Directory Server's configuration.


When synchronizing a new user with AD, the user's e-mail alias is initially not synchronized

E-mail aliases are automatically synchronized as of the second synchronization with the Directory Server.


Directory Services How To v1.2 Support

7 Support

7.1 Overview

In this section we provide instructions on what to do if you have a problem or experience a hardware failure.

7.2 If you encounter a problem

If you encounter a problem with a VASCO product, please follow the steps below:

1. Check whether your problem has already been solved and reported in section 6 or in the Knowledge Base at the following URL: http://www.vasco.com/support.

2. If there is no solution in the Knowledge Base, please contact the company which supplied you with the VASCO product.

3. If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO expert. If necessary, VASCO experts can access your aXsGUARD Gatekeeper remotely to solve the problem.

7.3 Return procedure if you have a hardware failure

If you experience a hardware failure, please contact your VASCO supplier.


Alphabetical Index

Accessing Documents: 8
Active Directory: 10p., 19, 33
Authentication: 8, 14, 16
aXsGUARD Gatekeeper: 9
Binding strings: 12
DIGIPASS: 2
Directory Base: 20
Directory Servers: 10, 13
Directory Services: 8
Documents: 8
eDirectory: 19
Firewall: 8
Group filters: 23
Integration Level: 21p.
LDAP: 10, 13, 18
LDAP object: 11
Logs: 36
Novell eDirectory: 10
Posix LDAP: 19
Primary Group: 25p.
Return Procedure: 39
Reverse Proxy: 8
Single Sign-On: 8
SSO: 16
Status: 35
Synchronization: 14, 15
Templates: 28
Test Tool: 36
Training Courses: 8
User filter: 24
Valid Group: 25, 26
VPN: 8
