SR L15 Hands-On Lab - L15.pdf SR L15 Hands-On Lab Description Protecting Corporate Networks with...
SR L15 Hands-On Lab
Description Protecting Corporate Networks with Symantec Validation and ID Protection
At the end of this lab, you should be able to
Technically present and answer questions from your customers on Symantec’s Validation and ID Protection services
Deliver and customize customer demos for VIP services
Deliver and manage customer VIP POCs
Develop VIP solutions to meet your customer’s needs
Notes: A brief presentation will introduce this lab session and discuss key concepts.
The lab will be directed and provide you with step-by-step walkthroughs of key features.
Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.
Be sure to ask your instructor any questions you may have.
Thank you for coming to our lab session.
VIP Lab Architecture
VM Image 1: Win2008r2 AD (192.168.64.10)
VM Image 2: VIP Enterprise Gateway, Win2008 server (192.168.64.133)
VM Image 3: XP Client (192.168.64.128)
VM Image 4: Juniper SSL (192.168.64.100)
PART 1: Lab Deployment and Configuration Lab Guide
Lab AD Accounts – Defined on Image 1: Win2008r2 AD Server. Passwords set to ‘symc4now’.
vip user – used to self-enroll a VIP credential and authenticate to the Juniper SSL portal
vip srv – VIP service account running the VIP services
vipadmins – VIP security group for administrative functions
helpdesk admin – used to show VIP Helpdesk Administrator functions
helpdesk user – used as the Helpdesk Administrator’s user account
Modify AD User Accounts
From Image 1 – Win2008r2-AD.TFE.NET (Log in as Administrator with password ‘symc4now’.)
1. Modify AD vip and helpdesk administrator accounts
a. Open and launch MMC from the Desktop. Expand Active Directory Users and Computers.
b. Right-click on vip user and select Properties.
c. Update the email to vipuserxx, where xx is your lab station number.
d. Update the telephone with your mobile number. Include a preceding 1 before the number.
e. Click on the Telephones tab. Add your mobile number here also.
f. Repeat the steps for the helpdesk admin user to update its email and phone number.
VIP Enterprise Gateway 9.01 Install
Log into Image 2 Windows2008r2VIP (Log in as tfe/Administrator with password ‘symc4now’)
1. Open Windows File Explorer. Navigate to c:/VIP 9.0. Launch setup.exe.
2. For the console administrator use ‘VIPAdmin’ with password ‘symc4now’.
3. Take the default AD user store settings.
4. Complete the install. There is no need to launch the configuration console at this point.
Power on and log into the Win XP-Admin Pro VMware image (user name SE with password ‘symc4now’).
VIP Enterprise Gateway Preparation
1. Acquire a VIP certificate to prepare for configuration and setup
a. Log into VIP Manager (using the VIPM master account supplied in the lab).
b. On the right side panel, under VIP Account Management, select Manage VIP Certificates.
c. On the next screen select Request a certificate and follow the prompts.
d. For the certificate name enter UALabX, where X is your lab workstation number.
e. Select PKCS 12, enter a download password, select Download certificate and save it to the Z:/labshare/certificates folder.
Configuration of VIP Enterprise Gateway
1. Launch the VIP Configuration Console from Favorites.
2. Enter the Configuration Administrator username 'VIPAdmin' with password 'symc4now' and sign in.
3. Add your VIP certificate by selecting Add a VIP Certificate.
4. Browse to your certificate file 'UALabX' (Z:/labshare/certificates), enter the password and submit.
5. Click on the Optional tab and select User Store to configure the local AD as the authentication store.
6. Configure the User Store settings as follows. For Port use 389. vip srv will be used as the service account to bind to AD. For the distinguished name use:
CN=vip srv,CN=Users,DC=tfe,DC=net
Use your test VIP user account ‘vipuser’ to test the bind when you submit the configuration.
7. Click on the Self-Service tab to enable VIP self credential activation. Click Yes to turn on the Self Service portal. Click Yes to Enable Automatic Distribution of Security. Check all attributes (Email, Mobile, Phone) that you want to allow as OOB options with the SSP. Click Start Service to start the Self-Service page.
9. Configure the Validation Server. Click the Validation tab and then Add Server.
10. Take the third option to enable User ID plus LDAP password plus OTP Security Code for the two-factor authentication service.
11. Take the default of No for the Delegation option.
12. Configure the RADIUS Service Validation. For the password use 'symc4now'.
13. Click Start to launch the Validation Service in listening mode. You should receive a success screen once it has started.
14. Log into Cloud VIP Manager and configure the VIP Policy. From the right control panel select VIP Policy Configuration and select the first tab, VIP Account. Select the desired credential types that can be registered. Click Yes for Multi-user credentials.
15. Click on the VIP Components tab and click Yes to enable temporary security codes for the VIP SSP, and select the desired OOB options. Also click Yes to require second-factor authentication for first-time access to the SSP. OOB authentication will then be required when a user first registers a VIP credential.
Juniper SSL VPN Gateway Radius Configuration
1. Launch the Juniper Web Admin Portal. Use admin for the username and 'symc4now' for the password.
2. Once logged in, click on Auth Servers in the left control panel, select New Radius Server, then click New Server to add the VIP EGW as a new RADIUS server.
3. Define it as a Radius VIP EGW Validation Server. For NAS-Identifier select SSL.
Define as shown below, with the IP of 192.168.64.133, a shared secret of ‘symc4now’ and the default Auth Port of 1812. Check the option for users authenticating with a token or OTP.
4. Define User Authentication to use the VIP EGW RADIUS server. Click on User Realms and then select the default ‘Users’ realm. For the Authentication Server select the Radius VIPEGW server just created.
5. Point to the standard Juniper SSL logon pages. From the left control panel select Signing In, then Sign In Policies. Select the standard Juniper SSL logon pages as shown below.
PART 2: VIP 9.01 User Demo Script
From XP Pro VM Image 3 (log on as SE with password ‘symc4now’).
End User Credential Self-Service Activation (with OOB for initial registration)
1. Log into the VIP Self-Service portal using your AD username and password, where the username is vipuser (or another demo user account) and the password is 'symc4now'.
2. Select desired OOB method to receive security code for credential registration and click Continue. Email address and/or phone number must be configured in user’s account within AD for receipt of Security Code.
3. Check your email for the message from the VIP service containing the temporary security code needed to complete credential registration. Go to www.yopmail.com if using their random email generator.
4. Copy the temporary VIP security code and paste it into the registration window.
5. Register VIP User VPN credential. Type in Credential friendly name, Credential Id, and Security Code.
6. A success screen appears when you have successfully registered your credential.
Test the EGW install and configuration by logging into the Juniper user portal
1. Launch the Juniper user logon portal and type in the test VIP user with password, where the password is ‘AD password plus OTP Security Code’.
3. If successful you will be logged in.
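The login in step 1 above works together with the "User ID plus LDAP password plus OTP Security Code" option chosen when the Validation Server was configured: the Juniper SSL VPN sends both factors to the VIP EGW in a single RADIUS User-Password attribute, and the EGW splits them. The following is an added example, not Symantec's or Juniper's code, that builds that Access-Request the way a NAS does (RFC 2865 PAP password hiding, User-Name and NAS-Identifier attributes) and then validates it the way the Validation Server does in that mode. It assumes a 6-digit VIP security code, a constructed in-memory user store in place of AD and the VIP cloud service, and the lab's shared secret, address and port; `build_access_request`, `validate_access_request`, `LAB_USERS` and `OTP_LENGTH` are names chosen for this example.

```python
# Added example (not Symantec's or Juniper's code): a minimal RADIUS Access-Request
# built the way the Juniper SSL VPN sends it to the VIP EGW Validation Server, and the
# validation logic for the "userid + LDAP password + OTP" mode described in the lab.
# Assumptions: the VIP security code is 6 digits, the user store is a constructed
# in-memory dict, and the shared secret is the lab value 'symc4now'.
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3     # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32         # RFC 2865 attribute types
VIP_EGW = ("192.168.64.133", 1812)   # lab address and default Auth Port from the guide
SHARED_SECRET = b"symc4now"          # lab shared secret; use a long random one in production
OTP_LENGTH = 6                       # assumption: VIP security codes are 6 digits

# Constructed user store standing in for AD plus the VIP cloud service:
# username -> (LDAP password, the security code currently valid for that credential)
LAB_USERS = {"vipuser": ("symc4now", "123456")}


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password per RFC 2865 section 5.2: pad to a 16-byte multiple and
    XOR each block with MD5(secret + previous block), seeded by the Request Authenticator.
    This is obfuscation keyed only by the shared secret, not real encryption."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse pap_encrypt; the chain is keyed by the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password_plus_otp: str, nas_id: str,
                         secret: bytes = SHARED_SECRET, identifier: int = 1) -> bytes:
    """What the NAS (Juniper SSL VPN) sends: the user types 'AD password' + 'OTP' in one
    password field, so the two travel as a single User-Password attribute."""
    authenticator = secrets.token_bytes(16)
    attrs = b""
    for attr_type, value in ((USER_NAME, username.encode()),
                             (USER_PASSWORD, pap_encrypt(password_plus_otp.encode(), secret, authenticator)),
                             (NAS_IDENTIFIER, nas_id.encode())):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value   # type, length, value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the type/length/value attribute list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2:          # malformed attribute; stop rather than loop forever
            break
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def validate_access_request(packet: bytes, secret: bytes = SHARED_SECRET, users=LAB_USERS) -> int:
    """Simplified Validation Server: split the combined password into LDAP password and
    OTP, check the LDAP part against the user store (the real EGW binds to AD) and the
    OTP against the credential, and answer Access-Accept or Access-Reject."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return ACCESS_REJECT
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return ACCESS_REJECT
    username = attrs[USER_NAME].decode("utf-8", "replace")
    combined = pap_decrypt(attrs[USER_PASSWORD], secret, authenticator).decode("utf-8", "replace")
    if len(combined) <= OTP_LENGTH or not combined[-OTP_LENGTH:].isdigit():
        return ACCESS_REJECT        # no OTP suffix: password alone is never enough
    ldap_password, otp = combined[:-OTP_LENGTH], combined[-OTP_LENGTH:]
    expected = users.get(username)
    if expected is None:
        return ACCESS_REJECT
    ok_pw = hmac.compare_digest(ldap_password.encode(), expected[0].encode())
    ok_otp = hmac.compare_digest(otp.encode(), expected[1].encode())
    return ACCESS_ACCEPT if (ok_pw and ok_otp) else ACCESS_REJECT


if __name__ == "__main__":
    req = build_access_request("vipuser", "symc4now" + "123456", nas_id="SSL")
    print("Access-Accept" if validate_access_request(req) == ACCESS_ACCEPT else "Access-Reject")
```

Two points worth noting when reviewing a deployment like this one: the RFC 2865 password hiding is an MD5 stream keyed only by the shared secret, so the Juniper-to-EGW RADIUS path belongs on a trusted segment with a long random secret rather than the lab's 'symc4now'; and the validator above checks both factors and rejects if either fails, so a leaked AD password alone never produces an Access-Accept.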
PART 3: LAB Administrative Flows – (for HelpDesk Administrators)
1. Open IE and launch Cloud VIP Manager from Favorites.
a. Log in using your Master VIP Admin account.
2. Create an Enterprise Helpdesk Administrator.
a. On the right panel select Create VIP Administrators under the VIP Account Management section.
3. Create and/or modify the Helpdesk Administrator AD user account.
a. Type in the first name and last name matching the AD user’s first name and last name. This Helpdesk admin user account was created for you in AD.
b. Type in the email matching the AD email you supplied in the deployment lab. The suggestion was to use email@example.com where xx is your workstation number.
c. You can leave the credential ID blank. Define with the customer support role.
d. As a final reminder, the Helpdesk admin first name, last name, and email in VIP Manager must match exactly what is in AD Users.
4. Log in to VIP Manager as Helpdesk Administrator.
a. Locate the email from the VIP service and open it. Click the link to access the web page to activate your VIP Helpdesk VIPM account. Copy and paste the helpdesk admin email and then the password from the bottom of the email message to log in to VIP Manager as Helpdesk Administrator.
b. Create a new password of 'symc4now'.
c. Click Continue to access the Register Your VIP Credential page.
d. Select the credential for the Helpdesk admin and populate the Credential ID and Security Code.