SR L15 Hands-On Lab
Source: vox.veritas.com/legacyfs/online/veritasdata/SR L15.pdf

Description: Protecting Corporate Networks with Symantec Validation and ID Protection

At the end of this lab, you should be able to

Technically present and answer questions from your customers on Symantec’s Validation and ID Protection services

Deliver and customize customer demos for VIP services

Deliver and manage customer VIP POCs

Develop VIP solutions to meet your customer’s needs

Notes: A brief presentation will introduce this lab session and discuss key concepts.

The lab will be directed and provide you with step-by-step walkthroughs of key features.

Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.

Be sure to ask your instructor any questions you may have.

Thank you for coming to our lab session.


VIP Lab Architecture
VM Image 1: Win2008r2 AD (192.168.64.10)
VM Image 2: VIP Enterprise Gateway, Win2008 server (192.168.64.133)
VM Image 3: XP Client (192.168.64.128)
VM Image 4: Juniper SSL (192.168.64.100)

PART 1: Lab Deployment and Configuration Lab Guide

Lab AD Accounts – defined on Image 1, the Win2008r2 AD server. Passwords are set to ‘symc4now’.
vip user – used to self-enroll a VIP credential and to authenticate to the Juniper SSL portal
vip srv – VIP service account running the VIP services
vipadmins – VIP security group for administrative functions
helpdesk admin – used to show VIP Helpdesk Administrator functions
helpdesk user – used as the Helpdesk Administrator’s user account

Modify AD User Accounts

From Image 1 – Win2008r2-AD.TFE.NET (log in as Administrator with password ‘symc4now’).
1. Modify the AD vip user and helpdesk admin accounts.
a. Open and launch MMC from the Desktop. Expand Active Directory Users and Computers.


b. Right-click on vip user and select Properties.
c. Update the email to vipuserxx, where xx is your lab station number.
d. Update the telephone with your mobile number. Include a preceding 1 before the number.
e. Click on the Telephones tab. Add your mobile number here also.
f. Repeat these steps for the helpdesk admin user to update its email and phone number.

VIP Enterprise Gateway 9.01 Install

Log into Image 2 Windows2008r2VIP (Log in as tfe/Administrator with password ‘symc4now’)

1. Open Windows File Explorer. Navigate to c:/VIP 9.0. Launch setup.exe.
2. For the console administrator use ‘VIPAdmin’ with a password of ‘symc4now’.
3. Take the default AD user store settings.
4. Complete the install. There is no need to launch the configuration console at this point.

Power on and log into the Win XP-Admin Pro VMware image (user name SE with password ‘symc4now’).

VIP Enterprise Gateway Preparation

1. Acquire a VIP certificate to prepare for configuration and setup.
a. Log into VIP Manager (using the VIPM master account supplied in the lab).
b. On the right-side panel, under VIP Account Management, select Manage VIP Certificates.
c. On the next screen select Request a certificate and follow the prompts.
d. For the certificate name enter UALabX, where X is your lab workstation number.
e. Select PKCS 12, enter a download password, select Download certificate and save it to the Z:/labshare/certificates folder.

Configuration of VIP Enterprise Gateway

1. Launch the VIP Configuration Console from Favorites.
2. Enter the Configuration Administrator username ‘VIPAdmin’ with password ‘symc4now’ and sign in.
3. Add your VIP certificate by selecting Add a VIP Certificate.
4. Browse to your certificate file ‘UALabX’ (Z:/labshare/certificates), enter the password and submit.
5. Click on the Optional tab and select User Store to configure the local AD as the authentication store.
6. Configure the User Store settings as follows. For Port use 389. vip srv will be used as the service account that binds to AD; for the bind user distinguished name use:
CN=vip srv,CN=Users,DC=tfe,DC=net
Use your test VIP user account ‘vipuser’ to test the bind when you submit the configuration.


7. Click on the self-service tab to enable VIP self credential activation. Click Yes to turn on Self Service portal. Click Yes to Enable Automatic Distribution of Security. Check all attributes (Email, Mobile, Phone) that you want to allow for OOB options with SSP. Click Start Service to start up the Self-Service page.


9. Configure the Validation Server. Click the Validation tab and then Add Server.
10. Take the third option to enable User ID plus LDAP password plus OTP Security Code for our two-factor authentication service.
11. Take the default of No for the Delegation option.
12. Configure RADIUS Service Validation. For the password use ‘symc4now’.

13. Click Start to launch the Validation Service in listening mode. You should receive a success screen once it has started.
14. Log into the cloud VIP Manager and configure the VIP policy. From the right control panel select VIP Policy Configuration and select the first tab, VIP Account. Select the desired credential types that can be registered. Click Yes for Multi-user credentials.


15. Click on the VIP Components tab and click yes to enable temporary security codes for VIP SSP and select desired OOB options. Also, click yes to require second factor authentication for first-time access to SSP. OOB Authentication will be required for initial use when user registers VIP credential.


Juniper SSL VPN Gateway Radius Configuration

1. Launch the Juniper Web Admin Portal. Use admin for the username and ‘symc4now’ for the password.
2. Once logged in, click on Auth Servers in the left control panel, select New Radius Server, then click New Server to add the VIP EGW as a new RADIUS server.
3. Define it as the Radius VIP EGW Validation Server. For NAS-Identifier enter SSL.
Define as below with the IP of 192.168.64.133, a shared secret of ‘symc4now’, and leave the default Auth Port of 1812. Check the option for users authenticating with a token or OTP.


4. Define User Authentication to use the VIP EGW Radius Server. Click on User Realms and then select Default ‘Users’ Realm. For the Authentication Server select the Radius VIPEGW server just created.

5. Point to standard Juniper SSL Logon Pages. From left control panel select Signing In – then Sign In – Policies. Select the standard Juniper SSL logon pages as seen below.
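The RADIUS exchange that the validation server setup (steps 9 to 13 of the gateway configuration) and the Juniper server entry above establish can be traced with the added example below. It is not code from the lab guide, Symantec or Juniper: it builds the Access-Request that the Juniper SSL VPN would send to 192.168.64.133 on UDP port 1812 with the shared secret ‘symc4now’, protects the User-Password attribute the way RFC 2865 section 5.2 requires, and shows the gateway recovering the AD password and the OTP from the combined ‘AD password plus OTP Security Code’ value used at logon. The 6-digit OTP length, the user name and the NAS-Identifier value are assumptions, and nothing is sent on the network.

```python
"""Added example (not from the lab guide, Symantec or Juniper): a RADIUS Access-Request
round trip between a NAS (the Juniper SSL VPN) and the VIP EGW validation server."""
import hashlib
import os
import struct

SHARED_SECRET = b"symc4now"  # lab value; a production secret should be long and random
OTP_LENGTH = 6               # assumption: VIP security codes are 6 digits

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, c1 = p1 ^ MD5(secret+RA), cN = pN ^ MD5(secret+c(N-1))."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of encode_user_password; only a holder of the shared secret can do this."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += _xor(encoded[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value   # type, length, value


def build_access_request(username, password_plus_otp, nas_identifier,
                         secret=SHARED_SECRET, identifier=0, authenticator=None):
    """What the NAS sends: 20-byte header (code, id, length, Request Authenticator) + attributes."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD,
                     encode_user_password(password_plus_otp.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_identifier.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes):
    """Split a datagram into (code, identifier, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def split_password_and_otp(combined: str, otp_length: int = OTP_LENGTH):
    """Validation server option 3 ('LDAP password + OTP'): the trailing digits are the OTP."""
    if len(combined) <= otp_length or not combined[-otp_length:].isdigit():
        raise ValueError(f"password field does not end in a {otp_length}-digit security code")
    return combined[:-otp_length], combined[-otp_length:]


def gateway_receive(packet: bytes, secret: bytes = SHARED_SECRET) -> dict:
    """What the VIP EGW does before it tries the LDAP bind and checks the OTP."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    combined = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode()
    ldap_password, otp = split_password_and_otp(combined)
    return {"user": attrs[ATTR_USER_NAME].decode(),
            "nas": attrs.get(ATTR_NAS_IDENTIFIER, b"").decode(),
            "ldap_password": ldap_password, "otp": otp}


def secret_matches(packet: bytes, secret: bytes) -> bool:
    """A gateway configured with a different shared secret cannot recover a usable password."""
    try:
        gateway_receive(packet, secret)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    pkt = build_access_request("vipuser", "symc4now" + "123456", "SSL")
    print(gateway_receive(pkt))
```

The shared secret is the only thing that keeps the password readable to the gateway alone, which is why it must match on both sides (step 12 and the Juniper server entry) and why a mismatch shows up as every logon failing rather than as a clear error.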


PART 2: VIP 9.01 User Demo Script

From XP Pro VM Image 3 (log on as SE with password ‘symc4now’).

End User Credential Self-Service Activation (with OOB for initial registration)

1. Log into the VIP Self-Service Portal using your AD username and password, where the username is vipuser (or another demo user account) and the password is ‘symc4now’.

2. Select desired OOB method to receive security code for credential registration and click Continue. Email address and/or phone number must be configured in user’s account within AD for receipt of Security Code.

3. Check email to retrieve email from VIP service with temporary security code to complete credential registration. Go to www.yopmail.com if using their random email generator.


4. Copy the temporary VIP security code and paste it into the registration window.

5. Register VIP User VPN credential. Type in Credential friendly name, Credential Id, and Security Code.

6. A success screen appears when you have successfully registered your credential.

Test the install of the EGW and its configuration by logging into the secure Juniper user logon portal.

1. Launch the Juniper User Logon portal and type in the test VIP user with password, where the password is ‘AD password plus OTP Security Code’.

2. If successful you will be logged in.

PART 3: LAB Administrative Flows – (for HelpDesk Administrators)

1. Open IE and launch the cloud VIP Manager from Favorites.
a. Log in using your Master VIP Admin account.
2. Create an Enterprise Helpdesk Administrator.
a. On the right panel select Create VIP Administrators under the VIP Account Management section.


3. Create and/or modify the Helpdesk Administrator AD user account.
a. Type in the first name and last name, which must match the AD user’s first name and last name. This helpdesk admin user account was created for you in AD.
b. Type in the email, which must match the AD email you supplied in the deployment lab. The suggestion was to use [email protected], where xx is your workstation number.
c. You can leave the credential ID blank. Define the account with the customer support role.
d. As a final reminder, the helpdesk admin first name, last name and email in VIP Manager must match exactly what is in AD Users.

4. Log in to VIP Manager as Helpdesk Administrator.

a. Locate the email from the VIP service and open it. Click the link to access the web page to activate your VIP Helpdesk VIPM account. Copy and paste the helpdesk admin email and then the password from the bottom of the email message to log in to VIP Manager as Helpdesk Administrator.


b. Create a new password of ‘symc4now’.
c. Click Continue to access the Register your VIP credential page.

d. Select credential for Helpdesk admin and populate Credential ID and Security Code fields.

e. Click register to register your credential. Example below shows use of VIP Access for Desktop as credential.


j. Click Go to My Account to continue into the VIP Manager.

k. Notice that the VIP Manager dashboard has changed for the Helpdesk Admin, as they are limited to the admin functions of the customer support role, primarily credential and user management.

3. Create the Helpdesk Admin VIP User account.

a. Under VIP End User Management click Create VIP End User.


b. Create Helpdesk Administrator's user account. When creating Helpdesk Admin’s end user account this user also needs to match AD user. Helpdesk user represents the user account for the Helpdesk Administrator.

c. Add and register a credential for the Helpdesk Admin VIP user account. Copy and paste both the credential ID and the security code. For Credential Name put in a friendly name like iPhone.

Optional Lab

VIP has the option to use a local IDP SSP to log into the VIP Manager using AD credentials. To accomplish this we have created an AD security group ‘vipadmins’. Helpdesk Administrator access is controlled through membership of this AD group. We have already added the Helpdesk Admin AD user account to this group.

1. Open an IE browser and log into the VIP Configuration Console.


2. Click on the VIP Manager tab and click Yes to enable VIP Manager local access.
3. Add a group filter defined as follows:
(memberOf=CN=vipadmins,CN=Users,DC=tfe,DC=net)
4. Insert a test user ID of ‘helpdeskadmin’.
5. Apply and Start Service.
6. The URL to access the VIP Manager IDP is http://192.168.64.133:8234/vipmgr. It is also located as a Favorites tab labeled IDP VIP Manager.
7. Log into the IDP VIP Manager using the helpdeskadmin account and the AD password ‘symc4now’. You should already have a VIP credential registered for this user.
8. As a final lab exercise, select Find/Modify Credential under Credential Management.

Locate a credential and take note of the different credential management functions you have, including setting temporary passcodes for lost or forgotten VIP tokens, changing credential status, etc.
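To see which accounts the group filter from step 3 of the optional lab actually admits, the added example below (not part of the lab guide or the VIP product) evaluates that filter, and tightened variants of it, against a few constructed AD entries. Only the names helpdeskadmin, helpdeskuser and vipuser come from the lab; the formeradmin entry, the memberOf lists and the userAccountControl values are constructed for the demonstration.

```python
"""Added example (not from the lab guide or VIP): evaluate an LDAP search filter of the
kind used for VIP Manager local access against constructed AD user entries."""

GROUP_FILTER = "(memberOf=CN=vipadmins,CN=Users,DC=tfe,DC=net)"   # filter from the lab

# Constructed entries. formeradmin is invented: still in the group, but disabled (514).
DIRECTORY = {
    "helpdeskadmin": {"memberOf": ["CN=vipadmins,CN=Users,DC=tfe,DC=net",
                                   "CN=Domain Users,CN=Users,DC=tfe,DC=net"],
                      "userAccountControl": ["512"]},
    "helpdeskuser": {"memberOf": ["CN=Domain Users,CN=Users,DC=tfe,DC=net"],
                     "userAccountControl": ["512"]},
    "vipuser": {"memberOf": ["CN=Domain Users,CN=Users,DC=tfe,DC=net"],
                "userAccountControl": ["512"]},
    "formeradmin": {"memberOf": ["cn=VIPAdmins, cn=Users, dc=TFE, dc=net"],  # same DN, other case/spacing
                    "userAccountControl": ["514"]},   # 512 (normal) + 2 (ACCOUNTDISABLE)
}


def _norm(value: str) -> str:
    """AD compares DNs case-insensitively and ignores whitespace around RDN separators."""
    return ",".join(part.strip() for part in value.split(",")).casefold()


def _parse(text: str, i: int):
    """Recursive descent over one parenthesised filter starting at text[i]; returns (node, next)."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|!":
        op, children = text[i], []
        i += 1
        while i < len(text) and text[i] == "(":
            child, i = _parse(text, i)
            children.append(child)
        if i >= len(text) or text[i] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed {op!r} expression")
        return (op, children), i + 1
    end = text.find(")", i)
    if end == -1:
        raise ValueError("unterminated filter item")
    attr, sep, value = text[i:end].partition("=")   # first '=' separates attribute from value
    if not sep or not attr or not value:
        raise ValueError("only simple attr=value items are supported here")
    return ("=", attr, value), end + 1


def parse_filter(text: str):
    """Parse the RFC 4515 subset (attr=value), (&...), (|...), (!...)."""
    text = text.strip()
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("truncated filter") from None
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry: dict) -> bool:
    """True when the entry satisfies the parsed filter (attribute names compared case-insensitively)."""
    if node[0] == "=":
        _, attr, wanted = node
        values = next((v for k, v in entry.items() if k.casefold() == attr.casefold()), [])
        return any(_norm(v) == _norm(wanted) for v in values)
    op, children = node
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)


def allowed_users(filter_text: str, directory: dict = DIRECTORY) -> list:
    """Accounts the IDP would admit to VIP Manager under the given group filter."""
    node = parse_filter(filter_text)
    return sorted(uid for uid, entry in directory.items() if matches(node, entry))


if __name__ == "__main__":
    print(allowed_users(GROUP_FILTER))
    print(allowed_users("(&" + GROUP_FILTER + "(!(userAccountControl=514)))"))
```

The plain memberOf filter admits everyone in the group, including a disabled account that was never removed from it, so the second call shows the effect of combining the group test with an account-state test. This evaluator only understands simple equality; a real AD query would express the disabled check with the bitwise matching rule (userAccountControl:1.2.840.113556.1.4.803:=2), which the parser here does not implement.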


This guide is intended to assist in upgrading your VIP demo to support IA (VIP Intelligent Authentication) using VIP 9.01.

PART 1: IA Configuration and Setup

Three steps are required to upgrade your VIP demo to support IA.
1. Configure the IA policy in VIP Manager
2. Configure the Self-Service Portal Proxy within the VIP Configuration Console
3. Update your VPN pages to include the IA JavaScript

I. Configure IA Policy in VIP Manager

a. Log into VIP Manager and open VIP Policy Configuration from the left control panel, located under VIP Account Management.
b. Click the VIP Intelligent Authentication tab.
c. Enable the policy:
i. Select Yes to enable the VIP IA policy.
ii. Select an appropriate threshold value for your users by estimating how likely IA is to require additional authentication, based on end user risk. The default threshold value is 50, which is the Symantec-recommended setting. In general, the lower you set the risk threshold value, the more likely VIP IA will consider sign-in transactions suspicious. If the IA risk level for a user’s authentication attempt is above the set threshold, IA considers the attempt risky and recommends additional authentication before the user is granted sign-in access. It is recommended to leave it at 50.
d. Enter the externally accessible domain name(s) of the web applications that you plan to use with VIP IA. For the SE lab demo, use ‘bbtest.net’.
e. Define risky countries and blocked/accepted IP addresses if applicable. Not required for the lab.
f. Under Enable VIP IA click Get Integration Code for VPN.
g. Click Simplified.
h. Put in the SSP IDP Proxy URL http://192.168.64.133:8080/dmzssp/DmzListener
i. Click Generate Integration Code to produce the JavaScript.
j. Copy and paste the JavaScript integration code into a text file for later use. We will use it in part 3 of our IA setup to insert the JavaScript into the Juniper SSL VPN sign-on page.


II. Configure Self-Service Portal Proxy

a. Log into the VIP EGW Configuration Console.
b. Select the Self-Service tab, scroll down and click Edit.
c. Enable the SSP IDP Proxy by selecting Yes.
d. The encryption key should be set to ‘symc4now’ to match the proxy server.
e. Apply changes.

III. Update VPN logon page with IA JavaScript

The SE VIP demo image needs to be updated with your specific Javascript produced in the VIP manager.

a. Log into the XP Admin Demo image.
b. Locate the Juniper login template HTML page to modify, LoginPage.thtml (under Z:/labshare/JuniperSSL/VIPIAPageR1).


c. Open the file with WordPad to edit it.
d. Insert the JavaScript generated using the VIP Manager policy configuration. Insert it between the opening <head> and closing </head> tags. To make it easier you can also locate <% INSERT IA JAVASCRIPT HERE %> in the file and paste immediately following it. An example of my JavaScript is below.

<!-- BEGIN VIP integration code -->
<script type="text/javascript" src="https://vipuserservices.verisign.com/vipuserservices/resources/js/v_1_0/vip?appId=0314667621&idpURL=http://192.168.64.10:8080/dmzssp/DmzListener&autoIntegration=true"></script>
<!-- END VIP integration code -->
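The added example below is not from the lab guide, Symantec or Juniper. It performs step d on a constructed stand-in for LoginPage.thtml (preferring the <% INSERT IA JAVASCRIPT HERE %> marker, falling back to just before </head>, and refusing to insert a second copy on a re-run), and it parses the pasted snippet to compare its idpURL with the SSP IDP Proxy URL entered in Part 1 step h. Run against the snippet above it reports that the snippet points at 192.168.64.10 while step h entered 192.168.64.133, which is the kind of mismatch worth catching before the pages are zipped and uploaded. The template text is constructed; the snippet is the one shown above.

```python
"""Added example (not from the lab guide or Juniper): insert the VIP IA integration snippet
into a Juniper login template and sanity-check the snippet's parameters."""
import re
from urllib.parse import parse_qs, urlsplit

MARKER = "<% INSERT IA JAVASCRIPT HERE %>"
EXPECTED_IDP_URL = "http://192.168.64.133:8080/dmzssp/DmzListener"   # Part 1, step h

# Constructed stand-in for the Juniper template (the real file lives in the lab share).
SAMPLE_TEMPLATE = """<html>
<head>
<title>Secure Access SSL VPN</title>
<% INSERT IA JAVASCRIPT HERE %>
</head>
<body><form name="frmLogin">...</form></body>
</html>
"""

# The snippet from the guide, exactly as the author pasted it.
SAMPLE_SNIPPET = (
    '<!-- BEGIN VIP integration code -->\n'
    '<script type="text/javascript" src="https://vipuserservices.verisign.com/vipuserservices'
    '/resources/js/v_1_0/vip?appId=0314667621&idpURL=http://192.168.64.10:8080/dmzssp/DmzListener'
    '&autoIntegration=true"></script>\n'
    '<!-- END VIP integration code -->'
)

_SRC_RE = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.IGNORECASE)


def inspect_snippet(snippet: str, expected_idp_url: str = EXPECTED_IDP_URL) -> dict:
    """Pull appId, idpURL and autoIntegration out of the script src and compare idpURL to the proxy."""
    match = _SRC_RE.search(snippet)
    if not match:
        raise ValueError("no <script src=...> in snippet")
    parts = urlsplit(match.group(1))
    query = parse_qs(parts.query)
    info = {
        "host": parts.netloc,
        "https": parts.scheme == "https",
        "appId": query.get("appId", [None])[0],
        "idpURL": query.get("idpURL", [None])[0],
        "autoIntegration": query.get("autoIntegration", [""])[0].lower() == "true",
    }
    info["idp_matches_proxy"] = info["idpURL"] == expected_idp_url
    return info


def insert_ia_script(template: str, snippet: str) -> str:
    """Step d: place the snippet after the marker, or before </head> when there is no marker."""
    if snippet in template:
        return template   # idempotent: re-running the step must not add a second copy
    if template.count("</head>") != 1:
        raise ValueError("template must contain exactly one </head>")
    if MARKER in template:
        return template.replace(MARKER, MARKER + "\n" + snippet, 1)
    return template.replace("</head>", snippet + "\n</head>", 1)


def script_inside_head(page: str, snippet: str) -> bool:
    """Verify the snippet appears once and sits between <head> and </head>."""
    start = page.lower().find("<head")
    end = page.find("</head>")
    pos = page.find(snippet)
    return start != -1 and pos != -1 and start < pos < end and page.count(snippet) == 1


if __name__ == "__main__":
    page = insert_ia_script(SAMPLE_TEMPLATE, SAMPLE_SNIPPET)
    print(script_inside_head(page, SAMPLE_SNIPPET), inspect_snippet(SAMPLE_SNIPPET))
```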

e. Save and close the file. Scan through the contents of the VIPIAPageR1 folder to ensure no other zip files are present.

f. In Windows Explorer, open the VIPIAPageR1 folder and press Ctrl-A to select all of the folder’s contents.

g. Right-click and select Send to – Compressed (zipped) Folder.


h. Log into the Juniper WebAdmin to upload the IA pages.
i. From the left control panel select Signing In -> Sign-in Pages.
j. Select Upload Custom Pages.
k. Put in a friendly name for the IA login page, such as ‘IA Juniper Secure Logon’.
l. Browse to your IA pages zipped folder (just created in step g).
m. Click Upload Custom Pages.
n. Configure the Juniper Signing In policies to use the IA secure logon pages.
o. From the left panel select Signing In – Sign-in Policies.
p. Scroll down to User URLs. Click the */ link to edit the default sign-in page.


q. Select the drop-down arrow to pull up the options for the login page.
r. Select the IA pages that you just uploaded.
s. Save changes.
t. You can now log out and test your IA login. Reminder: only the first factor is used for logging in with IA.

PART 2: IA User Demo Script

Preparation Steps for Demo Script

From Image 2: Windows 2008r2 image
1. Start the Tomcat web server running the IA SSP Proxy service.
a. Open a command prompt. Run the tomcat.bat file from the User/Administrator folder.


b. Do NOT close the command prompt window that started the Tomcat web server, as this will stop the IA SSP Proxy web server.

From Image 3: XP image
NOTE – The following IE settings MUST be set for the IA JavaScript to work properly when testing logon using IA services. Use Firefox if you can’t get IE to function properly. These should already be set for IE on Image 3.

1. Add Juniper’s IP to the list of trusted sites: Tools – Internet Options – Security – Trusted Sites. Click Add.
2. Set IE to always allow cookies from the Juniper SSL VPN: under Tools – Internet Options – Privacy – Sites, add the Juniper IP and click Allow.


3. Make sure use of JavaScript is Enabled. Set under Browser Security Settings.

IA User Demo Script

1. Log onto XP User machine and open Juniper User Secure Logon Portal. Juniper should be pointing to your IA web logon pages. Instructions are in the IA Deployment Guide on how to switch to your IA logon pages.

NOTE – Make sure your demo user (VIPUser in this example) does NOT have a credential bound to their user ID in VIP Manager. A bound credential would prevent use of the temporary OOB security code.


2. Proper behavior of IA should produce the following UI. Click on Don’t have a Security Code to retrieve ticket for logging into Juniper SSL VPN.

3. Click on your desired method of obtaining OOB Security Code.


4. Retrieve Security Code from Email.

5. Copy and paste the security code into IA’s Confirm your Identity prompt.

6. Once confirmed you will be securely logged in.