Microsoft Direct Access Integration - Revision history (https://kb.swivelsecure.com/w/index.php?title=Microsoft_Direct_Access_Integration&feed=atom&action=history, MediaWiki 1.28.0, feed generated 2024-03-28T08:57:32Z)
Revision 2409, Admin, 2017-05-11T12:52:15Z: 1 revision imported (no difference from the older revision)
Revision 2408, Rallen, 2015-08-20T16:06:15Z:
<p><b>New page</b></p><div>{{template:default}}<br />
<br />
[[Category:VPN]]<br />
[[Category:Integration]]<br />
[[Category:microsoft|D]]<br />
<br />
= Introduction =<br />
<br />
Microsoft Direct Access allows a VPN connection to be brought up when a user requires access to an organisation's internal resources. PINsafe can authenticate a user accessing those internal resources using dual channel authentication such as SMS, the Mobile Phone Client, the Taskbar utility (see [[Taskbar_How_to_Guide | Taskbar How to Guide]]) and [[Token]].<br />
<br />
<br />
= Prerequisites =<br />
<br />
Microsoft Direct Access fully configured<br />
<br />
Microsoft CA server for OTP authentication<br />
<br />
PINsafe 3.x<br />
<br />
<br />
= Baseline =<br />
<br />
Microsoft UAG SP1 with Direct access configured<br />
<br />
PINsafe 3.8<br />
<br />
<br />
= Architecture =<br />
<br />
When a Direct Access connection is made, a pop up appears for the user prompting them to enter their One Time Code. This is then checked by the UAG against PINsafe using RADIUS authentication.<br />
<br />
<br />
= Installation =<br />
<br />
==PINsafe Configuration==<br />
<br />
<br />
=== Configuring the RADIUS server===<br />
<br />
Configure the RADIUS settings using the RADIUS configuration page in the PINsafe Administration console. In this example (see the diagram below) the RADIUS Mode is set to ‘Enabled’ and the HOST IP (the PINsafe server) is set to 0.0.0.0 (leaving the field empty has the same result). This means that the server will answer RADIUS requests on every IP address it has, regardless of which address they were sent to.<br />
<br />
Note: for appliances, the PINsafe VIP should not be used as the server IP address, see [[VIP on PINsafe Appliances]]<br />
<br />
<br />
[[Image:PINsafe36RADIUSserver.JPG]]<br />
<br />
<br />
=== Setting up the RADIUS NAS ===<br />
<br />
Set up the NAS using the Network Access Servers page in the PINsafe Administration console. Enter a name for the VPN server, set the IP address to the IP of the VPN appliance, and assign the shared secret (‘secret’ in this example), which must be entered identically in the PINsafe NAS entry and in the VPN RADIUS configuration. In production use a long, random shared secret rather than the example value, since it is what protects the one-time code between the UAG and PINsafe.<br />
<br />
<br />
[[Image:PINsafe 36 generic RADIUS NAS.JPG]]<br />
<br />
<br />
An EAP protocol can be specified if required; otherwise CHAP, PAP and MSCHAP are supported. All users will be able to authenticate via this NAS unless authentication is restricted to a specific repository group.<br />
<br />
<br />
=== Enabling Session creation with username ===<br />
<br />
PINsafe can be configured to use the Taskbar to present a TURing image to users when prompted for authentication by Direct Access. See [[Taskbar_How_to_Guide | Taskbar How to Guide]]<br />
<br />
To allow Single Channel authentication on PINsafe follow the below steps.<br />
<br />
Go to the ‘Single Channel’ Admin page and set ‘Allow Session creation with Username:’ to YES.<br />
<br />
To test the configuration, request the following URL with a valid PINsafe username:<br />
<br />
Appliance<br />
<br />
https://PINsafe_server_IP:8443/proxy/SCImage?username=testuser<br />
<br />
For a software only install see [[Software Only Installation]]<br />
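The two PINsafe-side checks above (the RADIUS NAS entry and the Single Channel SCImage URL) can be exercised from a workstation before the UAG is configured. The following is an added example, not code from the Swivel page, PINsafe or UAG: it builds the RADIUS Access-Request that the UAG sends on the user's behalf (one-time code carried as a PAP User-Password per RFC 2865), verifies the Response Authenticator of the reply against the shared secret, and fetches the SCImage URL. The host name pinsafe.example.internal, the NAS address 10.0.0.5, the user testuser, the code 123456 and the secret are assumed sample values.

```python
# Added example, not code from the Swivel page, PINsafe or UAG. Host names, the
# NAS address 10.0.0.5 and the shared secret used below are assumed sample values.
import hashlib, hmac, os, socket, struct, urllib.parse, urllib.request

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute types (RFC 2865)

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    It is keyed obfuscation, not strong encryption: the shared secret must be long."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt (the server side); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes (value at most 253 bytes)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(data: bytes) -> dict:
    """Split a packet's attribute section into {type: value}."""
    attrs = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        attrs[attr_type], data = data[2:length], data[length:]
    return attrs

def build_access_request(username, otp, secret, nas_ip, identifier=0, authenticator=None):
    """The Access-Request the UAG (acting as NAS) sends to PINsafe, carrying the
    one-time code as a PAP User-Password. Returns (packet, request_authenticator)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be fresh and unpredictable per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_encrypt(otp.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """How a RADIUS server forms its reply (RFC 2865 s3); used to make test vectors."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(packet, request_authenticator, secret):
    """Return (outcome, authentic). authentic is True only if the Response Authenticator
    equals MD5(Code+ID+Length + RequestAuth + Attributes + Secret). A reply failing
    this check was not produced with our shared secret: treat it as a reject."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "malformed", False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    authentic = hmac.compare_digest(expected, packet[4:20])
    outcome = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(packet[0], f"code {packet[0]}")
    return outcome, authentic

def radius_check(server, secret, username, otp, nas_ip, port=1812, timeout=5.0):
    """Live check of the NAS entry and secret: one Access-Request, one verified reply."""
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(username, otp, secret, nas_ip, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    if len(reply) < 2 or reply[1] != ident:
        return "identifier mismatch", False
    return verify_response(reply, req_auth, secret)

def scimage_url(host, username, port=8443):
    """The appliance Single Channel test URL from the page, username URL-encoded."""
    return f"https://{host}:{port}/proxy/SCImage?" + urllib.parse.urlencode({"username": username})

def scimage_check(host, username, port=8443, timeout=5.0):
    """Live check that session creation by username is on: PINsafe should return an
    image. The appliance's HTTPS certificate must be trusted by the calling host."""
    with urllib.request.urlopen(scimage_url(host, username, port), timeout=timeout) as resp:
        return resp.status == 200 and resp.headers.get("Content-Type", "").startswith("image/")

if __name__ == "__main__":  # sample run against assumed addresses
    print(radius_check("pinsafe.example.internal", b"secret", "testuser", "123456", "10.0.0.5"))
    print(scimage_check("pinsafe.example.internal", "testuser"))
```

Run it from a host whose address matches the NAS entry created above; a reply of ("Access-Reject", True) means the secret and NAS entry are right but the code was wrong, while ("Access-Accept", False) or ("Access-Reject", False) means the reply was not authenticated with the shared secret configured here, which is exactly the symptom of a mismatched secret between the NAS page and the UAG OTP server entry. The identifier and Request Authenticator checks are what stop a stale or spoofed reply from being accepted.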
<br />
<br />
== Microsoft Direct Access Integration ==<br />
<br />
Ensure that Microsoft Direct Access is fully working and tested before starting the PINsafe integration.<br />
<br />
<br />
=== Enable Two Factor Authentication ===<br />
<br />
<br />
On the Forefront UAG Direct Access configuration page select under Step 2 Optional Settings the link for ''Two-Factor Authentication''<br />
<br />
<br />
[[Image:1 Forefront UAG Direct Access.jpg]]<br />
<br />
<br />
Click on ''Require two-factor authentication''<br />
<br />
<br />
[[Image:2 Forefront UAG Direct Access Two Factor Authentication Configuration.jpg]]<br />
<br />
<br />
Click on ''Clients will authenticate using a one-time password (OTP)''<br />
<br />
<br />
[[Image:3 Forefront UAG Direct Access Two Factor Authentication Configuration Enable.jpg]]<br />
<br />
<br />
=== Configure OTP Authentication Server ===<br />
<br />
On the OTP Authentication tab click Add <br />
<br />
<br />
[[Image:4 Forefront UAG Direct Access Two Factor Authentication Configuration OTP Server.jpg]]<br />
<br />
<br />
Select Server Type RADIUS and enter the following information:<br />
<br />
*Server Name: A descriptive name for the RADIUS server<br />
*Port: RADIUS port used by the Swivel server, usually 1812<br />
*IP address/host: The Swivel RADIUS server<br />
*Alternate IP/host: A secondary Swivel RADIUS server<br />
*Alternate port: The port used by the secondary Swivel server, usually 1812<br />
*Secret Key: A shared secret entered on the Swivel servers.<br />
<br />
<br />
[[Image: 5 Forefront UAG Direct Access Two Factor Authentication Configuration Add Server.jpg]]<br />
<br />
<br />
Ensure that the new Swivel server is selected. Optionally select ''Require OTP user names to match Active Directory user names''; with this setting enabled, users log on in UPN format (username@domain) and the user name is automatically populated at the Direct Access login.<br />
<br />
<br />
[[Image:6 Forefront UAG Direct Access Two Factor Authentication Configuration select Server.jpg]]<br />
<br />
<br />
=== CA Server Configuration ===<br />
<br />
<br />
Under OTP CA Servers click on Add and select the OTP CA Server.<br />
<br />
<br />
[[Image:7 Forefront UAG Direct Access Two Factor Authentication Configuration select CA Server.jpg]]<br />
<br />
<br />
This example is configured to use existing CA templates.<br />
<br />
<br />
[[Image:8 Forefront UAG Direct Access Two Factor Authentication Configuration CA selection.jpg]]<br />
<br />
<br />
Select the required templates<br />
<br />
<br />
[[Image:9 Forefront UAG Direct Access Two Factor Authentication Configuration CA Templates.jpg]]<br />
<br />
<br />
Validate the CA templates<br />
<br />
<br />
[[Image:10 Forefront UAG Direct Access Two Factor Authentication Configuration CA validation.jpg]]<br />
<br />
<br />
<br />
== Additional Installation Options ==<br />
<br />
<br />
= Verifying the Installation =<br />
<br />
Access with the Direct Access client, entering the username, AD password and One Time Code. If the option ''Require OTP user names to match Active Directory user names'' is enabled, the user name will be automatically populated.<br />
<br />
Check the UAG and PINsafe logs for authentication messages.<br />
<br />
<br />
= Uninstalling the PINsafe Integration =<br />
<br />
<br />
= Troubleshooting =<br />
<br />
<br />
= Known Issues and Limitations =<br />
<br />
<br />
= Additional Information =<br />
<br />
Microsoft DirectAccess</div>