HID Microsoft UAG and 4TRESS AS User Manual

ActivIdentity® 4TRESS™
and Microsoft® Forefront™
Unified Access Gateway
Integration Handbook
Document Version 1.0 | Draft | July 17, 2012
ActivIdentity 4TRESS and Microsoft Unified Access Gateway | Integration Handbook
P 2
External Use | July 17, 2012 | © 2012 ActivIdentity
Document Control

Document Contributors (Includes Reviewers)
Name | Department
William Häggqvist | Professional Services
Isabel Fernandez | Technical Publications
Milan Khan | Professional Services
Paul Jones | Professional Services

Document Approvers
Name | Department
Paul Jones | Professional Services
Milan Khan | Professional Services

Document Revision(s)
Name | Department
Table of Contents
1.0 Introduction ....................................................................................................................................................... 4
1.1 Scope of Document .................................................................................................................................... 4
1.2 Prerequisites .............................................................................................................................................. 4
1.3 Document References ................................................................................................................................ 4
2.0 Configuring 4TRESS......................................................................................................................................... 6
2.1 Adding the User Repository ....................................................................................................................... 6
2.2 Assigning the Repository to a User Type ................................................................................................. 10
2.3 Assigning the Repository to an Administration Group ............................................................................. 13
2.4 Assigning a Static Password for a User ................................................................................................... 16
2.5 Activating a Soft Token ............................................................................................................................ 19
3.0 Configuring Microsoft Forefront TMG ............................................................................................................. 25
3.1 Configuring TMG to Allow RADIUS Communication ............................................................................... 25
4.0 Configuring Microsoft Forefront UAG ............................................................................................................. 33
4.1 Initial Configuration ................................................................................................................................... 33
4.2 Adding the 4TRESS Server to UAG ......................................................................................................... 37
4.3 Adding the Portal Trunk............................................................................................................................ 39
4.4 Activating the Portal Trunk ....................................................................................................................... 44
5.0 Testing the Installation .................................................................................................................................... 46
1.0 Introduction
The Microsoft® Forefront™ Unified Access Gateway 2010 enables a secure remote access service for both managed and unmanaged computers as well as mobile devices. The gateway may be used to enable corporate network access over a virtual private network (VPN) and publish files and/or applications for remote users.
ActivIdentity® solutions may be integrated with Microsoft Forefront Unified Access Gateway 2010 to provide a strong authentication method that is flexible, scalable, and simple to manage. ActivIdentity offers the following solution:
ActivIdentity® 4TRESS™ Authentication Appliance: Offers easy implementation and support for multiple authentication methods that are useful for diverse audiences over the RADIUS channel, including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.
This document explains how to set up ActivIdentity 4TRESS Authentication Appliance, version FT2011 SP1 with Microsoft Forefront Unified Access Gateway (UAG). Use this handbook to enable authentication to Microsoft Forefront UAG over the RADIUS protocol using the RADIUS Front End feature of ActivIdentity 4TRESS.
1.1 Scope of Document
The scope of this document is limited to setting up the integration between Microsoft Forefront UAG and ActivIdentity 4TRESS for authentication and does not include instructions on publishing applications on a Forefront UAG trunk.
1.2 Prerequisites
The following prerequisites should be met:
- ActivIdentity 4TRESS Authentication Appliance has been set up according to the ActivIdentity 4TRESS Authentication Appliance Setup Guide
- The RADIUS Front End feature of 4TRESS has been configured according to the ActivIdentity 4TRESS Authentication Appliance RADIUS Front End Solution Guide
- The Soft Token Activation Portal feature of 4TRESS has been set up according to the ActivIdentity 4TRESS Authentication Appliance Soft Token Solution Guide
- A Windows Server 2008 R2 Enterprise edition server with two network adapters available is joined to a domain with a domain controller
- Microsoft Forefront UAG is installed on the Windows Server 2008 R2 Enterprise edition server
1.3 Document References
The following documents provide a relevant background to the solution:
ActivIdentity Document References
- ActivIdentity 4TRESS Authentication Appliance Setup Guide
- ActivIdentity 4TRESS Authentication Appliance RADIUS Front End Solution Guide
- ActivIdentity 4TRESS Authentication Appliance Soft Token Solution Guide
External Document References
- Microsoft Forefront UAG 2010 TechNet pages may be found at the following URL: http://technet.microsoft.com/en-us/library/ff358694
2.0 Configuring 4TRESS
This section describes the configuration steps required on the 4TRESS server component. These changes are performed using the 4TRESS Management Console web interface.
2.1 Adding the User Repository
For this environment, the Microsoft Active Directory hosted on the domain controller will be used as the user repository. This LDAP server must be added and configured within 4TRESS.
1. Log on to the 4TRESS Management Console and select Configuration > User Repositories and click Add
2. Specify a name for the directory and select the Adapter for Microsoft Active Directory. Optionally, modify the Code. When done, click Next
Enter IP/hostname and port
- Host: Provide the IP address of the domain controller
- Backup Host: Optionally enter a backup host
- Base Node: Provide the base node to use when connecting to the directory
- Port: Specify the port used by the LDAPS connection
- Backup port: Optionally enter a backup port
- Enable LDAPs: Check the box to enable LDAPS
Configure user attributes and group attributes mapping
- User Class: Leave the default value
- User ID Attribute: Leave the default value
- Account Status Attribute: Leave the default value
- LDAP Group Class: Leave the default value
- Group Member Attribute: Leave the default value
- GUID Attribute Name: Leave the default value
Configure connection login credentials
- User DN: Provide the Distinguished Name of the user account used to connect to the LDAP directory
- Password: Enter the password for the account
- Confirm Password: Repeat the password
3. When all values have been entered, click the Import LDAPs Root CA certificate link
4. Browse for the certificate and click Open
5. Click Connection Test to verify that the connection is correctly configured.
6. If the test is successful, a message will be displayed. After a successful test, press Save to create the user repository
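As an independent check of the values entered above before (or after) running the Connection Test, here is an added Python example that is not part of this handbook or of the 4TRESS product: it opens an LDAPS connection to the domain controller trusting only the Root CA file you are about to import, verifies the server name against the certificate, performs an LDAP v3 simple bind with the configured User DN and password, and returns the LDAP result code. The host, port, CA file path, DN and password are placeholders you supply; the BER encoding and parsing are written here from the LDAP v3 wire format.

```python
import socket
import ssl

# Minimal BER helpers for an LDAP v3 simple bind (RFC 4511); standard library only.
def _ber(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + payload

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def encode_bind_request(msg_id: int, user_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    assert 1 <= msg_id < 0x80, "single-byte message IDs only in this example"
    bind = (_ber(0x02, b"\x03")                # version INTEGER 3
            + _ber(0x04, user_dn.encode())     # name LDAPDN
            + _ber(0x80, password.encode()))   # simple [0] OCTET STRING
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, bind))

def parse_bind_response(data: bytes):
    """Return (message_id, result_code) from a BindResponse (APPLICATION 1)."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = _read_tlv(op, 0)               # resultCode ENUMERATED
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big")

def check_ldaps_repository(host, port, ca_file, user_dn, password, timeout=5.0):
    """Connect over TLS trusting only ca_file, verify the DC's name, then simple-bind.
    Returns the LDAP result code: 0 = success, 49 = invalidCredentials."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the imported Root CA
    ctx.check_hostname = True  # use the DC's FQDN if its certificate has no IP SAN
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_bind_request(1, user_dn, password))
            resp = tls.recv(4096)  # bind responses are small; one read suffices here
    _, code = parse_bind_response(resp)
    return code
```

Call check_ldaps_repository(host, 636, "ldaps-root-ca.pem", user_dn, password) with the values from the repository form; an ssl.SSLCertVerificationError means the domain controller's certificate does not chain to the Root CA file you are importing, while a result code of 49 means the User DN or password is wrong.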
2.2 Assigning the Repository to a User Type
The user repository added in section 2.1 Adding the User Repository must be associated with a User Type in 4TRESS, or the users will not be included when performing a user lookup. This section describes the steps required to successfully assign the repository to a given User Type.
1. Log on to the 4TRESS Management Console and select Access Administration > User Types. Then, click one of the pre-configured User Types. For this example, we will use the Employees User Type
2. Expand the section User Repositories and then expand the section Available. Next, click the repository created in section 2.1 Adding the User Repository
3. Press Add to set up a Root Node in the pop-up window that appears
4. Specify the Root Node and click Add. It is possible to use the pre-defined value
5. Check the box and press OK to continue
6. Press Save to save the configuration
2.3 Assigning the Repository to an Administration Group
The user repository added in section 2.1 Adding the User Repository must also be associated with an Administration Group. This section lists the operations required to perform this action.
1. Log on to the 4TRESS Management Console and select Access Administration > Administration Groups. Then, click one of the pre-configured Administration Groups. For this example, we will use the Full Time Employees Administration Group
2. Expand the section User Repositories and then expand the section Available. Next, click the repository created in section 2.1 Adding the User Repository
3. Press Add to set up a Root Node in the pop-up window that appears
4. Specify the Root Node and click Add. It is possible to use the pre-defined value
5. Check the box and press OK to continue
6. Press Save to save the configuration