RSA Security AG-600 User Manual

RSA ClearTrust Ready Implementation Guide
For Portal Servers and Web-Based Applications
Last Modified August 30, 2004
1. Partner Information
Partner Name AEP Systems Ltd. Web Site www.aepsystems.com Product Name AEP SureWare A-Gate Version & Platform AG-600 V3.0.2 Product Description AEP SureWare A-Gate, a suite of SSL VPN hardware appliances,
provides a high functionality, low-cost SSL VPN solution for small and medium enterprises (SMEs) that want to extend enterprise applications to employees, business partners and customers.
AEP SureWare A-Gate provides a full-featured solution that meets all the remote access needs of SMEs, from access to Web-enabled or Windows Terminal Services applications to full access to client-server applications. Now all remote access users - mobile employees, "road warriors", teleworkers, occasional travelers and business partners ­can have secure and authenticated access to internal applications and resources.
Product Category Remote access, Virtual Private Networking
RSA ClearTrust
Web Server
AEP SureWare A-Gate
1. User logs in to AEP SureWare A-Gate
2. SureWare A-Gate authenticates user against LDAP repository
3. SureWare A-Gate forwards credentials to requested web server
4. Requested web server passes credentials to ClearTrust server
5. ClearTrust server verifies credentials against LDAP repository
6. ClearTrust server authorises request
7. Web server sends requested page to SureWare A-Gate
8. SureWare A-Gate delivers requested page to user
Laptop
Active Directory
Page: 1
2. Contact Information
Sales contact Support Contact
Email sales@aepsystems.com support@aepsystems.com Phone
Web www.aepsystems.com www.aepsystems.com
US/Toll Free: 800.383.7716 US/California: 650.326.6748 US/Boston: 617.790.5825 Ireland: (+353 1) 204 1300 UK: (+44) 1442 458 600
US/Toll Free: 866.443.0370 EMEA: (+353 1) 204 1300
3. Solution Summary

Feature Details

Use UserID for SSO Yes

Use UserID for Personalization Yes

Recognize Authentication Type No

API-level Authorization Support
No
(RuntimeAPI)
User Management
Yes
(AdminAPI)

Via Shared User Repository (LDAP)

Page: 2
4. Integration Overview
AEP SureWare A-Gate provides Single-Sign-On via Authentication Forwarding Rules. These rules list the servers protected by RSA ClearTrust and ensure that when a user attempts to access a resource on one of these servers, their Basic credentials are automatically forwarded with the request.
5. Product Requirements

Hardware requirements

Component Name: SureWare A-Gate AG-600
Firmware level 3.0.2.5-ct1
Page: 3
6. Product Configuration
To enable SSO perform the following steps:
Add all ClearTrust protected servers to the ‘Anywhere Web Servers’ list via the A-Gate web administration interface.
Set the HTTPS default policy to Allow.
Configure the A-Gate to use the same LDAP repository as the RSA ClearTrust environment.
Active Directory User Management can be performed either by the RSA ClearTrust AdminGUI or directly in the LDAP directory server.
Enable LDAP Authentication.
Create Authentication Forwards.
1. Add ClearTrust protected servers to ‘Anywhere Web Servers’ list via the web administration interface, these configured servers.
https://<machine-fqdn>/_admin. A-Gate users can only access resources which reside on
Navigate to ‘Remote Access > Anywhere > Anywhere Web Servers’.
Enter the server name and click ‘Add’.
The new server will appear in the list at top of the page, where it can be tested for
connectivity or deleted. N.B. All ClearTrust protected servers must be added to this list.
Page: 4
2. Set HTTPS default policy to ‘Allow’. By default, HTTPS default access policy is set to ‘Deny’, which ensures the administrator starts
configuration with a secure, locked down A-Gate, where all HTTPS access requests are rejected. There are two ways to allow access to A-Gate’s back-end servers. The quickest way is to set the default HTTPS policy to ‘Allow’. The other, more controlled way is to create HTTPS ACLs. Please consult the reference manual for information on ACLs.
Navigate to ‘Remote Access > Group Policy > HTTPS Default Policy’.
Set Default Policy to ‘Allow’.
Click ‘Apply’.
Page: 5
3. Configure LDAP Repository

Navigate to ‘Network > LDAP Configuration’.

Add the Active Directory server by entering the IP address or hostname in the ‘Server:’ field of
the ‘Add LDAP Server’ section.
Click ‘Add’.
Configure the LDAP search base (mandatory) and optionally the LDAP bind DN and
password.
Click ‘Apply’.
Page: 6
4. Enable LDAP Authentication
Navigate to ‘Remote Access > User Authentication > Authentication Mechanisms’ and select ‘Enable’ LDAP Authentication.
Ensure all other authentication mechanisms are disabled.
Click ‘Apply’.
Navigate to ‘Remote Access > User Authentication > Authentication Mechanisms > LDAP
Authentication.
Set the ‘LDAP Login Attribute’, this should be ‘sAMAccountName’ for Active Directory.
Click ‘Apply’.
Page: 7
5. Create Authentication Forwards Single-Sign-On is achieved in the SureWare A-Gate via Authentication Forwards. This is the process
whereby Basic credentials are automatically forwarded to back-end servers when requesting particular resources.
To enable this process, the administrator must create at least one Authentication Forward, consisting of a name, credentials and a list of forwarding rules which state what resources are governed by this Authentication Forward. Administrators can choose to forward the session credentials, which are the username and password entered by the user via the A-Gate Login screen, or a specific trusted username and password.
If Authentication Forwards exist, the A-Gate checks every incoming request against the list of forwarding rules. If a match occurs, the A-Gate appends an authorization header with the configured credentials to the original request and sends the request to the requested back-end server.
To create an authentication forward:
Navigate to ‘Remote Access > Anywhere > Authentication Forwards’ on the web administration interface.
Set credentials. ‘Forward Session Credentials’ determines whether or not the session credentials are forwarded to the back-end servers. If ‘No’ is selected, the administrator must enter a trusted username and password. To add this rule, click ‘Add’. The new rule will appear in the list at the
Page: 8
top of the page where it can be edited, deleted or re-ordered. Rule order is extremely important as the A-Gate always applies the first matching rule it encounters.
Page: 9
Click on the newly created Authentication Forward to add forwarding rules.
Each rule consists of a rule type, a match type and a match string. Rule Type indicates whether
authentication forwarding is allowed, denied or required for matching resources. Match Type indicates the comparison mechanism used for this rule. Possible values are ‘Compare’ which looks for an exact match, ‘RegEx’ which matches against a regular expression or ‘Any’, which matches everything. Match String must match the requested resource if this rule is to be applied.
Click ‘Add’ to add each rule.

Click ‘Save Changes’ to save these rules.

Page: 10
7. Certification Checklist for Portal Servers and Web-Based Apps
Date Tested: August 18, 2004
Product Tested Version
RSA ClearTrust 5.5 RSA ClearTrust Agent 4.5 IIS AEP SureWare A-Gate 3.0.2
Test Case Result
Product Characteristics for SSO Support
Application/Portal is web-based, and supports access by a standard HTTP-based browser Application/Portal runs on Web Server Platform supported by RSA ClearTrust N/A
Application/Portal login interface can be modified or replaced P Application/Portal can extract user information from RSA ClearTrust session cookie N/A Application/Portal can extract user information from HTTP Headers N/A Application/Portal can extract authentication type from RSA ClearTrust session cookie N/A
Application/Portal can extract authentication type from HTTP Headers P
Application/Portal can perform SSO with other RSA ClearTrust-supported Web Server P
Login – General
HTTP basic authentication P Forms based P Forms based w/ URI retention P
Login – Basic Authentication
Access Denied for unauthorized user P Successful login for authorized user P Successful recognition of identity/personalization in 3rd Party Product P Successful recognition of identity/personalization after SSO with other RSA ClearTrust­supported Web Server
Login –Graded Authentication
Access Denied for unauthorized user N/A Successful login for authorized user N/A Successful recognition of identity/personalization in 3rd Party Product N/A Successful recognition of identity/personalization after SSO with other RSA ClearTrust­supported Web Server
PAR/SWA *P=Pass or Yes F=Fail N/A=Non-available function
P
N/A
N/A
Page: 11
Loading...