Implementation Guide Microsoft TMG
DualShield
for
Microsoft TMG
Implementation Guide
(Version 5.2)
Copyright 2011
Deepnet Security Limited
Copyright 2011, Deepnet Security. All Rights Reserved. Page 1
Implementation Guide Microsoft TMG
Trademarks
DualShield Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID,
SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp
are trademarks of Deepnet Security Limited. All other brand names and product names
are trademarks or registered trademarks of their respective owners.
Copyrights
Under the international copyright law, neither the Deepnet Security software or
documentation may be copied, reproduced, translated or reduced to any electronic
medium or machine readable form, in whole or in part, without the prior written consent
of Deepnet Security.
Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you
understand the exact terms of usage. In particular, for which projects, on which
platforms and at which sites, you are allowed to use the product. You are not allowed to
make any modifications to the product. If you feel the need for any modifications, please
contact Deepnet Security.
Disclaimer
This document is provided as is without warranty of any kind, either expressed or
implied, including, but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, or non-infringement.
This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the document. Deepnet Security may make improvements of and/or changes
to the product described in this document at any time.
Contact
If you wish to obtain further information on this product or any other Deepnet Security
products, you are always welcome to contact us.
Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com
Copyright 2011, Deepnet Security. All Rights Reserved. Page 2
Implementation Guide Microsoft TMG
Table of Contents
1. Overview ................................................................................. 4
2. Preparation .............................................................................. 5
3. Configuration ........................................................................... 6
4. Authentication ........................................................................ 12
5. On-Demand Password ............................................................. 14
5.1 Create a user-defined protocol for DPS ...............................................................................15
5.2 Create a access rule for DPS ..............................................................................................16
5.3 Create a listener for DPS ...................................................................................................19
5.4 Publish the DPS web site ...................................................................................................21
5.5 Install the DualShield TMG Agent .......................................................................................25
5.6 Change the OWA portal settings in TMG ..............................................................................26
5.7 Change the Provisioning Server settings in DualShield ..........................................................27
5.8 Test Authentication ..........................................................................................................28
Copyright 2011, Deepnet Security. All Rights Reserved. Page 3
Implementation Guide Microsoft TMG
1. Overview
This implementation guide describes how to protect Microsoft TMG with two-factor
authentication with the DualShield unified authentication platform. Microsoft TMG
supports external authentication servers including Active Directory and RADIUS OTP. By
leveraging those features in TMG, we can implement a two-factor authentication in TMG
system in which the first factor will be the users static password and second factor will
be a one-time password. The users static password will be authenticated by the
customers Active Directory server (domain controller) and the users one-time password
will be authenticated by the DualShield authentication server via RADIUS.
DualShield provides a wide selection of portable one-time password tokens in a variety
of form factors, ranging from hardware tokens, software tokens, mobile tokens to USB
tokens. These include:
Deepnet SafeID
Deepnet MobileID
Deepnet GridID
Deepnet CryptoKey
RSA SecurID
VASCO DigiPass Go
OATH-compliant OTP tokens
In addition to the support of one-time password, DualShield also supports on-demand
password for RADIUS authentication. The product that provides on-demand password in
the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less
strong authentication that delivers logon passwords via SMS texts, phone calls, twitter
direct messages or email messages.
The complete solution consists of the following components:
Microsoft TMG
DualShield Radius Server
DualShield Authentication Server
Copyright 2011, Deepnet Security. All Rights Reserved. Page 4
Implementation Guide Microsoft TMG
2. Preparation
Prior to configuring TMG for two-factor authentication, you must have the DualShield
Authentication Server and DualShield Radius Server installed and operating. For the
installation, configuration and administration of DualShield Authentication and Radius
servers, please refer to the following documents:
DualShield Authentication Platform Installation Guide
DualShield Authentication Platform Quick Start Guide
DualShield Authentication Platform Administration Guide
DualShield Radius Server - Installation Guide
You also need to have a RADIUS application created in the DualShield authentication
server. The application will be used for the two-factor authentication in TMG. The
document below provides detailed instructions for RADIUS authentication with the
DualShield Radius Server:
VPN & RADIUS - Implementation Guide
As an example in this document, we are going to going to add two-factor authentication
to an OWA portal. Assuming that the OWA portal is already setup and operating.
Copyright 2011, Deepnet Security. All Rights Reserved. Page 5
Implementation Guide Microsoft TMG
3. Configuration
1. Edit the Properties of
the OWA listener and
select the
Authentication tab:
Select HTML Form
Authentication
Enable Collect
additional delegation
credentials in the form
Select RADIUS OTP
2. Click Configure
Validation Servers
Copyright 2011, Deepnet Security. All Rights Reserved. Page 6
Implementation Guide Microsoft TMG
3. Select the RADIUS
Servers tab
4. Click Add
5. Enter the server
name or IP address of
your DualShield
Radius server
Enter the shared
secret and the
Authentication port
Click OK to save
Copyright 2011, Deepnet Security. All Rights Reserved. Page 7
Implementation Guide Microsoft TMG
6. Select LDAP Servers tab
Click Add and add your
LDAP server settings
Click Apply and OK to
apply and save changes
Copyright 2011, Deepnet Security. All Rights Reserved. Page 8
Implementation Guide Microsoft TMG
Finally, click the Apply button on the top to save and activate the changes.
The third stage is to configure the DualShield server to add TMG as a Radius client and
to create a Radius application with a logon procedure.
Create a new logon procedure
1. Login to the DualShield management console
2. In the main menu, select Authentication | Logon Procedure
3. Click the Create button on the toolbar
4. Enter Name and select RADIUS as the Type
5. Click Save
6. Click the Context Menu icon of the newly create logon procedure, select Logon
Steps
7. In the popup windows, click the Create button on the toolbar
8. Select One-Time Password as the authenticator
9. Click Save
Copyright 2011, Deepnet Security. All Rights Reserved. Page 9
Implementation Guide Microsoft TMG
Create a new application
1. In the main menu, select Authentication | Applications
2. Click the Create button on the toolbar
3. Enter Name
4. Select Realm
5. Select the logon procedure that was just created
6. Click Save
Add TMG as a Radius client
1. In the main menu, select RADIUS | Clients
2. Click the Register button on the toolbar
3. Select the application that was created in the previous steps
4. Enter TMGs IP in the IP address
5. Enter the Shared Secret and make sure it is identical to the shared secret defined
in the Radius server settings in the TMG.
6. Click Save
Copyright 2011, Deepnet Security. All Rights Reserved. Page 10
Implementation Guide Microsoft TMG
We have now completed all necessary stages and steps in setting up two-factor
authentication in TMG with DualShield. In our example, we have added to a OWA portal
with two authentication factors, AD static password and DualShield one-time password.
Let us proceed to testing the authentication.
Copyright 2011, Deepnet Security. All Rights Reserved. Page 11
Implementation Guide Microsoft TMG
4. Authentication
Launch your web browser and connect to the OWA portal.
Users will now be asked to provide both Passcode and Password. Password is the
field where users will need to enter their AD password (Static Password), and Passcode
is the field where users will need to provide their one-time passwords (OTP).
The DualShield passcode is defined the logon procedure in your DualShield server. In our
example, we defined One-Time Password in the logon procedure. Which means that
users will be able to use any one-time password token supported by the DualShield to
authenticate to the OWA portal.
You can also add the On-Demand Password to the list of authenticator in your logon
procedure.
Copyright 2011, Deepnet Security. All Rights Reserved. Page 12
Implementation Guide Microsoft TMG
Your users will now be able to use Deepnet T-Pass as well to authenticate to OWA.
Copyright 2011, Deepnet Security. All Rights Reserved. Page 13
Implementation Guide Microsoft TMG
5. On-Demand Password
If you enable On-Demand Password in DualShield, then your users will be able to use
Deepnet T-Pass as their authentication method. A typical question with On-Demand
password is how can users request to have their password delivered in real time?
Using the configuration that we have set up in above steps, users cant request to have
their password delivered in real time. Users will need to have a password pre-delivered
before they can logon. The system administrator can push out on-demand passwords to
users, or users can use the self-service console to obtain an on-demand password. Once
a user has successfully logged in, the DualShield server will then automatically send out
a new password to be used by the user at next logon.
If the pre-delivery method described above is not a viable solution to you, then you need
to install the DualShield TMG Agent which will enable users to request on-demand
password in real time at logon.
The rest of this document describes how to configure TMG with the DualShield TMG
Agent. The diagram below illustrates the architecture of the solution:
As an example, we make the following assumptions:
1. The network domain is DeepnetTest32.com
2. The DualShield platform including its Authentication Server (DAS) and
Provisioning Server (DPS) is installed and operating in HTTP mode
3. The FQDN of the DualShield platform is DualShield.DeepnetTest32.com
4. The internal port number of the DualShield Provisioning Server (DPS) is 8072
5. The public host name of the DPS to be published is Mail.DeepnetSecurity.com
6. The public port number of the DPS is also 8072
7. The FQDN of the Exchange Server is Exchange.DeepNetTest32.com
8. The public host name of the OWA published is Mail.DeepnetTest32.com
The entire configuration process involves the following stages:
1. Create a user-defined protocol for DPS
2. Create a access rule for DPS
3. Create a listener for DPS
Copyright 2011, Deepnet Security. All Rights Reserved. Page 14
Implementation Guide Microsoft TMG
4. Publish the DPS web site
5. Install the DualShield TMG Agent
6. Change the OWA portal settings in TMG
The DualShield Provisioning Server is a web service that delivers on-demand passwords.
Therefore, it needs to the published as a web site on TMG. The process is similar to the
way OWA web portal is published but requires some extra settings due to the non-
standard HTTP port number being used for DPS (8072).
5.1 Create a user-defined protocol for DPS
As DPS works on a non-standard HTTP port, we have to define a new protocol. In the
Toolbox | Protocols, select New | Protocol from the menu
1. Enter the name for the new protocol to
be created
2. Add an inbound TCP protocol with IP
range of 8072
3. Click Finish
4. Click Apply on the top to save changes
Copyright 2011, Deepnet Security. All Rights Reserved. Page 15
Implementation Guide Microsoft TMG
5.2 Create a access rule for DPS
In the Tasks, click Create Access Rule
1. Enter the name for the new rule
2. Select Allow
3. Click Add
Copyright 2011, Deepnet Security. All Rights Reserved. Page 16
Implementation Guide Microsoft TMG
4. Select HTTP 8072 from the User-
Defined protocols
Click Add
5. Click Next
6. Click Add
Copyright 2011, Deepnet Security. All Rights Reserved. Page 17
Implementation Guide Microsoft TMG
7. Select External
Click Add
8. Click Next
9. Add Local Host in the Destinations
Copyright 2011, Deepnet Security. All Rights Reserved. Page 18
Implementation Guide Microsoft TMG
10. Click Finish
11. Click Apply on the top to save changes
5.3 Create a listener for DPS
In the Toolbox | Network Objects, select New | Web Listener from the menu
1. Enter the name for the new listener
Copyright 2011, Deepnet Security. All Rights Reserved. Page 19
Implementation Guide Microsoft TMG
2. Select Do not require SSL
3. Select External
4. Select No Authentication
Copyright 2011, Deepnet Security. All Rights Reserved. Page 20
Implementation Guide Microsoft TMG
5. Click Finish
6. Click Apply on the top to save changes
5.4 Publish the DPS web site
In the Tasks, click Publish Web Sites
1. Enter the name for the web site
2. Select Allow
Copyright 2011, Deepnet Security. All Rights Reserved. Page 21
Implementation Guide Microsoft TMG
3. Select Use non-secured
connections
4. Enter the host name of your
DualShield Provisioning Server
Copyright 2011, Deepnet Security. All Rights Reserved. Page 22
Implementation Guide Microsoft TMG
5. Enter /dps/* in the path
6. Enter the public host name of DPS
7. Select DPS Listener that was
created in the previous stage
Copyright 2011, Deepnet Security. All Rights Reserved. Page 23
Implementation Guide Microsoft TMG
8. Click Finish
9. Click Apply on the top to save changes
10. Double click the newly published DPS web site
11. Select Bridging tab
Copyright 2011, Deepnet Security. All Rights Reserved. Page 24
Implementation Guide Microsoft TMG
12. Enable Redirect requests to HTTP
port, and enter 8072
Click Test Rule
13. Click OK to save
14. Click Apply on the top to save changes
5.5 Install the DualShield TMG Agent
1. In Windows Explorer, navigate to:
C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates
2. Clone the entire folder 'Exchange' to a new folder named ExchangeDualShield
3. Unzip the DualShield TMG Agent package (DualShieldTMG.1.1.zip), extract the
content to the above newly created folder.
4. Open jquery.dps.js with a text editor, such as the Notepad
Replace the URL in the first line which reads:
Copyright 2011, Deepnet Security. All Rights Reserved. Page 25
Implementation Guide Microsoft TMG
var DPS_Host = 'http://mail.deepnettest32.com:8072';
with the real URL of your DPS. Save the file
5. Open usr_pwd_pcode.htm in a text editor
Locate the following line of text in the file:
<link href="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=logon_style.css" type="text/css" rel="stylesheet">
Insert the following line of text underneath the above line:
<link href="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=dualshield.css" type="text/css" rel="stylesheet">
Append the following lines of text to the end of the file:
<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery-1.7.min.js" type="text/javascript"></script>
<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery.json-2.3.min.js"
type="text/javascript"></script>
<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery.blockUI.js" type="text/javascript"></script>
<script src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=jquery.dps.js" type="text/javascript"></script>
Save the file.
6. Restart the 'Microsoft Forefront TMG Firewall' service
5.6 Change the OWA portal settings in TMG
Double click the OWA portal that is already published, to bring up its properties. Click
Application Settings tab.
Copyright 2011, Deepnet Security. All Rights Reserved. Page 26
Implementation Guide Microsoft TMG
Enable Use customized HTML
Enter ExchangeDualShield which is
the folder name we created in the
previous stage
Click Test Rule
Click OK
Click Apply on the top to save changes
5.7 Change the Provisioning Server settings in DualShield
In the DualShield Management Console, select Authentication | Agents in the main
menu, click the context menu of the Provisioning Server and select Applications
In the list of the applications, select the application for TMG (e.g. radius in our example).
Click Save
Copyright 2011, Deepnet Security. All Rights Reserved. Page 27
Implementation Guide Microsoft TMG
We have now completed all stages and steps in configuring TMG with the DualShield
Agent.
5.8 Test Authentication
Now, when users attempt to logon to the OWA portal
To request an on-demand password, users will firstly enter their User Name and
Password (AD Password), and then click one of the delivery icons (e.g. the Email icon).
If the credentials provided are correct, DPS server will generate an on-demand one-time
password (Passcode) and deliver it to the user in the defined delivery channel (e.g.
email).
--- END ---
Copyright 2011, Deepnet Security. All Rights Reserved. Page 28
