Mark E. Smith's Brain Dump
August 11

Securely Publishing Microsoft Exchange Server With Forefront Unified Access Gateway – Part 4

In this part of the series I will show you how to configure UAG to add RSA SecurID authentication to the UAG/OWA portal. First, I will assume that you already have an RSA ACE server or RSA Access Manager Server installed and configured in your environment. Second, I am assuming that your Active Directory username is the same as your RSA SecurID username. In my configuration I have used the RSA AM/ACE LDAP Integration with Active Directory which maps AD attributes to the RSA Database e.g. sAMAccountName -> Username, etc. The installation and configuration of these servers is out of the scope of this series but I will provide enough information for you to grasp the concepts if you are not familiar with the RSA AM/ACE system. Third, I will be demonstrating this on RSA Access Manager 7.1 SP2. The interface is now web based and different than the 6.x ACE server, but the concepts are the same.

So, let's configure the RSA Access Manager to accept authentication requests from our UAG server. Connect to the RSA AM Security Console and select Access, Authentication Agents, Add New.

Enter the hostname of the UAG server. When you select "Resolve IP" the internal IP address of the UAG server should resolve. If it does not, then you missed a step in the earlier parts of this series and didn't disable "Register this IP Address with DNS" on the External Interface of UAG. This is an important part with RSA since the IP Address is used to validate the agent during authentication.

After the agent has been added we need to generate the configuration file. Select Access, Authentication Agents, Generate Configuration File.

Click "Generate Config File" and save the .zip file to a location that you can access from the UAG server. Depending on your network topology this could be a share on the RSA AM server itself, or you might have to use a USB stick.

Next, on the UAG server, unzip the AM_Config file and save the sdconf.rec file to the root of the C:\ drive.

Now we're ready to install the RSA Authentication Agent on the UAG server. Run the Installer and step through the prompts.

When prompted, browse to the location of the Config File (if you placed the file in the root of the C: drive then you can click next).

Note: I would not recommend checking "Enable Challenge with exclusion of administrator" at this time. If you check this box then you will need to use your SecurID token to actually authenticate to Windows at the CTRL-ALT-DEL prompt UNLESS you log on as the local administrator.

After the installation has completed, click No when prompted to reboot; we will restart later.

Next we need to add a firewall exception rule into the TMG configuration to allow RSA SecurID communication between UAG and the RSA AM/ACE server. Yes, this is another one of the exceptions to the rule "Don't play with the TMG firewall ruleset" that I stated earlier.

Right click on the Firewall Policy, select New, Access Rule.

Give your rule a name like "Allow Outbound RSA SecurID".

Set the rule action to "Allow".

Select "This rule applies to" Selected Protocols, and select Authentication>SecurID from the protocol list.

Select the localhost (the UAG server) as the source of this rule.

Select Internal Networks for the destination for this rule. If you wanted to be more secure you could create network objects for the specific RSA AM/ACE servers and specify them as the destination.

You should now see your allow rule in the TMG rule set.


Apply the rule in the TMG console.

Now we can reboot the UAG server.

While the UAG server is rebooting let's go back to the RSA Access Manager server and bring up the Authentication Activity Monitor.

After the UAG server reboots, launch the RSA Security Center application and click on Advanced Settings. Since the UAG server has multiple IP addresses, we want to ensure that the source IP address will be the internal interface. So let's override the automatic selection and specify that IP address. This MUST match the IP address that we specified in the RSA AM server when we created the Agent config.
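Three details in this part are easy to get wrong and only surface later as failed authentications: the agent hostname must resolve to the internal IP you registered in the RSA AM agent record, the external interface must not register itself in DNS, and sdconf.rec must be where the installer was pointed. The PowerShell below is an added pre-flight check for those three points; it is not part of the original post and not RSA or Microsoft code, and the hostname, the expected agent IP (192.0.2.10) and the C:\sdconf.rec path are assumed placeholder values to replace with your own. Run it on the UAG server before the RSA Security Center authentication test.

```powershell
# Added example (not from the original post): pre-flight checks for the UAG/RSA agent pairing.
# Placeholders to replace: the internal IP entered in the RSA AM agent record and the
# sdconf.rec path (the post saves it to the root of C:\).
$UagHostName     = $env:COMPUTERNAME   # hostname entered under Access > Authentication Agents
$ExpectedAgentIP = '192.0.2.10'        # PLACEHOLDER: internal interface IP registered for the agent
$SdconfPath      = 'C:\sdconf.rec'

$problems = @()

# 1. The agent hostname must resolve to the internal IP and nothing else.
#    RSA AM validates the agent by source IP, so a stray external address here breaks pairing.
$resolved = @([System.Net.Dns]::GetHostAddresses($UagHostName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString })
if ($resolved -notcontains $ExpectedAgentIP) {
    $problems += "Hostname $UagHostName does not resolve to $ExpectedAgentIP (got: $($resolved -join ', '))"
}
if ($resolved.Count -gt 1) {
    $problems += "Hostname $UagHostName resolves to more than one address: $($resolved -join ', ')"
}

# 2. Any IP-enabled adapter that is not the internal one must have DNS registration disabled
#    (the "Register this connection's addresses in DNS" setting from the earlier parts).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.FullDNSRegistrationEnabled -and ($_.IPAddress -notcontains $ExpectedAgentIP) } |
    ForEach-Object {
        $problems += "Adapter '$($_.Description)' ($($_.IPAddress -join ', ')) still registers in DNS"
    }

# 3. sdconf.rec must exist where the agent installer was told to find it.
if (-not (Test-Path $SdconfPath)) {
    $problems += "sdconf.rec not found at $SdconfPath"
}

if ($problems.Count -eq 0) {
    Write-Output 'All pre-flight checks passed; proceed with the RSA Security Center authentication test.'
} else {
    $problems | ForEach-Object { Write-Output "CHECK FAILED: $_" }
}
```

If check 1 or 2 fails, fix the DNS registration on the external interface and flush the stale record before retrying; the Authentication Activity Monitor on the RSA AM server will otherwise show the agent's request arriving from (or registered under) the wrong address, and the node secret will never be created.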

Click OK, then exit the RSA Security Center application. Then re-launch it and navigate to the Authentication Test section. Let's test the authentication with a user and tokencode.


After we click OK on the authentication test on UAG, navigate back over to the RSA AM server and view the log. We should see an Agent Node secret created and then a successful authentication.

Now that we've confirmed that the RSA Agent on the UAG server is "paired" with the RSA AM server we can configure UAG to use RSA as an authentication source. Launch the UAG Console and select Admin, Authentication and Authorization Servers.


Click Add.


Select RSA SecurID as the server type and enter "RSA SecurID" as the Server Name. This is the server name that will be shown to the user in the UAG authentication portal. Enter the IP Address or FQDN of the RSA AM Server. Optionally you can add a backup RSA AM server. Selecting "Enable PIN mode" allows users to create a PIN if they are issued a new token. This is optional and depends on your Security Policy.

Now that we have the RSA Server setup as an authentication source in UAG, let's add it to the portal. Open the Exchange Portal Trunk and click on Trunk Configuration. Navigate to the Authentication tab. Click Add under the Authentication Servers option and add the RSA SecurID server.


Click OK and then Activate the UAG configuration. Once the Activation has completed, let's test by opening up the browser and navigating to the portal. Notice that we now have three authentication prompts: Username, Active Directory Password, and RSA SecurID Password. Let's enter all three:

Success! We now can require RSA SecurID Authentication to the UAG OWA experience!

Check back in for future parts to this series which will include Activesync publishing, Outlook Anywhere, and more!

Other parts of this series:
