[KB3562] How do I configure my Microsoft Forefront Threat Management Gateway for use with ESET Secure Authentication

Details

You can add a second factor to your Microsoft® TMG Server for published web resources or VPN connections using ESET Secure Authentication.

Solution

Introduction

This article describes how to configure a Microsoft® Forefront Threat Management Gateway server to authenticate users against an ESA Server. Before proceeding, verify that you've installed the RADIUS Server component of ESET Secure Authentication and can access the RADIUS service that allows external systems to authenticate users.

Before your TMG Server can use the ESA Server to authenticate users via RADIUS, it must be set up as a RADIUS client on the ESA Server. Next, the server running the ESA RADIUS service must be set up as a RADIUS Server on the TMG Server. Once these configurations have been specified, you can start logging in to your TMG VPN or Web Resource using ESA OTPs.

NOTE:

This integration guide uses the "Client does not validate user name and password" Client type for this particular VPN appliance. If you wish to use another Client type, refer to the generic description of Client types and verify with the vendor that the VPN appliance supports it.

Step I - RADIUS client configuration

The RADIUS protocol requires that access requests to RADIUS servers include the IP address of the RADIUS client (for example, your Microsoft® TMG Server).

To allow the Microsoft® TMG Server to communicate with your ESA Server, you must configure the TMG Server as a RADIUS client on your ESA RADIUS Server:

  1. Log in to ESA Web Console.
  2. Navigate to Components > RADIUS and locate the hostname of the server running the ESA RADIUS service.
  3. Click the hostname, then click Create New Radius Client.
  4. In the Basic Settings section:
    1. Give the RADIUS client a memorable name for easy reference.
    2. Configure the IP Address and Shared Secret for the Client so that they correspond to the configuration of your VPN appliance. The IP address is the internal IP address of your appliance. If your appliance communicates via IPv6, use that IP address along with the related scope ID (interface ID).
    3. The shared secret is the RADIUS shared secret for the external authenticator that you will configure on your appliance.
  5. In the Authentication section apply the settings shown in Figure 1-1 below.

Configuring your RADIUS client

  • To prevent locking any existing, non-2FA enabled AD users out of your VPN, we recommend that you allow Non-2FA users during the transitioning phase. It is also recommended that you limit VPN access to a security group in the Users section.
  • Make sure that the check box next to Mobile Application is selected.

Figure 1-1

ESA has now been configured to communicate with the Microsoft® Forefront TMG Server. You must now either configure a Microsoft® TMG Server Web Listener to communicate with the ESA Server, or you must configure the Microsoft® TMG Server VPN Client Access to communicate with the ESA Server.

For instructions on configuring a web listener, see Step II below.

For instructions on configuring VPN client access, see Step III below.


Step II - Configure a Web Listener

To configure your Web Listener, follow the steps below:

  1. Launch the Forefront TMG Manager.
  2. Expand Forefront TMG and navigate to Firewall Policy.
  3. Right-click the relevant firewall rule (the rule associated with this Web Listener) and select Properties from the context menu.
  4. Navigate to the Listener tab, select this Web Listener from the drop-down menu and click Properties.
  5. Navigate to the Authentication tab and select HTML Form Authentication from the drop-down in the Client Authentication Method section.
  6. Select the RADIUS radio button in the Authentication Validation Method section and then click "Configure Validation Servers..."
  7. Click Add to configure your ESA RADIUS Server as per the following:

    Server name: the hostname or IP address of your ESA RADIUS Server
    Server description: a friendly name for your server
    Shared secret: the shared secret that you configured during Step I
    Authentication port: 1812
    Time-out: 30 seconds
  8. Click OK and then click OK again to save your changes.
  9. Click Apply to update your server configuration (see Figure 2-1).

Figure 2-1

Navigate to the URL that you use to log in and enter your test credentials to verify that the listener has been configured:

  • Ensure that you are using a user that has been enabled for Mobile Application 2FA using ESA.
  • In the password field, append the OTP generated by the Mobile Application to your AD password. For example, if the user has an AD password of "ABCD" and an OTP of 111999, type in ABCD111999.

Step III - Configure your VPN Client Access

To configure your VPN Client Access, follow the steps below:

  1. Launch the Forefront TMG Manager.
  2. Expand Forefront TMG and navigate to Remote Access Policy (VPN).
  3. Click Select Authentication Methods in the right-most pane.
  4. Navigate to the Authentication tab. Select either PAP or MS-CHAPv2, as per Figure 3-1.
  5. Navigate to the RADIUS tab, and ensure that the Use RADIUS for authentication check box is enabled, as per Figure 3-2.

    Figure 3-1

  6. Click RADIUS Servers... and select your ESA RADIUS server configured previously, or click Add... to configure your ESA RADIUS server as per the following:

    Server name: the hostname or IP address of your ESA RADIUS Server
    Server description: a friendly name for your server
    Shared secret: the shared secret that you configured during Step I
    Authentication port: 1812
    Time-out: 30 seconds
  7. Click OK and click OK again.

Once all changes have been saved, click Apply again to update the server's configuration (see Figure 3-3).

Figure 3-2

Test the setup by launching the VPN client that you normally use for connecting to TMG. Enter the credentials of your test user:

  • Ensure that you are using a user that has been enabled for Mobile Application 2FA using ESA.
  • In the password field, append the OTP generated by the Mobile Application to your AD password. For example, if the user has an AD password of "ABCD" and an OTP of 111999, type in ABCD111999.

Troubleshooting

If you are unable to authenticate via the ESA RADIUS server, ensure you have performed the following steps:

  1. Run a smoke test against your RADIUS server, as per Verifying ESA RADIUS Functionality.
  2. If no faults were found and you are still unable to connect, revert to an existing sign-in configuration (one that does not use 2FA) and verify that you are able to connect.
  3. If you are still able to connect using the old settings, restore the new settings and verify that there is no firewall blocking UDP 1812 between your VPN device and your RADIUS server.
  4. If you are still unable to connect, contact ESET technical support.
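The following Python script is an added example written for this article; it is not ESET's code and is not part of ESET Secure Authentication. It shows what the TMG Server actually sends to the ESA RADIUS server when a user logs in with the format from Steps II and III (AD password with the OTP appended), and it can serve as the smoke test from Troubleshooting step 1: one RFC 2865 Access-Request over UDP 1812 with the 30-second time-out from the listener configuration. The host name esa-radius.example.local, the shared secret, the user "jdoe", the OTP and the NAS IP address are constructed placeholders; substitute the values you configured in Step I. Because a RADIUS server looks up the shared secret by the request's source IP and silently discards requests from unregistered clients, run it from the TMG Server itself or register the test host as an additional RADIUS client first.

```python
"""RFC 2865 PAP test client for smoke-testing an ESA RADIUS server.

Added example for this article, not ESET's code. Host name, secret, user,
OTP and NAS IP below are constructed placeholders.
"""
import hashlib
import os
import socket
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def esa_password(ad_password: str, otp: str) -> str:
    """Login format from Steps II and III: the OTP is appended to the AD password."""
    return ad_password + otp


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This hides the password from a passive observer only as well as the shared
    secret is protected, which is why the secret must be long and random."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += prev
    return hidden


def decrypt_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of encrypt_user_password; strips the NUL padding."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: str, nas_ip: str,
                         identifier: int = 0, authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes..."""
    request_auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encrypt_user_password(password.encode(), secret.encode(), request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def sign_response(code: int, request: bytes, secret: str, attrs: bytes = b"") -> bytes:
    """What the server does: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret.encode()).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: str) -> int:
    """Validate a reply against the request it answers and return its Code.
    A mismatch here with a reply present points at a wrong shared secret."""
    if len(response) < 20:
        raise ValueError("reply shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        raise ValueError("bad Length field")
    if ident != request[1]:
        raise ValueError("Identifier does not match the request")
    response = response[:length]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret.encode()).digest()
    if response[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code


def smoke_test(server: str, secret: str, username: str, ad_password: str, otp: str,
               nas_ip: str, port: int = 1812, timeout: float = 30.0) -> str:
    """Send one Access-Request over UDP using the port and time-out from Steps II/III."""
    request = build_access_request(username, esa_password(ad_password, otp), secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            # Troubleshooting step 3: a silent drop usually means UDP 1812 is blocked
            # or this host is not registered as a RADIUS client (Step I).
            return "no reply within time-out"
    return CODE_NAMES.get(verify_response(reply, request, secret), "unknown code")


if __name__ == "__main__":
    # Offline demonstration: build the packet and round-trip the hidden password.
    secret, auth = "constructed-shared-secret", os.urandom(16)
    pw = esa_password("ABCD", "111999")  # the article's example, gives ABCD111999
    print("Access-Request:", build_access_request("jdoe", pw, secret, "192.0.2.10", 1, auth).hex())
    hidden = encrypt_user_password(pw.encode(), secret.encode(), auth)
    print("round trip ok:", decrypt_user_password(hidden, secret.encode(), auth) == pw.encode())
    # Live check against your own ESA RADIUS server (placeholder host and values):
    # print(smoke_test("esa-radius.example.local", secret, "jdoe", "ABCD", "111999", "192.0.2.10"))
```

The three outcomes of smoke_test map directly onto the troubleshooting list: Access-Accept means the whole chain (client registration, secret, user's 2FA enrolment, OTP) works; Access-Reject with a valid Response Authenticator means the server was reached and the secret is right, so look at the user's credentials or 2FA status; a Response Authenticator mismatch means the shared secrets differ; and no reply at all means UDP 1812 is blocked or the client IP is not registered in Step I.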