External Authentication with SonicWALL SSL VPNAuthenticating Users Using SecurAccess Server bySecurEnvoyContact informationSecurEnvoyPhil Underwoodwww.securenvoy.com1210 ParkviewArlington Business ParkThealeReadingRG7 [email protected] 2600010

SonicWALL SSLVPN Integration GuideThis document describes how to integrate a SonicWALL SSL VPN installed withSecurEnvoy two-factor Authentication solution called ‘SecurAccess’.SonicWALL SSL VPN provides - Secure Application Access to the internal corporatenetwork.SecurAccess provides two-factor, strong authentication for remote Access solutions(such as SonicWALL ), without the complication of deploying hardware tokens orsmartcards.Two-Factor authentication is provided by the use of (your PIN and your Phone toreceive the one time passcode)SecurAccess is designed as an easy to deploy and use technology. It integratesdirectly into any LDAP directory server such as Microsoft’s Active Directory andnegates the need for additional User Security databases. SecurAccess authenticationserver is directly integrated with LDAP or Active Directory in real time.SecurEnvoy Security Server can be configured in such a way that it can use theexisting Microsoft password. Utilising the Windows password as the PIN, allows theUser to enter their UserID, Windows password and One Time Passcode receivedupon their mobile phone. This authentication request is passed to the SecurEnvoySecurity Server via the RADIUS protocol, where it carries out a Two-Factorauthentication. It provides a seemless login into the corporate network environmentby the remote User entering three pieces of information. SecurEnvoy utilises a webGUI for configuration, whereas the SonicWALL Server environment uses a GUIapplication. All notes within this integration guide refer to this type of approach.The equipment used for the integration process is listed below:SonicWALL SSL VPNSonicWALL software release v4Microsoft (for installation of SecurEnvoy Security Server)Windows 2003 serverIIS installed with SSL certificate (required for management and remote administration)Access to Active Directory with an Administrator AccountSecurEnvoySecurAccess software release v5.1.500 2005 SecurEnvoy Ltd. All rights reservedConfidentialPage 2

Index1.0 Pre Requisites. 32.0 Configuration of SonicWALL . 33.0 Configuration of SecurEnvoy . 74.0 Test Logon . 71.0Pre RequisitesIt is assumed that the SonicWALL is setup and operational. An existing Domain user canauthenticate using a Domain password and access applications. All communications are overHTTPS (port 443) for client browser and SonicWALL SSL VPN.Securenvoy Security Server has a suitable account created that has read and write privilegesto the Active Directory, if firewalls are between the SecurEnvoy Security server, ActiveDirectory servers, and the SonicWALL SSL VPN, additional open ports will be required.NOTE: SecurEnvoy requires LDAP connectivity either over port 389 or 636 to theActive Directory servers and port 1645 or 1812 for RADIUS communication fromthe SonicWALL SSL VPN.2.0Configuration of SonicWALLWithin the SonicWALL Aventail SSL VPN GUIa)b)c)d)e)Navigate to Authentication serversSelect NewEnter details for a Radius server (SecurEnvoy)Set credential type to Token/SecurIDClick “Continue” 2005 SecurEnvoy Ltd. All rights reservedConfidentialPage 3

Select Configure Authentication servera) Enter details for SecurEnvoy serverName, IP Address and Port, shared secretb) Set retry to 10 secondsc) Select “Advanced”d) Select “Customize authentication server prompts, with identity “Username” andProof “Enter SMS Passcode” 2005 SecurEnvoy Ltd. All rights reservedConfidentialPage 4

Navigate to User Access and select RealmsClick “New realm”a)b)c)d)e)Enter name information for the new realmSelect Active Directory as the authentication serverSelect AdvancedSelect SecurEnvoy for secondary authentication serverSelect “Combine authentication prompts on one screen” 2005 SecurEnvoy Ltd. All rights reservedConfidentialPage 5

The new realm will now be displayed3.0 Configuration of SecurEnvoyTo help facilitate an easy to use environment, SecurEnvoy can utilise the existing Microsoftpassword as the PIN. This allows the users to only remember their Domain password.SecurEnvoy supplies the second factor of authentication, which is the dynamic one timepasscode (OTP) which is sent to the user’s mobile phone.Launch the SecurEnvoy admin interface, by executing the Local Security ServerAdministration link on the SecurEnvoy Security Server.Click the “Radius” ButtonEnter IP address and Shared secret for each SonicWALL SSL VPN appliance that wishes touse SecurEnvoy Two-Factor authentication. 2005 SecurEnvoy Ltd. All rights reservedConfidentialPage 6

Click checkbox “Authenticate Passcode Only (PIN Not Required)Click “Update” to confirm settings.Click “Logout” when finished. This will log out of the Administrative session.4.0Test LogonOpen a browser and navigate to the logon page 2005 SecurEnvoy Ltd. All rights reservedConfidentialPage 7

It is assumed that the SonicWALL is setup and operational. An existing Domain user can authenticate using a Domain password and access applications. All communications are over HTTPS (port 443) for client browser