Installation and Configuration Guide
VPN Authentication by BlackBerry Virtual Appliance
Version 1.7.1
Published: SWD

Contents

1 What is VPN Authentication by BlackBerry?
  Architecture: VPN Authentication by BlackBerry
  VPN authentication options
  Connecting to a VPN network
    Data flow: Connecting to a VPN network using a BlackBerry OS device as the second factor
    Data flow: Connecting to a VPN network using a BlackBerry 10 device as the second factor
    Data flow: Connecting to a VPN network using an iOS or Android device as the second factor
  How second-factor authentication with VPN Authentication by BlackBerry works
2 Installing the VPN Authentication server
  Environment requirements
  Hardware requirements
  Software requirements
  Install the VPN Authentication server
  VPN Authentication server ports
Configuring VPN Authentication for the first time
  Confirm virtual machine and networking setup
  Configure Samba for the VPN Authentication server
  Start the configuration tool
  Turn off the configuration tool
  Start the VPN Authentication server
  Turn off the VPN Authentication server
Configuring VPN server connectivity
  Supported authentication protocols for each authentication option
  Configuring connectivity to the VPN Authentication server on a Cisco ASA Series VPN gateway
  Configuring connectivity to the VPN Authentication server on Citrix NetScaler
  Configuring connectivity to the VPN Authentication server on a strongSwan server
  Configure VPN gateway connectivity in the VPN Authentication server
Connecting the VPN Authentication server to Microsoft Active Directory
  Connect the VPN Authentication server to Microsoft Active Directory
Configuring the connection to an EMM solution from BlackBerry
  Configuring support for high availability of an EMM solution from BlackBerry
  Prerequisites: Connecting the VPN Authentication server to BES
  Connect the VPN Authentication server to BES
  Configure the VPN Authentication server to listen for responses from devices
  Configure a TLS connection for responses from BlackBerry 10 devices
Customize the VPN Authentication app
Sending the VPN Authentication app to devices
  Sending the VPN Authentication app to BlackBerry 10 devices using BES
  Sending the VPN Authentication app to BlackBerry OS devices using BES
  Sending the VPN Authentication app to iOS or Android devices using BES
Architecture: VPN Authentication high availability
  Configuring high availability
Logging and reporting
  Auditing authentication transactions
  Centralize logging or auditing using syslog
Product documentation
Glossary
Legal notice


1 What is VPN Authentication by BlackBerry?

A VPN is one of the key methods that your users use to access your organization's content when they're on the go. When you permit users to connect to your network from the outside, you must make sure that only authenticated users can access content. In the past, security-conscious organizations implemented two-factor authentication using hardware tokens to strongly authenticate users. However, hardware tokens can be costly to implement, are difficult to use, and aren't well aligned with mobility or cloud-based trends.

VPN Authentication by BlackBerry takes a different approach to VPN authentication. It uses your users' BlackBerry 10, BlackBerry OS (version 6.0 to 7.1), iOS, or Android devices as the second factor for authentication.
By using the devices that users have already activated, VPN Authentication provides the following benefits:

- Strong security based on PKI authentication and, for BlackBerry 10 and BlackBerry OS devices, a hardware root of trust
- Better user experience, because users don't need a hardware token and don't need to remember additional shared secrets or passcodes
- Improved cost structure, because you can use something users already have, reduce support costs, and don't need to purchase or replace additional hardware

For more information about VPN Authentication, visit

Architecture: VPN Authentication by BlackBerry

VPN Authentication by BlackBerry consists of two components:

- A server that you install on your network
- An app that runs on users' devices

Component: Computer
    Any device (for example, a tablet, desktop, or laptop) that has a VPN profile installed and from which a user wants to connect to your organization's network.

Component: VPN gateway
    The computer that accepts VPN connections. The VPN gateway and the devices connect to the VPN Authentication server to provide second-factor authentication.

Component: VPN Authentication server
    Connects to the EMM solutions from BlackBerry that are installed in your environment to find the devices associated with a user and to send authentication requests to the VPN Authentication app that is installed on those devices. You can install multiple instances of the server to set up active-active high availability.

Component: BES5, BES10, or BES12
    The EMM solutions from BlackBerry that allow you to manage devices. They provide the connection to the devices that are used as the second factor for VPN authentication.

Component: Devices with the VPN Authentication app
    The smartphones or tablets that include the VPN Authentication app and are the second factor for VPN authentication. The devices are associated with users and managed by BES5, BES10, or BES12. They can be BlackBerry 10, BlackBerry OS (version 6.0 to 7.1), iOS, or Android devices. For iOS and Android devices, the VPN Authentication app is part of the BES12 Client.

Related information
Architecture: VPN Authentication high availability
Sending the VPN Authentication app to devices

VPN authentication options

VPN Authentication by BlackBerry offers the following three authentication options:

Normal device password
    Description: When a user connects to the VPN, the user is prompted to accept the VPN connection on the device. If the device is locked, the user must provide the device password. For BlackBerry 10 devices, users must provide the work space password if the work space is locked. This option is supported on all devices.
    Useful when: Your organization places usability as its most important goal for any deployment.

Forced device password
    Description: When a user connects to the VPN, the user is always prompted to provide the device password, even if the device is unlocked. For BlackBerry 10 devices, users must provide the work space password. Users can accept the VPN connection on the device after they log in. This option is supported for BlackBerry 10 and BlackBerry OS (version 6.0 to 7.1) devices only.
    Useful when: Your organization stresses usability but wants to guard against someone picking up an unlocked device and accepting the VPN challenge.

Microsoft Active Directory password
    Description: When a user connects to the VPN, the user is always prompted for the Windows password. After users log in, they can accept the connection on the device. This option is supported on all devices.
    Useful when: Your organization places security as its most important goal for any deployment.
If users forget their devices, VPN Authentication includes a bypass option that allows users to log in to your network using Microsoft Active Directory authentication only.

VPN Authentication uses Microsoft Active Directory groups to determine which authentication option to use. For example, if you want to use the Forced device password option, you can create a Microsoft Active Directory group called ActiveDeviceAuthGroup and add the user account to that group.

Related information
Supported authentication protocols for each authentication option

Connecting to a VPN network

To authenticate users so that they can connect to a VPN network, VPN Authentication by BlackBerry completes the following tasks:

- Authenticates the user's device
- Acts as a proxy for password authentication
- Combines the two results to determine whether authentication is successful

The connection between the VPN gateway and the VPN Authentication server is established using RADIUS.

Data flow: Connecting to a VPN network using a BlackBerry OS device as the second factor

Note: For authentication to work, the BlackBerry OS device must be connected to a mobile network.

1. A user opens the VPN client on a computer or tablet, selects the appropriate VPN profile, and provides their username and password.
2. The VPN client makes the connection request to the VPN gateway.
3. The VPN gateway forwards the request to the VPN Authentication server.
4. The VPN Authentication server connects to Microsoft Active Directory to determine which authentication group the user account is in.
5. The VPN Authentication server connects to BES5 or BES12 to find the devices that are associated with the user.
6. BES5 or BES12 returns information about the devices that are associated with the user to the VPN Authentication server.
7. For each device that is associated with the user, the VPN Authentication server creates and sends a device authentication request to BES5 or BES12.
8. BES5 or BES12 encrypts the request using AES-256 encryption and forwards the request to the devices that are associated with the user. The request is a push request that the BlackBerry MDS Connection Service sends through the BlackBerry Infrastructure.
9. If required by the authentication option that you chose, or if the device is locked, the device prompts the user to log in.
10. The VPN Authentication app opens a dialog box on the device asking the user to accept or deny the request.
11. After the user accepts or denies the request, the device forwards the response to the VPN Authentication server. The response is protected with SHA-256 hashing and a digital signature, and is sent through the BlackBerry Infrastructure directly to the VPN Authentication server on the port that you open to the Internet for the BlackBerry Infrastructure (see the Port to Internet requirement below).
12. The VPN Authentication server performs the following actions:
    - Sends a notification to the device that it received the response
    - Informs the VPN gateway whether the device authentication process was successful
13. If the user accepts the request and if required by the authentication option that you chose, the VPN Authentication server connects to Microsoft Active Directory to authenticate the user. User authentication can occur using PAP or MS-CHAP.
14. The VPN Authentication server notifies the VPN gateway whether the authentication process was successful.
15. If the authentication process was successful, the VPN gateway permits the user to access the network.

Note: If you are using bypass authentication, steps 5 to 12 are not completed.

Data flow: Connecting to a VPN network using a BlackBerry 10 device as the second factor

1. A user opens the VPN client on a computer or tablet, selects the appropriate VPN profile, and provides their username and password.
2. The VPN client makes the connection request to the VPN gateway.
3. The VPN gateway forwards the request to the VPN Authentication server.
4. The VPN Authentication server connects to Microsoft Active Directory to determine which authentication group the user account is in.
5. The VPN Authentication server connects to BES10 or BES12 to find the devices that are associated with the user.
6. BES10 or BES12 returns information about the devices that are associated with the user to the VPN Authentication server.
7. For each device that is associated with the user, the VPN Authentication server creates and sends a device authentication request to BES10 or BES12.
8. BES10 or BES12 encrypts the request using AES-256 encryption and forwards the request to the devices that are associated with the user. The request is a push request that the BlackBerry MDS Connection Service sends through the BlackBerry Infrastructure.
9. If required by the authentication option that you chose, or if the device is locked, the device prompts the user to log in.
10. The VPN Authentication app opens a dialog box on the device asking the user to accept or deny the request.
11. After the user accepts or denies the request, the device forwards the response to the VPN Authentication server. The response is encrypted using AES-256 encryption and sent through the BlackBerry Infrastructure.
12. The VPN Authentication server performs the following actions:
    - Sends a notification to the device that it received the response
    - Informs the VPN gateway whether the authentication process was successful
13. If the user accepts the request and if required by the authentication option that you chose, the VPN Authentication server connects to Microsoft Active Directory to authenticate the user. User authentication can occur using PAP or MS-CHAP.
14. The VPN Authentication server notifies the VPN gateway whether the authentication process was successful.
15. If the authentication process was successful, the VPN gateway permits the user to access the network.

Note: If you are using bypass authentication, steps 5 to 12 are not completed.

Data flow: Connecting to a VPN network using an iOS or Android device as the second factor

1. A user opens the VPN client on a computer or tablet, selects the appropriate VPN profile, and provides their username and password.
2. The VPN client makes the connection request to the VPN gateway.
3. The VPN gateway forwards the request to the VPN Authentication server.
4. The VPN Authentication server connects to Microsoft Active Directory to determine which authentication group the user account is in.
5. The VPN Authentication server connects to BES12 to find the devices that are associated with the user.
6. BES12 returns information about the devices that are associated with the user to the VPN Authentication server.
7. For each device that is associated with the user, the VPN Authentication server creates and sends a device authentication request to BES12.
8. BES12 forwards the request to the devices that are associated with the user. BES12 protects the request using TLS. The request is sent through the BlackBerry Infrastructure, and the BlackBerry Infrastructure uses APNs or GCM to notify the device of the request.
9. If required by the authentication option that you chose, or if the device is locked, the device prompts the user to log in.
10. The BES12 Client opens a dialog box on the device asking the user to accept or deny the request.
11. After the user accepts or denies the request, the device forwards the response to the VPN Authentication server. The response is protected using TLS and proxied through BES12.
12. The VPN Authentication server performs the following actions:
    - Sends a notification to BES12 that it received the response
    - Informs the VPN gateway whether the authentication process was successful
13. If the user accepts the request and if required by the authentication option that you chose, the VPN Authentication server connects to Microsoft Active Directory to authenticate the user. User authentication can occur using PAP or MS-CHAP.
14. The VPN Authentication server notifies the VPN gateway whether the authentication process was successful.
15. If the authentication process was successful, the VPN gateway permits the user to access the network.

Note: If you are using bypass authentication, steps 5 to 12 are not completed.

How second-factor authentication with VPN Authentication by BlackBerry works

The process that VPN Authentication by BlackBerry uses to verify the second factor differs depending on the device. In all cases, trust is established because an EMM solution from BlackBerry manages the device. The activation process between the device and the EMM solution from BlackBerry sets up a trusted connection between the user and the device that VPN Authentication can use. For information about the trust established during the activation process, see the BES12 Security content.

To verify the response from a BlackBerry OS device, the following actions occur:

- The BlackBerry Infrastructure must authenticate the device and send the device ID to the VPN Authentication server.
- The VPN Authentication server must verify that the device ID came from the BlackBerry Infrastructure as a trusted source.
- The VPN Authentication server must verify that the device ID that the BlackBerry Infrastructure adds to the response matches the device ID that the server received from BES5 or BES12 when it requested information about the devices associated with the user.

To verify the response from a BlackBerry 10 device, the following actions occur:

- The VPN Authentication server must verify that the response was signed by the device private key. The response includes the device certificate, which the server can verify was signed by the BlackBerry signing authority system.
- The VPN Authentication server must verify that the device ID that the device sends in its response matches the device ID that the server received from BES10 or BES12 when it requested information about the devices associated with the user.

To verify the response from an iOS or Android device, the following actions occur:

- BES12 must verify that the device signed the response with the private key of the device certificate. After verification, BES12 forwards the response to the VPN Authentication server over a mutually authenticated TLS connection.
- The VPN Authentication server must verify that the device ID included with the response matches the device ID that the server received from BES12 when it requested information about the devices associated with the user.


2 Installing the VPN Authentication server

For information about software requirements and supported mobile device operating systems, see the Compatibility Matrix content.

You can install VPN Authentication on the same computer as an EMM solution from BlackBerry, but for maintenance and availability reasons this configuration is not recommended.

Environment requirements

Item: VPN gateway
    Requirement: Any of the VPN gateways listed in the Compatibility Matrix content.

Item: EMM solution from BlackBerry
    Requirement: Any of the EMM solutions listed in the Compatibility Matrix content.

Item: Virtual environment
    Requirement: VMware vSphere hypervisor.

Item: Company directory
    Requirement: Microsoft Active Directory, with users who have Microsoft Active Directory accounts and valid email addresses.

Hardware requirements

Item: RAM
    Requirement: 2 GB

Item: CPU
    Requirement: 2 cores

Both the RAM and CPU requirements are designed to allow for a connection to one instance of BES5, BES10, or BES12 and a sustained rate of approximately 30 requests per minute.

Item: Virtual machines
    Requirement: The VPN Authentication server is packaged inside a virtual appliance. Due to known issues generating random numbers on virtual machines, you must configure the hypervisor to give the guest virtual machine that runs the VPN Authentication server access to hardware sources of randomness. Otherwise, you may see delays in secure transactions between the VPN Authentication server and the EMM solution from BlackBerry.

Item: Port to Internet
    Requirement: To support BlackBerry OS (version 6.0 to 7.1) devices, a port must be accessible from the Internet to permit an inbound connection from the BlackBerry Infrastructure
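The data flows under Connecting to a VPN network hand the VPN gateway's request to the VPN Authentication server over RADIUS, with the user's password carried as PAP or MS-CHAP, and the gateway opens the tunnel only on the server's accept. The Go program below is an added example, not code from this guide or from BlackBerry, showing the PAP case as RFC 2865 defines it: the gateway hides the User-Password under the shared secret and a random Request Authenticator, the server parses the packet and recovers the password, and the gateway checks the Response Authenticator so that a reply from anyone who does not hold the shared secret is dropped. The shared secret, username and password are constructed values; the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

const codeAccessRequest, codeAccessAccept, codeAccessReject, attrUserName, attrUserPassword byte = 1, 2, 3, 1, 2 // RFC 2865

// attribute encodes one Type-Length-Value attribute; packet prepends the 20-byte header and fills in Length.
func attribute(t byte, v []byte) []byte { return append([]byte{t, byte(2 + len(v))}, v...) }

func packet(code, id byte, auth, attrs []byte) []byte {
	pkt := append(append([]byte{code, id, 0, 0}, auth...), attrs...)
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	return pkt
}

// xorPassword applies (hide) or strips the RFC 2865 section 5.2 User-Password obfuscation: each 16-byte
// block is XORed with MD5(secret || previous ciphertext block), seeded by the Request Authenticator.
// It is keyed by the shared secret but is not authenticated encryption, so the RADIUS link itself
// still belongs on a trusted network segment.
func xorPassword(secret, reqAuth, in []byte, hide bool) []byte {
	out, prev := make([]byte, len(in)), reqAuth
	for i := 0; i < len(in); i += 16 {
		k := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = in[i+j] ^ k[j]
		}
		if prev = in[i : i+16]; hide {
			prev = out[i : i+16]
		}
	}
	return out
}

// BuildAccessRequest is the VPN gateway side: random Request Authenticator, User-Name, hidden PAP password.
func BuildAccessRequest(secret []byte, id byte, user, password string) ([]byte, error) {
	if len(password) == 0 || len(password) > 128 {
		return nil, errors.New("PAP password must be 1 to 128 bytes")
	}
	reqAuth := make([]byte, 16)
	if _, err := rand.Read(reqAuth); err != nil {
		return nil, err
	}
	padded := append([]byte(password), make([]byte, (16-len(password)%16)%16)...)
	attrs := append(attribute(attrUserName, []byte(user)), attribute(attrUserPassword, xorPassword(secret, reqAuth, padded, true))...)
	return packet(codeAccessRequest, id, reqAuth, attrs), nil
}

// ParseAccessRequest is the authentication server side: check framing, walk the attributes, recover the password.
func ParseAccessRequest(secret, pkt []byte) (user, password string, err error) {
	if len(pkt) < 20 || pkt[0] != codeAccessRequest || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return "", "", errors.New("not a well-formed Access-Request")
	}
	for a := pkt[20:]; len(a) > 0; a = a[a[1]:] {
		if len(a) < 2 || int(a[1]) < 2 || int(a[1]) > len(a) {
			return "", "", errors.New("malformed attribute")
		}
		switch v := a[2:a[1]]; a[0] {
		case attrUserName:
			user = string(v)
		case attrUserPassword:
			if len(v) == 0 || len(v)%16 != 0 || len(v) > 128 {
				return "", "", errors.New("User-Password must be a non-empty multiple of 16 bytes")
			}
			password = string(bytes.TrimRight(xorPassword(secret, pkt[4:20], v, false), "\x00"))
		}
	}
	return user, password, nil
}

// responseAuthenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3.
func responseAuthenticator(code, id byte, reqAuth, attrs, secret []byte) []byte {
	h := md5.New()
	for _, part := range [][]byte{{code, id, byte((20 + len(attrs)) >> 8), byte(20 + len(attrs))}, reqAuth, attrs, secret} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// BuildResponse is the server's Access-Accept or Access-Reject for the combined password-plus-device decision.
func BuildResponse(secret, request []byte, accept bool) []byte {
	code := map[bool]byte{false: codeAccessReject, true: codeAccessAccept}[accept]
	return packet(code, request[1], responseAuthenticator(code, request[1], request[4:20], nil, secret), nil)
}

// VerifyResponse is the gateway side: a reply whose Response Authenticator does not match this request
// and the shared secret is dropped, so an on-path attacker cannot inject a bare Access-Accept.
func VerifyResponse(secret, request, response []byte) (bool, error) {
	if len(request) < 20 || len(response) < 20 || int(binary.BigEndian.Uint16(response[2:4])) != len(response) || response[1] != request[1] {
		return false, errors.New("malformed reply or identifier mismatch")
	}
	want := responseAuthenticator(response[0], response[1], request[4:20], response[20:], secret)
	if subtle.ConstantTimeCompare(want, response[4:20]) != 1 {
		return false, errors.New("bad Response Authenticator: wrong secret or forged reply")
	}
	return response[0] == codeAccessAccept, nil
}
```

Two points the code makes explicit: the password hiding is the only confidentiality PAP gets on the wire, which is why the guide's RADIUS link between gateway and server should not cross an untrusted network, and the gateway must verify the Response Authenticator rather than trust any packet that arrives with the right identifier, since a forged Access-Accept would otherwise bypass both the password check and the device factor.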
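For the BlackBerry 10 case under How second-factor authentication with VPN Authentication by BlackBerry works, the server has to see three things before it trusts the user's accept: the device certificate chains to the BlackBerry signing authority, the signature was made by the device private key, and the device ID matches one that BES returned for the user. The Go program below is an added example, not code from this guide or from BlackBerry, that carries those checks out against a constructed stand-in: a self-signed authority, a device certificate it issues, a response signed by the device key, and the server-side verification. The response layout, ECDSA P-256, the request ID check, and the assumption that the device ID is the certificate's subject name are choices of the example, not the product's format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DeviceResponse is a constructed stand-in for a BlackBerry 10 device's answer: the request it
// answers, the device ID, the decision, the device certificate (DER) and an ECDSA signature by
// the device private key over the first three fields.
type DeviceResponse struct {
	RequestID, DeviceID   string
	Accepted              bool
	DeviceCert, Signature []byte
}

// digest is what the device signs; length-prefixing each field avoids boundary ambiguity.
func digest(requestID, deviceID string, accepted bool) []byte {
	h := sha256.New()
	for _, f := range []string{requestID, deviceID, fmt.Sprint(accepted)} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return h.Sum(nil)
}

// issueCert generates a P-256 key and certificate; parent == nil yields a self-signed CA
// (the stand-in signing authority), otherwise parentKey signs it.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignResponse is the device side. Assumption of this example: the device ID is the certificate's subject CN.
func SignResponse(requestID string, accepted bool, cert *x509.Certificate, key *ecdsa.PrivateKey) (DeviceResponse, error) {
	id := cert.Subject.CommonName
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(requestID, id, accepted))
	return DeviceResponse{requestID, id, accepted, cert.Raw, sig}, err
}

// VerifyResponse is the server side and applies the checks the guide lists: the device certificate
// was issued by the signing authority, the signature was made by the matching device private key,
// and the device ID is one BES returned for this user (knownDevices). Only then is the decision trusted.
func VerifyResponse(r DeviceResponse, authority *x509.Certificate, knownDevices map[string]bool, requestID string) (bool, error) {
	if r.RequestID != requestID {
		return false, errors.New("response answers a different request (stale or replayed)")
	}
	cert, err := x509.ParseCertificate(r.DeviceCert)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(authority)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false, fmt.Errorf("device certificate not issued by the signing authority: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest(r.RequestID, r.DeviceID, r.Accepted), r.Signature) {
		return false, errors.New("signature was not made by the device private key")
	}
	if cert.Subject.CommonName != r.DeviceID || !knownDevices[r.DeviceID] {
		return false, errors.New("device ID does not match the certificate or is not a device BES returned for this user")
	}
	return r.Accepted, nil
}

func main() {
	authority, caKey, _ := issueCert("BlackBerry signing authority (constructed)", true, nil, nil)
	devCert, devKey, _ := issueCert("2FFEC2A1", false, authority, caKey) // constructed device ID
	resp, _ := SignResponse("req-001", true, devCert, devKey)
	fmt.Println(VerifyResponse(resp, authority, map[string]bool{"2FFEC2A1": true}, "req-001"))
	resp.DeviceID = "00000001" // attacker rewrites the device ID: the signature no longer verifies
	fmt.Println(VerifyResponse(resp, authority, map[string]bool{"2FFEC2A1": true}, "req-001"))
}
```

The order of the checks matters: a certificate that does not chain to the authority is rejected before its key is ever used, and the device ID is compared with the BES list only after the signature binds that ID to a key the authority vouched for, so a legitimately enrolled device cannot answer a challenge meant for a different user's device. The request ID check is the example's addition and closes the replay of an earlier accept against a new challenge.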