lundi 27 août 2012

[TMG] Publish Outlook Web App with RSA SecurID authentication


While deploying on Forefront TMG Outlook Web App with RSA SecurID authentication, I was surprised to see that the RSA Authentication manager was replaced by a Web interface on the new versions.

You will found on this article how to generate the required files on RSA, and the main steps on Forefront TMG. Follow the guide :)

1/ Generating the required file on RSA SecurID
The first step is to connect to the new Web interface named RSA Security Console, which replace the RSA Authentication Manager.

Then we go on the Access » Authentication Agents » Add New menu, in order to create an agent for our Forefront TMG (like RADIUS/NPS).

Then we use the following information:
  • Security Domain: setup on the RSA infrastructure
  • Hotsname: the full name of the Forefront TMG server (DNS/FQDN).
    Attention : one agent per Forefront TMG server if you want to build a server farm.
  • IP Address: if everything goes fine this field will be automatically fill when we click on the Resolve IP button.
  • Agent Type: Standard Agent.
  • Then we validate with the Save button.
Here nothing difficult: Yes, Save Agent :).

Then we build the configuration file used by our Forefront TMG server with the Access » Authentication Agents » Generate Configuration File menu.

Again nothing difficult we check that everything is ok and we confirm with Generate Config File.

We download the file with the Download Now link. We could now setup our Forefront TMG server.

2/ Forefront TMG configurations

On this chapter I will not focus on the setup, the getting started wizard and basics configuration of Forefront TMG. Furthermore I will focus on the main steps of publishing Outlook Web App. If you want to know how to do the others steps you could read the following white paper: Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010.

First of all we copy the file generated by RSA (which one we rename sdconf.rec) at the following locations:
  1. C:\Program Files\Microsoft Forefront Threat Management Gateway\sdconfig
  2. %windir%\System32
Attention: all updates on the registry are critical, a backup of the registry before any modification is highly recommended.

Then on the registry we update or create the PrimaryInterfaceIP key with the internal IP of our Forefront TMG server as a value. We could found this key on HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\AceClient.

We also update the ACLs of the SDTI folder and his child for the NETWORK SERVICE account. Indeed this account must have the Full Control and Read rights.

In order to apply the previous changes we restart the Microsoft Forefront TMG Storage service. Sometimes a reboot of the server may be required.

3/ Publishing Outlook Web App

On the System Policy of Forefront TMG, on the Authentication Services » RSA SecurID node in order to authorize communication with our RSA servers we check Enable this configuration group option. For security reason on the To tab it's recommended to restrict only the destination to the RSA server(s) but I'm sure you're aware of it ;).

While publishing Outlook Web App on the Authentication Settings steps we use the following settings:
  • HTML Form Authentication
  • Collect additional delegation credentials in the form
  • RSA SecurID

Then we disable the SSO.

Finally on the Authentication Delegation step the authentication method to use will be Basic authentication.

4/ Authentication problems: common source

While trying to logon with the right user, password and token the following error could occur.

The 106: The Web server is busy mean:
  • The setting file of the RSA agent is missed on one or both location
    and / or
  • Some rights are missing on the registry
    and / or
  • The IP address providing on the registry is invalid

2 commentaires:

  1. can we have two rsa secureid servers going through the one tmg server

    RépondreSupprimer
    Réponses
    1. If it's a RSA SecurID farm yes, but in case if they're independent I don't think so. Indeed the information are stored on the configuration file used by TMG.

      Supprimer