© 2006-2011 Winfrasoft Corporation. All rights reserved. This publication is for informational purposes only. Winfrasoft makes no warranties, express or implied, in this summary. Winfrasoft and Winfrasoft HAS are trademarks of Winfrasoft Corporation. All other trademarks are property of their respective owners.

Winfrasoft HAS
Installation and Configuration Guide

Winfrasoft HAS for Microsoft Forefront UAG 2010

Published: October 2011
Applies to: Winfrasoft HAS (Build 2.0.2300.4)
Web site: http://www.winfrasoft.com
Email: [email protected]

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organisations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organisation, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user.

Winfrasoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written licence agreement from Winfrasoft, the furnishing of this document does not give you any licence to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Active Directory, UAG 2010, Windows and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Copyright © 2006-2011 Winfrasoft Corporation. All rights reserved.

Table of Contents

Table of Contents ........ 3
Introduction ........ 4
  Considerations ........ 4
    Server System Requirements ........ 4
    Language Requirements ........ 4
  Configuration Overview ........ 4
  Licensing ........ 5
    Running a trial ........ 5
    Applying a new licence ........ 5
Design and Deployment Scenarios ........ 6
Smartcard Technology ........ 6
  Background ........ 6
Deployment ........ 7
  Overview ........ 7
  Installing the Winfrasoft HAS Server ........ 8
  Installing the Winfrasoft HAS Plug-in for UAG 2010 ........ 12
  Installing the Winfrasoft HAS Management Console ........ 15
  Uninstalling Winfrasoft HAS ........ 18
HAS Configuration on UAG 2010 ........ 20
  Configure IIS MIME Types (Internet only) ........ 20
  Add a HAS Authentication Repository (Internet) ........ 22
  Add a HAS Authentication Repository (N3) ........ 24
  Configure a UAG Trunk to use HAS (Internet) ........ 26
  Configure a UAG Trunk to use HAS (N3) ........ 35
  Configure User Auto Provisioning without Self Service Password Reset ........ 42
  Configure User Auto Provisioning with Self Service Password Reset ........ 50
    Active Directory Configuration ........ 50
    UAG 2010 Configuration ........ 52
  Configure the TMG Firewall (N3 only) ........ 59
Certificate Configuration ........ 60
  Certificate Trust List Configuration ........ 60
Winfrasoft HAS Management ........ 62
Advanced Configuration ........ 63
  HAS Registry Keys ........ 63
    HAS Server / Appliance keys ........ 63
    UAG Server / Appliance keys ........ 64

Introduction

Winfrasoft HAS is a two-factor authentication and provisioning application that integrates with Microsoft Forefront UAG 2010 to:

- Provide smart card two-factor authentication for NHS CRS cards.
- Provision smart card users into Microsoft Active Directory without AD schema extensions and without an AD integrated PKI.
- Provide integrated Self Service Password Reset capabilities to help reduce helpdesk costs, since users can securely prove who they are with their smart card.
- Integrate with the NHS Identity Agent and Spine.

Considerations

Server System Requirements

The minimum system requirements for Winfrasoft HAS are:

- Winfrasoft UAG Appliance or a server running Forefront UAG 2010
  o HAS supports UAG RTM, Update 1, Update 2, SP 1 & SP 1 Update 1.
- Winfrasoft HAS Appliance or Windows Server 2003 (SP2) or 2008 running IIS
- 32bit / 64bit PC with Active Directory Users and Computers MMC
- Microsoft Active Directory

Language Requirements

Server

The Winfrasoft HAS MMC Add-in is compatible with multi-lingual versions of Windows Server 2003 / 2008, but is only available in English. Product support and documentation are only available in English.

Configuration Overview

Prior to installation, ensure you have the following:

- A fully configured Winfrasoft Gateway Appliance running Forefront Unified Access Gateway 2010, including networking and portal configuration information.
- A Winfrasoft HAS Appliance or an available server running Windows Server 2003 (SP2) or Windows Server 2008 to install the HAS Web Services onto.
- A valid Winfrasoft HAS Licence file with sufficient licences for the deployment requirements. The installation includes 10 free licences.
- Smart cards and their appropriate middleware smart card reader software (e.g. GemAuthenticate Client). This can be remotely installed via the login page.
- Optional: NHS Identity Agent if accessing from N3.
- A client test workstation on either the Internet, or on N3 with a functioning NHS Identity Agent installed.

Licensing

Winfrasoft HAS is licensed on a combination of a per-server basis and client access licences. A licence file must be installed onto each Microsoft UAG 2010 appliance, otherwise the application will not function.

Running a trial

Winfrasoft HAS is available for trial. Fully functional, time-limited trial licences can be requested from Winfrasoft.

All installations of the Winfrasoft HAS server software include a non-expiring 10 user licence.

Applying a new licence

Once you receive a new licence from Winfrasoft, install the Winfrasoft HAS licence file onto the server running the HAS Web Services by copying the new licence file into the Winfrasoft HAS installation directory and renaming it to licence.lic. Once the licence has been installed, restart the IIS web server by running IISRESET for the new licence to take effect.

Note: For detailed information on the licence types please refer to the licence agreement document embedded within the installation package.

Design and Deployment Scenarios

Winfrasoft HAS is designed to operate with Microsoft Forefront UAG 2010 Update 1. The Winfrasoft HAS Management utility uses Microsoft Management Console technology, which can be run remotely and installed on any 32bit or 64bit machine where Active Directory Users and Computers is installed.

Winfrasoft HAS is a true Enterprise-class solution designed for highly available, multi-master Active Directory integrated deployments. In high-availability deployments and scenarios with numerous users, provisioned user information can be stored across multiple domains in an Active Directory Forest with no schema extensions required.

There are two main deployment scenarios for Winfrasoft HAS:

(1) Access from the Internet: This scenario uses the card's public and private key pair (protected by the PIN) to verify the card and user. The UID in the smart card is linked with an AD user account.

(2) Access from N3 using the Identity Agent: This scenario uses the NHS Identity Agent and validates sessions against Spine. The UID from Spine is linked with an AD user account.

When a user is provisioned to use HAS they are able to use both authentication methods; there is no need to provision a user twice.

Smartcard Technology

Background

As the usage of Information Technology has increased exponentially, the need for security of these systems has increased accordingly. Traditionally, authenticating users was done solely by the user providing a valid username and password. This was known as single-factor authentication, as the user “knows” all parts of the authentication process. Over time, information provided by the user alone was no longer sufficient and additional factors were required.

Physical token technology came to the fore and smart cards have become a recognised industry standard for authentication. The major benefit of smart cards is the versatility of the solution: smart cards can not only prove the identity of the holder and authenticate the user to a network, but can also be used for physical perimeter access. Furthermore, picture identification can be printed on the card for additional verification and user identification.

Deployment

Overview

This deployment section assumes that the UAG 2010 Appliance has been installed and is configured.

To fully deploy the Winfrasoft HAS solution the following steps must be performed:

(1) Deploy and configure UAG 2010, including any service packs or updates
(2) Install Winfrasoft HAS Web Services on a separate server to UAG 2010
(3) Install the Winfrasoft HAS Add-on for UAG 2010 on the UAG appliance
(4) Provision users with HAS tokens

Note: This guide does not detail how to install and configure UAG 2010.

Installing the Winfrasoft HAS Server

The Winfrasoft HAS Web Services must be installed onto a server running Windows Server 2008 R2 (x64), the HAS Server. The Winfrasoft HAS Server is also available as a preconfigured appliance from Winfrasoft.

The HAS Web Services can NOT be installed on a server running UAG 2010 due to restrictions placed on UAG 2010 by Microsoft. This is a change from the previous version of HAS for IAG 2007, which was able to cater for this scenario.

(1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer.
(2) The setup wizard starts.
(3) Click Next to continue.
(4) After reading the licence agreement, click I accept the terms in the License Agreement if you agree to the terms, then click Next to continue.

Note: Ensure you are logged onto the HAS Server with Domain Admin rights to allow the Active Directory configuration to be performed.

(5) Select the setup type. Click Custom and select Next to continue.
(6) Click Next to continue.

Note: The HAS Web Services can NOT be installed on a server running UAG 2010 due to restrictions placed on UAG 2010 by Microsoft. This is a change from the previous version of HAS for IAG 2007, which was able to cater for this scenario.

Note: The HAS Management Console option is automatically visible when installing on the HAS Server if the Active Directory Users and Computers snap-in is already installed.

(7) Click Next to continue.

The installation is performed. During the install a balloon will pop up displaying the UAG version that was detected for the Plug-in.

Note: The Winfrasoft HAS Active Directory Initialisation wizard may show extra information or warning messages if it has previously been run in the forest. Existing groups will be reused for multiple box deployment scenarios.

(8) Ensure no critical errors have occurred during the Winfrasoft HAS Active Directory Initialisation; if any have, contact Winfrasoft for support. Click Close to continue.
(9) All necessary Winfrasoft HAS files have been installed on your HAS Server. Click Finish to complete the installation process.

Note: The HAS Server may require a restart in order for all changes to be applied. Without a restart the HAS Server will not have the required rights to update smart card details on AD user accounts. If HAS is being reinstalled or the server is already a member of the Winfrasoft HAS Servers group then a reboot is not required.

The Winfrasoft HAS Servers group is added to the Account Operators group by default. This grants the HAS Server the rights required to update user accounts with Smart Card information for auto provisioning. However, Account Operators do not have rights to modify AD Administrator accounts, so administrator accounts cannot use auto provisioning by default. Add the Winfrasoft HAS Servers group to the Domain Admins group to enable this functionality.

Installing the Winfrasoft HAS Plug-in for UAG 2010

The Winfrasoft HAS Plug-in for UAG 2010 enables UAG to communicate with the HAS Server.

(1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer.
(2) The setup wizard starts.
(3) Click Next to continue.
(4) After reading the licence agreement, click I accept the terms in the License Agreement if you agree to the terms, then click Next to continue.

(5) Select the setup type. Click Custom and select Next to continue.
(6) Click Next to continue.
(7) Enter the fully qualified DNS name of the HAS appliance or of the web server running the HAS authentication web service. Click Next to continue.

Note: The HAS Web Services can NOT be installed on a server running UAG 2010 due to restrictions placed on UAG 2010 by Microsoft. This is a change from the previous version of HAS for IAG 2007, which was able to cater for this scenario.

Note: The HAS Management Console option is automatically selected when installing on the UAG server if the Active Directory Users and Computers snap-in is locally installed.

(8) Click Next to continue.

The installation is performed.

(9) All necessary Winfrasoft HAS files have been installed on your UAG appliance. Click Finish to complete the installation process.

Installing the Winfrasoft HAS Management Console

The Winfrasoft HAS Management Console can only be installed on a 32bit or 64bit computer that has the Active Directory Users and Computers MMC snap-in installed. Typically, this would be a Domain Controller.

(1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer.
(2) The setup wizard starts.
(3) Click Next to continue.
(4) After reading the licence agreement, click I accept the terms in the License Agreement if you agree to the terms, then click Next to continue.

(5) Select the setup type. Click Custom and select Next to continue.
(6) Ensure that only the HAS Management Console is selected if other choices are displayed. Click Next to continue.

Note: If IIS is installed on the machine you want to install the HAS Management Console on, then the HAS Web Service will display as a selected installation option.

(7) Click Next to continue.

The installation is performed.

(8) Click Finish to complete the installation process.

Uninstalling Winfrasoft HAS

If you no longer require Winfrasoft HAS you can remove it from a server by doing the following:

(1) To start the Winfrasoft HAS un-installation, run the Winfrasoft HAS.exe installer. Alternatively use Add/Remove Programs in the Control Panel, select the Winfrasoft HAS application and click Remove.
(2) Running the EXE file starts the setup wizard.
(3) Select Uninstall. Click Next to continue.
(4) Click Next to continue.

The Winfrasoft HAS uninstall will remove configured components.

(5) Click Finish to complete the uninstall process.

HAS Configuration on UAG 2010

Configure IIS MIME Types (Internet only)

(1) On the UAG 2010 server, open IIS Manager and select the Server.
(2) Double click MIME Types.

(3) Click Add… and add each of the following MIME types:

    Extension   MIME type
    .dat        application/octet-stream
    .vslp       application/octet-stream
    .cfg        application/octet-stream

When done, the three MIME types appear in the MIME Types list.

(4) Close IIS Manager when done.

Note: Do NOT add the MIME types to the default web site; they MUST be added to the web server directly.

Add a HAS Authentication repository (Internet)

(1) Start the Microsoft UAG 2010 Management Console.
(2) Click Admin - Authentication and Authorization Servers…
(3) Click Add…

(4) Select Other from the Server type drop down list. Enter “WinfrasoftHASInternet” (one word) in the Server name box. Check the Use a different server for portal application authorization box and select the existing Active Directory repository from the dropdown list. Click OK.
(5) Click Close.

Add a HAS Authentication repository (N3)

(1) Start the Microsoft UAG 2010 Management Console.
(2) Click Admin - Authentication and Authorization Servers…
(3) Click Add…

(4) Select Other from the Server type drop down list. Enter “WinfrasoftHASN3” (one word) in the Server name box. Check the Use a different server for portal application authorization box and select the existing Active Directory repository from the dropdown list. Click OK.
(5) Click Close.

Configure a UAG Trunk to use HAS (Internet)

A Trunk can be configured for use from N3 or the Internet, but not both. If you require HAS functionality from both locations then either use the Internet configuration only and do not rely on Spine authentication, or set up two Trunks.

(1) Start the Microsoft UAG 2010 Management Console.
(2) Every Trunk on the UAG server must be configured separately to use HAS. Select the trunk to configure for use with HAS Authentication. Click Configure…

Note: The URLs used in this section are listed in the C:\Program Files\Winfrasoft HAS\readme.txt file. It is highly recommended that the URLs are copied and pasted from the readme.txt file instead of manually typed, for speed and accuracy.

(3) Select the Authentication tab.
(4) In the “Require users to authenticate as session logon” section:
    a. Under Select authentication servers:
        i. Add WinfrasoftHASInternet

        ii. Remove the existing Active Directory entry
    b. Update the User login page entry with: CustomUpdate/HASLoginInternet.asp
(5) Select the URL Set tab.

Note: Do NOT place a “/” {slash} before “CustomUpdate/HASLoginInternet.asp”

(6) In this section, the appropriate access rules for the different custom files installed by HAS must be created. Scroll through the URL List and select the URL InternalSite_Rule2. Below the Parameter List, click Add to add a new parameter for this URL Rule. Set the parameter values to the following:

    Parameter List
    Property                  Value
    Name                      chall
    Name Type                 String
    Value                     {empty}
    Value Type                String
    Length                    0:350
    Existence                 Optional
    Occurrences               Multiple
    Max Total Length          -1
    Rejected values checking  On

(7) Scroll through the URL List and select the URL InternalSite_Rule20. Modify the URL property so that it reads as follows:

    URL
    /internalsite/scripts/customupdate/[0-9a-z]*(params|install|sslvpnpage|rds|jquery-1.3.2|format|scripts|vsapi)\.js

(8) Add the following Primary URLs. For each new URL set, click Add Primary.

    URL List

    Property     Value
    Name         InternalSite_SC1
    Action       Accept
    URL          /internalsite/scripts/customupdate/api_gsl_p7/(vsappletlauncher|vsapinative)\.jar
    Parameters   Ignore
    Note         {empty}
    Methods      GET

    Property     Value
    Name         InternalSite_SC2
    Action       Accept
    URL          /internalsite/scripts/customupdate/api_gsl_p7/(vsapi)\.dat
    Parameters   Ignore
    Note         {empty}
    Methods      GET

    Property     Value
    Name         InternalSite_SC3
    Action       Accept
    URL          /internalsite/scripts/customupdate/api_gsl_p7/(vsapiapplet)\.vslp
    Parameters   Ignore
    Note         {empty}
    Methods      GET

    Property     Value
    Name         InternalSite_SC4
    Action       Accept
    URL          /internalsite/scripts/customupdate/api_gsl_p7/(vstapidll)\.cfg
    Parameters   Ignore
    Note         {empty}
    Methods      GET

    Property     Value
    Name         InternalSite_SC5
    Action       Accept
    URL          /internalsite/scripts/customupdate/api_gsl_p7/META-INF/services/javax.xml.parsers.SAXParserFactory
    Parameters   Ignore
    Note         {empty}
    Methods      GET

    Property     Value
    Name         InternalSite_UserLookup
    Action       Accept
    URL          /internalsite/customupdate/userlookup.asp
    Parameters   Handle
    Note         {empty}
    Methods      GET

    Parameter list
    Property                  Entry 1    Entry 2
    Name                      authtype   sessionid
    Name Type                 String     String
    Value                     {empty}    {empty}
    Value Type                String     String
    Length                    1:10       1:2000
    Existence                 Mandatory  Mandatory
    Occurrences               Single     Single
    Max Total Length          -1         -1
    Rejected values checking  On         On

(9) Once complete and the appropriate modifications and new URL Set pages have been successfully added, click OK to accept the changes.
(10) Open the following folder in Windows Explorer:

    C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

    Make a copy of the [PortalName]1PostPostValidate (Winfrasoft HAS).inc file. Rename the copy by removing “ (Winfrasoft HAS)“ from the end and replacing “[PortalName]” with the actual name of the Trunk you are configuring. Do not remove the “1”, e.g. InternetPortal1PostPostValidate.inc
(11) Click Activate Configuration to apply and save the changes.

(12) Click Activate to apply the changes.
(13) Click Finish.
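The URL Set entries above decide which HAS files and query parameters the trunk will accept, so it is worth checking them against a few request URLs before activating. The following Python script is an added example, not part of the Winfrasoft guide or of UAG itself: it models the Internet trunk rules and parameter lists exactly as tabulated above, and assumes that UAG anchors each URL expression to the whole request path, compares case-insensitively, and rejects any parameter not in a Handle list (the same checker applies to the N3 trunk rules, and all sample URLs are constructed).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter list entries as (min length, max length, mandatory, multiple occurrences),
# copied from the tables above. "Max Total Length -1" (unlimited) and UAG's
# "Rejected values checking" list are not modelled here.
USERLOOKUP_SPEC = {
    "authtype":  (1, 10,   True, False),
    "sessionid": (1, 2000, True, False),
}
# The "chall" parameter added to the pre-existing InternalSite_Rule2 (0:350, Optional, Multiple).
CHALL_SPEC = {"chall": (0, 350, False, True)}

# URL rules as (name, URL expression from the guide, parameter mode, parameter list).
# Assumption: InternalSite_Rule20 is an existing UAG rule whose parameter mode the
# guide does not show; Ignore is assumed for it here.
URL_RULES = [
    ("InternalSite_Rule20",
     r"/internalsite/scripts/customupdate/[0-9a-z]*(params|install|sslvpnpage|rds|jquery-1.3.2|format|scripts|vsapi)\.js",
     "Ignore", {}),
    ("InternalSite_SC1", r"/internalsite/scripts/customupdate/api_gsl_p7/(vsappletlauncher|vsapinative)\.jar", "Ignore", {}),
    ("InternalSite_SC2", r"/internalsite/scripts/customupdate/api_gsl_p7/(vsapi)\.dat", "Ignore", {}),
    ("InternalSite_SC3", r"/internalsite/scripts/customupdate/api_gsl_p7/(vsapiapplet)\.vslp", "Ignore", {}),
    ("InternalSite_SC4", r"/internalsite/scripts/customupdate/api_gsl_p7/(vstapidll)\.cfg", "Ignore", {}),
    ("InternalSite_SC5",
     r"/internalsite/scripts/customupdate/api_gsl_p7/META-INF/services/javax.xml.parsers.SAXParserFactory",
     "Ignore", {}),
    ("InternalSite_UserLookup", r"/internalsite/customupdate/userlookup.asp", "Handle", USERLOOKUP_SPEC),
]


def match_url(path):
    """Return the first rule whose expression matches the whole request path, or None.

    Assumption: UAG anchors the expression to the full path and compares case-insensitively.
    The real trunk has many more rules than the HAS-related ones modelled here.
    """
    for rule in URL_RULES:
        if re.fullmatch(rule[1], path, re.IGNORECASE):
            return rule
    return None


def check_parameters(spec, query):
    """Validate a query string against a parameter list; returns a list of violations ([] = accepted)."""
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    problems = []
    for name, (lo, hi, mandatory, multiple) in spec.items():
        values = seen.get(name, [])
        if mandatory and not values:
            problems.append(f"{name}: mandatory parameter missing")
        if not multiple and len(values) > 1:
            problems.append(f"{name}: single occurrence only, got {len(values)}")
        for value in values:
            if not lo <= len(value) <= hi:
                problems.append(f"{name}: length {len(value)} outside {lo}:{hi}")
    # Assumption: with Parameters = Handle, a parameter that is not in the list is rejected.
    problems.extend(f"{name}: not in parameter list" for name in seen if name not in spec)
    return problems


def evaluate(url):
    """Decide whether a request URL would be accepted by the modelled rules: (accepted, reason)."""
    parts = urlsplit(url)
    rule = match_url(parts.path)
    if rule is None:
        return False, "no URL rule matched"
    name, _, mode, spec = rule
    if mode == "Ignore":
        return True, f"{name}: matched, parameters ignored"
    problems = check_parameters(spec, parts.query)
    if problems:
        return False, f"{name}: " + "; ".join(problems)
    return True, f"{name}: matched, parameters accepted"


if __name__ == "__main__":
    # Constructed sample requests; none of these come from the guide.
    for sample in (
        "/InternalSite/scripts/customupdate/api_gsl_p7/vsapinative.jar",
        "/internalsite/scripts/customupdate/hasvsapi.js",
        "/internalsite/scripts/customupdate/other.js",
        "/internalsite/customupdate/userlookup.asp?authtype=has&sessionid=abc123",
        "/internalsite/customupdate/userlookup.asp?authtype=has",
        "/internalsite/customupdate/userlookup.asp?authtype=has&sessionid=a&sessionid=b",
    ):
        print(sample, "->", evaluate(sample))
```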

Configure a UAG Trunk to use HAS (N3)

A Trunk can be configured for use from N3 or the Internet, but not both. If you require HAS functionality from both locations then either use the Internet configuration only and do not rely on Spine authentication, or set up two Trunks.

(1) Start the Microsoft UAG 2010 Management Console.
(2) Every Trunk on the UAG server must be configured separately to use HAS. Select the trunk to configure for use with HAS Authentication. Click Configure…

Note: The URLs used in this section are listed in the C:\Program Files\Winfrasoft HAS\readme.txt file. It is highly recommended that the URLs are copied and pasted from the readme.txt file instead of manually typed, for speed and accuracy.


(3) Select the Authentication tab.


(4) In the “Require users to authenticate as session logon” section:

    a. Under Select authentication servers:
        i. Add WinfrasoftHASN3
        ii. Remove the existing Active Directory entry

    b. Update the User login page entry with:
        CustomUpdate/HASLoginN3.asp

    Note
    Do NOT place a “/” {slash} before “CustomUpdate/HASLoginN3.asp”

(5) Select the URL Set tab.


(6) In this section, we now need to create the appropriate access rules for the different custom files installed by HAS. Scroll through the URL List and select the URL InternalSite_Rule20. Modify the URL property so that it contains the new entries shown below (highlighted in bold in the original guide):

    URL
    /internalsite/scripts/customupdate/[0-9a-z]*(params|install|sslvpnpage|rds|jquery-1.3.2)\.js

(7) Scroll through the URL List and select the URL InternalSite_Rule27. Modify the URL property so that it contains the new entries shown below (highlighted in bold in the original guide):

    URL
    /internalsite/applet/(detectjava|microsoftclient|oesislocal|runtimeelevator|agent_win_helper|agent_mac_helper|agent_lin_helper|gettoken)\.jar


(8) Add the following Primary URL. For each new URL set, click Add Primary.

    URL List
    Property         Value
    Name             InternalSite_UserLookup
    Action           Accept
    URL              /internalsite/customupdate/userlookup.asp
    Parameters       Handle
    Note             {empty}
    Methods          GET

    Parameter list
    Heading                    Entry 1      Entry 2
    Name                       authtype     sessionid
    Name Type                  String       String
    Value                      {empty}      {empty}
    Value Type                 String       String
    Length                     1:10         1:2000
    Existence                  Mandatory    Mandatory
    Occurrences                Single       Single
    Max Total Length           -1           -1
    Rejected values checking   On           On
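To see what the URL Set entries from steps 6 to 8 actually accept and reject once UAG enforces them, the following is an added Python model of a URL Set rule written for this guide; it is not Winfrasoft or Microsoft code. It assumes UAG semantics the page does not spell out: the rule URL is a case-insensitive regular expression that must match the whole request path, "Parameters: Handle" means every query parameter must appear in the rule's parameter list, and "Rejected values checking" compares each value against a global reject list (modelled here by a small constructed list). The sample requests, including the file name hasparams.js, are constructed.

```python
"""Model of a UAG URL Set rule applied to the HAS entries (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-in for UAG's global rejected-values list (not on the page).
REJECTED_VALUES = ("<script", "../", "' or ", "--")


@dataclass
class Param:
    """One column of the rule's parameter list."""
    name: str
    min_len: int                 # Length min
    max_len: int                 # Length max
    mandatory: bool = True       # Existence: Mandatory
    single: bool = True          # Occurrences: Single
    rejected_check: bool = True  # Rejected values checking: On


@dataclass
class Rule:
    name: str
    url: str                     # regular expression from the guide
    methods: tuple = ("GET",)
    params: tuple = ()
    handle_params: bool = False  # Parameters: Handle (True) or not (assumed for Rule20/Rule27)


# Path patterns exactly as given in steps 6 and 7 of the guide.
RULE20 = Rule("InternalSite_Rule20",
              r"/internalsite/scripts/customupdate/[0-9a-z]*(params|install|sslvpnpage|rds|jquery-1.3.2)\.js")
RULE27 = Rule("InternalSite_Rule27",
              r"/internalsite/applet/(detectjava|microsoftclient|oesislocal|runtimeelevator|"
              r"agent_win_helper|agent_mac_helper|agent_lin_helper|gettoken)\.jar")

# The InternalSite_UserLookup rule from step 8 with its two mandatory parameters.
USERLOOKUP = Rule("InternalSite_UserLookup",
                  r"/internalsite/customupdate/userlookup.asp",
                  methods=("GET",),
                  params=(Param("authtype", 1, 10), Param("sessionid", 1, 2000)),
                  handle_params=True)


def evaluate(rule, method, request_url):
    """Return (accepted, reason) for one request checked against one rule."""
    parts = urlsplit(request_url)
    if not re.fullmatch(rule.url, parts.path, re.IGNORECASE):
        return False, "path does not match the rule URL"
    if method.upper() not in rule.methods:
        return False, f"method {method.upper()} is not allowed by the rule"
    if not rule.handle_params:
        return True, "accepted (parameters not handled by this rule)"

    # Group query values by lower-cased name so Occurrences can be checked.
    seen = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        seen.setdefault(key.lower(), []).append(value)

    allowed = {p.name.lower(): p for p in rule.params}
    for key in seen:
        if key not in allowed:
            return False, f"parameter '{key}' is not in the rule's parameter list"

    for p in rule.params:
        values = seen.get(p.name.lower(), [])
        if p.mandatory and not values:
            return False, f"mandatory parameter '{p.name}' is missing"
        if p.single and len(values) > 1:
            return False, f"parameter '{p.name}' occurs more than once"
        for value in values:
            if not p.min_len <= len(value) <= p.max_len:
                return False, f"'{p.name}' length {len(value)} is outside {p.min_len}:{p.max_len}"
            if p.rejected_check and any(bad in value.lower() for bad in REJECTED_VALUES):
                return False, f"'{p.name}' contains a rejected value"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample requests: two HAS-style file fetches, then a valid
    # UserLookup call followed by calls its parameter list should reject.
    for rule, method, url in [
        (RULE20, "GET", "/InternalSite/scripts/customupdate/hasparams.js"),
        (RULE27, "GET", "/internalsite/applet/agent_lin_helper.jar"),
        (USERLOOKUP, "GET", "/internalsite/customupdate/userlookup.asp?authtype=spine&sessionid=abc"),
        (USERLOOKUP, "POST", "/internalsite/customupdate/userlookup.asp?authtype=spine&sessionid=abc"),
        (USERLOOKUP, "GET", "/internalsite/customupdate/userlookup.asp?authtype=spine"),
        (USERLOOKUP, "GET", "/internalsite/customupdate/userlookup.asp?authtype=spine&sessionid=%3Cscript%3E"),
    ]:
        print(rule.name, method, url, "->", evaluate(rule, method, url))
```

The point worth noticing is that the Length 1:10 / 1:2000 limits, Mandatory existence and Single occurrence settings in the table are each a separate rejection path, so a copy-and-paste mistake in any one row leaves a different class of malformed request through.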


(9) Once the modifications and the new URL Set pages have been added successfully, click OK to accept the changes.

(10) Open the following folder in Windows Explorer:

    C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

    Make a copy of the “[PortalName]1PostPostValidate (Winfrasoft HAS).inc” file. Rename the copy by removing “ (Winfrasoft HAS)” from the end and replacing “[PortalName]” with the actual name of the Trunk you are configuring. Do not remove the “1”, e.g. N3Portal1PostPostValidate.inc

(11) Click Activate Configuration to apply and save the changes.

(12) Click Activate to apply the changes.

(13) Click Finish.


Configure User Auto Provisioning without Self Service Password Reset

To enable users to access the self-provisioning functionality, i.e. the ability for users to associate smart cards with their Active Directory account, the Winfrasoft HAS Provisioning application must be published in the trunk.

This section describes the process to publish the Winfrasoft HAS Auto Provisioning and Self Service Password Reset pages in UAG 2010.

(1) Start the Microsoft UAG 2010 Management Console.

(2) Select the appropriate trunk to add the Self Service Password Reset Application to. In the Applications section, click Add...

Note
This process must be repeated for every UAG trunk that will provide portal access to provisioning and password resets.


(3) The UAG Add Application Wizard will start. Click Next.

(4) Choose Other Web Application (portal hostname) from the Web section. Click Next.

(5) Complete the Application Values with the following and click Next:

    Property            Value
    Application Name    Winfrasoft HAS Auto Provisioning
    Application Type    GenericWeb


(6) Click Next.

(7) Click Next.


(8) Click Next.

(9) Complete the values for the Web Servers as follows:

    Property        Value
    Address Type    IP/Host
    Addresses       {HAS Server FQDN}
    Paths           /
    HTTP ports      12000
    HTTPS ports     12443

Note
If multiple HAS servers are deployed in a high availability scenario, then publish both together as a server farm.


(10) Click Next.

(11) Click Next.


(12) Untick the Add a portal and toolbar link box. Click Next.

(13) Click Next.


(14) Click Finish.

(15) Click Activate Configuration to apply and save the changes.


(16) Click Activate to apply the changes.

(17) Click Finish.

Your Trunk is now configured to use the Auto Provisioning functionality.


Configure User Auto Provisioning with Self Service Password Reset

To enable users to reset their Active Directory passwords and to access the auto provisioning functionality, i.e. the ability for users to associate smart cards with their Active Directory account, the Self Service Password Reset application must be published in the trunk. The Self Service Password Reset facility shares the same published application configuration as auto provisioning to simplify the configuration.

Active Directory Configuration

This section describes the process to configure the Active Directory with Kerberos Constrained Delegation to support Self Service Password Reset.

(1) Open Active Directory Users and Computers (either on a DC or management station) and select the properties of the UAG 2010 computer account, then select the Delegation tab.

(2) Select Trust this computer for delegation to specific services only and Use any authentication protocol (if they are not already selected), then click Add…


(3) Click Users or Computers… and locate the HAS Server computer account running the HAS Web Services.

(4) Select the “http” service type and click OK.

(5) Click OK.


UAG 2010 Configuration

This section describes the process to publish the Winfrasoft HAS Auto Provisioning and Self Service Password Reset pages in UAG 2010.

(1) Start the Microsoft UAG 2010 Management Console.

(2) Select the appropriate trunk to add the Self Service Password Reset Application to. In the Applications section, click Add...

Note
This process must be repeated for every UAG trunk that will provide portal access to provisioning and password resets.


(3) The UAG Add Application Wizard will start. Click Next.

(4) Choose Other Web Application (portal hostname) from the Web section. Click Next.

(5) Complete the Application Values with the following and click Next:

    Property            Value
    Application Name    Self Service Password Reset
    Application Type    GenericWeb

(6) Click Next.


(7) Click Next.

(8) Click Next.

(9) Complete the values for the Web Servers as follows:

    Property        Value
    Address Type    IP/Host
    Addresses       {HAS Server FQDN}
    Paths           /
    HTTP ports      12000
    HTTPS ports     12443

Note
If multiple HAS servers are deployed in a high availability scenario, then publish both together as a server farm.

(10) Click Next.

(11) Click Next.


(12) Click Next.

(13) Click Next.


(14) Click Finish.

(15) Double click the Self Service Password Reset application to edit it.

(16) Select the Authentication tab.

(17) Check Use single sign-on to send credentials to published applications, then select Use Kerberos constrained delegation for single sign-on. Enter “http/*” or “http/{your.server.and.domain.name}” in the Application field, where {your.server.and.domain.name} is the full DNS name of the HAS computer account in AD.


(18) Click OK.

(19) Click Activate Configuration to apply and save the changes.

(20) Click Activate to apply the changes.

(21) Click Finish.

Your Trunk is now configured to use Self Service Password Reset and Auto Provisioning functionality.


Configure the TMG Firewall (N3 only)

Microsoft UAG 2010 runs on top of TMG 2010, which provides security and protocol access to the published portals on UAG via its firewall services. As such, a firewall rule needs to be created allowing Winfrasoft HAS access to the N3 network.

To do this, create a Firewall rule in the Microsoft TMG Management Console with the following properties:

    Property      Value
    Name          Winfrasoft N3 Spine Access
    Action        Allow
    Protocols     HTTP, HTTPS
    From          Local Host
    To            External
    Conditions    All users


Certificate Configuration

Various certificate configurations must be performed on the UAG server, depending on the type of Smart Card authentication being used.

Certificate Trust List Configuration

In order for Winfrasoft HAS to “trust” the certificates, the public certificate of the issuer’s root CA needs to be applied. Winfrasoft HAS makes use of the Operating System trust list to validate SSL certificates.

Import the required Root and Intermediate certificates into the certificate store of the Computer account.

The required certificate files are installed in the following folder:

    C:\Program Files\Winfrasoft HAS\certs\

Note
Do NOT double click the certificate file to install it; this will install the certificate into the currently logged on user’s certificate store instead of the Computer account store.


Note
HAS includes the Root and Intermediate certificates for the Live and NIS1 Spine implementations.


Winfrasoft HAS Management

Winfrasoft HAS must be configured and users need to be provisioned before they can use the two-factor authentication technologies.

Users can be provisioned automatically via the auto-provisioning web page (if enabled), or via the MMC Snap-In. All data is stored in the Active Directory (without the need for schema extensions), not on the HAS or UAG server.

To configure a user’s Winfrasoft HAS credentials, on a machine that has the Winfrasoft HAS Management Console Snap-In extension installed, open Active Directory Users and Computers. Select the user you wish to manage. Open the account properties and select the NHS Smart Card tab.

If a User ID exists, then this user has been configured for Winfrasoft HAS. Administrators can manually configure users by entering the user’s UID in this field.

To remove a user from Winfrasoft HAS, click the Clear button. The certificate subject name will be removed from the user account and the licence will be released for use by another user.

The License Availability details displayed are solely for informational purposes and cannot be modified manually. Should you require additional licences, please contact your local Winfrasoft partner.

Note
There is a current known limitation that Smart Card information cannot be modified on user account properties when the accounts are located via the Find feature of Active Directory Users and Computers.

The Read Card feature is currently only available when using a 32-bit MMC.


Advanced Configuration

Winfrasoft HAS advanced configuration is performed by modifying pre-existing registry keys.

HAS Registry Keys

These keys should NOT be renamed or removed; only the values can be changed. Not all keys are available on all servers, as some are specific to the UAG Server or Appliance and others to the HAS Server or Appliance; however, some are common to both.

The keys are located in the following registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Winfrasoft\Winfrasoft HAS

UAG Server / Appliance keys

LicenceFolder (default: C:\Program Files\Winfrasoft HAS)
    The path on the server where the licence file is located. It is not recommended to change this location.

LoggingEnabled (default: 0)
    Changing this setting to 1 enables diagnostic logging. This should not be enabled for usual operation and is only required for troubleshooting or when instructed by Winfrasoft support.

HASWebServiceURL (default: http://has.winfrasoftdemo.com:12000)
    The URL accessed by UAG 2010 when connecting to the HAS Server. This URL must be updated with the correct server name after installation. It is not supported to use a port other than 12000.


HAS Server / Appliance keys

AutoProvisionDisabled (default: 0)
    Provides the ability to enable or disable the user auto provisioning functionality. The default of 0 indicates that auto provisioning is not disabled. To disable auto provisioning, set the value to 1.

AutoProvisionOverwriteEnabled (default: 0)
    Changing this setting to 1 allows a user to overwrite an existing smart card link with a new card. When this value is set to 0, an administrator has to manually unlink the existing card before a user can link a new one. This setting has no effect if auto provisioning has been disabled.

DisableSpineCertCheck (default: 1)
    Disables checking the validity of the SSL certificate used on the Spine connection point. This is enabled by default to allow Spine authentication to work in cases where the CRL or the root for the SSL certificate is not available.

GuestAccessEnabled (default: 0)
    Changing this setting to 1 allows guest users to access the UAG portal. A guest user is a user with no AD user account. To allow a guest user access to internal resources, create an AD user account called “PortalGuest” and assign any required rights to it. When this setting is set to 0, guest logins are not possible.

LicenceFolder (default: C:\Program Files\Winfrasoft HAS)
    The path on the server where the licence file is located. It is not recommended to change this location.

LoggingEnabled (default: 0)
    Changing this setting to 1 enables diagnostic logging. This should not be enabled for usual operation and is only required for troubleshooting or when instructed by Winfrasoft support.

LoggingFolder (default: C:\Program Files\Winfrasoft HAS\Log)
    The path on the server where the diagnostic logging files are located. It is not recommended to change this location.

ProvisionTTL (default: 3600 decimal)
    Time in seconds that session information is kept in memory prior to a successful provisioning event.

SessionTTL (default: 300 decimal)
    Time in seconds that a session is kept active before a user must enter their smart card PIN.

SpineURL (default: https://sbapi.national.ncrs.nhs.uk/saml/RoleAssertion?token={sso_ticket})
    The URL accessed by the HAS Server when connecting to Spine. If testing against other Spine implementations, this URL can be modified.
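Because several of these values weaken or widen what HAS accepts (DisableSpineCertCheck turns off SSL certificate validation towards Spine and is on by default, GuestAccessEnabled admits users with no AD account, LoggingEnabled is meant for troubleshooting only, and HASWebServiceURL ships with a placeholder host and supports only port 12000), it is worth checking them after installation and at intervals afterwards. The following audit script is an added example written for this guide, not Winfrasoft tooling; the key path and defaults are taken from the tables above, the checks encode the constraints the tables state, and the sample dictionaries in the usage and the host name has.corp.example are constructed. It reads the live key with winreg on Windows and falls back to a constructed sample elsewhere.

```python
"""Audit Winfrasoft HAS registry values against the guide's stated constraints (added example)."""
from urllib.parse import urlparse

HAS_KEY_PATH = r"SOFTWARE\Winfrasoft\Winfrasoft HAS"   # under HKEY_LOCAL_MACHINE (from the guide)

# Defaults as listed in the guide's two tables.
UAG_DEFAULTS = {
    "LicenceFolder": r"C:\Program Files\Winfrasoft HAS",
    "LoggingEnabled": 0,
    "HASWebServiceURL": "http://has.winfrasoftdemo.com:12000",
}
HAS_DEFAULTS = {
    "AutoProvisionDisabled": 0,
    "AutoProvisionOverwriteEnabled": 0,
    "DisableSpineCertCheck": 1,
    "GuestAccessEnabled": 0,
    "LicenceFolder": r"C:\Program Files\Winfrasoft HAS",
    "LoggingEnabled": 0,
    "LoggingFolder": r"C:\Program Files\Winfrasoft HAS\Log",
    "ProvisionTTL": 3600,
    "SessionTTL": 300,
    "SpineURL": "https://sbapi.national.ncrs.nhs.uk/saml/RoleAssertion?token={sso_ticket}",
}


def read_has_registry():
    """Read the key on a Windows host; return None off Windows or if the key is absent."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HAS_KEY_PATH) as key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:          # no more values under the key
                    break
                values[name] = data
                index += 1
    except OSError:
        return None
    return values


def _flag(values, name):
    """Interpret a 0/1 value whether it was stored as a DWORD or as a string."""
    raw = values.get(name)
    return None if raw is None else int(str(raw).strip())


def audit_has_registry(values, role):
    """Return a list of (value name, finding) for a 'uag' or 'has' server."""
    defaults = UAG_DEFAULTS if role == "uag" else HAS_DEFAULTS
    findings = []

    # The guide says keys must not be renamed or removed, so report any that are gone.
    for name in defaults:
        if name not in values:
            findings.append((name, "expected value is missing (renamed or removed?)"))

    if _flag(values, "LoggingEnabled") == 1:
        findings.append(("LoggingEnabled", "diagnostic logging is on; the guide reserves it for troubleshooting"))

    if role == "uag" and "HASWebServiceURL" in values:
        url = urlparse(str(values["HASWebServiceURL"]))
        if url.port != 12000:
            findings.append(("HASWebServiceURL", "port other than 12000 is not supported"))
        if url.hostname == "has.winfrasoftdemo.com":
            findings.append(("HASWebServiceURL", "still the installer default; set the real HAS server name"))

    if role == "has":
        if _flag(values, "DisableSpineCertCheck") == 1:
            findings.append(("DisableSpineCertCheck",
                             "Spine SSL certificate validation is off (the guide's default); "
                             "keep only while the root CA or CRL is genuinely unreachable"))
        if _flag(values, "GuestAccessEnabled") == 1:
            findings.append(("GuestAccessEnabled",
                             "guest portal logins are allowed; review the rights granted to PortalGuest"))
        if _flag(values, "AutoProvisionOverwriteEnabled") == 1 and _flag(values, "AutoProvisionDisabled") != 1:
            findings.append(("AutoProvisionOverwriteEnabled",
                             "users can replace an existing smart card link without an administrator"))
        for name in ("ProvisionTTL", "SessionTTL"):
            if name in values and int(str(values[name])) > defaults[name]:
                findings.append((name, f"{values[name]} s is longer than the default {defaults[name]} s"))
    return findings


if __name__ == "__main__":
    live = read_has_registry()
    # Off Windows, fall back to a constructed sample so the audit still runs.
    sample = live if live is not None else dict(HAS_DEFAULTS, LoggingEnabled=1)
    role = "uag" if "HASWebServiceURL" in sample else "has"
    for name, finding in audit_has_registry(sample, role):
        print(f"{name}: {finding}")
```

Run it on each UAG and HAS server after the registry edits in this chapter; a clean HAS server with the guide's defaults still reports DisableSpineCertCheck, which is the intended reminder that certificate checking towards Spine should be switched back on (value 0) once the Root and Intermediate certificates from the Certificate Configuration section are installed and the CRL is reachable.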