Mar 24

SSLVPN, Directory Service and User Storages


Ten different opinions or interpretations of the same concepts from different people convinced me that it is time to shed some light on two very important concepts for StoneGate SSL VPN: Directory Service and User Storage.

These two terms are often related to the same backend technologies (an OpenLDAP server, for example), which generates confusion and misunderstanding.

I will now try to give a clear explanation of the usage and purpose of both, to blow the fog away.

Let’s start with a dogma: StoneGate SSL VPN cannot work without a Directory Service defined. It is used to store information about user profiles: which authentication methods they are allowed to use, which properties they have, and several other pieces of information.

Although an Internal LDAP is shipped with every version of StoneGate SSL VPN, it should be used for system testing purposes only. As soon as the system is put into a production environment, a proper directory service should be defined.

Several are supported, such as Microsoft Active Directory, OpenLDAP, Sun/Oracle Java System Directory Server and Novell eDirectory; in general, every system compliant with the LDAP v3 specification should work smoothly.

It is important to remember that the admin user profile is not stored in the Directory Service, so that the system administration interface can be accessed even when the configured Directory Service is not reachable.

The Directory Service can be configured in the Administrator Interface by clicking on Manage System – Directory Service.

Below is a screenshot showing an example configuration, with the options to define a secondary host and to secure communication with LDAPS.

[Screenshot: Directory Service configuration]

A handy Test connection option is also present to immediately verify the correctness of the configuration.

Once the Directory Service is defined, we can use the Administrator Interface to create users, groups and properties, enable authentication methods for a given user or group, and so on.

The relevant part of this information is stored, in hashed format, under the Directory Service location DN configured above.

What is a User Storage then, and why is it important?

Let’s now assume that in our corporation we have several users defined in one or more user repositories, and we are thinking of enabling SSL VPN access for some of them without having to recreate them in the SSL VPN.

Still, we know the SSL VPN has some cool features like SMS- or MobileID-based authentication, and we would like to enable these methods for those user profiles.

Also, users are already grouped, and we would like to benefit from this categorization in some way to differentiate access to the relevant corporate applications.

These are some of the reasons to define backend User Storages, meaning the places where the user information we are interested in is stored. Once a User Storage is defined, we can fetch several pieces of information about a given user, such as the username, mail, password, mobile phone number, group memberships and more.

This information can be used to create SSL VPN User Profiles easily, without the need to copy and paste details, which are instead dynamically linked.
This process is called User Linking, and it can even be automated to produce the following sample scenario: user Marco, who has a profile stored in a Microsoft Active Directory server defined as a User Storage, tries to log in to the SSL VPN.

This triggers the following operations:

  • user Marco is defined in the SSL VPN Directory Service
  • Marco’s mobile phone number is retrieved (and linked) from the User Storage
  • Marco’s mail address is retrieved (and linked) from the User Storage
  • StoneGate Mobile Text authentication is activated for user Marco in the SSL VPN, using a password from the User Storage
  • The successful result of the user linking process, together with the related passwords and/or PIN, is communicated to the user via different channels (like mail and SMS) in separate messages, for security reasons
  • Since Marco is part of some groups in the User Storage, when he logs in he will meet some security criteria (like using a specific authentication method and being part of some groups), so he will see only the corporate applications available to him in the dynamically populated Application Portal
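The User Linking flow above, modeled as an added Python example (not StoneGate code). The in-memory User Storage, the Application Portal rules, the PBKDF2 hashing of the profile secret and the one-time PIN are all constructed assumptions; the point it shows is that the profile holds links resolved against the User Storage at use time, that the PIN travels on a different channel than the activation notice, and that group membership drives the portal.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a backend User Storage (an AD/LDAP server): username -> attributes.
USER_STORAGE = {
    "Marco": {"mail": "marco@example.invalid", "mobile": "+39 333 0000000",
              "memberOf": ["vpn-users", "finance"]},
}
# Constructed Application Portal rules: application -> groups allowed to see it.
PORTAL = {"Intranet": {"vpn-users"}, "ERP": {"finance"}, "HR-portal": {"hr"}}
# The SSL VPN Directory Service: profiles hold hashed secrets and *links* to storage attributes.
DIRECTORY_SERVICE = {}

def hash_secret(secret, salt=None):
    """Profile secrets are kept hashed (PBKDF2 here, an assumption), never in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)

def resolve(username, attr, storage=USER_STORAGE):
    """Linked attributes are read from the User Storage at use time, not from a copy."""
    src_user, src_attr = DIRECTORY_SERVICE[username]["links"][attr]
    return storage[src_user][src_attr]

def link_user(username, storage=USER_STORAGE):
    """User Linking on first login: create the profile, link mail and mobile, enable Mobile Text."""
    if username not in storage:
        return None                      # unknown in every User Storage: nothing to link
    links = {"mail": (username, "mail"), "mobile": (username, "mobile")}
    pin = f"{secrets.randbelow(10**6):06d}"     # one-time PIN for the Mobile Text method
    DIRECTORY_SERVICE[username] = {"links": links, "auth": {"MobileText"},
                                   "pin": hash_secret(pin)}
    # Result and PIN go out on different channels, in separate messages.
    notices = [("mail", resolve(username, "mail"), "Mobile Text authentication enabled"),
               ("sms", resolve(username, "mobile"), f"PIN: {pin}")]
    return DIRECTORY_SERVICE[username], notices

def verify_pin(username, pin):
    """Constant-time check of a submitted PIN against the hashed profile secret."""
    salt, digest = DIRECTORY_SERVICE[username]["pin"]
    return hmac.compare_digest(digest, hash_secret(pin, salt)[1])

def portal_apps(username, storage=USER_STORAGE):
    """Group memberships from the User Storage drive what the Application Portal shows."""
    groups = set(storage[username]["memberOf"])
    return sorted(app for app, allowed in PORTAL.items() if groups & allowed)
```

Updating Marco's mobile number in the User Storage changes what `resolve` returns without re-running the linking, which is the difference between linking and copying.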

The picture below shows the flexibility of the SSL VPN solution when interfacing with multiple user storages:

[Figure: SSL VPN interfacing with multiple user storages]

There are other cool uses of a User Storage, mentioned in previous articles.

Hopefully this article clarified the differences between a Directory Service and a User Storage for StoneGate SSL VPN.

Identity and Access Management. Simplified.

written by RoarinPenguin
