Jan 04

First post of this new 2011, together with my best wishes for a happy new year.

In a recent post I illustrated how to configure StoneGate SSL VPN to perform ticket-based Single-Sign-On to SalesForce.com.

The main benefit of that solution is that authentication stays at home while users still get secure, authenticated access to the SalesForce application in the cloud.

The solution described in that post, although powerful and secure, lacks a little in usability: the user must first log in to the StoneGate SSL VPN application portal, then click the SalesForce application icon and voilà, he’s in.

This post details how to use a Device Definition in StoneGate SSL VPN to greatly improve overall usability, reaching a quicker and smoother result while keeping security at the maximum level.

A Device Definition lets you detect a specific type of connecting device based on patterns in the HTTP request, such as the User-Agent, the OS, the requested URL, the path, etc.
We can therefore define a device type in Manage System > Device Definition based on the requested URL, as shown below:

This ensures that requests for https://salesforce.mydomain.tld are treated differently from all others, according to the configuration in Manage Resource Access > Global Resource Settings > Client Access.

We will configure the Device Definition to send the user to a specific authentication page and, once authentication succeeds, straight to SalesForce via ticket-based Single-Sign-On.

We can retrieve the two links we need (the Authentication Page and the Welcome/Application Page) by looking at the default login menu of the StoneGate SSL VPN Access Point and by “building” the application link as described below.

Open the StoneGate SSL VPN Access Point page and hover over an authentication method, then copy the link target to obtain the authentication page link you are interested in (in the example, StoneGate Password).

For the application link, supposing that your Web Resource for accessing SalesForce with Ticket-SSO is called MySalesForce, the direct link to the application is:

https://sslvpn.mydomain.tld/https/MySalesForce

To define the Client Access parameters for the Device Definition, we just need to strip the scheme and host from the URLs above, keeping only the path and query. We therefore have:

Authentication link (Default Page): /wa/auth?authmech=StoneGate%20Password

Application link (Welcome Page): /https/MySalesForce

We can finally configure the Device Definition Client Access in Manage Resource Access > Global Resource Settings > Client Access - Add Device Settings… as shown below:

Click Add to finalize the configuration.

The last thing to do is to add a DNS A or CNAME record so that salesforce.mydomain.tld resolves to the StoneGate SSL VPN system and requests for this name are routed to it. Note that the server certificate presented by the SSL VPN Access Point must also be valid for this name (through a Subject Alternative Name entry or a wildcard certificate), otherwise browsers will warn users before they even reach the authentication page.

The resulting behaviour is that StoneGate SSL VPN intercepts the URL and, because of the Device Definition configuration, first sends the user to the configured authentication page; once authentication is performed it allows straight access to SalesForce using ticket-based Single-Sign-On.
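To make the mechanism concrete, here is a small Python model of what the configuration above does. This is an added example, not code from the original post or from the StoneGate product: it derives the two Client Access links from full URLs and reproduces the redirect decision a Device Definition makes for anonymous and authenticated requests. The host names, the resource name MySalesForce and the authentication method name are the post’s own examples; the DeviceDefinition class and route() are a simplified model rather than the product’s API, and the request dicts used at the bottom are constructed.

```python
"""Model of how the Device Definition above steers a request.

Added example, not code from the original post or from the StoneGate
product. Host names, the resource name and the authentication method
name are the post's own examples; DeviceDefinition/route() are a
simplified model, not the product's API; the request dicts in main()
are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import quote, urlsplit

SSLVPN_HOST = "sslvpn.mydomain.tld"
VANITY_HOST = "salesforce.mydomain.tld"
AUTH_METHOD = "StoneGate Password"
RESOURCE = "MySalesForce"


def auth_link(auth_method: str) -> str:
    """Default Page link: quote() turns 'StoneGate Password' into
    'StoneGate%20Password', matching the link copied from the login menu."""
    return f"/wa/auth?authmech={quote(auth_method)}"


def app_link(resource_name: str) -> str:
    """Welcome Page link: the direct URL to a Web Resource with Ticket-SSO."""
    return f"/https/{resource_name}"


def strip_host(url: str) -> str:
    """Keep only path and query of a full URL, which is what the Client
    Access fields expect (scheme and host are dropped)."""
    parts = urlsplit(url)
    return parts.path + (f"?{parts.query}" if parts.query else "")


@dataclass(frozen=True)
class DeviceDefinition:
    """Simplified model of a Device Definition plus its Client Access settings."""
    name: str
    host_pattern: str   # compared with the Host header, case-insensitively
    default_page: str   # where an unauthenticated request is sent
    welcome_page: str   # where the user lands once authenticated

    def matches(self, request: dict) -> bool:
        # DNS names are case-insensitive, so normalise before comparing; an
        # exact match keeps 'salesforce.mydomain.tld.evil.example' from matching.
        return request.get("host", "").lower() == self.host_pattern.lower()


def salesforce_definition() -> DeviceDefinition:
    """The definition configured in this post, built from the two links."""
    return DeviceDefinition(
        name="SalesForce",
        host_pattern=VANITY_HOST,
        default_page=auth_link(AUTH_METHOD),
        welcome_page=app_link(RESOURCE),
    )


def route(request: dict, definitions: list[DeviceDefinition],
          authenticated: bool) -> str | None:
    """Return the path the SSL VPN would redirect to, or None when no Device
    Definition matches and the normal portal behaviour applies."""
    for definition in definitions:
        if definition.matches(request):
            return definition.welcome_page if authenticated else definition.default_page
    return None


if __name__ == "__main__":
    sf = salesforce_definition()
    print("Default Page:", sf.default_page)
    print("Welcome Page:", sf.welcome_page)
    # Constructed requests: first visit, after login, and an unrelated host.
    for host, logged_in in ((VANITY_HOST, False), (VANITY_HOST, True), (SSLVPN_HOST, False)):
        print(host, "authenticated" if logged_in else "anonymous", "->",
              route({"host": host, "path": "/"}, [sf], logged_in))
```

Running it prints the two links to paste into the Client Access fields and shows that a request to the vanity host is sent to the StoneGate Password login page first and to /https/MySalesForce afterwards, while requests to the portal host are left to the default behaviour.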

Secured Access to the Cloud, keeping Authentication at Home ;)

written by RoarinPenguin

Aug 24

The power of custom access rules in SSL VPN

SSL VPN, Tech dives -

Here’s another SSL VPN Tech Dive for you StoneBlog readers, with the usual goal of stimulating your creativity and helping you get the most out of StoneGate SSL VPN.

A resource defined in the Administrator interface can be protected by a very flexible and powerful set of criteria: authentication method, user group membership, IP address of the incoming client, client device, date, day and/or time, user storage, assessment, trace removal, Access Point used and Identity Provider.

These criteria can be combined with logical OR and logical AND to create a real access strategy, enforcing the required level of security and authentication strength.

Besides these options, a very powerful one is also available: custom access rules.

Custom access rules are XML files that extend the default capabilities of StoneGate SSL VPN, letting the Security Administrator filter access to protected resources with criteria of his own design.

This post will explain how to create and add them to the configuration.

Continue reading »

written by RoarinPenguin

Jul 20

SSL VPN and Windows Integrated Login

SSL VPN, Tech dives -

I was discussing today with a customer interested in verifying this option offered by StoneGate SSL VPN to protect a web resource… and I thought I would document it here, especially the part related to the Windows configuration.

The whole idea behind WIL is that a backend web server (Internet Information Server, for example) protects a web path with the technique called Windows Integrated Login.

When a browser attempts to reach it, the web server sends back an authentication challenge. The credentials are taken from the Windows environment, so authenticated users of the given domain get in smoothly.

Other users will have to enter credentials in a popup window, and get an HTTP 401 Unauthorized if validation fails.

Continue reading »

written by RoarinPenguin

Jul 09

Welcome to a new techdive about StoneGate SSL VPN.

Today we’ll cover a very interesting topic in this new world of cloud computing and web services: Ticket Single Sign-On.

As most of you might guess, Single Sign-On is a technique for logging in to backend applications and systems without retyping user credentials, once the user is authenticated and access is granted on the main application portal.

StoneGate SSL VPN supports a wide variety of Single Sign-On techniques for legacy and web applications, ranging from static, adaptive, cookie-based and ticket-based to form-based SSO.

I already described Ticket-SSO as a splendid idea in a previous post, but today I will detail the configuration steps needed to implement this technique with a very well known web app in the cloud: Salesforce.com.

Continue reading »

written by RoarinPenguin

Jul 07

I’ve been silent for a few weeks as I wanted to leave the StoneBlog stage to the beautiful series of posts Tero made about the great news of StoneGate 5.2.

But I’m breaking this silence now, since there is a very important test we have done that I want to share with you all.

I have been assisting a partner in a project to implement federated authentication with our StoneGate SSL VPN solution combined with Microsoft STS (Security Token Service).

For those of you who don’t know what Federated Authentication (aka Federated ID or Brokered Authentication) is, I’ll sum it up by saying that it is a technique to access applications “in the cloud” (private or public) while keeping authentication “at home”.

In short, the user requests access to the application from an entity called the Service Provider (SP), which redirects the user to an Identity Provider (IdP) for authentication. As soon as the identity has been validated, the user is automagically redirected back to the SP, which lets the user in because of the trust relationship established with the IdP.

In this post I’ll describe the lab test made with a great guy, hoping that this information could be useful to replicate similar scenarios elsewhere.

Continue reading »

written by RoarinPenguin

Feb 16

The power of form-based Single Sign-On… in 8 steps

SSL VPN, Tech dives -

Today I’m proposing you another tech dive into the beautiful world of Enterprise Single Sign-On, shortened to SSO or eSSO.

StoneGate SSL VPN supports SSO completely, allowing authenticated users to perform transparent login to web and legacy applications such as Remote Desktop, Telnet, SSH, File Share etc.

In a previous article we already mentioned the power of Adaptive SSO, while in this post I’ll cover another type of powerful and flexible SSO type: Form Based Single Sign On.

While adaptive SSO tries to recognize the structure of a form in a web page, attempting to automagically map fields such as username, password or domain, form-based SSO allows complete customization of the way the SSL VPN interacts with the back-end form, to handle even the most complex and awkward situations.

Continue reading »

written by RoarinPenguin

Feb 12

A few days ago I described a technique using certificate-based authentication in StoneGate SSL VPN to match a certificate attribute to a user attribute, in order to uniquely identify a user in the Directory Service and allow login, perform Single Sign-On (SSO), etc.

In this article I’m taking it one step further, since StoneGate SSL VPN can authenticate a user presenting a valid certificate without even knowing who the user is, and then use any field of the certificate to perform SSO to protected resources.

Continue reading »

written by RoarinPenguin

Feb 05

Time has come for a new tech dive on StoneGate SSL VPN, and today I’d like to share with you a nice tip on advanced techniques to manage the Single Sign-On process with our splendid ;) solution.

The idea is to authenticate based on a certificate and then, if a certificate attribute matches a user attribute in the user profile, pass that attribute as the parameter for a Single Sign-On operation.

Consider the following schema:

[schema image: certificate-auth-sslvpn]

Continue reading »

written by RoarinPenguin

Dec 31

This last post of the disappearing 2009 shares with you an interesting feature of StoneGate SSL VPN concerning the definition of user groups.

The solution offers two ways to group users: by User Location and by User Property.

While the first is pretty self-explanatory, referencing a DN within a defined User Storage (e.g. OU=SSLVPN_Users,DC=example,DC=com), the second offers four possibilities:

  • User Storage Location
  • Custom Defined
  • RADIUS Session
  • SAML Session

Continue reading »

written by RoarinPenguin

Dec 07

Importing DROP-list from Spamhaus.org

Hints and Tips, Live from Field, Scripts -

[image: spamhaus_to_smc]

The Finnish CERT (CERT-FI) recommends paying special attention to certain address blocks. They mention the DROP list by the Spamhaus project as the most up-to-date list of malicious addresses.

It is always boring and time-consuming to type long lists of addresses, so I made a quick-and-dirty script that converts the DROP list into StoneGate elements and creates a group of them. You can feed the DROP list to this script, zip the result and import it into the SMC.

Being an old-timer, I wrote this with an ancient tool called awk, which you can find on most Unix-based systems, including Linux. The most common variant is GNU awk, gawk. Someone would probably write this in 2 lines of Perl…

I provide this script as is, with no expressed or implied guarantees of any kind.  Use this at your own risk.  If you manage to break something with this, you have been warned and you assume full responsibility.  I have tested this on one system (Fedora Core 9) with one input, today’s DROP list from Spamhaus.org.

So, take a look at the code and decide for yourself whether you trust it. Especially see the comment at the beginning. Change the element naming convention to suit your needs and enjoy.
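The awk script itself is not reproduced on this page, so here is an added Python example that shows the parsing half of the job: reading DROP-format text (one “network/prefix ; SBLnnn” entry per line, comment lines starting with “;”), validating every network and turning the entries into named elements plus a group. This is not the author’s script and not code from the page; the SMC import format is not shown here either, so make_elements() and make_group() return plain dicts rather than SMC XML, and the naming convention is a parameter so it can be changed as the post suggests. SAMPLE is constructed from RFC 5737 documentation ranges, not a real DROP download.

```python
"""Parser for the Spamhaus DROP list format.

Added example, not the author's awk script and not code from the page.
The SMC import format is not shown on the page, so elements and the
group are returned as plain dicts. SAMPLE is constructed from RFC 5737
documentation ranges, not a real DROP download.
"""
from __future__ import annotations

import ipaddress
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

SAMPLE = """\
; Spamhaus DROP List - constructed sample for this example
; Last-Modified: Mon, 07 Dec 2009 00:00:00 GMT
192.0.2.0/24 ; SBL12345
198.51.100.0/24 ; SBL23456

203.0.113.7/24 ; SBL34567
not-an-address ; SBL99999
"""


def parse_drop(text: str) -> tuple[list[tuple[Network, str]], list[str]]:
    """Return (entries, rejected): entries as (network, SBL id) pairs and
    rejected as the raw lines that did not parse. strict=True refuses a
    prefix whose host bits are set (203.0.113.7/24) instead of silently
    widening it to 203.0.113.0/24, which would block more than intended."""
    entries: list[tuple[Network, str]] = []
    rejected: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # header or comment line
        cidr, _, comment = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            rejected.append(line)
            continue
        entries.append((net, comment.strip()))
    return entries, rejected


def make_elements(entries: list[tuple[Network, str]],
                  name_fmt: str = "DROP_{net}_{bits}") -> list[dict]:
    """Build one network element per entry. name_fmt is the naming convention
    to adapt to local standards: {net} = network address, {bits} = prefix
    length, {sbl} = SBL identifier."""
    elements = []
    for net, sbl in entries:
        elements.append({
            "name": name_fmt.format(net=net.network_address, bits=net.prefixlen, sbl=sbl),
            "address": str(net.network_address),
            "prefix_length": net.prefixlen,
            "comment": sbl,
        })
    return elements


def make_group(elements: list[dict], group_name: str = "Spamhaus_DROP") -> dict:
    """Group element referencing every network element by name, mirroring
    the 'group of them' that the post's script creates."""
    return {"name": group_name, "members": [e["name"] for e in elements]}


if __name__ == "__main__":
    entries, rejected = parse_drop(SAMPLE)
    elements = make_elements(entries)
    for element in elements:
        print(element)
    print(make_group(elements))
    for line in rejected:
        print("rejected:", line)
```

Feed it the real drop.txt instead of SAMPLE and keep an eye on the rejected list: a line that fails validation is a sign the file format changed or the download was corrupted, and silently dropping it would leave a hole in the blocklist.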

written by olli