Authenticate SecureNAT Users on ISA/TMG
[SIZE=2]Hello,
Today one of the most common firewalls used in small, medium and even large networks is ISA Server. Most people are already quite familiar with this firewall, so I'll skip the introduction and get straight to the point.[/SIZE];)
Prerequisite: [URL]http://forum.persiannetworks.com/f80/t35724.html[/URL]
[SIZE=2]
One of the limitations or problems of ISA is that when you want to give users Internet access by username and password, you have to configure proxy settings on the browsers the clients use. Depending on the number of users (if you don't have a domain), the different browsers users run, the fact that Web Proxy clients support no protocols other than HTTP and HTTPS, and so on, this is a difficult and time-consuming job. And if you use SecureNAT clients on the network, those clients cannot authenticate at all, so you cannot give them Internet access by username and password.
Also consider a situation where guests who need Internet access come and go at your company/organization/hotel/... . What should you do to give these users Internet access by username and password? Set a proxy for them too?!! Use dedicated connections? Or give them unrestricted Internet access (via SecureNAT clients)?! Each of these has its own problems and headaches, which is why some admins, to avoid getting involved in these issues, abandon ISA altogether and use a Hotspot instead.
Yet this is possible with ISA too, and in some cases it even gives us more capabilities than a hotspot. Of course ISA doesn't have this capability on its own - just as it doesn't have bandwidth control without BWS - but with [URL="http://www.collectivesoftware.com/Products/Captivate"]Collective Software’s Captivate[/URL] this capability is added to ISA. This is only one of the features the software provides; to read about its other features you can refer to the link above. The software's site also has other useful tools, including LogHostName, which is very useful and effective for reporting from ISA, and if I'm still around I'll write something about it in the future. The site also provides training PDFs for each part, with everything you need shown step by step in screenshots. I strongly recommend reading that link in full.
After installing this program on the ISA server, a module is added to ISA under Application Filters, and a tab for the required settings is added to the Access Rules. After doing the required configuration (which we'll get to below), SecureNAT clients will also be able to authenticate. It works like this: these clients, after opening any of their browsers and without any proxy settings, will see the ISA login page (not the browser's own login prompt), and once they log in they can use the Internet, exactly like a hotspot.
Below I've put a summary of the tutorial on using the software. For installing the software, just click Next all the way through [/SIZE];)[SIZE=2] .
[COLOR=#ff0000]Warning:
Before fully mastering and becoming familiar with this software, do not deploy it in a production environment under any circumstances; always try it in a virtual test environment first.
[/COLOR]
So the scenario is as follows: there are two networks, and the clients on the Guest network, which get their IP address from DHCP, must authenticate in order to use the Internet, without any proxy settings.
One more point: this tutorial uses https for the login, which is not mandatory. Those who don't need it can use plain http, though the settings then differ a bit from the link below.
[/SIZE][LTR][LTR][LEFT][SIZE=2]
[/SIZE]
[LTR]
[URL="http://www.isaserver.org/img/upl/image0021217849737041.JPG"][IMG]http://www.isaserver.org/img/upl/image0021217849737041.JPG[/IMG][/URL]
In order to create a solution that will allow SecureNAT users to authenticate to the ISA firewall and be allowed access for the number of hours you want them to have before authenticating again, you’ll need to do the following:
[/LTR]
[/LEFT][LTR]
[LIST][*][LEFT]Create the Guest Web Listener[/LEFT][*][LEFT]Create the Web Publishing Rule[/LEFT][*][LEFT]Configure Captivate for the Web Publishing Rule[/LEFT][*][LEFT]Create the Firewall Access Rule for Authenticated Clients[/LEFT][*][LEFT]Configure Captivate on the Firewall Access Rule[/LEFT][/LIST]
[LEFT][B]Create the Guest Web Listener[/B]
The first step is to create a Web Listener that uses forms-based authentication. This will allow us to collect credentials from the users on the Guest Network. After creating this Web Listener, we’ll create a Web Publishing Rule that uses this Web Listener.
In the ISA firewall console, click on the [B]Firewall Policy[/B] node in the left pane of the console and click the [B]Toolbox[/B] tab in the Task Pane. Click the [B]New[/B] menu and click [B]Web Listener[/B].
On the [B]Welcome to the New Web Listener Wizard[/B] page, enter a name for the Web Listener. Since this listener will only be used to collect credentials for the Guest Network, we’ll call it [B]Guest Listener[/B].
Click [B]Next[/B].
On the [B]Client Connection Security [/B]page, select the [B]Require SSL secured connection with clients[/B] option. This will force the client browsers on the Guest Network to use a secure connection when sending their user name and passwords over the wire.
Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0031218456817459.jpg[/IMG]
On the [B]Web Listener IP Addresses[/B] page, put a checkmark in the [B]Guest[/B] checkbox. This allows connections only from the Guest Network to receive the log on form.
Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0051218456817475.jpg[/IMG]
On the [B]Listener SSL Certificates[/B] page, select the [B]Use a single certificate for this Web Listener[/B] option, then click the [B]Select Certificates[/B] button.
In the [B]Select Certificate[/B] dialog box, select the certificate that the Web Listener will use. In this example, I used IIS 7 to generate a Web site certificate to use with the Web Listener. The common/subject name on the certificate is [B]guest.msfirewall.org[/B]. The clients on the Guest Network will need to be able to resolve this name to the IP address on the Guest Network interface on the ISA firewall. Recall that I used the DNS server on the default Internal Network to host the Host (A) record for [B]guest.msfirewall.org[/B].
Another thing to be aware of is that you should use a commercial certificate for this listener. Since the clients on the Guest Network are unmanaged clients, they aren’t going to trust your private CA. I suppose you could require them to install your private CA’s certificate, but that’s probably not a good idea from a security viewpoint.
[IMG]http://www.isaserver.org/img/upl/image0071218456846475.jpg[/IMG]
After you select the certificate, click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0091218456846506.jpg[/IMG]
On the [B]Authentication Settings[/B] page, select the [B]HTML Form Authentication[/B] option from the [B]Select how clients will provide credentials to ISA Server[/B] drop down list. Select the [B]Windows (Active Directory) [/B]option from the [B]Select how ISA Server will validate client credentials[/B] options. This option allows the ISA firewall to authenticate using either Active Directory or local accounts configured on the firewall.
Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0111218456846537.jpg[/IMG]
We’re not concerned with single sign-on in the example, so make no changes on this page and click [B]Next[/B].
Click [B]Finish[/B] on the [B]Completing the New Web Listener Wizard[/B] page.
[IMG]http://www.isaserver.org/img/upl/image0151218456872975.jpg[/IMG]
[h=2]Create the Web Publishing Rule[/h]Now that we have the Web Listener configured, we can use that Web Listener on the Web Publishing Rule that will intercept the user’s outbound connection and allow authentication using the form.
In the ISA firewall console, click the [B]Firewall Policy [/B]node in the left pane of the console and then click the [B]Tasks[/B] tab in the Task Pane. Click the [B]Publish Web Sites[/B] link.
On the [B]Welcome to the New Web Publishing Rule Wizard[/B] page, enter a name for the rule in the [B]Web publishing rule name[/B] text box. In this example, we’ll name the rule [B]Guest Auth Rule[/B] and click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0171218456872975.jpg[/IMG]
On the [B]Select Rule Action[/B] page, select the [B]Allow[/B] option and click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0191218456897459.jpg[/IMG]
On the [B]Publishing Type[/B] page, select the [B]Publish a single Web site or load balancer [/B]option and click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0211218456897459.jpg[/IMG]
On the [B]Server Connection Security [/B]page, select the [B]Use SSL to connect to the published Web server or server farm[/B] option and click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0231218456897475.jpg[/IMG]
Now here’s where things get interesting. On the [B]Internal Publishing Details[/B] page, put a bogus entry in the [B]Internal site name[/B] text box. The reason for this is that we’re not using this Web Publishing Rule to publish a real server. The purpose of this rule is to allow the form to be presented to the user on the Guest Network. After the user authenticates with the ISA firewall, the Captivate Filter will automatically redirect the user to the URL he requested.
In the [B]Internal site name[/B] text box we’ll enter [B]Don’t-Care[/B]. Then we’ll put a checkmark in the [B]Use a computer name or IP address to connect to the published server[/B] and enter the IP address of the NIC connected to the Guest Network. While this isn’t technically required, it will improve performance because the ISA firewall won’t waste time trying to resolve the name in the [B]Internal site name[/B] text box.
Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0251218456922787.jpg[/IMG]
Make no changes on the [B]Internal Publishing Details[/B] page. Again, we don’t need to configure anything here because we’re not actually publishing anything. We’re just making it possible for the form to be displayed.
[IMG]http://www.isaserver.org/img/upl/image0271218456922787.jpg[/IMG]
On the [B]Public Name Details[/B] page, make sure that the [B]This domain name (type below)[/B] option is selected from the [B]Accept requests for[/B] drop down list. In the [B]Public name[/B] text box, enter the name that is the common/subject name on the Web site certificate bound to the Web Listener.
In this example the common/subject name on the certificate is [B]guest.msfirewall.org[/B], so we’ll enter that into the [B]Public name[/B] text box.
Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0291218456922787.jpg[/IMG]
On the [B]Select Web Listener[/B] page, select the [B]Guest Listener[/B] entry from the [B]Web listener[/B] drop down list. Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0311218456947318.jpg[/IMG]
On the [B]Authentication Delegation[/B] page, select the [B]No delegation, and client cannot authenticate directly[/B]. Since we’re not actually publishing a Web site, there’s no reason to delegate or authenticate with the non-existent server.
Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0331218456947318.jpg[/IMG]
On the [B]User Sets[/B] page, accept the default of [B]All Authenticated Users[/B] and click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0351218456947318.jpg[/IMG]
Click [B]Finish[/B] on the [B]Completing the New Web Publishing Rule[/B] page. Note that we don’t need to use the [B]Test Rule[/B] button: since there isn’t a real server behind the rule, we already know that the test will fail.
[IMG]http://www.isaserver.org/img/upl/image0371218456988568.jpg[/IMG]
[h=2]Configure Captivate for the Web Publishing Rule[/h]Now we need to configure Captivate on this Web Publishing Rule. First, put checkmarks in the [B]Enforce Captivate policy on this rule[/B] and [B]Use different settings for this rule[/B] checkbox. Actually, you don’t need to put a checkmark in the [B]Use different settings for this rule[/B] checkbox if you want to use the default Captivate policy.
In this example I want all users to authenticate at least once a day, at 8AM or afterwards. In addition, after the first log on, I want them to reauthenticate every 8 hours. So I configure the Captivate settings as seen in the figure below to enable these settings.
The [B]Track user name instead of IP when known to ISA[/B] option doesn’t apply to the SecureNAT scenario we’re using here, so we’ll leave that checkbox unchecked. And we’ll put a checkmark in the [B]Track Physical (MAC) address instead of IP address[/B] setting, so that we can use a short TTL on our DHCP addresses without a lease change forcing the user to log on again.
[IMG]http://www.isaserver.org/img/upl/image0381218456988584.gif[/IMG]
Now you need to put a checkmark in the [B]Change Advanced Settings [/B]checkbox and click the [B]Edit[/B] button to open the [B]Lua Script Editor[/B]. Find the [B]LogOdbc.lua[/B] script in the C:\Program Files\Microsoft ISA Server\Collective Software\Captivate\lua\examples folder and open it in Notepad. Copy the entire contents of the script to the clipboard and paste it into the [B]Lua Script Editor[/B]. This allows Captivate to log the user request in the Web Proxy log so that you can trace that user’s IP address and follow the user’s activity in the log file if you wish. It also can enable logging to a SQL database.
If you’re not logging to a SQL database, make sure to comment out the [B]LogAuthorization(originalUrl)[/B] line by putting two dashes in front of that line, as seen in the figure below.
[IMG]http://www.isaserver.org/img/upl/image0401218456988584.jpg[/IMG]
Click [B]Save[/B] in the script editor and click [B]OK[/B] in the Web Publishing Rule’s dialog box.
[h=2]Create the Firewall Access Rule for Authenticated Clients[/h]With the Web Listener in place to accept the credentials, the next step is to create an Access Rule that will allow the authenticated users outbound access for the protocols we want them to have access to.
However, if you want to allow access to protocols other than HTTP and HTTPS, then you’ll need to bind the Captivate filter to those protocols. To do that, click the [B]Toolbox[/B] tab in the Task Pane and then double click the protocol that you want Captivate to control. In this example, we’ll create a rule that allows HTTP/HTTPS/SMTP and POP3, so we need to enable the Captivate filter for the SMTP and POP3 protocols. Click the [B]Parameters[/B] tab, put a checkmark in the [B]Captivate for ISA Server[/B] checkbox and click [B]OK[/B]. Do that for both protocols.
[IMG]http://www.isaserver.org/img/upl/image0421218457016193.jpg[/IMG]
[IMG]http://www.isaserver.org/img/upl/image0441218457016209.jpg[/IMG]
Note that binding the filter will not have any effect on Firewall and Web Proxy clients on other networks. The reason for this is that when the Captivate filter gets called for a new connection, it looks at which policy rule was matched. If it’s not a Captivate-enabled rule, then the connection immediately passes. On the other hand, if the request matches a rule with the Captivate filter enabled, then the IP address or MAC address information is checked to see if that address is authorized by Captivate, and only if so is the connection passed through the ISA firewall.
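The decision just described (only Captivate-enabled rules are gated, and the tracked IP or MAC address must carry a current log on), combined with the re-authentication windows chosen earlier for the Web Publishing Rule (at least once a day at 8 AM or later, then every 8 hours), can be modelled in a few lines. The following Python is an added illustration written for this post; it is not Collective Software’s code and does not use Captivate’s Lua API. The rule names, addresses and timestamps are constructed for the example.

```python
"""Model of a Captivate-style authorization decision for SecureNAT clients.

Assumptions (not from the product): sessions are keyed by MAC address when
"Track Physical (MAC) address" is set on the rule, otherwise by source IP;
a user must log on again at or after 08:00 each day and every 8 hours.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, time

REAUTH_INTERVAL = timedelta(hours=8)   # "reauthenticate every 8 hours"
DAILY_REAUTH_AT = time(8, 0)           # "at least once a day, at 8AM or afterwards"


@dataclass(frozen=True)
class Rule:
    name: str
    captivate: bool          # "Enforce Captivate policy on this rule"
    track_mac: bool = False  # "Track Physical (MAC) address instead of IP address"


@dataclass(frozen=True)
class Connection:
    src_ip: str
    src_mac: str
    rule: Rule   # the policy rule the firewall matched for this connection


class CaptivatePolicy:
    """Holds the table of authorized addresses and their last log-on time."""

    def __init__(self):
        self._last_logon = {}  # tracked address -> datetime of last successful logon

    @staticmethod
    def _key(conn):
        # MAC tracking survives a DHCP lease change; IP tracking does not.
        return conn.src_mac.lower() if conn.rule.track_mac else conn.src_ip

    def login(self, conn, when_iso):
        """Record a successful forms log on from this connection's address."""
        self._last_logon[self._key(conn)] = datetime.fromisoformat(when_iso)

    def decide(self, conn, now_iso):
        """Return 'pass' or 'redirect-to-login' for a new connection."""
        now = datetime.fromisoformat(now_iso)
        if not conn.rule.captivate:
            return "pass"  # not a Captivate-enabled rule: passes immediately
        last = self._last_logon.get(self._key(conn))
        if last is None:
            return "redirect-to-login"          # address never authorized
        if now - last >= REAUTH_INTERVAL:
            return "redirect-to-login"          # 8-hour session expired
        daily_cutoff = datetime.combine(now.date(), DAILY_REAUTH_AT)
        if last < daily_cutoff <= now:
            return "redirect-to-login"          # today's 08:00 cutoff passed
        return "pass"


if __name__ == "__main__":
    guest_rule = Rule("Guest POP3/SMTP/HTTP/HTTPS", captivate=True, track_mac=True)
    policy = CaptivatePolicy()
    conn = Connection("10.0.1.20", "00:11:22:33:44:55", guest_rule)  # constructed
    print(policy.decide(conn, "2024-01-01T07:00"))   # redirect-to-login
    policy.login(conn, "2024-01-01T07:00")
    print(policy.decide(conn, "2024-01-01T07:30"))   # pass
    print(policy.decide(conn, "2024-01-01T08:00"))   # redirect-to-login (daily cutoff)
```

Run the file to walk through the cases; the daily cutoff is checked as a point in time between the last log on and the current request, so a user who logged on at 08:30 is not asked again until 16:30, while one who logged on at 07:00 is sent back to the form at 08:00.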
Now let’s create the Access Rule. Click the [B]Tasks[/B] tab in the Task Pane and then click the [B]Create Access Rule[/B] link. In the [B]Welcome to the New Access Rule Wizard[/B] page, enter a name for the rule in the [B]Access rule name[/B] text box. In this example we’ll name the rule [B]Guest POP3/SMTP/HTTP/HTTPS[/B].
Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0461218457016225.jpg[/IMG]
On the [B]Rule Action[/B] page, select the [B]Allow[/B] option and click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0481218457042772.jpg[/IMG]
On the [B]Protocols[/B] page, select the [B]Selected protocols[/B] option from the [B]This rule applies to [/B]drop down list. Then click the [B]Add[/B] button to add the [B]HTTP[/B], [B]HTTPS[/B], [B]POP3[/B] and [B]SMTP[/B] protocols.
Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0501218457042772.jpg[/IMG]
On the [B]Access Rule Sources[/B] page, click the [B]Add[/B] button to add the [B]Guest[/B] Network.
Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0521218457042787.jpg[/IMG]
On the [B]Access Rule Destinations[/B] page, click the [B]Add[/B] button and add the [B]External[/B] Network.
Click [B]Next[/B].
[IMG]http://www.isaserver.org/img/upl/image0541218457065490.jpg[/IMG]
On the [B]User Sets[/B] page, click the [B]Add[/B] button and add [B]All Users[/B].
[IMG]http://www.isaserver.org/img/upl/image0561218457065490.jpg[/IMG]
On the [B]Completing the New Access Rule Wizard[/B] page, click [B]Finish[/B].
[IMG]http://www.isaserver.org/img/upl/image0581218457065506.jpg[/IMG]
[h=2]Configure Captivate for the Firewall Rule[/h]
Now that we have our Access Rule, we need to configure Captivate for the rule so that the Captivate filter is invoked for connections that match the characteristics described in the rule.
Double click the new Access Rule and click the [B]Captivate [/B]tab. Put a checkmark in the [B]Enforce Captivate policy on this rule[/B]. Put a checkmark in the [B]Use different settings for this rule[/B] and change the parameters to those that you want for the rule. Put a checkmark in the [B]Track Physical (MAC) address instead of IP address[/B] checkbox to track the MAC addresses for your on-subnet wireless clients.
Put a checkmark in the [B]Change Advanced Settings[/B] checkbox and click the [B]Edit[/B] button to open the [B]Lua Script Editor[/B].
Now open Windows Explorer and go to the C:\Program Files\Microsoft ISA Server\Collective Software\Captivate\lua\examples folder and open the [B]Authenticate.lua[/B] file in Notepad. Copy the entire text of the file and paste it into the Lua script editor.
Click [B]Save[/B] in the [B]Lua Script Editor[/B] and click [B]OK[/B] in the [B]Properties[/B] dialog box for the rule.
[IMG]http://www.isaserver.org/img/upl/image0601218457088568.jpg[/IMG]
Click [B]Apply[/B] in the ISA firewall console to save the changes to the firewall configuration.
At this point our firewall policy should look like this:
[IMG]http://www.isaserver.org/img/upl/image0621218457088568.jpg[/IMG]
Now let’s see what happens. I open up the browser and instead of getting the browser’s home page, I’m redirected to the log on form, as seen in the figure below. I’ll enter my credentials and click [B]Log On[/B].
[IMG]http://www.isaserver.org/img/upl/image0641218457088568.jpg[/IMG]
After authenticating, you’ll see the dialog box informing you that you’re going to an unsecure page. That’s fine, since my home page isn’t a secure site.
[IMG]http://www.isaserver.org/img/upl/image0661218457111178.jpg[/IMG]
Bam! I get to the log on page for my Hotmail account.
[IMG]http://www.isaserver.org/img/upl/image0681218457111178.jpg[/IMG]
[/LEFT][/LTR][LEFT][SIZE=2]
[/SIZE][/LEFT]
[/LTR][/LTR]
[LEFT][URL="http://www.isaserver.org/tutorials/Authenticate-Guest-Users-Collective-Softwares-Captivate-Part1.html"]Authenticate Guest Users With Collective Software’s Captivate (Part 1)[/URL]
[URL="http://www.isaserver.org/tutorials/Authenticate-Guest-Users-Collective-Softwares-Captivate-Part2.html"]Authenticate Guest Users With Collective Software’s Captivate (Part 2)[/URL]
[/LEFT]