VIP Enterprise Gateway Installation And Configuration Guide


Table of Contents

- About VIP Enterprise Gateway
  - Preinstallation steps
- Hardware and software requirements
  - Prerequisites
    - Password and user information
  - VIP Enterprise Gateway Host
    - Windows platform
    - Linux platform
    - Browser requirements
  - User store
  - Logging and syslog
  - Client applications
- Installing the VIP Enterprise Gateway software
  - Preparing for installation
  - Installing VIP Enterprise Gateway on Windows
  - Installing VIP Enterprise Gateway on Linux
  - Updating VIP Enterprise Gateway
- Configuring VIP Enterprise Gateway
  - Signing in to the Configuration Console
  - Securing communications with the VIP authentication service
    - Configuring SSL certificates in VIP Enterprise Gateway
    - Restricting Transport Layer Security (TLS) protocols and weak ciphers
    - Adding Trusted CA Certificates
  - Configuring Console settings
    - Configuring HTTP proxy settings
    - Configuring Health Check Settings
    - Configuring Registration Email settings
    - Configuring SMTP Server settings
    - Configuring Automatic Business Continuity
  - Viewing configuration summary
- Configuring user stores
  - Multiple user stores configured with VIP Enterprise Gateway
    - Searching for users in VIP Enterprise Gateway configured with multiple user stores
  - Adding a user store
  - Advanced user store configurations
    - Managing connections
    - Modifying search criteria
    - Configuring optional attributes
  - Managing user groups and administrator groups in VIP Enterprise Gateway
    - Mapping users to VIP user groups
  - Resetting the expired Active Directory password
- Configuring the Validation Service
  - Validation Service Prerequisites
  - Support for out-of-band authentication
  - Authentication modes
    - User ID - Security Code
    - User ID - Access PIN - Security Code
    - User ID - LDAP Password - Security Code
    - User ID - LDAP Password - Security Code (RADIUS Access Challenge Mode)
    - Authenticating users using VIP Access Push
  - Adding a Validation server
    - Adding a Validation server from a pre-defined configuration template
    - Customizing a RADIUS Validation server
      - Setting the basic server information
      - Configuring Radius Access Challenge
      - Enabling VIP Push authentication
      - Enabling first-factor authentication
      - Configuring the user store
      - Enabling Business Continuity
      - Enabling delegation
  - Changing the password encoding format on Linux platform
  - About tunnel forwarders and receivers
    - Adding tunnel forwarders
    - Adding tunnel receivers
    - Starting and stopping a tunnel forwarder or tunnel receiver
  - Health monitor for Validation server
- Configuring administrators in VIP Enterprise Gateway
  - Configuring VIP Administrators
  - Allowing Console Administrators to sign in using their enterprise credentials
- Configuring the Self-Service Portal IdP and My VIP IdP
  - Configuring the Self Service Portal IdP
    - Configuring out-of-band authentication
    - Supported languages
    - Password management support for Self Service Portal
      - Out-of-band authentication for password management
      - Reset your expired password
  - Enabling the My VIP IdP
  - Alternative IdP to access the Self Service Portal and VIP Manager
  - Testing the Self Service Portal IdP
  - Self Service IdP Proxy
    - Publishing Self Service IdP as a reverse proxy
    - Trusted Service Access settings
  - Configuring VIP Manager IdP
  - Troubleshooting Self Service Portal
- Configuring LDAP Directory Synchronization with VIP Enterprise Gateway
  - Using LDAP Directory Synchronization Service to synchronize user stores to the VIP Service
  - Configuring multiple instances of LDAP Directory Synchronization Service
    - Use Case 1: Supporting load-balancing and failover
    - Use Case 2: Synchronizing disparate user stores independently from different VIP Enterprise Gateway servers
    - Use Case 3: Synchronizing users created through third-party Identity Provider for Self Service Portals
    - Example configuration of multiple instances of the LDAP Directory Synchronization Service
  - Configuring the LDAP Synchronization Service from the Configuration Console
  - Recommended best practices for LDAP Directory synchronization
- Testing the VIP Enterprise Gateway installation
  - Verifying component installation
  - Verifying the RADIUS client
    - Example vsradiusclient test commands
  - Verifying overall operation
- Starting and stopping VIP Enterprise Gateway
  - Automatically restarting VIP Enterprise Gateway services on Linux
    - Configuring VIP Enterprise Gateway services for autostart at restart on Linux
    - Using a crontab to automatically restart VIP Enterprise Gateway services on Linux
      - Example crontab file
- Uninstalling VIP Enterprise Gateway 9.9
  - Uninstalling on Windows
  - Uninstalling on Linux
- Rolling back VIP Enterprise Gateway 9.9
- Configuring VIP Enterprise Gateway logging
  - Legacy log format
    - Messages
    - Logging detail levels
  - VIP Enterprise Gateway logging options
    - Logs tab
    - VIP Enterprise Gateway components
    - Validation server logging
    - Configuration Console logging for administrator events
      - Configuration Console AUDIT log format to capture configuration changes
    - IdP service
    - LDAP Directory Synchronization
  - Syslog logging
    - Configuring syslog
- Exporting and importing configuration settings
  - Importing configuration settings
    - Limitations of importing the configuration settings
    - General import configuration settings
- Default ports and protocols
  - Restricted ports
- VIP Enterprise Gateway Utilities
  - Using the packTrustCA utility
  - Using the vipdiagnostic utility
- Troubleshooting
  - Updating the IP Address or subnet for a VIP Enterprise Gateway computer
- Copyright Statement

About VIP Enterprise Gateway

The VIP authentication service lets you authenticate any user on any network through a two-factor authentication process. In today's security-conscious environment, traditional user name and password approaches are increasingly recognized as insufficient to address the needs of enterprises. With the VIP authentication service, users can access secured resources through a two-factor authentication process. This method of accessing resources eliminates the security problems that are associated with the use of passwords alone.

While seemingly free, passwords impose hidden costs of insecurity and management. Users may forget or compromise their passwords easily. Passwords can be compromised in a number of ways: they can be sniffed on the network or recorded by keystroke loggers, discovered jotted on a notepad, or extracted from unwary employees through social engineering scams or phishing email campaigns.

Symantec VIP Enterprise Gateway enables your organization's employees and associates to use the strong authentication capabilities that Symantec VIP Services provides. VIP also allows access to the enterprise directory of authentication credentials.

VIP Enterprise Gateway provides RADIUS-based authentication servers (Validation servers) that you can use with most enterprise-level network infrastructures that provide Remote Access Services such as VPNs, firewalls, and application reverse proxies. Additionally, VIP Enterprise Gateway provides plug-in options that you can use to integrate your enterprise-level applications and access management software with the VIP Authentication framework.

VIP Enterprise Gateway provides Identity Providers (IdPs) for the My VIP portal, Self Service Portal (SSP), and VIP Manager portal that the VIP Services host. The VIP Manager Portal IdP enables your organization's IT Administrators to authenticate to VIP Manager using their LDAP user name and password and manage the VIP Account. The SSP IdP enables employees and associates to register or un-register their VIP credentials by authenticating with their enterprise directory authentication credentials.

Once VIP Enterprise Gateway is installed, you configure VIP Enterprise Gateway and its components, and the Validation server.

NOTE
For more information on VIP implementation, refer to the Symantec VIP Enterprise Authentication Deployment Guide, available online at the Broadcom TechDocs portal.

Preinstallation steps

To ensure a smooth installation of VIP Enterprise Gateway, complete these preinstallation steps:

Step 1: Confirm your VIP authentication service account information.
After your representative sets up an account for you, your designated Technical Contact receives a VIP authentication service account activation email. This email confirms that your contact information is correct. If you are unsure who your Technical Contact is, contact Customer Support.
After your purchase is processed, access VIP Manager to obtain the VIP Enterprise Gateway software and VIP certificate.

Step 2: Acquire and install hardware and software.
Acquire the hardware and associated software you need to work with VIP Enterprise Gateway. Ensure that your system meets the minimum hardware and software requirements. See Hardware and software requirements.

Step 3: Review the Symantec VIP Enterprise Authentication Deployment Guide.
Before you install and configure VIP Enterprise Gateway and its components, Symantec recommends that you read the Symantec VIP Enterprise Authentication Deployment Guide, available online at the Broadcom TechDocs portal. This guide helps you understand the Symantec VIP authentication service.

Hardware and software requirements

This section lists the VIP Enterprise Gateway hardware and software requirements by component type. Before you begin the installation, make sure that you meet the prerequisites. See Prerequisites.

You need to install the following on your servers:
- VIP Enterprise Gateway Host
- User store
- Logging and syslog
- Client applications

Prerequisites

Before you begin, you need to have the following:
- Configuration Console administrator passwords and appropriate user rights. See Password and user information.
- Hardware and software that meet the requirements. See Hardware and software requirements.
- A properly functioning Domain Name System (DNS). This requirement is essential to configure Active Directory as a user store with VIP Enterprise Gateway.

You should also identify the client applications to integrate with VIP Enterprise Gateway. See Client applications.

Password and user information

You need the following to complete the installation process:
- Sign-in information for the administrator of the VIP Enterprise Gateway configuration. Your administrator needs a user name and password to access VIP Enterprise Gateway.
- User rights. You need users with the rights to access the VIP Enterprise Gateway components described in Table 1: Users and rights.

Table 1: Users and rights

Component: User store
User/Right: For AD-based user stores, the user must have domain user privileges. For LDAP-based user stores, the user must have search privileges on the subtree for the given search base.

Component: VIP Enterprise Gateway host
User/Right: Root access on Linux, and local computer Administrator group access on Windows.

VIP Enterprise Gateway Host

VIP Enterprise Gateway is supported on the following hardware and software:

- Windows platform
- Linux platform
- Browser requirements
- User store
- Logging and syslog
- Client applications

These requirements also apply if you install VIP Enterprise Gateway in a virtual environment. Do not run any non-VIP Enterprise Gateway processes or servers on this host.

Windows platform

Table 2: Requirements for the Configuration Console host on Windows

Minimum Hardware Requirements:
- Intel or Intel-compatible 64-bit architecture
- 8 GB RAM
- 40 GB disk space

Software Requirements:
One of the following operating systems:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2 x64
- Windows Server 2008 R2 x64 (Service Pack 1)
The Health Check Service also requires Microsoft .NET Framework 4.0 or later.

Linux platform

Table 3: Requirements for the Configuration Console host on Linux

Minimum Hardware Requirements:
- Intel or Intel-compatible 64-bit architecture
- 8 GB RAM
- 40 GB disk space

Software Requirements:
One of the following operating systems:
- RHEL 7.7 (64-bit)
- RHEL 7.6 (64-bit)
- RHEL 7.5 (64-bit)
- RHEL 7.4 (64-bit)
- RHEL 6.10 (64-bit)
- RHEL 6.8 (64-bit)
Install the following supported GNU C (glibc) 32-bit libraries:
- RHEL 7.x: glibc 2.17 or later
- RHEL 6.x: glibc 2.16 or later
Note: The glibc versions mentioned in this table are examples only. For more information on the supported glibc versions, refer to the product documentation of the respective RHEL version.
For VIP Enterprise Gateway 9.9: Install zlib-1.2.7 or later.

Browser requirements

The following supported browsers can be used to access the Configuration Console:
- Microsoft Internet Explorer versions 10.0 and 11.0, and Edge
- Firefox version 69
- Chrome version 77

NOTE
If you want to use Internet Explorer to access the Configuration Console, you must disable Internet Explorer Enhanced Security Configuration (IE ESC).

User store

VIP Enterprise Gateway supports LDAP user stores. You may use one or more LDAP directories as user stores, but they must be one of the following:
- Windows Active Directory 2019
- Windows Active Directory 2016
- Windows Active Directory 2012 R2
- Windows Active Directory 2012
- Windows Active Directory 2008 R2
- Windows Active Directory 2008
- Novell eDirectory 8.8 Service Pack 8
- OpenLDAP 2.4.44
- Oracle Directory Server Enterprise Edition 11.1.1.7.0
- Oracle Virtual Directory (OVD) 11.1.1.9.0 mapped with Microsoft Active Directory (AD) as a back-end user store

Logging and syslog

By default, VIP Enterprise Gateway writes logs to standard log files. You can also configure VIP Enterprise Gateway to use syslog to write logs to a syslog server. See:
- About VIP Enterprise Gateway logging
- Configuring syslog

Client applications

VIP Enterprise Gateway is compatible with the client application integration modules. For more information on these modules, refer to the VIP third-party integration guides, available online at the Broadcom TechDocs portal.

Installing the VIP Enterprise Gateway software

Complete the following general steps to install the VIP Enterprise Gateway software:

Table 4: Software installation steps

Step 1: Prepare for the installation
Resource: Preparing for installation

Step 2: Install the VIP Enterprise Gateway software
Resource: See the appropriate section:
- Installing VIP Enterprise Gateway on Windows
- Installing VIP Enterprise Gateway on Linux

Alternatively, see Updating VIP Enterprise Gateway for instructions on upgrading your VIP Enterprise Gateway software.

Preparing for installation

Complete the fol
