
Iron Networks Blog


Adding OTP Authentication to the UAG DirectAccess Deployment

DirectAccess is a seamless way to connect to company resources without dialing in or logging on to any other server. The default DirectAccess configuration uses Kerberos and certificates to build IPsec tunnels for a secure connection. So, how does it work? The user connects their Windows 7 machine to the internet, and the machine establishes the first IPsec tunnel, called the “Infrastructure Tunnel,” with the DirectAccess server. When the user logs in with their domain credentials, the client machine obtains a Kerberos ticket from the domain controller over that first tunnel and, together with the computer certificate, uses it to build a second IPsec tunnel called the “Intranet Tunnel.” For some companies, authenticating with certificates and Kerberos alone is less secure than recommended or ideal. Since the release of UAG SP1, you can optionally require smartcard or one-time password (OTP) authentication in addition to the default Kerberos and certificate authentication. What’s new in SP1? See http://technet.microsoft.com/en-us/library/gg295322.aspx to find out more.

How can you configure UAG DirectAccess to use OTP authentication?

You may use any of the OTP authentication solutions available on the market, but the one we have tested with our appliances and highly recommend is the Gemalto Strong Authentication (SA) server. Gemalto is one of the largest manufacturers of smart cards and OTP tokens, and its SA server has been fully tested with our appliances. Please contact our sales team for more information about the Gemalto appliance, or see http://www.nappliance.com/products/NetGateway-nGSA.asp for details.

We aren’t including information on how to configure Gemalto in this post. Please contact our sales to book an appointment with our professional services personnel to help you configure Gemalto OTP with your existing DirectAccess solution.

Assuming that the Gemalto SA Server is configured and ready to be used, we will go ahead and configure the UAG DirectAccess server to use the OTP server as its authentication server.

On the Client Authentication page of the Forefront UAG DirectAccess Configuration Wizard, select whether you want to use two-factor authentication. You can require the use of OTP for access to the intranet. Forefront UAG DirectAccess OTP access control is based on the existence of user and workstation certificates on the DirectAccess client. The IPsec rules require that the DirectAccess client has a certificate from a designated CA server in order to gain access to the intranet.

A client acquires these certificates by supplying its OTP credentials through the DirectAccess Connectivity Assistant (DCA) client software, or by entering them when prompted by an automatically created OTP web portal (trunk). If authentication succeeds, the Forefront UAG DirectAccess server enrolls two certificates from the designated CA on behalf of the user and the workstation and returns them to the DCA, which uses the DCA service to install them on the DirectAccess client computer.

In the two-factor authentication configuration menu select the method of authentication. In this case, it’s OTP authentication:


Add the Gemalto repository. It’s a simple RADIUS authentication.


Then, select a dedicated Enterprise Root CA to issue the required certificates to client machines on a successful authentication.


You may export the script or just click ‘Apply’ to configure the certificate authority with the required set of templates and settings.


Finish and re-apply the DirectAccess policies.
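The RADIUS hop between the DirectAccess server and the OTP server described above (the Gemalto repository step and the enrollment flow), modelled as an added example that is not code from this post or from Gemalto: it builds the RFC 2865 Access-Request that carries the user's OTP with the standard User-Password hiding, and the check the RADIUS client (the DirectAccess server) should make before treating an Access-Accept as a successful OTP validation. The shared secret, user name, OTP value and NAS-Identifier are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types. The shared secret, user name,
# OTP value and NAS-Identifier used with these functions are constructed.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def attr(atype, value):
    """One attribute as Type, Length, Value; Length counts its 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous block), seeded by the Request Authenticator.
    Obfuscation only: whoever holds the shared secret recovers the OTP."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def build_access_request(ident, user, otp, secret, request_auth):
    """Access-Request as the DirectAccess server (the RADIUS client/NAS) sends it."""
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, request_auth))
             + attr(ATTR_NAS_IDENTIFIER, b"uag-directaccess"))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, request, secret, attrs=b""):
    """OTP server reply; Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def accepted(response, request, secret):
    """NAS-side check: count the reply as a successful OTP validation only if it is
    an Access-Accept, matches the outstanding request ID, and its Response
    Authenticator verifies under the shared secret (rejects forged or stray replies)."""
    if len(response) < 20 or response[1] != request[1] or response[0] != ACCESS_ACCEPT:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because the password hiding is MD5 obfuscation under the shared secret rather than encryption, the RADIUS link between the DirectAccess server and the OTP server belongs on a protected segment or inside IPsec, and the shared secret deserves the same handling as any other credential.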

OTP authentication provides a superior level of security because it makes it difficult for someone to get into the network and access resources without the OTP PIN. For example, if someone’s laptop is stolen, the thief would also have to steal the laptop user’s OTP token. Without the OTP token, the thief can only access the local resources on the laptop, and only if they know the password.

For more information on engaging professional services to deploy OTP authentication on your existing DirectAccess servers, or if you want to deploy a DirectAccess solution for your users, please contact us: http://nappliance.com/aboutus/contactus.asp.

Cheers
Inderjeet


Copyright © 2024 Iron Networks, Inc. All Rights Reserved.