To review the first article in the series you can view it here.
- This posting is provided "AS IS" with no warranties, and confers no rights.
- This is a lab entry. It is only meant to show the reader one method for this integration and to provide a how to guide on setting it up.
- It's not meant for production design and does not address things like high availability or separation of duties.
- Production designs require planning for people, process and technology.
- Symantec VIP is a registered trademark of Symantec.
- The versions of software used in this guide are supported as of 2018. There is no guarantee that future versions of the software released by the vendors will be compatible with this integration. It's always best practice to validate new versions of software.
Now that the disclaimers are out of the way, let's get started.
- Obtain a VIP Manager account
- You need this to configure VIP Authentication, download Symantec Enterprise Gateway, and download documentation.
- Obtain a Centrify tenant
- You need this to configure Centrify Identity Platform and download the Centrify Connector. You can obtain a free trial for Centrify Application Services or Centrify Infrastructure services here.
- A smartphone for testing
- You need this to download the Symantec VIP Authenticator application and to register it with Symantec VIP.
- A Windows 2012 R2 server
- You need this to download and install the Symantec Enterprise Gateway and the Centrify Connector, which will connect your on-premises Active Directory users with the respective SaaS identity platforms.
This article focuses on the configuration of Symantec VIP to take over "MFA" authentication for the Centrify platform policies and assumes that you have familiarity with Symantec VIP Access Manager and the Centrify Identity Platform. It does not go into detail on how to set up the Centrify platform or Symantec VIP because there are other blogs and documentation that cover these topics.
The high level architecture for this setup is as follows:
The high level flow diagram for this setup is as follows:
The diagram above shows the Centrify and Symantec SaaS based identity platforms, the Centrify Connector, the Symantec Enterprise Gateway, and Active Directory as the main components used. The flow for this use case is as follows:
- The end user logs into the Centrify Portal or Centrify protected application/resource.
- Centrify will determine via policy that the user needs to be challenged for MFA by the Symantec VIP platform.
- The Centrify Connector will pass the authentication request to the Symantec Enterprise Gateway using RADIUS.
- Symantec Enterprise Gateway will leverage the VIP cloud service to authenticate the user with her VIP soft token.
- The VIP service will authenticate the VIP token code and send the result to Symantec Enterprise Gateway.
- Symantec Enterprise Gateway will pass the result back to the Centrify Connector.
- If MFA is successful, the Centrify Connector will then authenticate the user's AD credentials as per authentication policy.
- AD will verify the user's credentials and send the result to the Centrify connector.
- The Centrify connector will pass the result back to the web application or resource server.
- Centrify will confirm the result and redirect the user appropriately.
- This configuration does not take into account high availability.
- The Active Directory LDAP authentication can be performed by Symantec VIP or Centrify but I have configured Centrify to perform the AD authentication so that we can challenge for MFA first, AD authentication second.
Setting up Symantec VIP Manager:
The first step is to set up the cloud-based VIP Manager.
- Log in to VIP Manager with your credentials and VIP credential.
- Download the Enterprise Gateway installation bits and install guide.
- Download the Enterprise Gateway to the Windows server where your Centrify Connector is running, or to a server from which it can communicate with the Centrify Connector using RADIUS. We will come back to the Enterprise Gateway in a bit, but for now let's finish setup in VIP Manager.
Next we're going to create a test user. Note that the user ID is the email address because this is how we will later look up the user for AD validation. Also note that you need to download and register a Symantec VIP soft token credential for this user.
- Create a test user (RADIUS, with the email address as the user ID) and register a VIP credential for that user.
- Next you need to create a VIP certificate to establish a trusted connection between Enterprise Gateway and Symantec VIP.
- Click on the Account tab at the top of the screen and then select "Manage VIP Certificates".
- Next, create a new certificate by clicking on "Request a Certificate". This certificate will be needed on the Enterprise Gateway in order to establish a secure connection with VIP Manager.
- Our next step is to install Enterprise Gateway. I won't repeat the instructions here as they are covered by a couple of blogs. Run the setup wizard to install the Enterprise Gateway software to run as a Windows service.
- Next you need to log in to Enterprise Gateway (once it is launched in a web browser). Once Enterprise Gateway is running, you need to configure the VIP certificate to secure communications to VIP Manager, and you need to create a RADIUS validation server to accept RADIUS connections from the Centrify Connector (in this case, it will be running on the same server).
- The screenshot below shows where you need to add the VIP certificate that you downloaded in the last step:
- Create a RADIUS validation server
- We now create a RADIUS validation server (i.e. a RADIUS client). Give it a server name and the server IP, and make sure the port and shared secret are set up correctly. The rest of the options can be left at their defaults for this simple test.
- Once this is set up, we need to test the validation server with the VIP RADIUS tool. Symantec includes a nice test tool (NTRadPing works too) to help you double check that your RADIUS connectivity is all set up.
- The Symantec RADIUS tool is located in the Enterprise Gateway files under the tools directory. The syntax shown below tests connectivity to the Enterprise Gateway acting as the RADIUS server.
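As an added example (not part of the original post, and not Symantec's tool or NTRadPing), the following standard-library Python script does what the connectivity test above does: it sends one PAP Access-Request to the Enterprise Gateway and checks the Response Authenticator, so a shared-secret mismatch shows up as "bad-authenticator" rather than a silent reject. The host, port, secret, user ID and VIP passcode are assumed parameters you supply from your own lab.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # attribute types (RFC 2865 section 5)

def attribute(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_user_password(password, secret, authenticator):
    """PAP hiding (RFC 2865 5.2): pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.encode().ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_packet(code, identifier, authenticator, attrs):
    """Header (Code, Identifier, Length, Authenticator) followed by the attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def response_authenticator(response, request_authenticator, secret):
    """Value a server that knows our shared secret must place in its reply header."""
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret.encode()).digest()

def check_response(response, request_authenticator, secret):
    """'accept', 'reject', or 'bad-authenticator' when the reply was not signed with our secret."""
    if response_authenticator(response, request_authenticator, secret) != response[4:20]:
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")

def radius_ping(host, port, secret, username, password, timeout=5.0):
    """Send one Access-Request (user ID plus VIP passcode as the PAP password) and classify
    the reply; 'timeout' usually means a wrong port, a firewall, or an unknown client address."""
    authenticator = os.urandom(16)
    packet = build_packet(ACCESS_REQUEST, 1, authenticator, [
        attribute(USER_NAME, username.encode()),
        attribute(USER_PASSWORD, encode_user_password(password, secret, authenticator)),
    ])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return check_response(reply, authenticator, secret)
```

Call it as `radius_ping("127.0.0.1", 1812, "<shared secret>", "user@example.com", "<VIP passcode>")` from the server that is registered as the RADIUS client; only the result of `check_response` tells you whether the Enterprise Gateway actually validated the passcode.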
Once this works, you are in good shape. The only thing left to do is to set up Centrify to act as the RADIUS client to the Enterprise Gateway. I will cover this in my next blog here.
If the test above did not work, make sure the ports are correct, the shared secrets are correct, firewalls are open on the appropriate ports, and you are testing with the right username/password and Symantec VIP credential.
This concludes part II of this blog. In the next article, I will go through the setups on the Centrify Portal to complete the setup.
To review part I of this article go here.