This article is the second part of a series to show how to integrate Symantec VIP with the Centrify Identity Platform. Part II will cover the following:
- Pre-requisites for setting up the test environment
- High-level architecture of the solution
- Configure Symantec VIP Manager hosted service
- Install Symantec Enterprise Gateway on our Windows Server
- Establish Trusted communications between the Enterprise Gateway and the Symantec VIP Manager service
- Configure a RADIUS validation server to listen to RADIUS requests
- Test the RADIUS validation server to ensure it fulfills the RADIUS requests sent to it.
The first part of this series discussed the value of this integration and walked through the end-user experience at a high level. You can review the first article in the series here.
Let's start configuring a test environment so you can try this out yourself.
- This posting is provided "AS IS" with no warranties and confers no rights.
- This is a lab entry. It is only meant to show the reader one method for this integration and to provide an informal how-to guide on setting it up.
- It's not meant for production design and does not address things like high availability and separation of duties.
- Production designs require planning for people, process and technology.
- Symantec VIP is a registered trademark of Symantec.
- The versions of software used in this guide are supported as of 2018. There is no guarantee that future versions of the software released by the vendors will be compatible with this integration. It's always best practice to validate new versions of the software through official support channels.
Now that the disclaimers are out of the way, let's get started.
- Obtain VIP Manager Account
- You need this to configure VIP Authentication, download Symantec Enterprise Gateway, and download documentation.
- Obtain Centrify tenant
- You need this to configure Centrify Identity Platform and download the Centrify Connector. You can obtain a free trial for Centrify Application Services or Centrify Infrastructure services here.
- A SmartPhone for Testing
- You need a smartphone to download the Symantec VIP Authenticator application and to register it with Symantec VIP.
- A Windows Server 2012 R2 system
- You need this system to download and install the Symantec Enterprise Gateway and the Centrify Connector. It should be a domain-joined server, which lets the Centrify Connector reach your on-premises Active Directory to perform user authentication. The server also needs outbound HTTPS access to the respective Symantec VIP and Centrify hosted services. Details of ports and settings can be found in each vendor's documentation.
- Microsoft Active Directory Environment
- You will need a test Active Directory environment to follow along with the example below. I am using domain functional level 2012 R2. Note that this process can be accomplished with any LDAP directory.
This article focuses on configuring Symantec VIP to provide MFA (multi-factor authentication) for Centrify platform policies and assumes that you are familiar with Symantec VIP Manager and the Centrify Identity Platform. It does not go into detail on how to set up the Centrify platform or Symantec VIP, because plenty of public documentation already covers those topics.
The high-level flow diagram for this setup is as follows:
The diagram above shows the Centrify and Symantec SaaS-based identity platforms, the Centrify Connector, the Symantec Enterprise Gateway, and Active Directory as the main components used in this example. The flow for this use case is as follows:
- The end user logs into the Centrify Portal or Centrify protected application/resource.
- Centrify will determine via policy that the user needs to be challenged for MFA by the Symantec VIP platform.
- The Centrify Connector will forward the authentication request to the Symantec Enterprise Gateway using RADIUS.
- Symantec Enterprise Gateway will use the VIP cloud service to authenticate the user with her VIP soft token.
- The VIP service will authenticate the VIP token code and send the result to Symantec Enterprise Gateway.
- Symantec Enterprise Gateway will pass the result back to the Centrify Connector.
- If MFA is successful, the Centrify Connector will then authenticate the user's AD credentials as per authentication policy.
- Active Directory will verify the user's credentials and send the result to the Centrify connector.
- The Centrify connector will pass the result back to the web application or resource server.
- Centrify will confirm the result and redirect the user appropriately.
- This configuration does not take into account high availability.
- The Active Directory LDAP authentication can be performed by Symantec VIP or Centrify but I have configured Centrify to perform the AD authentication so that we can challenge for MFA first through Symantec VIP, and AD authentication second with Centrify.
Setting up Symantec VIP Manager:
The first step is to set up the cloud-based VIP Manager.
- Log in to VIP Manager with your credentials and your VIP credential.
- Download the Enterprise Gateway installation package and the installation guide.
- Download the Enterprise Gateway package to the Windows Server where your Centrify Connector is running, or to a server that the Centrify Connector can reach over RADIUS. We will come back to the Enterprise Gateway in a bit, but for now, let's finish the setup in VIP Manager.
Next, we're going to create a test user. Note that the user ID is the email address, because that is the value we will later use to look up the user for AD validation. Also note that you need to download and register a Symantec VIP soft-token credential for this user.
- Create a test user (RADIUS - email address) with an email address and register a VIP credential.
Next, you need to Create a VIP Certificate to establish a trusted connection between Enterprise Gateway and Symantec VIP.
- Click on the Account Tab at the top of the screen and then select “Manage VIP Certificates”
- Create a new Certificate by clicking on “Request a Certificate”. This certificate will be needed on the Enterprise Gateway in order to establish a secure connection with the VIP manager.
- Our next step is to install Enterprise Gateway. Symantec provides detailed instructions in this document. It's also relatively easy to click through without reading the documentation.
- Run the setup wizard to install the Enterprise Gateway software to run as a Windows Service.
- Next, log in to the Enterprise Gateway console once it opens in a web browser.
- Once Enterprise Gateway is running, you need to configure the VIP certificate to secure communications to VIP Manager.
- The screenshot below shows where you add the VIP certificate that you requested and downloaded from VIP Manager above. This establishes mutually authenticated (trusted) communication between your Enterprise Gateway and your Symantec VIP service.
Create a Radius Validation Server
- We need to create a RADIUS validation server object in Symantec Enterprise Gateway to accept RADIUS connections from a RADIUS client. This is a key step because the Symantec RADIUS validation server will be listening for authentication requests from the RADIUS client. The Centrify Connector will be the RADIUS client we set up in the next blog article. Refer back to the architecture diagram at the beginning for a visual reminder of how this works if you're getting lost.
- Create a RADIUS validation server object as shown below. You need to define where the RADIUS authentication requests will come from and where the validation server listens: the server name that the RADIUS requests will come from, the server IP, an open port (RADIUS authentication uses UDP, port 1812 by default), and a shared secret. Choose a long, random shared secret; it is the only thing protecting the RADIUS exchange between the client and the validation server. Note: We will use this information in the next blog article when we tell the RADIUS client where to send its authentication requests. The rest of the options can be left at their defaults for this simple test.
- Once this is set up we need to test the validation server. Symantec includes a nice test tool to help you double-check that your RADIUS connectivity is set up correctly.
- The Symantec RADIUS tool is located in the Enterprise Gateway files under the tools directory. The syntax shown below tests connectivity to the Enterprise Gateway acting as the RADIUS server.
- Note: You can also use NTRadPing which is a great tool to test RADIUS client-server communication.
Once the RADIUS validation test works, you are in good shape: the Symantec Enterprise Gateway RADIUS validation server is listening, accepting authentication requests, and fulfilling them. The only thing left is to set up the Centrify Connector as the RADIUS client of the Enterprise Gateway.
Note: If the test above did not work, check that the port and shared secret match on both ends, that firewalls allow the RADIUS UDP port, and that you are testing with the right username/password and a registered Symantec VIP credential.
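To make the test step concrete, here is an added example of a minimal RADIUS test client in Python; it is not Symantec's RADIUS tool, NTRadPing, or code from the original post. It builds an Access-Request the way RFC 2865 specifies, hides the password with the shared secret, and verifies the Response Authenticator on the reply, so a wrong shared secret or a forged reply is reported instead of silently passing. The host eg.lab.example, port 1812, the shared secret, the user and the security code are placeholders you replace with the values from your validation server object; the example assumes the validation server accepts PAP and that the User-Password attribute carries the VIP security code for the lab user. Only the __main__ block needs network access to the Enterprise Gateway; the packet-building and verification functions run offline.

```python
# Added example: stdlib-only RADIUS (RFC 2865) PAP test client.
# Placeholders: eg.lab.example, 1812, the shared secret, the user and the security code.
import hashlib
import hmac
import os
import socket
import struct

# Packet codes (RFC 2865 section 3) and the attribute types used here (section 5)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret, password, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    This is obfuscation keyed by the shared secret, not encryption: a captured
    packet plus a guessed secret reveals the password, hence the long-secret advice."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret, hidden, request_authenticator):
    """Inverse of hide_password: what the validation server does on receipt."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, nas_ip, identifier, request_authenticator):
    """Code + Identifier + Length + 16-byte Request Authenticator + attributes."""
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(secret, password.encode(), request_authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def build_response(secret, code, identifier, request_authenticator, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def parse_attrs(data):
    """Split the attribute region into (type, value) pairs, rejecting malformed lengths."""
    attrs = []
    while data:
        length = data[1] if len(data) > 1 else 0
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:length]))
        data = data[length:]
    return attrs


def check_response(secret, identifier, request_authenticator, data):
    """Verify a reply before trusting its code; returns (code, attributes)."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if ident != identifier:
        raise ValueError("identifier mismatch: stale or unsolicited reply")
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs = data[20:length]
    expected = hashlib.md5(data[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, data[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, parse_attrs(attrs)


def radius_auth(host, port, secret, username, password, nas_ip="127.0.0.1", timeout=5.0):
    """Send one Access-Request over UDP and return the verified reply code."""
    identifier, request_authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(secret, username, password, nas_ip, identifier, request_authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # no reply at all usually means wrong IP/port or a firewall
        sock.sendto(packet, (host, port))
        data, _ = sock.recvfrom(4096)
    return check_response(secret, identifier, request_authenticator, data)[0]


if __name__ == "__main__":
    # Placeholder values: Enterprise Gateway host/port and the validation server's shared
    # secret; the user is the VIP user ID (email) and the password is the VIP security code.
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
    code = radius_auth("eg.lab.example", 1812, b"replace-with-a-long-random-secret", "user@example.com", "123456")
    print(names.get(code, "unexpected code %d" % code))
```

A timeout means the request never reached a listener (wrong IP or port, or a firewall), while a "Response Authenticator mismatch" means the gateway answered but the shared secret differs from the one in the validation server object; those are the two failure modes the troubleshooting note above describes, and separating them saves guesswork.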
This concludes part II of this blog. As a review, we completed the following:
- Covered the Pre-requisites for setting up the test environment
- Provided a High-level architecture of the solution
- Configured Symantec VIP Manager hosted service
- Installed Symantec Enterprise Gateway on our Windows Server
- Established Trusted communications between the Enterprise Gateway and the Symantec VIP Manager service
- Configured a RADIUS validation server to listen to RADIUS requests
- Tested the RADIUS validation server to ensure it fulfills the RADIUS requests sent to it.
In the next article, I will go through the steps on the Centrify Portal to complete the setup.
You can find the next article (part III) in this blog here.
To review part I of this article go here.