Wednesday, September 2, 2009

RSA SecurID Ready Implementation Guide Exchange 2007 ISA Server 2006

I spent quite a bit of time getting this working (-: and figured out that the official published guide needs serious updates, which I addressed in all the previous articles; here I am putting a summary together.

Anyway, if you are planning to implement RSA in your environment, reading the previous articles will save you tons of headache, trust me (-: I learned the hard way and, as always, don't want anyone to go through the same path, hence I am sharing the missing parts of this document with you. OWA is already standard for most government sites and two-factor authentication is the way to go for most remote access scenarios. First, download the official RSA implementation guide from here

image 

Now you will need to click here to get it

image

Now you are ready to move on; pay attention to the steps below.

  • After downloading SDTEST.exe, make sure you get it to work before you start messing with the ISA server or Exchange server; if SDTEST won't succeed you will waste your time!!!
  • Ask your RSA administrator to follow the steps in the RSA guide and make sure you have the sdconf.rec file

image

Once you have this file, copy it to the following directories on the ISA servers:

  • Windows\System32 folder
  • C:\Program Files\Microsoft ISA Server\sdconfig folder

On the ISA server, if you have two legs (network interfaces) as below,

image

make sure you add a static route so that the test utility is able to talk to the RSA servers.

Issue route print and check the routing table:

  • 172.26.7.197: gateway for the internal network
  • 172.26.114.202: ISA server IP

route add 172.26.114.202 mask 255.255.255.255 172.26.7.197 -p

image 

  • Add the following String Value registry entry on each ISA array member, then restart "wspsrv.exe":

  • PrimaryInterfaceIP
  • HKEY_LOCAL_MACHINE\Software\SDTI\AceClient
  • where the string value of PrimaryInterfaceIP is the IP address assigned to the interface that communicates with the RSA server

image

image

  • After restarting the Firewall service, test once more: bingo, it works

image

  • Before we move on, copy the local node secret SECURID file from system32 into the SDConfig folder.
  • SECURID from <windir>\system32 to …\Microsoft ISA Server\sdconfig
  • On each ISA Server, run the SDTEST.EXE utility. This utility allows you to test user authentication from an Agent Host to the RSA Authentication Manager server. Upon a successful user authentication, the Node Secret file (SECURID) will be created in the <windir>\system32 folder

image

  • Read this to understand why you just did the above (-:
  • The SDTEST Authentication Utility is used to verify that a computer running ISA Server can authenticate to a computer running RSA Authentication Manager. Note the following: SDTEST.EXE requires SDCONF.REC to be located in the …\system32 folder to run and test authentication successfully. However, for ISA Server to successfully authenticate to the RSA server, SDCONF.REC must be located in the …\Microsoft ISA Server\sdconfig folder. Also note that SDTEST.EXE does not require a Node Secret to authenticate, but the ISA Server does require a Node Secret to authenticate.
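As an added preflight check (an example written for this summary, not part of the original post or of RSA's documentation), the following PowerShell script verifies the items above on an ISA server: sdconf.rec in both folders, the SECURID node secret copied into sdconfig, PrimaryInterfaceIP set to an address actually bound to the box, and the persistent route present. The default paths, registry key and addresses are the ones quoted in this article; adjust them for your environment.

```powershell
# Added preflight check (example, not from the original post or from RSA):
# verifies the ISA-side prerequisites this article walks through.
# Defaults are the paths, key and addresses quoted in the article; adjust for your site.
param(
    [string]$IsaDir    = 'C:\Program Files\Microsoft ISA Server\sdconfig',
    [string]$RouteDest = '172.26.114.202',   # destination in the article's "route add"
    [string]$RouteGw   = '172.26.7.197'      # internal-network gateway in the article
)
$sys32  = Join-Path $env:windir 'System32'
$regKey = 'HKLM:\SOFTWARE\SDTI\AceClient'
$script:failed = $false

function Check([bool]$ok, [string]$msg) {
    if ($ok) { Write-Host "[ OK ] $msg" } else { Write-Host "[FAIL] $msg"; $script:failed = $true }
}

# 1. sdconf.rec is needed in BOTH places: System32 for SDTEST.EXE, sdconfig for the ISA agent.
Check (Test-Path (Join-Path $sys32  'sdconf.rec')) "sdconf.rec in $sys32 (used by SDTEST.EXE)"
Check (Test-Path (Join-Path $IsaDir 'sdconf.rec')) "sdconf.rec in $IsaDir (used by ISA Server)"

# 2. Node secret: a successful SDTEST run creates SECURID in System32; ISA needs its own copy.
$nodeSys32 = Join-Path $sys32  'securid'
$nodeIsa   = Join-Path $IsaDir 'securid'
Check (Test-Path $nodeSys32) "node secret SECURID created in $sys32 (run SDTEST.EXE successfully first)"
Check (Test-Path $nodeIsa)   "node secret SECURID copied into $IsaDir"
if ((Test-Path $nodeSys32) -and (Test-Path $nodeIsa)) {
    Check ((Get-Item $nodeSys32).Length -eq (Get-Item $nodeIsa).Length) 'both SECURID copies are the same size'
}

# 3. PrimaryInterfaceIP must be set and must be an address bound to an adapter on this server.
$localIps = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
            ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
$primary = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).PrimaryInterfaceIP
Check ([bool]$primary) "$regKey PrimaryInterfaceIP is set"
if ($primary) { Check ($localIps -contains $primary) "PrimaryInterfaceIP ($primary) is bound to a local adapter" }

# 4. Persistent static route the article adds so the test utility (and the agent) can reach the RSA servers.
$hits = @(route print | Where-Object { $_ -match "^\s*$([regex]::Escape($RouteDest))\s" } |
          Where-Object { $_ -match [regex]::Escape($RouteGw) })
Check ($hits.Count -gt 0) "route to $RouteDest via $RouteGw present in 'route print'"

if ($script:failed) { Write-Host 'Fix the FAIL items, re-run SDTEST.EXE, then restart the Firewall service (wspsrv.exe).' }
```

Run it in an elevated PowerShell prompt on each array member after the SDTEST step; every line should read OK before you touch the listener.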

Now move on to the ISA Server:

  • Backup ISA Configuration
  • Configure CAS Listener
  • Configure client authentication on the listener

Here is the link; click on the picture.

image

Configure the Exchange default website; click on the picture for details.

image

Now it is time to test it

image

I hope this saves some of you out there time and headache.

Cheers,

oz Casey Dedeal,

MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +

Http://smtp25.blogspot.com (Blog)

Http://telnet25.spaces.live.com (Blog)

Http://telnet25.worldpress.com (Blog)


1 comment:

Anonymous said...

Excellent article. I have this setup for OWA and it is working well. I wanted to allow external OWA users to be able to change their passwords through the ISA FBA page, but when I went to make this change in the listener properties, the setting was dimmed. Is there any way to allow users to change passwords with this configuration?