User Authentication

MOVEit DMZ provides the ability to authenticate users to external LDAP and/or RADIUS servers. Microsoft Active Directory (AD) operates as an LDAP server, so MOVEit DMZ can authenticate to it natively. MOVEit DMZ can also authenticate users against ODBC-compliant databases through the use of the optional RADIUS-ODBC authentication service. Both of these transports can be secured at the transport level (we encourage the use of LDAP over SSL) and related credentials are stored encrypted on MOVEit DMZ.

In addition to authenticating existing users against external sources, MOVEit DMZ has the ability to create new users, often as a clone of an existing template user. MOVEit DMZ also has the ability to split an organization's user base into External Users and Internal Users with one group using an external authentication source and the other using MOVEit DMZ's built-in user database. When accessing an LDAP server, MOVEit DMZ has the ability to replicate group membership information and information such as email address from that LDAP server as well.

Single Signon

In enterprise environments, an externally authenticated MOVEit DMZ site can participate in Single Signon (SSO) arrangements in two different ways:

• CA SiteMinder - MOVEit DMZ can accept preauthenticated credentials from CA SiteMinder. More information about this feature is available in the Advanced Topics - Service Integration - SiteMinder Integration documentation.
• Common Access Card (CAC) - MOVEit DMZ can authenticate users using hardware client certificates in CAC Smart Card environments. More information about this feature is available in the Advanced Topics - Service Integration - CAC Integration documentation.

Authentication Sources

An Authentication Source is any RADIUS or LDAP server the MOVEit DMZ queries. Multiple Authentication Sources may be configured within any particular organization, and each may be of a different type (e.g., 2 RADIUS sources and 3 LDAP sources) and each may reference a different template user so users already belong to the appropriate groups when they are automatically added.

The following Authentication Source types are currently supported:

• RADIUS (Authentication Only): Incoming usernames and passwords will be tried against a remote RADIUS server. If authentication is successful, a new user may be created on the fly as a clone of an existing template user.
• LDAP (Authentication Only): Incoming usernames and passwords will be tried against a remote LDAP server. If authentication is successful, a new user may be created on the fly as a clone of an existing template user.
• LDAP (Lookup and Authentication): Incoming usernames and passwords will be tried against a remote LDAP server. If authentication is successful, a new user may be created on the fly as a clone of an existing template user. However, user attributes such as email address and group memberships will be carried over from the LDAP server. (This is currently the most popular option.)

Complete documentation and examples for Active Directory, Novell eDirectory, IBM Domino and iPlanet LDAP servers are provided. Other LDAP servers (such as IBM Tivoli Access Manager - SecureWay) are also supported through the use of flexible connection and attribute templates. (RADIUS server configuration is relatively generic compared to LDAP server configuration.)

More Information

Connecting to external authentication resources often requires some additional firewall rules. The various rules associated with LDAP and RADIUS services are covered in MOVEit DMZ Firewall Configuration.

The settings which control how MOVEit DMZ accesses external authentication sources and how new user records are configured for external authentication users are covered in Authentication Method section of the Settings - Security - User Policy.

The settings which control how individual users access external authentication sources are covered in Authentication Method section of the Users - Profile.

Information about configuring individual authentication sources can be found in the Web Interface - Settings - Security Policies - External Authentication documentation.

Complete information about the optional RADIUS-ODBC authentication service can be found in Advanced Topics - RADIUS-ODBC Authentication. More information about SiteMinder SSO integration is available in Advanced Topics - SiteMinder Integration.

Securely Accessing Internal LDAP Servers (e.g., Active Directory)

There are two ways MOVEit DMZ can securely connect to internal LDAP sources from a DMZ segment. Both offer strong encryption of user credentials and information in transit, and neither requires anonymous access.

Direct, Authenticated SSL Connection to Internal LDAP Server

This scenario is quite common. First, an end user presents his or her credentials to MOVEit DMZ over an encrypted SSH (FTP/SSH) or SSL (FTP/SSL or HTTP/S) link. MOVEit DMZ turns around and passes those credentials to the LDAP server over an encrypted SSL (LDAP/SSL) link to figure out if that user may sign on to MOVEit DMZ at that time. MOVEit DMZ does not retain the credentials in its own store.

Depending how you have configured your system, MOVEit DMZ may sign on as an LDAP user with permission to browse the LDAP directory to replicate settings such as email and group membership. In this case, the credentials MOVEit DMZ uses to browse are encrypted on MOVEit DMZ using 256-bit AES.

To access an internal LDAP server directly from a DMZ-based MOVEit DMZ server, there are several steps to take:

• Set up your LDAP server to require authentication and SSL connections when receiving connections from the internal firewall's IP address, MOVEit DMZ server or DMZ segment.
• Set up an internal firewall rule to allow MOVEit DMZ to connect to the LDAP server on TCP port 636 (the standard port for LDAP over SSL)
• Set up an external authentication source on MOVEit DMZ. Fill in the appropriate credentials to access the LDAP server and specify LDAPS (LDAP over SSL) as the authentication protocol.

Authenticated SSL Connection to Internal LDAP Server via RADIUS

This scenario is less common but still popular in situations where LDAP (even encrypted with SSL) is a banned protocol. First, an end user presents his or her credentials to MOVEit DMZ over an encrypted SSH (FTP/SSH) or SSL (FTP/SSL or HTTP/S) link. MOVEit DMZ turns around and passes those credentials to a RADIUS server with encrypted RADIUS packets to figure out if that user may sign on to MOVEit DMZ at that time. MOVEit DMZ does not retain the credentials in its own store. The RADIUS server (often Microsoft Internet Authentication Service, a.k.a. IAS) doesn't really have a user store of its own, but instead is usually tied into a Windows Domain, Active Directory or other LDAP server.

The RADIUS protocol is UDP-based and all packets are encrypted with a key. This key is stored on MOVEit DMZ using 256-bit AES. MOVEit DMZ does not need to know anything about the LDAP server(s) that really hold the user information because the RADIUS server acts as a complete front end. (Some sites have commented that they enjoy the fact that RADIUS queries, by design, return less information about their users than a similar LDAP query would.)

To access an internal LDAP server securely via RADIUS from a DMZ-based MOVEit DMZ server, there are several steps to take:

Set up your RADIUS server to get authentication information from your LDAP server. (Often when using free add-on tools such as Microsoft's IAS server with Active Directory, this is your only option.)

Set up an internal firewall rule to allow MOVEit DMZ to connect to the LDAP server on UDP port 1645 (the standard port for RADIUS)

Set up an external authentication source on MOVEit DMZ. Fill in the appropriate key to encrypt RADIUS traffic for your particular RADIUS server.

Active Directory SSL Notes

People have reported that enabling SSL services on Active Directory LDAP services is harder than it ought to be. Specifically, implementing Microsoft's recommendation involving the deployment of an Enterprise Certificate Authority can take some time.

• #Q247078 - How To Enable Secure Socket Layer (SSL) Communication over LDAP for Windows 2000 Domain Controllers (External Link)

There is, however, an easier way to enable SSL on Active Directory - and it does not involve Enterprise Certificate Authority.

1. Get a CA-signed server certificate with the AD server's fully qualified domain name (FQDN) listed in as the certificate's common name (CN). For a server named ad.internal.mycorp.com, a server certificate named ad.internal.mycorp.com signed by any CA will do.
2. On the AD server, use the Certificates MMC plug-in (for Local Computer) to add the CA-signed server certificate into the Local Computer's Personal certificate store. Make sure the imported certificate has a private key listed on its property dialog.
3. On the AD server, use the Certificates MMC plug-in (for Local Computer) to add the CA certificate into the Local Computer's Trusted Root certificate store. The imported certificate should not have private key listed on its property dialog.
4. On the MOVEit DMZ server (or other LDAP client), use the Certificates MMC plug-in (for Local Computer) to add the CA certificate into the Local Computer's Trusted Root certificate store. The imported certificate should not have private key listed on its property dialog.
5. Restart the domain controller. AD will automatically find the current SSL server certificate to use based on its name and will make its LDAPS interface available accordingly.
6. At this point MOVEit DMZ (or other LDAP client) should be able to securely connect to Active Directory using LDAPS over TCP port 636.

There is more information about this procedure on Microsoft's site, but the primary difference between Microsoft's procedure and the one laid out here is that Microsoft's recommends the use of Microsoft's certreq add-on utility in place of OpenSSL.

• #Q321051 - How to enable LDAP over SSL with a third-party certification authority (External Link)

Finally, there are at least two alternatives to these procedures; both involve an SSL tunnel that adds SSL encryption to Active Directory's existing LDAP protocol.

• Configure your firewall to accept LDAP/SSL connections on TCP port 636 and forward them to Active Directory on port 389. In this case, an SSL certificate will be installed on your firewall. (Not all firewalls support this configuration.)
• Install a utility called STunnel (available from MOVEit support) on your Active Directory or any other internal machine that has access to Active Directory. Configure STunnel to accept LDAP/SSL connections on TCP port 636 and forward them to Active Directory on port 389. In this case, an SSL certificate will be installed on the machine which runs STunnel.

Contact our support staff for more information about any of these procedures.