Celestix Federated Installation Guide
VA Series
A Secure Access Company
The information contained in this document represents the current view of Celestix Networks on the issues discussed as of the date of publication.
Because Celestix Networks must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Celestix Networks,
and Celestix Networks cannot guarantee the accuracy of any information presented after the date of publication.
These instructions are for informational purposes only. CELESTIX MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Celestix Networks.
Celestix Networks may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Celestix Networks, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
CelestixFederated VA Series Appliance Installation Guide
Document Number: VFED2000-120-002
Updated: November 13, 2015
Part Number: (CCD) 2102-30800005
Product version: A Series 2.0
© 2016 Celestix Networks, Inc. All rights reserved.
The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No
association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.
HOTPin, Celestix and Celestix logo are either trademarks or registered trademarks of Celestix Networks, Inc.
Microsoft, Microsoft logo, Microsoft Windows Server, Microsoft Forefront, Threat Management Gateway, Unified Access Gateway, Active Directory,
Windows, Windows NT, Office 365, Azure, ActiveX, Internet Explorer, Windows Phone, and Zune are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Introduction
  Guide Usage Notes ... 1
  System Overview ... 2
  The Next Step ... 5
Install the Application ... 6
  Installation Notes ... 6
  Install Instructions ... 9
  The Next Step ... 9
Application Setup ... 10
  Access the Web User Interface ... 10
Configure Federation ... 11
  General Information ... 11
  Federation Setup ... 13
  The Next Step ... 21
Configure HA Secondary Server ... 22
  General Information ... 22
  Quick Setup Wizard ... 23
  The Next Step ... 27
Create a Backup ... 28
Update Software ... 29
Appendix ... 30
  Web User Interface Content Overview ... 31
  Glossary ... 32
  Index ... 36
  Resource Worksheet ... 38
Introduction
Celestix Networks delivers an exceptional combination of perimeter security features, scalability, and
simplicity in cost-efficient virtual and hardware appliances. Ready-to-deploy appliances offer easier
management that reduces the risk and cost of security solutions. The Celestix® line of security
appliances provides key security framework components: firewall, branch-office connectivity, web
cache/proxy, wireless policies/authentication, remote access, two-factor authentication, patch
management, and anti-spam/anti-virus gateway deployments. Celestix products provide the best
option for the emergent need to manage IT security for every level of infrastructure complexity.
The CelestixFederated VA Series Appliance provides simplified configuration for federated identity
management between on-premises Active Directory® and Office 365™ productivity software. The VA
Series delivers secure single sign-on (SSO) with Windows Server® 2012 R2 Active Directory Federation
Services (ADFS) from Microsoft®.
The foundation of your Celestix virtual appliance is the award-winning Comet engine. Comet provides a
web user interface (web UI) for convenient access to administration functions like setup, network
configuration, and server task management. For the VA Series, it also provides simplified installation
and configuration for identity federation and supporting technologies.
The product installs as a trial version. A license activation key must be purchased from Celestix and
uploaded to the virtual appliance before the 30-day trial period ends.
The Celestix VA Series is a hardened and secure virtual appliance platform that is optimized for secure
Windows deployment.
The 2.0 VA Series offers the following functionality:
- Simplified wizard-driven identity management configuration for ADFS and Office 365.
- Streamlined management interface.
- Integrated NLB configuration for high availability deployments.
Guide Usage Notes
This guide will help system administrators to efficiently install and configure a new virtual appliance
with a base level setup. The instructions cover steps for some common deployment scenarios. They
usually offer one option to accomplish a task, though there may be other ways to achieve the same
thing. The guide does not provide extensive reference information. Online help in the web UI can
usually provide additional information.
VA Series Installation Guide
Document Conventions
- Using a PDF viewer besides Adobe® Reader® XI or later may disable some of this document’s
  functionality and may change how the content displays.
- Instructions are generally intended for administrators to manage the server installation through
  Comet’s web user interface administration tool, referred to as the web UI.
- Instructions are presented in the best order to follow for setup.
- The following text formats are used for clarification:
  - Web UI on-screen items are noted in this style.
  - File names are delineated as filename.xxx.
  - Titles are delineated as documentname.
  - Examples and code are delineated in this style.
- When referring to subsections in this document, the hierarchy is delineated by the symbol for a
  colon (:). For example, the location of the section To find updates would be delineated as:
  Update Software : To find updates.
- Instructions assume the reader will navigate from the web UI main menu bar to access features.
  For example, to access Software Updates, the navigation path from the menu bar would be
  delineated as: System|Software Updates.
- Though network interface connections are commonly referred to as NICs, ports, and adapters,
  documentation uses the term network adapters.
- Documentation generally refers to the virtual appliance when discussing the VA Series Appliance.
Web User Interface
The web UI is a management tool to access the most common Celestix product features. Initially, use it
to quickly set up the server. Subsequently, use the web UI to access administrative features for both
Comet and identity federation management.
See the Appendix topic Web User Interface Content Overview for features included in the web UI. See
the online help topic Web User Interface Overview for more information about using the web UI
(Help|Web UI Overview).
System Overview
The CelestixFederated virtual appliance can be deployed in a variety of configurations. To provide a
frame of reference, the following diagrams show three options.
Illustration 1: A Series Minimal Recommended Infrastructure Deployment
Illustration 2: A Series Infrastructure Recommendation with Proxy and Default Data Store
Illustration 3: A Series Infrastructure Recommendation for Proxy and External Data Store
General Setup Information
The following lists network components that most commonly require configuration to support feature
deployments.
Note: Some items are optional. Details for feature configuration are discussed in the topic Resource
Worksheet.
Active Directory Federation Services
- Active Directory Domain Services (AD DS)
- SSL certificate
- Service Account
- DNS
- NLB
- SQL Server
- Web Application Proxy
Version Information
Version information for virtual appliance components is noted on the main web UI page. Click the A
Series logo link from any page to access it.
The Next Step
The following sections cover general setup, which includes virtual appliance installation and
configuration, then feature installation.
Install the Application
The guide provides a system administrator with concise instructions for a base deployment. The
document covers common installation requirements and is not intended to be comprehensive. Every
network environment is different, and some installations may require additional configuration.
Installation instructions first cover assumptions the guide takes into account for a common
deployment to help administrators plan for the skills and resources they may need. Assumptions are
followed by the Resource Worksheet. The worksheet helps to gather necessary information that will
aid in the installation process. Preparation steps are followed by instructions to rack, connect to the
network, and power the appliance.
Installation Notes
The following topics cover resources to prepare for installing the appliance on the network.
Server Requirements
The VA Series server specifications are covered below.
Table: VA 3400 Server Specifications
  Operating System       Windows Server® 2012 R2
  CPU (Processor)        2.4 GHz or greater with 2 cores
  RAM (Memory)           4 GB; 8 GB recommended
  Network Card           1-2 virtual adapters
  Available Disk Space   50 GB or greater
Table: VA 6400 Server Specifications
  Operating System       Windows Server® 2012 R2
  CPU (Processor)        2.4 GHz or greater with 2 cores; 2.8 GHz with 4 cores recommended
  RAM (Memory)           8 GB; 16 GB recommended
  Network Card           1-2 virtual adapters
  Available Disk Space   50 GB or greater
Assumptions
The following sections provide information about necessary skills and knowledge administrators
should have and the assumptions that cover application installation for a majority of network
environments.
Skills and Knowledge
System administrators should be familiar with:
- Networking technology
- Windows Server management
- Microsoft Active Directory®
- Identity federation
- Microsoft Office 365™
Network Settings
The following general conditions apply to the instructions contained in this guide. If alternatives apply,
they are noted. Again, every network is different and may require some adjustment to the general
information presented herein.
- Active Directory is used for the domain controller.
- Static IP addresses are reserved for network adapters as needed.
Resource Worksheet
It will expedite the process to gather and verify resource information in the Resource Worksheet below
before starting appliance installation and setup. An example of the worksheet is provided below with
descriptions for the information it includes. A blank copy of the worksheet, which can be printed, is
included in the Appendix.
Note: Incorrect network configuration could compromise or impede the appliance.
Table: Worksheet Form Example
(Columns: Property | Network Information (example) | Explanation. The example column is left blank
to be filled in. Each row below lists the property and its sub-items, followed by the explanation.)

Computer name
  Used in: Configure the Appliance > Quick Setup Wizard
  The server must be assigned a computer name. The computer name must be 15 alphanumeric
  characters or less.

Administrator password
  The local administrator password is necessary to log in to the web UI.

LAN information (private or internal network interface)
  IP address
  Subnet mask
  Default gateway
  Primary/secondary DNS server(s)
  Static routes: network address, gateway address
  Used in: Configure the Appliance > Quick Setup Wizard
  Required for virtual appliance setup. The LAN (private network interface) adapter of the
  appliance is the interface assigned to internal network traffic.

Active Directory Domain Services (AD DS)
  IP address
  Hostname
  User account/password
  Used in: Federation Configuration > Quick Setup Wizard > Wizard Instructions > General Settings
  The appliance needs to join the internal Active Directory domain. AD DS information and
  credentials are used to configure access for federation services.

ADFS
  ADFS FQDN
  Display name
  Used in: Federation Configuration > Quick Setup Wizard > Wizard Instructions >
    ADFS Services > Service Parameters > Service Name
    Office 365 > Federated Domain > Domain
  The ADFS FQDN will serve as the Service Name. It should match the subject for the SSL
  certificate.
  Note: A Series and AD DS should point to the same DNS.

DNS
  ADFS FQDN
  Host/cluster IP
  DNS must be updated to resolve the ADFS Service Name to the IP address for the host or cluster.
  Note: Cluster IP means the virtual IP address assigned to the cluster of ADFS appliances
  deployed for HA.

Public domain registrar
  Credentials
  A DNS record will need to be added through the federated domain's registrar to prove ownership
  and thus allow Office 365 to connect.

NLB
  DNS entry
  Cluster Name
  Cluster IP address
  Used in:
    Configure Federation > Quick Setup Wizard > Wizard Instructions > Clustering
    Configure HA Secondary Server > Quick Setup Wizard > Wizard Instructions > Clustering
  NLB configuration is required for ADFS high availability.

SSL Certificate
  Subject name
  Passphrase
  Used in: Configure Federation > Quick Setup Wizard > Wizard Instructions > ADFS Services >
  Certificate
  An SSL certificate will encrypt communication for federation services. The subject must match
  the AD FS FQDN.

SQL Server
  Hostname
  Instance
  Used in: Configure Federation > Quick Setup Wizard > Wizard Instructions > ADFS Services >
  Database
  The hostname is needed if a SQL server is deployed on the network and will be used for
  federation data. An instance name only needs to be provided to create a new data store on the
  SQL server.

Office 365
  Username
  Password
  Used in: Configure Federation > Quick Setup Wizard > Wizard Instructions > Office 365 >
  Federated Domain
  The wizard requires credentials to add federation information to the Office 365 administration
  portal.
  Important: To configure Office 365 for federation, global administrator privileges are required.

Web Application Proxy (WAP)
  ADFS FQDN
  SSL certificate
  This information would be needed to set up a proxy service for federation HA.
  Notes:
  - WAP cannot be located with ADFS.
  - Root certificate required.

SMTP server
  IP address
  SMTP gateway name
  May be needed in IG: Configure the Appliance > Quick Setup Wizard
  Optional configuration; SMTP is required for Alert Email.

Workplace Join
  AD DS FQDN
  AD DS service account
  AD FS IP address
  AD FS FQDN
  DRS DNS entry
  This information would be used to extend functionality needed to set up BYOD access.

Application server
  IP address
  Hostname
  This information would be used to extend functionality.

Bold items are required.
Install Instructions
Complete the following:
1. Log in to the server using an administrator account.
2. Navigate to the installation file: vCelestixFederated-2000.exe
3. Right-click the file and select: Run as administrator.
4. Use the installation wizard to run through the setup process.
   - Accept the license agreement to proceed.
   - Select components prompt: leave the default options unless customization is necessary.
5. The wizard will report when the process is complete.
The Next Step
Once the application is installed, next configure general network and appliance information.
Application Setup
Virtual appliance management is through the web UI. The instructions in this section describe how to
access the web UI and set general server and network information, like IP address, administrator
password, and alert email.
Access the Web User Interface
Accessing the web UI is necessary to continue setup. The IP address for the internal network (LAN0)
adapter is used to access the web UI.
Web UI Login
From a client computer on the network, default access to the appliance web UI is through a web
browser at https://ServerName|IP address:8098.
For example, if the server LAN IP address is 192.168.30.4, the web UI URL would be
https://192.168.30.4:8098
Enter local administrator credentials when prompted.
Important: A certificate warning may display because the site uses a self-signed certificate. Accept
the certificate to access the web UI.
The next section, Configure Federation, explains the steps to set up identity management for Office
365 using AD FS.
Configure Federation
Now that the appliance is up and running, it's time to set up federation between AD and Office 365.
Instructions cover the minimum functionality common to most deployments for a CelestixFederated
VA Series Appliance; however, an individual organization may need different or additional
configuration.
The information below is required to set up the appliance as either a standalone server or a primary
server in a high availability (HA) deployment. The section General Information provides necessary
information about setup.
High Availability Notes
ADFS information configured for the primary server will be required for secondary servers. Keep track
of the following settings:
- Federated domain
- SSL certificate
- Service account
- External SQL Server hostname/instance (if deployed)
For instructions to set up an appliance as a secondary HA server, see the topic Configure HA
Secondary Server.
General Information
The following topics cover requirements, assumptions, and terminology used in the CelestixFederated
VA Series Appliance Installation Guide.
Domain Terminology Disambiguation
The following list explains how terms to describe components are used in documentation.
- On-premises domains are sometimes referred to as AD domains, but documentation uses the
  term internal domain.
- Off-premises domains are sometimes qualified by the terms external or public, but documentation
  uses the term federated domain.
- The federation service namespace is sometimes referred to as the ADFS or authentication
  namespace, but documentation generally uses the shortened term federation namespace. It will
  be used as the Service Principal Name (Service Name) for ADFS. The federation namespace is
  based on the FQDN that represents the SSL certificate Subject (or Common Name).
- Servers configured with the role Active Directory Domain Services may be referred to as the
  domain controller (DC) or designated by the acronym AD DS. The acronym AD is used as a general
  referent for the internal domain directory.
- The Clustering feature configures Windows Network Load Balancing to distribute network
  traffic in a high availability deployment.
Deployment Assumptions
Information presented in the A Series setup instructions is based on the following:
- Office 365 subscription has been purchased from Microsoft.
- Azure Active Directory Synchronization (AAD Sync) will be used to maintain accounts in Office
  365.
- Certificates for token signing and decryption will be generated automatically during setup.
- NLB will be configured for high availability environments instead of an external load balancer.
Requirement Checklist
The following items will be required to set up the VA Series. Plan ahead so that items are available when
needed to complete configuration.
- Office 365 subscription – the minimum requirement for integration with ADFS is an Office 365
  Business plan. Education and Government subscription plans are also supported.
- Office 365 global administrator account – the required level of administrator privileges to set up
  ADFS/Office 365 federation. Also referred to as the super user in the Azure™ platform.
- Publicly signed certificate – an SSL certificate is recommended for ADFS and required for Office
  365; it must be a third-party certificate from a trusted vendor. The certificate subject is the same
  as the federation service namespace. It will be used as the Service Principal Name for ADFS.
  Note: There are two other required certificates (for token signing and decryption); they are
  usually generated automatically during setup, but third-party certificates can be used.
- Federation service namespace – a unique identifier is required to define the authentication
  environment; this name will serve as the Service Principal Name (Service Name) and is the same as
  the SSL certificate Subject. The namespace must be different from the host name that will be
  assigned to the VA Series.
- Display name – a friendly identifier that is displayed to end users on the login page.
- AD Credentials – an account that has administrator privileges for the internal AD.
- Service account – an account is required to facilitate communication between AD and ADFS. A
  new Group Managed Service Account (GMSA) can be added automatically to AD during setup, or
  an existing account that has the necessary privileges can be designated.
- Database – a database is required. If not using the Windows Internal Database, which is the
  default, information for a SQL Server® instance is necessary.
- IP address – at least one static address has been reserved; it will be assigned to the LAN
  network adapter.
Important:
- The appliance must be joined to a domain during the setup process.
- Web Application Proxy cannot be installed on the VA Series.
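An added pre-flight check (not from the Celestix guide) for the checklist items above that the wizard validates later: the third-party certificate must open with its passphrase and carry the federation namespace as its Subject or SAN, the namespace must differ from the VA hostname, and the hostname must fit the worksheet's 15-character limit. The PFX path and hostname are assumed values; run it in PowerShell on a Windows host with the PKI module.

```powershell
# Added example, not from the Celestix guide: verify Requirement Checklist
# items before starting the Quick Setup Wizard. PFX path and hostname are
# placeholders; the namespace follows the guide's example.
$PfxPath   = 'C:\certs\adfs-fedexample.pfx'   # assumed location of the third-party certificate
$Namespace = 'adfs.fedexample.com'            # federation service namespace (Service Name)
$VaHost    = 'CelestixFed'                    # hostname planned for the VA Series appliance

$problems = @()

# Worksheet rule: the computer name is 15 alphanumeric characters or less
if ($VaHost -notmatch '^[A-Za-z0-9]{1,15}$') {
    $problems += "Hostname '$VaHost' is not 1-15 alphanumeric characters."
}
# Checklist rule: the namespace must differ from the host name assigned to the appliance
if ($Namespace.Split('.')[0] -eq $VaHost) {
    $problems += "Namespace host label must differ from the VA hostname '$VaHost'."
}

# Open the PFX with its passphrase, exactly as the wizard's Certificate step will
$pass = Read-Host -AsSecureString -Prompt 'PFX passphrase'
try {
    $cert = (Get-PfxData -FilePath $PfxPath -Password $pass -ErrorAction Stop).EndEntityCertificates[0]
} catch {
    throw "Cannot open '$PfxPath' with the supplied passphrase: $($_.Exception.Message)"
}

if (-not $cert.HasPrivateKey) { $problems += 'PFX does not contain the private key.' }
# Checklist rule: a certificate from a trusted third-party vendor, not a self-signed one
if ($cert.Subject -eq $cert.Issuer) {
    $problems += 'Certificate is self-signed; a trusted third-party certificate is required.'
}
if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)." }

# Collect the names the certificate is valid for: Subject CN plus any SAN DNS names
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format() renders the SAN as "DNS Name=host" lines (English-locale label)
    $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
              ForEach-Object { $_.Groups[1].Value }
}
# Checklist rule: the certificate Subject (or a SAN entry) equals the federation namespace;
# a wildcard name is deliberately not accepted as a match
if ($names -notcontains $Namespace) {
    $problems += "Namespace '$Namespace' is not among the certificate names: $($names -join ', ')"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"Checklist OK: $Namespace on $VaHost with certificate $($cert.Thumbprint)"
```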
Federation Setup
ADFS setup for Office 365 requires configuration in the following places:
- The domain controller
- The VA Series web UI
- The registrar for the federated domain
- The Office 365 administration portal
The topics below cover configuration for each of these components to deploy the appliance as either a
standalone server or an HA primary server. Complete the tasks in the order presented to deploy the A
Series efficiently.
Example Information
To help make the instructions clear, these examples are used to identify components.
                 Internal Domain        Federated Domain       ADFS Appliance
  FQDN           ad01.intexample.com    adfs.fedexample.com    CelestixFed.intexample.com
  Host Name      ad01                   adfs                   CelestixFed
  Domain Name    intexample.com         fedexample.com         intexample.com
DNS Configuration
ADFS requires DNS support to function. Clients must be able to resolve the ADFS Service Name to the
IP address assigned to the ADFS server or cluster. Configuration is described briefly and requires
familiarity with AD domain administration.
Split DNS
The tasks described below are only necessary in environments where the internal and the federated
namespaces are the same.
Split DNS Configuration
Complete the following:
- Open the DNS Manager.
  - Right-click the DNS zone and choose New Host (A or AAAA).
  - Add the ADFS Service Name (example: adfs.fedexample.com) and enter the IP address of the
    ADFS server or the virtual IP for the ADFS cluster.
    Note: Virtual IP addresses are only used when NLB or an external load balancer is used to
    balance ADFS authentication network traffic.
Internal DNS
The tasks described below are only necessary in environments where DNS namespaces are unique.
Internal DNS Configuration
Complete the following:
- Open Active Directory.
  - In the Active Directory Domains and Trusts management console, right-click Active Directory
    Domains and Trusts in the navigation tree and choose Properties. Designate the federated
    domain name (example: fedexample.com) as an Alternative UPN suffix.
    Important: Office 365 accounts require the federated namespace to be the primary UPN suffix.
- Open the DNS Manager.
  - Add the federated domain name (example: fedexample.com) as a Forward Lookup Zone.
  - Add the hostname of the ADFS namespace (example: adfs) as a New Host (A Record) name to the
    newly added zone.
  - Add the IP address for the ADFS server or the virtual IP for the ADFS cluster to the Host
    (A Record).
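The Split DNS and Internal DNS steps above, scripted as an added example (not from the Celestix guide). It assumes a domain controller that also hosts DNS, with the ActiveDirectory and DnsServer PowerShell modules; the names follow the guide's examples and the ADFS address 192.168.30.10 is a constructed value.

```powershell
# Added example, not from the Celestix guide: scripted equivalent of the
# Split DNS and Internal DNS configuration steps. Run as a domain admin on a
# DC that hosts DNS, with the ActiveDirectory and DnsServer modules installed.
Import-Module ActiveDirectory
Import-Module DnsServer

$InternalDomain  = 'intexample.com'
$FederatedDomain = 'fedexample.com'     # for Split DNS this equals $InternalDomain
$AdfsHost        = 'adfs'               # host label of the ADFS Service Name
$AdfsIp          = '192.168.30.10'      # ADFS server IP or NLB cluster VIP (constructed)
$SplitDns        = ($FederatedDomain -eq $InternalDomain)

if (-not $SplitDns) {
    # Internal DNS, step 1: register the federated domain as an alternative UPN suffix.
    # Accounts that sign in to Office 365 must afterwards have their UPN set to this
    # suffix (not done here).
    $forest = Get-ADForest -Identity $InternalDomain
    if ($forest.UPNSuffixes -notcontains $FederatedDomain) {
        Set-ADForest -Identity $InternalDomain -UPNSuffixes @{ Add = $FederatedDomain }
    }
    # Internal DNS, step 2: create the forward lookup zone for the federated domain
    if (-not (Get-DnsServerZone -Name $FederatedDomain -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $FederatedDomain -ReplicationScope 'Forest'
    }
}

# Both cases: host (A) record for the Service Name pointing at the server or cluster VIP.
# In the Split DNS case the zone is the existing internal zone.
$existing = Get-DnsServerResourceRecord -ZoneName $FederatedDomain -Name $AdfsHost `
                -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $FederatedDomain -Name $AdfsHost -IPv4Address $AdfsIp
} elseif (@($existing.RecordData.IPv4Address.IPAddressToString) -notcontains $AdfsIp) {
    # Do not silently repoint an existing name; an operator should confirm which address is right
    Write-Warning "$AdfsHost.$FederatedDomain already has A record(s) for another address; not changed."
}

# Confirm from this DNS server that the Service Name resolves as intended
Resolve-DnsName -Name "$AdfsHost.$FederatedDomain" -Type A -Server 127.0.0.1 -DnsOnly |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress
```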
The next step explains using the Quick Setup Wizard.
Quick Setup Wizard
The Quick Setup Wizard is a walk-through to join the appliance to the internal domain and then
configure ADFS and Office 365 components. Access the screen through the web UI at Start|Quick
Setup.
Wizard Instructions
While working through the wizard, the appliance may need to reboot to add configuration to identity
federation components.
1. General Settings
   Note: When possible, fields will be autopopulated with available settings if the virtual appliance
   was joined to the domain previously, and the reboot mentioned below will be skipped.
   a. Administrator Password – change the local administrator password if necessary. If not,
      enter the current password.
      - User name – the Administrator Password feature only changes the local administrator
        password, which must be the logged-in account.
      - Password – enter and confirm a new password. Complexity requirements are noted on the
        screen.
   b. Date and Time – use onscreen controls to set the date, time, and time zone, then configure
      for daylight savings if necessary.
   c. Network Interfaces – select the LAN network adapter to set a static address. A static
      address includes these settings:
      - Internet Protocol (IP) address
      - Subnet mask
      - Gateway address
      - Automatic or preferred DNS server
   d. Hostname and Domain
      - Hostname – specify a name for the virtual appliance; it must be unique.
        For example: CelestixFed
      - Domain – enter the name for the internal domain the virtual appliance will join.
        For example: intexample.com
      - Username – enter an account with domain administrator access to AD (domain\username).
        For example: intexample\adminuser
      - Password – provide the account password.
   e. Reboot
      - Click Next to apply changes and reboot the virtual appliance.
      Note: Domain administrator credentials (example: intexample\adminuser) will be required to
      access the web UI after the reboot.
   f. Alerts Email – optional; general virtual appliance notifications can be sent to designated
      recipients through a connection to a network SMTP server.
      i. Select Enable alert email.
      ii. Complete the following sections:
          Alert Message settings
          - To – enter one or multiple recipients. For multiple addresses, use a comma delimiter.
          - From – enter a sending address that recipients will recognize.
          - Select check boxes for the alert levels that will generate email.
            - Send error alert email – includes alert types where the level is set to Error.
            - Send warning alert email – includes alert types where the level is set to Warning.
            - Send informational alert email – includes types where the level is set to
              Information.
          SMTP server settings
          - Name – indicates the network SMTP server name or IP address.
          - Port – enter the number used for SMTP communication.
          - Use SSL/TLS – select to require encryption.
          - SMTP settings – select and provide credentials with permission to access the SMTP
            server.
          - Send Test Message – create a test email using the settings entered above.
            Note: The alert email function will indicate whether a test email was sent. If the test
            email is not received after the alert email feature indicates that one was sent, the
            error is most likely due to SMTP server settings. An error will occur if the SMTP
            service is not running or if the virtual appliance is not correctly configured to see
            the SMTP server. Confirm the SMTP server and network settings before trying to test
            again.
      iii. Click Save to add configuration.
2. ADFS Services
   a. Deployment Type
      - Create the first federation server in a federation server farm – select to configure a
        standalone or primary server.
      Caution: Do not select the option Add a federation server to the federation server farm.
   b. Certificate
      - Certificate – navigate to and select the third-party SSL certificate file.
        - Passphrase – enter the certificate password, also referred to as the private key.
   c. Service Parameters
      - Service Name – select the SSL certificate Subject; options will automatically be read from
        the designated certificate. The Service Name defines the federation namespace.
        For example: adfs.fedexample.com
      - Display Name – enter a friendly name for the Office 365 login page that end users will
        recognize; the organization name is often used.
   d. Service Account
      Important: The following lists the available account options and restrictions.
      - Group Managed Service Account (GMSA) – requires a Windows Server 2012 or later DC;
        automates security best practices like minimum rights required along with secure password
        creation and life cycle management for multiple servers. The wizard can automatically add a
        GMSA to AD.
      - Managed Service Account (MSA) – requires a Windows Server 2008 R2 or later DC; automates
        security best practices like minimum rights required along with secure password creation
        and life cycle management for a single server. Each ADFS server requires a separate MSA
        account. Accounts must be manually added to AD.
      - Domain user account – configured as a standalone service account, this option is available
        for Windows Server 2003 and later; it can be configured for minimum rights required, but
        requires manual password management. The account may require configuration for the
        Service Principal Name and may need to be added to the local administrator group on the
        virtual appliance.
      Caution: A domain administrator account should not be used because it includes excess
      privileges beyond service requirements. To conform with security best practices, use an
      option with the minimum rights required for the task.
      - Create Service Account Automatically – select to create a GMSA in on-premises AD.
        - Username – enter a name to use for the GMSA.
          Note: Keep track of the Service Account name as it may be needed for other
          configuration, like secondary servers.
      - Use an existing account – select to specify a current AD account that can serve as a
        dedicated ADFS service account.
        - Username – enter the existing AD account (domain\user).
        - Password – provide the account password if necessary.
   e. Database
      - Local Database – select to use the Windows Internal Database.
      - SQL Server – select to designate an external data store:
        - Server – enter the SQL Server hostname.
        - Instance – leave blank to use the default database engine, or enter the name if an
          instance has already been created on the SQL server for ADFS use.
f. Finish
i. Review ADFS settings.
ii. Click Next.
3. Clustering – configure the NLB role on the server.
   - Disable – select if NLB will not be deployed.
   - Add to remote cluster – don't select on the primary server.
   - Create cluster – select to configure a server farm for ADFS authentication.
     - Cluster Name – create a unique name to identify the NLB cluster.
     - Local Interface Name – select the interface assigned to the LAN network adapter.
     - Primary Cluster IP – enter a static IP or VIP address for the server farm.
   Note: Browser session may need to restart; if so, log in to the web UI again to complete
   the wizard.
4. Office 365
   a. Pre-installation
      - Install Office 365 integration – select to add tools that are required to connect ADFS and
        Office 365.
      - Click Next to reboot the virtual appliance.
      Note: The reboot may take some time; the screen should refresh once complete; if not, restart
      the browser and log in to the web UI again.
   b. Federated Domain – this step adds domain information to Azure™.
      - Office 365 Credentials – enter a username and password for an account that has global
        administrator privileges.
        Important: Office 365 Business is the minimum subscription that can integrate with ADFS.
        Global administrator permissions are required for service configuration.
      - Domain – enter the federated domain name.
        For example: fedexample.com.
   c. Domain Verification
      Important: A DNS record must be added to the registrar for the federated domain; Office 365
      uses the record to validate domain ownership during the configuration process. This step
      requires access to the hosting service management interface.
      Note: The wizard will skip this section if the federated domain has previously been verified
      by Office 365.
      - Verification string options are displayed on the screen. Select one to copy and then paste
        into the domain registrar DNS.
        - TXT Record – the easiest option if allowed by the domain registrar.
        - MX Record – mail exchange records will be used if TXT records are not allowed.
        Important: Depending on the hosting provider, the DNS update may take some time. If
        ownership cannot be verified, the wizard will report an error. Before proceeding, it may be
        more efficient to confirm the record has propagated to public DNS using the command line
        tool Nslookup. For convenience, instructions are provided in the section Check DNS Record.
      - After the DNS record has propagated, click Next so the wizard can complete Office 365
        domain verification.
   d. AAD Sync Configuration
      Note: If AAD Sync has previously been configured for the internal domain, click Skip to avoid
      changing the existing settings.
      - Active Directory Administrative Credentials
        - AD Username – enter an account with write access to internal AD.
          For example: intexample\adminuser.
        - AD Password – provide the account password.
      - AAD Sync Options
        - Enable Hybrid Deployment – select for environments where Exchange, Lync, or SharePoint
          are deployed on premises.
      - Synchronization
        - Synchronize Now – select to instigate account synchronization between the internal
          domain and Azure once the wizard completes adding configuration. Subsequent
          synchronization will occur automatically.
Check DNS Record
Before the wizard can complete Office 365 configuration, the DNS record added to the registrar for the
federated domain must finish propagating. It is recommended to use one of the Nslookup options
below before proceeding in the Domain Verification step above.
TXT Record
1. Open the command prompt.
2. Enter nslookup.
3. Change the server to a public DNS server, for example: server 8.8.8.8
4. Enter set type=txt.
5. Enter the federated domain name.
   For example: fedexample.com.
The result should display the TXT record that was configured in the domain registrar DNS.
MX Record
1. Open the command prompt.
2. Enter nslookup.
3. Change the server to a public DNS server, for example: server 8.8.8.8
4. Enter set q=MX.
5. Enter the federated domain name.
   For example: fedexample.com.
The result should display the MX record that was configured in the domain registrar DNS.
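A scripted form of the TXT record check above (and of the Domain Verification step it supports), added here as an example and not part of the Celestix guide: it sends the same TXT query that nslookup performs, but as a raw DNS packet over UDP using only the Python standard library, so the check can be repeated against a public resolver until the verification string appears. The domain fedexample.com comes from the guide; the verification string "MS=ms00000000", the transaction id and both sample responses are constructed placeholders, not captured traffic.

```python
import socket
import struct

TXT = 16  # QTYPE for TXT records, the lookup that "set type=txt" selects in nslookup

def build_txt_query(name, txn_id=0x1234):
    """Return a DNS query packet asking for the TXT records of `name` (RD flag set)."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack(">HH", TXT, 1)  # QCLASS 1 = IN

def _skip_name(pkt, pos):
    """Return the offset just past the (possibly compressed) name starting at `pos`."""
    while True:
        length = pkt[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then the name ends
            return pos + 2
        pos += 1
        if length == 0:            # root label terminates the name
            return pos
        pos += length

def parse_txt_answers(pkt, txn_id=0x1234):
    """Extract every TXT string from a response; [] on wrong id, error RCODE or no data."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if rid != txn_id or flags & 0x000F != 0:  # RCODE must be NOERROR
        return []
    pos = 12
    for _ in range(qdcount):                   # skip the echoed question section
        pos = _skip_name(pkt, pos) + 4         # QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        pos = _skip_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
        pos += 10
        end = pos + rdlen
        if rtype == TXT:                       # RDATA is a run of <len><chars> strings
            while pos < end:
                size = pkt[pos]
                texts.append(pkt[pos + 1:pos + 1 + size].decode("ascii", "replace"))
                pos += 1 + size
        pos = end                              # skip RDATA of any other record type
    return texts

def has_verification_string(pkt, expected, txn_id=0x1234):
    """True if the response carries the verification string published at the registrar."""
    return expected in parse_txt_answers(pkt, txn_id)

def record_propagated(name, expected, server="8.8.8.8"):
    """Query `server` (UDP/53) for TXT records of `name` and look for `expected`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(build_txt_query(name), (server, 53))
        response, _ = sock.recvfrom(4096)
    return has_verification_string(response, expected)

# Constructed responses, not captured traffic. Both echo the fedexample.com/TXT question;
# the first answers with one TXT record holding the placeholder "MS=ms00000000" (the
# answer name is a pointer to offset 12), the second is an NXDOMAIN reply (RCODE 3).
QUESTION = b"\x0afedexample\x03com\x00" + struct.pack(">HH", TXT, 1)
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
    + b"\xc0\x0c" + struct.pack(">HHIH", TXT, 1, 3600, 14) + b"\x0dMS=ms00000000"
)
NXDOMAIN_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
```

Calling record_propagated("fedexample.com", "<string shown by the wizard>") from a loop with a sleep between attempts gives the same answer as the manual nslookup steps, and returns False rather than raising when the resolver returns an error code.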
Once the wizard is complete, configuration must be activated through the Office 365 administration
portal. The link portal.office.com opens the login page. Instructions for tasks that are required to
complete the ADFS/Office 365 setup are covered below in the topic Complete Office 365
Configuration.
Complete Office 365 Configuration
To finalize configuration for identity federation, there are a few tasks that need to be conducted on the
Office 365 management site. Configuration is described briefly and requires familiarity with Office 365
administration.
Office 365 Portal Configuration
Complete the following:
• Log in to Office 365 admin center and navigate to the domains manager.
• The federated domain should be listed with a link indicating that setup must be completed. The
  link opens the Office 365 domain wizard, which will provide guidance to finish up the
  configuration. See the following notes about using the wizard.
   - If AAD Sync was configured in the CelestixFederated virtual appliance setup wizard, then
     steps to update or add users can be skipped.
   - Services that will use federated identity need to be identified.
   - To support the selected services, Office 365 will need to add several additional DNS
     records to the registrar for the federated domain.
The Next Step
If deploying identity federation in an HA environment, continue to the instructions for Configure HA
Secondary Server.
If deploying the VA Series as a standalone server, the next step is to save a copy of the system image in
the hypervisor to preserve initial configuration. Using the Windows backup feature is also
recommended.
Configure HA Secondary Server
The information below covers the components required to set up a CelestixFederated VA Series
Appliance as a secondary server in a high availability (HA) deployment. An HA environment is
recommended to provide identity federation between Office 365™ and on-premises Active Directory®
(AD). Complete the tasks in the order presented to deploy the VA Series efficiently.
Instructions assume that primary server configuration is complete. Information covers the minimum
functionality common to most HA deployments; however, an individual organization may need
different or additional configuration.
Important:
• Up to four secondary servers can be added to the federation farm.
• The appliance must be joined to a domain during the setup process.
• Web Application Proxy cannot be installed on the A Series Appliance.
General Information
The following topics cover setup requirements and example information.
Requirement Checklist
Use the notes below to plan ahead so that items are available when needed to complete configuration
for the secondary ADFS server.
• The following settings from the ADFS primary server configuration are required for secondary
  server settings:
   - Federated domain name
   - Cluster name and IP address
   - SSL certificate
   - Service Account
   - External SQL Server hostname/instance (if deployed)
Example Information
To help make the instructions clear, these examples are used to identify components.
             Internal Domain       Federated Domain      CelestixFederated Appliance   CelestixFederated Appliance
                                                         (Primary)                     (Secondary)
FQDN         ad01.intexample.com   adfs.fedexample.com   CelestixFed01.intexample.com  CelestixFed02.intexample.com
Host Name    ad01                  adfs                  CelestixFed01                 CelestixFed02
Domain Name  intexample.com        fedexample.com        intexample.com                intexample.com
Federation Setup
AD FS setup for Office 365 in an HA deployment requires configuration in the CelestixFederated VA
Series Appliance web UI. Configuration for the domain controller, the registrar for the federated
domain, and the Office 365 administration portal should have been completed during primary server
setup.
Configure Internal Domain DNS
ADFS requires DNS support to function. During primary server setup, DNS should have been
configured so that clients can resolve the ADFS Service Name to the IP address assigned to the ADFS
cluster.
Important: If split DNS was configured during primary server setup for an NLB deployment, ensure
that a valid ADFS service name is associated with the NLB host record or the primary ADFS host
name.
Once the initial configuration is complete, the Quick Setup Wizard is the next step.
Quick Setup Wizard
The Quick Setup Wizard is a walk-through to join the appliance to the domain and then configure it as a
secondary federation server. Access the screen through the web UI at Start|Quick Setup.
Wizard Instructions
Complete the following steps. The appliance may need to reboot several times to add configuration to
identity federation components.
1. General Settings
   Note: When possible, fields will be autopopulated with available settings if the virtual appliance
   was joined to the domain previously, and the reboot mentioned below will be skipped.
   a. Administrator Password – change the local administrator password if necessary. If not,
      enter the current password.
      - User name – the Administrator Password feature only changes the local administrator
        password, which must be the logged-in account.
      - Password – enter and confirm a new password. Complexity requirements are
        noted on the screen.
   b. Date and Time – use onscreen controls to set the date, time, and time zone, then configure
      for daylight savings if necessary.
   c. Network Interfaces – select the LAN network adapter to set a static address. A static
      address includes these settings:
      - Internet Protocol (IP) address
      - Subnet mask
      - Gateway address
      - Automatic or preferred DNS server
   d. Hostname and Domain
      - Hostname – specify a name for the virtual appliance; it must be unique.
        For example: CelestixFed02
      - Domain – enter the name for the internal domain the virtual appliance will join.
        For example: intexample.com
      - Username – enter an account with domain administrator access to AD
        (domain\username).
        For example: intexample\adminuser
      - Password – provide the account password.
   e. Reboot
      - Click Next to apply changes and reboot the virtual appliance.
      Note: Domain administrator credentials (example: intexample\adminuser)
      will be required to access the web UI after the reboot.
   f. Alerts Email – optional; general virtual appliance notifications can be sent to designated
      recipients through a connection to a network SMTP server.
      i. Select Enable alert email.
      ii. Complete the following sections:
         • Alert Message settings
            - To – enter one or multiple recipients. For multiple addresses, use a
              comma delimiter.
            - From – enter a sending address that recipients will recognize.
            - Select check boxes for the alert levels that will generate email.
               o Send error alert email – includes alert types where the level is
                 set to Error.
               o Send warning alert email – includes alert types where the level
                 is set to Warning.
               o Send informational alert email – includes types where the
                 level is set to Information.
         • SMTP server settings
            - Name – indicates the network SMTP server name or IP address.
            - Port – enter the number used for SMTP communication.
            - Use SSL/TLS – select to require encryption.
            - SMTP settings – select and provide credentials with permission to
              access the SMTP server.
            - Send Test Message – create a test email using the settings entered
              above.
              Note: The alert email function will indicate whether a test email was
              sent. If the test email is not received after the alert email feature
              indicates that one was sent, the error is most likely due to SMTP
              server settings. An error will occur if the SMTP service is not running
              or if the virtual appliance is not correctly configured to see the SMTP
              server. Confirm the SMTP server and network settings before trying
              to test again.
      iii. Click Save to add configuration.
2. ADFS Services
   a. Deployment Type
      Caution: Do not select the option Create the first federation server in a federation server
      farm.
      - Add a federation server to the federation server farm – select to configure a
        secondary server.
   b. Specify Farm
      - Specify the primary federation server in an existing farm using Windows
        Internal Database – select for ADFS deployments configured with the internal
        database option for the primary server setup.
         o ADFS Server – enter the primary server hostname.
           For example: CelestixFed01
      - Specify the database location for an existing farm using SQL Server – select for
        ADFS deployments configured with an external SQL Server for the primary server
        setup.
         o Server – enter the SQL Server hostname.
         o Instance – if an instance was specified in primary server configuration, enter
           the name.
   c. Certificate
      Caution: All servers in the federation farm must use the same SSL certificate as
      designated for the primary server. Configure the same certificate used for the primary
      server.
      - Certificate – navigate to and select the third-party SSL certificate file.
         o Passphrase – enter the certificate password, also referred to as the private
           key.
   d. Service Account
      Caution: All servers in the federation farm must use the same AD account as the service
      account designated for the primary server. Select the Use an existing account option.
      - Use an existing service account – select for GMSA.
         o Username – enter the account name used for ADFS group management.
           Note: Do not prepend the domain name.
      - Use an existing account – select to specify a current AD account that can serve as
        a dedicated ADFS Service Account.
         o Username – enter the existing AD account (domain\user).
         o Password – provide the account password if necessary.
   e. Finish
      i. Review ADFS settings.
      ii. Click Next.
3. Clustering – configure the NLB role on the server.
   • Disable – select if NLB will not be deployed.
   • Add to remote cluster – select to configure an additional server in the farm for ADFS
     authentication.
      - Remote Host Name – create a unique name to identify the NLB cluster.
      - Local Interface Name – select the interface assigned to the LAN network adapter.
      Note: The browser session may need to restart; if so, log in to the web UI again to complete
      the wizard.
   • Create cluster – don't select on a secondary server.
4. Office 365
   a. Pre-installation
      - Install Office 365 integration – select to add tools that are required to connect
        ADFS and Office 365.
        Note: These tools are not normally needed for a secondary server. However, they
        will be required if this server is promoted from a secondary to a primary. Installing
        now may be more efficient than manually downloading the correct package and
        installing it later if disaster remediation is required.
      - Click Next.
        Note: If Office 365 integration is installed, clicking Next will reboot the virtual
        appliance. The reboot may take some time; the screen should refresh once
        complete. If it does not, restart the browser and log in to the web UI again.
   b. AAD Sync Configuration
      Note: If Office 365 components were not installed in the Pre-installation step, the AAD
      Sync Configuration page will not display.
      - Active Directory Administrative Credentials
         o AD Username – enter an account with write access to internal AD.
           For example: intexample\adminuser.
         o AD Password – provide the account password.
      - AAD Sync Options
         o Enable Hybrid Deployment – select for environments where Exchange,
           Lync, or SharePoint are deployed on premises.
      - Synchronization
         o Synchronize Now – select to start account synchronization between the
           internal domain and Azure once the wizard completes adding configuration.
           Subsequent synchronization will occur automatically.
The base level setup for the CelestixFederated VA Series Appliance as a secondary server in an HA
deployment is now complete.
The Next Step
Now that identity federation configuration is complete, save a copy of the system image in the
hypervisor to preserve initial configuration. Using the Windows backup feature is also recommended.
Create a Backup
Once configuration is complete, creating a backup will provide another option to help remediate issues
that may result from future system updates or changes. Celestix recommends running the Windows
backup utility (System|Backup).
Now that the configuration steps, system image creation and backup are complete, check for software
updates.
Update Software
The Software Update Service allows administrators to keep system software current through hotfixes,
service packs, and upgrades. They are necessary for the security and proper functioning of the virtual
appliance.
Access the update service through the web UI (System|Software Updates).
To find updates
1. Navigate to System|Software Updates|Appliance Updates.
2. Complete the following:
   a. Check for Updates – click the Check for Updates button.
b. Select an item.
c. Install – install selected update.
3. Confirm if prompted.
Once applicable updates are installed, Celestix recommends checking for Windows updates
(System|Windows Updates).
Thank you for choosing the CelestixFederated VA Series Appliance for your remote connectivity
solution. This completes the setup and configuration steps for base-level deployment.
Email questions to support@celestix.com
Appendix
Use the links to jump to a topic:
• Web User Interface Content Overview
• Additional Feature
• Glossary
• Index
• Resource Worksheet
Web User Interface Content Overview
The menu structure for the web UI is outlined below. Use it to quickly find features.
Glossary
A
AAD Sync
Abbreviation for Azure Active Directory Synchronization
Active Directory
Microsoft's directory service for Windows domains.
Active Directory Federation Services
The Microsoft implementation of single sign-on (SSO).
AD
Acronym for Active Directory
ADFS
Acronym for Active Directory Federation Services
Azure Active Directory Synchronization
A Microsoft tool that synchronizes users, groups, and attributes (like distribution groups or user phone numbers) to an Office365 instance.
C
Certificate
The tool that TLS/SSL uses to encrypt communication.
D
Device Registration Service
A feature of ADFS that facilitates Workplace Join, which allows users to
register unmanaged devices to be known entities to the domain.
DNS
Acronym for Domain Name System
Domain Name System
A service that translates domain names into IP addresses.
DRS
Acronym for Device Registration Service
F
Failover
A part of high availability where switching from failed to redundant components occurs, usually automatically.
Federation
Federation refers to the mechanism that creates trust relationships for identity management. These trust relationships then allow single sign-on for
multiple independent systems.
H
HA
Acronym for high availability
High availability
A system implementation that minimizes downtime, meaning unavailability
to users.
I
Identity provider
An entity that authenticates a user to a service provider.
M
Multifactor authentication
Employs additional forms of user data for authentication. Two-factor
authentication using one-time passwords is a common example.
N
namespace
A unique identifier for the authentication environment.
O
Office 365
The cloud implementation of the Microsoft Office productivity suite.
P
Password Sync
A component of the Microsoft Directory Synchronization tool that coordinates password hashes between internal Active Directory and Office365.
R
Redundancy
A part of high availability design that employs additional resources, like
extra servers, to carry out required functionality in the event one component
fails.
Relying party trust
Designates a service provider as a partner organization for ADFS. The service provider is a relying party that ADFS will trust authentication requests
from.
S
Service provider
An entity that trusts an identity provider for user authentication in a federated system.
Single sign-on
Allows login to multiple systems using one set of credentials. In ADFS, once
users log in with their organization AD credentials, they can access
federated resources without being prompted further for authentication.
SSO
Acronym for single sign-on
W
WID
Acronym for Windows Internal Database
Windows Internal Database
A version of SQL Server Express that is automatically included with Windows Server. It is the default data store option for ADFS.
Workplace Join
The function that allows users to register devices with the domain through
DRS; devices can then access application resources based on trust.
Index
A
A Series version information 4
ADFS
Requirement Checklist 22
Appendix
Resource Worksheet 38
web UI navigation 31
appliance installation 6
network information worksheet examples 7
application setup 10
C
conventions
document usage 2
F
Federation Configuration 11
high availability 22
G
Glossary 32
H
High Availability
configuration 22
L
login
web UI 10
N
network settings
overview 7
O
overview 2
Q
Quick Setup Wizard
secondary appliance 23
standalone or primary appliance 14
R
Requirement Checklist 22
S
Software
update 29
U
Update software 29
V
version information 4
W
web UI 2
access 10
navigation 31
web UI login 10
Resource Worksheet
Table: Worksheet Form Example
Property                                    Detail
Computer name
Administrator password
Domain name
LAN information
   IP address
   Private or internal network interface
   Subnet mask
   Default gateway
   Primary/secondary DNS server(s)
   Static routes:
      Network address
      Gateway address
Active Directory Domain Services (AD DS)
   IP address
   Hostname
   User account/password
ADFS
   ADFS FQDN
   Display name
DNS
   ADFS FQDN
   Host/cluster IP
Public domain registrar
   Credentials
NLB
   DNS entry
   Cluster Name
   Cluster IP address
SSL Certificate
   Subject name
   Passphrase
SQL Server
   Hostname
   Instance
Office 365
   Username
   Password
Web Application Proxy (WAP)
   ADFS FQDN
   SSL certificate
SMTP server
   IP address
   SMTP gateway name
Workplace Join
   AD DS FQDN
   AD DS service account
   ADFS IP address
   ADFS FQDN
   DRS DNS entry
Application server
   IP address
   Hostname
Bold items are required