10/01/2022

SSO SANGFOR IAM/IAG AUTH AD/LOCAL USER VIA SCRIPT LOGON

    In a company that already has many employees, AD is certainly in use. Why? Because managing users would take far too long if every PC had to be set up one by one. This is even more true when we do not use Internet Access Management (IAM) or an Internet Access Gateway (IAG): a network is very hard to manage when we do not know who is on it and what data is passing through it. Over time, IAM/IAG products appeared with many built-in features, among them:

- Bandwidth Management (tree, guaranteed, passive, dynamic, shared)
- Web Filter
- Application Filter (up to Layer 7), mobile or PC
- Endpoint Filter & limit
- Push web pages or advertisements for a configured period
- Quota limit
- QoS by AD (can be grouped per division, per job level, and so on)
- Proxy & proxy filter
- Load balancing
- Anti-virus
- Anti-DDoS
- Custom login page
- Authentication Access (SSO, RADIUS server, etc.)
- and many more features that I have not mentioned

On this occasion I will share one feature of Sangfor IAM/IAG, Single Sign On (SSO). With it the user does not need to log in to Sangfor to access the internet or anything else: a single login, the Windows login right after the PC is powered on, is enough, and the user is automatically logged in to Sangfor.

Below I lay out the steps that need to be configured so that everything works:

1. Set up the External Auth Server. Choose whether to use a RADIUS server, a third-party database, ..... Here we cover using AD (Active Directory) LDAP.


2. Give the server a name, then fill in the IP address of the LDAP (AD) server and adjust the port. Fill in Admin DN: the domain user name of an admin, or of a regular user, together with its domain (for example: supri@gmail.com). Fill in Admin Password: the AD password of supri@gmail.com. Then test it by clicking point 5 below; if the AD OU structure appears, the connection is working. Alternatively, run Test Validity.


3. Set up the Authentication Policy by following the steps in the pictures below; then, at point 5, enter the IP segments that will be redirected to the Sangfor auth portal.


4. The SSO we use here is Domain SSO with a logon script pushed through AD. Tick it, then set the Shared Key (any value you choose), and at point 7 click "Download Domain SSO Program". Once the download finishes, extract the zip file.


5. After extraction it will look like the picture below:
    Open the SLogon Tools folder
    Choose and open English
    The .doc and .pdf files are the setup tutorial for the AD server side, while the contents of the bin folder are the logon application & script that we will push to the user PCs via AD.

6. Before continuing to the next stage, we adjust the script at point 3 in the picture above. Open it with Notepad or a similar editor to edit the script.
   - Fill in Depict = "the AD name, or whatever name you like"
           domainIP = "IP address of the AD server"
           sinforIP = "IP address of the Sangfor"
           sharedkey = "the same value entered at point 4 above"
      If you have 2 or more AD servers, adjust accordingly; if there is only 1, just delete from [1] through sharedkey=123.
   - Under [AC1], fill in sinforIP = "IP address of the Sangfor connected to the AD" and sharekey = "the same as at point 4"
   - Then save
7. Open the domain sso..... file that was downloaded at point 5 above; inside you will see the following, the setup tutorial for the AD server side:

Domain SSO Logon Script

Configuration Guide

Overview

This guide introduces how to configure a logon script on an AD domain. With this script, a user logs in to the IAM device automatically once he/she logs in to the domain.

Configuration Steps

[Note: Windows Server 2008 R2 Enterprise Edition is used as the example to illustrate the configuration steps. For other domain servers, the configuration steps are similar to the following.]

1. Log in to the AD domain. Go to Start > Administrative Tools > Group Policy Management, open it to reach the Group Policy Management page and select Default Domain Policy, as shown below:

Figure 1 Group Policy Management

2. Click Scripts (Logon/Logoff) under User Configuration > Policies > Windows Settings, as shown below:

Figure 2 Scripts (Logon/Logoff) Window

3. Double-click Logon; the Logon Properties window pops up, as shown in Figure 3. Then click the Show Files button and add the logon.exe script to the script list.

Figure 3 Logon Properties Window

If the configuration file sinforIp is associated with the logon.exe script, it also has to be added to the script list. Close the Logon Properties window after the sinforIp file has been added.

Figure 4 Logon Script and sinforIp File

Note: If the current logon.exe script cannot be replaced by a new one, do the following:

Check whether a logon.exe session exists, as shown in the following figure:

Figure 5 Unable to Replace Current logon.exe

If the session exists, delete current logon.exe script and then add the new logon.exe script.



Figure 6 Delete Current Logon.exe

4. Go back to the Logon Properties window, click Add to add the logon.exe script to the script list, and specify the script name and parameters. If the Script Parameters field is empty or holds only one parameter, the configuration file sinforIp must be added to the script list; otherwise it is not required. The following introduces the four formats of script parameters:

a) Without parameter (recommended)

Figure 7 Without Script Parameter

b) With parameter -a

If the parameter is set to -a, the user can use the configuration file pushed from the domain controller. -a means that the number of attempts at sending the login profile is the default, so when the user logs in to the domain the login profile is sent to the IAM device the specified number of times without waiting for response packets from that device.

Figure 8 With parameter -a

c) With parameters in the format Value1 Value2 Value3 (separated by spaces).

Value 1: the IP address of the IAM unit

Value 2: the listening port on the IAM unit (1775, unchangeable)

Value 3: the communication key, which must be the same as the shared key specified on the web admin console of the IAM unit, as shown in Figure 10.

Figure 9 Parameter in the third format

Figure 10 Shared Key on IAM Unit

d) With parameters in the format Title1=value1 Title2=value2 … Title15=value15 (up to 15 parameters separated by spaces), as shown in Figure 11.

Figure 11 Parameters in the fourth format

The table below introduces the available parameters:

Table 1 Script Parameters

| CMD Line Parameter | Parameter in Config File | Value | Unit | Default | Range | Remarks |
|---|---|---|---|---|---|---|
| en_runAl | EnableRunAlways | 0, 1 | --- | 1 | 0, 1 | If set to 1, the logon.exe program keeps running after startup; otherwise it exits after being executed once. |
| en_ckSign | EnableSignature | 0, 1 | --- | 0 | 0, 1 | Decides whether digital signature verification (for process checking) is enabled. |
| en_repeatL | EnableRepeatLogon | 0, 1 | --- | 0 | 0, 1 | Decides whether the login profile is sent repeatedly (if enabled, the IAM unit does not log the user off automatically when an internal network connection error occurs). |
| en_copyStart | EnableCopyStartup | 0, 1 | --- | 1 | 0, 1 | Decides whether the logon.exe program is copied to the Startup folder. |
| baklogP | BaklogPath | Null or valid path | --- | Null | Null or valid path | If the default path %appdata% has no write permission, logs are stored in the given path (only a level-one folder is allowed). If the specified path has no write permission, the default path is used. |
| en_heartB | EnableHeartBeat | 0, 1 | --- | 0 | 0, 1 | Determines whether heartbeats are sent to the IAM unit (if enabled, the IAM unit logs the user off when no heartbeat is received, even if the logoff script fails to execute). |
| en_response | EnableResponse | 0, 1, 2 | --- | 2 | 0, 1, 2 | Check whether the user has logged in to the IAM unit based on the response packet. |
| en_logon_AIP | LogonALLIP | 0, 1 | --- | 0 | 0, 1 | Decides whether the user may log in to the IAM unit from different IP addresses (for a PC that has multiple IP addresses). |
| en_logoff_OIP | LogoffOldIP | 0, 1 | --- | 0 | 0, 1 | Decides whether the logon session on the current IP address is logged off when the user logs in to the IAM unit from a new IP address. |
| ac_ip | sinforIP | Valid IP address | --- | 3.4.5.6 | 0.0.0.0~255.255.255.255 | IP address of the IAM unit |
| key | shareKey | ASCII characters | --- | 123 | Up to 23 characters | Shared key (case-sensitive, special characters supported) |
| port | Port | 1775 | --- | 1775 | 1775 | Port number (fixed value) |
| reLogon_I | RepeatLogonInterval | Positive integer | Sec | 180 | [10,1000] | Logon interval |
| heart_beatI | HeartBeatInterval | Positive integer | Sec | 30 | [10,50] | Interval at which heartbeats are re-sent |
| checkIP_I | CheckIPInterval | Positive integer | Sec | 10 | [1,100] | Interval at which the IP address is re-checked |
| timeout | ResponseTimeOut | Positive integer | Sec | 5 | [1,50] | Time the logon.exe program waits for response packets |
| retry_times | RetryTimes | Positive integer | Times | 3 | [1,20] | Number of attempts that the login profile is sent |

Generally, the process is verified by username, process name and signature. But the Logon.exe signature becomes invalid if it is downloaded via a web browser, so the parameter en_ckSign decides whether digital signature verification is enabled (the default value of en_ckSign leaves digital signature verification disabled).

If the Script Parameters field is set to -a, the login profile is sent to the IAM device three times without waiting for response packets from that device; if the parameter is not -a and the logon.exe program is configured not to check, based on the response packet, whether the user has logged in to the IAM unit, the login profile is sent to the IAM device the number of times given by the parameter RetryTimes.

If parameter en_heartB is set to 1, the login profile is sent to the IAM device repeatedly (en_repeatL=1).

Note:

If parameter en_heartB is set to 1, the heartbeat detection feature must be enabled on the IAM unit. To enable it, add the field bAutoHeartBeat = 1 under the Option field in the configuration file authoption.in of the IAM unit, then restart the authd process after saving the changes to that file.

The value of parameter checkIP_I cannot be greater than that of parameter reLogon_I; otherwise checkIP_I is automatically set to the maximum allowed, reLogon_I minus 1.

The value of parameter heart_beatI cannot be greater than that of parameter reLogon_I; otherwise heart_beatI is automatically set to the maximum allowed, reLogon_I minus 1.

5. The domain policy must be refreshed whenever the group policy is modified or the logon.exe script is replaced. To refresh it, run gpupdate in a command console, or gpupdate /force when some changes are not picked up.

Configuration Details

How to add the configuration file and configure the related script parameters was described in the section above. This section introduces how that configuration file and the script parameters are used.

1. The configuration file you add to the script list will not take effect if a script parameter is specified. To make it valid, do not configure a script parameter when adding the script (as shown in Figure 7).

2. You cannot combine script parameters in the formats Value1 Value2 Value3 and Title1=value1 Title2=value2 … Title15=value15. In the former format all three parameters are required and each has its own meaning (refer to the section above), while in the latter format the number of parameters is not fixed (up to 15; refer to Table 1 for parameter details).

3. The current version of the logon.exe program supports configuration files in three formats, for compatibility with earlier configuration file versions. For the configuration file formats, refer to the following sections.

4. A configuration file is required in the following scenarios:

a. The local area network (LAN) is divided into several VLANs and the IAM device is configured with multiple VLAN addresses. In this situation the IP addresses reachable by LAN users on different VLANs are not the same, and script parameters cannot meet the requirement.

b. Multiple AD domain servers are deployed in the user's network and each domain is allocated an IAM device, but domain server settings, including group policy, are synchronized among the domain servers. You therefore cannot configure different logon scripts on different domain servers. In this situation the configuration file sinforIp is required.
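To make the four Script Parameters formats and the two rules above concrete, here is an added example (not code from Sangfor or from this post) that parses a Script Parameters field into the configuration-file key names of Table 1. It enforces what the page states: the port is fixed at 1775, the positional and Title=value formats cannot be mixed, a Title=value list holds at most 15 entries, and an empty or single-parameter field still requires the sinforIp configuration file. The three-send, no-wait behaviour of -a is taken from the page's description; the class and function names are this example's own assumptions.

```python
"""Added example: map logon.exe Script Parameters to Table 1 config names."""
import ipaddress
from dataclasses import dataclass, field

# CMD-line name -> configuration-file name, copied from Table 1.
CMD_TO_CONFIG = {
    "en_runAl": "EnableRunAlways", "en_ckSign": "EnableSignature",
    "en_repeatL": "EnableRepeatLogon", "en_copyStart": "EnableCopyStartup",
    "baklogP": "BaklogPath", "en_heartB": "EnableHeartBeat",
    "en_response": "EnableResponse", "en_logon_AIP": "LogonALLIP",
    "en_logoff_OIP": "LogoffOldIP", "ac_ip": "sinforIP", "key": "shareKey",
    "port": "Port", "reLogon_I": "RepeatLogonInterval",
    "heart_beatI": "HeartBeatInterval", "checkIP_I": "CheckIPInterval",
    "timeout": "ResponseTimeOut", "retry_times": "RetryTimes",
}
FIXED_PORT = 1775          # Table 1: port is a fixed value
MAX_KEY_LEN = 23           # Table 1: shared key up to 23 characters
MAX_TITLED_PARAMS = 15     # format d): up to 15 Title=value pairs


@dataclass
class ParsedArgs:
    mode: str                          # "none", "-a", "positional" or "titled"
    uses_config_file: bool             # sinforIp must also be in the script list
    wait_for_response: bool = True     # False only for '-a'
    settings: dict = field(default_factory=dict)


def _check_port(value: str) -> int:
    port = int(value)
    if port != FIXED_PORT:
        raise ValueError(f"port must be {FIXED_PORT}, got {port}")
    return port


def _check_key(value: str) -> str:
    if not value.isascii() or not 1 <= len(value) <= MAX_KEY_LEN:
        raise ValueError(f"shared key must be 1..{MAX_KEY_LEN} ASCII characters")
    return value


def parse_script_parameters(argline: str) -> ParsedArgs:
    tokens = argline.split()
    # Format a): no parameter -> logon.exe reads the pushed sinforIp file.
    if not tokens:
        return ParsedArgs("none", uses_config_file=True)
    # Format b): '-a' -> login profile sent three times, no wait for a reply.
    if tokens == ["-a"]:
        return ParsedArgs("-a", uses_config_file=True, wait_for_response=False,
                          settings={"RetryTimes": 3})
    titled = [t for t in tokens if "=" in t]
    if titled and len(titled) != len(tokens):
        raise ValueError("cannot mix 'Value1 Value2 Value3' and 'Title=value' formats")
    if not titled:
        # Format c): exactly three positional values: IAM IP, port, shared key.
        if len(tokens) != 3:
            raise ValueError("positional format needs exactly: <ip> <port> <key>")
        ip, port, key = tokens
        settings = {"sinforIP": str(ipaddress.ip_address(ip)),
                    "Port": _check_port(port), "shareKey": _check_key(key)}
        return ParsedArgs("positional", uses_config_file=False, settings=settings)
    # Format d): Title=value pairs using the CMD-line names of Table 1.
    if len(titled) > MAX_TITLED_PARAMS:
        raise ValueError(f"at most {MAX_TITLED_PARAMS} Title=value parameters")
    settings = {}
    for tok in titled:
        title, _, value = tok.partition("=")
        if title not in CMD_TO_CONFIG:
            raise ValueError(f"unknown parameter {title!r}")
        name = CMD_TO_CONFIG[title]
        if name == "Port":
            settings[name] = _check_port(value)
        elif name == "sinforIP":
            settings[name] = str(ipaddress.ip_address(value))
        elif name == "shareKey":
            settings[name] = _check_key(value)
        else:
            settings[name] = value
    # Page rule: a single parameter still leaves the sinforIp file required.
    return ParsedArgs("titled", uses_config_file=len(tokens) == 1, settings=settings)
```

Feeding it the field exactly as typed into the GPO (for example `192.168.31.190 1775 abc`) gives back the same settings the configuration file would carry, which makes it easy to review what an existing GPO actually pushes before changing it.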

Configuration File in Old Format

The configuration file in old format is as shown in table 2:

Table 2 Configuration file in old format

```ini
[config]
count=0

[0]
depict=Beijing Operating Dept
domainIP=202.96.134.133
sinforIP=10.2.100.68
shareKey=123

[1]
depict=Shengyuan Operating Dept
domainIP=10.68.1.108
sinforIP=10.68.4.68
shareKey=123
```

The count field indicates the number of Domain-IAM Unit pairs.

[n]: indicates the (n+1)-th Domain-IAM Unit pair.

Parameters for one Domain-IAM Unit pair are described as shown in table 3:

Table 3 Parameters for a Domain-IAM Unit Pair

| Domain-IAM Unit | Required | Remarks |
|---|---|---|
| depict | No | Description |
| domainIP | Yes | IP address of the domain server. Generally, it is the IP address of the DNS server configured on the domain user's computer |
| sinforIP | Yes | IP address of the IAM unit |
| shareKey | Yes | Shared key |


Configuration File in New Format

The configuration file in new format is designed to cover more scenarios and provide a more complete configuration; the domain administrator can specify the relevant parameters. The configuration file in table 4 is a simple example.

Table 4 Configuration file in new format

```ini
[LogonCtrl]
EnableRunAlways = 1
EnableSignature = 0
EnableRepeatLogon = 0
RepeatLogonInterval = 180
BaklogPath =
EnableCopyStartup = 1

[HeartBeat]
EnableHeartBeat = 0
HeartBeatInterval = 30

[Response]
EnableResponse = 2
ResponseTimeOut = 5
RetryTimes = 3

[CheckIP]
LogonALLIP = 0
LogoffOldIP = 0
CheckIPInterval = 10

[AC]
ACMax = 200
ACCount = 0

[AC1]
sinforIP = 192.168.31.190
Port = 1775
shareKey = abc

[AC2]
sinforIP = 192.168.31.198
Port = 1775
shareKey = 123
```

For parameter details, refer to table 1 and table 3 in the sections above.

The ACMax field specifies the maximum number of IAM units supported by the configuration file; the default is 200. If the number of IAM units exceeds the value of ACMax, only the number specified by ACMax is used.

Configuration File in Old and New Formats

To keep the current logon.exe compatible with earlier versions, it supports configuration files in the old and new formats together. If the configuration in the new format does not overlap with that in the old format, the two are used together. For relevant parameter details, refer to logon2.0 Configuration File.png

Table 5 Config file in old and new formats

```ini
[config]
count=0

[0]
depict=Beijing Operating Dept
domainIP=202.96.134.133
sinforIP=10.2.100.68
shareKey=123

[1]
depict=Shengyuan Operating Dept
domainIP=10.68.1.108
sinforIP=10.68.4.68
shareKey=123

[2]
depict=Haikou Headquarter 01
domainIP=10.2.1.175
sinforIP=10.2.59.14
shareKey=123

[LogonCtrl]
EnableRunAlways = 1
EnableSignature = 0
EnableRepeatLogon = 0
EnableCopyStartup = 1
RepeatLogonInterval = 180
BaklogPath =

[HeartBeat]
EnableHeartBeat = 0
HeartBeatInterval = 30

[Response]
EnableResponse = 2
ResponseTimeOut = 5
RetryTimes = 3

[CheckIP]
LogonALLIP = 0
LogoffOldIP = 0
CheckIPInterval = 10

[AC]
ACMax = 200
ACCount = 0

[AC1]
sinforIP = 192.168.31.190
Port = 1775
shareKey = 123

[AC2]
sinforIP = 192.168.31.198
Port = 1775
shareKey = 123
```
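The three layouts above (Tables 2, 4 and 5) and the clamping rules in the Note earlier are easy to get wrong by hand, so here is an added example (not code from Sangfor or from this post) that loads a sinforIp configuration file in any of the three layouts, applies the Table 1 defaults and ranges, clamps CheckIPInterval and HeartBeatInterval to RepeatLogonInterval minus 1 as the Note describes, truncates the [ACn] list to ACMax, and checks the fixed port and the shared-key length. From a defender's point of view it also flags two things the tables show as defaults: a shared key still set to the documented default "123", and EnableSignature=0, which leaves the logon.exe signature unverified. The sample file is constructed (documentation IP ranges), and the function names are this example's own.

```python
"""Added example: load and sanity-check a sinforIp configuration file."""
import configparser
import ipaddress

# Table 1: defaults and [min, max] ranges of the integer parameters.
DEFAULTS = {
    "EnableRunAlways": 1, "EnableSignature": 0, "EnableRepeatLogon": 0,
    "EnableCopyStartup": 1, "EnableHeartBeat": 0, "EnableResponse": 2,
    "LogonALLIP": 0, "LogoffOldIP": 0, "RepeatLogonInterval": 180,
    "HeartBeatInterval": 30, "CheckIPInterval": 10, "ResponseTimeOut": 5,
    "RetryTimes": 3,
}
RANGES = {
    "EnableRunAlways": (0, 1), "EnableSignature": (0, 1), "EnableRepeatLogon": (0, 1),
    "EnableCopyStartup": (0, 1), "EnableHeartBeat": (0, 1), "EnableResponse": (0, 2),
    "LogonALLIP": (0, 1), "LogoffOldIP": (0, 1), "RepeatLogonInterval": (10, 1000),
    "HeartBeatInterval": (10, 50), "CheckIPInterval": (1, 100),
    "ResponseTimeOut": (1, 50), "RetryTimes": (1, 20),
}
FIXED_PORT, MAX_KEY_LEN, DEFAULT_SHARED_KEY = 1775, 23, "123"


def _unit(sec, warnings):
    """Validate one Domain-IAM pair ([n]) or IAM unit ([ACn]) section."""
    ip, key = sec.get("sinforIP", ""), sec.get("shareKey", "")
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        warnings.append(f"[{sec.name}] invalid sinforIP {ip!r}")
    port = int(sec.get("Port", FIXED_PORT))
    if port != FIXED_PORT:
        warnings.append(f"[{sec.name}] Port {port} is not the fixed {FIXED_PORT}")
    if not 1 <= len(key) <= MAX_KEY_LEN:
        warnings.append(f"[{sec.name}] shareKey must be 1..{MAX_KEY_LEN} characters")
    elif key == DEFAULT_SHARED_KEY:
        warnings.append(f"[{sec.name}] shareKey is the documented default; change it")
    return {"section": sec.name, "sinforIP": ip, "Port": port, "shareKey": key,
            "depict": sec.get("depict", ""), "domainIP": sec.get("domainIP", "")}


def load_logon_config(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case exactly as written
    cp.read_string(text)
    warnings, settings = [], dict(DEFAULTS)
    for name in ("LogonCtrl", "HeartBeat", "Response", "CheckIP"):
        for key, raw in (cp[name].items() if cp.has_section(name) else ()):
            if key not in RANGES:           # e.g. BaklogPath: kept as text
                settings[key] = raw
                continue
            lo, hi = RANGES[key]
            val = int(raw)
            if not lo <= val <= hi:
                warnings.append(f"{key}={val} outside [{lo},{hi}]; default {DEFAULTS[key]} used")
                val = DEFAULTS[key]
            settings[key] = val
    # Note on the page: both intervals are clamped to reLogon_I minus 1.
    limit = settings["RepeatLogonInterval"] - 1
    for key in ("CheckIPInterval", "HeartBeatInterval"):
        if settings[key] > limit:
            warnings.append(f"{key} exceeds RepeatLogonInterval; clamped to {limit}")
            settings[key] = limit
    if settings["EnableSignature"] == 0:
        warnings.append("EnableSignature=0: the logon.exe digital signature is not verified")
    # Old format: [0], [1], ... pairs, with count declared in [config].
    old = [cp[s] for s in cp.sections() if s.isdigit()]
    declared = int(cp["config"].get("count", "0")) if cp.has_section("config") else 0
    if declared != len(old):
        warnings.append(f"[config] count={declared} but {len(old)} [n] pairs present")
    # New format: [AC1], [AC2], ... limited by ACMax in [AC] (default 200).
    new = [cp[s] for s in cp.sections() if s.startswith("AC") and s[2:].isdigit()]
    ac_max = int(cp["AC"].get("ACMax", "200")) if cp.has_section("AC") else 200
    if len(new) > ac_max:
        warnings.append(f"{len(new)} IAM units exceed ACMax={ac_max}; extra ones ignored")
        new = new[:ac_max]
    units = [_unit(s, warnings) for s in old + new]
    return {"settings": settings, "units": units, "warnings": warnings}


# Constructed sample in the mixed layout of Table 5; CheckIPInterval is set
# above RepeatLogonInterval on purpose to show the clamping rule firing.
SAMPLE = """\
[config]
count=1
[0]
depict=Constructed branch
domainIP=192.0.2.10
sinforIP=192.0.2.68
shareKey=123
[LogonCtrl]
EnableRunAlways = 1
EnableSignature = 0
RepeatLogonInterval = 20
BaklogPath =
[CheckIP]
CheckIPInterval = 30
[AC]
ACMax = 200
ACCount = 1
[AC1]
sinforIP = 198.51.100.5
Port = 1775
shareKey = constructed-key
"""
```

Running `load_logon_config(SAMPLE)` returns the effective settings (CheckIPInterval and HeartBeatInterval both clamped to 19), the two units in file order, and four warnings: the two clamps, the unverified signature, and the default shared key on the [0] pair. Run it over the real sinforIp file before it is added to the GPO script list.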

  
Not finished yet....

