Configuring Authentication Servers for Remote Access

Configuring new RADIUS servers

In the RADIUS Servers section, click Configure.

In the Primary tab, configure the Primary RADIUS server:

IP address - The IP address of the Primary RADIUS server.
Port - The number of the listening port on the Primary RADIUS server. The default is 1812.

Shared secret - The secret (pre-shared information used for message "encryption") between the Primary RADIUS server and the Quantum Spark Gateway.

Notes:

You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ‘ " \ (maximum number of characters: 255)
Select Show to see the shared secret.

Timeout (seconds) - A timeout value in seconds for communication with the RADIUS server. The default timeout is 3 seconds.

Note - To remove all settings, click Clear.

Optional: In the Secondary tab, configure the Secondary RADIUS server:

IP address - The IP address of the Secondary RADIUS server.
Port - The number of the listening port on the Secondary RADIUS server. The default is 1812.

Shared secret - The secret (pre-shared information used for message "encryption") between the Secondary RADIUS server and the Quantum Spark Gateway.

Notes:

You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ‘ " \ (maximum number of characters: 255)
Select Show to see the shared secret.

Timeout (seconds) - A timeout value in seconds for communication with the RADIUS server. The default timeout is 3 seconds.

Note - To remove all settings, click Clear.

Click Save.
Enable the Remote Access permissions for RADIUS users:
1. In the line Remote Access permissions for RADIUS users are disabled, click the link permissions for RADIUS users.
  
  The RADIUS Authentication window opens.
2. Select User Awareness, Remote Access and Hotspot.
3. Optional: Select For Remote Access use specific RADIUS groups only and enter the names of the applicable RADIUS groups.
4. Click Save.

Editing an existing RADIUS server

In the RADIUS Servers section, click the IP address link of the RADIUS server you want to edit.
Make the necessary changes.
Click Save.

Deleting an existing RADIUS server

In the RADIUS Servers section, click the Remove link next to the RADIUS server you want to delete

Configuring new Active Directory Domain

In the Active Directory section, click New.

Configure the Active Directory Domain settings:

Domain - The domain name.

You can configure this domain only one time.
IP address - The IPv4 address of one of the Active Directory domain controllers of your domain.
User name - The username to connect to the Active Directory domain controller. This user must have administrator privileges to ease the configuration process and create a user-based policy using the users defined in the Active Directory.

Password - The user's password to connect to the Active Directory domain controller.

Note - You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ‘ " \ (maximum number of characters: 255)

User DN - The user's FQDN. Click Discover for automatic discovery of the DN of the object that represents that user or enter the user DN manually.

For example: CN=John James,OU=RnD,OU=Germany,O=Europe,DC=Acme,DC=com
Optional: Select Use user groups from specific branch only if you want to use only part of the user database defined in the Active Directory:
1. Click New.
2. Enter the full DN of the applicable Active Directory branch.
3. Click Save.

Click Save.

Configure how to synchronize Active Directory groups from the Active Directory domain controller:

In the Active Directory section, click Configure.

Select the applicable option:

Automatic synchronization (this is the default, runs every 24 hours)

Manual synchronization

Note - You can synchronize the user database in all locations in WebUI where this user database can be viewed.

For example:

The Users & Objects view > Users Management section > Users page.
The Access Policy view > Firewall section > Policy page.

In the Incoming, Internal and VPN Traffic section > the Source column > click [+].

Note - You cannot select a user from the Active Directory, only an Active Directory user group.

Click Save.

Enable the Remote Access permissions for Active Directory users:

In the line Remote Access permissions for Active Directory users are set in the Remote Access Users page, click the link permissions for Active Directory users.

The Active Directory Global Permissions window opens.

Select the applicable option:

All users in Active Directory

Note - Most Active Directory domains contain a large list of users. Consider limiting the Remote Access VPN permissions only to specific user groups.

Selected Active Directory user groups (this is the default)

Note - Requires additional configuration. FollowConfiguring Remote Access Users.

Click Save.

Editing an existing Active Directory Domain

In the Active Directory section, click the Active Directory Domain you want to edit.
Click Edit.

The Domain information is read-only and cannot be changed.
Make the necessary changes.
Click Save.

Deleting an existing Active Directory Domain

In the Active Directory section, click the Active Directory Domain you want to delete.
Click Delete.

Use Case

Remote Access VPN users enter their Microsoft Entra ID credentials to connect to the Quantum Spark Gateway and access the internal resources.

This is easier than using specific credentials only for the Quantum Spark Gateway.

The administrator can manage user groups and enforce authentication methods such as Single Sign-On (SSO) and Two-Factor Authentication (2FA) in the Microsoft Entra ID portal.

In the advanced use case, you can override the Route Internet traffic from connected clients through this Security Gateway global configuration for specific groups in Microsoft Entra ID. For more information about Route Internet traffic from connected clients through this Security Gateway, see Configuring Advanced Remote Access Options.

Workflow

A Remote Access VPN user tries to access internal resources located behind the Quantum Spark Gateway using Remote Access VPN.
The SAML portal of the Quantum Spark Gateway redirects the user to the SAML Identity Provider (IdP) for authentication.
The IdP asks the remote user for credentials according to the policy you configure in the IdP portal.

For example, you can configure Single Sign-On (SSO) to recognize that a user is already signed in, or require Two-Factor Authentication (2FA).
The IdP authenticates the user and sends a SAML assertion to the user's web browser.
The remote user's web browser sends the SAML assertion to the Quantum Spark Gateway.
The Quantum Spark Gateway validates the SAML assertion and allows the remote user to access internal resources.

Known Limitations

Only one IdP configuration is supported. For example, if your organization has two Microsoft Entra ID environments, you can use only one of them as a SAML Identity Provider
It is not supported to create Access Control Rules for users who authenticate with the SAML Identity Provider.
Microsoft Entra ID Identity Tags are not supported.

Basic Configuration

Keep the Azure Portal and the Quantum Spark Gateway WebUI open throughout this procedure.

In the Azure Portal, create a SAML application for the Quantum Spark Gateway:
1. Click Enterprise Application.
2. Click New application.
3. Click Create your own application.
  
  The Create your own application window opens.
4. Enter a name for the application.
5. Make sure this default option is selected:
  
  Integrate any other application you don't find in the gallery (Non-gallery)
6. Click Create.
In the Azure Portal, assign users or groups of users to the SAML application:
1. On the Overview page for the application, in the Getting Started section, click Assign users and groups.
2. Click add user/group.
3. Select users and groups.
4. Click Assign.
In the Azure Portal, navigate to the SAML-based Sign-on screen for your application:
1. In the left menu, expand Manage.
2. Click Single sign-on.
3. Select SAML.
4. In the Basic SAML Configuration section, click the edit (pencil) icon.
  
  The Basic SAML Configuration window opens.
In the Quantum Spark Gateway WebUI, from the left navigation panel, click the VPN view.
In the Remote Access section, click the Authentication Servers page.
In the Identity Provider section, click Configure.

The Configure Identity Provider window opens.

In the Data required by the SAML Identity Provider section, follow these steps:

Copy these values from the Quantum Spark Gateway WebUI and paste them in the Azure portal > Basic SAML Configuration window:

Copy the Unique identifier URL value from the Quantum Spark Gateway WebUI and paste it in the Azure portal in the Identifier (Entity ID) field.
Copy the Reply URL from the Quantum Spark Gateway WebUI and paste it in the Azure portal in the Reply URL (Assertion Consumer Service URL) field.

Note - By default, the WebUI generates these values based on the DDNS settings in the Device view > System section > DDNS & Device Access page. If you did not configure DDNS, these values are based on the appliance's public IP address. If you did not configure DDNS for a cluster, these values are based on the cluster's Virtual IP Address (VIP).

Optional: You can override the DDNS or IP address of the Identity Provider:
- To use a static IPv4 address instead of DDNS for the Identity Provider, select Override DDNS/IP and enter an IPv4 address.
  
  The Quantum Spark Gateway WebUI generates a new Unique identifier URL and Reply URL based on the IPv4 address.
- To use DDNS instead of a static public IP address for the Identity Provider, select Override DDNS/IP and enter a DDNS.
  
  The Quantum Spark Gateway WebUI generates a new Unique identifier URL and Reply URL based on the DDNS.
Example: You configured DDNS, but want to use an IP address for the Unique Identifier URL and the Reply URL. After you select the checkbox Override DDNS/IP and enter an IP address, the values of the Unique Identifier URL and the Reply URL change, because they are now based on the IP address, not the DDNS.
In the Azure portal > Basic SAML Configuration window, click Save.

In the Data received by the SAML Identity Provider section, select and configure the applicable option:
- Import Metadata File
  1. In the Azure Portal >SAML Certificates section, next to Federation Metadata XML, click Download.
    
    Your computer downloads the metadata file.
  2. In the Quantum Spark WebUI > Data received from SAML Identity Provider section, next to Metadata file, click Upload.
  3. On your computer, select the metadata file and click Open.
- Insert manually
  1. In the Azure portal > Set up [NAME OF YOUR APPLICATION] section, copy the Microsoft Entra Identifier.
  2. In the Quantum Spark Gateway WebUI > Data received from the SAML Identity Provider section, paste the Microsoft Entra Identifier you copied from the Azure portal.
  3. In the Azure portal > Set up [NAME OF YOUR APPLICATION] section, copy the Login URL.
  4. In the Quantum Spark Gateway WebUI > Data received from the SAML Identity Provider section, paste the Login URL you copied from the Azure portal.
  5. In the Azure portal >SAML Certificates section, next to Certificate (Base64), click Download.
    
    Your computer downloads the certificate file.
  6. In the Quantum Spark Gateway WebUI > Data received from SAML Identity Provider section, next to Certificate, click Upload.
  7. On your computer, select the certificate file and click Open.
In the Quantum Spark Gateway WebUI, click Save.
Tell users of the Remote Access VPN client to create a new VPN Site for the Quantum Spark Gateway and to select SAML User as the preferred login option.

For more information, see:
- Remote Access VPN Clients for Windows Administration Guide > "Getting Started with Remote Access Clients" > "Helping Users Create a Site"
- Endpoint Security VPN for macOS Administration Guide > "Helping Your Users" > "Helping Users Create a Site".

Advanced Configuration: Override the global "Route Internet traffic connected clients through this Security Gateway" configuration

In the basic configuration, the global setting of Route Internet traffic from connected clients through this Security Gateway applies to remote users who authenticate with Microsoft Entra ID.

In the advanced configuration, you can override the global setting of Route Internet traffic from connected clients through this Security Gateway for specific groups in Microsoft Entra ID.

For more information about Route Internet traffic from connected clients through this Security Gateway, see Configuring Advanced Remote Access Options.

Do this procedure for one or more groups in Microsoft Entra ID.

Step 1: In the Microsoft Azure portal, create an app registration

Put the relevant Microsoft Entra ID users into a group (example: VPN_Users) and assign this group to the SAML application you created for the Quantum Spark Gateway.
In the Azure Portal, click App registrations.

The App registrations homepage opens.
Click All applications.
Click the application you created for the Quantum Spark Gateway.

The App registrations page for the application opens.
From the left menu, expand Manage > click App roles.
Click Create app role.

The Create app role sliding window opens.
In the Display name field, enter a name for the app role. We recommend to make this the same as the name of the group (in our example: VPN_Users).
In the Value field, enter the name of the group (in our example: VPN_Users).
Enter a Description for the app role.
Select the checkbox below Do you want to enable this app role?
Click Apply.

Step 2: In the Microsoft Azure portal, assign a role to the group

In the upper left, click Home.
Click Enterprise Applications.
Click the name of the application you created for the Quantum Spark Gateway.
From the left menu, expand Manage > click Users and Groups.
Select the checkbox to the left of the name of the relevant group.
Click Edit assignment.
Select the group for which you created the app registration.
Click Select a role.
Select the role (in our example: VPN_Users) you assigned to the group.
Click Save.
Click Assign.

Step 3: In the Microsoft Azure portal, add a claim to the SAML application you created for the Quantum Spark Gateway

In the upper left, click Home.
Click Enterprise Applications.
Click the name of the application you created for the Quantum Spark Gateway.
From the left menu, expand Manage > click Single sign-on.
In the Attributes & Claims section, click Edit.
Click Add new claim.
For Name, enter group_attr.
For Source, select Attribute.
For Source attribute, select user.assignedroles.
Click Save.

Step 4: In the Quantum Spark Gateway WebUI, create a group for users who authenticate with Microsoft Entra ID

Go to the VPN view > Remote Access section > Remote Access Users page
Near the Add button, click the downward arrow > Active Directory > Azure AD Group.

In the Name field, enter the group name as configured in Microsoft Entra ID.

Important - On the Quantum Spark Gateway, this name must always start with the prefix "EXT_ID_".

Example:

If the Azure AD group is called "VPN_Users", then you must enter "EXT_ID_VPN_Users".

Click Save.

Step 5: In the Quantum Spark Gateway WebUI, edit the group to override the "Route Internet traffic connected clients through this Security Gateway" configuration

Go to the VPN view > Remote Access section > Advanced page
In the table, click the name of a group you selected for users who authenticate using Microsoft Entra ID.

The Edit [NAME OF THE GROUP] window opens.
Select Override global settings.
Do one:
- Select Route all traffic for this Azure AD group through VPN to override the global setting. For members of the group, all traffic goes through the VPN tunnel.
- Leave the Route all traffic for this Azure AD group through VPN blank to override the global setting. For members of the group, only traffic to resources behind the Quantum Spark Gateway goes through the VPN tunnel.
Click Save.

Configuring Authentication Servers for Remote Access

Configuring RADIUS Authentication for Remote Access VPN

Configuring Active Directory Authentication for Remote Access VPN

Configuring SAML Authentication for Remote Access VPN