Configuring Authentication Servers for Remote Access
On the VPN view > Remote Access section > Authentication Servers page, you can configure and view different authentication servers for Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. users who connect to the Quantum Spark Gateway (with the Remote Access blade enabled - see Configuring the Remote Access Blade).
You can configure these authentication methods:
Authentication Method |
Description |
||
---|---|---|---|
RADIUS |
When a Remote Access VPN user connects, the Quantum Spark Gateway connects to the configured RADIUS servers to authenticate the user. You configure the RADIUS servers on the VPN view > Remote Access section > Remote Access Users page. |
||
Active Directory |
When a Remote Access VPN user connects, the Quantum Spark Gateway connects to the configured Active Directory servers to authenticate the user. You configure the Active Directory servers on the VPN view > Remote Access section > Remote Access Users page. |
||
SAML Identity Provider |
When a Remote Access VPN user connects, the Quantum Spark Gateway connects to the configured SAML Identity Provider to authenticate the user. You must configure the required settings in the SAML Identity Provider portal. |
Configuring RADIUS Authentication for Remote Access VPN
-
In the RADIUS Servers section, click Configure.
-
In the Primary tab, configure the Primary RADIUS server:
-
IP address - The IP address of the Primary RADIUS server.
-
Port - The number of the listening port on the Primary RADIUS server. The default is 1812.
-
Shared secret - The secret (pre-shared information used for message "encryption") between the Primary RADIUS server and the Quantum Spark Gateway.
Notes:
-
You cannot use these characters in a password or shared secret:
{ } [ ] ` ~ | ‘ " \
(maximum number of characters: 255) -
Select Show to see the shared secret.
-
-
Timeout (seconds) - A timeout value in seconds for communication with the RADIUS server. The default timeout is 3 seconds.
Note - To remove all settings, click Clear.
-
-
Optional: In the Secondary tab, configure the Secondary RADIUS server:
-
IP address - The IP address of the Secondary RADIUS server.
-
Port - The number of the listening port on the Secondary RADIUS server. The default is 1812.
-
Shared secret - The secret (pre-shared information used for message "encryption") between the Secondary RADIUS server and the Quantum Spark Gateway.
Notes:
-
You cannot use these characters in a password or shared secret:
{ } [ ] ` ~ | ‘ " \
(maximum number of characters: 255) -
Select Show to see the shared secret.
-
-
Timeout (seconds) - A timeout value in seconds for communication with the RADIUS server. The default timeout is 3 seconds.
Note - To remove all settings, click Clear.
-
-
Click Save.
-
Enable the Remote Access permissions for RADIUS users:
-
In the line Remote Access permissions for RADIUS users are disabled, click the link permissions for RADIUS users.
The RADIUS Authentication window opens.
-
Select User Awareness, Remote Access and Hotspot.
-
Optional: Select For Remote Access use specific RADIUS groups only and enter the names of the applicable RADIUS groups.
-
Click Save.
-
-
In the RADIUS Servers section, click the IP address link of the RADIUS server you want to edit.
-
Make the necessary changes.
-
Click Save.
In the RADIUS Servers section, click the Remove link next to the RADIUS server you want to delete
Configuring Active Directory Authentication for Remote Access VPN
-
In the Active Directory section, click New.
-
Configure the Active Directory Domain settings:
-
Domain - The domain name.
You can configure this domain only one time.
-
IP address - The IPv4 address of one of the Active Directory domain controllers of your domain.
-
User name - The username to connect to the Active Directory domain controller. This user must have administrator privileges to ease the configuration process and create a user-based policy using the users defined in the Active Directory.
-
Password - The user's password to connect to the Active Directory domain controller.
Note - You cannot use these characters in a password or shared secret:
{ } [ ] ` ~ | ‘ " \
(maximum number of characters: 255) -
User DN - The user's FQDN. Click Discover for automatic discovery of the DN of the object that represents that user or enter the user DN manually.
For example:
CN=John James,OU=RnD,OU=Germany,O=Europe,DC=Acme,DC=com
-
Optional: Select Use user groups from specific branch only if you want to use only part of the user database defined in the Active Directory:
-
Click New.
-
Enter the full DN of the applicable Active Directory branch.
-
Click Save.
-
-
-
Click Save.
-
Configure how to synchronize Active Directory groups from the Active Directory domain controller:
-
In the Active Directory section, click Configure.
-
Select the applicable option:
-
Automatic synchronization (this is the default, runs every 24 hours)
-
Manual synchronization
Note - You can synchronize the user database in all locations in WebUI where this user database can be viewed.
For example:
-
The Users & Objects view > Users Management section > Users page.
-
The Access Policy view > Firewall section > Policy page.
In the Incoming, Internal and VPN Traffic section > the Source column > click [+].
Note - You cannot select a user from the Active Directory, only an Active Directory user group.
-
-
-
Click Save.
-
-
Enable the Remote Access permissions for Active Directory users:
-
In the line Remote Access permissions for Active Directory users are set in the Remote Access Users page, click the link permissions for Active Directory users.
The Active Directory Global Permissions window opens.
-
Select the applicable option:
-
All users in Active Directory
Note - Most Active Directory domains contain a large list of users. Consider limiting the Remote Access VPN permissions only to specific user groups.
-
Selected Active Directory user groups (this is the default)
Note - Requires additional configuration. FollowConfiguring Remote Access Users.
-
-
Click Save.
-
-
In the Active Directory section, click the Active Directory Domain you want to edit.
-
Click Edit.
The Domain information is read-only and cannot be changed.
-
Make the necessary changes.
-
Click Save.
-
In the Active Directory section, click the Active Directory Domain you want to delete.
-
Click Delete.
Configuring SAML Authentication for Remote Access VPN
Starting from R81.10.15, you can configure a SAML Identity Provider (IdP) to authenticate Remote Access VPN users on a Quantum Spark Gateway.
|
Note - The R81.10.15 version supports only Microsoft Entra ID (formerly Azure AD). |
Remote Access VPN users enter their Microsoft Entra ID credentials to connect to the Quantum Spark Gateway and access the internal resources.
This is easier than using specific credentials only for the Quantum Spark Gateway.
The administrator can manage user groups and enforce authentication methods such as Single Sign-On (SSO) and Two-Factor Authentication (2FA) in the Microsoft Entra ID portal.
In the advanced use case, you can override the Route Internet traffic from connected clients through this Security Gateway global configuration for specific groups in Microsoft Entra ID. For more information about Route Internet traffic from connected clients through this Security Gateway, see Configuring Advanced Remote Access Options.
-
A Remote Access VPN user wants to access internal resources located behind the Quantum Spark Gateway using Remote Access VPN.
-
The SAML portal of the Quantum Spark Gateway redirects the user to the SAML Identity Provider (IdP) for authentication.
-
The IdP asks the remote user for credentials according to the policy you configure in the IdP portal.
For example, you can configure Single Sign-On (SSO) to recognize that a user is already signed in, or require Two-Factor Authentication (2FA).
-
The IdP authenticates the user and sends a SAML assertion to the user's web browser.
-
The remote user's web browser sends the SAML assertion to the Quantum Spark Gateway.
-
The Quantum Spark Gateway validates the SAML assertion and allows the remote user to access internal resources.
-
Only one IdP configuration is supported. For example, if your organization has two Microsoft Entra ID environments, you can use only one of them as a SAML Identity Provider
-
It is not supported to create Access Control Rules for users who authenticate with the SAML Identity Provider.
-
Microsoft Entra ID Identity Tags are not supported.
|
Important - The admin must notify Remote Access users to save the Azure credentials they receive. These credentials are required for their first login using the SAML User authentication method. |
Keep the Azure Portal and the Quantum Spark Gateway WebUI open throughout this procedure.
-
In the Azure Portal, create a SAML application for the Quantum Spark Gateway:
-
Click Enterprise Application.
-
Click New application.
-
Click Create your own application.
The Create your own application window opens.
-
Enter a name for the application.
-
Make sure this default option is selected:
Integrate any other application you don't find in the gallery (Non-gallery)
-
Click Create.
-
-
In the Azure Portal, assign users or groups of users to the SAML application:
-
On the Overview page for the application, in the Getting Started section, click Assign users and groups.
-
Click add user/group.
-
Select users and groups.
-
Click Assign.
-
-
In the Azure Portal, navigate to the SAML-based Sign-on screen for your application:
-
In the left menu, expand Manage.
-
Click Single sign-on.
-
Select SAML.
-
In the Basic SAML Configuration section, click the edit (pencil) icon.
The Basic SAML Configuration window opens.
-
-
In the Quantum Spark Gateway WebUI, from the left navigation panel, click the VPN view.
-
In the Remote Access section, click the Authentication Servers page.
-
In the Identity Provider section, click Configure.
The Configure Identity Provider window opens.
-
In the Data required by the SAML Identity Provider section, follow these steps:
-
Copy these values from the Quantum Spark Gateway WebUI and paste them in the Azure portal > Basic SAML Configuration window:
-
Copy the Unique identifier URL value from the Quantum Spark Gateway WebUI and paste it in the Azure portal in the Identifier (Entity ID) field.
-
Copy the Reply URL from the Quantum Spark Gateway WebUI and paste it in the Azure portal in the Reply URL (Assertion Consumer Service URL) field.
Note - By default, the WebUI generates these values based on the DDNS settings in the Device view > System section > DDNS & Device Access page. If you did not configure DDNS, these values are based on the appliance's public IP address. If you did not configure DDNS for a cluster, these values are based on the cluster's Virtual IP Address (VIP).
-
-
Optional: You can override the DDNS or IP address of the Quantum Spark Gateway:
-
To use a static IPv4 address instead of DDNS, select Override DDNS/IP and enter an IPv4 address.
The Quantum Spark Gateway WebUI generates a new Unique identifier URL and Reply URL based on the IPv4 address.These fields are automatically generated the first time the user configures the identity provider object on the gateway.
If DDNS was configured before, these fields are created with the domain name. Otherwise, they are created with the gateway’s IP.
-
To use DDNS instead of a static public IP address for the Unique identifier URL and Reply URL, select Override DDNS/IP and enter a DDNS.
Example: You configured DDNS but want to use an IP address for the Unique Identifier URL and the Reply URL. After you select the checkbox Override DDNS/IP and enter an IP address, the values of the Unique Identifier URL and the Reply URL change, because they are now based on the IP address, not the DDNS.
-
-
In the Azure portal > Basic SAML Configuration window, click Save.
-
-
In the Data received by the SAML Identity Provider section, select and configure the applicable option:
-
Import Metadata File
-
In the Azure Portal >SAML Certificates section, next to Federation Metadata XML, click Download.
Your computer downloads the metadata file.
-
In the Quantum Spark WebUI > Data received from SAML Identity Provider section, next to Metadata file, click Upload.
-
On your computer, select the metadata file and click Open.
-
-
Insert manually
-
In the Azure portal > Set up [NAME OF YOUR APPLICATION] section, copy the Microsoft Entra Identifier.
-
In the Quantum Spark Gateway WebUI > Data received from the SAML Identity Provider section, paste the Microsoft Entra Identifier you copied from the Azure portal.
-
In the Azure portal > Set up [NAME OF YOUR APPLICATION] section, copy the Login URL.
-
In the Quantum Spark Gateway WebUI > Data received from the SAML Identity Provider section, paste the Login URL you copied from the Azure portal.
-
In the Azure portal >SAML Certificates section, next to Certificate (Base64), click Download.
Your computer downloads the certificate file.
-
In the Quantum Spark Gateway WebUI > Data received from SAML Identity Provider section, next to Certificate, click Upload.
-
On your computer, select the certificate file and click Open.
-
-
-
In the Quantum Spark Gateway WebUI, click Save.
-
There are two possible deployment scenarios:
-
The Quantum Spark Gateway is already installed and has an existing Remote Access community with a different authentication method, and the administrator wants to change the method to "SAML User."
-
Instruct members of the Remote Access community to disconnect from the site and connect again. Select "SAML User" as the preferred login option.
-
The user, on connecting to the Gateway, is redirected to Azure to enter their Azure credentials.
-
On verification, the Remote Access User gets access to corporate resources.
-
-
The Quantum Spark Gateway is already installed but has no Remote Access community and the administrator creates it for the first time.
-
Instruct members of the Remote Access community to create the site with the Quantum Spark Gateway as the URL. ("SAML User" is already set as the default authentication method).
-
The user, on connecting to the Gateway, is redirected to Azure to enter their Azure credentials.
-
On verification, the Remote Access User gets access to corporate resources.
-
For more information, see:
-
Remote Access VPN Clients for Windows Administration Guide > "Getting Started with Remote Access Clients" > "Helping Users Create a Site"
-
Endpoint Security VPN for macOS Administration Guide > "Helping Your Users" > "Helping Users Create a Site".
-
In the basic configuration, the global setting of Route Internet traffic from connected clients through this Security Gateway applies to remote users who authenticate with Microsoft Entra ID.
In the advanced configuration, you can override the global setting of Route Internet traffic from connected clients through this Security Gateway for specific groups in Microsoft Entra ID.
For more information about Route Internet traffic from connected clients through this Security Gateway, see Configuring Advanced Remote Access Options.
Do this procedure for one or more groups in Microsoft Entra ID.
-
Put the relevant Microsoft Entra ID users into a group (example:
VPN_Users
) and assign this group to the SAML application you created for the Quantum Spark Gateway. -
In the Azure Portal, click App registrations.
The App registrations homepage opens.
-
Click All applications.
-
Click the application you created for the Quantum Spark Gateway.
The App registrations page for the application opens.
-
From the left menu, expand Manage > click App roles.
-
Click Create app role.
The Create app role sliding window opens.
-
In the Display name field, enter a name for the app role. We recommend to make this the same as the name of the group (in our example:
VPN_Users
). -
In the Value field, enter the name of the group (in our example:
VPN_Users
). -
Enter a Description for the app role.
-
Select the checkbox below Do you want to enable this app role?
-
Click Apply.
-
In the upper left, click Home.
-
Click Enterprise Applications.
-
Click the name of the application you created for the Quantum Spark Gateway.
-
From the left menu, expand Manage > click Users and Groups.
-
Select the checkbox to the left of the name of the relevant group.
-
Click Edit assignment.
-
Select the group for which you created the app registration.
-
Click Select a role.
-
Select the role (in our example:
VPN_Users
) you assigned to the group. -
Click Save.
-
Click Assign.
-
In the upper left, click Home.
-
Click Enterprise Applications.
-
Click the name of the application you created for the Quantum Spark Gateway.
-
From the left menu, expand Manage > click Single sign-on.
-
In the Attributes & Claims section, click Edit.
-
Click Add new claim.
-
For Name, enter
group_attr
. -
For Source, select Attribute.
-
For Source attribute, select
user.assignedroles
. -
Click Save.
-
Go to the VPN view > Remote Access section > Remote Access Users page
-
Near the Add button, click the downward arrow > Active Directory > Azure AD Group.
-
In the Name field, enter the group name as configured in Microsoft Entra ID.
Important - On the Quantum Spark Gateway, this name must always start with the prefix "
EXT_ID_
".Example:
If the Azure AD group is called "
VPN_Users
", then you must enter "EXT_ID_VPN_Users
". -
Click Save.
-
Go to the VPN view > Remote Access section > Advanced page
-
In the table, click the name of a group you selected for users who authenticate using Microsoft Entra ID.
The Edit [NAME OF THE GROUP] window opens.
-
Select Override global settings.
-
Do one:
-
Select Route all traffic for this Azure AD group through VPN to override the global setting. For members of the group, all traffic goes through the VPN tunnel.
-
Leave the Route all traffic for this Azure AD group through VPN blank to override the global setting. For members of the group, only traffic to resources behind the Quantum Spark Gateway goes through the VPN tunnel.
-
-
Click Save.