Table of Contents

1       Summary

This is the complete installation guide for securing the authentication to your Palo Alto Networks Next-Generation SSL-VPN solution with Nordic Edge One Time Password Server, delivering two-factor authentication via SMS to your mobile phone. You will be able to test the product with your existing Palo Alto Networks Next-Generation Firewall SSL-VPN solution server and your LDAP user database, without making any changes affecting existing users. The guide will also allow you to make the complete installation efficiently, using a maximum of 1 hour. Nordic Edge provides several methods for delivering one time passwords, like e-mail, tokens, mobile clients, Pledge, prefetch, Yubikey etc.

However in this test configuration we are only going to use SMS.

This is a step-by-step guide covering the entire installation from A to Z. It is based on the scenario that you are running your Palo Alto Networks Next-Generation Firewall SSL-VPN solution against Active Directory, and that you install the One Time Password Server on a Windows Server. The One Time Password Server is platform independent and works with all other LDAP user databases, like eDirectory, Sun One, Open LDAP etc. If you are not running Active Directory or Windows and if you have any questions regarding the slight differences in the installation process, you are most welcome to contact us at support@nordicedge.se and we will take you through the entire process.

Versions

Definitions

In this guide the Palo Alto Networks Next-Generation Firewall SSL-VPN solution is referred as "SSL-VPN-Server"

2 Prerequisites

You will need a server, for example a VMware virtual machine, with Windows Server 2003 or higher installed with Ethernet in bridge mode. The server must have a static ip-address configured and must also be able to reach your DNS-servers, your SSL-VPN solution and Active Directory. Since the software is quite small (315 mb) and easy to remove, you can also use any existing server from your network.

Important information regarding communication

The One Time Password Server is a software that can be installed on any existing server in your network or DMZ.

– The One Time Password Server must be able to communicate (Outbound traffic) with your LDAP or JDBC User Database. Default port for LDAP and Secure LDAP are TCP port 389 / 636.

– The SSL-VPN solution must be able to communicate (Outbound traffic) with the One Time Password Server via Radius, UDP port 1812 or 1645 (Outbound traffic).

– If you want to use the Nordic Edge SMS Gateway, the One Time Password Server must be able to communicate (Outbound traffic) with otp.nordicedge.net and otp.nordicedge.se with HTTPS on TCP port 443.

In the following test-scenario you will need to communicate with RADIUS port 1812 or 1645 and use the Nordic Edge SMS Gateway.

3 Getting started

Type in your name and contact details to receive the software.

You will receive a link for downloading the software. A 30 days evaluation license will be sent via e-mail when you download the software.

Download the 32 or 64 bit version depending on your platform.

4       Installation

 

Please note that if you are installing on a Windows 2008 Server you need to right click on the otp3install.exe using explorer and click on “Run as Administrator”.

 

Click Next

Click Next

5   Configuring the One Time Password Server

5.1  Start the OTP Configurator

Start the OTP Configurator by clicking on the left button – “Configuration”              

5.2   Configure the One Time Password Server

On the Server page you can set the length of the one-time password and for how long it should be valid. The default value is set to five minutes.

You can also set a default country prefix, which means you will not need to set it in the mobile attribute.

For more information regarding the optional setting please see One Time Password Server 3 – Administration manual

For now, leave this page as default and go on to the next part – Configure RADIUS.

5.3      Configure RADIUS

Change to the RADIUS tab and configure the RADIUS port you want to use to communicate with your SSL-VPN server. In this example we are using RADIUS port nb 1645.

 Click Save config.

5.4      Configure databases

In this setup we are going to use the Microsoft Active Directory LDAP database.

Change to the Databases tab and click on the LDAP Database button.

5.5      Configure LDAP Host Settings

For this configuration we will use the active directory installed on the same server as the One Time Password Server. We will use the internal IP-address (127.0.0.1) as host address.

We will use the standard LDAP port No. 389 to communicate with Active Directory.

Admin DN will be the Administrator user to search for user objects in the Active Directory database. For now this user only need read rights to the user objects attributes but be aware that later you might want to use options like disable accounts or the Pledge Enrollment concept from the Pledge Mobile Client. In this event the Admin DN need write rights to modify the disable account attribute and to store oath-keys into an optional user attribute.

Configure your LDAP host settings and click test. You should now get a messages saying “LDAP connection success”

Click OK and Save

 

Next step is to configure the LDAP database settings.

5.6   Configure the LDAP database settings

The BASE DN is the search base from where OTPServer will start looking for user objects.

Click on the button with three dots at the right side of the Base DN field to browse your LDAP Database.

Select an Organization Unit or Organization in Active Directory and click OK.

7    Configure Delivery Method

The Delivery Methods category is meant for enabling and configuring one or more delivery methods that can be used by the OTP Server to send one-time passwords.

 

One Time Password Server offers various methods like SMS, Oath Tokens, Instant Messaging, HTTP, Yubikey.

In this example we will use SMS with the Nordic Edge SMS-service as the SMS-provider.

During the evaluating phase we offer customers to use our Nordic Edge SMS-service free of charge for 30 days from the activation of the Demo Account.

In the left Pane, click “Delivery Methods” and then Nordic Edge SMS. In the right pane enable Nordic Edge SMS Gateway.

To Request a demo account click “Request a demo account”.

Click “Yes”

You should now get a success message and the Username and Password for the Nordic Edge SMS-gateway has automatically been filled in. Click OK and Save Config.

8 Restart the One Time Password Server as Windows Service

In the server panel for click “Shutdown”

In Windows Control Panel, open Administrative Tools / Services

Find the Nordic Edge OTP Server Service, right click on that service and click “Start”.

9  Add mobile phone number with Microsoft Management Console

Add a mobile phone number to your test user mobile phone attribute by starting the Microsoft MMC, select the test user and enter the mobile phone number into the Mobile attribute.

10 Configure the Palo Alto SSL-VPN to use RADIUS and Nordic Edge One Time Password Server.

Configuring the Palo Alto SSL-VPN for sms-authentication

 

10.1 Create RADIUS Profile

10.1.1 Using a web browser, start the Palo Alto Management Console and click on the ”Device” tab.

You have now finished configuring the SSL-VPN portal.

You will receive a one-time password to your mobile phone within a couple of seconds.