
Introduction

Whether you received the hardware appliance or downloaded and installed the virtual machine image, the initial setup process after the appliance is powered on is the same for both versions. SecureAuth IdP virtual and hardware appliances come with Proof of Concept (POC) licenses automatically included and activated. These evaluation licenses are typically good for 180 days. Therefore, once you have downloaded the image or plugged in and turned on the hardware, you are ready to go through the steps outlined below to set up your appliance for first-time use. Once a new production license key is purchased, the key is sent to the company contact via email with a link to instructions on activating the key.

Purpose

After you receive the SecureAuth Appliance with the POC license, use this article to reference information on how to install your specific hardware appliance. Step 1 references documents with specifications and requirements for both hardware and virtual appliances. Step 2 includes instructions on how to download and install virtual machines or to rack and power on hardware appliances. Steps 3 through 11 apply to both SecureAuth IdP appliance types. Complete or verify all these procedures prior to the guided deployment installation meeting.

If you want assistance setting up your appliance(s), please contact your SecureAuth Sales Account Manager or Engineer to schedule a pre-deployment meeting when your appliance arrives.

SecureAuth Appliance: Installation and Basic Settings
Installing the SecureAuth Appliance
  1. Read through and become familiar with the information in the SecureAuth IdP Appliance 8.0 Specifications and the Network Communication Requirements for SecureAuth IdP 8.0.
  2. Install the SecureAuth Appliance and power it up.
    • For Virtual Machines: Part I listed below contains the procedure for importing your virtual machine into your virtual host server. To save you time, the appliance is configured to use Dynamic Host Configuration Protocol (DHCP) by default to automatically acquire an IP address from the network. 

    • For Hardware Machines: SecureAuth IdP Hardware Appliances Setup Guide: Install the hardware appliance in your data center. Connect the power cable(s) and one network cable to the appliance. It may be helpful to connect a KVM or console to configure the TCP/IP stack. By default, the appliance is configured to use DHCP for IP address assignment.
       
  3. Log onto the SecureAuth appliance via the local, virtual, or remote desktop (RDP) console.
    • Account passwords are delivered to the technical contact as part of the shipment or download notification. 
    • Review any Domain GPOs applied to the SecureAuth appliance with your SecureAuth Sales Engineer.
       
  4. Domain Membership. Avoid adding the SecureAuth appliance to an Active Directory Domain unless required for specific functionality (e.g. Integrated Windows Authentication used for Desktop SSO) or if required by your Enterprise Security Policy. The SecureAuth Appliance is designed to function as a stand-alone appliance or as a domain member. If you plan to join the Appliance to your Active Directory domain, SecureAuth recommends adjusting the local Advanced Firewall rules to complete the process of joining a domain.
    • Review any Domain GPOs applied to the SecureAuth appliance with your SecureAuth Sales Engineer.
       
  5. Review network firewall rules for the Network Communication Requirements for SecureAuth IdP 8.0.
    • The local Firewall/Windows Advanced firewall is configured for specific network communications only. If you require ICMP or additional ports and protocols for your environment, please work with your Sales Engineer or temporarily disable the local firewall to complete the setup.
      The final configuration of the Windows Advanced firewall is completed during the installation meeting.

      Please ensure that the NTP Services, the Appliance Clock, and Time Zone settings are correct. Problems validating certificates may occur if the clock deviates by more than 5 minutes or an incorrect time zone is set.

  6. Set/verify NTP Services, the Appliance Clock, and Time Zone settings by completing the Windows Mini Setup Wizard prompts. These settings must be set correctly for your region.
    Appliance NTP services are set using the SecureAuth Local Firewall configuration script as well. A default Internet based NTP configuration is completed on the appliance prior to shipment.
    • For Virtual Appliances Only: If you are deploying a SecureAuth Virtual Appliance, please verify that the NTP configuration, time zone, and clock settings are correct on the Host (Hypervisor) Server.
       
  7. Connecting SecureAuth Services to your Enterprise Data Store. SecureAuth uses the existing enterprise data store such as LDAP/AD or a SQL Database.
  8. Define the appropriate User Data Store Connection information.  
    • If using LDAP or AD: Contact your IT department and request LDAP or AD information. Bring this information to the pre-deployment meeting. The LDAP string in the first bullet below is required for deployment; it is used to connect to a Microsoft Active Directory or another LDAP Directory.
      • Set the minimal string to the following: LDAP://domain.com/DC=domain,DC=com. This configuration searches from the highest level in your AD hierarchy, using Integrated Active Directory DNS to resolve all DCs in the Active Directory site Domain.com.
      • (Optional) Include a CN or OU in the string above to limit the search to that specific Directory Container only (e.g. LDAP://domain.com/CN=Users,DC=domain,DC=com).
         
    • If using SQL: Define the ODBC Connection details (for database integrations). The following connection information is required to connect SecureAuth to your User Database. Please have it available during the scheduled installation.
      • FQDN or IP address of your Database Server.
      • TCP (or UDP) port.
         
  9. Check for Service Specific Network Connectivity.
    • Verify proper DNS resolution is configured and working (Internal and external) from the appliance. Please register the SecureAuth Appliance name in the appropriate DNS lookup zones.
    • If the installation requires a proxy setup, verify that proxy settings are correctly configured in the Internet Options window.

      • To access Internet Options, click Start, then type 'Internet Options'.
    • Test HTTP connectivity. The appliance should be able to access the following sites: HTTP://x509.multifactortrust3.com and HTTP://cloud.secureauth.com. If you cannot connect to these sites, check your perimeter firewall rules.
    • (If Applicable) Test for connectivity to the Active Directory Domain controller(s) using the LDAP Tool provided on the SecureAuth menu of the SecureAuth Appliance or your preferred LDAP Browser utility.

      Use this tool to verify LDAP strings, Service Account, password and read/write permissions on specific attributes. If you are not familiar with the Microsoft LDAP (LDP.exe) tool, contact your Sales Engineer for a quick introduction.

    • (If Applicable) Test for connectivity to the Database Server. Connect to the database server using telnet. [Telnet <IP Address> <Port Number>]

      The Telnet feature is not installed by default. Use Add/Remove programs / features to enable the Telnet client.

    • If you are using SMTP Mail for OTP delivery, test connectivity to your preferred SMTP Server (Exchange or mail relay). Test for port 25 connectivity from the SecureAuth Appliance to the SMTP provider.
      Mailbox, account and reply-to address are typically required.
       
  10. Review the Ongoing Appliance Security Patching and Update Maintenance guide.
     
  11. Once you have successfully completed these service checks, you are ready to begin the guided installation. If the pre-deployment meeting has not been completed or scheduled, please contact your SecureAuth Sales Account Manager or Engineer to schedule it as soon as possible.
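
The clock check from steps 5 and 6 and the connectivity checks from step 9 can be run in one pass from a PowerShell prompt on the appliance. This is an added example, not SecureAuth's own tooling; the NTP server, the host names, and the LDAP (389) and SQL (1433) ports are placeholder assumptions to replace with your environment's values.

```powershell
# Added example. PLACEHOLDER values are assumptions; replace them before running.
$NtpServer  = 'time.windows.com'   # PLACEHOLDER NTP source
$MaxSkewSec = 300                  # 5-minute tolerance from the note in step 5
$HttpSites  = 'http://x509.multifactortrust3.com', 'http://cloud.secureauth.com'
$TcpTargets = @(                   # PLACEHOLDER hosts; 389 and 1433 are assumed default ports
    @{ Name = 'LDAP/AD'; Target = 'dc01.domain.com';  Port = 389 },
    @{ Name = 'SQL';     Target = 'sql01.domain.com'; Port = 1433 },
    @{ Name = 'SMTP';    Target = 'mail.domain.com';  Port = 25 })

function Get-ClockSkewSeconds([string]$Server) {
    # w32tm prints "hh:mm:ss, +00.0123456s" per sample; return the absolute offset.
    $out = & w32tm /stripchart "/computer:$Server" /samples:1 /dataonly 2>&1
    $hit = $out | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -First 1
    if (-not $hit) { return $null }   # no sample: NTP blocked or server unreachable
    [math]::Abs([double]$hit.Matches[0].Groups[1].Value)
}
function Test-Dns([string]$Name) {
    try { [bool][System.Net.Dns]::GetHostAddresses($Name).Length } catch { $false }
}
function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    # Same check as "telnet <IP Address> <Port Number>", without the Telnet client.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending); return $true
    } catch { return $false } finally { $client.Close() }
}
function Get-HttpStatus([string]$Url) {
    # Any status code shows the path through proxy and perimeter firewall is open.
    try {
        $req = [System.Net.WebRequest]::Create($Url); $req.Timeout = 5000
        $resp = $req.GetResponse(); $code = [int]$resp.StatusCode; $resp.Close(); return $code
    } catch {
        $resp = $_.Exception.GetBaseException().Response   # set when the server sent an error status
        if ($resp) { return [int]$resp.StatusCode } else { return $null }
    }
}
function New-Check($Check, $Pass, $Detail) {
    New-Object psobject -Property @{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }
}
$skew = Get-ClockSkewSeconds $NtpServer
$zone = [System.TimeZoneInfo]::Local.Id
$report = @(New-Check "Clock skew vs $NtpServer" ($null -ne $skew -and $skew -le $MaxSkewSec) "$skew s; zone $zone")
foreach ($u in $HttpSites) {
    $name = ([uri]$u).Host; $status = Get-HttpStatus $u
    $report += New-Check "DNS $name" (Test-Dns $name) ''
    $report += New-Check "HTTP $u" ($null -ne $status) "status $status"
}
$report += $TcpTargets | ForEach-Object { New-Check "$($_.Name) $($_.Target):$($_.Port)" (Test-TcpPort $_.Target $_.Port) '' }
$report | Select-Object Check, Pass, Detail | Format-Table -AutoSize
```

A row with `Pass` set to False points to the step to revisit. An open port confirms reachability only; the LDAP string, service account, and attribute permissions still need to be verified with the LDAP tool.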