Documentation

Introduction

Use this guide to deploy the SecureAuth IdP appliance(s) for your company.

Please contact the SecureAuth Project Management Office to discuss the deployment of your SecureAuth IdP Appliance(s).

Prerequisites
  1. Define and discuss your project with a SecureAuth Sales representative to determine the appropriate SecureAuth IdP Appliance platform (Virtual or Hardware) for your environment.
  2. Complete an Appliance Request Form provided by your SecureAuth Sales representative.
  3. Receive or download the SecureAuth IdP Appliance. Shipping or download information is provided via email.
  4. Receive the SecureAuth IdP Appliance Activation Code via email.
SecureAuth Appliance: Installation and Basic Settings
Installing the SecureAuth Appliance
  1. Read through and become familiar with the information in the SecureAuth IdP Appliance Specifications.
  2. Install the SecureAuth Appliance and power it up.
  3. Domain Membership. Avoid adding the SecureAuth appliance to an Active Directory Domain unless required for specific functionality (e.g. Integrated Windows Authentication used for Desktop SSO) or if required by your Enterprise Security Policy. The SecureAuth Appliance is designed to function as a stand-alone appliance or as a domain member. If you plan to join the Appliance to your Active Directory domain, SecureAuth recommends adjusting the local Advanced Firewall rules to complete the process of joining a domain.
     

  4. Review any Domain GPOs applied to the SecureAuth appliance with your SecureAuth Sales Engineer.
     
  5. Review the Network Communication Requirements for SecureAuth IdP 8.1.x guide for the appropriate network firewall rule configuration.

    • The local Firewall/Windows Advanced firewall is configured to allow specific network communications only. If you require ICMP or additional ports and protocols for your environment, please work with your Sales Engineer or temporarily disable the local firewall to complete the setup.

      The final configuration of the Windows Advanced firewall is completed during the installation meeting.
       

  6. Set/verify NTP Services, the Appliance Clock, and Time Zone settings by completing the Windows Mini Setup Wizard prompts. These settings must be set correctly for your region.
    Appliance NTP services are also set using the SecureAuth Local Firewall configuration script. A default Internet-based NTP configuration is completed on the appliance prior to shipment. Problems validating certificates may occur if the clock deviates by more than 5 minutes or an incorrect time zone is set.

    • For Virtual Appliances Only: If you are deploying a SecureAuth Virtual Appliance, please verify that the NTP configuration, time zone and clock settings are correct on the Host (hypervisor) Server.
       
  7. Connecting SecureAuth Services to your Enterprise Data Store. SecureAuth uses the existing enterprise data store such as LDAP/AD or a SQL Database.
  8. Define the appropriate User Data Store Connection information.  
    • If using LDAP or AD: Contact your IT department and request LDAP or AD information. Bring this information to the pre-deployment meeting. The LDAP string in the first bullet listed below is required for deployment; it is used to connect to Microsoft Active Directory or another LDAP Directory.
      • Set the minimal string to the following: LDAP://domain.com/DC=domain,DC=com. This configuration searches from the highest level in your AD hierarchy, using Integrated Active Directory DNS to resolve all DCs in the Active Directory site Domain.com.
      • (Optional) Include a CN or OU in the String above to limit the search capabilities to only that specific Directory Container (e.g. LDAP://domain.com/CN=Users,DC=domain,DC=com)
         
    • If using SQL: Define the ODBC Connection details (for database integrations). The following connection information is required to connect SecureAuth to your User Database. Please have it available during the scheduled installation.
      • FQDN or IP Address of your Database Server
      • TCP (or UDP) port
         
  9. Check for Service Specific Network Connectivity.

    If you have legacy appliances running in your environment, please check the network requirements for the version of SecureAuth IdP or speak to your sales or deployment engineer.
    • Verify proper DNS resolution is configured and working (Internal and external) from the appliance. Please register the SecureAuth Appliance name in the appropriate DNS lookup zones.
    • Test HTTP connectivity. The appliance should be able to access the following sites: HTTP://cloud.secureauth.com and HTTP://trx.secureauth.com. If you cannot connect to these sites, check your perimeter firewall rules.

    • If the installation requires a proxy setup, verify that proxy settings are correctly configured in the Internet Options window.

      • To access Internet Options, click Start, then type 'Internet Options'.
    • (If Applicable) Test for connectivity to the Active Directory Domain controller(s) using the LDAP Tool provided on the SecureAuth menu of the SecureAuth Appliance or your preferred LDAP Browser utility.

      Use this tool to verify LDAP strings, Service Account, password and read/write permissions on specific attributes. If you are not familiar with the Microsoft LDAP (LDP.exe) tool, contact your Sales Engineer for a quick introduction.

    • (If Applicable) Test for connectivity to the Database Server. Connect to the database server using telnet [Telnet <IP Address> <Port Number>].

      The Telnet feature is not installed by default. Use Add/Remove programs / features to enable the Telnet client.

    • If you are using SMTP Mail for OTP delivery, test connectivity to your preferred SMTP Server (Exchange or mail relay). Test for port 25 connectivity from the SecureAuth Appliance to the SMTP provider.
      Mailbox, account and reply-to address are typically required.
       
  10. Review the Ongoing Appliance Security Patching and Update Maintenance guide.
     
  11. Once you have successfully completed these service checks, you are ready to begin a guided installation. If the pre-deployment meeting has not been completed or scheduled, please contact the SecureAuth Project Management Office via email at PMO@Secureauth.com or call +1 (949) 777-6959 and ask for a PMO team member.
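
The service checks in step 9, together with the 5-minute clock limit from step 6, can be run as one script from the appliance. This is an added example, not part of the SecureAuth documentation: it assumes Windows PowerShell 5.1 with the built-in Test-NetConnection and Resolve-DnsName cmdlets, and the host names, the database port 1433 and the standard LDAP port 389 are placeholders or assumptions to replace with your own values.

```powershell
# Pre-deployment connectivity checks, run on the appliance (added example).
# Values marked hypothetical are placeholders, not SecureAuth defaults.
$LdapString = 'LDAP://domain.com/DC=domain,DC=com'   # string format from step 8
$DbServer   = 'db.domain.com'; $DbPort = 1433        # hypothetical database endpoint
$SmtpServer = 'smtp.domain.com'                      # hypothetical SMTP relay
$MaxSkew    = [timespan]::FromMinutes(5)             # deviation limit from step 6

function Test-Port([string]$Name, [string]$HostName, [int]$Port) {
    # Plain TCP connect test; does the job of "telnet <IP Address> <Port Number>".
    $r = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = $Name; Target = "${HostName}:$Port"; Passed = $r.TcpTestSucceeded; Detail = '' }
}

# Split the LDAP string into the directory host and the search base.
if ($LdapString -notmatch '^LDAP://(?<host>[^/]+)/(?<base>.+)$') { throw "Unexpected LDAP string: $LdapString" }
$ldapHost = $Matches.host

$results = @()
# DNS resolution for every name the appliance must reach.
foreach ($n in $ldapHost, $DbServer, $SmtpServer, 'cloud.secureauth.com', 'trx.secureauth.com') {
    $ok = [bool](Resolve-DnsName -Name $n -ErrorAction SilentlyContinue)
    $results += [pscustomobject]@{ Check = 'DNS'; Target = $n; Passed = $ok; Detail = '' }
}
$results += Test-Port 'LDAP' $ldapHost 389           # assumed standard LDAP port
$results += Test-Port 'Database' $DbServer $DbPort
$results += Test-Port 'SMTP' $SmtpServer 25

# HTTP reachability (uses the system proxy settings) plus a rough clock check
# that compares the local UTC time with the server's Date response header.
foreach ($site in 'cloud.secureauth.com', 'trx.secureauth.com') {
    $row = [pscustomobject]@{ Check = 'HTTP'; Target = "http://$site"; Passed = $false; Detail = '' }
    try {
        $resp = Invoke-WebRequest -Uri $row.Target -UseBasicParsing -TimeoutSec 15
        $row.Passed = $true
        $date = [string]($resp.Headers['Date'] | Select-Object -First 1)
        if ($date) {
            $server = [datetimeoffset]::Parse($date, [cultureinfo]::InvariantCulture).UtcDateTime
            $skew = ($server - [datetime]::UtcNow).Duration()
            $row.Detail = 'clock skew {0:N0}s' -f $skew.TotalSeconds
            if ($skew -gt $MaxSkew) { $row.Passed = $false; $row.Detail += ', exceeds 5 minutes' }
        }
    } catch { $row.Detail = $_.Exception.Message }   # includes non-2xx replies
    $results += $row
}
$results | Format-Table -AutoSize
```

The port tests connect directly and do not use the proxy, so a failed HTTP row with passing DNS rows points at the proxy or perimeter firewall rather than name resolution.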