25 October 2011

Accommodate Tablets and Smart Phones in your company using TMG as a Wifi gateway

The Problem
There has been a steady increase in tablet / slate devices, and more and more users bringing their own unmanaged devices to work.  With this increase there is a higher than ever demand for IT departments to provide the services these devices need to fully function in the workplace.  I have been trying to figure out a good way to accommodate this need on a corporate network without compromising security.

My simple answer was to just create a public hotspot for them and give them the same access anyone from the internet would have.

There was just one big catch though.  These devices can be anything from an iPhone to an Android tablet to an unmanaged Windows XP laptop.  I needed a generic, one-size-fits-all approach to authenticate which users should and should not be on the Wifi hotspot.  Using a proxy would have been perfect, except not all devices or apps support proxies, and each device has a different "setup procedure".  The only answer was to use NAT.  The limitation with TMG, though, is that there is no native way to authenticate users of a NAT connection.

The Answer
Collective Software has a product called Captivate that allows you to do just that.  In my example I needed users to provide a username and password in a web form before they were granted access.


Captivate allows you to use TMG forms-based authentication to authenticate a user.  This has the advantage of using a native authentication method, so you can use any of the TMG supported authentication validation methods:

  • Windows Active Directory
  • LDAP
  • RSA SecurID
You can therefore have guest accounts residing in a separate LDAP store without ever having to create a domain user for them.  You can also use customised forms, notify users about passwords that are expiring, and give them a way to change them.  I customised the Exchange template for this (check http://fixmyitsystem.com/2010/11/customise-tmg-exchange-forms.html )

Now this all seems very basic, but imagine a user who never uses a PC, only their own private iPad...

Building the Solution
You will need to download the Captivate Evaluation package.
Download the Captivate Documentation.  The doc is really well put together, and all you have to do to get it working is to follow it.

TMG server
I built a TMG server with three networks.

  • Corporate Internal
  • Wifi Internal
  • External

  • The relationship between Corporate and External is a NAT
  • The relationship between Wifi and External is a NAT
  • The relationship between Wifi and Corporate is a NAT *

I configured rules so that the Wifi network never communicates with the corporate network.  Instead, connections flow out to the Internet, where they can be routed back to my Internet-published applications.  This gives me the advantage of having a single point of exposure to untrusted networks such as the Internet and this Wifi guest network.  TMG only communicates with the corporate network for authentication and management.

It is of course also possible to configure rules to allow access to the corporate network; you can even allow this without having to authenticate the user with the Captivate plug-in.

Captivate Configuration
Before you configure anything for this, read the PDF from http://www.collectivesoftware.com/Products/Captivate ; you will need to follow this guide for configuring the Luna scripts.

Essentially it installs as a web filter.  This then becomes an option you can enable on the rules where you want it to apply.

As a minimum you will need to create a publishing rule to host the authentication form.  Secondly, you need to configure your access rule for Internet access.

Changing the "Trigger Captivate process" setting essentially gives the authenticated session a lifespan, something like a DHCP lease.

Enabling the Tracking options lets you keep track of the user / machine relationship.  This is important if you ever need to forensically trace a user to a session.  If, however, you simply want to secure the access, it is not required.

Internet Access and other rules
The only drawback is that although the user is authenticated, the user credentials are not passed on to NAT requests.  You can therefore not set user-level access rules.  On the up side, you can still apply URL filtering rules to prevent access to certain site categories, and you are also able to limit access to the IPs, ports and protocols you want to allow.  You can do anything you would normally do with a SecureNAT client.
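As an added illustration (not from the original post and not Collective Software's code), here is how the tracking data from the portal could be used to attribute anonymous NAT traffic back to a login: each portal login opens a lease window for a client IP, and each NAT entry is matched to the most recent lease covering its timestamp, so an IP that sends traffic with no covering lease stands out. The log lines and their layout are constructed for the example, and the four-hour lease is an assumed value, not a Captivate default.

```python
"""Attribute anonymous NAT entries to captive-portal logins by IP and lease window."""
from datetime import datetime, timedelta

# Constructed sample data (not real TMG output). Each login is the moment a
# client IP passed the Captivate web form, i.e. the start of its "lease".
LOGIN_LOG = """\
2011-10-25 08:02:10 10.50.0.21 alice
2011-10-25 08:03:55 10.50.0.22 bob
2011-10-25 12:30:00 10.50.0.21 carol
"""

# Constructed NAT entries: the gateway only sees the client IP here, because
# the authenticated username is not carried on NAT traffic.
NAT_LOG = """\
2011-10-25 08:05:00 10.50.0.21 203.0.113.10:443
2011-10-25 09:30:00 10.50.0.22 203.0.113.20:80
2011-10-25 11:59:00 10.50.0.21 203.0.113.30:443
2011-10-25 12:45:00 10.50.0.21 203.0.113.40:443
2011-10-25 13:00:00 10.50.0.23 203.0.113.50:443
"""

LEASE = timedelta(hours=4)  # assumed "Trigger Captivate process" interval


def parse(text):
    """Turn 'date time ip rest' lines into (datetime, ip, rest) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, ip, rest = line.split(" ", 3)
        rows.append((datetime.fromisoformat(f"{day} {clock}"), ip, rest))
    return rows


def attribute(login_text, nat_text, lease=LEASE):
    """Map each NAT entry to the user whose lease covered that IP at that time."""
    logins = sorted(parse(login_text))  # ascending by login time
    result = []
    for when, ip, dest in parse(nat_text):
        user = None
        for lwhen, lip, luser in logins:
            if lip == ip and lwhen <= when < lwhen + lease:
                user = luser  # a later login on the same IP overrides an earlier one
        result.append((when.isoformat(sep=" "), ip, dest, user))
    return result


def unattributed(rows):
    """IPs that sent NAT traffic without any covering login: worth investigating."""
    return sorted({ip for _, ip, _, user in rows if user is None})
```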

Unmanaged devices are untrusted devices; they should never have unrestricted access to your corporate network.  Device limitations mean that the traditional health check / UAG kind of solution simply will not work for this.  In the past it was easy to simply say no to these requests, but realistically you will have to accommodate them in the not too distant future.

Check the follow up article  - http://fixmyitsystem.com/2011/11/accommodate-tablets-and-smart-phones-in.html
