
NetConnect 8.4.0 Configuration Guide

Introduction

The purpose of this guide is to provide a single source of information for the core features of NetConnect Release 8. This document covers the most common steps involved in configuring and deploying a NetConnect instance. It is split into four main sections: Installation, Authentication, Application Configuration and System Administration.
Should you require assistance beyond this document, please contact: customersupport@northbridgesecure.com.

Supported Versions

While this information may be relevant to other versions / environments, the ones stipulated here have been actively tested with positive results.

Product                                Version
NetConnect                             7.8.8.0 and above
Microsoft Windows Server               2008 R2 and above
Microsoft Windows Desktop              7 and above
Apple Mac (OS X)                       OSX 10.9 and above
Apple iPhone, iPad & iPod Touch (iOS)  iOS 9 and above
Android                                6.0 and above
Java                                   8.4x and above
Browsers (HTML5 applications)          Chrome, Firefox, Internet Explorer 11, Safari, Edge
Browsers (Java Port Forwarder)         Internet Explorer 11, Safari
Hardware                               NSS5000, NSS50

Installation

For NetConnect Release 8.1 and above, our recommended approach is to utilise pre-configured images of NetConnect on a virtual platform, available from Northbridge Secure. Installation directly on to CentOS 6.8 Minimal (a widely used distribution of Linux based on RHEL, Red Hat Enterprise Linux) is also possible. This section will cover the following:

  • Virtual installation (VMWare)
  • Virtual installation (Hyper-V)
  • Cloud installation (AWS)
  • Cloud installation (Azure).

Once you have completed the installation, you will be able to access your NetConnect instance's web interface locally via the default admin account; you will then be able to begin additional configuration, including:

  • Integration with your Active Directory
  • Enabling Single Sign On
  • Apply an SSL Certificate to ensure secure, encrypted connections
  • Apply a licence to allow multiple users access
  • Publish multiple desktops or applications
  • Configure multi-factor authentication
  • Print to any locally configured printer
  • Configure groups and V-Realms for enhanced access management
  • Change default admin passwords.

All these topics and more are covered in subsequent sections.

Virtual Installation

VMWare Installation

Overview
This section is intended to act as a guide to installing NetConnect within a VMWare environment via a pre-configured .OVA file. Note, the NetConnect OVA file was created using vSphere 6, Virtual Machine 11.

Before you begin
Prior to commencing your installation, you will require the following:

  1. A capacity to install a virtual instance that meets the following minimum specs:
    • 2GB of RAM
    • 1 CPU
    • 40GB of hard disk space
    • Internet access
  2. Logon credentials to the Partner Portal as supplied by Northbridge Secure
  3. A copy of the latest NetConnect OVA file. This is available on the Partner Portal
  4. 1 (one) dedicated static internal/private IP address
  5. 1 (one) dedicated static external/public IP address. Required to access your NetConnect externally.

Default Passwords
For reference, the default Admin credentials for console and web access are below:

Console:

Username:sadmin
Password:$admin.v801

Web:

Username:admin
Password:adminv8

Installing the OVA
This guide will not cover the standard OVA installation process and concentrate instead on the specific steps required for NetConnect. For steps on the standard OVA installation process, please refer to the publicly available VMWare guides.

Note, at the Disk Format stage, we recommend selecting Thick Provision Lazy Zeroed.

When selecting the network at the Network Mapping stage, ensure you select a network and subnet with access to the desktops/server/applications you wish to access via NetConnect.

Once you have followed the deployment prompts, VMWare will provision your NetConnect VM based on the OVA file. Once completed, right-click on your new NetConnect VM, select “Open Console” and log in using the default console credentials (sadmin/$admin.v801).

Configuring Network Settings
Once you have connected via console, you will be required to configure your network settings in order to access NetConnect internally. When prompted for ‘Terminal Type’, press the number 1 on your keyboard to select Linux. You will then be prompted to change the console password. Ensure you record the new password in a secure location. If the password is lost, there is no facility to recover it.

Once the default password has been changed, the next step is to assign the internal network details to the NetConnect server. When presented with the below screen, open the “Network Settings” page:

Once in “Network Settings”, enter the Hostname and Default Gateway into the appropriate fields. Ensure the static Private IP address is entered under the Primary Interface field. Confirm all the information is correct, highlight Save and press the Enter key. Below is an example of a completed Network Settings page using a single NIC configuration:

You will then be taken back to the main console menu screen. Go down to Reboot Box then press the Enter key. After the server has rebooted, NetConnect will be accessible internally via the assigned static private IP using the default web credentials (admin / adminv8). If you are unable to reach NetConnect at this stage, you will need to delete the Network Adapter from your instance via the VMWare console and then add and configure a new Ethernet Adaptor.

Hyper-V Installation

Overview
This section of the configuration guide is intended to act as a guide to trialling NetConnect within a Hyper-V environment. Installation will be via a prepared Hyper-V virtual machine which is available at the Northbridge Partner Portal. Note: the NetConnect virtual machine has been built using Hyper-V 6.3.

Before you begin
Prior to commencing your installation, you will require the following:

  1. A capacity to install a virtual instance that meets the following minimum specs:
    • 2GB of RAM
    • 1 CPU
    • 40GB of hard disk space
    • Internet access
  2. Logon credentials to the Partner Portal as supplied by Northbridge Secure
  3. A copy of the latest NetConnect OVA file. This is available on the Partner Portal
  4. 1 (one) dedicated static internal/private IP address
  5. 1 (one) dedicated static external/public IP address. Required to access your NetConnect externally.

Default Passwords
For reference, the default Admin credentials for console and web access are below:

Console:

Username:sadmin
Password:$admin.v801

Web:

Username:admin
Password:adminv8

Installing the Hyper-V Instance
Installation of the NetConnect Hyper-V instance is a straightforward operation. This document will pass over the standard image installation process and concentrate on the specific steps required for NetConnect. For detail on the standard Hyper-V virtual machine installation process, please refer to the publicly available Hyper-V guides.

The current NetConnect Hyper-V image file can be downloaded from the Partner Portal. Note, this will come as a virtual hard disk which will be used to build the Virtual Machine.

From your Hyper-V Console, select New > New Virtual Machine and follow the below steps:

Before You Begin
Select ‘Next’.

Specify Name and Location
Define the name and storage location of the VM.

Specify Generation
Select ‘Generation 1’.

Assign Memory
Define the memory of the VM. The recommended size is 2GB or 2048MB.

Configure Networking
Select the relevant pre-configured Network adapter.

Connect Virtual Hard Disk
Select ‘Use an Existing Virtual Hard Disk’, then use the browse option to select the NetConnect VHD downloaded from the Partner Portal.

Summary
Review and finish.

Once you have followed the deployment prompts, Hyper-V will provision your NetConnect VM based on the pre-configured virtual image file. Once completed, right-click on your new NetConnect VM and select “start”. The server will boot up and you will be presented with the console log in screen; log in using the default console credentials (sadmin/$admin.v801).

Configuring Network Settings
Once you have connected via console, you will be required to configure your network settings in order to access NetConnect internally. When prompted for ‘Terminal Type’, press the number 1 on your keyboard to select Linux. You will then be prompted to change the console password; you can opt to cancel this step. If you choose to change the password, ensure you record the new password in a secure location. If the password is lost, there is no facility to recover it.

Once the default password has been changed, the next step is to assign the internal network details to the NetConnect server. When presented with the below screen, open the “Network Settings” page:

Once in “Network Settings”, enter the Hostname and Default Gateway into the appropriate fields. Ensure the static Private IP address is entered under the Primary Interface field. Confirm all the information is correct, highlight Save and press the Enter key. Below is an example of a completed Network Settings page using a single NIC configuration:

You will then be taken back to the main console menu screen. Go down to Reboot Box then press the Enter key. After the server has rebooted, NetConnect will be accessible internally via the assigned static private IP using the default web credentials (admin / adminv8).

Cloud Installation

Azure

Overview
NetConnect can be installed directly from the Azure Marketplace. The NetConnect application on Microsoft Azure allows you to deploy a full NetConnect server simply and very quickly. The NetConnect deployment available on the Azure Marketplace is pre-installed, allowing you to dive into configuration and be ready for your first connection within 15 minutes. Installation instructions can be found within the NetConnect Azure Marketplace page.

AWS

Overview
This section of the configuration guide is intended to act as a guide to trialling NetConnect within AWS. In it, we will cover the key steps involved with installing a fresh instance of the latest NetConnect release and publishing a desktop. Installation will be via a prepared Amazon Machine Image (AMI), which is available via the AWS Community AMI portal. This guide is intended for administrators looking to install NetConnect for evaluation purposes. By the end of this document, you will have published an AWS server desktop via NetConnect.

Once you have completed the installation steps detailed in this document, additional configuration can be performed in order to access additional features and expand functionality.

Before you begin
Prior to commencing your installation, you will require the following; each of these points is detailed within this guide and the accompanying video:

  1. An account with AWS
  2. An existing server within AWS that you wish to connect to via NetConnect
  3. Virtual Private Cloud configuration in place.

Default Passwords
For reference, the default Admin credentials for NetConnect are below:

Username:admin
Password:adminv8

Installing the AMI
Installation of the NetConnect AMI is a straightforward operation. This section of the guide will cover the specific steps required for NetConnect. For further information on AWS AMIs, please refer to the AWS website.

Installation
Log in to your AWS account, navigate to ‘EC2’ and select ‘Launch instance’. You will then be able to follow the installation via the standard AMI wizard.

Step 1: Choose an Amazon Machine Image (AMI)
Under the ‘Community AMI’ section, search for “NetConnect” and select this image:

Step 2: Choose an Instance Type
We recommend using the instance type T2 Small, as this meets the minimum specification of 1 CPU & 2GB RAM.

Step 3: Configure Instance Details
Ensure you select a network and subnet with access to the server(s) you wish to access via NetConnect. Ensure you enable Auto-Assign Public IP. All remaining settings are to be configured to your specific AWS requirements.

Step 4: Add Storage
The AMI storage is pre-configured with 40GB and does not require any further configuration.

Step 5: Tag Instance
Tag your instance as required, for example ‘NetConnect Trial’.

Step 6: Configure Security Group
Create or assign a security group that allows port 443 from any location, as well as any other environment-specific requirements.

Step 7: Review Instance Launch
Review the settings and select Launch; you will then be presented with key pair options. While you will need to select/create a key pair and tick the acknowledgement in order to complete the process, NetConnect is configured with default credentials and as such key pairs will not be relevant.

After a short while your NetConnect server will be accessible from the ‘Instance’ window. Once the standard automatic status checks have been completed, NetConnect will be accessible via the Public IP.

Elastic IP
Note that by default the IP address assigned by AWS is dynamic and will change if the server is shut down (it will remain after a reboot). It is recommended that an elastic IP is assigned for any production environment instance, as access will be via a URL which relies on a static IP configured via DNS.

Physical Installation

Overview
This section describes how to install NetConnect onto an NSS5000 or NSS50 appliance. With this approach, CentOS 6.8 (a widely used distribution of Linux based on Red Hat Enterprise Linux) will be applied to the appliance, with a NetConnect TGZ file installed on top of this OS. This section assumes the reader is comfortable with the Linux command line interface.

Before you begin
Prior to commencing your installation, you will require the following; each of these points is detailed within this document and the accompanying video:

  1. An NSS5000 or NSS50. Note, this instance must have internet access in order to download required RPMs.
  2. A copy of CentOS 6.8 minimal. This is available from the Partner Portal
  3. 1 (one) static internal IP address.

Default Passwords
For reference, the default Admin credentials for NetConnect are below:

Username:admin
Password:adminv8

Installing CentOS
Installation of CentOS is a straightforward operation. If you need a step-by-step guide on how to install CentOS, please refer to the ‘Install CentOS 6.8’ section here. Note, you will be using the root account at various points during the installation process; please be sure to record the credentials.

Installing NetConnect
Once your virtual instance is running CentOS 6.8 minimal, you’re ready to install NetConnect.

CentOS Preparation
You need to install the ‘wget’ tool, which is not included in the CentOS minimal install. To do this, run the following command from the shell prompt:
yum install wget -y

Then you will need to download the script that is required to perform the installation:
wget https://s3-ap-southeast-2.amazonaws.com/nos-installer/runscript.sh

When ready, run the following command to make the file executable:
chmod +x runscript.sh

Finally, run the below command to execute the script:
./runscript.sh

Press any key to continue when prompted. CentOS will download and install the required files. After one to two minutes, you’ll be presented with the network configuration interface.

  • Enter ‘Device Configuration’
  • Enter the network card you wish to configure
  • Arrow down and use the spacebar to toggle off ‘Use DHCP’
  • Enter the Static IP, subnet mask, default gateway, primary & secondary DNS server addresses into the relevant fields
  • Arrow down and use the spacebar to toggle off ‘Controlled by NetworkManager’
  • Select ‘OK’
  • Select ‘Save’
  • Select ‘Save&Quit’
  • Press any key to continue.

At this point, the CentOS server will reboot and apply the changes.

Once your CentOS server has rebooted, connect via console to your CentOS image, log in as root and run the following commands:
cd /tmp
./netconnect.sh

Again, press any key to continue when prompted. This will run the NetConnect installation script, which will take between five and ten minutes. Once the installation has finished, you will be prompted to reboot; simply enter the command reboot and press Enter.
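The steps above download runscript.sh and execute it as root, so the only thing standing between a tampered download and a root shell is the integrity of that file. The following check is an added example, not part of the NetConnect guide or of Northbridge Secure's installer: it refuses non-HTTPS download sources and compares the SHA-256 of the downloaded script against a value you obtained from the vendor out of band before you run chmod +x and ./runscript.sh. The expected hash below is a placeholder (assumption); replace it with the published value.

```python
"""Pre-execution integrity check for a downloaded installer script.

Added example; not NetConnect code. EXPECTED_SHA256 is a placeholder that
must be replaced with the hash published by the vendor (assumption: the
vendor publishes one). Run after the wget step and before chmod/./runscript.sh.
"""
import hashlib
import hmac
import sys
from urllib.parse import urlparse

# Placeholder: replace with the SHA-256 published by the vendor (assumption).
EXPECTED_SHA256 = "<sha256 published by vendor>"
# Download source taken from the guide's wget step.
INSTALLER_URL = "https://s3-ap-southeast-2.amazonaws.com/nos-installer/runscript.sh"


def is_https_url(url: str) -> bool:
    """Accept only https:// sources with a host; plain http is rejected."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def sha256_of_file(path: str) -> str:
    """Stream the file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path: str, expected_sha256: str) -> bool:
    """True only when the file's SHA-256 equals the expected value.

    compare_digest avoids timing-dependent comparison; the case fold
    tolerates upper-case hex copied from a vendor page.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def main(argv):
    path = argv[1] if len(argv) > 1 else "runscript.sh"
    if not is_https_url(INSTALLER_URL):
        print("refusing non-HTTPS download source")
        return 2
    if not verify_installer(path, EXPECTED_SHA256):
        print(f"{path}: SHA-256 mismatch, do not execute")
        return 1
    print(f"{path}: hash verified, safe to chmod +x and run")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage on the CentOS host: python verify_installer.py runscript.sh, and only proceed to chmod +x if the exit status is 0. The same function can be reused for the netconnect.sh script that the installer drops into /tmp if a hash for it is available.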

Authentication

Once NetConnect is installed, there are several steps that can be taken to integrate with the internal infrastructure to allow access for specific users/accounts. From this stage, all configuration steps will be performed within the Administration page. Access to this area is restricted to Admin users. The Admin page can be reached by navigating to the assigned internal IP address configured during Installation, and logging on using the default Admin credentials:

Username:admin
Password:adminv8

This section will cover the following:

    • An introduction to the Administrator accounts
    • An introduction to the Administrator page
    • V-Realms
    • Active Directory integration
    • SMB Authentication
    • Local User Authentication
    • Multi-Factor Authentication.

Administrator Access

Understanding Administrator Accounts

The following four default administrative accounts are provided:

      • Auditor: The auditor account is the lowest privilege level. This is essentially a read-only
        account
      • Radmin (or reseller administrator): An account created for managing the service in the field
      • Maint: An account created for general maintenance and has the least number of privileges
      • Admin: This account has the highest privilege level.

Admin or Radmin provides the level of privileges necessary for configuration. It is recommended that all default passwords are changed prior to production roll out. All configuration instructions presented in this guide can be performed as admin or radmin. Exceptions are noted. The rights of each of the administrative accounts are listed in the following table:

Administrator Right                                        Auditor  Radmin  Maint  Admin
Administer the product licences                            No       Yes     No     Yes
Backup and restore configuration settings                  No       Yes     No     Yes
Create, modify and delete application objects              No       Yes     Yes    Yes
Access and change network settings such as IP addresses    No       Yes     No     Yes
Activate and de-activate the internal firewall             No       Yes     No     Yes
Create, modify and delete users                            No       Yes     Yes    Yes
Customise the login screen                                 No       Yes     No     Yes

Default Passwords
Default passwords can be found below:

admin:   adminv8 (web)
sadmin:  $admin.v801 (used for SSH and console access)
radmin:  r@dmin801
maint:   m@intain801

Administrator Access Requirements
To access the Administrator Site, you will need the following:

      • Supported web browsers:
        • Microsoft Internet Explorer 11
        • Microsoft Edge
        • Firefox version 4x.x
        • Chrome version 4x.x
        • Safari version for Mac OS X 10.9 and above
      • A valid username and password, and the IP or URL of your NetConnect platform.

Logging in to the Administrator Site

To access the Administrator Site:

      • Initiate a connection to the Internet and launch a Web browser
      • Enter the IP address you configured during the initial setup.

You will be presented with the log in page, as shown below:

      • For User Name, enter admin. This field is case-sensitive.
      • For Password, enter adminv8. This field is case-sensitive.
        • The default password should be changed prior to production roll out.
      • Make sure the V-Realm field is set to Local (or type Local in the V-Realm field if the V-Realm drop-down list box is not displayed).
      • Click Log In
        • The Licence agreement is displayed when you log in for the first time as admin. Accept the licence agreement by clicking Yes.
      • Click the Admin icon to access the configuration pages referred to as the Administrator Site.

The admin page can be used for the following:

      • Manage Access: Assign applications, policies and other services to users and groups on a per V-Realm basis.
      • Groups: Add and manage groups of users.
      • Applications: Create pointers to the applications that you want users to be able to access.
      • Services: Configure system-wide settings for each of the services.
      • Reporting: Gather reports on usage statistics and the like.
      • Monitoring: Gather and review product statistics some of which are based on time periods you specify.
      • Customisation: Customise the login page with your company’s name and logo.
      • System Configuration: Configure network settings such as Ethernet and DNS settings, as well as install licences, manage digital certificates, backup system settings and restore system settings.
      • Authentication Settings: Configure V-Realms and authentication states within V-Realms such as SMB, LDAP and RADIUS.

Changing an Administrator’s Password

To change the password of your administrator account, follow the below:

WARNING: If you change the password for the admin account, be sure to document the new password and keep it in a safe location. If you forget the password you will not be able to access NetConnect and there is no other way to gain access.

      • From the Administrator Site, navigate to Authentication Settings > Datastores > Internal Auth Stores
      • Select Admins and then click Get User List as shown:
      • Select the admin account for which you want to change the password and then click Edit Properties:

        • The Password field is case sensitive. The password may have any alphanumeric character, or punctuation marks such as the following English punctuation marks: !"#$%&'()=-~^|\`@{[+;*:}]<,>.?/_\ .
      • Enter a new password in the New Password field and then type the identical password in the New Password Confirm field.
      • Click Update Password to save the changes.

If you changed the password, log out and then log in again using the new password.

Configuring Role Based Administration
You can allow users to also assume the role of administrator by assigning administrator privileges to users and then granting them membership to the Admin Service. The various administrator roles that may be assigned to a user are Radmin, Maint and Auditor. Note that roles cannot be assigned or changed for the default administrator accounts (Admin, Radmin, Maint).

To assign administrator privileges to a user, do the following.

      • From the Administrator Site, click Manage Access.
      • Select the name of the V-Realm that you want to work with and click Get The User List. In the following example, test V-Realm is selected.
      • Select the name of the user to whom you want to add administrator privileges and then select General Properties. The properties page for that user appears:
      • Locate the Role Based Administration section
      • Choose one of the following roles:
        • None: Choose None (the default setting) to prevent this user from having administrator privileges. When None is specified, the users only have user level privileges that have been allowed such as application access and the ability to change their own passwords.
        • Radmin: Choose Radmin to allow this user to also have radmin level administrator privileges.
        • Maint: Choose Maint to allow this user to also have Maint level administrator privileges.
        • Auditor: Choose Auditor to allow this user to also have an auditor role. Auditor provides read only access to the administrator site. Attempts to change settings result in error messages indicating that the user is not authorised.
      • Click Assign. You will be prompted to confirm that you want to change the role for this user.
      • Click OK to confirm.
      • Navigate to Services menu, select Admin. The Membership page for the various administrator accounts appears.
      • If the name of the user whose role you just changed is in the NonMembers column, select the user name and then click the right arrow to move it to the Members column as shown:

The user is now a member of the Admin service and, if administrator privileges were added, then those additional privileges are now in effect.

The next time the user logs in, the Admin icon will appear on the WebTop.

V-Realms

NetConnect can be configured to allow user authentication in a number of ways. Authentication is built around the concept of V-Realms, which allow for advanced authentication management.

V-Realms Overview

The advanced V-Realms client identity engine simplifies the provisioning of authentication and entitlements, which can include employees, partners and affiliated authorised users (such as physicians affiliated with a hospital).
This section presents a conceptual overview of V-realms and their implementation. A user’s association with a V-Realm determines the user’s method of authentication, and also determines the authentication server(s) against which a user’s credentials are validated.
Each V-Realm page can be customised with unique company names, logos and messages. Please refer to the ‘Customisation’ section of this guide for further details.

About the Local V-Realm
By default, there is a V-Realm named “local” that uses internal authentication and contains the following administrative accounts:

      • Admin: The admin account is the highest privilege level.
      • Radmin (or reseller administrator): An account with fewer privileges than admin.
      • Maint: An account created for general maintenance and has the least number of privileges.

Adding Authentication Stages to the Local V-Realm
For stronger administrator authentication, you can add more authentication stages such as Active Directory, RADIUS or SMB to the local V-Realm. Details on how to configure specific changes are covered in this section.

V-Realm Considerations
Several items to consider when configuring V-Realms are listed below:

      • To log in, every user must belong to a V-Realm
      • A user can only exist in one V-Realm. Duplicate names in two V-Realms are treated as unique users
      • You can create a maximum of 1,000 authentication V-Realms
      • All members of the V-Realm inherit all applications assigned to that V-Realm.

Authentication Stages within V-Realms
Authentication stages are defined within a V-Realm and are used to indicate the type of authentication server that validates a user’s login credentials. Each defined authentication stage has two components, an authentication section and a policy section. The authentication section is required for any given stage. However, the policy definition is optional. Configuring policy enables retrieval of group membership information about users from external authentication servers when they log in.

Types of Authentication Stages within a V-Realm
Below is a list of some of authentication stages that can exist within a V-Realm:

Authentication Stage   Description
LDAP                   Authenticates the user against the user account maintained on an external LDAP server
RADIUS                 Authenticates the user against the user account maintained on the external RADIUS server
SMB                    Authenticates the user against the user account information maintained on an external Windows Domain Controller
Internal               Authenticates the user against the NetConnect internal user account information. The user account information is cryptographically maintained in NetConnect itself. Internal user account information is hashed in a form where the original password cannot be recovered

Multiple Stage Authentication Within a V-Realm
For added security, you can set up multiple authentication stages within the same V-Realm. When a user logs in to a V-Realm that has been set up with multiple authentication stages, successful authentication must occur at every stage within that V-Realm before access is allowed. This is an important consideration when creating different stages within a V-Realm.

NOTE: A maximum of 10 different authentication stages can exist within a V-Realm.

Logging in as Multiple Users
By default, V-Realms with multiple stages are configured so that users log in with the same username for every stage. The user is challenged for username and password for the first stage, and then prompted only for their password at each subsequent authentication stage (i.e. the username is carried forward from stage to stage). This default arrangement, when the user name is the same between stages, provides a level of user convenience. Alternatively, V-Realms can be configured to force users to log in using different user names as well as passwords for every stage. In effect, this allows a user to log in under different user names for the same session. There are several advantages to this arrangement, including:

      • Users can access distinct systems (e.g. a UNIX server and a Windows terminal server) where they hold different accounts, within the same session
      • Increased security
      • Administrators can log in with different administrative privilege levels for various administration needs, such as system testing.

This feature is configured when you create additional authentication stages within a V-Realm. The Authentication Stage properties page has a check box labelled “Use same username as previous stage”, explained later in “Creating an Authentication Stage Within a V-Realm”.
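The multi-stage behaviour described above (every stage must pass, the chain stops at the first failure, at most 10 stages per V-Realm, and a stage either carries the previous username forward or asks for its own) is easy to reason about as a small model. The following is an added illustration, not NetConnect's implementation: the stage back-ends are stand-ins for the LDAP/RADIUS/SMB/Internal checks and the credential tables are constructed sample data.

```python
"""Model of multi-stage V-Realm authentication as the guide describes it.

Added example; not NetConnect code. Stage verifiers are stand-ins for the
real LDAP/RADIUS/SMB/Internal back-ends, and all accounts are constructed.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_STAGES = 10  # per-V-Realm limit stated in the guide

# A back-end verifier: (username, password) -> bool.
Verifier = Callable[[str, str], bool]


@dataclass
class AuthStage:
    name: str
    verify: Verifier
    # The "Use same username as previous stage" check box from the guide.
    use_same_username: bool = True


@dataclass
class VRealm:
    name: str
    stages: List[AuthStage] = field(default_factory=list)

    def add_stage(self, stage: AuthStage) -> None:
        """Enforce the guide's cap of 10 authentication stages per V-Realm."""
        if len(self.stages) >= MAX_STAGES:
            raise ValueError(f"V-Realm {self.name!r} already has {MAX_STAGES} stages")
        self.stages.append(stage)


def authenticate(realm: VRealm,
                 prompts: List[Tuple[Optional[str], str]]) -> Tuple[bool, str]:
    """Run the stages in order and return (granted, reason).

    `prompts` holds one (username, password) pair per stage. When a stage
    has use_same_username=True the supplied username is ignored and the
    name from the previous stage is carried forward, which is the
    password-only prompt the guide describes.
    """
    if not realm.stages:
        return False, "realm has no authentication stage"
    if len(prompts) != len(realm.stages):
        return False, "one credential prompt required per stage"
    current_user: Optional[str] = None
    for stage, (username, password) in zip(realm.stages, prompts):
        if stage.use_same_username and current_user is not None:
            username = current_user
        if not username:
            return False, f"{stage.name}: username required"
        if not stage.verify(username, password):
            # First failure ends the login; later stages are never consulted.
            return False, f"{stage.name}: authentication failed"
        current_user = username
    return True, "all stages passed"


def table_verifier(accounts: Dict[str, str]) -> Verifier:
    """Build a verifier over a constructed username -> secret table."""
    def verify(username: str, password: str) -> bool:
        expected = accounts.get(username)
        return expected is not None and hmac.compare_digest(expected, password)
    return verify


def demo_realm() -> VRealm:
    """Constructed two-stage realm: an LDAP-like stage, then a RADIUS-like
    stage that reuses the username (the user is prompted only for a code)."""
    realm = VRealm("corp")
    realm.add_stage(AuthStage("ldap", table_verifier({"alice": "ldap-pw"})))
    realm.add_stage(AuthStage("radius", table_verifier({"alice": "otp-123"}),
                              use_same_username=True))
    return realm


if __name__ == "__main__":
    realm = demo_realm()
    print(authenticate(realm, [("alice", "ldap-pw"), (None, "otp-123")]))
    print(authenticate(realm, [("alice", "ldap-pw"), (None, "wrong")]))
```

Setting use_same_username=False on a stage models the alternative arrangement in which the user supplies a different account name for that stage, for example a domain-qualified name for an SMB stage after a UNIX account for an LDAP stage.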

Multiple Landing Pages
With Multiple Landing Pages, different log in pages can be presented from a single site. Each page or landing area is differentiated by V-Realm. The text and graphics of each V-Realm portal page can be customised.

Once you have created V-Realms, simply add the suffix /realm/<V-Realm name> to the URL to access each landing page. No additional configuration is needed. For instance, with a host name of “myproduct” and two V-Realms, realm1 and realm2, type “/realm” after NetConnect’s URL and then type the realm name of the landing page you want to access. For example, if you have two landing pages and the associated V-Realms are “realm1” and “realm2” you would enter the following URLs:

      • www.myproduct.com/realm/realm1
      • www.myproduct.com/realm/realm2

Only the following characters are allowed in a V-Realm URL: letters a through z, numbers 0 through 9, underscore “_”, dash “-” and dot “.”. Letters used in a V-Realm name can be upper or lower case but must be typed as lower case when entering the URL for a multiple landing page area. For example, if the V-Realm is configured as “MyRealm”, “MYREALM” or “myrealm”, in all of these cases the URL would be: https://virtual.northbridgesecure.com/realm/myrealm
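The naming and URL rules just given (the permitted character set, case-insensitive realm names that must be lower case in the URL, and the /realm/<name> path) can be turned into a small validator so that a badly chosen realm name is caught before its landing page URL is handed to users. The code below is an added example, not NetConnect code; the host names are the ones used in the guide's own examples.

```python
"""Build and validate V-Realm landing-page URLs.

Added example; not NetConnect code. Implements the guide's rules: realm
names may contain only a-z, 0-9, "_", "-" and "."; they are case-insensitive
but appear lower-cased in the URL; the landing page is /realm/<name>.
"""
import re

# Exactly the character class the guide permits for V-Realm names.
_REALM_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")


def is_valid_realm_name(name: str) -> bool:
    """True if the name is non-empty and uses only permitted characters."""
    return bool(_REALM_NAME.match(name))


def realm_url(host: str, realm: str, scheme: str = "https") -> str:
    """Return the landing-page URL for `realm` on `host`.

    Raises ValueError for names containing characters the guide does not
    allow (spaces, slashes, "@", ...), so path-altering input never reaches
    the URL.
    """
    if not is_valid_realm_name(realm):
        raise ValueError(f"invalid V-Realm name: {realm!r}")
    return f"{scheme}://{host}/realm/{realm.lower()}"


def landing_pages(host: str, realms) -> dict:
    """Map each configured realm name to its landing-page URL."""
    return {r: realm_url(host, r) for r in realms}


if __name__ == "__main__":
    # The three spellings the guide says resolve to the same landing page.
    for name in ("MyRealm", "MYREALM", "myrealm"):
        print(name, "->", realm_url("virtual.northbridgesecure.com", name))
    print(landing_pages("www.myproduct.com", ["realm1", "realm2"]))
```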

Creating a V-Realm

This section describes the steps required to create a V-Realm.

      • Log in as either the admin or radmin administrator account. Make sure the V-Realm name field is set to Local, or type Local in the Realm name field (when NetConnect is configured to hide the realm drop-down list box).
      • From the Administrator Site, click Authentication Settings.
      • Click V-Realm Management. The Authentication Settings page opens.
        • Note once you have created your V-Realm, you use the arrow buttons to change the order that V-Realms appear on the log on page.
      • Click Add Realm as shown:
      • Enter a name to identify the authentication V-Realm. Acceptable characters are letters (a through z), numbers (0 through 9), dash “-”, underscore “_” and period “.” The default V-Realm number is where # is the number of existing V-Realms plus one.
      • Click Submit. The following page appears:

To complete the creation of this V-Realm, you must define at least one authentication stage within it. See the “Creating an Authentication Stage Within a V-Realm” section for further details.

Creating an Authentication Stage within a V-Realm

Once you have an understanding of V-Realms, you can move on to creating Authentication Stages in order to integrate NetConnect with your environment to enable user access. This section will cover:

        • Active Directory integration
        • SMB Authentication
        • Internal Authentication
        • Multi-Factor authentication

Creating an LDAP Authentication Stage

This section describes how to set up NetConnect to authenticate users against an external LDAP server, typically Active Directory. The following main steps are required:

Basic LDAP Configuration for Authentication
To configure the basic settings for an LDAP authentication stage, which include the connection and authentication information, follow the steps below. This assumes you have created a V-Realm as described in the “Creating a V-Realm” section and follows on from it.

        • After creating and naming a new V-Realm, select LDAP from the Stage Type drop-down list box located under Create New Authentication Stage.
        • Click Submit.

The Authentication Stage properties page opens. The basic settings that are required for configuring NetConnect to authenticate users against an external LDAP server can be seen below:

        • Specify the following settings and click Submit.

LDAP Setting | Description
Authentication Scope | This field is used to enable Single Sign-On (SSO)/Password Forwarding. Enter a unique name of your choice for the Authentication Scope, for example SSO-01. This name can be referenced when configuring an Application should single sign-on be required.
Domain | Enter the domain that the Active Directory is joined to.
Username Template | The Username Template field is used to prefix or postfix a string to the username, which removes the need for end users to include this information when logging in. For example, if a V-Realm member authenticates against a Domain Controller in a trusted domain, they would otherwise need to provide the domain name together with the username on each login. Adding the trusted domain’s name to the username template eliminates this requirement: place the domain name before the %USERNAME% token (e.g. mydomainname\%USERNAME%).
Method | Select the connection method to use between NetConnect and the LDAP server: LDAP (unencrypted, clear-text communication for the whole session); LDAPS (an SSL connection is established first and LDAP then runs over it); LDAP+TLS (a clear-text LDAP connection is established first and is then upgraded to SSL/TLS).
Host | Enter either the DNS name or the IP address of the LDAP server. A DNS name is recommended because this field is used to create entries under Group/LDAP.
Port | Enter the port number of the LDAP server.
LDAP Version | Select the LDAP protocol version of the server.
Bind DN | Enter the distinguished name (DN) of an account authorised to search the LDAP server. If the LDAP server allows anonymous searches, this field may be left blank.
Bind Password | Enter the password of the account authorised to search the LDAP server. If the LDAP server allows anonymous searches, this field may be left blank.
Base DN | Specify the point in the directory hierarchy where a search begins: enter the base DN (or base object) from which you want to search.
Login Attribute | Enter the name of the attribute that contains the user’s login name. For example, for Sun Java System Directory Server it is uid; for Active Directory it is sAMAccountName.
Search Filter | Narrow the search further, starting from the base DN, by entering one or more filters. This is helpful if two objects have the same user attribute.

If you intend to enable MyDesktop, populate the MyDesktop Settings area accordingly. See ‘Configuring MyDesktop Application’ within the ‘Application Configuration’ section for further details.
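As an added illustration in Python (not code from NetConnect or Northbridge Secure), the following shows how the settings in the table above fit together: the Method value fixes the transport, the Username Template rewrites the name the user typed, and Login Attribute plus Search Filter form one directory query. The standard port numbers, the AND-combination of the two filters and the function names are assumptions; the RFC 4515 escaping is what stops a username containing filter metacharacters from changing the query.

```python
import re

# Transport implied by each Method value (assumed standard ports; the
# stage's own Port field is what the appliance actually uses).
METHODS = {
    "LDAP":     {"port": 389, "tls": "none"},      # clear text for the whole session
    "LDAPS":    {"port": 636, "tls": "implicit"},  # TLS first, LDAP inside it
    "LDAP+TLS": {"port": 389, "tls": "starttls"},  # clear-text LDAP, then upgraded to TLS
}

def apply_username_template(template, username):
    """Expand the %USERNAME% token of a Username Template, e.g.
    'mydomainname\\%USERNAME%' -> 'mydomainname\\jsmith'."""
    if "%USERNAME%" not in template:
        raise ValueError("Username Template must contain %USERNAME%")
    return template.replace("%USERNAME%", username)

def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def build_search_filter(login_attribute, username, search_filter=""):
    """Combine the Login Attribute lookup with the optional, admin-supplied
    Search Filter (assumed to be AND-ed). Only the username is escaped: it is
    end-user input, while the Search Filter is trusted configuration."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", login_attribute):
        raise ValueError("invalid LDAP attribute name")
    user_clause = f"({login_attribute}={escape_filter_value(username)})"
    return f"(&{user_clause}{search_filter})" if search_filter else user_clause

def transport_for(method, port=None):
    """Resolve the Method (and the explicit Port, if given) to a transport description."""
    if method not in METHODS:
        raise ValueError(f"unknown Method {method!r}")
    chosen = dict(METHODS[method])
    if port is not None:
        chosen["port"] = port
    return chosen
```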

Creating an SMB Authentication Stage

Before you begin, have the following SMB server information ready.

        • Primary Name: NetBIOS name of your primary SMB server
        • Primary IP: IP address of your primary SMB server
        • Secondary Name: Name of your secondary SMB server (optional)
        • Secondary IP: IP address of your secondary SMB server (optional)

To create an SMB authentication stage, follow the steps below. This assumes you have created a V-Realm as described in the “Creating a V-Realm” section and follows on from it.

        • Choose SMB from the Stage Type drop down list box located under Create New Authentication Stage.
        • Click Submit.

The Authentication Stage properties page opens:

        • Enter the SMB information per the table below:

SMB Setting | Description
Authentication Scope | If enabling Single Sign-On for this stage, enter a name of your choice, for example SSO-01. This name can be referenced when configuring an Application should single sign-on be required.
Domain | Enter the domain that the server is joined to.
Username Template | Used to prefix or postfix a string to the username, which removes the need for end users to include this information when logging in. For example, if a V-Realm member authenticates against a Domain Controller in a trusted domain, they would otherwise need to provide the domain name together with the username on each login. Adding the trusted domain’s name to the username template eliminates this requirement: place the domain name before the %USERNAME% token (e.g. mydomainname\%USERNAME%).
Primary Name | NetBIOS name of your primary SMB server.
Primary IP | IP address of your primary SMB server.
Secondary Name (optional) | Name of your secondary SMB server.
Secondary IP (optional) | IP address of your secondary SMB server.

Internal Authentication

The authentication stage named Internal uses NetConnect authentication. Internal authentication is used for NetConnect administrator accounts and is also useful for users that do not use an external authentication server.

Creating an Internal Database of Users
Before creating an Internal Authentication stage you will require an internal user database. This section outlines how to create and populate a database of internal users.

        • From the Administrator Site, navigate to Authentication Settings > Datastores.
        • Click Internal Auth. Stores from the Datastores submenu. The Internal Auth Stores page appears.
        • Click Create New Store. The Create a new store page appears.
        • Enter a name for the group of users you want to add. Note that you can create multiple internal authentication stores.
        • Click Create Store.

Adding a User
To add a user to an internal database that you have already created:

        • From the Administrator Site, navigate to Authentication Settings > Datastores.
        • Click Internal Auth. Stores from the Datastores submenu.

The Internal Auth Stores page appears.

        • Choose a store and then click Get User List.
        • Under Actions, click Add User. The Add a New User page appears for the user group just selected.
          Field | Description
          User Name | Enter the user’s name. The username may contain any alphanumeric character, '_' (underscore), space and '.' (dot), and may be up to 128 uppercase or lowercase characters long. Note that user names are not case sensitive and therefore should not be differentiated by case; for example, a username of “John” is considered the same as the username “john”.
          Password | Enter the user’s password. Locally stored passwords can contain up to 128 uppercase or lowercase characters. The Password field is case sensitive. The password may contain any alphanumeric character, or punctuation marks such as the following English punctuation marks: !"#$%&'()=-~^|\`@{[+;*:}]<,>.?/_\
          Password Confirm | Enter the user’s password again.
        • Click Add User.

This database of users must be associated with an internal authentication stage. See the “Creating an Internal Authentication Stage” section for further details.

Creating an Internal Authentication Stage

To create an internal authentication stage, follow the steps below. This assumes you have created a V-Realm as described in the “Creating a V-Realm” section and follows on from it.

        • Choose Internal from the Stage Type drop-down list box located under Create New Authentication Stage and then click Submit.

          The Authentication Stage properties page opens.

        • Specify settings in accordance with the table below:

Setting | Description
Authentication Scope | If enabling Single Sign-On for this stage, enter a name of your choice, for example SSO-01. This name can be referenced when configuring an Application should single sign-on be required.
Domain | Enter the domain that the server is joined to.
Username Template | Used to prefix or postfix a string to the username, which removes the need for end users to include this information when logging in. For example, if a V-Realm member authenticates against a Domain Controller in a trusted domain, they would otherwise need to provide the domain name together with the username on each login. Adding the trusted domain’s name to the username template eliminates this requirement: place the domain name before the %USERNAME% token (e.g. mydomainname\%USERNAME%).
Authentication Store | Select the name of the group of users that you want to associate with this authentication stage. See the ‘Creating an Internal Database of Users’ section for further details.

Deleting a User from an Internal Database of Users
To delete a user, do the following:

        • From the Administrator Site, navigate to Authentication Settings > Datastores.
        • Select Internal Auth Stores from the Datastores submenu.
        • Locate and then select the name of the database that contains the user you want to delete and then click Get User List. An example is shown:
        • Select the name of the user you want to delete and then click Edit Properties. An example is shown:
        • Select Delete User as shown:

Deleting a Datastore
To delete the entire database of users, do the following:

        • From the Administrator Site, navigate to Authentication Settings > Datastores.
        • Select Internal Auth Stores from the Datastores submenu.
        • Select the database that you want to delete and then click Edit Store Properties.
        • Click Delete Store. A pop up message will ask you to confirm that you want to delete this store.
        • Select Yes. The datastore is deleted.

Two Factor Authentication

The RADIUS authentication stage can be used to integrate two-factor authentication solutions, provided the solution you wish to incorporate supports RADIUS authentication. This section outlines the steps for configuring a two-factor authentication stage.

Creating a RADIUS Authentication Stage
The following assumes you have created a V-Realm as described in the “Creating a V-Realm” section and follows on from it.

Before you begin, please have the following RADIUS server information ready:

Authentication Stage | Description
Primary RADIUS Server IP | IP address of the RADIUS server.
Primary RADIUS Secret | Enter the shared secret configured on the RADIUS server. The RADIUS secret is case-sensitive and must match the RADIUS server’s secret exactly.
Primary RADIUS Port | Enter the port number of the RADIUS server. It is usually 1812 or 1645.
Primary RADIUS Timeout | 60 seconds is recommended.
Initial Password (optional) | If using challenge response, you can preconfigure an initial password for use until the RADIUS server sends the challenge. Alternatively, you can use the Empty First Password field.
Empty First Password (optional) | If using challenge response, check this box to eliminate the use of the first password.
Group Attribute ID (optional) | Enter the numeric ID of the attribute that contains group membership information. Group membership information is a space-separated list of group names. For example, if an attribute named “Role” contains group membership information (such as “Group1 Group2 Group3”) and the numeric ID of the “Role” attribute is 123, set Group Attribute ID to 123.
Attributes Encoding | This required field is set to UTF-8 by default. It is the encoding of attribute values (e.g. user name, password, group name).
Secondary RADIUS Server IP (optional) | IP address of the backup RADIUS server.
Secondary RADIUS Port (optional) | Port of the backup RADIUS server.
Initial Password (optional) | If using challenge response, you can preconfigure an initial password for use until the RADIUS server sends the challenge. Alternatively, you can use the Empty First Password field.
Empty First Password (optional) | If using challenge response, check this box to eliminate the use of the first password.
Group Attribute ID (optional) | Enter the numeric ID of the attribute that contains group membership information. Group membership information is a space-separated list of group names. For example, if an attribute named “Role” contains group membership information (such as “Group1 Group2 Group3”) and the numeric ID of the “Role” attribute is 123, set Group Attribute ID to 123.
Attributes Encoding | This required field is set to UTF-8 by default. It is the encoding of attribute values (e.g. user name, password, group name).

        • Choose RADIUS from the Stage Type drop-down list box located under Create New Authentication Stage.
        • Click Submit. The Authentication Stage properties page opens:
        • Specify settings in accordance with the table below:

Setting | Description
Authentication Scope | If enabling Single Sign-On for this stage, enter a name of your choice, for example SSO-01. This name can be referenced when configuring an Application should single sign-on be required.
Domain | Enter the domain that the server is joined to.
Username Template | Used to prefix or postfix a string to the username, which removes the need for end users to include this information when logging in. For example, if a V-Realm member authenticates against a Domain Controller in a trusted domain, they would otherwise need to provide the domain name together with the username on each login. Adding the trusted domain’s name to the username template eliminates this requirement: place the domain name before the %USERNAME% token (e.g. mydomainname\%USERNAME%).
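Added illustration in Python (not NetConnect code) of what two of the RADIUS stage settings govern on the wire: the shared secret is what lets the client verify that an Access-Accept really came from the configured server (the RFC 2865 Response Authenticator), and Group Attribute ID plus Attributes Encoding select and decode the attribute that carries the space-separated group list. The packet, the secret and the function names are constructed here; attribute type 123 is taken from the table’s own example.

```python
import hashlib
import hmac
import struct
ACCESS_ACCEPT = 2  # RFC 2865 packet code

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, attrs, request_auth, secret):
    """Assemble an Access-Accept as a RADIUS server would (used for the sample only)."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def is_reply_authentic(packet, request_auth, secret):
    """True only if the reply was computed with the same shared secret we hold."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(body):
    """Walk the Type/Length/Value list; reject lengths that run past the packet."""
    attrs, pos = [], 0
    while pos < len(body):
        alen = body[pos + 1] if pos + 1 < len(body) else 0
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((body[pos], body[pos + 2:pos + alen]))
        pos += alen
    return attrs

def groups_from_accept(packet, request_auth, secret, group_attr_id, encoding="utf-8"):
    """Verify the reply, then return the group names carried by the configured attribute."""
    if not is_reply_authentic(packet, request_auth, secret) or packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an authentic Access-Accept (shared secret mismatch?)")
    groups = []
    for atype, value in parse_attributes(packet[20:]):
        if atype == group_attr_id:
            groups.extend(value.decode(encoding).split())  # space-separated list
    return groups

# Constructed sample: attribute type 123 ("Role") holding "Group1 Group2 Group3".
SECRET = b"example-shared-secret"  # placeholder, not a real secret
REQUEST_AUTH = bytes(range(16))    # the 16-byte Request Authenticator we sent
ROLE_ATTR = bytes([123, 22]) + b"Group1 Group2 Group3"  # length = 2 + 20
SAMPLE_ACCEPT = build_accept(7, ROLE_ATTR, REQUEST_AUTH, SECRET)
```

A reply built with a different secret fails the authenticator check before any attribute is read, which is why the table insists the secret match the server exactly.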
Updated on December 5, 2018
