ADFS Proxy with VDI

OPSWAT MetaAccess can be easily integrated with ADFS Proxy to ensure that a device is compliant with the organization's security policy before it is granted access to a virtual desktop. This ensures that the device is not only authenticated by the IdP, but also checked for risks and vulnerabilities such as threats or unpatched operating system versions BEFORE it accesses the organization's cloud services.

To get started integrating OPSWAT MetaAccess so that it enforces a device posture check before a device is granted access to VDI through ADFS Proxy, you first set up SSO between ADFS and VDI manually. You need the following:

  1. A domain.

  2. An Active Directory instance.

  3. Add your domain to Azure AD.

  4. Install Windows PowerShell for Azure Active Directory (the module that provides the Msol cmdlets used in Step 5).

  5. Install ADFS server.

  6. Use Azure AD Connect to enable Single Sign-On for your domain.

Installing and configuring the ADFS server and enabling SSO are beyond the scope of this tutorial. This tutorial uses screenshots from Windows Server 2016, but similar steps should work on other versions.

Now you can integrate MetaAccess with your ADFS by following the steps below. More details on each step are available at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account

  1. Login to the MetaAccess console

  2. Navigate to Access Control and then Configurations

  3. Check the "Enable access control" box and configure a port for the cross-domain API. Note that you must select a port that no application on the endpoints is using.

  4. Click SAVE.

Step 2. Add protected applications with IdP Method

  1. The next step is importing an ADFS Signing certificate into MetaAccess. This allows MetaAccess to verify users signing in through a trusted IdP. Each identity provider has a unique X.509 certificate. Download the ADFS Signing certificate by following these steps:

    1. Login to Windows Server

    2. Open Server Manager

    3. Click Tools

    4. Click AD FS Management

    5. Expand Service

    6. Click Certificates

    7. Double-click the "Token-signing" certificate being used to sign your responses

    8. Click Copy to File to export the certificate. This opens the Certificate Export Wizard. Click Next and you will be asked which format to export the certificate in; choose Base-64 encoded X.509

  2. Collect the IdP Login URL
    In this case, the IdP Login URL is https://login.microsoftonline.com/login.srf

  3. Add the ADFS Identity Provider. If you already have ADFS IdP settings on your MetaAccess account, go to the next step to add an application.

    1. Login to the MetaAccess console

    2. Navigate to Access Control and then Configurations

    3. On the Identity Providers tab, click "Add New Identity Provider" to add your IdP

    4. Fill in the required fields for the Identity Provider

      1. IdP Name: an IdP name, for example: ADFS

      2. IdP Certificate: upload the ADFS certificate you downloaded in Step 2.1

    5. Click Add IDP

    6. Click SAVE

  4. Add the application:

    1. Expand the ADFS IdP settings you have just added in Step 2.3 above.

    2. Click Add New Application

    3. Enter the required fields

      1. Application: application name, for example: vdi

      2. IDP Login URL: the login URL you collected in Step 2.2

      3. Login URL: https://login.microsoftonline.com/login.srf

      4. Logout URL: https://login.microsoftonline.com/logout.srf

      5. Access Mode: choose the access mode you prefer. See details on the access modes at Step 2. Add protected applications with IdP Method

    4. Click SAVE

  5. After saving your changes successfully, click the Setup Instructions button of the VDI application you have just added and copy the URL MetaAccess generated there. This URL is used to replace the VDI login URL on ADFS (Step 4).

Note: you can add the VDI application (Step 2.4) at the same time as you add the ADFS IdP settings.
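Step 2.1 exports the token-signing certificate through the wizard. The following script, added here as an example and not OPSWAT's or Microsoft's code, does the same from the AD FS PowerShell module and verifies the exported file; it assumes it runs on the AD FS server, and the output path is a constructed placeholder.

```powershell
# Added example: export the primary AD FS token-signing certificate as
# Base-64 encoded X.509, the format MetaAccess expects in Step 2.3.
# Assumes the ADFS module is present (run on the AD FS server).
Import-Module ADFS

$outFile = 'C:\Temp\adfs-token-signing.cer'   # constructed placeholder path

# Only the primary token-signing certificate signs current responses;
# a secondary one (pre-rollover) would make MetaAccess reject valid tokens.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
if (-not $signing) { throw 'No primary token-signing certificate found.' }

$x509 = $signing.Certificate
Write-Host "Thumbprint : $($x509.Thumbprint)"
Write-Host "Expires    : $($x509.NotAfter)"

# Export the public certificate only (no private key) and PEM-wrap it,
# which is what "Base-64 encoded X.509" in the wizard produces.
$der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [System.Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Re-read the file to confirm it parses and matches the certificate in AD FS.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
if ($check.Thumbprint -ne $x509.Thumbprint) { throw 'Exported file does not match AD FS certificate.' }
Write-Host "Exported to $outFile"
```

When AD FS rolls the token-signing certificate over, re-run the export and upload the new certificate to the IdP entry in MetaAccess, otherwise signature verification of logins fails.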

Step 3. Configure Access Rules

  1. On MetaAccess console, navigate to Access Control and then Settings

  2. On the Access Rules tab, click "ADD NEW RULE" to add a new rule for this application, or update an existing access rule to include this application

  3. With a new access rule, you need to specify whether a device is blocked from or allowed to access the application

    1. Rule name: a rule name, for example Block non-compliant devices

    2. Action: Block or Allow

    3. Configure the conditions that trigger the action. Details at Step 3. Configure Access Rules

  4. Click ADD RULE

Step 4. Create new Relying Party Trust For VDI in ADFS Server

  1. Login to Windows Server

  2. Open Server Manager

  3. Click Tools

  4. Click AD FS Management

  5. Expand Trust Relationships

  6. Click Relying Party Trusts

  7. Follow this tutorial to create a new Relying Party Trust

  8. Replace the default Endpoint with the URL from Step 2.5

Step 5. Edit SSO settings on Office 365

Installing and configuring the ADFS server enables SSO for your domain, but you need to replace the SigningCertificate in the SSO settings so that the federation works with MetaAccess.

  1. Login to Azure Active Directory via Windows PowerShell

    1. Log in to a computer with Windows PowerShell for Azure Active Directory installed

    2. Start PowerShell, run the Connect-MsolService cmdlet, and enter your administrator credentials for your Azure AD domain when prompted

      C:\Windows\system32>Connect-MsolService
  2. Back up the current SSO settings

    1. Run the Get-MsolDomainFederationSettings -DomainName <your domain> cmdlet to get the current SSO settings

    2. Record these values:

      1. FederationBrandName

      2. IssuerUri

      3. LogOffUri

      4. PassiveLogOnUri

  3. Click Download OPSWAT certificate to download the self-signed certificate MetaAccess generated for your account

  4. Update the existing settings

    1. Run the following cmdlet to switch the domain to managed authentication

      C:\Windows\system32>Set-MsolDomainAuthentication -DomainName <your domain> -Authentication Managed
    2. Run the Set-MsolDomainAuthentication cmdlet to re-federate the domain with the OPSWAT certificate

      C:\Windows\system32>Set-MsolDomainAuthentication `
      -FederationBrandName <FederationBrandName in step 5.2> `
      -DomainName <Your Domain> `
      -Authentication Federated `
      -IssuerUri <Issuer in step 5.2> `
      -PassiveLogOnUri <Passive Endpoint in step 5.2> `
      -LogOffUri <LogOffUri in step 5.2> `
      -SigningCertificate <OPSWAT Certificate in step 5.3>

      Note: enter the certificate as a single line, with no line breaks

    3. Run the following cmdlet to verify the configuration

      C:\Windows\system32>Get-MsolDomainFederationSettings -DomainName <Your Domain>

      Note: it can take some time for Azure AD to apply the new configuration
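Steps 5.2 to 5.4 above as one script, added here as an example and not OPSWAT's or Microsoft's code: it backs up the current federation settings to a file, loads the OPSWAT certificate from Step 5.3 as a single Base-64 line, re-federates the domain with only the signing certificate changed, and verifies the result. The domain name and file paths are constructed placeholders; it assumes the MSOnline module is installed.

```powershell
# Added example: swap the federation SigningCertificate for the MetaAccess
# certificate while preserving the endpoints captured in Step 5.2.
Import-Module MSOnline
Connect-MsolService

$domain   = 'example.com'                              # constructed placeholder
$certFile = 'C:\Temp\opswat-metaaccess.cer'            # Step 5.3 download, constructed path
$backup   = "C:\Temp\federation-backup-$domain.json"   # constructed placeholder

# 1. Back up every current value so the change can be rolled back.
$current = Get-MsolDomainFederationSettings -DomainName $domain
$current | Select-Object FederationBrandName, IssuerUri, LogOffUri,
    PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri, SigningCertificate |
    ConvertTo-Json | Set-Content -Path $backup -Encoding UTF8

# 2. The cmdlet wants the Base-64 body on one line: drop the PEM header and
#    footer, join the remaining lines, and confirm it still parses as X.509.
$b64  = (Get-Content $certFile | Where-Object { $_ -notmatch '^-----' }) -join ''
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [System.Convert]::FromBase64String($b64))
Write-Host "New signing cert: $($x509.Thumbprint), expires $($x509.NotAfter)"

# 3. Switch the domain to Managed first, as in Step 5.4.1.
Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed

# 4. Re-federate, keeping the original endpoints and swapping only the certificate.
Set-MsolDomainAuthentication `
    -DomainName $domain `
    -Authentication Federated `
    -FederationBrandName $current.FederationBrandName `
    -IssuerUri $current.IssuerUri `
    -PassiveLogOnUri $current.PassiveLogOnUri `
    -LogOffUri $current.LogOffUri `
    -SigningCertificate $b64

# 5. Verify: the stored certificate must now match what was uploaded.
$after = Get-MsolDomainFederationSettings -DomainName $domain
if ($after.SigningCertificate -ne $b64) {
    throw "SigningCertificate was not applied; restore settings from $backup"
}
Write-Host "Federation settings updated for $domain"
```

If the verification fails, or logins break after propagation, the backup file holds the previous SigningCertificate and endpoints to re-apply with the same cmdlet.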

Step 6: Test your integration

Follow the guideline at Step 6: Test your integration to verify that the integration works as expected.

DONE! CONGRATULATIONS.