You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 19 Next »

Prior to the installation of the DualShield MFA server, prepare the following items:

  1. A Windows or Linux server machine (virtual or real machine) with 8GM RAM, 4-core CPU, and 10GB free disk space 

    Before launching the installation of the DualShield Platform, make sure that the following prerequisites are met:
    ComponentDescription
    Hardware

    For a user base of 10,000 users or less, the minimum hardware requirements are:

    • CPU: 4 Core
    • Memory: 8 GB
    • DISK: 10 GB at installation. (grows by 10KB per event, on average)
    OS

    DualShield Server can be installed and operating on both Windows and Linux servers.

    Windows

    • Windows 2012/R2
    • Windows 2016
    • Windows 2019
    • Windows 2022

    Linux

    • CentOS
    • RedHat
    • Fedora
    • Ubuntu

    Only 64bits is supported.

    Database

    DualShield Server uses a SQL database as its data store, and it includes MySQL database sever in its installation package.

    It is also possible to use an external SQL Server as the data store for DualShield. At the installation, you can opt out to use an external SQL server.

    Following external SQL servers are officially supported:

    • MySQL
    • Microsoft SQL
    • Oracle SQL
    • IBM DB2

    If you opt out to use your own SQL server, then you will need the following:

    • An account name by which your DualShield server will connect to your SQL server. 
    • The account must be able to create databases and tables on the SQL server.
    • The account password.

    It is possible to use other SQL servers not listed above such as PostgreSQL, although they are not officially supported.

  2. An FQDN for your DualShield MFA server consoles, e.g. mfa.acme.com

    A DualShield server must be given a unique Fully Qualified Domain Name (FQDN) which is provided in the installation process.

    The DualShield server includes several web consoles, including

    • Admin Console
    • User Console
    • Single Sign-On Console (mainly used for SAML SSSO)
    • Deployment Console (for device and tokens)

    DualShield consoles are all web-based portals that can be accessed with a web browser. The FQDN is the web address of the DualShield consoles. 

    If the DualShield server is a backend server located in the internal network and to be accessed from internal PCs and workstations, then the DualShield's FQDN must be added into the internal DNS server.

    If the DualShield server is a frontend server located in the DMZ and to be accessed from external PCs and workstations, then the DualShield's FQDN must be added into the external DNS server.

    If the DualShield server is an all-in-one server that is accessed from both internal & external PCs and workstations, then its FQDN must be added into both the internal & external DNS servers. 

    If you do not plan to make your DualShield MFA server consoles accessible from the public network, then the FQDN can be an internal domain name. However, if you do plan to make one or some of your Dualshield server consoles accessible from the public network, then the FQDN must be an external domain name.

    Note: You can change the FQDN after the installation of the DualShield MFA server.


  3. An SSL certificate for your DualShield MFA server consoles in a PFX file (a wildcard certificate is acceptable, e.g. *.acme.com)

    DualShield consoles are web portals, therefore require an SSL certificate. You may use a self-signed SSL certificate which will be provided by the DualShield installer itself during the installation process. However, it is recommended that you use a commercial certificate, particularly for the DualShield Service Console that is going to be accessed by end-users from the Internet. (You can change the server certificate after the MFA server installation).

    Furthermore, if you are going to use the Out of Band Authentication (OOBA) from iOS and Android mobile devices, then you will have to make the DualShield Deployment Service and the Single Sign-On portals accessible by end users from the public network. In this case, you must not use a self-signed certificate because it will not be accepted by iOS and Android devices. 

    A web SSL certificate is issued to a specific FQDN (Fully Qualified Domain Name), e.g. "support.deepnetsecurity.com" in the certificate below:

    Therefore, before you purchase a web SSL certificate from a commercial Certificate Providers such as GoDaddy, Comodo, DigiCert etc, you need to decide the FQDN for your DualShield server.

    A DualShield server must be given a unique Fully Qualified Domain Name (FQDN) which is provided in the installation process.

    The DualShield server includes several web consoles, including

    • Admin Console
    • User Console
    • Single Sign-On Console (mainly used for SAML SSSO)
    • Deployment Console (for device and tokens)

    DualShield consoles are all web-based portals that can be accessed with a web browser. The FQDN is the web address of the DualShield consoles. 

    If the DualShield server is a backend server located in the internal network and to be accessed from internal PCs and workstations, then the DualShield's FQDN must be added into the internal DNS server.

    If the DualShield server is a frontend server located in the DMZ and to be accessed from external PCs and workstations, then the DualShield's FQDN must be added into the external DNS server.

    If the DualShield server is an all-in-one server that is accessed from both internal & external PCs and workstations, then its FQDN must be added into both the internal & external DNS servers. 


    The certificate must be provided in the PFX format. There are various third-party tools that you can use to apply for and download an SSL certificate, or you can use the tool below:

    The Deepnet Certificate Tool is indispensable for anyone using SSL Certificates for Websites. It provides the following functions:

    Download Here - Deepnet Certificate Tool (2.0)

    The DualShield Administration Console includes a certificate management facility that allows you to apply, replace and renew certificates. 

    Certificate Management

    Therefore, for DualShield Administrators, they are recommended to use the Dualshield Admin Console instead of this tool.





  4. An AD service account (domain user) to be used for the connection between your MFA server and AD server

    Introduction

    Most organisations use Microsoft Active Directory as their user directory. When implementing DualShield they will need to connect their DualShield authentication server to their Active Directory server, so that DualShield can carry out operations such as searching users, reading account properties etc. The access from DualShield to AD requires a user account with necessary access rights and privileges.

    DualShield is capable of performing most of the tasks that are required of it, and requires no additional access rights other than those it would have by default as a Domain User.

    There are however three optional features of the software that if used would require additional task access privileges to be designated.


    Optional Features

    Lock/Unlock User Accounts:

    In order for DualShield to be able to lock and unlock users, write access is required to the Active Directory property "Write lockoutTime”.

    Enable/Disable User Accounts:

    In order for DualShield to be enable or disable user accounts, write access is required to the Active Directory property “Write account restrictions”.

    Change and Reset Users Passwords:

    In order for DualShield to be enable or disable user accounts, write access is required to the Active Directory properties "Write Useraccount Control” and “Write pwdLastSet” .

    Additionally, these features also need to obtain the permissions “Change Password” and “Reset Password”.


    Creating a Domain User Account

    First we need to create a user account called “DualShield” that will be a member of the group “Users”.

     

    1. From the server manager dashboard select “Tools”, then “Active Directory Users and Computers

       
    2. A new window opens titled “Active Directory Users and Computers”.
       

    3. Right click on the folder named “Users”, then Select “New”, then “User”.
    4. A form will open with the title “New Object – User”. Type in “DualShield” at the prompts “First Name:” and “User logon name:”.DualShield” will automatically be copied to the other fields (as below). Click on “Next >” to supply the password information.
    5. Remove the tick from “User must change password at next logon”. Fill in the fields “Password” and “Confirm password” with a password compliant with your company password policy then click on “Next >”.
    6. A confirmation window will now open. Click on “Finish” to exit this window.
          7.  
           

    Preparation for adding properties and permissions

    The next steps will add this user account to the list of security managers of the users folder in preparation for designating the necessary additional write properties and permissions.

     

    1. You will now return to the window titled “Active Directory Users and Computers, Select the “Users” folder, Right click on the folder “Users” then select “Properties”.
    2. A new window now opens up headed “Users Properties”, Select the “Security” tab, then click on the “Add” button.
    3. A form now opens with the title “Select Users, Computers, Service Accounts , or Groups”.  In the field “Enter the object names to select (examples):”  type “DualShield”, Click on “Check Names”.   You will return to the window below with the account name updated, then click on the “OK” button.
    4. You will now return to the Users Properties form. The user “DualShield” has now been added to the list of users in the tab “Security”.  Click on "Apply" then “Advanced.

    Adding properties and permissions

    We will now add the necessary additional properties and permissions to the user account within the scope of the users folder.


    1. A window now opens titled “Advanced Security Settings for DualShield”, click on the “Add” button.
    2. A window now opens titled “Permission Entry for DualShield”, click on “Select a principle".
    3. A form now opens with the title “Select Users, Computers, Service Accounts , or Groups”.  In the field “Enter the object names to select (examples):” type “DualShield”, then click on “Check Names”.

      You will return to the window below with the account name updated, click on the “OK” button”.
       

    4. You will return to the form headed “Permission Entry for DualShield”.  Against the option “Applies to:” select the last option “Descendant User objects”.  Next, in the section headed “Permissions:” select the permissions “Change password” and “Reset password”.

    5. We now need to select options “Write account restrictions” (to Enable/Disable users), “Write lockoutTime” (to Lock/Unlock users), “Write userAccountControl” (to Reset user passwords) and “Write pwdLastSet” (to Reset user passwords) in the “Properties:” section.

      Scroll down to the properties section and select “Write account restrictions”.

       

    6. Scroll down about halfway through the properties section then select “Write lockoutTime”.


       
    7. Scroll further down the properties section then select “Write pwdLastSet”.
      .
       

    8. Towards the end of the properties section then select “Write userAccountControl” then press the “OK” button.


       

    9. You will now return to the window titled “Advanced Security Settings for DualShield”.  Scroll through the list of permission entries.  The 6 option selections made above will each create an entry in the permission entries list (in the example below they are the permissions int the “access” column from the “Reset password” to the “Write account restrictions”).  Click on the “Apply” button”.

    10. A window will now open with the title of “Permissions”, click on the “Yes” button.

      .

    11. You will now return to the window titled “Advanced Security Settings for Users”.

      In the section “Permission entries:” you will be able to find 6 entries against DualShield click on the “OK” button.

      .

    12. We have now return to the “Users Properties” window, and have created an account in the users folder called “DualShield” with the necessary security access rights, press “OK”.
       

  5. (Optional) An MS-SQL service account

    Unable to render {include} The included page could not be found.

  6. An AD group for MFA – only users in the MFA group will be MFA enabled
  7. (Optional) If you need to implement one of the following functions or features, then you need to configure your corporate firewall and open HTTP port 8074 and 8076, forward traffic to your DualShield MFA server
    1. Push Authentication
    2. Self-Services such as downloading MobileID tokens, activating DeviceID tokens, etc. 
    3. SAML integration with external cloud services such as Office 465, SalesForce, Zoom, etc.
  8. Download the DualShield server software from https://support.deepnetsecurity.com, and save it on your DualShield MFA server machine

For more details, please check out the following articles:

  • No labels