Configure Authentication Server Page—Microsoft Active Directory Tree

Use this page to configure an Active Directory authentication server.

Item

Description

Credential type

Specifies the type of credentials that users must provide (Username/Password). If you are using Active Directory with certificates, you must configure it as an LDAP authentication server.

Name box

Type a name for the authentication server.

General Settings

Item

Description

Root domain box

Enter the fully qualified root domain for the AD server (for example, company.com). Users must belong to this domain or one of its subdomains.

Enable cross-forest trust check box

Check to enable appliance access to other trusted forests. If not enabled, the appliance can access only the forest in a direct trust relationship with the configured forest.

Login name box

Type a fully-qualified Windows domain username (for example, vpn_admin@company.com). The login should be for a user who has read access to the entire domain tree, such as the administrator on that domain controller.

Password box

Type the password that corresponds with the Login name.

Test button

Tests whether the appliance can bind to an external directory. If you’ve correctly configured the appliance, a “Valid connection!” message appears. If there is an error in the configuration settings, the message summarizes the problem.

If you enter login credentials, the appliance uses them; otherwise the appliance attempts to bind to the directory anonymously.

User authentication

Item

Description

Users can type a domain in the Username field check box

If this is the only option you specify, users must type a domain name during authentication; for example, username@domain.

Use a default domain if user does not type a domain check box

To allow users to log in without specifying a domain, select this option. Click Load all domains to populate the drop-down list with the available domains. The appliance assumes the domain you select from the list and tries to authenticate the user against it.

Users can choose from a list of domains check box

To display all of the domains that belong to this root domain, select this check box and then click Load all domains. You can select all or some of the domains users will be able to choose from, and rearrange the order of the list.

Group Lookup Settings

Item

Description

Cache group checking check box

Indicate whether you want the results of a static group search to be cached. This can save processing time for future searches.

Cache lifetime box

Specify the lifetime of the cache (in seconds). The default value is 1800 seconds (30 minutes).

Active Directory over SSL Settings

Item

Description

Use SSL to secure directory server connection check box

Select this check box to secure the Active Directory connection with SSL (known as ADS).

CAUTION: If the internal network is not trusted, you should enable SSL. Your Active Directory server must also be enabled to use SSL. See your Microsoft Active Directory documentation for details.

SSL Settings hyperlink

Click this link to view details about the SSL roots file. This file contains trusted CA certificates. Every domain in the AD tree must have a certificate; if your AD server’s CA is not listed in the file, or if you use a self-signed certificate, you must add your certificate to this file. See Importing CA Certificates for details.

Match certificate CN against Active Directory domain controller check box

Select this check box to have the appliance verify that the LDAP host name is the same as the name in the certificate presented by the LDAP server. This option is enabled by default, and should be enabled in any production environment using ADS.

If you enable multiple ADS realms, the state of this check box should be the same for all of them. Only one state is allowed for all ADS realms, and the last one you define is the one that is used.
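The name check behind the Match certificate CN check box, as an added Python example that is not part of the appliance or this documentation: it takes the peer-certificate dictionary shape that ssl.SSLSocket.getpeercert() returns, prefers subjectAltName DNS entries over the subject CN (the rule modern TLS clients apply, which goes slightly beyond the CN-only wording above), and honours only a single leading wildcard label. The sample certificate dictionary and the host name dc01.company.com are constructed for illustration.

```python
def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against the configured DC host name.
    Comparison is case-insensitive and ignores a trailing dot; only a single
    leading '*' label is honoured, and it never matches across a dot or a
    top-level label (for example '*.com' matches nothing)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if p_labels[0] != "*":
        return p_labels == h_labels
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert, hostname):
    """cert uses the dict shape returned by ssl.SSLSocket.getpeercert().
    subjectAltName DNS entries are authoritative when present; the subject
    CN is consulted only for certificates that carry no SAN at all."""
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_dns_name_matches(n, hostname) for n in san_names)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return _dns_name_matches(value, hostname)
    return False  # no usable name in the certificate: fail closed

# Constructed sample DC certificate (getpeercert() dict shape; not a real cert).
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc01.company.com"),),),
    "subjectAltName": (("DNS", "dc01.company.com"), ("DNS", "company.com")),
}
```

For a live pre-flight test against a domain controller, ssl.create_default_context() applies the same rule automatically as long as check_hostname is left enabled.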

Advanced Settings

Item

Description

Username attribute box

Type the username attribute you want to use to match user names. In most AD implementations, sAMAccountName matches the user ID (for example, jdoe). You can use cn instead, but that would require the user to authenticate with a full name (John Doe) instead of a user ID (jdoe).

Custom prompts area

When you select the Customize authentication server prompts check box, the page Title, Message, and login prompts (Identity, Proof, and Domain) can all be customized (Windows clients only). If users log in using a PIN as a password, for example, change the text for the Proof prompt from Password: to PIN: (a customized Message might explain how to retrieve a forgotten PIN).

Password management area

- Enable user-initiated password change check box: Allows users to change their passwords (in WorkPlace only).

- Notify user before password expires check box: Allows the Active Directory server to notify users that their passwords are going to expire. Indicate when the advance notice should begin by typing the number of days before password expires.

- Allow user to change password when notified check box: Allows users to change their passwords when they receive the expiration notice.

NTLM authentication forwarding area

Use this area to configure NTLM authentication forwarding.

- Forward a custom domain name button: To specify a domain name, click this button and then type the name in the Domain name box.

- Forward the authentication server name as domain name button: Forwards the authentication server name (as specified in the Name box at the top of the page) along with the user credentials.

Use one-time passwords with this authentication server check box

To configure authentication that includes an OTP, select this check box. In addition, you must configure your mail server: if one-time passwords are going to be delivered to external domains (for example, an SMS address or external webmail address), you may have to configure the SMTP server to allow passwords to be sent from the appliance to the external domain.

Password contains fields

In the first text box, specify the number of characters in the generated OTP. In the drop-down list, select the type of characters: Alphabetic, Alphabetic and numeric, or Numeric.

From address text box

Specify the e-mail address from which the OTP is sent.

Primary email address attribute text box

Enter the directory attribute for the email address to which one-time passwords will be sent. If the primary attribute exists on the authentication server, it is used.

Secondary email address attribute text box

This attribute, if specified, is used if the primary email address attribute cannot be found.

Subject text box

Specify a customized subject line for the OTP e-mail. This can include variables such as {password} or {username} that act as placeholders for the actual values that are inserted when the message is sent.

Body text box

Specify a customized message body for the OTP e-mail. This can include variables such as {password} or {username} that act as placeholders for the actual values that are inserted when the message is sent.

Email address text box

Enter a user’s e-mail address and click the Send test message button to verify that the message, password, and SMTP settings are correct.
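An added Python example (not from the appliance or this documentation) of the one-time password settings described above: the OTP length and character class follow the Password contains fields, the recipient follows the primary/secondary email address attribute fallback, and only the documented {username} and {password} placeholders are substituted into the Subject and Body text. The attribute names mail and otherMailbox and the sample user entry are constructed for illustration.

```python
import re
import secrets
import string

OTP_ALPHABETS = {  # character classes offered by the "Password contains" drop-down list
    "Alphabetic": string.ascii_letters,
    "Alphabetic and numeric": string.ascii_letters + string.digits,
    "Numeric": string.digits,
}

def generate_otp(length, char_type):
    """Generate a one-time password with a CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("OTP length must be at least 1")
    alphabet = OTP_ALPHABETS[char_type]  # KeyError on an unknown character class
    return "".join(secrets.choice(alphabet) for _ in range(length))

def resolve_recipient(entry, primary_attr, secondary_attr=None):
    """Primary attribute if it carries a value, else secondary, else fail closed."""
    value = entry.get(primary_attr)
    if not value and secondary_attr:
        value = entry.get(secondary_attr)
    if not value:
        raise LookupError("no e-mail address attribute found for user")
    return value

_PLACEHOLDER = re.compile(r"\{(username|password)\}")

def render_template(template, username, password):
    """Single-pass substitution of the two documented placeholders only: str.format()
    is avoided so template text cannot reach attributes, and a substituted value
    that itself contains '{password}' is never expanded a second time."""
    values = {"username": username, "password": password}
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], template)

# Constructed sample directory entry (illustrative, not real data).
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "mail": "",                          # primary attribute present but empty
    "otherMailbox": "jdoe@example.com",  # secondary attribute used instead
}

def build_otp_message(entry, length=8, char_type="Numeric"):
    otp = generate_otp(length, char_type)
    user = entry["sAMAccountName"]
    return {
        "to": resolve_recipient(entry, "mail", "otherMailbox"),
        "subject": render_template("One-time password for {username}", user, otp),
        "body": render_template("Hello {username}, your OTP is {password}.", user, otp),
        "otp": otp,
    }
```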

Active Directory DNS

Item

Description

Use DNS to lookup Active Directory domains box

Select to enable DNS lookups for a KDC/Kerberos realm, and then select the domains that will be displayed on WorkPlace. Only domains fetched from the configured forest are listed when Enable cross-forest trust is disabled (check box not checked).

Use these Active Directory domains and KDCs area

Select this option to also use explicitly configured KDCs, and then click New to add and configure each KDC.

Configuring Microsoft Active Directory Servers

Using One-Time Passwords for Added Security