The Edge Security Pack (ESP) delivers a solution, using the LoadMaster line of load balancers, to customers who would previously have deployed Microsoft’s Threat Management Gateway (TMG) to publish their Microsoft applications.

ESP offers the following key features:

  • End point authentication for pre-auth
  • Persistent logging and reporting for user logging
  • Single Sign On (SSO) across Virtual Services
  • LDAP authentication from the LoadMaster to the Active Directory
  • Basic and form-based authentication communication from a client to the LoadMaster
  • Remote Access Dial In User Service (RADIUS) authentication
  • RSA SecurID two-factor authentication
  • Kerberos Constrained Delegation (KCD) authentication
  • Client certificate authentication
  • Dual-factor authentication

End Point Authentication for Pre-Auth

Clients who are trying to access Virtual Services on the LoadMaster must provide authentication information, which the ESP uses to validate the client’s right to access the service. If validation succeeds, the client is allowed to access the service. If it fails, the client is blocked until valid credentials are provided.

Persistent Logging and Reporting for User Logging

When clients try to access a service, the attempt is logged on the LoadMaster as part of the ESP. This allows monitoring by the administrator.

Single Sign On Across Virtual Services

The LoadMaster is designed to handle multiple virtual services supporting unique workloads. These Virtual Services can be joined together by associating them with the same Single Sign-On (SSO) Domain.

Note: The Virtual Services need to be on the same domain for this to work, for example ecp.example.com and www.example.com.

SSO in ESP means that clients enter their authentication information only once, when accessing the first Virtual Service; the same information is then used to access the other services associated with the Single Sign-On Domain. Therefore, a client accessing Exchange will also be able to access SharePoint and other workloads if they are associated with the same Single Sign-On Domain.
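The same-domain requirement from the note above, as an added example (not LoadMaster code): given the hostnames of the Virtual Services to be joined, it derives the parent domain an SSO session cookie could be scoped to, or reports that none is shared. It assumes a registrable domain of two labels (example.com); multi-label public suffixes need a different count or a public-suffix list.

```python
def sso_cookie_domain(hostnames, registrable_labels=2):
    """Return the parent domain shared by all Virtual Service hostnames, or None.

    For ecp.example.com and www.example.com this is example.com. The default of
    two labels is an assumption of this example: names under a multi-label public
    suffix such as example.co.uk need registrable_labels=3 or a public-suffix list.
    """
    parents = set()
    for host in hostnames:
        labels = host.lower().rstrip(".").split(".")
        if len(labels) < registrable_labels or "" in labels:
            return None  # malformed, or shorter than a registrable domain
        parents.add(".".join(labels[-registrable_labels:]))
    # Exactly one distinct parent means every service can share the SSO cookie
    return parents.pop() if len(parents) == 1 else None
```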

LDAP Authentication from the LoadMaster to Active Directory

Active Directory is the standard Authentication Provider for Microsoft workloads. LoadMaster supports the key connection types between the LoadMaster and Active Directory.

Basic Authentication Communication from a Client to the LoadMaster

LoadMaster with ESP currently supports basic and form-based authentication between the client and the LoadMaster, providing clients with an optimum authentication experience. In future releases, there are plans to also support NTLM.

Large and small businesses are deploying large numbers of internet-facing applications to support ever expanding business requirements. This rapidly growing number of servers needs to be scalable and highly reliable. Above all, the access to these servers and services needs to be secure. With the addition of the ESP, the LoadMaster will continue to deliver on customer security requirements for internet-facing applications in a world without TMG, while continuing to address requirements for feature-rich and cost-effective scalability and high reliability.

RADIUS Authentication

A Remote Access Dial In User Service (RADIUS) server can be used to authenticate users who log in to the LoadMaster. The LoadMaster passes the user’s details to the RADIUS server and the RADIUS server informs the LoadMaster whether the user is authenticated or not.

RADIUS in Windows Server 2008 R2 is provided by the Network Policy and Access Services role.

For more information, refer to the RADIUS Authentication and Authorization, Technical Note.

RSA SecurID Two-Factor Authentication

As part of the Edge Security Pack (ESP), the LoadMaster supports the RSA SecurID authentication scheme. This scheme authenticates the user on an RSA SecurID Server. When RSA is enabled as the authentication method, during the login process the user is prompted to enter a password that is a combination of two numbers – a Personal Identification Number (PIN) and a token code which is the number displayed on the RSA SecurID authenticator (dongle).

There are two additional challenge-response modes: next token and new PIN.

For more information, refer to the RSA Two Factor Authentication, Feature Description.

Kerberos Constrained Delegation (KCD) Authentication

When using KCD as the authentication protocol, the LoadMaster provides seamless access to protected resources in a Kerberos realm even when credentials provided are not directly valid for such an environment.

The KCD authentication protocol is used to confirm the identity of the users that are attempting to access resources on a network. KCD authentication uses tickets that are encrypted and decrypted by secret keys and do not contain user passwords. These tickets are requested and delivered in Kerberos messages. When the user’s password is not provided, a trusted administrator user account is used to get tickets on behalf of services and users.

For more information refer to the Kerberos Constrained Delegation (KCD), Feature Description.

Client Certificate Authentication

Using certificates for authentication can be considered more secure because access cannot be gained simply by knowing a username and password. Using certificates also prevents key loggers or other malware on a client machine from capturing keystrokes to harvest user accounts and passwords.

The LoadMaster supports the use of certificates with KCD authentication. For more information refer to the Kerberos Constrained Delegation (KCD), Feature Description.

Dual-factor Authentication

Some authentication mechanisms assume a dual-factor approach where both the Active Directory and a secondary mechanism are used in sequence. For these, the form includes the username, password and also a passcode which is checked after the username and password.

OIDC OAUTH ESP Authentication

OpenID Connect (OIDC) is an identity layer added to the OAuth 2.0 protocol that enables authentication of users via tokens provided by an Identity Provider (IdP), referred to as the Authorisation Server role in OAuth. OIDC is commonly used to enable Single Sign On of users across multiple applications via a single Identity Provider. OIDC uses the standardised message flows from OAuth 2.0 to provide identity services.

When using OIDC, the LoadMaster performs the Resource Server role, granting or denying access to an application based on the authorisation tokens presented. This requires an Identity Provider, for example Microsoft Azure AD Identity Management, to authenticate the users.

For more information, refer to the OIDC OAUTH ESP Authentication, Feature Description.
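The Resource Server decision described above, as an added example and not LoadMaster’s own code: the token is checked for a pinned signing algorithm, a valid signature, the expected issuer and audience, and its validity window before access is granted. It assumes an HS256 shared key (real IdPs sign with RS256 and publish keys via JWKS) and an issuer URL and audience that are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this example: a constructed HS256 shared key (a real IdP signs with
# RS256 and publishes its keys via JWKS), plus a demo issuer URL and audience/client_id.
DEMO_KEY = b"constructed-shared-secret"
EXPECTED_ISSUER = "https://idp.example.com/"
EXPECTED_AUDIENCE = "loadmaster-owa-vs"

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT so the resource-server check has an input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def resource_server_decision(token: str, now: int, key: bytes = DEMO_KEY) -> tuple:
    """Return (allow, detail): the grant/deny decision made before a request reaches the app."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token's own "alg" must never select "none" or another scheme
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if now >= claims.get("exp", 0):  # a missing exp is treated as already expired
        return False, "expired"
    if now < claims.get("nbf", 0):
        return False, "not yet valid"
    return True, claims.get("sub", "")
```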