Authenticate administrators using certificate-based authentication

You can authenticate administrators using an X.509 certificate stored in the Windows certificate store or on a smart card, such as a Common Access Card (CAC).

Before you begin

To use smart cards for authentication, you must have smart card reader hardware and software.

To use certificate files for authentication, you must save the certificates in the Windows certificate store.

A client certificate in the Windows certificate store is used for client authentication. There is also a trusted certificate authority (CA) for the client certificate in the Windows certificate store. There are two ways to store the private key for the client certificate:

  • The private key can be stored on a smart card, from which the client certificate can be populated to the Windows certificate store.
  • A Windows software provider can be used for key storage.
Note: Certificate-based authentication is only supported for Management Clients installed in Windows 10. Certificate-based authentication is not supported for Web Portal Users.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. To define the certificate that is used to authenticate the Management Server in communications for certificate-based authentication, create a TLS Credentials element.

    You can generate and sign a new certificate request, or import an existing certificate.

    The certificate defined in the TLS Credentials element is used for server authentication. The Management Client validates the server certificate path using the trusted CA certificates in the Windows certificate store.

  2. To define the trusted CAs for the Management Server and the client certificates, create a TLS Profile element.
    Make sure that the TLS Profile element includes the trusted CAs for both the Management Server's certificate and for the client certificates. The trusted CA can be the same for the Management Server's certificate and for the client certificates.
  3. Configure the Management Server for certificate-based authentication.
    1. Select Configuration, then browse to Network Elements.
    2. Select Network Elements > Servers.
    3. Right-click the Management Server, then select Properties.
    4. Next to the TLS Credentials field, click Select, then select a TLS Credentials element.
    5. Next to the TLS Profile field, click Select, then select a TLS Profile element.
    6. Click OK.
  4. In the properties of each Administrator, configure certificate-based authentication.
    1. Select Configuration, then browse to Administration.
    2. Select Access Rights > Administrators.
    3. Right-click an Administrator element, then select Properties.
    4. From the Authentication drop-down list, select Client Certificate.
    5. From the Client Identity Type drop-down list, select the certificate attribute that is used to identify the administrator.
    6. Specify the value of the certificate attribute in one of the following ways:
      • In the Identity Value field, enter the value of the certificate attribute.
      • Click Fetch From Certificate, then import the certificate to get the value from the certificate.
    7. Click OK.
  5. If the certificate for the Management Server was not signed using a CA that is already trusted by the administrators' client operating systems, add the CA that signed the certificate as a trusted CA on each administrator's computer.
    1. Export the CA certificate from the CA that signed the certificate for the Management Server.
    2. Import the CA certificate on each administrator's computer.
    3. Configure the operating system to trust the CA certificate.

Management Server Properties dialog box

Use this dialog box to define Management Server properties.

Option Definition
General tab
Name The name of the element.
Installation ID Shows the unique installation identifier (UIID) for the Secure SD-WAN Manager.
IPv4 Address Specifies the IPv4 address of the server. The server can have both an IPv4 and an IPv6 address.
IPv6 Address Specifies the IPv6 address of the server. The server can have both an IPv4 and an IPv6 address.
Resolve Automatically resolves the IP address of the server.
Location

(Optional)

Specifies the location to which the server belongs if there is a NAT device between the server and other Secure SD-WAN Manager components.
Contact Addresses section

(All optional settings)

Default Used by default when a component that belongs to another Location connects to this server.
Exceptions Allows you to define exceptions to the default contact address. Opens the Exceptions dialog box.
Log Server Specifies the Log Server to which the server sends its logs.
RADIUS Method

(Optional)

Specifies a RADIUS authentication method for authenticating administrators.
  • PAP — Password Authentication Protocol.
  • CHAP — Challenge-Handshake Authentication Protocol.
  • MSCHAP, MSCHAP 2 — Microsoft versions of the CHAP protocol. We recommend using MSCHAP 2 if the server supports it.
  • EAP-MD5 — Extensible Authentication Protocol with an MD5 Hash. This option is selected by default.
TACACS Method

(Optional)

Specifies a TACACS+ authentication method for authenticating administrators.
  • ASCII — American Standard Code for Information Interchange.
    CAUTION:
    This authentication method transmits the user name and password as unencrypted plain text.
  • PAP — Password Authentication Protocol.
  • CHAP — Challenge-Handshake Authentication Protocol.
  • MSCHAP — Microsoft versions of the CHAP protocol. This option is selected by default.
TLS Credentials

(Optional)

Specifies the TLS Credentials element that is used for certificate-based authentication of administrators.
TLS Profile

(Optional)

Specifies the TLS Profile element that is used for certificate-based authentication of administrators.
Include in Database Replication

(Multiple Management Servers only)

When selected, the Management Server is included in database replication between Management Servers for high availability.
CAUTION:
Leave this option selected unless you have a specific reason to deselect it. Deselecting this option makes the Management Server's database incompatible with the databases of the other Management Servers.
Audit Storage Full Specifies the action when the Management Server detects that the audit storage is full.
  • Stop Management Server — The Management Server writes an audit entry indicating that the audit storage is full, stops all processes, then shuts down.
  • Overwrite Oldest — The Management Server overwrites audit entries, starting with the oldest audit entries.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds commands to the right-click menu for the element. Click Select to select an element.
Comment

(Optional)

A comment for your own reference.
Option Definition
Notifications tab
E-mail section — Specifies email notification details.
SMTP Server Select the SMTP Server that is used to send the alert notifications as email. Click Select to select an element.
Sender Name Enter the name to be used in the From field of the email.

If this setting is left blank, the Default Sender Name defined in the SMTP Server Properties is used.

Sender Address Enter the email address to be used in the From field of the email.

If this setting is left blank, the Default Sender Address defined in the SMTP Server Properties is used.

SMS section

Click Add to add an element to the table, or Remove to remove the selected element. Click Up or Down to move the selected item up or down.

Name Shows the name of the channel.
Channel Type Shows the type of the channel.
  • Script — SMS messages are sent using a custom script.
  • SMTP — SMS messages are sent using an SMTP server.
  • HTTP — SMS messages are sent using HTTP.

You can add multiple SMS Channels Types. If the first SMS Channel fails, the subsequent SMS channels are used in the order in which they are listed. Use the Up and Down buttons to change the order of the channels if necessary.

Host/URL/Script Shows the server, URL, or script used for SMS notification.
Edit Opens the Channel Properties dialog box for the selected entry.
SNMP section
Gateways Enter the host name or IP address of the SNMP Gateways to which the alert notifications are sent as SNMP traps.

You can specify a list of gateways separated by semicolons.

If your SNMP gateway port is not the default port 162, specify the port number by typing a colon and the port after the host name (for example, snmp-gw:4390).

Custom Alert Scripts section
Root Path Enter the root path on the Management Server where custom alert scripts are executed.

The default location is <installation directory>/data/notification.

Do not define the script name here. Add the script name in the Alert Chain at each place you want to call a particular script. You can use multiple scripts.

Option Definition
Secure SD-WAN Manager Web Access tab
Enable Enables the feature.
Host Name

(Optional)

Enter the host name that the service uses. Leave the field blank to allow requests to any of the server’s host names.
Port Number

Enter the TCP port number that the service listens to.

By default, port 8085 is used when Secure SD-WAN Manager Web Access is enabled on the Management Server and port 8083 when enabled on the Web Portal Server.

Note: Make sure that the listening port is not in use on the server.
Listen Only on Address

(Optional)

If the server has several addresses and you want to restrict access to one address, specify the IP address to use.
Session Timeout Enter the timeout in seconds after which the session expires. While the session is still active, the administrator does not need to log on again if they close the web browser.
Server Credentials You must select the TLS Credentials element that is used for HTTPS connections. Click Select to select an element.
Generate Server Logs

(Optional)

Select if you want to log all file load events for further analysis with external web statistics software.
Use SSL for session ID

(Optional)

Track sessions in your web application. Do not select this option if your network requires you to use cookies or URIs for session tracking.
Option Definition
Secure SD-WAN Manager API tab
Enable Enables the feature.
Host Name Enter the host name that the service uses. Leave the field blank to allow requests to any of the server’s host names.
Note: API requests are served only if the API request is made to this host name. To allow API requests to any host name, leave this field blank.
Port Number

(Optional)

Enter the TCP port number that the service listens to.

By default, port 8082 is used. In Linux, the value of this parameter must always be higher than 1024.

Listen Only on Address

(Optional)

If the server has several addresses and you want to restrict access to one address, specify the IP address to use.
Server Credentials You must select the TLS Credentials element that is used for HTTPS connections. Click Select to select an element.
Generate Server Logs

(Optional)

Select if you want to log all file load events for further analysis with external web statistics software.
Use SSL for session ID

(Optional)

Track sessions in your web application. Do not select this option if your network requires you to use cookies or URIs for session tracking.
Option Definition
Secure SD-WAN Manager Downloads tab
Enable Enables the feature.
ECA Evaluation To easily deploy Forcepoint One Endpoint to a limited set of users for evaluation purposes, enable the ECA Evaluation feature. For more information, see Knowledge Base article 16193.
Management Client Download When selected, the Management Server provides the Management Client for download on the Secure SD-WAN Manager Downloads page.
Host Name

(Optional)

Enter the host name that the service uses. Leave the field blank to allow requests to any of the server’s host names.
Port Number

Enter the TCP port number that the service listens to.

By default, port 8080 is used for new Secure SD-WAN Manager installations, and port 8084 is used when you upgrade the Secure SD-WAN Manager.

Note: Make sure that the listening port is not in use on the server.
Listen Only on Address

(Optional)

If the server has several addresses and you want to restrict access to one address, specify the IP address to use.
Server Credentials You must select the TLS Credentials element that is used for HTTPS connections. Click Select to select an element.
Generate Server Logs

(Optional)

Select if you want to log all file load events for further analysis with external web statistics software.
Option Definition
Announcement tab
Display announcement to Web Portal Users Enables you to display announcements to the administrators who log on to the Web Portal.

Enter the announcement in the field. The length is limited to 160 characters. You can add formatting to the announcement with standard HTML tags (which are also included in the character count).

Option Definition
Connection tab
Proxy Settings
Use proxy server for HTTPS connection Select if the connection from the Management Server to the Forcepoint servers requires a proxy server.
Proxy address Defines the address of the HTTP proxy.
Proxy port Defines the port of the HTTP proxy.
Authenticate to the proxy server Select if the proxy server requires user authentication.
Proxy user name Enter the user name for the proxy user.
Proxy user password Enter the password for the proxy user. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Option Definition
Elasticsearch tab

The Elasticsearch tab is only visible after you have created an Elasticsearch Cluster element.

Important: Forwarding log data to an Elasticsearch cluster is an advanced feature that requires knowledge of how to configure Elasticsearch. You must already have an Elasticsearch cluster deployed and configured in your environment.
Elasticsearch Cluster Shows the Elasticsearch cluster that receives log data from the SMC server.
Client Authentication Settings

Defines how the connection between the server and the Elasticsearch cluster is secured.

  • Inherited — The SD-WAN Manager server uses the settings defined in the Elasticsearch Cluster element.
  • Override — The SD-WAN Manager server uses custom settings.
TLS Certificate

(When Override is selected.)

Specifies the TLS certificate that is used to secure the connection between the SD-WAN Manager server and the Elasticsearch cluster.

  • Use Internal Certificate — The SD-WAN Manager server uses its own internal certificate.
  • Use Imported Certificate — The SD-WAN Manager server uses the specified external certificate.
  • No Client Authentication — The connection is not authenticated.
Option Definition
Audit Forwarding or Log Forwarding tab

Click Add to add a row to the table, or Remove to remove the selected row.

Target Host The Host element that represents the target host to which data is forwarded. Double-click to open the Select Host dialog box.
Service Click the cell, then select the network protocol for forwarding data from the drop-down list. For log data in IPFIX or NetFlow v9 format, UDP is the only available network protocol.
Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the Service you select is also used as the Service in the Access rule.
Port The Port that is used for forwarding data. Double-click to edit the cell. The default port is 2055. For log data, the default port used by IPFIX/NetFlow data collectors is 2055.
Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the Port you select is also used as the Port in the Access rule.
Format Click the cell, then select the data forwarding format from the drop-down list.
  • CSV — Forwards in comma separated value format.
  • Short CSV — Forwards truncated data in comma separated value format. (Log Server only)
  • XML — Forwards in XML format.
  • CEF — Forwards in common event format.
  • LEEF — Forwards in log extended event format.
  • NetFlow v9 — Forwards in a format that is compatible with NetFlow v9. (Log Server only)
  • IPFIX — Forwards in a format that is compatible with IPFIX. (Log Server only)
  • McAfee ESM — Forwards in a format that is compatible with McAfee ESM.
  • Forcepoint UEBA — This option is not yet supported. For more information about Forcepoint UEBA, see the Forcepoint UEBA documentation at https://⁠support.forcepoint.com/Documentation.
Filter

(Optional)

An optional local filter that defines which data is forwarded. The local filter is only applied to the data that matches the Audit Forwarding or Log Forwarding rule. Double-click to open the Local Filter Properties dialog box.
TLS Profile Allows you to select a TLS Profile element that contains settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Double-click to open the Select Element dialog box. The TLS Profile is only available if you have selected TCP with TLS as the Service.
TLS Server Identity

(Optional)

(When a TLS Profile is selected)

Select the identity of a TLS server to secure the TLS-protected traffic from the Management Server or Log Server to an external syslog server. Double-click to open the TLS Server Identity dialog box.
TLS Certificate Used for Forwarding Logs Select the certificate for TLS-protected data forwarding.
  • Use Internal Certificate — A Management Server or Log Server certificate (signed by the Internal CA) is used for TLS-protected syslog communication.
  • Use Imported Certificate — A certificate signed by an external CA is used. Click Select to select a certificate or to create a TLS Credentials element.
  • No Client Authentication — The Management Server or Log Server certificate is not authenticated.
Option Definition
NAT tab

(All optional settings)

Firewall Shows the selected firewall.
NAT Type Shows the NAT translation type: Static or Dynamic.
Private IP Address Shows the Private IP Address.
Public IP Address Shows the defined Public IP Address.
Port Filter Shows the selected Port Filters.
Comment An optional comment for your own reference.
Add NAT Definition Opens the NAT Definition Properties dialog box.
Edit NAT Definition Opens the NAT Definition Properties dialog box for the selected definition.
Remove NAT Definition Removes the selected NAT definition from the list.

Administrator Properties dialog box

Use this dialog box to change the properties of an Administrator element.

Option Definition
General tab
Type Specifies where the administrator account is stored.
  • Local — The administrator account is stored locally on the Management Server.
  • Linked to LDAP — The administrator account is stored in an integrated external directory server.
User

(When Type is Linked to LDAP)

Specifies the user account on the integrated external directory server to which the administrator account is linked. Click Select to select an element.
User Domain

(Not editable)

(When Type is Linked to LDAP)

Shows the LDAP domain to which the user account on the integrated external directory server belongs.
Group

(Optional)

(When Type is Linked to LDAP)

Specifies the user group in the integrated external directory server to which the user account must belong for Secure SD-WAN Manager access to be allowed. Click Select to select an element.
Name Specifies the user name that the administrator uses to log on to the Management Client. When Type is Linked to LDAP, this field is not editable.
Comment

(Optional)

A comment for your own reference.
Authentication

Specifies the type of authentication for administrator logons.

  • Local Username and Password — When selected, authentication is done by the Management Server using a user name and password.
  • RADIUS — When selected, RADIUS authentication is done by an external authentication server.
  • TACACS+ — When selected, TACACS+ authentication is done by an external authentication server.
  • LDAP — When selected, authentication is done using simple password authentication against integrated external LDAP databases. This option is only available when Linked to LDAP is selected.
  • Client Certificate — When selected, authentication is done by the Management Server using an X.509 certificate presented by the administrator.
Password

(When Authentication is Local Username and Password)

Specifies the password.
Generate Password

(Optional)

(When Authentication is Local Username and Password)

Generates a random temporary password according to the settings in the password policy. Generated passwords are one-time passwords. The administrator is prompted to enter a new password at the first logon.
Confirm Password

(When Authentication is Local Username and Password)

Confirms the password.
Require Administrator to Change Password at First Logon

(Optional)

(When Authentication is Local Username and Password)

When selected, the administrator must enter a new password at the first logon.
Always Active

(Optional)

(When Authentication is Local Username and Password)

When selected, the user account is active immediately and is never automatically disabled.
Expiration Date

(Optional)

(When Authentication is Local Username and Password)

Specifies the date when the user account is automatically disabled.
Authentication Method

(When Authentication is RADIUS or TACACS+)

Specifies the authentication method provided by an external authentication server.
Client Identity Type

(When Authentication is Client Certificate)

Specifies the attribute in the certificate that is used to identify the administrator.

  • Distinguished Name — The distinguished name (DN) attribute identifies the administrator.
  • Common Name — The common name (CN) attribute identifies the administrator.
  • User Principal Name — The user principal name (UPN) that is mapped to the certificate identifies the administrator.
  • Email — The email address identifies the administrator.
  • SHA-256 — The SHA-256 hash of the certificate identifies the administrator.
  • SHA-512 — The SHA-512 hash of the certificate identifies the administrator.
Fetch From Certificate

(Optional)

(When Authentication is Client Certificate)

Gets the value of the selected attribute from a certificate that you import.

Opens the Import Certificate dialog box.

Identity Value

(When Authentication is Client Certificate)

Specifies the value of the selected attribute.

Option Definition
Permissions tab
Unrestricted Permissions (Superuser) When selected, the administrator can manage all elements and perform all actions without any restrictions.
Appliance Superuser

(Appliance only)

When selected, the administrator can log on to the Appliance command line.

Administrators with unrestricted permissions (superusers) are allowed to log on to the Appliance command line only if there are no administrators with Appliance Superuser permissions.

Restricted Permissions When selected, the administrator has a limited set of rights that apply only to the elements granted to the administrator.
Role

(Restricted Permissions only)

Shows the role or roles assigned to the selected administrator: Operator, Editor, Owner, or Viewer. Click the cell to select the role from the drop-down list.
Granted Elements

(Restricted Permissions only)

Shows the elements that an administrator has been given permission to edit and install when the selected administrator role would otherwise prevent them from doing so. Double-click the cell to open the Select Element dialog box.
Domains

(Restricted Permissions only)

If Domains have been configured, shows the Domains in which the rights granted by the administrator role and the selected elements apply. Click the cell to select the Domain from the drop-down list.

You can leave the default Shared Domain selected in the Domains cell. All elements automatically belong to the predefined Shared Domain if Domain elements have not been configured. You can also select the ALL Domains Access Control List to grant permissions for all Domains that have been defined.

Add Role

(Restricted Permissions only)

Adds a row to the table.
Remove Role

(Restricted Permissions only)

Removes the selected role from the selected administrator.
Allow Administrators to Log On to the Shared Domain

(Multiple Domains only)

When selected, allows the administrator to log on to the Shared Domain. Otherwise, the administrator is only allowed to log on to the specified Domains.
Log Filters

(Restricted Permissions only)

Filter You can select filters that are applied before logs from the granted elements are shown to the administrator. Click Select to select a filter.
Option Definition
Color Filters tab
Log and Alert Specifies the colors for logs and alerts displayed in the Logs view.
Connections Specifies the colors for currently open connections displayed in the Connections view.
Blacklist Specifies the colors for blacklist entries in the Blacklist view.
VPN SAs Specifies the colors for Internet Exchange Keys (IKE) and IPsec protocols displayed in the VPN SAs view.
Users Specifies the colors for different users in the Users view.
Routing Specifies the colors for routing entries displayed in the Routing Monitoring view.
SSL VPNs Specifies the colors for entries in the SSL VPN Monitoring view.
Filter Shows the color filters that are in use.
Color Specifies the color. To change the color, double-click the cell, then select the color from the palette.
Comment An optional comment for your own reference.
Up Moves the selected color filter up on the list.
Down Moves the selected color filter down on the list.
Add Adds color filter to the list.
Remove Removes a color filter from the list.
Set to Default Returns all changes to default settings.
Option Definition
Account Replication tab
Replicate Account on Selected engines When selected, allows the replication of the administrator user account on the selected engines.
Password Specifies the password used when logging on to the engine.
Confirm Confirms the password.
Generate password Generates a random password according to the settings in the password policy.
Allow executing root-level commands with the sudo tool Allows the administrator to use sudo commands to execute root-level commands on the selected engines.
Add Adds Engines, Access Control Lists and Domains to the list.
Remove Removes Engines, Access Control Lists and Domains from the list.