Configuring a restricted session for Windows integrated logon

When you configure the SafeLinx Client to use the Windows integrated logon, you can choose to offer these clients access to a restricted session.

About this task

You can specify the network resources to which a SafeLinx Client can pass traffic after it connects with an expired password. Using a restricted session lets users change an expired domain password without giving them access to the rest of the enterprise network.

Note: A restricted session is only available for secondary authentication when using an LDAP-bind authentication profile that is connected to a Microsoft Windows Server 2003 Active Directory service server (DSS) performing LDAP-bind operations.

Procedure

  1. Make sure that you have a connection profile to which you want to assign the LDAP-bind authentication profile. The connection profile must use the Diffie-Hellman key exchange algorithm.
  2. Make sure that you are using Active Directory for LDAP-bind operations, then define the LDAP-bind DSS as a Directory server using SafeLinx Administrator:
    1. Click the Resources tab and right-click the OU in which you want to create the Directory server.
    2. Select Add Resource > Directory server.
    3. Follow the instructions in the Add wizard to define the Active Directory LDAP-bind DSS, then click Finish.
  3. Determine how you want to allow SafeLinx Client traffic to pass after it connects with an expired password. Positive-mode filters allow traffic to pass, while negative-mode filters deny traffic from passing. A bidirectional filter is applied to both incoming and outgoing traffic. At a minimum, define a positive-mode bidirectional filter that permits traffic to the LDAP-bind DSS. After you review the positive filters that were previously defined, determine whether you need additional filters and create them:
    1. Click the Resources tab and right-click the OU in which you want to create the filters.
    2. Select Add Resource > Filter, then select the type of filter to create.
    3. Provide a descriptive label that makes it easy for you to recognize the profile later.
    4. Select Direction > Bidirectional.
    5. Select Mode > Positive.
    6. Specify the LDAP-bind DSS IP address as the Destination IP address and do not specify a source IP address.
    7. Specify the LDAP-bind port as the Destination port and do not specify a source port.
    8. Follow the instructions in the Add wizard, then click Finish.
  4. Create an LDAP-bind authentication profile that offers restricted access.
    1. Click Add Resource > Authentication profile > LDAP-bind authentication.
    2. Define the common name and provide a descriptive label that makes it easy for you to recognize the profile later.
    3. Select the LDAP-bind DSS that you defined in step 2 to use as the Directory server.
    4. In the LDAP attribute used for lock status field, type userAccountControl.
    5. Select the filter that you created in step 3 as the Restricted session filters. If you are using Active Directory for LDAP-bind operations and you do not specify any filters to pass traffic, then all traffic is blocked by default.
    6. Follow the instructions in the Add wizard, then click Finish.
  5. Click the Resources tab and expand the OU that contains the connection profile to which you want to assign the LDAP-bind authentication profile.
  6. Double-click Connection profile, select the connection profile from the list, and then click Properties.
  7. Click the Security tab and make sure that the key-exchange algorithm is set to Diffie-Hellman.
  8. Select the authentication profile that you created in step 4 as the Secondary authentication profile, then click OK.
  9. Make sure that the connection profile is assigned to the MNC through which the SafeLinx Clients connect.
  10. Make sure that the SafeLinx Client is enabled to use the Windows user ID and password. On the SafeLinx Client for Windows system:
    1. Make sure that the custom program component Windows integrated logon that supports using the Windows user ID and password is installed along with the SafeLinx Client.
    2. Create a connection. For instructions, see the SafeLinx Client for Windows User's Guide.
    3. Right-click the icon that represents that connection, and select Properties.
    4. Click the Attributes tab and click Use Windows user ID and password, then click OK.

When you have configured the SafeLinx Client to start a connection when the operating system starts, and configured the SafeLinx Server to provide a restricted session for changing Windows domain passwords, users can change their expired Windows domain password when prompted by the Windows logon operation. If the change password operation consistently fails with a message that the domain is unreachable, you might need to modify the TCP/IP settings on the client system. If the Advanced TCP/IP settings for the Windows network connection specify DNS suffixes to append, make sure that the DNS domain that represents the domain controller is present in this list, or select the Append primary and connection specific DNS suffixes option. After you modify the TCP/IP settings, restart the system and log on.
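The following read-only check is an added example and is not part of the SafeLinx documentation or product. Run it in PowerShell on the SafeLinx Client for Windows system to confirm the two conditions the "domain is unreachable" note above depends on: that the domain controller's DNS domain is covered by the client's suffix settings, and that the domain controller's LDAP SRV record resolves. The domain name corp.example.com and the LDAP port 389 are placeholder assumptions; substitute your own domain and the LDAP-bind port you configured in the filter.

```powershell
function Test-RestrictedSessionDns {
    param(
        [Parameter(Mandatory)][string]$DcDomain,   # DNS domain of the domain controller (assumed)
        [int]$LdapPort = 389                       # LDAP-bind port used in the restricted-session filter (assumed)
    )

    $settings = Get-DnsClientGlobalSetting
    $result = [ordered]@{ Domain = $DcDomain }

    # UseSuffixSearchList is $true when "Append these DNS suffixes (in order)" is selected
    # in Advanced TCP/IP settings; in that case the DC domain must be in the list.
    if ($settings.UseSuffixSearchList) {
        $result.SuffixListInUse    = $true
        $result.DomainInSuffixList = [bool]($settings.SuffixSearchList -contains $DcDomain)
        if (-not $result.DomainInSuffixList) {
            Write-Warning "$DcDomain is not in the DNS suffix search list: $($settings.SuffixSearchList -join ', ')"
        }
    } else {
        # "Append primary and connection specific DNS suffixes" is selected; no explicit list is used.
        $result.SuffixListInUse    = $false
        $result.DomainInSuffixList = $null
    }

    # Resolve the DC locator SRV record; failure here matches the "domain is unreachable" symptom.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DcDomain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $result.DomainControllers = @($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" })
    } catch {
        $result.DomainControllers = @()
        Write-Warning "Could not resolve the DC SRV record for ${DcDomain}: $($_.Exception.Message)"
    }

    # In a restricted session only traffic matching the positive filters passes, so a DC that
    # is not the configured LDAP-bind DSS is expected to be unreachable on the LDAP port.
    $result.LdapReachable = @()
    foreach ($dc in $srv) {
        $ok = Test-NetConnection -ComputerName $dc.NameTarget -Port $LdapPort -InformationLevel Quiet -WarningAction SilentlyContinue
        $result.LdapReachable += "$($dc.NameTarget):$LdapPort=$ok"
    }

    [pscustomobject]$result
}

# Example invocation with the placeholder domain; replace with your domain controller's DNS domain.
Test-RestrictedSessionDns -DcDomain 'corp.example.com'
```

Any domain controller reported as unreachable on the LDAP port while DNS resolution succeeds is consistent with the restricted-session filters, not a DNS problem; a failed SRV lookup points at the suffix settings described above.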