Configure the correct ports and services to allow end users to authenticate using SSO through your on-premises Active Directory server from public networks or your corporate intranet locations.

Important: If you have chosen Kerberos-based authentication, some endpoints may not be able to connect to the Kerberos server while on a public network. If Kerberos authentication fails, the authentication proxy service will use NTLM v2-based authentication.

The authentication proxy service on the Zero Trust Secure Access Internet Access On-Premises Gateway facilitates NTLM v2 or Kerberos-supported single sign-on (SSO) authentication with your on-premises Active Directory server. The service runs within the DMZ between firewalls, which allows users access for authentication whether the users are connecting from the corporate intranet (user A in the above diagram), or from a public or home network (user B in the above diagram). The service retrieves settings and data from Trend Vision One via HTTPS through port 443 on firewall A.

Once configured, the authentication proxy service allows end users to reach your Active Directory server from endpoints under the following scenarios.

| Secure Access Module status | Location | Connection method |
|---|---|---|
| Installed | Any location | Any method |
| Not installed | Corporate network | Through a configured Internet Access On-Premises Gateway, or through the Internet Access Cloud Gateway from a defined IP address |
| Not installed | Public or home network | Through the Internet Access On-Premises Gateway via firewall |
Before configuring the authentication proxy service, you must have a Service Gateway virtual appliance installed with the Zero Trust Secure
Access Internet Access On-Premises Gateway service enabled.
Procedure

- Enable Single Sign-On with Active Directory (On-Premises) and complete the configuration steps.
- Ensure that DNS can resolve the FQDN of the authentication proxy to the proper IP address for endpoints accessing from the corporate network or from a public/home network. Note that when accessing from a public or home network, the authentication proxy FQDN must resolve to a public IP address. If you are using:
  - a single gateway, the authentication proxy FQDN is the <single gateway FQDN>
  - multiple gateways behind a load balancer, the authentication proxy FQDN is the <load balancer FQDN>
- In your firewall settings for firewall A, open the following ports according to how users plan to access the authentication proxy service.
  - TCP 8089: For users accessing the service on a public network through the cloud gateway
  - TCP 8088: For users accessing the service on a public network through the on-premises gateway

  Important: The authentication proxy service also requires TCP port 8089 as a listening port.
- If you are using NTLM authentication:
  - In your firewall settings for firewall B, ensure you allow the IP address of the Service Gateway appliance running the on-premises gateway.

    Tip: Find the IP address of your Service Gateway appliance in Service Gateway Management.
  - Open the port for your Active Directory server on firewall B according to the server type and protocol.

    | Protocol | Microsoft Active Directory | Microsoft Active Directory Global Catalog |
    |---|---|---|
    | LDAP | 389 | 3268 |
    | LDAPS | 636 | 3269 |
- In your firewall settings for firewall B, ensure you allow the IP address of the Service
Gateway appliance running the on-premises gateway.
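As an added pre-flight check (example code written for this page, not part of Trend Vision One or the Service Gateway), the script below encodes the port requirements from the steps above and probes them from wherever it is run. The FQDNs, the access-path labels and the server-type labels are assumptions chosen for the example.

```python
import ipaddress
import socket

# Firewall A: TCP port users reach the authentication proxy on, by access path (from the page).
AUTH_PROXY_PORTS = {"on-premises gateway": 8088, "cloud gateway": 8089}
LISTENING_PORT = 8089  # the page notes the proxy always needs 8089 as a listening port
# Firewall B (NTLM section of the page): port the gateway needs on the Active Directory server.
AD_PORTS = {("LDAP", "domain controller"): 389, ("LDAP", "global catalog"): 3268,
            ("LDAPS", "domain controller"): 636, ("LDAPS", "global catalog"): 3269}
# Ranges a home/public user cannot route to; the proxy FQDN must not resolve into these.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16")]

def firewall_a_ports(access_path):
    """Sorted TCP ports firewall A must accept for users on the given access path."""
    return sorted({AUTH_PROXY_PORTS[access_path], LISTENING_PORT})

def resolves_to_public_ip(fqdn, resolver=socket.gethostbyname):
    """True when the proxy FQDN resolves to an address outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(resolver(fqdn))
    except (OSError, ValueError):  # NXDOMAIN or resolver failure counts as a failed check
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect probe; True if the port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(fqdn, access_path, protocol, server_type, ad_host,
              resolver=socket.gethostbyname, probe=tcp_reachable):
    """Run every check the procedure implies; returns {check name: passed}."""
    results = {"proxy_fqdn_public": resolves_to_public_ip(fqdn, resolver)}
    for port in firewall_a_ports(access_path):
        results[f"firewall_a_tcp_{port}"] = probe(fqdn, port)
    ad_port = AD_PORTS[(protocol, server_type)]
    results[f"firewall_b_{protocol.lower()}_tcp_{ad_port}"] = probe(ad_host, ad_port)
    return results

if __name__ == "__main__":
    # Example run for a home-network user, LDAPS to a global catalog (hostnames are placeholders).
    for name, ok in preflight("authproxy.example.test", "on-premises gateway",
                              "LDAPS", "global catalog", "gc.corp.example.test").items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

The firewall A rows are meaningful only when run from a public or home network, and the firewall B row only from the Service Gateway's network segment, so run it from both vantage points and read the rows that apply.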