Configure the correct ports and services to allow end users to authenticate using SSO through your on-premises Active Directory server from public networks or your corporate intranet locations.

[Diagram: Internet Access On-Premises Gateway authentication proxy]
The authentication proxy service on the Zero Trust Secure Access Internet Access On-Premises Gateway provides NTLMv2- or Kerberos-based single sign-on (SSO) against your on-premises Active Directory server. The service runs in the DMZ between the two firewalls, so users can reach it for authentication whether they connect from the corporate intranet (user A in the diagram) or from a public or home network (user B in the diagram). The service retrieves its settings and data from Trend Vision One over HTTPS through TCP port 443 on firewall A.
Once configured, the authentication proxy service allows end users to reach your Active Directory server from endpoints in the following scenarios.

Secure Access Module status   Location                 Connection method
Installed                     Any location             Any method
Not installed                 Corporate network
Not installed                 Public or home network   Through the Internet Access Cloud Gateway from a defined IP address
Not installed                 Public or home network   Through the Internet Access On-Premises Gateway via firewall
Before configuring the authentication proxy service, you must have a Service Gateway virtual appliance installed with the Zero Trust Secure Access Internet Access On-Premises Gateway service enabled.

Procedure

  1. In Secure Access Configuration > Internet Access Configuration > Global Settings, enable Single Sign-On with Active Directory (On-Premises) and complete the configuration steps.
    Important
    If you have chosen Kerberos-based authentication, some endpoints on a public network may not be able to reach the Kerberos server. If Kerberos authentication fails, the authentication proxy service falls back to NTLMv2-based authentication.
  2. In your firewall settings for firewall A, open the following ports according to how users will access the authentication proxy service.
    • TCP 8089: For users accessing the service on a public network through the cloud gateway
      Important
      The authentication proxy service also requires TCP port 8089 as a listening port.
    • TCP 8088: For users accessing the service on a public network through the on-premises gateway
  3. In your firewall settings for firewall B, ensure you allow the IP address of the Service Gateway appliance running the on-premises gateway.
    Tip
    Find the IP address of your Service Gateway appliance in Service Gateway Management.
  4. Open the port for your Active Directory server on firewall B according to the server type and protocol (all TCP).

    Protocol   Microsoft Active Directory   Microsoft Active Directory Global Catalog
    LDAP       389                          3268
    LDAPS      636                          3269
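To confirm that firewalls A and B actually pass the traffic this procedure requires, the following connectivity check is an added example (not Trend Micro code and not part of the original page). It builds the list of TCP probes from the port tables above (8089 and 8088 on firewall A; 389/636 and 3268/3269 on firewall B depending on LDAP or LDAPS and whether the Global Catalog is used) and attempts each connection, completing a TLS handshake for the LDAPS ports so that an open port that is not serving TLS is still reported as a failure. The gateway address `203.0.113.10` and domain controller name `dc01.corp.example` are placeholders assumed for illustration. Note that a probe only proves reachability from where it runs: check the firewall A ports from the public side and the firewall B ports from the Service Gateway appliance (or a host on the same side of firewall B).

```python
"""Connectivity check for the authentication proxy firewall rules.

Added example, not Trend Micro code. Hostnames and addresses used below are
placeholders (assumed for illustration); replace them with your own.
"""
import socket
import ssl
import threading

# Port table from the procedure above (all TCP).
PROXY_PORT_VIA_CLOUD_GATEWAY = 8089   # firewall A: public users via the cloud gateway
PROXY_PORT_VIA_ONPREM_GATEWAY = 8088  # firewall A: public users via the on-premises gateway
AD_PORTS = {"LDAP": 389, "LDAPS": 636}      # firewall B: domain controller
GC_PORTS = {"LDAP": 3268, "LDAPS": 3269}    # firewall B: Global Catalog


def required_checks(gateway_ip, ad_server, use_cloud_gateway=True,
                    use_onprem_gateway=True, protocol="LDAPS",
                    global_catalog=False):
    """Return the list of (label, host, port, tls) probes this deployment needs.

    protocol selects LDAP (389/3268) or LDAPS (636/3269); global_catalog adds
    the Global Catalog port alongside the domain port.
    """
    if protocol not in AD_PORTS:
        raise ValueError("protocol must be LDAP or LDAPS")
    tls = protocol == "LDAPS"
    checks = []
    if use_cloud_gateway:
        checks.append(("firewall A: proxy via cloud gateway",
                       gateway_ip, PROXY_PORT_VIA_CLOUD_GATEWAY, False))
    if use_onprem_gateway:
        checks.append(("firewall A: proxy via on-prem gateway",
                       gateway_ip, PROXY_PORT_VIA_ONPREM_GATEWAY, False))
    checks.append((f"firewall B: AD {protocol}", ad_server, AD_PORTS[protocol], tls))
    if global_catalog:
        checks.append((f"firewall B: AD Global Catalog {protocol}",
                       ad_server, GC_PORTS[protocol], tls))
    return checks


def check_tcp(host, port, timeout=3.0, tls=False):
    """Return True if a TCP connection to host:port succeeds within timeout.

    With tls=True the probe also completes a TLS handshake, as an LDAPS client
    would, so an open port that does not speak TLS is reported as failing.
    Certificate validation is skipped on purpose: this tests the firewall
    path, not the AD server's certificate chain.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if tls:
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass
        return True
    except OSError:  # refused, timed out, reset, or TLS handshake failure
        return False


def run_checks(checks):
    """Probe every entry and return a dict mapping label -> reachable (bool)."""
    return {label: check_tcp(host, port, tls=tls)
            for label, host, port, tls in checks}


def probe_self():
    """Self-test of check_tcp: listen on an ephemeral loopback port and probe it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def accept_once():
        conn, _ = listener.accept()
        conn.close()

    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()
    reachable = check_tcp("127.0.0.1", port, timeout=2.0)
    worker.join(2.0)
    listener.close()
    return reachable


if __name__ == "__main__":
    # Placeholder addresses (assumed): Service Gateway appliance and a domain controller.
    results = run_checks(required_checks("203.0.113.10", "dc01.corp.example",
                                         protocol="LDAPS", global_catalog=True))
    for label, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}")
```

A FAIL on a firewall A port means public users on that path cannot reach the proxy at all; a FAIL on an LDAPS port with LDAP succeeding usually means firewall B passes 389 but not 636 (or the domain controller has no certificate bound for LDAPS), which is worth distinguishing from a plain firewall block.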