SecurityGateway for Email Servers v10.5

Edit User Verification Source

The Edit User Verification Source screen is used to edit an existing User Verification Source or to create a new one. You can reach this screen by clicking New on the User Verification Sources page or by selecting an entry in the list and clicking Edit. On this screen you will designate the type of source, its location, the port on which you will connect to it, any required authentication credentials, and the SecurityGateway domains that will use the source for verifying users.

Properties

Type:

Use this drop-down list box to specify what method of user verification this entry will use: SMTP Verification (call forward), Active Directory/Exchange, MDaemon (Minger), LDAP, or Office 365. The Description, Host or IP, and Port options below apply to all four types of verification sources. The remaining options will change depending on which type you choose. For all verification types, when an unknown local user is verified a SecurityGateway account will be created for that user and a welcome message may be emailed to the new account, containing a login link for SecurityGateway. The user's email address and password can then be used to log in to his or her SecurityGateway account to view the message log, message quarantine, and so on. Because LDAP does not support dynamic authentication, if that verification type is selected then a SecurityGateway password must be supplied to your users before they will be able to log in to SecurityGateway.

All verification types but LDAP support dynamic authentication. When users attempt to authenticate or log in to SecurityGateway, their local SecurityGateway login credentials are first checked, but if they do not exist then the credentials are passed to the Verification Sources for authentication. This allows users to authenticate or log in to their SecurityGateway accounts without having to remember a separate set of credentials specifically for SecurityGateway.

AUTH passwords cannot be verified dynamically when the CRAM-MD5 method of authentication is used.
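Why the CRAM-MD5 limitation holds, as an added example (not SecurityGateway code): dynamic authentication passes the user's credentials to the verification source, but with CRAM-MD5 (RFC 2195) the gateway receives only an HMAC over its own challenge, whereas with PLAIN it receives the password itself. The challenge, user and password are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values, not taken from SecurityGateway.
CHALLENGE = b"<1234.1700000000@gateway.example.com>"
USER, PASSWORD = "frank@example.com", "correct horse"


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side (RFC 2195): base64 of 'user' + space + hex HMAC-MD5(password, challenge)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify_cram_md5(response: str, challenge: bytes, known_password: Optional[str]) -> bool:
    """Server side: the digest can only be checked by recomputing it from the password."""
    if known_password is None:
        return False  # no local password, so there is nothing to recompute with
    _user, digest = base64.b64decode(response).decode().rsplit(" ", 1)
    expected = hmac.new(known_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def forwardable_credentials(mechanism: str, client_data: str) -> Tuple[str, Optional[str]]:
    """Return (user, password) a gateway could pass on; password is None if it never saw one."""
    raw = base64.b64decode(client_data)
    if mechanism == "PLAIN":  # RFC 4616: authzid NUL authcid NUL passwd
        _authzid, authcid, passwd = raw.split(b"\0")
        return authcid.decode(), passwd.decode()
    if mechanism == "CRAM-MD5":  # only a one-time digest bound to the gateway's challenge
        user, _digest = raw.decode().rsplit(" ", 1)
        return user, None
    raise ValueError(f"unsupported mechanism: {mechanism}")


if __name__ == "__main__":
    plain = base64.b64encode(f"\0{USER}\0{PASSWORD}".encode()).decode()
    cram = cram_md5_response(USER, PASSWORD, CHALLENGE)
    print("PLAIN    ->", forwardable_credentials("PLAIN", plain))
    print("CRAM-MD5 ->", forwardable_credentials("CRAM-MD5", cram))
    print("verify with password:", verify_cram_md5(cram, CHALLENGE, PASSWORD))
    print("verify without it:   ", verify_cram_md5(cram, CHALLENGE, None))
```
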

Description:

Use this text box for a description of the verification source (for example, "Server X at example.com"). It corresponds to the Description column on the User Verification Sources page.

Host or IP:

This is for the hostname or the IP address of the verification source. SecurityGateway will connect to this location when querying this source. This option corresponds to the Host column on the User Verification Sources page.

Port:

This is the port SecurityGateway will use when connecting to the verification source, and it corresponds to the Port column on the User Verification Sources page.

SMTP Verification (call forward)

Choose this type if you wish to use SMTP to verify unknown local recipients of incoming messages and unknown local senders of outbound messages. Similar to Callback Verification, SecurityGateway will attempt to verify the user via the SMTP protocol. For unknown local senders who attempt to authenticate, SecurityGateway will pass the user's credentials to the SMTP Verification source for authentication. If authentication is successful then the message will be accepted for delivery by SecurityGateway and an account for the user will be created. For accounts that already exist, SecurityGateway will first check the user's login credentials against the local user database. If no match is found there then the SMTP Verification source will be checked.

Requires authentication

Click this checkbox if the SMTP Verification source requires authentication. Then include the user name and password below.

User name:

If the SMTP Verification source requires authentication, specify your user name here.

Password:

Enter your SMTP Verification source password here.

Active Directory/Exchange

Choose this type if you wish to use Active Directory or an Exchange server to verify unknown local users. As with SMTP Verification above, this verification type supports dynamic authentication. For unknown local senders who attempt to authenticate, SecurityGateway will pass the user's credentials to the Active Directory/Exchange server for authentication. If authentication is successful then the message will be accepted for delivery by SecurityGateway and an account for the user will be created. For accounts that already exist, SecurityGateway will first check the user's login credentials against the local user database. If no match is found there then the SMTP Verification source will be checked.

User name:

This space is for the Active Directory/Exchange/Windows user name needed to log in to the verification source.

Password:

Use this space to enter the password that corresponds to the Active Directory/Exchange user name specified above.

Search Filter:

This is the search filter that will be used when querying your Active Directory/Exchange server for users. In most cases the default search filter should be sufficient.

MDaemon (Minger)

Choose this verification type if you wish to use an MDaemon server using Minger as the user verification source. This is an extended version of the Minger protocol exclusive to MDaemon servers and therefore this option cannot be used with other types of servers. This verification type supports dynamic authentication like the two previous verification types. This means that your users can authenticate or log in to their SecurityGateway accounts using their mail server login credentials.

Requires authentication

Click this checkbox if the MDaemon server requires authentication to use Minger.

Password:

Enter your MDaemon server's Minger password here.

MDaemon (XML API)

Choose this option to use the MDaemon XML-API as a User Verification Source type. MDaemon's XML API provides a better alternative to Minger as it can authenticate accounts for which MDaemon has not stored a copy of the password using reversible encryption. It can also return all aliases for an account in a single call. NOTE: This option requires MDaemon version 23.0.2 or later.

MDaemon XML API URL:

MDaemon's installation default XML-API URL is "http://servername:RemoteAdminPort/MdMgmtWS/". However, it is highly recommended to configure HTTPS options in MDaemon and use secure HTTP (i.e. https://servername:RemoteAdminPort/MdMgmtWS/).

Create MDaemon XML API Service Account

When configuring this User Verification Source within SecurityGateway, the process will create an "MDaemon XML API Service Account." The MDaemon XML API supports service accounts with limited permissions. When configuring a User Verification Source to use the MDaemon XML API, SecurityGateway will call the MDaemon XML API to create a service account with permission granted only to execute the "XMINGER" operation used for verifying and authenticating user accounts. Creating the service account requires the credentials of an MDaemon global administrator. SecurityGateway does not retain the MDaemon global administrator credentials after creating the service account. The returned service account credentials are used for the User Verification Source.

LDAP

Choose this verification type if you wish to use an LDAP server to verify your users. However, unlike with the other verification types, you cannot use LDAP to authenticate a user's login credentials. Consequently, dynamic authentication, or authenticating "on the fly", isn't supported. Therefore, if you require your users to authenticate then users verified through an LDAP verification source will not be able to log in or send messages through SecurityGateway without using their SecurityGateway account's password.

Bind DN:

Enter the Distinguished Name (DN) that has access to your LDAP server so that SecurityGateway can query it for user names. This is the DN used for authentication in the bind operation.

Password:

This password will be passed to your LDAP server along with the Bind DN value for authentication.

Base entry DN:

This is the root DN or starting point in the Directory Information Tree (DIT) at which SecurityGateway will search your Active Directory for users.

Search Filter:

This is the LDAP search filter that will be used when querying your LDAP server for users. In most cases the default search filter should be sufficient.

Search Scope:

This is the scope or extent of your LDAP searches.

Base DN only

Choose this option if you wish to limit your search to only the Base entry DN supplied above. The search will not proceed below that point in your tree (DIT).

1 level below base DN

Use this option if you wish to extend your search to one level below the Base entry DN in your DIT.

Base DN and all children

This option will extend the scope of your search from the Base entry DN to all of its children, down to the lowest child entry in your DIT. This is the default option selected.

Office 365

Choose this verification type if you wish to utilize Office 365 as a user verification source, and follow the steps below to set it up.

To allow SecurityGateway to access the Office 365 tenant, the Office 365 plan requires Exchange Online. Please make sure the Office 365 plan includes this feature.

To use Office 365 as a user verification source, SecurityGateway requires a service principal that has been granted permission to access the Office 365 tenant. Further, Office 365 utilizes Azure Active Directory as its directory service. The steps below detail how to configure Office 365 as a user verification source in SecurityGateway.

In Azure Active Directory:

1. Navigate to the App Registrations page in Azure AD.
2. Select New Registration.
3. Enter an application name in the name field.
4. Select Register.
5. Make note of the Application ID.
6. Select API Permissions.
7. Select + Add a permission.
8. Select Microsoft Graph.
9. Select Application Permissions.
10. Select Group.Read.All and User.Read.All.
11. Select Add permissions.
12. Click the Grant admin consent for... button.
13. Click Yes.
14. Select Certificates & Secrets.
15. Click + New Client Secret.
16. Enter a description in the description field.
17. Select the radio button to determine how long the password will be valid for.
18. Make note of the generated password.

In SecurityGateway:

1. Log in to SecurityGateway with the global admin account.
2. Select Setup/Users.
3. Select Accounts.
4. Select User Verification Sources.
5. Click New.
6. Select Office 365.
7. Enter a description.
8. Enter the Office 365 domain name in the Domain Name field.
9. Select the Type.
   For most configurations, the option will be "Global."
10. Enter the Application ID from Azure AD in the Service Principle field.
    This can be found on the Overview page of the app registration in Azure AD.
11. Enter the password generated in Azure AD above in the Password field.
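
A least-privilege check for the app registration created above, as an added example (not SecurityGateway or Microsoft code): it builds the standard OAuth 2.0 client-credentials token request for the Application ID and client secret, then compares the `roles` claim of an app-only access token with the two permissions selected in step 10. That SecurityGateway issues exactly this request, the global cloud login endpoint, the tenant name, the function names and the sample tokens are assumptions or constructed values.

```python
import base64
import json
from urllib.parse import urlencode

# Application permissions selected in step 10 of the Azure AD procedure.
EXPECTED_ROLES = {"Group.Read.All", "User.Read.All"}


def token_request(tenant: str, app_id: str, client_secret: str):
    """Build (url, form body) for an OAuth 2.0 client-credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,              # Application ID noted in step 5
        "client_secret": client_secret,   # generated password noted in step 18
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is not verified."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(access_token: str) -> dict:
    """Compare the token's application permissions ('roles' claim) with the expected set."""
    roles = set(token_claims(access_token).get("roles", []))
    return {"missing": sorted(EXPECTED_ROLES - roles),
            "excess": sorted(roles - EXPECTED_ROLES)}


def sample_token(roles) -> str:
    """Constructed, unsigned JWT-shaped string standing in for a real access token."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64({"roles": list(roles)}), ""])


if __name__ == "__main__":
    url, _body = token_request("example.onmicrosoft.com", "<application-id>", "<client-secret>")
    print("POST", url)
    print(audit_roles(sample_token(["User.Read.All"])))
    print(audit_roles(sample_token(["Group.Read.All", "User.Read.All", "Mail.ReadWrite"])))
```

A non-empty "missing" list usually means admin consent (step 12) was not granted; a non-empty "excess" list means the registration holds more Graph permissions than this procedure calls for.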

Type

This server is a default user verification source

If you wish to designate this source as one of your default user verification sources, click this checkbox. The default User Verification Sources are used for all SecurityGateway domains that haven't had sources specifically designated for their use. They are also used by the Automatic Domain Creation feature.

Specify below which domains should utilize this user verification source...

Use the options below to assign this verification source to one or more of your SecurityGateway domains. If multiple verification sources are assigned to a domain then you can designate the order in which they will be queried on the Verification tab of the domain's Properties screen.

Available Domains:

This box lists all available SecurityGateway domains. To specify the domains that should utilize this verification source, select them from the list and click the "--->" arrow.

Selected Domains:

This box lists all SecurityGateway domains that you have configured to utilize this source to verify users. To remove a domain from the list, select it and click the "<---" arrow.