Remote Access with F5 BIG-IP VPN

Imprivata Confirm ID integrates with F5 BIG-IP VPN to streamline authentication management and simplify two-factor authentication for remote access for employees. In addition to logging in remotely, Imprivata Confirm ID users can also enroll authentication methods from outside your network.

Before You Begin

Fully configure your F5 BIG-IP VPN environment for remote access with single-factor username and password authentication before configuring its connection to Imprivata.

BEST PRACTICE:

To plan your rollout and learn how Remote Access works, start here.

Diagram: Two-Factor Remote Access Authentication

The Imprivata Cloud Remote Access experience replaces the F5 BIG-IP default login screen with an Imprivata-powered graphical login screen.

This graphical login screen authenticates the user with Imprivata Confirm ID via the Imprivata Cloud. Only after that authentication is complete does Imprivata Confirm ID send the following to F5 BIG-IP:

  • Username and Password go to the F5 BIG-IP LDAP primary authentication
  • Username and authentication success token go to the F5 BIG-IP RADIUS secondary authentication

Unlike the legacy Remote Access experience that required 30 seconds for the users to respond and complete the authentication, the Imprivata Cloud Remote Access experience only requires time to send this one message to F5 BIG-IP.


  1. Primary authentication is initiated to the F5 BIG-IP. In the background, the browser renders the login page with three fields (e.g. username, password1, password2).
  2. The browser downloads Imprivata web content. The initial login page is overlaid with Imprivata’s custom login featuring only username and password fields.
  3. The user enters his username and password. This information is sent to the Imprivata Cloud Service.
  4. The Imprivata Cloud Service sends the user’s credentials to the customer’s on-premises Imprivata appliance.
  5. The Imprivata appliance verifies the username and password with Active Directory (or another directory service).
  6. The Imprivata appliance sends a push token request to the Imprivata Cloud Token Service.
  7. The Imprivata Cloud Token Service sends a push notification to the proper notification service (e.g. APNS or GCM).
  8. The notification service sends the push notification to the user’s phone.
  9. The user accepts the push notification. The user’s phone sends a token back to the Cloud Token Service.
  10. The Cloud Token Service sends a 'push token accepted' to the Imprivata appliance.
  11. The Imprivata appliance sends an 'access accept' with a secure token to the Imprivata Cloud Service.
  12. The Imprivata Cloud Service forwards the secure token to the user’s browser.
  13. The user’s browser sends his username, password, and the secure token in the second password field.
  14. F5 BIG-IP verifies the username and password. The group and other attributes are sent back to the gateway for authorization.
  15. F5 BIG-IP verifies the Imprivata secure token over RADIUS to the Imprivata appliance.
  16. F5 BIG-IP VPN access granted to the user.

Cloud-Based Remote Access Integration

Integrate your Imprivata Confirm ID environment with F5 BIG-IP.

  1. In the Imprivata Admin Console, go to Applications > Remote access integrations.

  2. Click f5 > Add new integration.

    If your connection to the Imprivata cloud looks good, your Customer ID will appear.

Cloud Connection

Imprivata Services will enter the Enterprise ID and one-time cloud provisioning code required to establish trust between your Imprivata enterprise and the Imprivata cloud:

  1. If you're not on the Cloud Connection page already: In the Imprivata Admin Console, click the gear icon > Cloud connection.
  2. Services will enter your Enterprise ID and cloud provisioning code.
  3. Click Establish trust.

BEST PRACTICE:

The cloud connection must be established by Imprivata Services.

Cloud Connection Status

You can review the status of your enterprise's connection to the Imprivata cloud at any time. Status notifications are displayed on the Imprivata Admin Console, and the cloud connection status of every appliance at every site is also available:

  1. In the Imprivata Admin Console, go to the gear icon > Cloud connection.

  2. Every appliance host is listed with its status. If there are problems with a connection, recommendations for resolving the problem are displayed here.

Add New F5 BIG-IP Integration

  1. On the Add new F5 BIG-IP integration page:

    • Enter a descriptive Nickname

    • Enter the Hostname or IP address of the F5 BIG-IP client. (The F5 BIG-IP client may also be referred to as the Network Access Server (NAS) or RADIUS client.)

    • Enter the Encryption key (shared secret).

      BEST PRACTICE: This encryption key will be used as a shared secret between your RADIUS server (Imprivata appliance) and RADIUS client (F5 BIG-IP). Use a computer-generated string at least 22 characters in length.

      You do not need to repeat this process for each Imprivata appliance. This client configuration is distributed to all Imprivata appliances in your enterprise.

  2. Optional — Some RADIUS clients demand return information about authenticating users in the form of RADIUS attributes. You can add these attributes here. See Managing RADIUS Connections.

  3. Click Save and get integration script. Contact your F5 BIG-IP administrator to include the script in a rewrite script (see below). This script is also available on the Imprivata Admin Console > Applications > Remote access integrations page.

Configure the F5 BIG-IP VPN

There are five configuration steps to integrate Imprivata Confirm ID Remote Access with F5 BIG-IP:

  • Add the RADIUS Client to point to the Imprivata appliance
  • Edit the login page to include a third login field
  • Add token authentication via the RADIUS server as a second factor to your Access Policy
  • Customize the logon page by pasting in the integration script
  • Increase the logon page session timeout to allow time for the user to enroll Imprivata ID

Add RADIUS Client

  1. On the F5 console, go to Access > Authentication > RADIUS > Create...
  2. Configure the fields as follows. Click Finished when you're done:
    Name: impr-radius-server
    Server Connection: Direct
    Server Address: Enter the IP address of the Imprivata appliance.
    Authentication Service Port: 1812
    Secret: Enter the Secret, and again in the Confirm Secret field. This is the same key as the "encryption key" entered in the Imprivata Admin Console > Applications > Remote access integrations.
    Timeout: 5 seconds (default)
    Retries: 3 (default)
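The RADIUS leg of the flow (steps 13 to 15 above: the F5 forwards the Imprivata secure token in the second password field, and the appliance verifies it over RADIUS) is easier to reason about when you can see the packets. The following is an added example, not Imprivata's or F5's code: a minimal RFC 2865 exchange in which the "F5 side" builds an Access-Request carrying User-Name and the token as User-Password, and the "appliance side" recovers the token with the shared secret and answers with an authenticated Access-Accept or Access-Reject. All values (the username "alice", the token, the NAS address 192.0.2.10) are constructed, and the generate_shared_secret helper is an assumption that simply follows the 22-character-minimum recommendation. It also shows why the secret must be identical on both sides: a mismatched secret turns the decoded token into garbage and the response authenticator stops verifying, so the integration fails closed.

```python
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def generate_shared_secret() -> str:
    """Computer-generated secret for the RADIUS client entry (assumed helper):
    24 random bytes as 32 URL-safe characters, above the 22-character minimum."""
    return secrets.token_urlsafe(24)


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous block), seeded by the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out, prev = out + _xor16(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, token: str,
                         secret: bytes, nas_ip: str, request_auth: bytes) -> bytes:
    """What the F5 (RADIUS client / NAS) sends: User-Name, the token in
    User-Password (the password1 session variable), and its NAS-IP-Address."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(token.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, data[4:20], attrs


def appliance_handle(request: bytes, secret: bytes, expected_tokens: dict) -> bytes:
    """What the RADIUS server (Imprivata appliance) does: recover the token with
    its copy of the shared secret and compare it to the token issued for that user."""
    code, identifier, request_auth, attrs = parse_packet(request)
    ok = False
    if code == ACCESS_REQUEST and ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs:
        username = attrs[ATTR_USER_NAME].decode(errors="replace")
        presented = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
        expected = expected_tokens.get(username)
        # A secret that differs between F5 and appliance yields garbage here: fail closed.
        ok = expected is not None and hmac.compare_digest(presented, expected.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The client must check the Response Authenticator and identifier before
    trusting an Access-Accept; an unauthenticated UDP reply proves nothing."""
    code, identifier, response_auth, _ = parse_packet(response)
    _, request_id, request_auth, _ = parse_packet(request)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return identifier == request_id and hmac.compare_digest(response_auth, expected)


if __name__ == "__main__":
    shared = generate_shared_secret().encode()   # configured identically on both sides
    req_auth = secrets.token_bytes(16)           # fresh Request Authenticator per request
    req = build_access_request(7, "alice", "constructed-token", shared, "192.0.2.10", req_auth)
    resp = appliance_handle(req, shared, {"alice": "constructed-token"})
    print("accepted:", parse_packet(resp)[0] == ACCESS_ACCEPT,
          "authentic:", client_verify_response(resp, req, shared))
```

Running the script prints "accepted: True authentic: True". Replacing the appliance's secret with any other value produces an Access-Reject whose authenticator the client also refuses, which is the symptom you will see in the F5 access log when the Secret on the RADIUS server object does not match the Encryption key entered in the Imprivata Admin Console.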

Edit Logon Page to Include Third Logon Field

  1. On the F5 console, go to Access > Profiles / Policies > Access Profiles (Per-Session Policies)

  2. In the row for your existing Access Profile for LDAP authentication, in the Per-Session Policy column, click Edit...

  3. Click the Logon Page action. Configure the fields as follows:

    Third field:
      Type: password
      Post Variable Name: password1
      Session Variable Name: password1
      Logon Page Input Field #3: Token (default)

  4. Save your changes when you're done.

  5. Apply the saved changes to the Access Policy: click Apply Policy next to the F5 logo at the top of the page (this click redirects you to Access > Profiles / Policies > Access Profiles (Per-Session Policies)).

  6. Select the Access Policy and click Apply.

Add Token Authentication As A Second Factor

  1. On the F5 console, go to Access > Profiles / Policies > Access Profiles (Per-Session Policies)

  2. In the row for your existing Access Profile for LDAP authentication, in the Per-Session Policy column, click Edit...

    Your existing Access Policy should look something like this:

  3. Just to the right of the Successful branch of the LDAP Auth action, click + to add a new action.

  4. Click the Authentication tab, select RADIUS Auth from the list, and click Add Item.

  5. Configure the fields as follows.

    AAA Server: impr-radius-server (select the server you created above)
    Password Source: %{session.logon.last.password1} (add a "1" to "password" to match the variable name you created above)

  6. Click Save.

    Your revised Access Policy should look like this:

  7. Apply the saved changes to the Access Policy.

Add Integration Script to Logon Page

  1. In the Imprivata Admin Console, go to the Applications > Remote access integrations page and copy the Remote Access Integration script.

  2. On the F5 console, go to Profiles / Policies > Customization > Advanced

  3. In the Form Factor navigation, go to Customization Settings > Access Profiles > your policy name > Access Policy > Logon Pages > logon.inc

  4. Paste the Imprivata integration script manually before the closing </body> tag. Example (your token code will be different):

    <!--Imprivata F5 Integration Script -->
    <script src='https://cidra.integration.common.imprivata.com/static/js/embed/f5.js' data-access-token='eyJ0ZW5hbnRJZCI6IjQyNTQ3NzU5ODUwMDM2MzUzNiIsCiJjb250ZXh0RGF0YSI6CnsiYXV0aEFwcElkIjoiTmV0c2NhbGVyIiwKImF1dGhJbnN0YW5jZUlkIjoiMDkxNDdiNzktYjEwNS00NWQzLTk0N2ItNzliMTA1NjVkM2VhIn19'></script>
    </body>

    </html>

  5. Click Save.

  6. Apply the saved changes to the Access Policy.

Repeat for every server's access policy where you need to integrate with Imprivata Confirm ID. This script only affects servers using this access policy.

Best Practice: Increase Logon Page Session Timeout

Imprivata Confirm ID enables your users to enroll Imprivata ID when logging in remotely. However, unless you increase F5's default five-minute session timeout, the user's session may time out while they turn away from their browser to install the Imprivata ID app on their device.

  1. On the F5 console, go to Access > Profiles / Policies > Access Profiles (Per-Session Policies)

  2. Click on the Access Profile Name (not the Edit link)

  3. Go to Settings > Access Policy Timeout. This value is set to 300 seconds by default. Best Practice: increase the value to 900 seconds.

  4. Click Update.

  5. Apply the saved changes to the Access Policy.

Optional — Number Matching

Multi-factor authentication fatigue attacks, also known as "MFA bombing", are a common cyberattack strategy. In an MFA fatigue attack, the attacker sends MFA push notifications to a registered user. The user may accidentally or absent-mindedly accept one of these push notifications, giving the attacker access to protected resources. This type of attack is generally preceded by phishing of the registered user’s login credentials.

With Imprivata’s Number Matching authentication enabled, users must enter a 2-digit code into Imprivata ID that matches the randomly generated number displayed on the application being accessed. This reduces the risk of the user accepting a push notification they did not initiate, and keeps your digital assets out of the hands of bad actors.

Setup

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. On the Confirm ID workflow policy page > Authentication Options, select Require Web SSO and remote access users to enter a code when using Imprivata ID for MFA (number matching).

NOTE:

Number Matching authentication is available for Imprivata Confirm ID Remote Access and Imprivata WebSSO only. Number Matching authentication is not available for the feature Imprivata ID for Windows Access.

This feature does not add Imprivata ID push notifications with number matching to workflows that do not already require the user to accept push notifications. This feature only requires users to enter a 2-digit code within workflows that already require the user to accept Imprivata ID push notifications. See Expected Workflow, below.

Expected Workflow

In this example, the user is at an endpoint computer where the Imprivata Agent is not present, and/or they are completing WebSSO or Remote Access workflows that require the user to accept an Imprivata ID push notification:

  1. The user is logging in remotely, or provides the URL for an app enabled for Imprivata Web SSO.

  2. The user is prompted to enter their username and password.

  3. After the user successfully enters their username and password, they are prompted to approve a push notification sent to their enrolled Imprivata ID. A two-digit code will be shown on the application or resource being accessed.

  4. Imprivata ID will display the username and the application the user is accessing.

    The code expires in 30 seconds.

  5. After the user accepts the push notification, they are given access to the application/resource.

    When authenticating to some sites, the user may need to manually enter the six-digit Token Code from Imprivata ID app.

    For WebSSO, subsequent apps are automatically authenticated within the same browser and the same session.

    If the user closes an app without logging out of the app, he can return to the app during the same session without logging in again.

    If the user fails to enter the code correctly, or the code expires, the user must begin authentication again.
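The workflow above imposes three rules on the two-digit code: it is bound to one login attempt, it expires after 30 seconds, and a wrong or expired entry sends the user back to the start. The following is an added illustration, not Imprivata's implementation, of a verifier that enforces exactly those rules; the class and method names are assumptions, and the clock is injectable so the expiry behaviour can be exercised without waiting. The point of the design is that an approval is only accepted together with a code that was displayed on the resource the user is actually accessing, so a push notification the user did not trigger cannot be matched by absent-mindedly tapping Accept.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 30  # the page states the code expires in 30 seconds


class NumberMatchChallenge:
    """One pending login attempt: the code shown on the application, plus the
    username and application name that Imprivata ID displays to the user."""

    def __init__(self, username: str, application: str, issued_at: float):
        self.username = username
        self.application = application
        self.code = f"{secrets.randbelow(100):02d}"   # "00" .. "99", shown in the browser
        self.issued_at = issued_at


class NumberMatchingVerifier:
    """Hypothetical verifier modelling the rules in the Expected Workflow section."""

    def __init__(self, ttl: float = CODE_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._pending = {}   # username -> NumberMatchChallenge

    def issue(self, username: str, application: str) -> NumberMatchChallenge:
        """Called after the password check succeeds and before the push is sent.
        A new challenge replaces any older one, so only the latest prompt can match."""
        challenge = NumberMatchChallenge(username, application, self.clock())
        self._pending[username] = challenge
        return challenge

    def verify(self, username: str, entered_code: str) -> str:
        """Called when the phone returns the code the user typed into Imprivata ID.
        Returns one of: accepted, expired, mismatch, no_pending_challenge."""
        # Single use: the challenge is removed whether or not this attempt succeeds,
        # so a wrong or late entry forces the user to begin authentication again.
        challenge = self._pending.pop(username, None)
        if challenge is None:
            return "no_pending_challenge"
        if self.clock() - challenge.issued_at > self.ttl:
            return "expired"
        if not hmac.compare_digest(challenge.code.encode(), str(entered_code).encode()):
            return "mismatch"
        return "accepted"


if __name__ == "__main__":
    verifier = NumberMatchingVerifier()
    challenge = verifier.issue("alice", "F5 BIG-IP VPN")     # constructed sample login
    print("browser shows code:", challenge.code)
    print("phone enters wrong code ->", verifier.verify("alice", "XX"))
    print("retry without new login ->", verifier.verify("alice", challenge.code))
```

Two consequences of the single-use rule are worth noting when you test the rollout: a user who mistypes the code is not offered a second try on the same push, and a prompt left unanswered past 30 seconds is rejected even if the correct code is eventually entered, matching the "must begin authentication again" behaviour described above.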

CAUTION:

For this workflow, users must upgrade to the latest version of Imprivata ID on their mobile device. Users with versions of Imprivata ID before 2023.2 (iOS) or 2023.1 (Android) will not have the option to simply accept a push notification; they must manually enter the six-digit Token Code to authenticate to all sites.