Yubico Forum

PostPosted: Fri Aug 17, 2012 2:27 pm 
Offline

Joined: Fri Aug 17, 2012 11:44 am
Posts: 3
Hi all.

Just got my first YubiKey and plan to use them along with YubiRADIUS and Cisco ASA.

Is there some way to protect my exposed webmail application from the Internet with YubiKey's OTP? I mean, is it possible to set up some kind of a front-end to it, that only allows valid YubiKey users through to the login window?



PostPosted: Mon Aug 20, 2012 4:48 pm 
Offline
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Hello,

At a high level, the Yubico technology and ecosystem comprises the following main parts:

a. YubiKey hardware token that generates one time passwords (OTPs)
b. Yubico Validation server that validates the OTPs generated by YubiKeys and
c. Validation Protocol that defines the client-server communication protocol between the clients and Yubico Validation server

The link http://www.yubico.com/technical-description gives an overview and details of various components mentioned above. This page has several links on the left side for further reading on each component.

We further recommend the following links:

1. For more information on the Yubico Validation Server please visit http://www.yubico.com/validation-server and look for the Yubico PHP server, which is a free open-source project you can download and deploy in your environment to meet your requirements. The Validation server has a dependency on a key storage module for secure storage of the secret AES keys. Yubico YK-KSM is an open-source implementation of a secure key storage module, and YubiHSM is a hardware-based solution that offers much stronger security for the key storage module. Please visit http://www.yubico.com/yubihsm for more information on YubiHSM.

2. Yubico also offers open-source client implementations in a number of programming languages (including for .NET) to make it easy for customers to implement YubiKey-based strong two-factor authentication. Please visit http://www.yubico.com/web-api-clients for more details on the validation clients and links to the Validation Protocol.

3. Most relevant to your needs could be the YubiRADIUS solution from Yubico, which is enterprise-class software for secure remote access with YubiKey two-factor authentication. It provides three potential ways of integrating YubiKey-based authentication into your environment:
a) RADIUS
b) Web API for YubiKey based two-factor authentication. (In both a) and b) one of the factors for authentication is standard username + password based on AD binding and the second factor is YubiKey OTP)
c) Web API for validating the YubiKey OTPs

The solution is based on FreeRADIUS and open source components and is offered as a free virtual appliance for easy download and quick installation. YubiRADIUS virtual appliance has a pre-configured instance of the Yubico PHP validation server that can be used for OTP validation and an option to use YK-KSM and YubiHSM for secure key storage.

4. Finally, Yubico offers guidelines and best practices on how YubiKey based two-factor authentication can be implemented. Please visit http://www.yubico.com/development-guidelines for more details.

Hope this helps.

Thanks and best regards,
Samir.


PostPosted: Mon Aug 20, 2012 5:38 pm 
Offline
Yubico Team

Joined: Mon Jul 23, 2012 9:59 pm
Posts: 27
jakobjs wrote:
Hi all.

Just got my first YubiKey and plan to use them along with YubiRADIUS and Cisco ASA.

Is there some way to protect my exposed webmail application from the Internet with YubiKey's OTP? I mean, is it possible to set up some kind of a front-end to it, that only allows valid YubiKey users through to the login window?



Hello Sir,

Can you provide us with some more information about your webmail application?

Are you using OWA, Gmail or another application? Due to the different methods used by various webmail apps to connect to the web, you will need to approach this solution differently. Any additional information you may provide will help!

Thanks!

_________________
-David Maples
Yubico Senior Solutions Engineer
http://www.Yubico.com


PostPosted: Tue Aug 21, 2012 12:02 pm 
Offline

Joined: Fri Aug 17, 2012 11:44 am
Posts: 3
It's OWA on Exchange 2010.


PostPosted: Tue Aug 21, 2012 1:03 pm 
Offline

Joined: Fri Aug 17, 2012 11:44 am
Posts: 3
Would it be possible to set up a PHP app that would authenticate the keys and then forward requests to OWA?


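What such a front end has to do, as an added example that is not part of this thread and not Yubico's own client or server code: it covers the validation protocol Samir describes above (signed request, signed response, nonce/OTP echo check) and the front-end idea in the post just above (validate the OTP, then let the request through to OWA). Everything in it is an assumption for illustration: the API key and the 44-character OTP are constructed demo values, `fake_validation_server` is an offline stand-in that only mimics the signature check and the replay refusal of the real PHP validation server (it does not decrypt the token or check YubiKey counters), and the user table is a dict. The point a real deployment must not skip is in `authenticate`: a valid OTP proves possession of *a* YubiKey, so the gate must also check that the OTP's public ID is the one registered for the account being logged into.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo values (assumptions, not real credentials): a base64 20-byte API
# key shared with the validation server, and an OTP whose first 12 modhex chars are
# the public ID and whose last 32 are the AES-encrypted token.
API_KEY = base64.b64encode(bytes(range(20))).decode()
DEMO_OTP = "cccccclulvbuieijkghvhnjfgtjrjgeurhluucftllnt"
MODHEX = set("cbdefghijklnrtuv")

def parse_otp(otp):
    """Split an OTP into (public_id, token); ValueError if it is not modhex."""
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 48 or any(c not in MODHEX for c in otp):
        raise ValueError("not a YubiKey OTP")
    return otp[:-32], otp[-32:]

def sign_params(api_key_b64, params):
    """Validation protocol v2.0 signature: HMAC-SHA1 with the decoded API key
    over the alphabetically sorted key=value pairs joined by '&', base64 encoded."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    mac = hmac.new(base64.b64decode(api_key_b64), msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def build_request(client_id, api_key_b64, otp):
    """Signed verify request; the random nonce ties the reply to this request."""
    params = {"id": str(client_id), "otp": otp,
              "nonce": secrets.token_hex(16), "timestamp": "1"}
    params["h"] = sign_params(api_key_b64, params)
    return params

def parse_response(body):
    """The response body is key=value lines, e.g. status=OK."""
    fields = {}
    for line in body.strip().splitlines():
        k, _, v = line.partition("=")
        fields[k.strip()] = v.strip()
    return fields

def check_response(api_key_b64, request, fields):
    """Accept only an authentic response that answers this exact request."""
    unsigned = {k: v for k, v in fields.items() if k != "h"}
    if not hmac.compare_digest(fields.get("h", ""), sign_params(api_key_b64, unsigned)):
        return False, "bad response signature"
    if fields.get("otp") != request["otp"] or fields.get("nonce") != request["nonce"]:
        return False, "response does not match request"
    if fields.get("status") != "OK":
        return False, fields.get("status", "MISSING_STATUS")
    return True, "OK"

def fake_validation_server(api_key_b64):
    """Offline stand-in (assumption) for the validation server: verifies the
    request signature, refuses a replayed OTP, echoes otp/nonce and signs its reply."""
    used = set()
    def send(params):
        unsigned = {k: v for k, v in params.items() if k != "h"}
        if not hmac.compare_digest(params.get("h", ""), sign_params(api_key_b64, unsigned)):
            status = "BAD_SIGNATURE"
        elif params["otp"] in used:
            status = "REPLAYED_OTP"
        else:
            used.add(params["otp"])
            status = "OK"
        fields = {"otp": params["otp"], "nonce": params["nonce"], "status": status,
                  "t": "2012-08-21T13:03:00Z0000", "sl": "100"}
        fields["h"] = sign_params(api_key_b64, fields)
        return "".join(f"{k}={v}\n" for k, v in fields.items())
    return send

def authenticate(username, otp, users, client_id, api_key_b64, send):
    """Front-end decision: the OTP must validate AND come from the YubiKey
    registered to this user, otherwise any valid YubiKey opens any mailbox."""
    try:
        public_id, _ = parse_otp(otp)
    except ValueError as err:
        return False, str(err)
    if users.get(username) != public_id:
        return False, "OTP is not from the YubiKey registered to this user"
    request = build_request(client_id, api_key_b64, otp)
    return check_response(api_key_b64, request, parse_response(send(request)))

def demo():
    """Run the gate through the interesting cases and return their verdicts."""
    users = {"jakob": "cccccclulvbu", "eve": "ccccccdddddd"}  # constructed
    send = fake_validation_server(API_KEY)
    other_server = fake_validation_server(base64.b64encode(bytes(20)).decode())
    return {
        "first_use": authenticate("jakob", DEMO_OTP, users, 1, API_KEY, send),
        "replay": authenticate("jakob", DEMO_OTP, users, 1, API_KEY, send),
        "wrong_user": authenticate("eve", DEMO_OTP, users, 1, API_KEY, send),
        "garbage": authenticate("jakob", "not-an-otp", users, 1, API_KEY, send),
        "forged_server": authenticate("jakob", DEMO_OTP, users, 1, API_KEY, other_server),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14} {verdict}")
```

Only after `authenticate` returns `(True, "OK")` would the front end set its own session cookie and proxy the request on to OWA; the OWA login form itself is the second factor (AD password) and is never exposed to an unauthenticated client. The `wrong_user` case is the one to notice: it is refused before any call to the validation server, because the public ID does not belong to that account.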
PostPosted: Fri Oct 19, 2012 1:41 am 
Offline

Joined: Thu Oct 18, 2012 9:31 am
Posts: 2
Use TMG 2010. You won't have access to ActiveSync unless you have two external IPs for two different listeners, though.

