Description:

LANCOM Trusted Access (LTA) is the trusted network access security solution for enterprise networks. It enables secure and scalable network access for employees in the office, at home, or on the road, thus protecting modern hybrid working from anywhere at any time.

The LANCOM Trusted Access solution adapts to increasing security requirements in your organization. It supports not only classic full network access as a cloud-managed VPN client, but also the migration to a zero-trust security architecture with comprehensive network security. In the latter case, users receive granular access rights only to those applications that have been assigned to them (zero-trust principle). Existing systems for administering users and user groups (Active Directory) can be fully integrated into the LANCOM Management Cloud (LMC). For smaller networks, the LMC alternatively offers internal user administration.

This article describes how the LMC is used to configure the LTA client operating external user administration with Microsoft Entra ID (formerly Azure AD).


Requirements:

The DynDNS service integrated in the LMC does not support a “TXT Resource Record” and therefore cannot be used for the TXT resource record required in step 1.5.4. The domain must be managed by a DNS or DynDNS provider that allows TXT records to be created.

Procedure:

1) Initial configuration steps in the LMC:

1.1) Activate the VPN function:

1.1.1) In the LMC, go to the Networks menu and click the network that the LTA client should log in to (in this example INTRANET).

1.1.2) In the Overview, click Edit network.

1.1.3) Modify the following parameters and then click Save:

  • Link devices via secure connection (VPN): Set a checkmark to enable the VPN functionality.
  • Central-site IP addresses or DNS names: Enter the public IP address or public DNS name of the router. This must be specified as soon as the VPN function is activated.


1.2) Activate LTA:

1.2.1) In the Security menu, go to the LANCOM Trusted Access tab and click the Activate LTA slider.

1.2.2) Click Activate.


1.3) Client configuration:

The Client configuration is used to store basic parameters such as the address of the LTA gateway. These settings apply globally and cannot be configured for individual users.

1.3.1) Go to the Client configuration tab and modify the following parameters:

  • Accessible network: From the drop-down menu, select the network edited in step 1.1 that the LTA client should log in to (in this example INTRANET).
  • Gateway IP or domain: Enter the public IP address or DNS name under which the LTA client can reach the router (in this example 81.81.81.81).
  • Trusted Access Client IP network: Enter the network address of a network in CIDR (Classless Inter Domain Routing) notation. The LTA client is assigned an IP address from this network (in this example 10.0.0.0/8). In most cases the Accessible network is used for this, but it is also possible to specify a different network.
  • Tunneled domains for DNS resolution: Enter the domains that should always be resolved via the VPN tunnel (in this example *.intern).

The * wildcard can be used for the tunneled domains for DNS resolution. This represents any number of characters. Multiple entries can be separated by a comma.

1.3.2) Modify the following parameters if required:

  • Allow AVC mode in LTA client: If this option is enabled, the user can switch between the LTA client and the Advanced VPN client. This can be helpful, for example, if there are VPN connections to customers in addition to the LTA access to the company.
  • Enable LTA client self-sustaining continued operation: If this option is enabled, the LTA client can still establish a VPN connection for the specified period of time even if the LMC cannot be reached.

1.3.3) Under Split Tunnel, select the option Only network traffic to configured networks through tunnel (Split Tunnel) and click the “+” icon to specify the target networks.

If the option All network traffic (LANCOM Trusted Internet Access - Full Tunnel) is enabled, or if there is no target network configured for the option Only network traffic to configured networks through tunnel (Split Tunnel), then all data traffic is transmitted via the VPN tunnel. This means that local resources in the user's network cannot be reached while a VPN tunnel is established. It may also result in slower transmission of Internet data traffic, as this is all transmitted via the LTA gateway. In return the data traffic can be checked via Content Filter and Antivirus on the LTA gateway.

1.3.4) Enter the target network in CIDR notation and click Save.
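The following Python script is an added illustration for steps 1.3.1 to 1.3.4 and is not part of this article or of the LTA client. It models the two split-tunnel decisions the Client configuration controls: which DNS queries go through the tunnel (comma-separated domain list, "*" matching any number of characters) and which destination addresses are routed through the tunnel (target networks in CIDR notation; no configured target means full tunnel). The example values are the ones used in this article; the function names and the rule that the list is matched case-insensitively are assumptions of the example.

```python
"""Added illustration (not LANCOM code): split-tunnel decisions derived from
the Client configuration values of section 1.3."""
import ipaddress
import re

# Constructed to mirror the example values of steps 1.3.1 and 1.3.4.
TUNNELED_DOMAINS = "*.intern"          # comma separated, '*' = any characters
SPLIT_TUNNEL_TARGETS = ["10.0.0.0/8"]  # target networks from step 1.3.4


def parse_tunneled_domains(value):
    """Turn the comma-separated domain list into compiled regexes.
    '*' stands for any number of characters (note under step 1.3.1)."""
    patterns = []
    for entry in value.split(","):
        entry = entry.strip().lower().rstrip(".")
        if not entry:
            continue
        # escape everything except the wildcard, then replace '*' by '.*'
        regex = "^" + ".*".join(re.escape(part) for part in entry.split("*")) + "$"
        patterns.append(re.compile(regex))
    return patterns


def dns_via_tunnel(name, patterns):
    """True if a DNS query for `name` is resolved through the VPN tunnel."""
    name = name.lower().rstrip(".")
    return any(p.match(name) for p in patterns)


def traffic_via_tunnel(dst_ip, targets):
    """Split-tunnel decision for one destination address.
    An empty target list means full tunnel: all traffic uses the VPN
    (the behaviour described under step 1.3.3)."""
    if not targets:
        return True
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in targets)


if __name__ == "__main__":
    pats = parse_tunneled_domains(TUNNELED_DOMAINS)
    for q in ["fileserver.intern", "www.example.com", "intern.example.com"]:
        print(f"{q:25} DNS via tunnel:     {dns_via_tunnel(q, pats)}")
    for ip in ["10.0.0.250", "192.168.1.10", "93.184.216.34"]:
        print(f"{ip:25} traffic via tunnel: {traffic_via_tunnel(ip, SPLIT_TUNNEL_TARGETS)}")
    print("no targets configured -> full tunnel:", traffic_via_tunnel("93.184.216.34", []))
```

With 10.0.0.0/8 as the only target, traffic to 192.168.1.10 stays local, which is exactly what a full-tunnel configuration would prevent; the empty-list case shows why a forgotten target network silently turns split tunnel into full tunnel.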


1.4) Endpoint Security (optional):

Endpoint Security can optionally be activated. The LTA client then checks whether the specified parameters are met and only then will the VPN connection be established. These settings apply globally and cannot be configured for individual users.

1.4.1) Go to the Endpoint Security tab, adjust the following parameters and click Save:

  • Enable endpoint verification: Enable the option with the slider.
  • Allowed OS: If required, select the permitted operating systems as well as the minimum and maximum build versions (in this example, Windows 10 or Windows 11 is assumed).
  • Anti-Virus: If necessary, enable the anti-virus function check on the user's computer (in this example the option used is enabled and up-to-date).
  • Firewall: If necessary, enable the firewall function check on the user's computer (in this example the option used is enabled, which checks whether a firewall is active).
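The following Python snippet is an added illustration of the posture decision described in section 1.4; it is not LANCOM code and does not reproduce the LTA client's actual checks. The policy mirrors the example values of step 1.4.1 (permitted operating systems with build bounds, anti-virus enabled and up to date, active firewall); the field names of the policy and of the client report, and the sample build numbers, are constructed for this example.

```python
"""Added illustration (not LANCOM code): evaluating an endpoint report
against an Endpoint Security policy as configured in step 1.4.1."""

# Constructed policy; field names and build numbers are assumptions.
POLICY = {
    "allowed_os": {
        # OS name -> (minimum build, maximum build); None = no bound
        "Windows 10": ("10.0.19045", None),
        "Windows 11": ("10.0.22621", None),
    },
    "antivirus": "enabled_and_up_to_date",  # or "enabled" or None (not checked)
    "firewall": "enabled",                  # or None (not checked)
}


def build_tuple(version):
    """'10.0.22631' -> (10, 0, 22631) so that builds compare numerically."""
    return tuple(int(p) for p in version.split("."))


def check_endpoint(report, policy):
    """Return (allowed, reasons). The VPN connection is only established
    when every enabled check passes, so `reasons` lists every failed check."""
    reasons = []

    os_name = report.get("os")
    bounds = policy["allowed_os"].get(os_name)
    if bounds is None:
        reasons.append(f"OS {os_name!r} is not permitted")
    else:
        lo, hi = bounds
        build = build_tuple(report.get("build", "0"))
        if lo and build < build_tuple(lo):
            reasons.append(f"build {report['build']} is below minimum {lo}")
        if hi and build > build_tuple(hi):
            reasons.append(f"build {report['build']} is above maximum {hi}")

    av_req = policy.get("antivirus")
    if av_req:
        if not report.get("av_enabled"):
            reasons.append("antivirus is not enabled")
        elif av_req == "enabled_and_up_to_date" and not report.get("av_up_to_date"):
            reasons.append("antivirus signatures are out of date")

    if policy.get("firewall") and not report.get("firewall_enabled"):
        reasons.append("no active firewall")

    return (not reasons, reasons)


if __name__ == "__main__":
    sample = {"os": "Windows 10", "build": "10.0.18363",
              "av_enabled": True, "av_up_to_date": False, "firewall_enabled": False}
    ok, why = check_endpoint(sample, POLICY)
    print("connection allowed:", ok)
    for r in why:
        print(" -", r)
```

Returning every failed check rather than stopping at the first one matters operationally: a user who is told only "build too old" will call again after updating because the firewall is still off.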


1.5) User administration:

The User administration is where you enter your own domain. Users can be connected to an Active Directory, if available, or they can be configured in the LMC.

1.5.1) Go to the User administration tab and enable the option IdP-managed.

1.5.2) Modify the following parameters:

  • Name: Enter a descriptive name under which the identity provider is displayed in the LMC.
  • Domains: Use the Domains field to enter the domain you are using (in this example mydomain.com).

The configuration cannot be saved at this point as the IdP metadata URL still has to be entered. This is read out from Entra ID in step 2.2.8 and stored in the LMC in step 3.1.1.

1.5.3) Click Finalize Setup.

1.5.4) Copy the following parameters and save them in a text file.

  • TXT resource record: Enter this as the TXT resource record in the account of your DynDNS provider for the domain.
  • LMC Entity URL: Enter this into Entra ID as the Identifier (Entity ID) in step 2.2.4.
  • Reply URL: Enter this into Entra ID as the Reply URL (Assertion Consumer Service URL) in step 2.2.4.



2) Configuration in Microsoft Entra ID:

2.1) Create your own application:

2.1.1) Open the configuration menu in Entra ID and go to the Enterprise applications menu.

2.1.2) Under Manage, select the option All applications and click New application.

2.1.3) Click Create your own application.

2.1.4) Modify the following parameters and then click Create:

  • What's the name of your app?: Enter a descriptive name for the app (in this example LTA-App).
  • What are you looking to do with your application?: Select the option Integrate any other application you don't find in the gallery (Non-gallery).


2.2) Set up single sign-on:

2.2.1) In the app you just created, click 2. Set up single sign on.

2.2.2) Select the option SAML.

2.2.3) In the field Basic SAML Configuration, click Edit.

2.2.4) Enter the parameters copied in step 1.5.4 and click Save.

  • Identifier (Entity ID): Enter the LMC Entity URL.
  • Reply URL (Assertion Consumer Service URL): Enter the Reply URL.

2.2.5) In the field Attributes & Claims, click Edit.

2.2.6) Click Add a group claim.

2.2.7) Select the option All groups and click Save.

2.2.8) In the SAML Certificates field, copy the App Federation Metadata Url and save it in a text file. This is stored in the LMC as the IdP Metadata URL in step 3.1.1.


2.3) Application registration:

2.3.1) Go to the menu App registrations.

2.3.2) On the All applications tab, click the app created in step 2.1.4.

2.3.3) Click Add a certificate or secret.

2.3.4) Click New client secret.

2.3.5) Modify the following parameters and then click Add:

  • Description: Enter a descriptive name for the application password (in this example LTA-Secret).
  • Expires: Select a suitably long validity period (in this example 24 months).

After the validity expires, there is no further synchronization of Active Directory users with the LMC. Then a new secret must be created and stored in the LMC.

2.3.6) Copy the application password from the Value field and save it in a text file.

The application password must be copied in this step. It is masked afterwards and can no longer be read out. If it was not copied, the secret must be deleted and a new one created.


2.4) Copy application ID and directory ID:

In the app, go to the Overview. Copy the following two parameters and save them in a text file:

  • Application (client) ID: This is entered as the Application-ID (Client-ID) in step 3.1.2.
  • Directory (tenant) ID: This is entered as the Directory-ID (Tenant-ID) in step 3.1.2.


2.5) API permissions:

2.5.1) Go to the menu API permissions and click Add a permission.

2.5.2) On the Microsoft APIs tab, select the option Microsoft Graph.

2.5.3) Select the option Application permissions.

2.5.4) Select the permission Group.Read.All and then click Add permissions.

You can find the permission directly by entering the string Group.Read. into the search box.

2.5.5) Click Grant admin consent for <Active-Directory>.

2.5.6) Confirm the prompt by clicking Yes.



3) Further configuration steps in the LMC:

3.1) Configuration of user administration:

3.1.1) Go back to the LTA user administration in the LMC and fill out the field IdP Metadata URL with the App Federation Metadata Url copied in step 2.2.8.

3.1.2) Enter the following parameters under IdP credential to sync with AD:

  • Application-ID (Client-ID): Enter the Application (client) ID copied in step 2.4.
  • Client Secret: Enter the application password copied in step 2.3.6.
  • Directory-ID (Tenant-ID): Enter the Directory (tenant) ID copied in step 2.4.

3.1.3) After synchronizing with Microsoft Entra ID, select the primary group that should be used to enable LTA and activate the authorization profile for this group. Then click Save.

An LTA license is required for every user in this group.


3.2) Connection targets:

The Connection targets menu is used to create resources that can be assigned to the users (see step 3.3).

3.2.1) Go to the Connection targets tab and click Add connection target.

3.2.2) Modify the following parameters and then click Save:

  • Name: Enter a descriptive name for the connection target (in this example Web-Server).
  • Hostname / IPv4 address / CIDR notation: Enter a DNS name or the IP address of the connection target (in this example 10.0.0.250). Alternatively, you can provide access to an entire network by entering the network address in CIDR notation (e.g. 10.0.0.0/8).
  • Protocol: Select the communications protocol (in this example TCP).
    • The following protocols are available:
      • TCP
      • UDP
      • ICMP
      • AH
      • ESP
      • GRE
      • TCP+UDP
      • All protocols
  • Port: Enter the ports for the communications (in this example 80 and 443). Multiple ports can be separated by a comma (e.g. 80,443). Port ranges can be entered with a hyphen (e.g. 5060-5061).


3.3) Authorization profiles:

The Authorization profiles are used to link users to the connection targets. Different users can be assigned to individual connection targets. The LMC uses these settings as a basis to automatically create firewall rules that allow communication to the connection targets.

3.3.1) Go to the Authorization profiles tab and click Add authorization profile.

3.3.2) Enable the authorization profile using the slider and adjust the following parameters:

  • Profile name: Enter a descriptive name for the profile (in this example Admin).
  • Users / Groups: From the drop-down menu, select a Group from the Active Directory (in this example Admin). You can optionally select multiple users and assign them the same permissions.

3.3.3) Under Status enable the necessary connection targets for the user (see step 3.2.2) and click Create.
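The following Python script is an added illustration for sections 3.2 and 3.3 and is not LANCOM code; it does not reproduce the firewall rules the LMC actually generates. It parses connection targets as entered in step 3.2.2 (IPv4 address or CIDR network, protocol, comma-separated ports and port ranges), links them to groups through authorization profiles as in step 3.3, and answers whether a user in a given group may reach a destination. The data structures, the function names and the VoIP and Ping targets are constructed for this example; DNS hostnames as targets are left out because resolving them is outside the scope of the example.

```python
"""Added illustration (not LANCOM code): connection targets (3.2) and
authorization profiles (3.3) combined into a per-user allow decision."""
import ipaddress


def parse_ports(spec):
    """'80,443' and '5060-5061' (step 3.2.2) -> set of port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad port range {part!r}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    if any(p < 1 or p > 65535 for p in ports):
        raise ValueError("port outside 1-65535")
    return ports


def parse_target(name, host_or_cidr, protocol, ports=""):
    """Build one connection target; a bare IPv4 address becomes a /32.
    (A DNS hostname would raise ValueError here; not handled in this example.)"""
    net = ipaddress.ip_network(host_or_cidr, strict=False)
    protocols = {"TCP", "UDP"} if protocol == "TCP+UDP" else {protocol}
    return {"name": name, "net": net, "protocols": protocols,
            "ports": parse_ports(ports) if ports else None}


# Constructed from the article's example values plus two invented targets.
TARGETS = {
    "Web-Server": parse_target("Web-Server", "10.0.0.250", "TCP", "80,443"),
    "VoIP": parse_target("VoIP", "10.0.5.0/24", "UDP", "5060-5061"),
    "Ping": parse_target("Ping", "10.0.0.0/8", "ICMP"),
}
# Authorization profile: group -> connection targets enabled in step 3.3.3
PROFILES = {"Admin": ["Web-Server", "VoIP", "Ping"], "Staff": ["Web-Server"]}


def allowed(groups, dst_ip, protocol, port=None):
    """True if any profile of the user's groups enables a target that
    covers the destination address, protocol and (where relevant) port."""
    addr = ipaddress.ip_address(dst_ip)
    for group in groups:
        for target_name in PROFILES.get(group, []):
            t = TARGETS[target_name]
            if addr not in t["net"]:
                continue
            if "All protocols" not in t["protocols"] and protocol not in t["protocols"]:
                continue
            if t["ports"] is not None and port not in t["ports"]:
                continue
            return True
    return False  # default deny: nothing matched


if __name__ == "__main__":
    for groups, ip, proto, port in [(["Admin"], "10.0.0.250", "TCP", 443),
                                    (["Staff"], "10.0.0.250", "TCP", 22),
                                    (["Staff"], "10.0.5.7", "UDP", 5060)]:
        print(groups, ip, proto, port, "->", allowed(groups, ip, proto, port))
```

The default-deny at the end is the point of the zero-trust model described at the top of this article: a user sees only the targets that some profile of their groups enables, and a target with no port list (ICMP here) still needs a matching network and protocol.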



4) Configuration steps in the LTA client:

4.1) In the LTA client, click Settings and select the option LMC Domain.

4.2) Change the following parameters:

  • URL: Enter the URL lancom.de.
  • Domain: Enter the e-mail domain that you stored in the LMC in step 1.5.2 (in this example mydomain.com).