ESET Secure Authentication Cloud (Early Access) Owner's manual

ESET Secure Authentication Cloud
Early Access
User guide
Copyright ©2023 by ESET, spol. s r.o.
ESET Secure Authentication Cloud Early Access was developed by ESET, spol. s r.o.
For more information visit https://www.eset.com.
All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted
in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without
permission in writing from the author.
ESET, spol. s r.o. reserves the right to change any of the described application software without prior notice.
Technical Support: https://support.eset.com
REV. 9/5/2023
1 Overview
2 Changelogs
3 Quick-start guide
4 Requirements
4.1 Supported Operating Systems
4.2 Supported Web Browsers and Resolution
4.3 Supported Web Applications
4.4 Supported Mobile Phone Operating Systems
4.5 Installation Requirements
4.5 ESA components and OS compatibility
4.6 Firewall exceptions
4.7 Handling cloned computers
4.8 IP addresses used by ESET Secure Authentication Cloud Early Access
5 Installation
5.1 Invitations
5.2 Live installer
5.3 Install the Windows Login plugin
5.4 Install the Remote Desktop plugin
5.5 Install the Web App plugin
5.6 Change, repair, remove installation
5.7 Remote Installation via ESMC
5.8 MSI arguments
5.9 Upgrade installation
6 Getting started with ESET Secure Authentication Cloud Early Access Web Console
6.1 Multitenancy
6.2 User Management - Provisioning
6.2 User Status
6.2 Import users from file
6.2 Self-enrollment
6.3 Notifications
7 Authentication options
7.1 Mobile Application
7.2 Push Authentication
7.3 Hard Tokens
7.4 FIDO
7.5 Master recovery key
7.6 Delivery options
8 Credential providers supported by ESA
9 Windows Login Protection
10 Remote Desktop Protection
10.1 Allowing Non-2FA Users
10.2 Usage
10.3 Remote Desktop Web Access
10.4 Remote Desktop Gateway and ESA RADIUS
11 Web Application Protection
11.1 Configuration
11.2 Usage
12 Identity Provider Connector
12.1 Configure Identity Provider Connector in ESA Web Console
12.2 IdP Connector Configuration Examples
13 RADIUS server and VPN Protection
13.1 RADIUS Configuration
13.2 RADIUS Usage
13.3 VPN Authentication Options
13.3 SMS-based OTPs
13.3 Mobile Application
13.3 Hard Tokens
13.3 Migration from SMS-Based OTPs to Mobile Application
13.3 Non-2FA Pass-through
13.4 ESA Authentication Methods and PPP Compatibility
13.5 Verifying ESA RADIUS functionality
13.5 Make sure your ESA RADIUS Service is running
13.5 Configure your RADIUS Server
13.5 Verify functionality (localhost)
13.5 Verify network connectivity from another machine (optional)
13.5 I received an Access-Reject
13.5 I received a connection error
13.5 I experienced timeouts
14 RADIUS PAM modules on Linux/Mac
14.1 Create ESA RADIUS clients via API
14.2 PAM configuration
14.3 Other RADIUS configurations
15 IP address whitelisting
16 AD FS
16.1 AD FS Policies
17 Custom integration via API and SDK
17.1 API
17.1 Integration Overview
17.1 Configuration
17.2 SDK
17.2 Integration Overview
17.2 SDK License Activation
17.2 SDK in practice
17.2 Using the SDK
17.2 SDK System Integration
17.2 Database requirements
17.2 Reading and Writing 2FA Data
17.2 Update Login UI With 2FA Methods
17.2 Update the Management UI to Enable/Disable 2FA For Users
17.2 Additional Components
17.3 Summary of differences
18 Auditing and Licensing
18.1 Reports
18.2 Auditing
18.3 License Overview
18.4 License States
18.5 License Enforcement
19 Troubleshooting
19.1 Windows Login protection does not work
20 Known issues
21 Glossary
22 Terms of Use
22.1 ESA Cloud Components EULA
22.2 Data Processing Agreement
22.3 Standard Contractual Clauses
23 Privacy Policy
Overview
ESET Secure Authentication Cloud Early Access (ESAC EA) adds Two-Factor Authentication (2FA) to Microsoft
Active Directory domains or local area networks. In addition to the generally required username and password,
the user must supply a one-time password (OTP), approve a push notification on their cell phone running
Android OS, iOS, or Windows after successfully authenticating with their general access credentials, or
complete another supported authentication option.
Push notifications require Android 4.1 and later, along with Google Play services 10.2.6 and later, or iOS.
ESAC EA introduces multitenancy.
ESA Components
The ESAC EA product consists of the following components (usually referred to as ESA Components):
ESAC EA Web Console, an all-in-one management tool, is used to configure ESET Secure Authentication
Cloud Early Access, manage users and download installers
The Windows Login plug-in provides 2FA for Windows computers
The Remote Desktop plug-in provides 2FA for the Remote Desktop Protocol
The RADIUS Server for VPN Protection adds 2FA to VPN authentication
The Web Application plug-ins provide 2FA to various Microsoft Web Applications
The AD FS plug-in provides 2FA for Active Directory Federation Services
The Identity Provider Connector
The ESAC EA Authentication Server includes a REST-based API that can be used to add 2FA to custom
applications
Changelogs
ESET Secure Authentication Cloud Early Access
New:
Authentication Server along with the Web Console is available in the cloud (no manual deployment needed)
Live installer
Multitenancy
Quick-start guide
Verify system requirements and installation prerequisites
Complete or verify each installation prerequisite before proceeding to step 2.
Verify outbound connectivity of the computers/services to be protected to esa.eset.com and esac.eset.com
on TCP port 443
Verify your servers and clients to protect by 2FA are running the following supported software:
Operating systems
Web browsers
Mobile phone operating systems
Register with ESET Business Account and import an eligible ESA license
Register at eba.eset.com and import an eligible ESET Secure Authentication (ESA) license
Enable self-enrollment or import users manually
To automatically enroll users, enable self-enrollment and configure the default authentication options.
Alternatively, import users manually.
Install ESA components
Create an invitation and install all applicable ESET Secure Authentication (ESA) components on the appropriate
devices.
Windows Login Protection
Remote Desktop Protection
VPN Protection
Web Application Protection
Identity Provider Connector (SAML)
AD FS
Complete user provisioning
If self-enrollment is not enabled, complete user provisioning manually.
Requirements
To get started with ESET Secure Authentication Cloud Early Access:
1. Register with ESET Business Account at eba.eset.com and log in.
2. Add a valid ESET Secure Authentication license.
3. Open esac.eset.com in a new browser tab.
To protect computers in an offline environment with 2FA, use the on-premise version of ESET Secure
Authentication and activate it with an offline license.
ESA components can communicate with the Authentication Server via both IPv4 and IPv6.
Required ESA Component version
ESA Components version 3.0.61 or later must be used with ESET Secure Authentication Cloud Early Access.
Limited support for end-of-life third-party products
ESET Secure Authentication Cloud Early Access provides limited support for compatible third-party
products that reached the end of their support lifecycle.
Supported Operating Systems
Below is a list of supported operating systems (OS) in general. For component-specific OS support, refer to
installation requirements.
Server operating systems (server OS)
Windows Server 2008*
Windows Server 2008 R2 SP1*
Windows Server 2012
Windows Server 2012 R2
Windows Small Business Server 2008
Windows Small Business Server 2011
Windows Server 2012 Essentials
Windows Server 2012 R2 Essentials
Windows Server 2016
Windows Server 2016 Essentials
Windows Server 2019
Windows Server 2019 Essentials
Windows Server 2022
Client operating systems (client OS)
Windows 7
Windows 8
Windows 8.1
Windows 10 (including 22H2 Update)
Windows 11 (including 22H2 Update)
Supported Web Browsers and Resolution
The ESET Secure Authentication Cloud Early Access Web Console has optimal functionality in the following
browsers:
Microsoft Internet Explorer 11
Google Chrome latest
Mozilla Firefox latest
Microsoft Edge latest
Safari latest
Functional details
The execution of JavaScript needs to be enabled in your web browser.
The minimum resolution required is 1024x768.
Supported Web Applications
ESET Secure Authentication Cloud Early Access provides 2FA for the following Microsoft products:
Microsoft Exchange 2007
Outlook Web Access - Exchange Client Access Server (CAS)
Microsoft Exchange 2010
Outlook Web Access - Exchange Client Access Server (CAS)
Exchange Control Panel
Microsoft Exchange 2013
Outlook Web App - Exchange Mailbox Server Role (MBX)
Exchange Admin Center
Microsoft Exchange 2016
Outlook Web App - Exchange Mailbox Server Role (MBX)
Exchange Admin Center
Microsoft Exchange 2019
Outlook Web App - Exchange Mailbox Server Role (MBX)
Exchange Admin Center
Where is 2FA applicable
ESAC EA adds 2FA protection only to the web-based interface of Outlook Web Access. Logins from Microsoft
Outlook and similar email clients cannot be protected by ESAC EA because of the protocol they use, also known
as RPC over HTTPS. We recommend not exposing such email clients to external access. See how to control access
to Exchange Web Services.
Microsoft Dynamics CRM 2011
Microsoft Dynamics CRM 2013
Microsoft Dynamics CRM 2015
Microsoft Dynamics CRM 2016
Microsoft SharePoint 2010
Microsoft SharePoint 2013
Microsoft SharePoint 2016
Microsoft SharePoint 2019
Microsoft SharePoint Foundation 2010
Microsoft SharePoint Foundation 2013
Microsoft Remote Desktop Web Access
Microsoft Terminal Services Web Access
Microsoft Remote Web Access
Supported Mobile Phone Operating Systems
The ESET Secure Authentication Cloud Early Access mobile app is compatible with the following mobile phone
operating systems:
iOS 12 to iOS 16
Android™ 4.4 to Android 13 - Google Play Services 10.2.6 are required for push notifications.
The permission to access the camera and flashlight is required to scan the QR code
Installation Requirements
Quick links: Installation access rights, Prerequisites of each component, .NET requirements
Installation requires outbound connectivity to esac.eset.com on TCP port 443.
Another requirement for running the installer is to have .NET Framework Version 4.5 (Full Install). The installer
will automatically attempt to install .NET 4.5 if it is not already installed.
Windows Firewall exceptions essential for the proper function of ESET Secure Authentication Cloud Early Access
will be added automatically as part of the installation. If you are using a different firewall solution, see Firewall
exceptions for information about essential exceptions that you will need to create.
Installation access rights
Active Directory environment:
Domain administration rights: The installer must be run by a member of the "Domain Administrators"
security group or by a user with administrator privileges.
Standalone deployment:
Local administrator rights
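The following PowerShell script is an added pre-flight check, not part of the ESET manual, that tests the prerequisites listed in this section before the installer is run: outbound TCP 443 reachability of esa.eset.com and esac.eset.com, the presence of the .NET Framework 4.5 full install, and administrator rights. The host names, port and .NET version are taken from this manual; the registry key and the Release value 378389 are Microsoft's documented detection method for .NET Framework 4.5, and Test-NetConnection is assumed to be available (Windows 8.1 / Windows Server 2012 R2 or later).

```powershell
# Added example (not from the ESET manual): pre-flight check of the installation
# prerequisites, run on the machine that will receive an ESA component.
# Host names and port come from the manual; 378389 is the documented
# .NET Framework 4.5 Release value (later 4.x releases register higher values).

$Endpoints = @('esa.eset.com', 'esac.eset.com')
$Port      = 443

function Test-EsaConnectivity {
    param([string[]]$Hosts = $Endpoints, [int]$TcpPort = $Port)
    foreach ($h in $Hosts) {
        # -InformationLevel Quiet returns $true only when the TCP handshake succeeds
        $ok = Test-NetConnection -ComputerName $h -Port $TcpPort -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP $TcpPort to $h"; Passed = [bool]$ok }
    }
}

function Test-DotNet45Full {
    # The Full install of .NET 4.x registers a Release DWORD under this key
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    [pscustomobject]@{ Check = '.NET Framework 4.5 (Full)'; Passed = ($null -ne $release -and $release -ge 378389) }
}

function Test-InstallerRights {
    # The installer must run with administrator privileges (domain admin in AD, local admin standalone)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{ Check = 'Running as administrator'; Passed = $isAdmin }
}

$results = @(Test-EsaConnectivity) + @(Test-DotNet45Full) + @(Test-InstallerRights)
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'At least one prerequisite is not met; fix it before running the ESA installer.'
}
```

Run the script in an elevated PowerShell session on each machine to be protected; a failed connectivity check usually points at an egress firewall or proxy (see the proxy option of the live installer), while a failed .NET check is resolved by the installer itself, which installs .NET 4.5 when it is missing.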
Table of compatibility of ESA Components and Supported Operating Systems
Prerequisites for each component installation
Identity Provider Connector
Windows 7 or later client OS in the list of Supported Operating Systems, Windows Server 2008 R2 or later
server OS in the list of Supported Operating Systems
IIS 7 or later with ASP.NET Framework version 4.7.2
RADIUS Server
Windows 7 or later client OS in the list of Supported Operating Systems, Windows Server 2008 or later server
OS in the list of Supported Operating Systems
Web App Plug-in for Microsoft Exchange Server
Microsoft Exchange Server 2007 or later (64-bit only), with the Client Access role (Outlook Web App /
Outlook Web Access) installed
.NET Framework version 3.5
Internet Information Services 7 (IIS7) or later
Web App Plug-in for Microsoft SharePoint Server
Microsoft SharePoint Server 2010, 2013, 2016, 2019 (64-bit only)
Microsoft SharePoint Server 2010, 2013 Foundation (64-bit only)
.NET Framework version 4.5
Web App Plug-in for Microsoft Dynamics CRM
Microsoft Dynamics CRM 2011, 2013, 2015 or 2016
.NET Framework version 4.5
Web App Plug-in for Microsoft Terminal Services Web Access
The Terminal Services role with the Terminal Services role service installed on Windows Server 2008 R2
.NET Framework version 4.5
Web App Plug-in for Microsoft Remote Desktop Services Web Access
The Remote Desktop Services role with the Remote Desktop Web Access role service installed on Windows
Server 2008 R2 and later server OS in the list of Supported Operating Systems
.NET Framework version 4.5
Web App Plug-in for Microsoft Remote Web Access
The Remote Web Access role service installed on Windows SBS 2008 where it is called Remote Web Access,
Windows SBS 2011, Windows Server 2012 Essentials, Windows Server 2012 Essentials R2 and Windows Server
2016 Essentials
.NET Framework version 4.5
Remote Desktop Protection
Windows Server 2008 R2 or later server OS in the list of Supported Operating Systems
Microsoft Windows 7 or later client OS in the list of Supported Operating Systems
Only 64-bit operating systems are supported
Windows login protection
Windows Server 2008 R2 or later server OS in the list of Supported Operating Systems
Windows 7 or later client OS in the list of Supported Operating Systems
AD FS protection
Windows Server 2012 R2 or later server OS in the list of Supported Operating Systems
.NET Requirements
All components: .NET 4.5 Full Install
RADIUS Server: .NET 4.5 Full Install
Web App Plugin: .NET 4.5, however, IIS Filters require .NET version 3.5
FIDO: .NET Framework version 4.7.2
Identity Provider Connector: .NET Framework version 4.6.2
ESA components and OS compatibility
The following table displays the supported Windows operating systems for each ESET Secure Authentication
Cloud Early Access component.
See installation requirements for further details.
Server operating systems
Columns, left to right: Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 | Windows SBS 2008 | Windows SBS 2011 | Windows Server 2012 Essentials | Windows Server 2012 R2 Essentials | Windows Server 2016 | Windows Server 2016 Essentials | Windows Server 2019 | Windows Server 2019 Essentials | Windows Server 2022
RADIUS Server: ✔✔✔✔✔✔✔✔✔✔✔✔✔ (one mark per column; all listed server OS)
Web App Plug-in for MS Exchange Server: ✔* ✔✔✔✔✔✔✔✔✔✔✔✔ (one mark per column; all listed server OS)
Web App Plug-in for MS SharePoint Server: ✔✔ ✔✔✔✔✔✔✔✔
Web App Plug-in for MS Dynamics CRM: ✔✔ ✔✔✔✔✔✔✔✔
Web App Plug-in for MS Remote Desktop Services Web Access: ✔** ✔✔✔ ✔✔✔✔✔✔✔✔
Web App Plug-in for MS Remote Web Access: ✔✔✔✔
Remote Desktop Protection: ✔✔✔ ✔✔✔✔✔✔✔✔
Windows login protection: ✔✔✔ ✔✔✔✔✔✔✔✔
AD FS: ✔✔✔✔✔✔✔
Identity Provider Connector: ✔✔✔ ✔✔✔✔✔✔✔✔
Rows with fewer marks than columns are supported only on a subset of the listed server OS; the exact prerequisites of each component are given under Installation Requirements.
* 64-bit version of the operating system is required
** MS Terminal Services on Windows Server 2008
Client operating systems
Columns, left to right: Windows 7 | Windows 8 | Windows 8.1 | Windows 10 | Windows 11
RADIUS Server: ✔ ✔ ✔ ✔ ✔
Web App Plug-in for MS Exchange Server*: (none)
Web App Plug-in for MS SharePoint Server*: (none)
Web App Plug-in for MS Dynamics CRM: (none)
Web App Plug-in for MS Terminal Services Web Access: (none)
Web App Plug-in for MS Remote Desktop Services Web Access: (none)
Web App Plug-in for MS Remote Web Access: (none)
Remote Desktop Protection*: ✔ ✔ ✔ ✔ ✔
Windows login protection: ✔ ✔ ✔ ✔ ✔
AD FS: (none)
Identity Provider Connector: ✔ ✔ ✔ ✔ ✔
* 64-bit version of the operating system is required
Firewall exceptions
Ensure the computers where ESA Components are installed can reach https://esac.eset.com (port 443). To use
RADIUS Service, add the exceptions below to your firewall.
Exception Name: ESET Secure Authentication Cloud Early Access RADIUS Service
Scope: Any
Protocol: UDP
Local Port: 1812
Remote Ports: All
Exception Name: ESET Secure Authentication Cloud Early Access RADIUS Service (Alternative
Port)
Scope: Any
Protocol: UDP
Local Port: 1645
Remote Ports: All
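As an added example (not part of the ESET manual), the following PowerShell script creates the two inbound Windows Firewall exceptions described above on a machine that runs the ESA RADIUS Service, and then lists them so the result can be audited. The rule names, protocol and ports are taken from this section; the $RadiusClients parameter is an assumption: the manual specifies scope "Any", and narrowing the remote addresses to your RADIUS clients (for example the VPN appliance) is a tightening beyond the documented default.

```powershell
# Added example (not from the ESET manual): creates the inbound firewall exceptions
# for the ESA RADIUS Service (UDP 1812 and UDP 1645) and verifies them.
# $RadiusClients defaults to 'Any' as in the manual; the sample addresses in the
# comment are constructed placeholders, not values from the manual.
param(
    [string[]]$RadiusClients = @('Any')   # e.g. @('192.0.2.10', '192.0.2.11') to limit to known RADIUS clients
)

$Rules = @(
    @{ Name = 'ESET Secure Authentication Cloud Early Access RADIUS Service';                    Port = 1812 },
    @{ Name = 'ESET Secure Authentication Cloud Early Access RADIUS Service (Alternative Port)'; Port = 1645 }
)

foreach ($r in $Rules) {
    # Skip rules that already exist so the script can be re-run safely
    $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Rule already present: $($r.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Inbound -Action Allow -Profile Any `
        -Protocol UDP -LocalPort $r.Port -RemotePort Any `
        -RemoteAddress $RadiusClients | Out-Null
    Write-Host "Created rule: $($r.Name) (UDP $($r.Port))"
}

# Verify: show each rule together with its port filter
Get-NetFirewallRule -DisplayName 'ESET Secure Authentication Cloud Early Access RADIUS Service*' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort }
    } | Format-Table -AutoSize
```

Run the script from an elevated prompt on the RADIUS host only; machines that run just the Windows Login or Remote Desktop plug-in need no inbound exception, since they only make outbound HTTPS connections to esac.eset.com.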
Handling cloned computers
Suppose you want to have cloned computers in your network where ESET Secure Authentication Cloud Early
Access (ESAC EA) will be used. In that case, the attributes below must be unique for each computer to be
protected by ESAC EA.
For correct registration of ESA components (Windows Login plugin, Remote Desktop plugin):
Computer name
For correct registration of realms for local users:
Computer name
Computer SID
Use Microsoft's SysPrep tool to ensure unique attributes are applied to cloned computers.
1. In the SysPrep, use the Generalize option to create a generalized Windows image to be cloned later. Each
image is configured during its first boot.
2. If the cloned computers are used in a domain:
a. On the cloned machine, run the SysPrep tool.
b. Reboot the computer.
c. Connect the computer to the domain.
3. Install ESA (Windows Login plugin, Remote Desktop plugin) to each cloned computer either manually or
through ESET PROTECT.
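Before installing ESA components on a batch of cloned computers, it is worth verifying that the generalization step actually produced unique attributes. The following PowerShell script is an added example, not part of the ESET manual: it collects the computer name and machine SID from each host over WinRM and reports duplicates. The host names in $Computers are constructed placeholders, and remote PowerShell access to those hosts is assumed. The machine SID is derived from a local account SID, which has the form <machine SID>-<RID>.

```powershell
# Added example (not from the ESET manual): checks that cloned computers have unique
# computer names and machine SIDs before ESA components are installed on them.
# $Computers holds constructed placeholder names; WinRM access to them is assumed.

$Computers = @('CLONE01', 'CLONE02', 'CLONE03')

# Runs on each remote host: derive the machine SID by stripping the RID (last
# hyphen-separated component) from any local account SID.
$GetIdentity = {
    $local = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' | Select-Object -First 1
    $machineSid = $local.SID -replace '-\d+$', ''
    [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; MachineSid = $machineSid }
}

$identities = Invoke-Command -ComputerName $Computers -ScriptBlock $GetIdentity -ErrorAction Continue |
    Select-Object ComputerName, MachineSid, PSComputerName

function Find-Duplicates([object[]]$Items, [string]$Property) {
    # Groups the collected records on one attribute and returns values that occur more than once
    $Items | Group-Object -Property $Property | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name }
}

$dupNames = @(Find-Duplicates $identities 'ComputerName')
$dupSids  = @(Find-Duplicates $identities 'MachineSid')

$identities | Format-Table -AutoSize
if ($dupNames.Count -eq 0 -and $dupSids.Count -eq 0) {
    Write-Host 'All computer names and machine SIDs are unique; the hosts are ready for ESA component installation.'
} else {
    if ($dupNames) { Write-Warning "Duplicate computer names: $($dupNames -join ', ')" }
    if ($dupSids)  { Write-Warning "Duplicate machine SIDs (image was not generalized with SysPrep): $($dupSids -join ', ')" }
}
```

A duplicate machine SID means the image was cloned without the SysPrep Generalize step; re-run SysPrep on the affected hosts (step 2 above) before registering ESA components, otherwise realms for local users on those computers will collide.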
IP addresses used by ESET Secure Authentication Cloud
Early Access
ESET Secure Authentication Cloud Early Access connects automatically to the IP addresses listed below.
93.184.220.29 - Certificate revocation check based on publicly available Certificate Revocation Lists
23.42.27.27 - Certificate revocation check regarding EXE/DLL signatures
Installation
ESET Secure Authentication Cloud Early Access provides two installer types:
Live installer—a pre-configured installer containing invitation details and specific ESA components to
install. The user launches the installer, and the installation completes without their interaction if the
installation requirements are met.
Installer—Generic .EXE installer (also known as bootstrapper). During installation the user can select the
components to install and define the invitation details.
Generic .EXE installer - deployment type and components
When using the generic .EXE installer, select Standalone deployment type.
Do not select the Authentication Server or Reporting Engine (Elasticsearch) components.
To configure a live installer:
1. Create an invitation.
2. Navigate to Settings > Installers.
3. Select an invitation.
4. Select the desired ESA components to install.
5. Click Live Installer.
Invitations
An invitation is like a business card. It contains the connection details of the Authentication Server (your instance
of ESET Secure Authentication Cloud Early Access account) so that ESA components can connect to it. It also
contains a unique code identifying the invitation. Each invitation is limited by time and usage count.
Generate an invitation
1. In the ESAC EA Web Console, click Components > Invitations.
2. If prompted, select a company.
3. Click Create invitation.
4. Enter an invitation name, expiration time and usage count. Click Create.
5. The invitation details display. To save the details to a text file or to copy elsewhere, click Copy data to
clipboard.
6. Click Close, and the list of invitations will display. Alternatively, click Create installer to proceed with the
creation of a live installer.
Click the name of an invitation to open the invitation details again.
Expiration of invitations
The maximum available expiration time for an invitation is four weeks.
Live installer
The live installer is a pre-configured installer containing invitation details and specific ESA components to install.
The user launches the installer, and the installation completes without their interaction if the installation
requirements are met.
To create a live installer:
1. Log in to ESET Secure Authentication Cloud Early Access Web Console.
2. Navigate to Settings > Installers.
3. Select an invitation and the desired ESA components.
If the machine to protect by 2FA is behind a proxy server, select the Custom proxy check box and fill in the
required details. Otherwise, the ESA component will not connect to the Authentication Server.
4. Click Live installer.
When you launch the installer, it will list the ESA components to install.
Install the Windows Login plugin
Windows Login protection is available for local user accounts and Active Directory user accounts only.
1. To install the ESA Windows Login plug-in on the applicable machine, either use the live installer or run the
generic installer (.EXE file). If not detected, the .NET Framework version 4.5 is installed automatically.
Generic .EXE installer - deployment type and components
When using the generic .EXE installer, select Standalone deployment type.
Do not select the Authentication Server or Reporting Engine (Elasticsearch) components.
2. When prompted, click Select components, select the check box next to Windows Login, and click Next.