
Solutions by Application
Solutions with Every Business and Technology Needed
Microsoft DirectAccess:
DirectAccess allows remote users to securely access internal network file shares, Web sites, and applications without connecting to a virtual private network (VPN). An internal network is also known as a private network or intranet. DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the internal network and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.
You can use the DirectAccess Management Console to set up a DirectAccess infrastructure by performing the following tasks:
- Specify the client computers that can use DirectAccess by selecting the security groups to which they belong
- Configure the network adapters on the DirectAccess server that are connected to your internal network and the Internet and the certificates that you want to use for authentication
- Configure the location of an internal Web site so that DirectAccess client computers can determine when they are located on the internal network
- Configure the Domain Name Service (DNS) names that must be resolved by internal network DNS servers
- Identify infrastructure servers (network location, DNS, and management servers)
- Identify application servers for optional authentication
Benefits of deploying Microsoft DirectAccess on a Celestix appliance:
- Procurement – With Celestix DirectAccess appliances, you purchase integrated solutions from one source. With white box deployments, you purchase separate hardware, operating system, and Microsoft components—each requiring a separate approval cycle.
- Integration – Celestix appliances come fully integrated and ready to use straight from the box. The time spent integrating and testing white box deployments adds significant costs and delays to deployments.
- COMET Appliance Engine – Based on Microsoft Windows Server 2012, Celestix’ COSMOS engine provides several unique features for ease of use:
  - Jog dial and LCD display enable fast, easy setup, management, and monitoring when on site.
  - Web UI for simple setup, remote configuration of network settings, options to view logs, reboot, receive alerts, and update software, and other management tasks.
- Disaster Recovery – Each Celestix appliance includes one-button rollback to factory presets.
- Celestix has optimized and hardened the operating system and Microsoft security solution.
- Time – With Celestix appliances, there is no need to dedicate long hours of staff time to configure individual white boxes. Celestix appliances are fully packaged and pre-configured to minimize the burden on your IT staff.
Single Sign-on (SSO):
Challenges faced while Integrating Cloud/SaaS Applications in your network
In recent years, we have witnessed a dramatic rise in the use of Software as a Service (SaaS) applications within enterprises. This has been coupled with a similar shift of on-premises applications to the cloud. Some of the driving forces behind this explosive adoption are IT cost reduction, software application standardization, scalability, easier administration, automatic updates and patch management.
This is a paradigm shift and it simplifies a variety of issues faced by enterprise IT today. However, cloud and SaaS Applications introduce a new set of challenges, especially in the areas of access and identity management.
Managing Multiple User Directories for Each Application – IT administrators need to manage multiple user identities across different applications and control who is granted access to which application. For this, IT admins need to create user identities on each cloud service, which could mean creating a separate credential directory for every application. It is a burden for IT admins and users to manage multiple logon identities and passwords.
Security Risks – Users are often expected to create their own logon credentials to these business-related cloud applications. Multiple logon credentials expose businesses to various risks, including the potential use of easy-to-crack passwords by users and the difficulty of cutting off access when users leave the company.
Decrease in Productivity – Businesses can experience productivity decreases if users constantly have to deal with multiple application logins, password resets, and helpdesk calls. This potential increase in administrative overhead can largely offset the benefits of switching to cloud-based applications.
Beating the Identity and Access Management Challenges with Single Sign-On
Single sign-on (SSO) is a process that allows users to authenticate once using their corporate credentials and gain access to multiple applications without having to re-authenticate. The user has to deal with just a single set of credentials, greatly reducing the barriers for cloud adoption. SSO provides an enhanced user experience and helps reduce administrative overhead.
SSO can be achieved by leveraging on-premises user directory services like Active Directory (AD) to manage access to cloud applications that are outside the enterprise domain and have their own native user directories. Integrating these cloud applications with Active Directory can address challenges at two levels. First, IT admins can control user access from a central location. Second, users can use their existing on-premises credentials to log on to all cloud applications.
Administrators can effectively manage user access across all applications from a single point. They can quickly and easily grant access to new employees and revoke access from employees leaving the company. Thus, SSO is an effective tool to enhance security and increase overall productivity.
Single Sign-On Benefits
- Centralized authentication servers that all applications and systems can use for authentication
- Ability to enforce consistent and strong access control policies across on-premises and cloud applications
- Single set of credentials to manage
- Credentials stored on-premises
- Significant cost savings from reduction in password related help desk calls
- Reduces the administrative burden of adding and removing users to/from individual applications
- Enhances security and compliance capabilities
- Provides convenience to users, who don’t need to enter credentials more than once
- Reduces password fatigue for users, who just have to remember a single set of credentials
- Increases productivity for both users and IT administrators
Establishing Single Sign-On for Office 365
Microsoft Office 365 is the most widely adopted cloud business solution that includes Exchange Server, SharePoint® and Lync®. Office 365 helps users access their applications and files from any device anywhere.
Establishing true SSO for Office 365 requires creating federated user identities. Federated identity enables users to use their existing Active Directory (AD) corporate credentials to get seamless access to the Office 365 cloud productivity suite. The corporate AD stores and controls the password policy. Users are authenticated via on-premises AD services, which requires setting up Active Directory Federation Services (AD FS), AD FS Proxies and Directory Synchronization (DirSync).
Installation and configuration of AD FS and DirSync is a complex and time-consuming process. To simplify the deployment of AD FS and DirSync to establish SSO, Celestix offers the Celestix Federated Appliance.
Celestix Single Sign-On Solution
Celestix Federated Appliance is a plug-and-play solution that provides seamless Active Directory (AD) integration with Office 365 and other applications located either behind the firewall or in the cloud to enable single sign-on (SSO) and access management.
- Purpose-built solution to tightly integrate Office 365 with AD
- Reduces Microsoft ADFS installation and configuration complexity
- ADFS installation for Office 365 in less than 15 minutes
- Preconfigured and wizard process for rapid deployment
- Minimal technical expertise required
- Increased security with on-premises deployment
- Keep your user credentials in one place in Active Directory
- Lowest total cost of ownership
Web Application Proxy:
Web Application Proxy is one of the components in the Celestix Edge E Series Security solution. Web Application Proxy provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network. Web Application Proxy preauthenticates access to web applications using Active Directory Federation Services (AD FS), and also functions as an AD FS proxy.
Publishing Applications
Web Application Proxy publishing enables end users to access their organization’s applications from their own devices, so that users are not limited to corporate laptops to do their work; they can use their home computer, their tablet, or their smartphone. In addition, end users are not required to install any additional software on their device to access published applications. Web Application Proxy can be used on clients with a standard browser, an Office client or a rich client using OAuth (for example, Windows Store apps). Web Application Proxy serves as a reverse proxy for any application that is published through it and as such, the end user experience is the same as if the end user’s device connects directly to the application.
Accessing Applications
Web Application Proxy must always be deployed with AD FS. This enables you to leverage the features of AD FS, such as single sign-on (SSO), which lets users enter their credentials one time and not be required to enter them again on subsequent occasions. SSO is supported by Web Application Proxy for backend servers that use claims-based authentication (for example, SharePoint claims-based applications) and Integrated Windows authentication using Kerberos constrained delegation. Integrated Windows authentication-based applications can be defined in AD FS as relying party trusts, which can define rich authentication and authorization policies that are enforced in requests to the application.
Protecting Applications from External Threats
Web Application Proxy serves as a barrier between the Internet and your corporate applications. In many organizations, when you deploy Web Application Proxy and publish applications through it, those applications will be available to external users on devices that are not joined to your domain; for example, personal laptops, tablets, or smartphones. These devices are not domain-joined and as such, they are described as unmanaged devices, and are untrusted within the corporate network. Since you want your users to be able to access important information whenever and wherever they are located, you must mitigate the security risk of allowing users access to corporate resources from these unmanaged and untrusted devices. Web Application Proxy provides a number of security features to protect your corporate network from external threats. Web Application Proxy uses AD FS for authentication and authorization to ensure that only users on devices who authenticate and are authorized can access your corporate applications.
Two-Factor Authentication:
HOTPin is a simple and easy-to-deploy two-factor authentication solution that uses your phone as a token. The HOTPin authentication service is available in software, virtual machine or appliance form factors for on-premises deployment, or as a managed service with a pay-as-you-go price model.
What is HOTPin?
Celestix HOTPin is a tokenless two-factor authentication solution that enables organizations to empower their mobile workforce while ensuring industry leading protection of digital identities and protecting against unsolicited access to corporate resources, a primary reason for the loss of data.
Celestix HOTPin enables organizations not only to mobilize their workforce but also to leverage the remote worker’s smart device, PC or tablet to act as a token capable of generating an event-based one-time password (OTP).
How does it work?
One Time Passwords
ATM cards provide two-factor authentication in the tightly controlled environment of ATM machines, where each machine is equipped with a special card reader. It is not feasible to equip every laptop, desktop or tablet with a special device to read a card. That would be cost-prohibitive, time-consuming and extremely impractical.
To provide two-factor authentication for computer services and sites, users rely on a One Time Password that is generated on a device that is uniquely assigned to a user. One Time Passwords (OTPs) provide security in a number of ways.
- Always Changing
The OTP changes after a fixed interval of time, commonly every 60 seconds. Even if an unauthorized user noted the OTP, they won’t be able to use it since it would have changed for the next session.
- Tied to a device
OTPs are generated using a seed that is uniquely associated with a device. Thus, every user’s OTP will be different. Since the device is assigned to a user, the OTP uniquely authenticates a user and a PC desktop client. By leveraging smart devices or text messaging, the OTP is delivered ‘on demand’ to the user. And, of course, HOTPin easily integrates with AD.
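How a per-device seed and a moving counter yield the codes described above, as an added example that is not from the original page and is not HOTPin's own implementation. It assumes the standard HOTP construction (RFC 4226) with the counter derived from a 60-second interval as in RFC 6238; the device names and the second seed are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Seed from the RFC 4226 test vectors; the second seed is a constructed sample.
RFC4226_SEED = b"12345678901234567890"
SAMPLE_SEEDS = {"alice-phone": RFC4226_SEED, "bob-phone": b"constructed-seed-for-bob"}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60) -> str:
    """Time-based variant: the counter is the number of elapsed intervals."""
    return hotp(seed, unix_time // step)


class OtpVerifier:
    """Server side: one seed per enrolled device, one accepted code per interval."""

    def __init__(self, seeds: dict, step: int = 60):
        self.seeds = dict(seeds)
        self.step = step
        self.last_counter = {}                   # device_id -> last accepted counter

    def verify(self, device_id: str, candidate: str, unix_time: int) -> bool:
        seed = self.seeds.get(device_id)
        if seed is None:
            return False                         # unknown device
        counter = unix_time // self.step
        if counter <= self.last_counter.get(device_id, -1):
            return False                         # code already used in this interval
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(hotp(seed, counter), candidate):
            return False
        self.last_counter[device_id] = counter
        return True


if __name__ == "__main__":
    server = OtpVerifier(SAMPLE_SEEDS)
    code = totp(RFC4226_SEED, 30)                # generated on the device at t=30s
    print("code at t=30:", code)
    print("accepted at t=30:", server.verify("alice-phone", code, 30))
    print("replayed at t=45:", server.verify("alice-phone", code, 45))
    print("reused at t=60:", server.verify("alice-phone", code, 60))
    print("tried on other device:", server.verify("bob-phone", code, 30))
```

A production verifier would also tolerate a small amount of clock drift and rate-limit failed attempts, both of which are left out here.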
QR Login
The HOTPin client now supports QR codes. Users can scan the QR code and will be instantly logged in to the application in a secure manner. Integrating this function into any web service is simple. The latest HOTPin 3.7 includes an API with samples that help to simplify the integration into your existing server architecture.
Licensing
Server License
The HOTPin authentication server is available at a fixed price and requires an annual maintenance fee.
Subscription
User licensing is per registered user and is enforced on the server. One major benefit of HOTPin is that the per license price is fixed, regardless of the token form factor. For instance, the hardware token is priced the same as the soft token. This addresses a key issue in the authentication market which is the complexity of pricing for various token types.
HOTPin licenses are available on a renewable basis for terms of 1, 2 and 3 years.
Threat Management:
Comprehensive secure web gateway to help protect employees from web based threats
Celestix MSA security appliances deliver Microsoft’s Forefront Threat Management Gateway 2010 for unmatched multi-threat protection with industry-leading ease of use and value. Performance, reliability, and ease of management backed by expert Celestix customer support have made MSA the world’s best-selling Microsoft security appliances.
Microsoft’s Forefront Threat Management Gateway 2010 (TMG) puts fortified layers of best-in-class security functions throughout your network to block, detect, and thwart attacks from beyond the edge, at the edge, and inside your network.
The MSA appliance range is the world’s most deployed platform for Microsoft TMG 2010. MSA appliances are built for rapid deployment, simplified management and high performance. The COMET software engine provides an intuitive and feature-rich web UI that allows for advanced configuration for both TMG and the appliance.
Celestix provides numerous additional features that complement and enhance the use of TMG. Automated update services provide pre-screened alerts and patches through the web UI, and multiple back-up and restore options provide solutions for disaster recovery.
Because of Celestix’ purpose-built appliance hardware and Comet appliance engine software, MSA appliances have earned an international reputation for great performance and reliability. We engineered our 6th generation hardware platforms to optimize the performance of TMG using the latest high-speed components and architecture optimized for 64-bit operations. We harden our appliance hardware platforms by eliminating all hardware components not needed to run TMG. Eliminating extraneous hardware and drivers removes security vulnerabilities and potential points of failure. Simplified hardware also reduces power and cooling requirements for cost savings on energy.
MSA powered by Microsoft TMG, web based protection from Celestix business anywhere solutions.
Unified Access Gateway:
Celestix provides numerous additional features that complement and enhance the use of Unified Access Gateway. Automated update services provide prescreened alerts and patches through the COMET web UI, and multiple backup and restore options provide solutions for disaster recovery. Celestix appliances are the de facto platform for the secure and risk-free deployment of Unified Access Gateway 2010; just ask the readers of Computing Security, who voted the WSA appliance the Network Security Product of the Year 2011.
Secure, anywhere access
Secure, web-based access to business critical applications and data.
- Differentiated and policy-driven access to network, server, and data resources.
- Flexible application-intelligent SSL VPN from any device or location.
- Highly granular access and security policy enforced at the session, application, and function levels.
- Comprehensive basic and form-based authentication through Active Directory, RADIUS, LDAP and HOTPin.
- Customizable, identity-based web portal with single sign-on (SSO).
- Handles embedded browser applications.
- Connectivity and control for client/server and legacy applications.
- Management features for DirectAccess VPN.
Protect IT assets
Integrated application protection helps ensure the integrity and safety of network application infrastructure by blocking malicious attacks.
- Application-layer firewall blocks non-conformant requests, such as buffer overflow or SQL injection, on application protocols.
- Comprehensive protocol validation and deep content inspection with both positive and negative logic rule sets.
- URL cloaking and full functionality for remote users through dynamic URL rewrite and HTTP parameter filtering.
- Application optimizers provide out-of-the-box protection for high-value applications such as SharePoint® Server and Microsoft® Outlook® Web Access.
- Comprehensive monitoring and reporting; integrates with third-party risk and policy management platforms.
- Extensible infrastructure and tools for custom application publishing and scripting.
Simplified provisioning and management
Celestix WSA appliances provide a single platform through which to deliver and manage remote access. With built-in policies and configurations for common applications and devices, you can gain more control, more efficient management, greater visibility, and lower total cost of ownership.
- Multiple server array deployment provides high availability and failover capabilities.
- Supports Windows Server 2008 R2 (64-bit) operating system.
- Simple application publishing tools for core applications such as SharePoint.
Built for purpose appliance platform
Celestix WSA appliances provide an award winning, hardened turnkey platform for the deployment of Unified Access Gateway 2010. Celestix optimizes both the hardware and software on the WSA appliance to ensure a risk-free “right first time” deployment. Celestix helps to lower the cost of ownership through reduced deployment timescales and increased hardware reliability.
- Rapid deployment with jog dial, LED display and intuitive interface.
- Simplified administration with COMET user interface.
- Automated patching and updates for application, OS and firmware.
- Out of band management.
- A range of appliance form factors for enterprises of all sizes.
WSA powered by Microsoft Unified Access Gateway: Secure remote access for a business anywhere solution from Celestix.
Client Automation:
Keeping software updated in large pools of client devices such as laptops, PCs, ATMs, and kiosks is very time-consuming and costly. The time it takes to manually deploy software patches and updates to vast numbers of clients impairs productivity. Clients that don’t have the latest patches are active security threats and hurt compliance. In large enterprises, automating client software management to improve speed and economy is a necessity.
BMC appliances from Celestix are the most cost-effective solution now available for providing the repeater function that large enterprises need to deploy the BMC Marimba Client Automation system. Repeaters ensure that all managed client devices have current and compliant software. Celestix BMC appliances are the fast, easy, and economical way to insert repeaters into a BMC Marimba Client Automation infrastructure.