What is Rublon Access Gateway and what can it be used for?
Rublon Access Gateway is a web application that secures the login process with two-factor authentication: an additional Rublon authentication step is performed after the user logs in through an authentication source. The application supports one of two authentication sources (LDAP or RADIUS). Rublon Access Gateway lets you define integrations with common web applications such as Office 365, G Suite, and Freshdesk. Data between Rublon Access Gateway and the added applications is transferred using the SAML 2.0 standard.
Step 1: Prepare your environment. It is recommended to install IIS HTTP Server. Next, install ASP.NET and the CGI module from Server Manager.
Step 2: Install PHP, for example with Microsoft Web Platform Installer. The recommended version is 7.2+ for IIS Express.
Step 3: Download the Rublon Access Gateway package and unzip the files into the root C:/inetpub/wwwroot directory.
Step 4: Purchase an SSL certificate for your server (using a fully qualified domain name) from a commercial Certificate Authority (CA) and add it in IIS Manager (Server Certificates icon). It is also possible to generate a free certificate with Let’s Encrypt, but you will need to demonstrate control of the domain. Certificates generated by Let’s Encrypt will have to be manually renewed every 90 days.
Step 5: Create a website for Rublon Access Gateway – in IIS Manager, right-click the Sites submenu and choose Add Website…
Step 6: The physical path should point to the rag/www directory. In the Binding section, set the HTTPS protocol and your domain host name, and select your SSL certificate, which was added in the third step.
Step 7: Open a terminal in the root rag directory and run the start script to configure your Rublon Access Gateway's environment:
The groupName parameter should contain the name of a local group that has write permissions for all files related to Rublon Access Gateway. Once the script has finished, you will get a message about the state of the configuration process.
Example of the result message after the start.bat script has been executed:
Step 8: Download the cacert.pem file and add it to your PHP SSL directory (PHP\version\extras\ssl). It contains the certificates in PEM format and is used directly by the php_curl library.
Step 9: Modify your php.ini file. Rublon Access Gateway needs the following changes to run:
- Set the curl.cainfo parameter. It should look like this:
curl.cainfo="C:\Program Files\iis express\PHP\v7.2\extras\ssl\cacert.pem"
- Add the php_ldap.dll file to the extension list:
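An added example, not part of the Rublon documentation: a PowerShell check for the two php.ini changes in Step 9. It flags a missing or commented-out curl.cainfo, typographic quotes carried over from a copied line, a CA bundle path that does not exist or holds no PEM certificates, and a missing LDAP extension. The function name Test-RagPhpIni and the sample lines are constructed for illustration.

```powershell
# Added example: checks the two php.ini changes from Step 9.
function Test-RagPhpIni {
    param([string[]]$Lines)
    $findings = @()
    # Ignore commented-out directives (';' starts a php.ini comment).
    $active = @($Lines | Where-Object { $_ -notmatch '^\s*;' })

    # When a directive is repeated, PHP uses the last value.
    $caLine = $active | Where-Object { $_ -match '^\s*curl\.cainfo\s*=' } |
        Select-Object -Last 1
    if (-not $caLine) {
        $findings += 'curl.cainfo is not set'
    } else {
        $value = ($caLine -split '=', 2)[1].Trim()
        # U+201C/U+201D are not string delimiters for PHP's ini parser.
        if ($value -match '[\u201C\u201D]') {
            $findings += 'curl.cainfo uses typographic quotes; use plain " characters'
        }
        $path = $value -replace '["\u201C\u201D]', ''
        if (-not $path) {
            $findings += 'curl.cainfo is empty'
        } elseif (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $findings += "CA bundle not found: $path"
        } elseif (-not (Select-String -LiteralPath $path -Pattern 'BEGIN CERTIFICATE' -Quiet)) {
            $findings += "No PEM certificates found in: $path"
        }
    }
    # PHP 7.2+ also accepts the short form extension=ldap.
    if (-not ($active | Where-Object { $_ -match '^\s*extension\s*=\s*"?(php_ldap\.dll|ldap)"?\s*$' })) {
        $findings += 'LDAP extension (php_ldap.dll) is not enabled'
    }
    return $findings
}

# Constructed sample php.ini lines (not from a real server).
$lq = [char]0x201C; $rq = [char]0x201D
$sample = @(
    '; curl.cainfo ='
    "curl.cainfo=${lq}C:\Program Files\iis express\PHP\v7.2\extras\ssl\cacert.pem${rq}"
    ';extension=php_ldap.dll'
)
Test-RagPhpIni -Lines $sample

# On the server, pass the real file instead (the path is an assumption):
# Test-RagPhpIni -Lines (Get-Content 'C:\Program Files\iis express\PHP\v7.2\php.ini')
```

An empty result means both changes are in place; restart the IIS site afterwards so PHP rereads php.ini.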
Step 10: With Microsoft Web Platform Installer you can also install the URL Rewrite module, which can be used to force HTTPS requests. This additional module is optional but recommended.
Step 11: Your Rublon Access Gateway should be configured to run on your domain name (previously defined/configured during the IIS installation process). To check whether Rublon Access Gateway is working properly, type your domain URL or FQDN in your browser.
Step 12: Default password for the administrator panel is:
In the next steps you can change the password to your own.
Rublon Access Gateway configuration
Step 1: Sign in to the Rublon Access Gateway's administrator panel.
Step 2: Go to the Settings tab and choose the Rublon subtab.
Step 3: Enter the required data and save all changes.
- Company token (required) – you should copy a company token from Rublon Admin Console (Settings tab->Management data section).
- Admin e-mail (required) – it is an email address of the owner of the organisation created within Rublon Admin Console.
- RAG URL address (optional) – you can set a static URL for the Rublon Access Gateway application. It is used for SAML communication between Rublon Access Gateway and your application. You should set this address when, for example, your domain has alias(es) or is available on the http and https protocols.
- Rublon Two-Factor (required, default: bypass) – sets the behaviour of Rublon when there is no connection to the Rublon Server.
Step 4: Security subtab. This section provides an option to import your own certificate file with a private key for the Identity Provider. This is recommended for security reasons. The certificate is used for signing SAML requests and responses, and the private key is used for encrypting SAML responses. All imported files must have the extension *.crt.
Step 5: SAML session subtab. It provides an option to change the default SAML session duration (in seconds). The SAML session is initialized during the authentication process of your applications. It is worth configuring the application so that logging out also disconnects the SAML session. If you log out without disconnecting your SAML session, the next login will use this session. For people who share one computer, the appropriate configuration is recommended.
Step 6: Admin password subtab. It provides an option to change the default administrator password for your Rublon Access Gateway. For security reasons it is recommended to change the default password right after the first login. Anyone who has access to the domain and knows the specified password will be able to access the administration panel.
Step 7: Logging subtab. If any issue occurs within the Rublon Access Gateway application, checking the Verbose logging option will provide more detailed log entries.
To read the log file please follow the steps below:
- Go to the location: rag/log
- Open the RAG.log file in any text editor.
1. Installation of IIS and PHP (points 1.1 and 1.2):
2. Installation of URL Rewrite module to force HTTPS on a website (How to redirect HTTP to HTTPS in IIS section):