Using Windows Authentication with MailMarshal (SEG) 10


This article applies to:

  • Trustwave MailMarshal (SEG) 10.0.1 and above
  • Windows Authentication for Management Console and Folder Access

Question:

  • How do I set up Windows or NTLM authentication in SEG?

Information:

MailMarshal (SEG) 10.0.1 and above allows use of Windows authentication to control access to the Management Console and folders. 

You must choose either Windows or SEG authentication. Only one authentication scheme will be active for the Management Console.

This article provides a general overview. For detailed guidance see Help for the user interfaces.

Prerequisite:

You must enable Windows Authentication in IIS on the SEG Array Manager/Management Console server.

New Installations and Upgrades from 10.x:

By default new installations of MailMarshal (SEG) 10 use SEG authentication only, and create a single SEG account named admin that has the superuser role (full privileges on the Management Console and all folders).

To enable Windows authentication in SEG:

  1. From the Start menu, run the SEG Config Service Admin Tool.
  2. On the Authentication tab, choose to enable Windows NTLM Authentication.
  3. Optionally select Windows groups for Administrator and Helpdesk access to the Management Console.
    • Members of these groups will be created as SEG users and added to SEG roles when they first browse to the Management Console. 
    • Removing members from these groups DOES NOT remove SEG access for the members. You must manage SEG access using the Authorized Users page in the Management Console.
  4. On the Users tab, add at least one Windows user. This user will have the superuser role in SEG, which allows access to grant permissions in the Management Console:
    • Use of the Authorized Users page
    • Use of Folder permissions tabs
  5. Manage permissions in detail by logging on to the Management Console with the superuser credential.
    • You can promote additional users to the superuser role from the Authorized Users page.
    • You can select Windows users and groups accessible on the server when setting folder security permissions.
  6. Trustwave recommends that you always maintain a SEG (non-Windows) superuser for use with tools such as MMExportCFG and the Array Manager API.

Upgrades from 8.2.x:

The upgrade process enables use of Windows NTLM Authentication.

  1. As part of the upgrade, you must provide an initial superuser credential.
    • You can enter a Windows credential in domain\user format. Entry of a password is enforced but this password will not apply to Windows credentials.
    • The Windows user running the install will also be added as a superuser by default. If the install required privilege elevation, the elevated credential will be used.
    • If you choose not to add the current user as superuser, that user will still be added with Helpdesk role access. Be sure to manually add a Windows credential so that you have a superuser login.
  2. After upgrade is complete, you can use the SEG Config Service Admin Tool to select Windows groups for Administrator and Helpdesk access to the Management Console.
    • Members of these groups will be created as SEG users and added to SEG roles when they first browse to the Management Console. 
    • Removing members from these groups DOES NOT remove SEG access for the members. You must manage SEG access using the Authorized Users page in the Management Console.
  3. Manage permissions in detail by logging on to the Management Console with the superuser credential.
    • You can promote additional users to the superuser role from the Authorized Users page.
    • You can select Windows users and groups accessible on the server when setting folder security permissions.
  4. Trustwave recommends that you always maintain a SEG (non-Windows) superuser for use with tools such as MMExportCFG and the Array Manager API.
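
Because removing a member from the Administrator or Helpdesk Windows group does not remove that member's SEG access (see both procedures above), SEG roles can outlive group membership. The following PowerShell is an added example, not Trustwave code, that lists Windows accounts still holding a SEG role after leaving the mapped group. It assumes you have transcribed the Authorized Users page into objects with hypothetical Account and Role properties; the domain, group and account names are constructed placeholders.

```powershell
# Added example: reconcile SEG Authorized Users against current Windows group membership.
# Assumption: $segUsers is transcribed by hand from the Authorized Users page; the
# Account/Role property names are hypothetical, not a SEG export format.

function Find-StaleSegAccess {
    param(
        [Parameter(Mandatory)] [object[]]  $SegUsers,      # objects with Account and Role
        [Parameter(Mandatory)] [hashtable] $GroupMembers   # role name -> current group members
    )
    foreach ($user in $SegUsers) {
        # SEG (non-Windows) accounts such as 'admin' have no domain prefix; skip them.
        if ($user.Account -notmatch '\\') { continue }
        # Only roles that are populated from a Windows group can go stale this way.
        if (-not $GroupMembers.ContainsKey($user.Role)) { continue }
        # -notcontains compares case-insensitively, as Windows account names do.
        if ($GroupMembers[$user.Role] -notcontains $user.Account) {
            [pscustomobject]@{
                Account = $user.Account
                Role    = $user.Role
                Finding = 'In SEG role but no longer in the mapped Windows group'
            }
        }
    }
}

# Constructed sample data (all names are placeholders).
$segUsers = @(
    [pscustomobject]@{ Account = 'admin';         Role = 'Superuser'     }
    [pscustomobject]@{ Account = 'EXAMPLE\alice'; Role = 'Administrator' }
    [pscustomobject]@{ Account = 'EXAMPLE\bob';   Role = 'Administrator' }
    [pscustomobject]@{ Account = 'EXAMPLE\carol'; Role = 'Helpdesk'      }
)
# In production, fill these from Active Directory, for example:
#   Get-ADGroupMember -Identity 'SEG-Admins' -Recursive |
#       ForEach-Object { "EXAMPLE\$($_.SamAccountName)" }
$groupMembers = @{
    Administrator = @('EXAMPLE\Alice')   # bob has been removed from the group
    Helpdesk      = @('EXAMPLE\carol')
}

Find-StaleSegAccess -SegUsers $segUsers -GroupMembers $groupMembers | Format-Table -AutoSize
```

Accounts reported here still need to be removed or demoted on the Authorized Users page in the Management Console.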

Disabling Windows Authentication:

You can use the SEG Config Service Admin Tool to disable Windows NTLM Authentication. If you disable Windows Authentication for SEG, permissions for Windows accounts will not be used or shown in the Management Console, but they are remembered. If you later re-enable Windows NTLM Authentication, the detailed permissions for Windows accounts will be restored. (Likewise, detailed SEG account permissions are not used for the Management Console when Windows Authentication is enabled, but they are remembered.)


Last Modified 2/3/2021.
https://support.trustwave.com/kb/KnowledgebaseArticle21157.aspx