Considerations for a Clean Installation of FIM 2010 R2 SSPR

Considerations for a Clean Install of FIM 2010 R2 SSPR

The following are considerations that must be taken into account when installing FIM 2010 R2 SSPR. These considerations deal strictly with a new install and not with upgrading. For Upgrade Considerations see Considerations when Upgrading to FIM 2010 R2 SSPR earlier in this document.

This section is comprised of the following:

Environmental Considerations

There are several pre-requisites required to implementing Self-Service Password Reset. These can be found here: Environmental Pre-requisites. These pre-requisites should be considered prior to planning your deployment so you can assess your environment and see what other teams/divisions may need to be engaged to ensure a successful deployment.

Supported Deployment Topologies

When planning a deployment of Forefront Identity Manager 2010 R2 Self-Service Password Reset you can design a topology that ranges from a single-server to a distributed deployment. Each of these, in turn, can be intranet-only or intranet/extranet. If a topology that has an extranet component is chosen, these may sit directly on an extranet or they can be published using a reverse-proxy such as Forefront Threat Management Gateway 2010.

Intranet / Extranet Consideration

One of the first things that need to be determined is whether or not any or all of the portals will be accessible via the intranet or via the intranet and extranet. If you choose to have both the registration and reset portals only available on the intranet, then users will not be able to reset their passwords externally. Users will have to be connected to your corporate environment to use the portals.

It is possible to specify that only one portal is accessible through an extranet while making the other one only available via the intranet. For instance, you can choose to deploy the portals in such a fashion as to have the registration portal be intranet facing and the reset portal be intranet/extranet facing. With this option, users must be logged on to the corporate network to register for password reset but once this is done they can reset their passwords from anywhere.

Single Server vs. Distributed

Depending on how much of Forefront Identity Manager 2010 R2 you plan to implement, you may choose a single-server option over a distributed one. With a single server option all of the features of Forefront Identity Manager 2010 R2 are installed on a single sever. This includes the FIM Service, the FIM Portal, the Synchronization Service, the Registration and Reset portals as well as SQL and SharePoint 2010. If you wish to deploy the FIM 2010 R2 Reporting Feature you will need to use minimum distributed deployment, as the SCSM pieces require two additional servers. The single-server option may be best suited for a very small deployment of FIM 2010 R2 or for a test environment. That is, for example, if you plan to only use SSPR and your AD environment is relatively small.

A distributed, scaled out deployment is the most common in the enterprise. The most common deployment of this type sees the FIM Service and the Synchronization Service residing on servers other than the SQL servers that house their databases. In fact, the FIM Service, the Synchronization Service and their two databases may actually all be on separate servers. From a security stand point this is a better solution in that, if you are going to have the password registration and password reset portals externally facing and sitting on the internet, you would not want to expose your FIM Service and Synchronization Service, or their databases to the internet.

Reverse Proxy in a DMZ

The Password Reset and Registration Portals are publishable to the internet using a reverse proxy such as Forefront Threat Management Gateway 2010 and other 3rd party reverse-proxy servers. A reverse proxy configuration is supported under the following conditions:

  • The reverse proxy is domain joined and is publishing either or all of the password portals externally.

  • The reverse proxy is not domain joined and is publishing either or all of the password portals externally.

Reverse Proxy

Authentication Gate Considerations

Forefront Identity Manager 2010 R2 includes several authentication gates that can be configured for use with Self-Service Password Reset. These gates can be setup as part of an Authentication workflow. There are a few considerations depending upon the type of Gate you select. For additional information on Authentication Gates see SSPR Authentication Gates later in this document.

QA Gate Considerations

The QA gate provides a mechanism for users to authenticate to the FIM Service. During registration it accepts answers to various configurable questions and during reset it prompts for these answers. With regard to the QA Gate there are several considerations that need to be taken into account. The following is a list of these considerations:

  • Easily Remembered – Are the security questions you are implementing easy for users to remember answer to?

  • Relevant to everyone – Are the security questions you are implementing relevant to everyone? Not everyone has a cat or a dog or even a sibling.

  • Not easy to guess – Are the answers to the security questions you are implementing difficult to guess? Do they have hundreds or thousands of possible answers?

  • Not on Facebook – Are the answers to the security questions you are implementing things that you would not post on Facebook?

  • Number of Questions – How many questions do you plan to implement? Are users required to register for all of these?

  • Number of Answers – How many questions will users be required to answer correctly to change their password? Will you have them register for say 10 questions but then only randomly give them 3 that they need to answer correctly?

  • Duplicate – Will you allow duplicates or not?

OTP Email Gate Considerations

The One-Time-Password (OTP) Email Gate is a new Authentication gate that is being introduced in FIM 2010 R2. This gate provides a way for a user’s identity to be verified by sending a one-time-password to the user’s email address. With regard to the OTP Email Gate there are a couple of considerations that need to be taken into account. The following is a list of these considerations:

  • Valid E-mail Address – Does your environment have a mail attribute that is populated with a valid email address for your users or will the users need to specify this when registering.

  • OTP Email and FIM 2010 R2 Client – If you are implementing an OTP Email gate and a user attempts to reset their password via the client because they are locked out of their laptop or desktop will they be able to access this email? Should the OTP Email gate be used for just extranet requests?

OTP SMS Gate Considerations

The One-Time-Password (OTP) SMS Gate is a new Authentication gate that is being introduced in FIM 2010 R2. This gate provides a way for a user’s identity to be verified by sending a one-time-password to the user’s mobile phone via an SMS provider. With regard to the OTP SMS Gate there are few considerations that need to be taken into account. The following is a list of these considerations:

  • An SMS Provider – An SMS (Short Message System) provider is required to use the OTP SMS gate.

  • Valid Mobile Phone number – Does your environment have an attribute that is populated with a valid mobile phone number for your users or will the users need to specify this when registering.

  • Code Experience – In order to implement the SmsServiceProvider.dll a small amount of code will need to be written based on how you connect with your SMS service provider.

Application Pool Accounts

You will need at least one account, possibly two if you want to run each site under a different application pool account. These accounts should be regular domain user accounts.

Configuring the FIM Portal for Password Reset only

If you are using FIM only for password resets, you can remove the other elements from the FIM home page. For information about how to update the FIM home page, see Introduction to Configuring the FIM Portal in the FIM 2010 documentation.

Show: