SecTrail MFA Installation Guide
SecTrail MFA is offered as a virtual appliance in OVA format. This guide details all steps, from deploying the OVA file to initial configuration.
System Requirements
Hardware Requirements
To ensure SecTrail MFA runs successfully, you must meet the following minimum system requirements:
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 4 Core | 8 Core |
| RAM | 8 GB | 16 GB |
| Disk | 100 GB | 200 GB |
| Network | 1 Gbps | 1 Gbps |
Use the recommended values for high user counts and heavy processing loads.
Pre-Installation Preparation
1. Deploying the OVA Image to the Virtualization Environment
You can deploy the SecTrail MFA OVA image to your virtualization environment. After deployment, you can proceed by granting the necessary permissions to the server.
2. Network and Integration Requirements
The following requirements must be met for SecTrail MFA to be successfully integrated.
3.1. Access Permissions from Integrated Devices/Services to SecTrail MFA
Access permission must be defined on the following ports from the integrated devices and services towards the SecTrail MFA server:
| Port | Protocol | Purpose | Description |
|---|---|---|---|
| 1812 | UDP | RADIUS Integration | For RADIUS authentication from devices like VPN, Firewall, RDP Gateway |
| 443 | TCP | Web Service Integration | For API calls and web service integrations |
| 443 | TCP | Interface Access | For secure access to the management interface over HTTPS |
3.2. Access Permissions from SecTrail MFA to External Services
Access permission must be provided on the following ports from the SecTrail MFA server towards the servers it will communicate with:
Mandatory Access:
| Port | Protocol | Service | Description |
|---|---|---|---|
| 389 | TCP | LDAP | For Active Directory/LDAP user authentication |
| 636 | TCP | LDAPS | For secure LDAP connection |
| 123 | UDP | NTP | For time synchronization |
Optional Accesses (If they are to be used):
| Port | Protocol | Service | Description |
|---|---|---|---|
| 514 | UDP/TCP | Syslog | For sending logs (optional) |
| 443 | TCP | SMS Gateway | For accessing the SMS service provider (if SMS OTP is to be used) |
| 443 | TCP | Push Notification | For push notification services (cs.sectrail.com) |
| 25 | TCP | SMTP | For sending email (if Email OTP is to be used) |
| 465 | TCP | SMTPS | For secure email sending (if Email OTP is to be used) |
| 587 | TCP | SMTP (TLS) | For email sending with TLS (if Email OTP is to be used) |
3.3. Active Directory / LDAP Integration
The following information must be prepared and shared for Active Directory or LDAP integration:
Required Information:
- ✅ User DN: User Distinguished Name for the LDAP connection
- ✅ User Password: LDAP user password
- ✅ Base DN: LDAP search base
- ✅ Mobile Attribute: LDAP attribute containing the phone number (e.g., mobile, telephoneNumber)
- ✅ Mail Attribute: LDAP attribute containing the email address (e.g., mail, userPrincipalName)
Required Permissions:
- The LDAP user must have read permission on Active Directory
- Access permission to user information and related attributes is required
This information must be shared with the SecTrail MFA support team and added to the configuration during installation.
3.4. SMS Gateway Integration
Integration requirements with your SMS service provider for SMS OTP:
Pre-Installation Requirements:
- 📄 SMS Service Document: API documentation of your SMS service provider
- 🔌 API Information: Connection details such as username, password, API endpoint
- 🌐 Network Access: Access from the SecTrail MFA server IP to the SMS service provider over port 443
Integration Process:
- Integration is performed according to the format supported by your SMS service provider
- SecTrail MFA supports various SMS gateways
- Customization can be done for specific formats
3.5. Push Notification Integration
For using push notifications via the mobile application:
Required Access:
- 🌐 Target Address: cs.sectrail.com
- 🔌 Port: 443 (HTTPS)
- 📱 Purpose: Communication between the SecTrail Authenticator mobile app and the push notification service
Access permission must be defined from the SecTrail MFA server to the cs.sectrail.com address over port 443.
3.6. ADFS / OWA (Outlook Web Access) Integration
Requirements for ADFS integration:
Installation Requirements:
- 💻 SecTrail MFA Adapter Installation: The SecTrail MFA adapter needs to be installed on the server where ADFS is running
- 🔧 Installation Support: The SecTrail MFA support team will assist you during the adapter installation process
- 🔌 Network Access: Communication between the ADFS server and the SecTrail MFA server
Integration Scope:
- Federation-based authentication
- MFA protection for Outlook Web Access (OWA)
- Claims-based authentication support
3.7. Windows RDP / Logon Integration
MFA protection for Windows desktop and RDP sessions:
Installation Requirements:
- 💻 End-User Application: Installation of the SecTrail MFA Credential Provider on Windows systems
- 🖥️ Supported Systems: Windows Server and Windows Desktop systems
- 🔐 Integration Type: MFA for Windows Logon and RDP sessions
Application Areas:
- Local Windows logon
- Remote Desktop (RDP) connections
- Terminal Server sessions
3.8. Google reCAPTCHA Integration (Optional)
If Google reCAPTCHA is to be used on the Admin Panel and Registration Portal:
Required Access:
Outbound access from the SecTrail MFA server to the following Google services is required:
| Target Domain | Port | Protocol | Description |
|---|---|---|---|
| *.google.com | 443 | HTTPS | Main Google services |
| *.gstatic.com | 443 | HTTPS | Google static content service |
| *.recaptcha.net | 443 | HTTPS | reCAPTCHA service |
| *.googleapis.com | 443 | HTTPS | Google API services |
Configuration:
- 🔑 Google reCAPTCHA site key and secret key must be obtained
- 🌐 HTTPS access must be provided from the SecTrail MFA server to the domains above
- 🤖 Used for bot protection and security verification
SecTrail MFA supports Google reCAPTCHA v2 and v3.
3.9. Cluster (Redundant Structure) Requirements
If servers are to be set up in a cluster structure for high availability:
Cluster Ports:
| Port | Protocol | Purpose | Access Direction |
|---|---|---|---|
| 4444 | TCP | Galera Cluster SST | Bi-directional (between nodes) |
| 4567 | TCP | Galera Cluster Replication | Bi-directional (between nodes) |
| 4568 | TCP | Galera Cluster IST | Bi-directional (between nodes) |
Defining bi-directional access permission to ports 4444, 4567, and 4568 between cluster nodes is mandatory.
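As an added example (not part of the SecTrail documentation), the following Python pre-flight check, run from the SecTrail MFA server before installation, verifies that the mandatory outbound TCP ports from 3.2, the push notification endpoint, and the Galera cluster ports from 3.9 are actually reachable; the LDAP hostname and peer node address are placeholders to replace with your own.

```python
import socket

# Outbound TCP targets from section 3.2 (mandatory LDAP/LDAPS and the push
# notification endpoint). "ldap.example.local" is a placeholder hostname.
MANDATORY_OUTBOUND = [
    ("ldap.example.local", 389, "LDAP"),
    ("ldap.example.local", 636, "LDAPS"),
]
PUSH_NOTIFICATION = [("cs.sectrail.com", 443, "Push Notification")]
# Galera ports from section 3.9: SST, replication, IST (bi-directional).
GALERA_PORTS = [4444, 4567, 4568]


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port can be established.
    UDP services (RADIUS 1812, NTP 123, syslog 514) cannot be verified this
    way and need a protocol-level probe instead."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def cluster_targets(peer_nodes):
    """Expand the other cluster nodes into (host, port, label) tuples."""
    return [(node, port, f"Galera {port}")
            for node in peer_nodes for port in GALERA_PORTS]


def run_preflight(targets, checker=check_tcp):
    """Check every target; return the labels that are NOT reachable."""
    failures = []
    for host, port, label in targets:
        ok = checker(host, port)
        print(f"{'OK  ' if ok else 'FAIL'} {label:<18} {host}:{port}")
        if not ok:
            failures.append(label)
    return failures


if __name__ == "__main__":
    # "10.0.0.12" is a placeholder for the second cluster node.
    targets = MANDATORY_OUTBOUND + PUSH_NOTIFICATION + cluster_targets(["10.0.0.12"])
    missing = run_preflight(targets)
    print("all ports reachable" if not missing else f"open firewall for: {missing}")
```

Run it once on each node; for a cluster, run it on every node so the bi-directional rules are confirmed from both sides.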
Installation Steps
Step 1: Deploying the OVA File
You can deploy the SecTrail MFA OVA image to your virtualization environment. Afterwards, the necessary resources and permissions can be defined.
Step 2: Initial Login and Network Configuration
After the VM starts, follow the steps below from the console screen:
Login Credentials
Use the following username for the initial login:
- Username: stadmin
- Password: The password will be shared with you
Network Configuration
After logging in, start the network configuration:
config
When the command is executed, the SecTrail MFA Configurator will start.
2.1. IP Address Configuration
Please enter a valid IP Address in CIDR Notation (e.g. 192.168.1.10/24)
IP Address: 192.168.1.100/24
- Enter the IP address and subnet mask in CIDR notation (e.g. 192.168.1.100/24)
- Confirm by pressing Enter
2.2. Gateway Address Configuration
Please enter a valid Gateway Address
Gateway IP Address: 192.168.1.1
- Enter the default gateway IP address
- Confirm by pressing Enter
2.3. DNS Server Configuration
How many DNS servers do you want to configure? (1-3)
1
Please enter a valid DNS Server Address
DNS Server IP Address: 192.168.1.150
- Enter the number of DNS servers you want to configure (between 1 and 3)
- Enter the IP address for each DNS server
2.4. Configuration Summary and Confirmation
IP: 192.168.1.100/24 -- GW: 192.168.1.1 -- DNS SERVERS: 192.168.1.150
Network Configuration will be set. Do you want to continue? (y/n)y
- Review the information you entered
- If correct, press y to continue
2.5. Configuration Activation
Activating Network Configuration
Setting IP Address
IP Address Set
Setting Default Gateway
Default Gateway Set
DNS Servers Set
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
Settings Saved
Network Configuration Completed Successfully
You will see the above messages when the network configuration is completed successfully.
Step 3: Application Key Generation (Optional)
After the network configuration is completed, the option to generate a SecTrail MFA application key is offered:
SecTrail MFA Application Key Generator
regenerate Application Key
Do you want to generate SecTrail MFA Application Key (y/n)?y
- Press y to generate a new application key
- Press n to keep the existing key
Application key set successfully.
Step 4: Web Management Panel Access and License Activation
After the network configuration is completed, navigate to the IP address you configured from your browser:
https://your-server-ip
SSL Certificate Warning
On first access, your browser may give a security warning due to the self-signed SSL certificate. It is recommended to use a certificate signed by a corporate CA in production environments.
Initial Login Credentials
Default administrator account for the web interface's first login:
- Username: admin
- Password: admin
You must change the administrator password after the first login!
Post-Installation - License Activation
You need to perform license activation on the first login. Follow the steps below for license activation:
License Activation
- When you first log into the web interface, you will be greeted with the license activation screen
- Share the App Key and Dossier information displayed on the screen with the SecTrail MFA support team
- Enter the License Key provided to you by the support team in the relevant field
- License verification will be performed automatically
After license activation is completed, you can view your license details in the web interface.
Obtaining a License
You can obtain your license key by sending your App Key and Dossier information to destek@sectrail.com or sdg-dev@bntpro.com.
Support
If you experience any issues during installation:
- 📧 Email: destek@sectrail.com
- 📞 Phone: +90 850 222 0268