Set up LastPass Universal Proxy v5.x

In order to use LastPass Universal Proxy v5.x you need to download the LastPass Universal Proxy v5.x software, then install it on a server within your infrastructure and configure the settings.

About this task:

Important: LastPass Universal Proxy V5.x is incompatible with V4.x. If you are not upgraded to the 5.x version, contact customer support.

Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?

Before you begin:

Before setting up LastPass Universal Proxy v5.x, check that your system is prepared with the minimum software requirements for LastPass Universal Proxy.

Make sure you have Docker Desktop or Docker Engine installed on your infrastructure.

Operating System	Installer
Windows	IInstall Docker Desktop
Linux	IInstall Docker Engine
Mac	IInstall Docker Desktop

Important: The "Restrict access by country" policy is not supported by LastPass Universal Proxy. Enabling this policy in the LastPass new Admin Console will lead to authentication issues. To set a location restriction when using LastPass Universal Proxy, enable the following policies:

Restrict LastPass Authenticator usage by location
Accept only LastPass Authenticator login requests

Download the LastPass Universal Proxy v5.x docker image
Add your application to LastPass.
For the specific steps, see Add MFA Apps for LastPass users.
Configure the LastPass Universal Proxy settings using the command line interface (CLI).

Configure your application.

LastPass Universal Proxy works for any on-premises application that uses LDAP, LDAPS or RADIUS authentication protocols (for example, VPN gateway). You need to configure your application to forward authentication requests to the LastPass Universal Proxy.

Important: In order to use LastPass Universal Proxy 5.x, an Active Directory Connector must be installed and an Active Directory must be present.

The following table shows the supported VPN applications and the protocols they can use:

VPN Client	LDAP	LDAPS	RADIUS
Cisco ASA	X	X	X
F5 BIG-IP APM	X	X	X
Fortinet FortiGate	X	X	X
Meraki MX VPN configuration for LastPass Universal Proxy			X
OpenVPN Access Server	X	X	X
OpenVPN Community Edition	X		X
Palo Alto Networks GlobalProtect	X	X	X
Pulse Connect Secure	X	X	X
SonicWall	X		X
Sophos	X	X	X

Assign your users.
In order for the authentication prompts to be passed to your users, you need to assign your users permission to use the LastPass MFA and the application (for example, VPN) you have set up.
1. In LastPass, provision your users with a LastPass MFA account.
  
  Important: The username must be the same between the LastPass user record and your primary authentication server record.
2. In order for your users to log in using passwordless login, they must activate their individual user accounts. For more information, see How do I activate passwordless login for SSO apps and workstations?.
Test your configuration.
Once you have set up the Universal Proxy and configured your application, it is recommended that you test the authentication. To test, open your application, attempt to log in, then check for an authentication request. Request type will vary depending on the Server Modes you configured. When you have successfully authenticated with your user account, you are ready to roll it out to users within your organization.