Set up LastPass Universal Proxy v4.x

In order to use LastPass Universal Proxy you need to download the LastPass Universal Proxy software, then install it on a server within your infrastructure and configure the settings.

About this task:

Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?

Before you begin: Before setting up LastPass Universal Proxy, check that your system is prepared with the minimum software requirements for LastPass Universal Proxy.

Important: The "Restrict access by country" policy is not supported by LastPass Universal Proxy. Enabling this policy in the LastPass new Admin Console will lead to authentication issues. To set a location restriction when using LastPass Universal Proxy, enable the following policies:

Restrict LastPass Authenticator usage by location
Require use of LastPass MFA to accept only LastPass Authenticator login requests

Download the LastPass Universal Proxy software.
Add your application to LastPass.
For the specific steps, see Add MFA Apps for LastPass users.
Run the installer.
Configure the LastPass Universal Proxy settings using either the command line interface (CLI) or the server.properties configuration file.

Note: It is highly recommended to restrict access to the configuration file that has been created as a result of configuring the LastPass Universal Proxy. For the specific steps, see Restrict access to my configuration file for the LastPass Universal Proxy 4.x on Windows.

Configure your application.

LastPass Universal Proxy works for any on-premises application that uses LDAP, LDAPS or RADIUS authentication protocols (for example, VPN gateway). You need to configure your application to forward authentication requests to the LastPass Universal Proxy.

Important: In order to use LastPass Universal Proxy 4.x, an Active Directory Connector must be installed and an Active Directory must be present.

The following table shows the supported VPN applications and the protocols they can use:

VPN Client	LDAP	LDAPS	RADIUS
Cisco ASA	X	X	X
F5 BIG-IP APM	X	X	X
Fortinet FortiGate	X	X	X
Meraki MX VPN configuration for LastPass Universal Proxy			X
OpenVPN Access Server	X	X	X
OpenVPN Community Edition	X		X
Palo Alto Networks GlobalProtect	X	X	X
Pulse Connect Secure	X	X	X
SonicWall	X		X
Sophos	X	X	X

Assign your users.
In order for the authentication prompts to be passed to your users, you need to assign your users permission to use the LastPass MFA and the application (for example, VPN) you have set up.
1. In LastPass, provision your users with a LastPass MFA account.
  
  Important: The username must be the same between the LastPass user record and your primary authentication server record.
2. In order for your users to log in using passwordless login, they must activate their individual user accounts. For more information, see How do I activate passwordless login for SSO apps and workstations?.
Test your configuration.
Once you have set up the Universal Proxy and configured your application, it is recommended that you test the authentication. To test, open your application, attempt to log in, then check for an authentication request. Request type will vary depending on the Server Modes you configured. When you have successfully authenticated with your user account, you are ready to roll it out to users within your organization.