Setting up Strong Authentication - eSecurityToGo
CHAPTER 3
Setting up Strong Authentication

About this chapter
This chapter provides information on configuring the SafeWord agent(s) you selected during installation.
This chapter includes the following topics:
• "The SafeWord Internet Authentication Service (IAS) Agent" on page 3-2
• "The SafeWord Agent for Web Interface" on page 3-6
• "SafeWord Secure Access Manager (SAM) Agent" on page 3-8
• "The Outlook Web Access (OWA) Agent" on page 3-11
• "Agent configurations" on page 3-14
• "Configuring alternative group policies" on page 3-19

Setting up Strong Authentication 3-1
The SafeWord Internet Authentication Service (IAS) Agent
SafeWord's IAS Agent works with Microsoft's Internet Authentication Service (IAS), Microsoft's RADIUS server, to provide SafeWord strong-authenticated remote access through that server. Once configured, users who access their network remotely will be required to enter a SafeWord token-generated passcode in order to access the network.

The SafeWord IAS Agent is available as one of the SafeWord installation options, and supports the following password protocols:
• PAP
• CHAP
• MS-CHAP version 1
• MS-CHAP version 2

The agent comes with an administration tool that is used for configuring the authentication engine, logging parameters, group authentication policies, and MPPE support. This section describes how to configure the authentication engine, change logging settings, set authentication policies, and configure Microsoft Point-To-Point Encryption (MPPE) support.

Important: To configure a user for SafeWord strong-authenticated remote access using the SafeWord IAS Agent, you must change the user's remote access permission to the Allow access option. Remote access permission is set on the Dial-in tab of the user's Properties window in the Active Directory Users and Computers tool. Start the tool by selecting Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.
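The Dial-in permission described above can also be set from a script, which is useful when many accounts must be enabled at once. The following is an added example and is not part of the SafeWord guide; it uses Windows PowerShell 3.0 or later with the ActiveDirectory module (RSAT, Windows Server 2008 R2 onward, not the Windows 2000/2003 tooling the guide shows). The three radio buttons on the Dial-in tab map to the msNPAllowDialin attribute: $true is Allow access, $false is Deny access, and an unset attribute is Control access through Remote Access Policy. The account name jdoe is a placeholder.

```powershell
# Added example: set and verify the Dial-in "Allow access" permission that the
# SafeWord IAS Agent requires. Assumes the ActiveDirectory module and rights to
# modify the user objects. "jdoe" is a placeholder account name.
Import-Module ActiveDirectory

function Get-DialInPermission {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties msNPAllowDialin
    # Unset attribute = "Control access through Remote Access Policy" in the GUI
    if ($null -eq $u.msNPAllowDialin) { return 'ControlViaPolicy' }
    if ($u.msNPAllowDialin)          { return 'Allow' }
    return 'Deny'
}

function Set-DialInAllow {
    param([Parameter(Mandatory)][string[]]$Identity)
    foreach ($id in $Identity) {
        $before = Get-DialInPermission -Identity $id
        if ($before -ne 'Allow') {
            # -Replace writes the attribute whether or not it already exists
            Set-ADUser -Identity $id -Replace @{ msNPAllowDialin = $true }
        }
        # Read the value back so the caller sees what the directory now holds
        $after = Get-DialInPermission -Identity $id
        [pscustomobject]@{ User = $id; Before = $before; After = $after }
    }
}

# Usage (placeholder account); run as an account allowed to edit the users:
Set-DialInAllow -Identity 'jdoe' | Format-Table -AutoSize
```

Get-DialInPermission on its own is a quick way to audit which remote-access users are still set to Deny or to policy control before enabling the agent.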
IAS Agent default configurations
If the SafeWord IAS Agent was installed as part of the SafeWord installation, its default configuration options were set as follows:

Table 3-1. Default IAS Agent settings
Attribute                     Default setting
Authentication Engine         On host machine chosen during installation
Authentication Group Policy   All users authenticate using SafeWord
MPPE Support                  Enabled
Logging                       Disabled
                              Note: Errors are logged to the Windows Event Viewer, even if logging functions are disabled.

You can change any of these settings using the administration tool as described in the following sections.
Figure 3-1. IAS Agent Configuration window
Launching the administration tool
To launch the administration tool, do the following:

Important: You must configure the SafeWord IAS Agent from the machine where it is installed. You cannot configure it remotely.

1. Go to the machine on which the agent is installed.
2. Select Start -> Programs -> Secure Computing -> SafeWord -> IAS Agent -> Configure IAS Agent.
The SafeWord IAS Agent Configuration window appears.
To configure the Authentication Engine, Logging, and Authentication Policy for this agent, see "Agent configurations" on page 3-14.
Figure 3-2. Configure MPPE for IAS Agent window

Configuring MPPE
The IAS Agent supports the MPPE protocol when using MS-CHAP version 1 or version 2 to authenticate. Sessions that authenticate with PAP or CHAP cannot be protected by MPPE, because MPPE derives its session keys from the MS-CHAP exchange. MPPE is enabled by default for SafeWord users. Non-SafeWord users will still use the corresponding SafeWord Policy MPPE settings. To configure MPPE support, do the following:

1. On the IAS Agent Configuration window, click the MPPE button. The Configure MPPE for IAS Agent window appears with MPPE enabled.
2. To disable MPPE, clear the check box, then click OK.

To configure the Authentication Engine, Logging, and Group Authentication Policies for this agent, see "Agent configurations" on page 3-14.
The SafeWord Agent for Web Interface
The SafeWord Agent for Web Interface is the strong authentication component you install on your Citrix Web Interface server. It provides the link to the SafeWord server by routing user access requests to the Authentication Engine, which verifies user names and passcodes. Once authenticated, users are allowed access; otherwise access is denied.
Configuring the SafeWord Agent for Web Interface
In order for your Citrix users to strongly authenticate with SafeWord, you must configure the SafeWord Agent for Web Interface. When the SafeWord Agent is installed on Citrix Web Interface 2.0 or 2.1, the SafeWord configuration options for the Authentication Engine, Logging, and Authentication Policy are a part of the Web Interface Administration tool.

Important: You can only configure the SafeWord Agent for Web Interface at the machine where Citrix is installed. You cannot configure these settings remotely. If the SafeWord Agent is installed on Citrix Web Interface 3.0, the SafeWord configuration options for the Authentication Engine, Logging, and Authentication Policy are not part of the Web Interface Administration tool.

To set up strong authentication, do the following:
1. Launch the administration tool by starting Internet Explorer on the computer where you have installed the Citrix component.
Important: You must use Internet Explorer to configure the Web Interface for Citrix Administration tool. You cannot configure it using Netscape Communicator.
2. Browse to the Web Interface Admin page.
3. Select Authentication. The Authentication Settings window appears.
4. Scroll down to the Explicit login settings pane.
Note: All SafeWord authentication configuration is set within the Explicit login settings pane of the Authentication Settings window.
5. Enable the following:
   a. For Web Interface 2.0/2.1, enable (check) Use SafeWord for strong authentication.
   b. For Web Interface 3.0, enable Enforce 2-factor authentication and select the SafeWord option.
6. To configure the location of the Authentication Engine that the agent will use, click the Authentication engine button.
Note: If you are using Citrix Web Interface version 3.0, access the Authentication Engine configuration options by selecting Start -> All Programs -> Secure Computing -> SafeWord -> Configure Web Interface Agent. On the window that displays, click the Authentication engine button.

To configure the Authentication Engine, Logging, and Authentication Policy, see "Agent configurations" on page 3-14.
SafeWord Secure Access Manager (SAM) Agent
Figure 3-3. SAM Agent Configuration window

The SafeWord SAM Agent is an optional add-on component used with SafeWord for Citrix and the Secure Access Manager. The agent installs directly on top of your SafeWord for Citrix installation.

SAM Agent default configurations
When you installed the agent, its default settings were as follows:

Table 3-2. Default SAM Agent settings
Attribute               Default setting
Authentication Engine   On host machine chosen during installation
Authentication Policy   All users authenticate using SafeWord
Logging                 Disabled
                        Note: Errors are logged to the Windows Event Viewer, even if logging functions are disabled.

Launching the administration tool
Important: You must configure the Secure Access Manager Agent from the machine where it is installed. You cannot configure it remotely.

To launch the administration tool, select Start -> Programs -> Secure Computing -> SafeWord -> Configure Secure Access Manager Agent. The SAM Agent Configuration window appears.
To configure the Authentication Engine, Logging, and Authentication Policy for this agent, see "Agent configurations" on page 3-14.
Figure 3-4. Access Server Farm Properties window

Configuring SAM 4.0
If you are running SAM 4.0, and want to enable SafeWord authentication for a given logon point, the configuration process is as follows:
1. Launch the Management Console by selecting Start -> Programs -> Citrix -> Management Consoles -> Access Suite Control.
2. In the left pane of the Management Console, right-click the SAM Farm icon, then select Edit farm properties.
3. In the Access Server Farm Properties window, select Advanced Authentication in the left pane (see Figure 3-4).
4. Select the Enable advanced authentication configuration check box, then select SafeWord two-factor authentication.
5. Click Apply, then click OK.
This enables advanced authentication for the given server farm, and specifies that SafeWord will be used for authentication. Next, you will specify that SafeWord authentication will be used to protect a given logon point.
Note: Any logon point requiring SafeWord advanced authentication must have the SafeWord SAM Agent present on the machine that you want to protect.
6. In the Management Console left pane, expand the Policies node, then expand the Logon Points node.

Figure 3-5. Logon Point Properties page

7. Highlight the default (user-assigned) Logon node, then select Edit Logon Point.
8. On the Logon Point Properties window, highlight Authentication in the left pane, then select Advanced authentication.
9. Click OK to complete the configuration.
The Outlook Web Access (OWA) Agent
SafeWord's OWA Agent works with the Microsoft Exchange Server to provide strong authenticated access through the Microsoft Exchange OWA component. When installed, users who access their e-mail remotely using OWA will be prompted for a SafeWord token-generated passcode in order to access the network.
Note: When installing the OWA Agent in an Exchange front-end/back-end network topology, only the front-end server needs to have the OWA Agent installed on it.
The SafeWord OWA Agent uses an administration tool for configuration, and installs on the same machine hosting Exchange OWA (typically a Windows 2000/2003-based Web server).
Important: The SafeWord OWA Agent does not currently support Microsoft Exchange 2003's native forms-based authentication mode.

OWA Agent default configurations
When you install the SafeWord OWA Agent, its default configurations are set as follows:

Table 3-3. Default OWA Agent settings
Attribute                   Default setting
Authentication Engine       On host machine chosen during installation
Authentication Policy       All users authenticate using SafeWord
Session and idle timeouts   Enabled at 3600 and 300 seconds respectively
Logging                     Disabled
                            Note: Errors are logged to the Windows Event Viewer, even if logging functions are disabled.
Require SSL connections     Enabled by default

Agent parameters are configured using the administration tool. The following sections explain how to reconfigure these settings.
Figure 3-6. OWA Agent Configuration window

Launching the administration tool
Important: You must configure the SafeWord OWA Agent from the machine where it is installed. You cannot configure it remotely.
1. Go to the machine on which the agent is installed.
2. Select Start -> Programs -> Secure Computing -> SafeWord -> OWA Agent -> Configure OWA Agent. The Agent Configuration window appears.
To change the time values and the security options for the OWA agent, continue to the next section, "Configuring the OWA Agent". The Outlook Web Access Agent's logging, authentication engine, and authentication policy configuration procedures vary slightly from the procedures for the other agents. OWA Agent-specific processes are included in "Agent configurations" on page 3-14.
Figure 3-7. Configure SafeWord OWA Agent window

Configuring the OWA Agent
To configure the OWA Agent, do the following:
1. In the Agent Configuration window, click the OWA Agent Configure button. The Configure SafeWord OWA Agent window appears.
2. Modify the following fields as needed:
• Enable Timeouts (selected by default; click to clear): enables or disables time limits for an active or idle (inactive) session
• Session Timeout (3600 seconds default): the maximum duration (in seconds) of a single session
• Idle Timeout (300 seconds default): the period of inactivity (in seconds) after which a session is ended
• Require SSL Connections (selected by default): requires that all login attempts are made over an SSL (https) connection
Note: The Require SSL Connections option is enabled only if a certificate is present in the Exchange OWA site, in which case the option will automatically be turned on at installation time.
Security Alert: Operating an Exchange OWA site without a server certificate and SSL is not recommended. Without SSL, the login exchange, including the passcode, crosses the network unencrypted, and the Require SSL Connections option cannot be enabled.
3. When modifications are complete, click OK.
4. Restart the IIS service.
For details on obtaining and installing a server certificate, please refer to the IIS and Microsoft Exchange OWA documentation.
Agent configurations
Figure 3-8. Authentication Engine window

This section contains information on configuring the Authentication Engine, changing logging settings, and changing the authentication policy. Specific details for configuring the OWA Agent vary slightly from those for the IAS Agent, the WI Agent, and the SAM Agent. Where the processes differ, OWA-specific details are included.

Configuring the Authentication Engine
1. For the IAS Agent, the WI Agent, and the SAM Agent, click the Authentication engine button on the Agent Configuration window. For the OWA Agent, click the Configure button on the Authentication Policy portion of the Agent Configuration window. The Authentication Engine window appears.
2. In the Host name/IP address field, enter the host name or IP address of the machine to which the agent will send authentication requests.
3. In the Port field, enter the port number on which the Authentication Engine will listen for requests. This port number must match the port number specified for the Authentication Engine.
4. Click Save. The server appears in the Configured Locations list.
5. Click OK.

Removing servers
To remove servers from the Configured Locations list, select the server name from the list, click the Remove button, and then click OK.
Important: If you are configuring multiple servers, repeat the same steps for each server you are configuring.
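Step 3 requires the port entered here to match the port the Authentication Engine actually listens on, and a firewall between the agent and the engine produces the same symptom as a typo: every logon fails. The following is an added check, not part of the SafeWord guide. Run from the agent machine, it opens a TCP connection to each configured host/port with a timeout and reports which entries answer, so a mismatch is found before the first user is locked out. The host names, the port number 5030 and the timeout are placeholders; use the values you entered in the Authentication Engine window.

```powershell
# Added example: verify that each Authentication Engine location the agent
# will use is reachable on the configured port. Hosts and ports are placeholders.
function Test-SafeWordEngine {
    param(
        [Parameter(Mandatory)][hashtable[]]$Location,   # @{ Host = '...'; Port = N }
        [int]$TimeoutMs = 3000
    )
    foreach ($loc in $Location) {
        $client = New-Object System.Net.Sockets.TcpClient
        $status = 'Unreachable'
        try {
            # Asynchronous connect so a silently dropped SYN (firewall) does not
            # hang the check for the full OS connect timeout
            $ar = $client.BeginConnect([string]$loc.Host, [int]$loc.Port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($ar)      # throws SocketException if refused
                $status = 'Open'
            } else {
                $status = 'Timeout'          # nothing answered: wrong host or filtered
            }
        } catch {
            $status = 'Error: ' + $_.Exception.Message   # e.g. connection refused, DNS failure
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Host = $loc.Host; Port = $loc.Port; Status = $status }
    }
}

# Placeholder locations: the primary engine and a backup, as entered in the
# Configured Locations list. Replace with your own host names and port.
$engines = @(
    @{ Host = 'safeword-engine1.example.local'; Port = 5030 },
    @{ Host = 'safeword-engine2.example.local'; Port = 5030 }
)
Test-SafeWordEngine -Location $engines | Format-Table -AutoSize
```

A result of Timeout usually means a host firewall or a network ACL between agent and engine; an Error mentioning "refused" means the host is up but nothing listens on that port, which is the case to check against the port chosen when the engine was installed.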
Changing logging settings for agents
You may view log records, manage log records, and modify the messages that are logged using the Windows Event Viewer or any text editor. By default, logging functions are disabled, although errors are logged to the Windows Event Viewer even when logging functions are disabled. You must enable logging before you can reconfigure the settings.

Changing IAS, WI, and SAM logging settings
If you are configuring logging for the IAS Agent, the WI Agent, or the SAM Agent, click the Logging button on the Agent Configuration window. When the Configure Logging window appears, skip to step 1 on page 3-16.

Changing OWA logging settings
If you are configuring logging for the OWA Agent, click the Configure button on the Logging pane of the Agent Configuration window. The Configure SafeWord OWA Agent Logging window appears.
The SafeWord OWA agent logging function records two types of logs, extension logs and filter logs. Extension logs are generated when a non-credentialed user attempts to access an Exchange resource and is required to authenticate. Filter logs are created every time a user accesses an Exchange resource.
Click the SafeWord IIS Extension Log button to log non-credentialed user attempts to access an Exchange resource. Click the SafeWord IIS Filter Log button to log when users gain access to an Exchange resource. You may choose one or both options. When the Configure Logging window appears, skip to step 1 on page 3-16.
Note: Under certain circumstances, only one set of logs will be created for the OWA Agent. In this case, both the Filter and Extension logs will be combined into one file.
Figure 3-9. Configure Logging windows

1. Select the Enable Logging check box to activate the window.
Note: By default, IAS, WI, and SAM Agent logs are stored in <Installation_Directory>/SafeWord/Agentlogs. OWA Agent logs are stored in <Installation_Directory>/OWAAgent/Logs.
2. Select the types of messages to log from the following options:
• Errors
• Errors and information
• Errors, information, and diagnostics
Important: Logging diagnostic information may result in extremely voluminous output. Unless you are troubleshooting a problem, diagnostic logging should be disabled.
3. Click OK, then do a service restart as follows:

Table 3-4. Agent/service restarts
Agent       Restart
IAS Agent   IAS Service
Web Agent   IIS Service
SAM Agent   None required
OWA Agent   IIS Service

Note: If Routing & Remote Access Server (RRAS) is on the same machine, stop the IAS service and RRAS, restart RRAS, then restart IAS.
Configuring the Authentication Policy
Figure 3-10. Required Authentication Group Policy window
SafeWord allows you to designate special groups of users who will be required to log on to the system using a SafeWord token. While you could force all your users to use tokens when logging in, this approach may not be flexible enough for your environment. Instead, you can force a specific Windows group to log in using tokens: use the native Windows user and group management tools to create a global group called SAFEWORD_USERS (see Figure 3-10), then assign to that group the specific users who must log in using SafeWord tokens.
Important: You must create global groups before you can apply authentication policies to specific users.
Once users are placed in this special group, you must tell the agent what the group is and how to treat users in it. The following instructions describe how this is done.
Note: This configuration only affects the groups associated with the SafeWord Agents.
1. For the IAS Agent, the WI Agent, or the SAM Agent, click the Groups button on the Agent Configuration window. For the OWA Agent, click the Configure button on the Authentication Policy pane of the Agent Configuration window.
The Required Authentication Group Policy window appears.
Important: Windows 2000 can be installed in either Windows 2000 native mode or pre-2000 compatibility mode. If the operating system was installed in Windows 2000 native mode, the group Domain Users must be added to the global group called pre-2000 Compatible Access in order for domain queries to be successful.
2. Designate users from specific groups and/or domains who will use SafeWord tokens:
• To require that all users authenticate using SafeWord strong authentication, select All users authenticate using SafeWord, then continue to step 3.
• If the group's domain is different from the one displayed in the Domain field, enter the group's domain in the from domain field, then:
— Select a group from the Group list. This will most likely be the global group you created for this purpose.
— Select whether this group authenticates using SafeWord.
3. Click OK.
Configuring alternative group policies
Figure 3-11. Typical network setup
Figure 3-12. Alternative network topology
SafeWord's default configuration should suit the majority of network topologies and use cases. The SafeWord Agent is responsible for checking group membership and submitting authentication requests to the Authentication Engine (see Figure 3-11).
[Figure 3-11, typical setup: SafeWord Agent in the DMZ performs both group checking and authentication]
Occasionally, the default configuration may not fit a particular network topology or management policies. If computers in a network DMZ do not have anonymous access to Active Directory, the SafeWord Agent is unable to contact Active Directory and read group membership information in order to determine which users require SafeWord authentication. You can configure SafeWord to handle such a scenario (see Figure 3-12).
[Figure 3-12, typical versus alternative: in the typical topology the DMZ agent does group checking and authentication; in the alternative topology the DMZ agent does authentication only]
In this configuration, group membership checking is done by the SafeWord server (rather than the agent). Since the server will typically be running inside the trusted network, it should have no difficulty obtaining the necessary information from Active Directory.
[Figure 3-12, inside the network: SafeWord Server (AAA) and AD; in the alternative topology group checking is performed by the SafeWord Server]
Figure 3-13. Group Discrimination configuration page
To configure the alternative network topology, do the following:
1. On the computer in the DMZ running the SafeWord Agent, use the group configuration window (refer to "Configuring the Authentication Policy" on page 3-17) to force all users to authenticate using SafeWord. This will forward ALL authentication requests to the SafeWord server.
2. On the computer inside the network running the SafeWord server, locate the file Installation_Directory\SERVERS\Shared\sccservers.ini.
3. Locate the line that starts with
#GroupsAuthenticationRequiredClass=securecomputing.yellowstone...
4. Modify the line by removing the "#" sign from the beginning of that line.
5. Navigate to Installation_Directory\SERVERS\AAAServer\Group Discrimination.
6. Locate and open the HTML file called ConfigureGroupPolicy.html.
7. Change the logging and authentication policies as needed. Refer to "Configuring the Authentication Policy" on page 3-17 for additional information.
8. Restart the SafeWord Authentication Engine service.
Note: In this topology it is vital that your SafeWord Authentication Engine service is up and running constantly; otherwise, neither the SafeWord nor the non-SafeWord users will be able to log onto your system. The best way to ensure this is to set up your system with multiple SafeWord servers, as described in section "Configuring multiple servers" on page 4-23.
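One way to make steps 3 and 4 repeatable, as an added example rather than anything shipped with SafeWord: a Python function that removes the leading "#" from the GroupsAuthenticationRequiredClass line in a copy of sccservers.ini only when that line is not already active, and reports what it did. The sample file content is constructed, and the class name to the right of "=" is a placeholder because the manual elides that value.

```python
import re
from typing import Tuple

# The key step 3 tells you to find; the manual elides the class name after '='.
GROUPS_KEY = "GroupsAuthenticationRequiredClass"
_COMMENTED = re.compile(r"^(\s*)#\s*(" + re.escape(GROUPS_KEY) + r"\s*=.*)$")

def enable_server_group_checking(ini_text: str) -> Tuple[str, str]:
    """Return (new_text, status) for sccservers.ini with server-side group checking on.

    status is "enabled" (a leading '#' was removed), "already_enabled" (an active
    line exists, text returned unchanged) or "missing" (key not found, unchanged).
    Only the '#' and the blanks after it are removed; every other byte is kept.
    """
    lines = ini_text.splitlines(keepends=True)
    if any(line.lstrip().startswith(GROUPS_KEY) for line in lines):
        return ini_text, "already_enabled"
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        m = _COMMENTED.match(body)
        if m:
            lines[i] = m.group(1) + m.group(2) + line[len(body):]  # keep line ending
            return "".join(lines), "enabled"
    return ini_text, "missing"

# Constructed sample (not a real sccservers.ini); the class value is a placeholder.
SAMPLE_INI = (
    "# constructed sample file\n"
    "OtherSetting=1\n"
    "#GroupsAuthenticationRequiredClass=securecomputing.yellowstone.CLASS_NAME_PLACEHOLDER\n"
)
```

Check the returned status before restarting the Authentication Engine (step 8): "missing" means the line was not there to uncomment and the restart would change nothing.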