SecurEnvoy Security Server Administration Guide
SecurEnvoy Global HQ
Merlin House, Brunel Road, Theale, Reading. RG7 4AB
Tel: 0845 2600010 Fax: 0845 260014 www.SecurEnvoy.com
SecurEnvoy Security Server Administration and Configuration Guide v7.1

The SecurEnvoy Security Server is the main central component of the SecurEnvoy suite of products. It has direct integration into an LDAP directory server (Microsoft Active Directory, Novell e-Dir, Sun One Directory Server and Linux OpenLDAP Directory Server) for user information, and it controls and manages the authentication of SMS passcodes and the subsequent sending of them. It must be installed for SecurAccess, SecurPassword, SecurICE and SecurMail.

Page 2
SecurEnvoy Administration and Configuration Guide v7.1
© 2012 SecurEnvoy

All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying, recording, taping, or information storage and retrieval systems - without the written permission of the publisher.

Products that are referred to in this document may be either trademarks and/or registered trademarks of the respective owners. The publisher and the author make no claim to these trademarks.

While every precaution has been taken in the preparation of this document, the publisher and the author assume no responsibility for errors or omissions, or for damages resulting from the use of information contained in this document or from the use of programs and source code that may accompany it. In no event shall the publisher and the author be liable for any loss of profit or any other commercial damage caused or alleged to have been caused directly or indirectly by this document.

Publisher: SecurEnvoy Publishing
Printed: 2013 in United Kingdom
Printed: 2012 in United Kingdom
Managing Editor: SecurEnvoy Training Dept
Technical Editors: A Kemshall, Technical Director; P Underwood, WW Pre-Sales
Cover Designer: SecurEnvoy Marketing

Revision
v1.0 AK PU 10/5/2008
v1.1 AK PU 21/12/2008
v1.2 PU 7/7/2009
v1.3 PU 3/11/2009
v1.4 PU 18/1/2010
v1.5 PU 16/6/2010
v1.6 AS 12/1/2010
v1.7 PU 11/5/2011
v1.8 PU 29/6/2011
v1.81 PU 30/11/2011
v1.9 PU 20/4/2012
v1.9.1 PU 28/6/2012
v2.0 PU 10/5/2013
Foreword

SecurEnvoy is the trusted global leader of tokenless two-factor authentication. As the pioneers of mobile phone based tokenless authentication, SecurEnvoy leads the way with ground breaking solutions that others aspire to. Our innovative approach to the tokenless market now sees thousands of users benefitting from our solutions all over the world. With users deployed across five continents, our customers benefit from a significantly reduced time to deploy, and a zero footprint approach means there is no remote software deployment, while administrators enjoy the management tools allowing them to rapidly deploy up to 100,000 users per hour.

Our design philosophy is based on re-using existing customer technology investments such as Microsoft Active Directory, simplifying the end user authentication experience while enhancing the overall security.

With no token manufacturing costs the return on investment (ROI) is so much more acceptable to businesses and organizations, and environmentally the green benefits of a zero carbon footprint also attract environmentally responsible purchasers. We are truly now providing solutions that have zero impact on our environment.

SecurEnvoy distribute through the channel, providing customers the value added benefits of working with local partners. We have now built up a technical and sales infrastructure that supports most languages and cultures around the world.

The business was officially incorporated in 2003 after preliminary coding and testing in our labs. Years on we now have happy customers across the five continents and regional support. Business levels have more than doubled year on year due to our subscription sales model, which is an acceptable route that allows our clients to budget more effectively. This model includes local support and annual subscriptions.

Founded by Andrew Kemshall and Stephen Watts, the two founders work relentlessly to achieve business growth worldwide. This massive growth has been possible through the quality of people and the experience within the company, both from sales and technical expansion.

SecurEnvoy continues to shape the way millions of people plan their authentication requirements and purchasing decisions.
Contents
SecurAccess, SecurPassword, SecurICE and SecurMail

1 Passcode Delivery Options ........ 7
2 Domain model for LDAP ........ 14
3 Support for multi LDAP environments ........ 18
4 Configuration ........ 21
5 Advanced Configuration ........ 31
  5.1 Multi Domain configuration ........ 33
  5.2 eMail Gateway Configuration ........ 38
  5.3 IIS URL's ........ 39
  5.5 Radius Server configuration ........ 44
6 User Management settings ........ 46
  6.1 Soft Token Support ........ 50
7 Automated User Provisioning ........ 54
  7.1 Deployment Wizard GUI ........ 54
  7.2 Deployment Wizard command line options ........ 58
  7.3 Automatic Group Deployment ........ 60
8 Configuring RADIUS clients ........ 62
9 Migration ........ 68
10 Resilience ........ 71
  10.1 Resilience (Batch Server Logic) ........ 73
  10.2 Resilience (RADIUS) ........ 73
  10.3 Resilience (Server.ini) ........ 74
11 Web SMS Templates ........ 76
12 SecurMail Administration ........ 80
  12.1 SecurMail Virus Checking Integration ........ 81
  12.2 SecurMail Server Security Considerations ........ 83
13 Frequently Asked Questions ........ 85
14 Help Manual ........ 91
15 Recommended Backup Procedure ........ 94
16 Troubleshooting ........ 96
17 Appendix ........ 99
18 SecurEnvoy Additional Tools ........ 106
  18.1 Reporting Wizard (GUI) ........ 106
  18.2 Reporting Wizard (Cmd Line) ........ 111
  18.3 Reporting Wizard (Admin GUI) ........ 112
Chapter 1
Passcode Delivery Options
1 Passcode Delivery Options

SecurEnvoy utilise a self-management interface known as "Manage My Token". This web portal allows the user not only to enrol themselves initially, but thereafter to manage the life cycle of their device. For instance, when upgrading a soft token from one phone type to another, they simply visit the "Manage My Token" portal, where they can re-provision their new phone, which automatically deletes their previous one.

Consideration should be given as to whether this web portal is published directly upon the Internet or only allowed for internal use. SecurEnvoy recommend that this is published externally, as the portal is protected with two-factor authentication and will lead to significantly fewer support calls if users are allowed to manage their own device.

Email delivery is not end-user selectable, as SecurEnvoy recommend that this method of passcode delivery is configured by administrators who understand the implications of email. SMTP is not an encrypted protocol, so administrators must be able to make decisions regarding email delivery; for example, it may be that a BlackBerry system is in place with end-to-end secure email delivery.

The user's mobile phone can receive a one time passcode (OTP) via SMS or voice call, or the OTP can be generated upon the phone with the SecurEnvoy Soft Token. Furthermore, SecurEnvoy's patented approach provides a far greater range of tokenless types, including the following methods: the passcode sent via SMS can be delivered in real time, pre-loaded as an OTP, pre-loaded with 3 OTPs, or as a reusable Day Code.

In addition SecurEnvoy have the ability to support VOICE tokens, by sending a voice call directly to a physical landline or DDI extension. The user first enters their PIN or passcode, after which a six digit passcode is displayed. At the same time a phone call is automatically made. The user answers the phone and enters this passcode on the phone's keypad. This is recommended for users that only have access to a landline, or don't have a smart phone and can't receive SMS reliably. This allows the user to keep working even if the user is not in an area of good GSM coverage when they require their passcode.

Understanding the various methods that SecurEnvoy support for delivering and managing passcodes: for SMS this is "Real Time" passcodes versus "Pre-loading" passcodes, as well as 3 passcodes per SMS. This methodology can also be applied to email delivery of passcode information. It will mimic exactly the same user setting as SMS for passcode delivery, yet this will be achieved by using an SMTP route, or via a secure email delivery mechanism, such as a BlackBerry solution.

SecurEnvoy soft tokens for your phone or desktop can be used to generate a one time passcode (OTP) for two factor authentication that can be checked by your company's SecurEnvoy server or Google's cloud login. Quick Response (QR) codes are an excellent method to display a bar code matrix for the deployment of the "seed record" for the end user's Soft Token. The user only has to scan the QR code with their phone's camera to ensure a fully automatic enrolment process to a Soft Token.

Soft Tokens are available for all smart phone applications as well as a PC and Mac OS soft token. With the advent of smart phones, SecurEnvoy leverage all leading brands and provide an elegant solution to provision a phone Soft Token. Users engaging in this approach do not require any GSM or data connection, as the OTP is generated directly upon the smart phone.

Understanding the various methods that SecurEnvoy support for delivering and managing passcodes: for SMS this is "Real Time" passcodes versus "Pre-loading" passcodes. In addition SecurEnvoy have the ability to support Soft Tokens, both as mobile phone applications and as a PC soft token.
1.1 SMS delivery is delayed

Although most SMS text messages are transmitted in seconds, it's common to find them delayed when networks become congested. SMS traffic is not sent point to point: it is queued, then sent on to the required network cell where it is again queued and finally sent to the end user's phone. This queuing gives rise to delays at peak operator periods; Vodafone's own sales literature claims that 96% of all SMS messages are delivered within 20 seconds. This means that 4% of users trying to authenticate will fail and will need to raise a help desk call to gain emergency access. Thus for a deployment of 5000 users authenticating each day, 200 help desk calls would be raised per day!

1.2 Signal dead spots

Mobile phone signals are not always available, particularly in buildings with wide outer walls, in underground basements or in computer rooms that give off high RF noise. Consider a user trying to authenticate in one of these locations. They would first enter their UserID and PIN and would then fail to receive their authentication code. They would next need to move to a location that has a signal, receive their authentication code, and move back to the original location to enter their passcode, all within a timeout period of 2 minutes. Users located within these locations would have no alternative other than to raise help desk calls to gain emergency access.
1.3 Mobile phone is used to connect to the Internet

In most cases when a mobile phone creates a data connection it can't receive SMS messages. Users trying to utilize their mobile phone as a way of connecting to the Internet would not receive their passcode until they hang up the data connection. End-users would need to start authenticating with their UserID and PIN, hang up the connection, wait for the SMS message, reconnect and re-enter their UserID, PIN and passcode, all within 2 minutes.

1.4 Why Pre Load Passcodes

The key strategy for successful use of SMS for delivering passcodes is resolving intermittent network coverage and SMS delivery delays. SecurAccess is fundamentally designed to resolve these issues by utilising:
- Pre-loaded one time passcodes (each authentication attempt sends the next required passcode)
- Three pre-loaded one time passcodes with each message (3 authentications before requiring the next message)
- Reusable session passcodes that change each day or multiple days
- Optional self help web interface to allow users to request temporary passcodes
- Passcodes can be sent via email

1.5 Real Time SMS Delivery

There are times when a pre-loaded SMS passcode is not acceptable for certain deployments; these tend to be ecommerce type environments where a user logs on infrequently to the network or web resource. In these scenarios SecurEnvoy has the ability to allow a "Real Time passcode" delivery option. The user typically would log onto a resource with their UserID and password; at this point an SMS passcode is sent to their registered mobile phone. The SMS passcode can be set with a time to live in minutes to provide additional security around the logon.
- Real Time Delivery can be enabled upon a per user basis
- Passcode "time to live" is configurable from 1-99 minutes
- Works with the existing SecurEnvoy IIS web agent and RADIUS clients that support "Challenge-Response"

1.6 Soft Tokens

SecurEnvoy's approach to soft tokens is based on zero management time for the IT or admin staff, as the end-user downloads and provisions the apps themselves without any interaction with the corporate helpdesk or IT staff. Multiple token seeds can be stored in each soft token.

More flexibility for the User

The latest SecurEnvoy server V6 allows users far greater choice of security: either tokenless SMS two factor authentication or a soft token downloaded as an app. Available free of charge to current customers from either SecurEnvoy or Google Authenticator, soft tokens are suitable for most types of mobile devices, i.e. iPhones, iPads, BlackBerrys, Android phones, and Mac and Windows operating systems including Vista and Windows 7.
Support for Google Authenticator

SecurEnvoy soft tokens for your phone or desktop can be used to generate a one time passcode (OTP) for two factor authentication that can be checked by your company's SecurEnvoy server or Google's cloud login.

A simple process

For the organisation there is nothing they need to do. It is all down to the personal preference of the end-user to choose whether they want their two factor authentication passcode sent via SMS or generated by their app.

The user simply:
1. Visits the app store, either SecurEnvoy or Google, and downloads the app
2. Logs into the SecurEnvoy enrolment page; cleverly, they can authenticate themselves with their current user name and passcode
3. A barcode appears on the screen, which the user scans with the camera button on their phone
4. Within 60 seconds the user can be authenticated and start using their phone as a soft token.
5. In the case of the P.C. Soft Token, the user only has to authenticate with the built-in interface in the client. The SEED is automatically deployed with no user intervention. (Please see the P.C. Soft Token manual for more information.)

(Figures: Mobile Phone "Soft Token" and P.C. "Soft Token")
1.7 VOICE Tokens

SecurEnvoy's approach to VOICE tokens is based on complete "ease of use" for the end user, unlike other industry methods where the user has to remember the passcode content of a pre-recorded voice message and then enter it into the logon screen. SecurEnvoy session-locks the Internet and phone sessions together; while providing a seamless logon experience, the user doesn't have to remember the passcode, but only has to read the passcode from the logon screen and enter it upon the phone's keypad.

This simple logon scenario can be accomplished via Web and also VPN type connections. The user accesses the point of logon and enters their UserID and PIN (typically a domain password); they are then confronted with the logon challenge. The user then receives a real time voice call, at which point they input the displayed passcode (OTP) via the phone's keypad. Once complete, the voice call automatically hangs up, and the user then selects the "Login" button to complete the process.
Chapter 2
Domain model for LDAP
2 Domain model for LDAP

SecurEnvoy have the ability to fully support direct integration with the following LDAP servers:
- Microsoft Active Directory
- Microsoft ADAM (Active Directory Application Management)
- Novell eDir
- Sun Directory server
- OpenLDAP

In addition SecurEnvoy can support a fully heterogeneous environment, allowing various vendors' LDAP servers to coexist and be managed by a single SecurEnvoy server. This allows companies exceptional scope to manage a truly heterogeneous LDAP environment.

Security Server scenarios

SecurEnvoy can be deployed many ways into a network environment; these are discussed in the topics below. There are three deployments to consider:
- Single security server
- Multiple security servers
- Multiple domain model

It should be noted that version 5 of SecurEnvoy can support any multi LDAP server environment within a network and is not limited to all LDAP servers being of the same type.

Single Security server

(Diagram: an SSL VPN sends authentication requests to one SecurEnvoy SecurAccess server, which is paired with any supported LDAP server.)

A single SecurEnvoy security server instance is installed. Although a very simple deployment, there is no redundancy for the authentication, as only one SecurEnvoy security server is installed and configured.

Multiple Security servers

(Diagram: Site 1 and Site 2, each with an SSL VPN, a SecurEnvoy SecurAccess server and an AD Domain Controller or other LDAP server; the authentication data is replicated by Active Directory or the other supported LDAP server between the sites.)

In a multiple SecurEnvoy security server example, each site's RADIUS or Web device will be configured to send authentication requests to one of two SecurEnvoy security servers. Each SecurEnvoy security server will share the same config.db key across all installations. Each SecurEnvoy security server will be paired to two LDAP servers. This provides a highly redundant authentication topology. Alternatively, one SecurEnvoy server can be located at each site, with each VPN using the other site's SecurEnvoy server as its second server.

Multiple Domain model

(Diagram: one SSL VPN and two SecurEnvoy SecurAccess servers serving Domain 1 (Microsoft AD Domain Controllers), Domain 2 (Novell eDirectory LDAP servers) and Domain 3 (Sun One LDAP servers).)

Each SecurEnvoy security server can be configured with up to two LDAP servers for each domain your company uses, with no limit on the number of domains. Each domain can be configured for any of the supported LDAP server types. The domain component of the UserID is used to dynamically switch the security server to the relevant domain. If no domain component is given in the UserID then a default domain or a search for the first match can be used.
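The domain switching just described, as an added illustration that is not SecurEnvoy's code: a UserID with a domain component is routed to that domain's configuration (with its pair of LDAP servers); one without is sent to the default domain or matched by searching every domain in turn. The accepted UserID forms (DOMAIN\user and user@domain), the sample domains, and the in-memory user sets standing in for an LDAP search are all assumptions made for this example.

```python
# Added example, not SecurEnvoy's code: a model of per-domain switching on the UserID.
# Assumed: UserID forms DOMAIN\user and user@domain; the domains below are constructed.
from dataclasses import dataclass, field


@dataclass
class DomainConfig:
    name: str
    ldap_type: str                 # any supported LDAP server type, chosen per domain
    ldap_servers: list             # up to two LDAP servers per domain (primary, secondary)
    users: set = field(default_factory=set)   # constructed stand-in for an LDAP lookup


# Constructed sample configuration: three domains of different LDAP types, two servers each
DOMAINS = {
    "corp": DomainConfig("corp", "Active Directory",
                         ["dc1.corp.example", "dc2.corp.example"], {"alice", "bob"}),
    "partners": DomainConfig("partners", "Novell eDir",
                             ["edir1.partners.example", "edir2.partners.example"], {"carol"}),
    "retail": DomainConfig("retail", "Sun One",
                           ["ldap1.retail.example", "ldap2.retail.example"], {"bob"}),
}
DEFAULT_DOMAIN = "corp"


def split_userid(userid):
    """Return (domain, user); domain is None when the UserID carries no domain component."""
    if "\\" in userid:
        domain, user = userid.split("\\", 1)
        return domain.lower(), user
    if "@" in userid:
        user, domain = userid.rsplit("@", 1)
        return domain.lower(), user
    return None, userid


def resolve_domain(userid, default_domain=DEFAULT_DOMAIN, search_first_match=False):
    """Select the domain configuration a logon is checked against.

    An explicit domain component always wins. Without one, either the default
    domain is used or every domain is searched and the first match taken.
    Returns (DomainConfig, bare user name).
    """
    domain, user = split_userid(userid)
    if domain is not None:
        if domain not in DOMAINS:
            raise LookupError(f"unknown domain {domain!r}")
        return DOMAINS[domain], user
    if search_first_match:
        for cfg in DOMAINS.values():          # search order = configuration order
            if user in cfg.users:
                return cfg, user
        raise LookupError(f"user {user!r} not found in any domain")
    return DOMAINS[default_domain], user


def ldap_servers_for(userid, **options):
    """Primary and secondary LDAP server for the user's domain, in failover order."""
    cfg, _ = resolve_domain(userid, **options)
    return list(cfg.ldap_servers[:2])


if __name__ == "__main__":
    print(resolve_domain("corp\\alice")[0].name)                    # corp (explicit component)
    print(resolve_domain("dave")[0].name)                           # corp (default domain)
    print(resolve_domain("bob", search_first_match=True)[0].name)   # corp (first match wins)
    print(ldap_servers_for("carol@partners"))
```

Note that "bob" exists in both the corp and retail domains: first-match search silently picks whichever domain is configured first, which is why an explicit domain component is preferable wherever user names can collide across directories.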
Chapter 3
Support for multi LDAP environments
3 Support for multi LDAP environments

To have the ability to deal with various customer networks and associated user LDAP repositories, SecurEnvoy can facilitate and manage disparate environments via a single administration console. This reduces the burden on existing IT staff for ongoing management of users.

Some of the most common deployment scenarios are discussed below:

Company with internal users requiring 2FA

A company who already has users stored within an LDAP server (Microsoft AD, Novell eDir, Sun One or OpenLDAP) requires very little configuration. All that is needed is a service account upon the SecurEnvoy servers that has read and write privileges to the "telex number" attribute. SecurEnvoy then reads in all user information without having to recreate a separate user database to allow 2FA to be deployed into the network. As users are already configured, administration is reduced, as well as allowing a high level of end user acceptance. This is achieved as the end user is not required to remember any more authentication information. They can reuse their existing UserID and password complemented with a 6 digit OTP sent via SMS to their mobile phone.

Company requiring a Business to Business 2FA

A company who has to allow external users to connect to their internal network, but does not want to place these users into their own LDAP server, can use the "SecurEnvoy managed users" configuration. This utilises Microsoft ADAM, which is a cut down version of the Active Directory, but all user management is conducted by the SecurEnvoy admin GUI. All user information is stored within Microsoft ADAM; to allow greater control of external users, separate MS ADAM instances can be configured to bring physical separation to how the external users are managed, e.g. multiple support companies who require network access.

Company requiring a Business to Consumer 2FA

A company who wants to conduct business with consumers, but does not want to place these users into their own LDAP server, can use the "SecurEnvoy managed users" configuration. This utilises Microsoft ADAM, which is a cut down version of the Active Directory, but all user management is conducted by the SecurEnvoy admin GUI. All user information is stored within Microsoft ADAM; to allow greater control of external users, separate MS ADAM instances can be configured to bring physical separation to how they want to manage various consumers, e.g. Banking and Finance may have different requirements for retail banking consumers when compared to private client banking.

Company requiring 2FA for an ASP/ISP type model

Option 1
A managed customer allows connectivity to their own LDAP servers for user management (for 2FA this requires read and write access to the telexnumber attribute). The advantage of this option is that user information already exists and is maintained in real time by the customer's own IT staff. In addition deployment is rapid, as all user data is reused and users can be deployed en masse via the SecurEnvoy deployment wizard (see 7.0 Automated User Provisioning). All 2FA user information is effectively stored within the customer's own LDAP environment, and thus replication and backup are managed within the customer's own network.

Option 2
A managed customer who does not allow access to their internal LDAP servers, or will not allow write access to the telexnumber attribute. This approach utilises Microsoft ADAM, which is a cut down version of the Active Directory, but all user management is conducted by the SecurEnvoy admin GUI. All user information is stored within Microsoft ADAM; to allow greater control of external users, separate MS ADAM instances can be configured to bring physical separation to how the external users are managed, e.g. multiple companies who require network access to hosted applications.
Chapter 4
Configuration
4 Configuration

Start the SecurEnvoy Admin GUI and select the "Config" menu.

The Config page has fourteen sections that can be configured. These allow parameter changes to be made to the SecurEnvoy Security Server; all of these settings can be applied on a per domain basis, except "Logging", as this is a global setting for the whole Security Server.

The Config page has sixteen sections that can be configured:

License Upgrade

The current existing license can be upgraded easily by copying and pasting the new license string into the "upgrade license" window within the Config page. Confirm replacement by clicking "update". Thereafter "Enable Per Domain License Quota" can be enabled; this allows a quota to be applied per domain. The LDAP domain can be selected from the drop down menu bar; once selected, a quota of licensed users can then be applied to this domain. The quotas can be applied for the SecurAccess/SecurPassword products as well as SecurICE.

Token Types

There are two enable boxes for the Token types, and each of these can be assigned upon a per domain basis. The first dictates what Token types are available for the relevant domain. The second is for enabling the user to switch between different Token types via the "Manage My Token" page (https://machine.domain.com/secenrol).

Passcodes can be delivered via SMS. Passcodes can be delivered via email; email setup is via the Advanced config wizard. The user is then set up for "Passcodes via Email" under the "User" tab of the admin GUI. SecurEnvoy do not believe that users should be given the option to select email, as SMTP is not an encrypted protocol and may not be using TLS. SecurEnvoy believe that administrators should be in control as to whether email is used for passcode delivery; for example, BlackBerry systems encrypt email delivery to the end device.
The default is to "pre-load" the SMS delivery: the passcode is sent when a user is first enabled and refreshed at time of logon.

The system can be enabled so that either a single or three One Time Passcodes are sent within each SMS message. This caters for users who are in an area that has weak or erratic mobile phone signal.

SecurEnvoy have the ability to send the passcode in "real time". Once enabled, the system has the ability to deliver a "real time" passcode that the user requests. The passcode then has a certain amount of time to live before expiry (configured in minutes, 1-99). To enable this function tick the check box and set the prompt that the user should see (default = Enter your 6 digit passcode). The real time SMS delivery can be enabled upon a per user basis or can be set globally for new users by enabling the "New User have real time by default" check box.

The Day Code mode automates the process of changing passcodes every set number of days; this can be in the range of 1-99 days. Day codes are reusable passcodes that are automatically changed every xx days (Global Default User Days) at a pre-defined day and time (Day Code Send Time). Global Default User Days is used on all new users as the default and can be changed for each user. Additional logic can be applied where a new Day Code is only sent if the previous one has been authenticated.

To enable the use of Soft Tokens upon the SecurEnvoy server check the "Enable" box; this must be completed for all SecurEnvoy servers that are to be used for "Soft Token" support. This will allow Soft Tokens to be used on mobile phones. To support a PC based Soft Token, enable the check box "Allow Laptops".

Please note that there is decreased security upon the "Google" Soft Token, as it has no copy protection at enrolment.
SecurEnvoy recommend that the SecurEnvoy soft token be used where possible.

Voice Call brings the ability for a real time interactive voice call for users who cannot receive an SMS.

NOTES: Day Code usage

Note
All servers in all domains must have the same Day Code Send Time set (allowing for any time zone differences) such that they all run at the same time.

The next required passcode will be sent to this user's mobile phone at 16:00 by default (Day Code Send Time).

If "Only Send New Day Code If Used" is selected then the next required Day Code is only sent if the current or previous day codes have been used.

Note
A valid passcode is the current or the previously sent code; this eliminates any SMS delays or intermittent signal loss within a 24 hour period.
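The passcode acceptance rules that sections 1.4 and 1.5 and the Day Code notes above describe, modelled in an added example that is not SecurEnvoy's code: pre-loaded delivery with one or three passcodes per SMS used in order, real time delivery with a 1-99 minute time to live and single use, and a reusable Day Code rotated by a batch run at the Day Code Send Time where the current or the previously sent code is accepted, with the "Only Send New Day Code If Used" option. The passcodes are random six digit values generated here; the exact point at which the next pre-loaded SMS is triggered is an assumption of this model, and clock values are passed in explicitly so that it runs offline.

```python
# Added example, not SecurEnvoy's code: a model of the passcode acceptance rules in this guide
# (pre-loaded 1 or 3 per SMS, real time with time to live, Day Code current-or-previous).
import secrets
from datetime import datetime, timedelta


def new_passcode():
    """Six digit one time passcode."""
    return f"{secrets.randbelow(1_000_000):06d}"


def matches(entered, expected):
    """Constant-time comparison; never matches when no code is outstanding."""
    return expected is not None and secrets.compare_digest(entered.encode(), expected.encode())


class PreloadedUser:
    """Pre-loaded delivery: each SMS carries 1 or 3 passcodes, used in order. A successful
    logon consumes the next one; the following SMS goes out once all delivered codes are
    used (the exact trigger point is an assumption of this model)."""

    def __init__(self, codes_per_sms=1):
        if codes_per_sms not in (1, 3):
            raise ValueError("1 or 3 passcodes per SMS")
        self.codes_per_sms = codes_per_sms
        self.pending = []        # codes delivered but not yet used
        self.sms_log = []        # messages that would have been sent
        self._send_sms()

    def _send_sms(self):
        batch = [new_passcode() for _ in range(self.codes_per_sms)]
        self.pending.extend(batch)
        self.sms_log.append(batch)

    def authenticate(self, entered):
        if not self.pending or not matches(entered, self.pending[0]):
            return False
        self.pending.pop(0)
        if not self.pending:     # next required passcode
            self._send_sms()
        return True


class RealTimeUser:
    """Real time delivery: a passcode is sent on request and expires after ttl minutes (1-99)."""

    def __init__(self, ttl_minutes):
        if not 1 <= ttl_minutes <= 99:
            raise ValueError("time to live is 1-99 minutes")
        self.ttl = timedelta(minutes=ttl_minutes)
        self.code = None
        self.expires = None

    def request(self, now):
        self.code = new_passcode()
        self.expires = now + self.ttl
        return self.code

    def authenticate(self, entered, now):
        if self.code is None or now > self.expires:
            return False         # nothing outstanding, or time to live exceeded
        ok = matches(entered, self.code)
        if ok:
            self.code = None     # single use
        return ok


class DayCodeUser:
    """Reusable Day Code rotated every `days` days (1-99) at send_hour (Day Code Send Time).
    The current or the previously sent code is accepted."""

    def __init__(self, days=1, send_hour=16, only_send_if_used=False):
        if not 1 <= days <= 99:
            raise ValueError("Day Code interval is 1-99 days")
        self.days, self.send_hour = days, send_hour
        self.only_send_if_used = only_send_if_used
        self.current, self.previous = new_passcode(), None
        self.used = False

    def next_send_time(self, last_sent):
        return (last_sent + timedelta(days=self.days)).replace(
            hour=self.send_hour, minute=0, second=0, microsecond=0)

    def batch_run(self):
        """What the batch server does at Day Code Send Time; True if a new code was sent."""
        if self.only_send_if_used and not self.used:
            return False         # "Only Send New Day Code If Used": keep the current code
        self.previous, self.current = self.current, new_passcode()
        self.used = False
        return True

    def authenticate(self, entered):
        ok = matches(entered, self.current) or matches(entered, self.previous)
        if ok:
            self.used = True
        return ok


if __name__ == "__main__":
    user = PreloadedUser(codes_per_sms=3)
    print([user.authenticate(c) for c in list(user.pending)], "SMS sent:", len(user.sms_log))
    rt = RealTimeUser(ttl_minutes=5)
    code = rt.request(datetime(2013, 5, 10, 9, 0))
    print(rt.authenticate(code, datetime(2013, 5, 10, 9, 6)))   # False: time to live exceeded
```

The Day Code model makes the note above concrete: a user who still holds the previous code after the batch run keeps authenticating, so a delayed or undelivered SMS costs no help desk call within that window, while the code from two rotations ago is rejected.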
Note
Configuration changes that affect the batch server will only be seen when the batch server next runs. If you change the Day Code Send Time it may take up to 24 hours for this change to be set. If you re-start the SecurEnvoy Batch Service, these changes will take place immediately.

TMP and Static Code

This setting controls what should happen to a user when they have exhausted their temporary static code status; the global setting allows either reverting to a One Time Passcode or a Day Code. When testing it is beneficial to have the ability to allow a "Static code", as SMS or Voice gateways may not be ready or available. This feature allows end to end testing prior to the gateways going live. All of these settings can be assigned upon a per domain basis.

Pin Management

PIN Management will set up the Security Server to either use the Microsoft Windows password as the PIN for each respective user enabled upon the system, or will use SecurEnvoy to separately manage it. If set to SecurEnvoy, the PIN can be between 4-8 numeric or alphanumeric characters. The PIN can be set by the administrator or by the user via the enrolment process. All of these settings can be assigned upon a per domain basis.

Mobile Number Settings

The system can be set up to validate the mobile number that is entered into the system. The first check is to make sure the mobile number is of a certain length (length 5-18); in addition, any number that is entered that is not recognised can be automatically preceded with a set number. All of these settings can be assigned upon a per domain basis.

Note
Example: a number entered as 345289 would be seen as unknown, and if "unknown numbers start with" is set to 07945 the number stored would be 07945345289.
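The mobile number check described above, as an added example that is not SecurEnvoy's code: the entered number is cleaned, its length is checked against the 5-18 limit, and an unrecognised number is stored with the configured "unknown numbers start with" value in front of it, reproducing the guide's 345289 to 07945345289 case. What counts as a recognised number is an assumption for this example (a number beginning with an international "+" or "00" prefix or a national trunk "0"); the product's own recognition rule is not stated on this page.

```python
# Added example, not SecurEnvoy's code: mobile number validation with an unknown-number prefix.
# Assumed: a number is "recognised" when it starts with "+", "00" or "0"; everything else is unknown.
import re

MIN_LEN, MAX_LEN = 5, 18                 # length limits from the Config page
RECOGNISED_PREFIXES = ("+", "00", "0")   # assumption for this example


def normalise_mobile(entered, unknown_numbers_start_with="07945"):
    """Validate a mobile number as entered and return the value that would be stored.

    Raises ValueError when the number contains anything other than digits (with an
    optional leading +), is outside the configured length, or becomes too long once
    the configured prefix has been applied to an unrecognised number.
    """
    digits = re.sub(r"[\s().-]", "", entered.strip())      # tolerate spaces, dashes, brackets
    if not re.fullmatch(r"\+?\d+", digits):
        raise ValueError(f"not a phone number: {entered!r}")
    if not MIN_LEN <= len(digits.lstrip("+")) <= MAX_LEN:
        raise ValueError(f"number must be {MIN_LEN}-{MAX_LEN} digits long: {entered!r}")
    if digits.startswith(RECOGNISED_PREFIXES):
        return digits                                        # recognised: stored as entered
    stored = unknown_numbers_start_with + digits             # unknown: prefix applied
    if len(stored) > MAX_LEN:
        raise ValueError(f"too long after prefix {unknown_numbers_start_with!r}: {entered!r}")
    return stored


if __name__ == "__main__":
    print(normalise_mobile("345289"))            # 07945345289, the guide's own example
    print(normalise_mobile("+44 7700 900123"))   # +447700900123, recognised and kept as-is
```

A rejected number is the safer outcome: a passcode delivered to a wrongly normalised number is a passcode delivered to someone else's phone, so the length check runs both before and after the prefix is applied.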
Direct Password Control
Integrated Desktop is achieved by generating a new day code (or week code) for enabled users and sending it to the user's registered mobile phone. This is used in combination with the user's secret PIN. The PIN can be alphanumeric to satisfy any Windows security policy that requires a number of upper and lower case characters. The day code is written in real time to the Active Directory at the time of generation.

Sophos SafeGuard Support allows SecurEnvoy to provide 2FA support for Sophos SafeGuard. To enable it, tick the "sync to Sophos SafeGuard" box, then enter the Sophos Security Officer credentials and click "update" when complete. For more details on Sophos SafeGuard integration, please see the following integration guide:
http://www.securenvoy.com/integrationguides/sophossafeguardsecuraccess.pdf

All of these settings can be assigned upon a per domain basis.

Understanding Direct Password Control
Password Automation will change and send out the new Domain password via SMS to all enabled users. This is the dynamic component of the Domain login; a separate static PIN is required to make up and complete the Domain authentication, which is managed by SecurEnvoy. Setting the correct level of upper and lower case characters as well as numerics allows the passcode to meet Domain Security policy requirements. Enabling Password Automation is on a per user basis.

Note
SecurEnvoy recommends that Integrated desktop mode uses SSL over LDAP (LDAPS 636) to fully meet all of the above stated requirements of a password reset.

To meet a domain password policy, it is recommended that the PIN is a combination of both upper and lower case.
Example: PIN = Se12, Passcode = 234765, Domain password = Se12234765

Integrated Desktop Management is only supported when using a Day code; one time passcodes are not supported.

To enable the integrated desktop mode of SecurEnvoy, we first need to understand the password reset process.

LDAP Password Modification
The first technique that is always attempted is an LDAP-based password modification. The core of this technique involves modifying the unicodePwd attribute directly. SetPassword does one modification with the Replace modification type specified, and ChangePassword does two modifications with a Delete and an Add specified, in that order. Active Directory enforces a restriction that any modification to the unicodePwd attribute must be made over an encrypted channel with a cipher strength of 128 bits. Otherwise, the server will reject the attempted modification. This helps ensure that the plaintext password is not intercepted on the network.
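An added example (not SecurEnvoy code) that follows the password reset process just described: the Domain password is the PIN followed by the day code (Se12 + 234765 = Se12234765), it is checked against the upper/lower/numeric policy the text recommends, and the unicodePwd modifications are built as SetPassword (one Replace) or ChangePassword (Delete then Add). Wrapping the password in double quotes and encoding it as UTF-16LE is the Active Directory format for a unicodePwd value. Sending the operations is left to an LDAP client; the `channel_is_encrypted` flag is an assumption standing in for the client's knowledge that it is on an LDAPS session:

```python
"""Integrated Desktop password composition and unicodePwd modify operations (added example)."""


def compose_domain_password(pin, day_code):
    """The PIN is the static part, the day code the dynamic part of the Domain password."""
    return f"{pin}{day_code}"


def meets_policy(password, min_len=8):
    """Upper, lower and numeric characters present, as the text recommends for a domain policy."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def encode_unicode_pwd(password):
    """unicodePwd value format: the password in double quotes, UTF-16LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


def build_modifications(new_password, old_password=None, channel_is_encrypted=False):
    """Return LDAP modify operations as (op, attribute, values) tuples.

    channel_is_encrypted is an assumed flag: a real client would derive it
    from whether the connection is LDAPS with a 128-bit cipher.
    """
    if not channel_is_encrypted:
        # AD rejects the modify anyway; refusing here keeps the plaintext off the wire
        raise RuntimeError("unicodePwd must be modified over an encrypted channel")
    if old_password is None:
        # SetPassword: one Replace (administrative reset, no old value needed)
        return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]
    # ChangePassword: Delete the old value, then Add the new one, in that order
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]
```

Password Automation writes the code on the user's behalf, so it corresponds to the SetPassword (Replace) form, which does not require the old value.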
Therefore with this in mind there are only two ways to accomplish an encrypted tunnel for password modification:

Active Directory supports two mechanisms for channel encryption: SSL and Kerberos. However, only SSL supports the minimum 128-bit cipher strength on all Active Directory platforms. Kerberos-based encryption has been strengthened to meet this requirement on Windows Server 2003, but not on Windows 2000 Server. Because the function attempts to work with either version of Active Directory, it always selects only SSL for the channel encryption technique.

This is unfortunate, because Kerberos-based encryption works out of the box with Active Directory, but SSL requires additional configuration steps including the acquisition of proper SSL certificates for each participating domain controller.

Account Lockout Settings
This can be set between 3-10 consecutive bad authentications since the last good authentication before the user is disabled. Once disabled, no more passcodes are sent and the user is denied access. If using SMS the user is sent an alert SMS explaining that their account is now locked.

User accounts can be automatically disabled if there is no authentication activity for (xx) number of days (configurable, default is 90).

User accounts that do not complete an enrolment request are disabled (configurable, default is 30 days).

All of these settings can be assigned upon a per domain basis.

Admin GUI
The administration interface is configurable, so that only certain elements are displayed. Use the check boxes to configure the Admin interface. These are as follows:

Display private mobile check box - Private mobile check box is displayed or hidden in admin GUI
Radius attribute settings - Configure and control Radius settings
Offline laptops settings - Enable / disable offline passcodes for Integrated Desktop Logon

All of these settings can be assigned upon a per domain basis.
Emergency Helpdesk
Self Helpdesk allows users to assign themselves a temporary code or change their mobile number in the event that they have no phone signal or no access to their mobile phone. This section controls whether this is enabled, whether the user can set their own mobile number, the maximum number of days a temporary code can be assigned and how often the helpdesk can be used within a period of time.

All of these settings can be assigned upon a per domain basis.

To use the Self Helpdesk, a user must first enrol and provide answers to two security questions. The enrolment request is sent automatically when a user is first enabled. (This will only occur if the "Allow Helpdesk To Be Used" check box has been enabled.)

The security questions are read from a template file to allow for customisation. The file path is Security Server\Data\ENROLMENTTEMPLATE\questions.txt within the SecurEnvoy installation directory (e.g. for 32 bit installations C:\Program Files\SecurEnvoy\Security server\Data\ENROLMENTTEMPLATE\questions.txt). For 64 bit installations: C:\Program Files (x86)\SecurEnvoy\Security server\Data\ENROLMENTTEMPLATE\questions.txt.

Note
Enable the helpdesk by ticking the checkbox and then set the parameters of what the user can do, for example change own mobile number. When a user is deployed they are sent a URL link to "Enroll". This can either be sent via email or SMS.

SecurPassword
SecurPassword allows a user to reset their Microsoft Domain or other LDAP password using Two Factor Authentication. In addition to the passcode, up to three attributes of data can be used to help validate the authentication request for a password reset. Also the user can use security questions that were answered within the enrolment process. Any data that is held within the Directory Server can provide further checks on the user's credentials.
Attributes like employee number, department etc. can provide additional authentication parameters.

Users can be automatically alerted by SMS a set number of (xx) days (configurable) prior to their password expiring.

Password parameters can be assigned such as age, minimum length and complexity.

All of these settings can be assigned upon a per domain basis.
Users can be automatically sent a "Password expiry warning" via SMS; this feature will send out an SMS warning message x days before their user password expires. (Default is 7 days.)

The prompt for each attribute is a text string that is presented in the password logon web page.

To enable SecurPassword a valid license must be installed, and the Allow SecurPassword check box must be ticked. The only decision is to either use existing attributes to check for authentication, or use the security questions a user has enrolled with. (See Self Helpdesk above.)

Note
If the "secret questions" box is left un-ticked and no attributes are populated, a user will be able to reset their password with just the passcode.

Note
SecurEnvoy recommends that SecurPassword uses SSL over LDAP (LDAPS 636) to fully meet all of the above stated requirements of a password reset. Enable the SSL option using the Advanced Configuration Wizard.

Migration (Unmanaged User Proxy Authentication)
The Migration feature allows users to be migrated to a SecurEnvoy solution from an existing password-only or token solution. Once configured, users can be migrated in stages as required, allowing a smoother transition.

All of these settings can be assigned upon a per domain basis.

Migration from Password-Only
Users that have not been enabled within SecurEnvoy will need to be members of a group named "sepasswordonly". This group must be configured within the directory server prior to deployment. These users will then be allowed to authenticate using only their username and password. Once migrated to SecurEnvoy, they can be removed from this group and have a full 2FA experience.

Migration from Third-party Two Factor Token Server
RADIUS authentication is configured to use the SecurEnvoy server.
If the user is not enabled within SecurEnvoy, the SecurEnvoy server will act as a proxy, and forward the RADIUS request to the configured third party token server.

Up to two configured third party token servers are supported. IP address, port, shared secret, and timeout information is required. Once configured the test button will initiate an interactive logon.
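The routing decision that the two migration paths above describe, as an added example (not SecurEnvoy code): an enabled user gets SecurEnvoy two-factor authentication; a user who is not enabled but is a member of "sepasswordonly" is accepted on username and password alone; any other user who is not enabled has the RADIUS request proxied to the configured third party token servers (at most two), tried in order until one answers within its timeout. The directory lookups and the proxy transport are constructed stand-ins, and the `reject` outcome for a user matching none of the paths is an assumption the page does not state:

```python
"""RADIUS request routing during migration (added example, not product code)."""

PASSWORD_ONLY_GROUP = "sepasswordonly"   # group name given in the guide
MAX_PROXY_SERVERS = 2                     # "up to two" third party token servers


class ProxyConfig:
    """IP address, port, shared secret and timeout for one third party token server."""

    def __init__(self, host, port, secret, timeout):
        self.host = host
        self.port = port
        self.secret = secret
        self.timeout = timeout


def route_request(user, enabled_users, group_members, proxies):
    """Return the path a request takes: 'securenvoy_2fa', 'password_only', 'proxy' or 'reject'."""
    if len(proxies) > MAX_PROXY_SERVERS:
        raise ValueError("at most two third party token servers are supported")
    if user in enabled_users:
        return "securenvoy_2fa"
    # password-only users bypass the second factor: keep this group tightly controlled
    if user in group_members.get(PASSWORD_ONLY_GROUP, set()):
        return "password_only"
    if proxies:
        return "proxy"
    return "reject"   # assumption: nothing else is configured to accept the user


def proxy_authenticate(request, proxies, send):
    """Forward the request to each token server in order.

    send(proxy, request) is a constructed transport: it returns True/False for
    an Access-Accept/Reject, or None when the server did not reply within
    proxy.timeout. All servers timing out is treated as a failed login.
    """
    for proxy in proxies:
        result = send(proxy, request)
        if result is not None:
            return result
    return False
```

The constructed snapshot in the test exercises each path, including failover from a timed-out first token server to the second.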
Automatic Group Deployment
SecurEnvoy Security Server has the ability to provision users. This can be completed with the Deployment Wizard (recommended for first time user deployments), as it allows an extremely granular approach to how users are deployed, or with the Automatic Group Deployment within the admin GUI, which caters for ongoing deployments of users.

The Deployment Wizard is a tool that allows enterprises to carry out an initial deployment to a high number of users easily. It is customisable so that passcodes can be sent via SMS or emailed to users in one seamless mechanism. This tool can be used in one of two ways, via a graphical user interface for manual deployments or in command line mode for scripts or batch jobs to use. This is a separate SecurEnvoy tool that is accessed from "Start" - "Programs" - "SecurEnvoy" - "Deployment Wizard".

The Automatic Group Deployment is an embedded feature that allows simple ongoing provisioning of users. A dedicated group of users (only one group per domain is supported) is monitored; any user added to this group is automatically deployed with the options set in the GUI. If a user is removed from the group, they are automatically unmanaged.

All of these settings can be assigned upon a per domain basis. The following options are able to be set:

Enable Automatic Deployment
Enables or disables the automatic deployment option. An additional setting allows a time in minutes to be set; this is how often the Automatic Deployment should check for users being added to or removed from the group.

Deployment Type
ICE (In Case of Emergency) for emergency users, business continuity, disaster recovery.

Send Passcodes to Mobile / Email
Example - A user will stay explicit to the mode of deployment: if deployed with a passcode to mobile, they will always receive a passcode via SMS.
As long as the mobile attribute is populated. If not, the system will check and then deploy the user by email; the user will then follow the enrolment instructions in the email to update their own mobile number into SecurEnvoy. If a user is deployed via email, they will always stay in this mode.

NOTE: The mobile or email attribute must be populated.

One Time Code / Real time
Select users to have a One time passcode in "Pre-Load" mode or use "Real time delivery".

Soft Token
Users are deployed with an enrolment message to set up their soft token.

Day Code
Users are deployed with a Day Code. The code refresh in (n) days can be set; this is a global setting for all deployed users.

Note
If a group is declared in the Automatic Group deployment option, the user will be enabled and provisioned or unmanaged depending on whether they are a member of the declared group. If "Allow any group" is selected, all users in the domain will only be provisioned. Caution: this could cause a high number of users to be provisioned.
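The reconciliation step that the Automatic Group Deployment options describe, as an added example (not SecurEnvoy code): on each check, users present in the monitored group but not yet managed are deployed, users no longer in the group are unmanaged, the delivery channel is fixed at deployment time (mobile if the mobile attribute is populated, otherwise email), and a user with neither attribute cannot be deployed. With "Allow any group" every user in the domain is provisioned and nobody is unmanaged. The directory snapshot and the attribute names `mobile` and `mail` are constructed for the example:

```python
"""Automatic Group Deployment reconciliation (added example, not product code)."""


def choose_channel(user):
    """Send Passcodes to Mobile / Email rule: mobile wins if populated, else email, else nothing."""
    if user.get("mobile"):
        return "mobile"
    if user.get("mail"):
        return "email"
    return None


def reconcile(directory_users, group_members, managed, allow_any_group=False):
    """Return (to_deploy, to_unmanage, skipped) for one polling interval.

    directory_users: {login_id: {"mobile": ..., "mail": ...}}  constructed snapshot
    group_members:   set of login ids currently in the declared group
    managed:         {login_id: channel} users this feature has already deployed
    """
    if allow_any_group:
        wanted = set(directory_users)               # every user in the domain
    else:
        wanted = group_members & set(directory_users)
    to_deploy = {}
    skipped = []
    for uid in sorted(wanted - set(managed)):
        channel = choose_channel(directory_users[uid])
        if channel is None:
            skipped.append(uid)      # NOTE: mobile or email attribute must be populated
        else:
            to_deploy[uid] = channel # the user stays in this mode from now on
    # users removed from the group are automatically unmanaged;
    # with "Allow any group" wanted covers everyone, so nothing is unmanaged
    to_unmanage = sorted(set(managed) - wanted)
    return to_deploy, to_unmanage, skipped
```

Running it against a snapshot where one group member has no contact attributes shows the user that the NOTE warns about: they are neither deployed nor unmanaged, and would keep appearing in `skipped` on every interval until an administrator fills in the attribute.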
Logging
SecurEnvoy has three supported options for logging information. They are:

SecurEnvoy log file. This resides locally upon the machine.
Microsoft Event Log. SecurEnvoy writes log information to the Application Log.
Syslog server. Enter the details of your Syslog server.

In Case of Emergency
ICE (In Case Of Emergency) allows the ability to turn on strong, two-factor authentication for all users in the event of an emergency. The user's existing Microsoft password is the first factor, and a passcode sent to the user's mobile phone is the second. There is no need for the user to enrol and remember an additional PIN, and no need for extra tokens or smart cards.

The ICE message content can be directly edited in the admin GUI. Thereafter a "return to work" message can be configured; once the emergency is over, this is sent when ICE is turned off.

All of these settings can be assigned upon a per domain basis.
Chapter 5 Advanced Configuration Wizard
5 Advanced Configuration
The SecurEnvoy "Advanced Configuration Wizard" controls all configuration data of the SecurEnvoy Security server. To launch this tool go to:
Start/Programs/SecurEnvoy/Advanced Configuration Wizard

By default the wizard will always launch to the IIS and LDAP tab. You can step through each tab automatically after making changes to each relevant section, or you can go directly to the section of your choice by selecting the required tab.

LDAP tab
Enter details for the Web server (machine that will run the SecurEnvoy admin GUI) and select the Directory server type, either "MS Active Directory, Novell E-dir, Sun One Directory server, LINUX OpenLdap or MS ADAM".

Select Directory Type - First step is to select the Directory Type, either "MS Active Directory, Novell e-Directory, SecurEnvoy Managed Users - MS ADAM, OpenLDAP - Linux, Sun Directory server".

Primary Domain 1 - The Domain Name is the domain where the active directory resides and user information is stored and retrieved.

Directory Administrator Account Distinguished Name - Use the Tab key to step into the Search for DN section and into the field Enter UserID. Type the name of the account that will run the SecurEnvoy server. Click Get DN of UserID; this will automatically populate the DN account details providing you are currently logged on as a domain administrator of this domain. If correct, enter the password for the User ID account. Using the Example button will provide a real example of the administrator DN directly from Active Directory.

Directory Server Details - Finally enter the names of your Directory servers. If certificates have been deployed upon your directory servers, LDAPS (port 636) can be utilised by enabling the "Use SSL" check box; note that LDAPS generally requires the server name to be fully qualified.

Test - After completing the required details, the connection can be tested by clicking Test Server 1 or Test Server 2.
If OK is returned then click Continue. If OK is not returned, errors should be rectified before proceeding.

Note
LDAPS generally requires the server name to be fully qualified. If "Use SSL" is selected the server name MUST be the same name as set in the common name of the Directory's server certificate.
If you wish to add an additional domain, click the "Add New Domain" button and enter the LDAP Settings for each new domain. The web server is the machine that the security server software was installed upon; this does not require changing.

The domain name is the additional domain where user information will be stored and retrieved. The Net Bios Name is optional and only needs setting if UserID logons use Net Bios Domain names, for example "SECURENVOY\john smith".

Once the above information has been entered and a successful test established, click Continue. A warning will be displayed in the Wizard that confirms that the batch services are being installed. Click Save and Continue.

Note
Any combination of vendor LDAP server is supported in any order; each domain can be configured with its own SecurEnvoy administration account for read and write permissions.

Each Domain MUST share the same SecurEnvoy administration account, or secondary servers in the same domain will elevate to batch master, causing the batch server to effectively run many times and resulting in multiple day codes being sent.
5.1 Multi Domain configuration
Start/Programs/SecurEnvoy/Advanced Configuration Wizard, select LDAP tab.

Adding an additional Microsoft AD domain: click "Add New Domain", then select the domain type and populate with the required information. Click Update or Continue when complete.

Adding a Novell e-Dir domain: click "Add New Domain", then select the domain type and populate with the required information. Click Update or Continue when complete.
Adding an OpenLDAP domain: click "Add New Domain", then select the domain type and populate with the required information. Click Update or Continue when complete.

Adding a Sun Directory server domain: click "Add New Domain", then select the domain type and populate with the required information. Click Update or Continue when complete.

Adding Microsoft ADAM / AD/LDS (SecurEnvoy Managed Users)
Selecting "SecurEnvoy Managed Users" allows the creation of a user database when no corporate directory server exists or can be used. This utilises Microsoft ADAM (Windows Server 2003) / AD/LDS (Windows Server 2008), and allows user creation and management to be completed via the SecurEnvoy Admin GUI.

To create a Microsoft ADAM / AD/LDS instance, select "SecurEnvoy Managed Users", then select whether this is the first or a subsequent replica ADAM instance (for redundancy) and populate the domain name required for these users, e.g. "Sales". The "passcode only" check box controls whether SecurEnvoy will authenticate both the PIN and passcode of the authentication request or just the passcode. Follow steps 1-4, which will install Microsoft ADAM / AD/LDS, configure the instance and test that it is operational.
Note
The port number for MS ADAM is automatically configured and incremented for each individual instance. This can be manually changed to suit the requirements of each environment that it is installed upon.

Adding Microsoft ADAM Replica (SecurEnvoy Managed Users)
To install an ADAM replica, run the SecurEnvoy "Advanced Config Wizard" and select:

Note
To facilitate ADAM replicas, the machine that is to have the ADAM replica installed must be a member of the same domain as the ADAM master. Also you must be logged in with "Domain Admin" rights for the ADAM replica install to succeed.

LDAP tab: select SecurEnvoy Managed Users (Microsoft ADAM) and select Replica Server on the Microsoft ADAM Setup window. Enter details for the port in TCP Port, and enter details for "Server To Replicate From". This must be in FQDN format.

Note
The port number should be the same for each Microsoft ADAM Master and Replica instance.

Note
The Server To Replicate From must be in FQDN format. IP addresses are not supported.

Note
The ADAM domain name can only support characters 0-9 and A-Z.

Enter the domain name information for the ADAM instance.
Enter the password details for the SecurEnvoy admin Password. These should be the same as the ADAM master. Then follow steps 2-4 to complete the install. When complete click "Update or Continue".

Points to note regarding ADAM or AD LDS replication
1. Windows Firewall seems to block update notifications to replicas, so you need to create a custom rule on both servers to trust all inbound communications from the other server's IP address.
2. If these servers are not in the same domain, change the Windows service SecurEnvoy ADAM*** to run under a user account that is a member of the administrators group (not the default system account).
3. On the second server, create the replica via SecurEnvoy Advanced Config and change the Windows service SecurEnvoy ADAM*** to run under a user account that is a member of the administrators group (not the default system account).

Note
The ADAM replica instance will take up to 10 minutes before it is fully replicated and published.

Adding and editing SecurEnvoy Managed Users (Microsoft ADAM / AD/LDS)
Example
Within the SecurEnvoy Admin GUI, select the ADAM domain created, "Demo". To add a new user: populate the Naming information and then select the "Create User" button.

Note
An additional button is created within the SecurEnvoy admin GUI; this allows user creation. User information is typed into the "Search Directory" window.
The user screen for the created user will now be displayed. Additional information regarding the account can now be populated.

Note
SecurEnvoy recommend that if a PIN is required it is managed by SecurEnvoy, as it is stored encrypted (the default action for all SecurEnvoy data). ADAM passwords are not supported as they are not as secure as SecurEnvoy PINs.
5.2 eMail Gateway Configuration
Start/Programs/SecurEnvoy/Advanced Configuration Wizard, select eMail Gateway tab.

The eMail gateway settings are displayed below. For the eMail Gateway configuration, enter details of the SMTP server that should be used for the sending of emails and the associated email account you wish to use. There are two further options: for SMTP servers that require authentication, enable the check box and enter account details; to support SMTP servers that utilise TLS, enable the check box. Once set up, a test email can be sent to a recipient to test if the configuration is correct.

Note
Please ensure that your SMTP server has been set up to allow relaying from the SecurEnvoy server.

Note
The SecurEnvoy Advanced Configuration Wizard can be exited at any time after configurations have been made.
5.3 IIS URL's
Start/Programs/SecurEnvoy/Advanced Configuration Wizard, IIS URL's tab.

The URL configuration can be viewed and maintained from this tab. If the server supports HTTPS, then this can be selected; this setting will be inherited in the URL values that are displayed when selecting Manage My URLs. These URL values are included in system generated emails sent to users, for example the user enrolment email. Click Save and Continue.

Note
The SecurEnvoy Advanced Configuration Wizard can be exited at any time after configurations have been made.
5.4 SMS / Voice Gateway
Start/Programs/SecurEnvoy/Advanced Configuration Wizard, select SMS / Voice Gateway tab.

Multiple gateways can now be set up and maintained via this tab. It is possible to set up as many gateways as required to meet the operational requirements of the organisation. SecurEnvoy can support various gateway types from Web SMS, SMPP and Voice through to Serial or TCP/IP Modems. The gateways can also be set up in priority order and can be disabled as required very easily from within this wizard. The priority ordering of the gateways is controlled using the "Up" and "Down" buttons.

The gateways can be restricted per country and per LDAP domain, to allow the administrator more control as to which service is used in certain countries. This is used to overcome difficulties sending SMS into countries that might not support advanced SMS features such as flash message and SMS overwrite. Once complete, priority can then be assigned for multiple gateways that will support the same countries/domains.

For the Web SMS gateway option a suitable provider account MUST already be set up and account details MUST be entered.

Restrict to Country / Domain allows the administrator to define which SMS gateways are used; this can be assigned per domain or by country code. Enter dialling codes for countries or the domain that should be served by this SMS gateway; this can be selected from the radio button drop down menu. When dealing with country codes, for a particular SMS gateway, multiple country codes can be assigned by comma separating them.

Finally a test connection button allows the SMS gateway to be tested to confirm that it is operational and that any user account information is correct. If a proxy server is being utilised upon the network, then proxy information can be entered.

Click Update if any changes have been made or Continue when complete; this will then save all SMS Gateway information.

SecurEnvoy can connect to many Web based SMS providers.
A new template may be required; see the Security Server Administration Guide for more details.
To "Add" a GSM Modem, select Add then check the Modem radio button. Then select the connection type, either Serial/USB or TCP/IP. If USB/Serial, enter the Comm port and baud rate settings for the connected GSM modem. If TCP/IP, select the IP address and port number. The above two options allow a corporation to use its own SIM chip from their Telco and take advantage of any free or group SMS call rates.

The following are configurable options:

Send Simple text - When enabled allows an SMS to be sent in simple mode. Use this if the Telco operator does not support message overwrite (PDU mode).

Enter dialling codes for countries or the domain that should be served by this SMS gateway; this can be selected from the radio button drop down menu. When dealing with country codes, for a particular SMS gateway, multiple country codes can be assigned by comma separating them.

When complete click the OK button to test. The test will carry out an ATI and signal strength test. Version information will be shown as well as signal strength information. Signal strength is measured from 0-31. An acceptable figure is 16 or above.

Click Update if any changes have been made or Continue when complete; this will then save all Gateway information.

To "Add" a Voice Gateway, select Add then check the Voice radio button. Select the appropriate voice provider from the drop down menu list. For the Voice gateway option a suitable provider account MUST already be set up and account details MUST be entered.

Restrict to Country / Domain allows the administrator to define which SMS gateways are used; this can be assigned per domain or by country code. Enter dialling codes for countries or the domain that should be served by this Voice gateway; this can be selected from the radio button drop down menu.
When dealing with country codes, for a particular SMS gateway, multiple country codes can be assigned by comma separating them.

Click Update if any changes have been made or Continue when complete; this will then save all SMS Gateway information.
To "Add" a Mail SMS Gateway, select Add then check the Mail SMS radio button. This approach provides a facility to send an SMS via an SMTP server; a gateway can be set up and included in the prioritised list of gateways. The Address format should be #MOBILENUMBER#@atyourprovider.com. If the Telco provider allows user modifications to Subject and Body formats, please set these.

Enter dialling codes for countries or the domain that should be served by this gateway; this can be selected from the radio button drop down menu. When dealing with country codes, for a particular SMS gateway, multiple country codes can be assigned by comma separating them.

Click Update if any changes have been made or Continue when complete; this will then save all SMS Gateway information.

To "Add" a SMPP Gateway, select Add then check the SMPP radio button. For organisations that wish to use existing SMPP providers as the SMS gateway, this can be configured and tested when adding the SMPP gateway. Templates for Vodacom and Orange SMPP are provided. Additional SMPP templates can easily be configured by copying the SMPP_protocol.txt file and renaming the copy to provider_control.txt. Edit the file so that a new name tag refers to this provider. Enter server addresses, port, TON, NPI and source address information (this is provided by your provider). Save changes to the file and make sure it resides in the SecurEnvoy\Data\WEBSMSTEMPLATE directory.

Enter dialling codes for countries or the domain that should be served by this gateway; this can be selected from the radio button drop down menu. When dealing with country codes, for a particular SMS gateway, multiple country codes can be assigned by comma separating them.

Click Update if any changes have been made or Continue when complete; this will then save all Gateway information.
Proxy for Web Services
If the organisation requires the use of a Proxy Server, this must be set up using the Proxies button. Once the properties for the proxy server have been saved, the user can select to use the Proxy when setting up the individual gateways for web services such as Web SMS or Voice.

Priorities can be tested to check that the correct priority has been applied for each gateway method. Select the "Test Priorities" button. Select "Request type" (options are SMS, VOICE), select the Domain and finally select the country code. Once "Test" is invoked, an output will show the priority order for the selected gateway method. Click Close when complete.

Note
SecurEnvoy supports proxy servers; enable the checkbox and populate the proxy settings.

Note
The SecurEnvoy Advanced Configuration Wizard can be exited at any time after configurations have been made.
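What the "Test Priorities" output amounts to, as an added example (not SecurEnvoy code): gateways are held in the administrator's "Up"/"Down" order, each with a type (SMS or VOICE), an enabled flag and the Restrict to Country / Domain settings, where the country restriction is the comma-separated dialling code field from section 5.4. An unrestricted gateway serves every country and domain. The gateway table and its field names are constructed for the example:

```python
"""Gateway priority resolution as reported by Test Priorities (added example, not product code)."""


def parse_dialling_codes(text):
    """Split the comma-separated dialling code field, e.g. '44, +1,353' -> ['44', '1', '353']."""
    return [c.strip().lstrip("+") for c in text.split(",") if c.strip()]


def serves(gateway, request_type, domain, country_code):
    """True if this gateway is enabled, of the requested type, and not excluded by its restrictions."""
    if not gateway["enabled"] or gateway["type"] != request_type:
        return False
    codes = parse_dialling_codes(gateway.get("countries", ""))
    if codes and country_code.lstrip("+") not in codes:
        return False                      # restricted to other countries
    domains = gateway.get("domains", [])
    if domains and domain.lower() not in [d.lower() for d in domains]:
        return False                      # restricted to other LDAP domains
    return True


def priority_order(gateways, request_type, domain, country_code):
    """Return gateway names in the order they would be tried for this request."""
    return [g["name"] for g in gateways if serves(g, request_type, domain, country_code)]


# constructed gateway table, already in the administrator's priority order
GATEWAYS = [
    {"name": "WebSMS-UK", "type": "SMS", "enabled": True, "countries": "44", "domains": []},
    {"name": "GSM-Modem", "type": "SMS", "enabled": True, "countries": "", "domains": ["corp.example"]},
    {"name": "SMPP-Global", "type": "SMS", "enabled": True, "countries": "", "domains": []},
    {"name": "Voice-Provider", "type": "VOICE", "enabled": True, "countries": "", "domains": []},
    {"name": "WebSMS-Old", "type": "SMS", "enabled": False, "countries": "", "domains": []},
]
```

A request for an SMS to a UK number from corp.example would list WebSMS-UK, then GSM-Modem, then SMPP-Global; a request for a +1 number from another domain would fall straight through to SMPP-Global, which is the check to run before relying on an unrestricted gateway as the catch-all.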
5.5 Radius Server configuration
Start/Programs/SecurEnvoy/Advanced Configuration Wizard, select Radius tab.

Radius server (if the check box is enabled) will install the Radius component to allow integration with any network access devices that can utilise the Radius protocol, i.e. SSL appliance, Firewall or VPN. To set up the Radius Service, enter port information to reflect the network environment the SecurEnvoy Security server is to operate within. Click Save and Finish.

Note
If the SecurEnvoy Security server has multiple IP Addresses and/or Network Interface Cards, a RADIUS listener will be started on each individual IP address.
Chapter 6 User management settings
6 User Management settings
To start the admin GUI locally:
Start/Programs/SecurEnvoy/Local Security Server Administration, or click the desktop shortcut.

To start the GUI remotely, open a Microsoft web browser and enter the following:
http(s)://(security_server_host_name)/secadmin

By default the page will always open at the Local Users page.

This menu allows you to search and administer your LDAP (Directory Server) based users. You can enable users for two factor authentication, manage PINs, manage mobile numbers and email addresses, resend passcodes and set static passcodes.

In the left side window, select the domain you wish to interrogate (only required if you have multiple domains configured). If you leave the fields blank, all of your LDAP users will be displayed. To restrict this list enter one or more characters in First Name, Last Name or Login ID. For example, if you want to manage the user QA, enter "Q" in the Login ID field and press Search. A list of all users with a Login ID starting with "Q" will be displayed.

Select the user you want to manage and you will see the following screen options.

Unmanaged / Enabled / Disabled / ICE
The first option is to set the user's relationship with SecurEnvoy. Unmanaged means that the SecurEnvoy server has no data for this user, and the user is not consuming a license. Disabled means there is data for this user, and the user is consuming a license, but cannot authenticate. Enabled means there is data for this user, the user is consuming a license and can authenticate. ICE is only displayed if you are licensed for ICE users. Selecting ICE means that the user will consume an ICE license and will be able to authenticate if Emergency access mode is set.
Permanent or Temporary User
When enabling a user, the account can be set up as a permanent account or a temporary account. If set to be a temporary account, then a maximum number of days can be applied; the range is 1-999 days. At the end of this time the user is automatically unmanaged.

When a user is enabled and Self Helpdesk or SecurPassword is active, users are sent an enrolment message. Enable the "Enrol Secret questions" checkbox if you wish users to be able to use the Self Helpdesk or SecurPassword secret questions. (See 4 Config)

Administrator
Select either None, Helpdesk, Config or Full administration rights for this user. This controls what remote management capabilities the user has. Full allows full access to all areas. Config allows a user to change Config and Radius settings and access the Log Viewer, but cannot see or change users. Helpdesk allows access to the Users and Log Viewer sections only. (The users they can see and change will be restricted by their domain and Helpdesk group if configured.)

Pin
The PIN component can either be the existing Domain password or a traditional static numeric PIN that the user will use when authenticating. This traditional PIN can be up to 8 digits. (See 4 Config)

Mobile Number
If this user already has a mobile phone number defined in LDAP, this field will be populated. If not, you MUST enter one if you want to send passcodes via SMS.

Email
This option is displayed if passcodes are allowed via email. (See 4 Config)

Send Simple SMS
This option allows a RAW (simple) SMS to be sent; this caters for some countries or carriers that do not support the PDU mode of SMS.

Failed Login
Displays the number of failed logins since the last good authentication. This can be set to have between 3-10 bad authentications before the user is disabled. Once disabled no more passcodes are sent. You can reset this count back to 0 by checking Reset.

One Time Code
If this mode is selected, passcodes can only be used once.
This mode is the most secure as anyattempt to re-use passcodes will fail. Further options include the ability to h av e 3 passcodes in eachSMS message. Or the ability to use a \"real time\" deliv ery of the SMS message.Day CodeThis mode automates the process of changing passwords ev ery xxx day s. Day codes are reusablepasscodes that are automatically changed ev er (x) d ay s (Configurable see Chapter 4.0) . At a pre-defined day and time (Configurable see Chapter 4.0) the next required passcode is sent to this user’smobile phone. A v alid passcode is the current or the prev iously sent code.Select this option if y our security requirements only need passwords to change ev ery xx day s. Page 47
Note
Day codes can be set up so that they are not sent over a weekend. Also, a new Day code will only be sent if the old one has been used (configurable, see Chapter 4.0).
PIN and Day codes can be used to automatically update users' Microsoft Active Directory passwords (configurable, see Chapter 4.0).

Soft Token
This mode supports the use of a "Soft Token", available for mainstream smart phones such as Apple's iPhone, BlackBerry, Android and Windows 7 phone; Windows 7 desktop will also be supported. Please see the Apple App Store, OVI, BlackBerry Shop or the SecurEnvoy web site for more details. SecurEnvoy can also support the Google Authenticator. Please see the link below for more information:
http://www.google.com/support/accounts/bin/answer.py?answer=1066447
When a user is deployed, they can select to use a soft token; the phone then scans a QR code on the enrolment page to configure the "seed" record and activate the user for "Soft token" mode. No additional user overhead is required. The "Soft Token" can also be re-synched by entering two consecutive passcodes. Please see section 6.1 for more information.

VOICE Token
For users who wish to use a Voice token, select this option. When the user logs on with UserID and PIN (password) they will receive a real time voice call and will then follow the instructions in the voice message. At the same time their logon screen will present an OTP. To use this feature requires a version 7 IIS agent or RADIUS with challenge-response support.

Tmp Static Code
Passcodes of up to 14 characters can be entered. The user can use this agreed static passcode multiple times for up to the number of days entered. After this time has passed, the user is automatically switched back to One Time Codes and sent their next required passcode. This mode is intended for users who have lost their mobile phone or will be out of mobile signal for a number of days. Keep the period as short as the situation needs: a reusable code can be replayed by anyone who observes it until it expires.
Static Passcode
This is a reusable static passcode; it can be up to 14 characters long. Select this option if this user doesn't have a mobile phone. With a static passcode plus a PIN the user is authenticating with two memorised secrets rather than a one-time code, so treat this option as the exception rather than the default.

Update User
Press this button to update this user with any entered/amended settings.

Resend Passcode
Press this button to resend a passcode and update any changes to this user.

Note
Users being enabled will automatically be sent a passcode. When using default of "Pre Load for SMS delivery
Refresh
Press the button to cause a manual refresh of the displayed user information.

Example
Deploying Users via Admin GUI
1. Launch the SecurEnvoy admin GUI via the desktop shortcut or program link.
2. Click Search to find any user within the domain, then select your user by clicking the appropriate link.
3. Enable the user, assign a mobile number (if required) and select One Time passcode; click "Update" when complete.
4. The system will return an OK message and the user will receive a passcode (default pre-load). If the user is set to receive a real time code, no code is sent at this point.
5. Test the logon with either a Radius based connection or the IIS web Agent.
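The One Time Code, Day Code, Failed Login and Reset behaviour described in the settings above, modelled as the server-side checks a verifier has to make. This is an added example and not SecurEnvoy's code: the passcode format, the in-memory user record, the field names and the list standing in for the SMS gateway are all constructed assumptions. The points it makes concrete are that a consumed one-time code must never match again, that the lockout counter resets only on a good authentication, and that a locked user is sent nothing further.

```python
"""Model of the per-user passcode checks (added example, not SecurEnvoy code)."""
import hmac
import secrets
from dataclasses import dataclass, field


def new_passcode(digits: int = 6) -> str:
    """Random numeric passcode from the OS CSPRNG (assumed format; the real one is not on the page)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


@dataclass
class UserRecord:
    """Server-side state for one enabled user; the SMS gateway is replaced by a list."""
    mode: str                   # "otc" = One Time Code, "daycode" = Day Code
    max_failures: int = 3       # admin-configurable, 3-10 on the page
    failures: int = 0
    disabled: bool = False
    current: str = ""           # passcode the user is expected to present next
    previous: str = ""          # Day Code mode: the previously sent code stays valid
    current_used: bool = False  # Day Code mode: gate for "new code only if old one was used"
    sms_outbox: list = field(default_factory=list)  # constructed stand-in for the SMS gateway

    def __post_init__(self) -> None:
        if not 3 <= self.max_failures <= 10:
            raise ValueError("failed-login limit must be between 3 and 10")
        self.send_passcode()  # enabling a user sends the first passcode (pre-load)

    def send_passcode(self) -> None:
        """Issue the next passcode. A disabled user is sent nothing."""
        if self.disabled:
            return
        self.previous, self.current = self.current, new_passcode()
        self.current_used = False
        self.sms_outbox.append(self.current)

    def authenticate(self, presented: str) -> bool:
        if self.disabled:
            return False
        # Constant-time compare so response timing does not leak matching prefixes.
        ok = hmac.compare_digest(presented, self.current)
        if ok:
            self.current_used = True
        elif self.mode == "daycode" and self.previous:
            ok = hmac.compare_digest(presented, self.previous)  # previous day code still valid
        if ok:
            self.failures = 0
            if self.mode == "otc":
                self.send_passcode()  # the code is burned; pre-load the next one
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.disabled = True      # lockout: no further passcodes are sent
        return False

    def rotate_daycode(self) -> None:
        """Scheduled job: only issues a new Day Code if the current one has been used."""
        if self.mode == "daycode" and self.current_used:
            self.send_passcode()

    def reset_failures(self) -> None:
        """Admin 'Reset' checkbox: clear the failed-login counter."""
        self.failures = 0
```

Re-enabling a locked user is left to the admin GUI and is not modelled; the record only shows why a disabled user must be excluded from passcode delivery as well as from authentication.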
6.1 Soft Token Support
SecurEnvoy now provides soft tokens for your phone to generate one time passcodes (OTP) for two factor authentication that can be checked by your company's SecurEnvoy server. End-users have total flexibility with zero admin or overhead costs, providing a mobile security solution to suit the user. Multiple soft tokens can be enrolled and used within the same app for multiple SecurEnvoy servers, eliminating the need to carry multiple hardware tokens or install multiple soft token apps. The latest SecurEnvoy server v6 allows users far greater choice of security: either tokenless SMS two factor authentication or now this soft token.

Users can simply log on to your company's SecurEnvoy server enrolment portal and switch themselves to use the soft token. They then scan the presented QR code to transfer their unique seed record to the app. SecurEnvoy Soft Tokens provide an innovative and simple solution for end users requiring a flexible method of two factor tokenless authentication without fuss or administration overhead.

Support for Google Authenticator
SecurEnvoy soft tokens for your phone or desktop can be used to generate one time passcodes (OTP) for two factor authentication that can be checked by your company's SecurEnvoy server or Google's cloud login.
Please note that there is decreased security with the "Google" soft token, as it has no copy protection at enrolment: the seed is carried in the clear in the QR code, so anyone who captures the enrolment screen holds a working copy of the token. SecurEnvoy recommend that the SecurEnvoy soft token be used where possible.

More flexibility for the User
Available free of charge to current customers from either SecurEnvoy or Google Authenticator, soft tokens are suitable for most types of mobile device, i.e. iPhones, iPads, BlackBerrys, Android phones, and Mac and Windows operating systems including Vista and Windows 7.

A simple process
For the organisation there is nothing they need to do. It is all down to the personal preference of the end-user to choose whether they want their two factor authentication passcode sent via SMS or generated by their app.
The user simply:
1. Logs into their company's SecurEnvoy server's enrolment page (/secenrol); they can authenticate themselves with their current user name and passcode.
2. A barcode appears on the screen, which the user scans with the camera button on their phone.
3. Within seconds the user is authenticated and can start using their phone as a soft token.
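The soft token enrolment and the two-passcode re-sync described in this section and under Soft Token above, as an added example that is not SecurEnvoy's code. It implements HOTP/TOTP from RFC 4226 and RFC 6238, which is the algorithm Google Authenticator runs (the page does not state SecurEnvoy's own token algorithm, so that is an assumption), builds the otpauth:// key URI that a Google Authenticator QR code encodes, accepts each time step at most once so a captured code cannot be replayed, and recovers the token's clock offset from two consecutive codes. The account name and issuer are constructed; the seed is the RFC 6238 test secret so the codes can be checked against the RFC's published vectors.

```python
"""Soft token server side: HOTP/TOTP (RFC 4226/6238), enrolment URI, verify, two-code re-sync.
Added example; not SecurEnvoy's implementation. Sample values are constructed."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30      # seconds per TOTP step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from time."""
    return hotp(secret, unix_time // step, digits)


def enrolment_uri(secret: bytes, account: str, issuer: str) -> str:
    """Key URI of the kind Google Authenticator reads from a QR code.
    The base32 seed travels in the clear: whoever captures the QR image owns a clone of the token."""
    seed = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={seed}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


class SoftTokenRecord:
    """Server-side state for one enrolled soft token."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window   # accept +/- this many steps of clock drift
        self.offset = 0        # token clock minus server clock, in steps (set by re-sync)
        self.last_step = -1    # highest step already accepted; that step and earlier are rejected

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP + self.offset
        for step in range(base - self.window, base + self.window + 1):
            if step <= self.last_step:
                continue  # one-time use: a replayed or older code fails
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False

    def resync(self, first: str, second: str, now: int, search: int = 100) -> bool:
        """Re-sync from two consecutive codes: find the step k where `first` matches at k and
        `second` at k+1, then record the token's clock offset relative to the server."""
        base = now // STEP
        for k in range(max(0, base - search), base + search + 1):
            if (hmac.compare_digest(hotp(self.secret, k), first)
                    and hmac.compare_digest(hotp(self.secret, k + 1), second)):
                self.offset = (k + 1) - base   # the token is at step k+1 "now"
                self.last_step = k + 1         # both codes are spent
                return True
        return False
```

Requiring two consecutive codes is what makes the wide re-sync search safe: one six-digit code matches somewhere in a 200-step window far too often, while a matching pair at adjacent steps is strong evidence of the right offset. Recording last_step is also what makes a soft token code one-time; without it the same code is accepted for the whole validity window.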