
Server Administration Guide

Published by phil.gardiner, 2015-02-09 07:59:17


4. In the case of the P.C. Soft Token, the user only has to authenticate with the built-in interface in the client. The seed is automatically deployed with no user intervention. (Please see the P.C. Soft Token manual for more information.)

[Figure: Mobile Phone Soft Token; P.C. Soft Token]

To provide support for a "Soft Token", the selected user can be deployed via SMS or email; at the enrolment stage the user can then opt to use a "Soft Token". If the user is selected to use only a "Soft Token", an email address must be used to provide the enrolment details. The "Soft Token" can also be re-synched by entering two consecutive passcodes.

Page 51

Soft Token Security

The SecurEnvoy Soft Token is OATH TOTP compliant, but with additional security enhancements to the OATH specification. These are:

Secure Copy Protection locks the seed record used for generating passcodes to the phone. The innovative approach allows the SecurEnvoy security server to generate the first part of the seed; the second part of the seed is generated from a "fingerprint" of the phone at the time the Soft Token application is run for enrolment, and each time the Soft Token application is run to generate a passcode.

Protection of the Seed Records. The seed records are dynamically generated by the server/phone and are stored with a FIPS 140 approved encryption algorithm; this encrypted data is generated and stored at the customer premises. SecurEnvoy do not store or keep any sensitive customer seed records.

Stored Data. All stored authentication data is generated and encrypted with AES 256-bit encryption and is kept within the customer LDAP server. SecurEnvoy support all LDAP v2 and v3 compliant directory servers, including: Microsoft Active Directory, Microsoft ADLDS, Novell e-Dir, Sun/Oracle One Directory Server, IBM and Linux OpenLDAP.

Security Watermarking

The SecurEnvoy Security Server deletes the used passcode and any previous passcodes from the system, thereby alleviating any replay attacks from any used or any previous unused passcodes. This process is known as "Watermarking".

Automatic Time Re-sync

When a user travels overseas, typically their phone will sync to the new country time once they have arrived at the destination. The OATH compliant algorithm then derives passcodes based upon this new time, which could be many hours forwards or backwards in time. SecurEnvoy have a unique approach that will handle users in this conundrum, allowing complete unhindered worldwide travel for the user.

Page 52
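As an added illustration (not SecurEnvoy's code; the page does not detail their seed-splitting or resync approach), the following Python shows how an OATH TOTP verifier can combine the watermark described above with the two-passcode resync mentioned for the Soft Token, so that a token whose clock has moved by hours is re-learned rather than rejected. The RFC 4226/6238 test-vector secret, a one-step drift window and the bounded resync search are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
RFC_TEST_SECRET = b"12345678901234567890"  # shared secret from the RFC 4226/6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the token's clock."""
    return hotp(secret, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Per-user verifier state: highest consumed counter (the watermark) and learned clock offset."""

    def __init__(self, secret: bytes, window_steps: int = 1):
        self.secret = secret
        self.window = window_steps      # accepted drift either side of the expected counter
        self.watermark = -1             # every counter at or below this is dead
        self.offset_steps = 0           # token clock minus server clock, in steps

    def _try(self, counter: int, code: str) -> bool:
        if counter < 0 or counter <= self.watermark:
            return False                # used, or older than a used code: never accepted again
        return hmac.compare_digest(hotp(self.secret, counter), code)

    def verify(self, code: str, now: int) -> bool:
        """Normal login: accept one code within the window, then watermark it."""
        server_counter = now // STEP_SECONDS
        expected = server_counter + self.offset_steps
        for counter in range(expected - self.window, expected + self.window + 1):
            if self._try(counter, code):
                self.watermark = counter
                self.offset_steps = counter - server_counter   # track small drift as it happens
                return True
        return False

    def resync(self, code1: str, code2: str, now: int, search_steps: int) -> bool:
        """Two consecutive passcodes locate a token clock anywhere within +/- search_steps,
        e.g. a phone that jumped several time zones; both codes are consumed on success."""
        server_counter = now // STEP_SECONDS
        for counter in range(server_counter - search_steps, server_counter + search_steps + 1):
            if self._try(counter, code1) and hmac.compare_digest(hotp(self.secret, counter + 1), code2):
                self.watermark = counter + 1
                self.offset_steps = counter - server_counter
                return True
        return False
```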

Chapter 7
Automated User Provisioning

Page 53

7 Automated User Provisioning

Automated User Provisioning

SecurEnvoy Security Server has the ability to provision users. This can be completed with the Deployment Wizard (recommended for first-time user deployments), as it allows an extremely granular approach to how users are deployed, or with the Automatic Group Deployment within the admin GUI, which caters for ongoing deployments of users.

The Automatic Group Deployment is a new feature that allows simple ongoing provisioning of users: a dedicated group of users (only one group per domain is supported) is monitored, and any user added to this group is automatically deployed with the options set in the GUI. If a user is removed from the group, they are automatically unmanaged.

Mass deployment of users can be automated with the use of a tool called the Deployment Wizard. The Deployment Wizard is an embedded tool that allows enterprises to deploy passcodes to a high number of users easily. It is customisable so that passcodes can be sent via SMS to users in one seamless mechanism. The Deployment Wizard has the ability to allow users to two-factor authenticate and enrol their mobile telephone number, which is then stored encrypted within the directory server (only SecurEnvoy software or administrators will have access to these mobile numbers).

This tool can be used in one of two ways: via a graphical user interface for manual deployments, or in command line mode for scripts or batch jobs to use.

7.1 Deployment Wizard GUI

To launch this tool go to Start > Programs > SecurEnvoy > Deployment Wizard. The Deployment Wizard has a simple flow chart operation of usage. The user account that runs this wizard MUST be a member of the Administrators group.

Page 54

Step 1
Set up the End User Deployment Defaults; select a One Time Code (default with Pre load) or Use Real Time delivery, a Day Code or an ICE user (In Case of Emergency).

Step 2
Select the Domain you wish to administer, then enter the LDAP search base or leave it blank. Common examples are:
DC=SecurEnvoy, DC=com
CN=Users, DC=SecurEnvoy, DC=com
OU=IT, OU=HQ, DC=SecurEnvoy, DC=com

Note: If the LDAP Search Base is blank, searching will include all objects (the top of the tree).

Enter the LDAP User Search Filter information; by default the search filter will only look for user accounts that have not already been activated with SecurEnvoy.

The filter uses the following guidelines:

Expressions can use the relational operators: <, <=, =, >=, and >.

cn=a*  Locate all users with "a" at the start of their common name.
lastName>=Davis  Locate all users with surnames between "Davis" and "zzzzz".

Compound expressions are formed with the prefix operators & and !.

(&(lastName=Davis))  Locate users that have the surname Davis.

If both operators are required then & expressions must precede ! expressions.

(&(lastname=a*)(!(building=42)(building=43)))  Locate all users with lastname starting with "a" that are not in building 42 or 43.
memberof=CN=RAS,CN=Users,DC=dev,DC=com  Locate all users that are a member of group CN=RAS,CN=Users,DC=dev,DC=com.

Page 55

Nested Group Support

To support searching of nested groups, an OID value is used in the filter statement. Searching for nested groups is only supported on Microsoft Windows 2003 Server with SP2 installed and Microsoft Windows 2008 Server.

By adding the value 1.2.840.113556.1.4.1941: to the filter statement, all users who are members of the selected group will be returned, whether they are a direct member of the selected group or are members of a nested group.

Example
memberof:1.2.840.113556.1.4.1941:=CN=RAS,CN=Users,DC=dev,DC=com
Locate all users that are a member of group CN=RAS,CN=Users,DC=dev,DC=com.

Note: Computer accounts are ignored.

Click on the "Find Unmanaged Users" button. The following screen is displayed. These users can then be listed to a file to allow additional checks before progressing. Click the "List selected users to a file" button shown in step 2.

Step 3
The next operation is to select which medium is to be used for the deployment, either SMS or Email. If email is chosen, the SecurEnvoy server must be configured appropriately (see Section "4 Configuration"). In addition, your company SMTP server must be set up to relay from the SecurEnvoy server.

Page 56

Click either the "Find mobiles" or the "Find emails" button. The following "progress" screen is displayed.

There are numerous possible outcomes; the following are some examples:

Example 1
100 users are listed in step 2; however, only 60 users have a mobile from step 3. Users with missing mobile numbers can therefore be listed by clicking "List missing to file" and then checked and updated accordingly. The deployment can continue with only 60 users, or can be restarted to allow for all 100 users to be deployed.

Example 2
100 users are listed in step 2; however, 0 users have a mobile from step 3. Users with missing mobile numbers can therefore be listed by clicking "List missing to file" and then checked and updated accordingly. Alternatively, the users with a missing mobile can be deployed via email if they have a valid email address. The user will receive an email with a URL and a one time passcode.

Step 4
Select either "Deploy via SMS" or "Deploy via email". If deploying via email, you have the ability to change the default message that is emailed to the selected users; click "Edit email message". The Deployment Wizard will now run. Any errors will be displayed within the "Failures" screen.

Page 57

"Other Tools" brings additional functionality to the Deployment Wizard. It is made up of four parts; these are:

Count uncompleted user enrollments  Find and display the number of users who have part enrolled or who have not enrolled.
Resend email to uncompleted enrollments  Resend the email enrollment request to the users who have not enrolled or have part enrolled.
Find managed users  Find and display the number of users who are managed upon the system for 2FA.
Unmanage selected users  Unmanage the selected users.

Note: When un-managing users, if you do not specify a search base or search filter then all SecurEnvoy managed users will be unmanaged!

Note: Warning: Caution should be used with this tool as hundreds of users can be unmanaged within one minute!

7.2 Deployment Wizard command line options

The following command line options are available:

/auto  Must be set to use command line options
/default=one, realtime, day or ice  Optional, step 1 settings, default is one time code
/day=(number of days)  Required if /default=day, number of days between each code
/domain=(Domain name)  Optional, defaults to primary domain
/base=(DN)  Optional, location in tree to search, default top
/filter=(filter text)  Optional, the search filter, default is no filter
/deploy=sms, email  Optional, step 3 & 4 deployment method, default is sms
/unmanage  Optional, if set will un-manage all selected users
/hidegui  Optional, if set will hide the graphical interface
/listtofile=(file name)  Optional, if set will list selected users to this file
/findmanaged  Optional, finds managed users
/debug  Optional, if set will enable debug

It is strongly recommended that you check the settings and filter are correct with the Deployment Wizard GUI before using the command line.

Page 58

Example 1
Deploy to all users that are a member of the Windows group RAS in the domain dev.com:
deploy.exe /auto /filter=memberof=CN=RAS,CN=Users,DC=dev,DC=com /deploy=email

Example 2
Remove all managed users that leave the Windows group RAS:
deploy.exe /auto /filter=!memberof=CN=RAS,CN=Users,DC=dev,DC=com /unmanage
Note: "!" means not a member of the group.

Nested Group Support

To support searching of nested groups, an OID value is used in the filter statement. Searching for nested groups is only supported on Microsoft Windows 2003 Server with SP2 installed and Microsoft Windows 2008 Server.

By adding the value 1.2.840.113556.1.4.1941: to the filter statement, all users who are members of the selected group will be returned, whether they are a direct member of the selected group or are members of a nested group.

Example 3
Deploy to all users that are a member of the Windows group RAS in the domain dev.com:
deploy.exe /auto /filter=memberof:1.2.840.113556.1.4.1941:=CN=RAS,CN=Users,DC=dev,DC=com /deploy=email

Example 4
Remove all managed users that leave the Windows group RAS:
deploy.exe /auto /filter=!memberof:1.2.840.113556.1.4.1941:=CN=RAS,CN=Users,DC=dev,DC=com /unmanage
Note: "!" means not a member of the group.

Page 59

7.3 Automatic Group Deployment

The Automatic Group Deployment is an embedded feature that allows simple ongoing provisioning of users: a dedicated group of users (only one group per domain is supported) is monitored, and any user added to this group is automatically deployed with the options set in the GUI. If a user is removed from the group, they are automatically unmanaged.

The following options are able to be set:

Enable Automatic Deployment  Enables or disables the automatic deployment option; an additional setting allows a time in (n) minutes to be set. This is how often the Automatic Deployment should check for users being added to or removed from the group.

Deployment Type
ICE (In Case of Emergency)  For emergency users, business continuity, disaster recovery.
Send Passcodes to Mobile / Email  A user will stay explicit to the mode of deployment: if deployed with a passcode to mobile, they will always receive a passcode via SMS, as long as the mobile attribute is populated. If not, the system will check and then deploy the user by email; the user will then follow the enrolment instructions in the email to update their own mobile number into SecurEnvoy. If a user is deployed via email, they will always stay in this mode.
One Time Code / Real time  Select users to have a One Time passcode in "Pre-Load" mode or use "Real time delivery".
Soft Token  Users are deployed with an enrolment message to set up their soft token.
VOICE Token  Users are deployed with an enrolment message to set up their VOICE token.
Day Code  Users are deployed with a Day Code; the code refresh in (n) days can be set. This is a global setting for all deployed users.

NOTE: The mobile or email attribute must be populated.

Note: If a group is declared in the Automatic Group Deployment option, the user will be enabled and provisioned or unmanaged depending on whether they are a member of the declared group. If "Allow any group" is selected, all users in the domain will be provisioned. Caution: this could cause a high number of users to be provisioned.

Page 60

Chapter 8
SecurAccess Radius

Page 61

8 Configuring RADIUS clients

Use this window to define your RADIUS client's IP address, shared secret, default domain and any dictionary profile settings.

Supported RADIUS functions:
Basic password authentication via the attribute "User-Password"
Profiles that apply to all users

Unsupported RADIUS functions:
Accounting
Profiles that map to one or more users but not all of them
MSChapV2 authentication

Note: If user profiles or accounting are required, it is recommended that an additional third party RADIUS server such as Funk's Steel Belt RADIUS or Cisco's ACS RADIUS server is used. See http://www.funk.com/ or http://www.cisco.com. To authenticate users via Steel Belt or Cisco's proxy RADIUS, configure it to pass RADIUS authentication requests to SecurEnvoy's RADIUS server; this allows you to manage accounting and user profiles within Steel Belt or Cisco ACS.

To configure RADIUS clients, select the Radius tab.

NAS IP Address
This is the IP address of the RADIUS client that will be sending RADIUS authentication requests. It must be entered in the format xxx.xxx.xxx.xxx or default. If "default" is used as the IP address, all unknown RADIUS client IP addresses will use these settings.

Note: If the security server has more than one network interface card, SecurEnvoy's RADIUS service will start a listener on each of them.

Page 62

Managed Shared Secret
This is a secret (password) that must be entered exactly the same at both the RADIUS client end and in this entry box. If this secret is not entered the same at both ends, the SecurEnvoy RADIUS server will ignore the incoming network packet.

Note: SecurEnvoy support the use of ASCII 127 for the shared secret; extended characters (ASCII 128) such as £ signs are not supported. Also note that some RADIUS clients have limitations on the length of the shared secret.

Authenticate Passcode Only
If this check box is selected then only the 6 digit passcode will be authenticated. This option should only be used if the RADIUS client has already authenticated a password or PIN and only requires the second factor to be checked by this server.

Handle all passcode types in the same way as "Real Time Codes"
This setting will instruct the SecurEnvoy RADIUS server to challenge-response all authentications. The user will then log in with UserID and PIN/Password, after which they will be challenged for the passcode, irrespective of the mode of operation (Pre Load OTP, Day code, TMP code).

Note: This option will only work if "Real time passcodes" are enabled within Section 4 Configuration.

Default Domain
If the UserID does not include a domain name then the selected domain name will be used. Alternatively you can select "search"; SecurEnvoy will then process each valid configured domain until a match is found for the UserID. This works well in environments that have network equipment that removes the domain portion of the UPN or domain NetBIOS logon.

Note: Selecting "Search" as the default domain MUST only be used for up to 5 domains, as each domain may take up to 2 seconds to reply. The UserID must be unique across all domains being searched.

Allow These Domains
If this is set then users can only authenticate to the selected domain name(s). This is ideal for managed service providers that do not wish customers from one domain to cross over to other customer domains.

Only Allow Users that are in the LDAP group
SecurEnvoy can only authenticate users if they are a member of a specific LDAP group. Click the "Change Group" button to select the desired group from the available LDAP domain groups. Settings allow for a single selected LDAP group or any LDAP group membership.

Page 63

Override Customer name in SMS message
Enter the text that you wish to supply within the passcode message. Leave blank for the default message.

Passback data to Radius client in Attribute
Configure single sign-on and group membership via RADIUS attribute 25 (Default port); please see your network vendor documentation for use of this RADIUS attribute. Settings are:
No information passed back
Password is passed back
LDAP group members are passed back; this can be the FQDN or the short NetBIOS naming convention.
User UPN can be passed back; this allows user to application mapping.

Trusted networks
Declare trusted networks that do not require a 2FA logon experience. Space separated IPs (Example 10.* 192.168.1.1). The NAS must send the IP address in attribute 31.

Blocked networks
Declare blocked networks that are not allowed to authenticate against the SecurEnvoy RADIUS server; this could be due to a brute force attack or DoS attack against RADIUS. Any request from these networks is dropped and not processed. Space separated IPs (Example 10.* 192.168.1.1). The NAS must send the IP address in attribute 31.

Attributes (Not displayed by default)
To display the Attribute settings, select Config from the menu and check "Radius Attributes" in the Admin GUI section.

The RADIUS standard uses lists of agreed settings called dictionaries; SecurEnvoy is installed with a list of the main dictionaries. This can be viewed by selecting the link radius.dct. The main file is RADIUS.dct. Also included are most manufacturers' published extensions. See the following examples for details of how to enter attributes.

Example 1
You wish to add the standard attribute "Framed-Protocol" and set it to "PPP".
For 32 bit installations: open the file Program Files\SecurEnvoy\Security Server\Data\RADIUS\DICT\RADIUS.dct
For 64 bit installations: open the file Program Files(x86)\SecurEnvoy\Security Server\Data\RADIUS\DICT\RADIUS.dct
Locate the line that contains Framed-Protocol. This line defines the Number (7) and Type (number). Below this line are the values that can be set; PPP has a VALUE of 1.
In the GUI admin window enter the following:
At the column Number enter 7
Ignore the column VendorID
At the column Type select Number
At the column Value enter 1

Page 64
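The following Python is added here and is not part of SecurEnvoy's product. It walks the RADIUS client settings above through a constructed Access-Request: the User-Password attribute hidden with the shared secret as RFC 2865 specifies (so a mismatched secret yields unusable bytes and the request fails), the combined password+passcode field shown later under Test Logon, and the trusted/blocked network patterns checked against attribute 31 (Calling-Station-Id). The `decide` function, its decision strings and all addresses and credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from fnmatch import fnmatch

ACCESS_REQUEST = 1
# Attribute numbers from RFC 2865; 31 is Calling-Station-Id, the attribute the page
# says the NAS must send for the trusted/blocked network checks.
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; a wrong shared secret yields unrelated bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, client_ip, authenticator=None):
    """NAS side: Access-Request carrying User-Name, User-Password and Calling-Station-Id."""
    authenticator = authenticator or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
             (CALLING_STATION_ID, client_ip.encode())]
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    """Split a RADIUS packet into code, identifier, authenticator and {type: value}."""
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[pos + 2:pos + ln]
        pos += ln
    return code, ident, pkt[4:20], attrs


def in_networks(ip: str, patterns: str) -> bool:
    """Space separated patterns as entered in the GUI, e.g. "10.* 192.168.1.1"."""
    return any(fnmatch(ip, p) for p in patterns.split())


def decide(pkt, nas_ip, clients, credentials, trusted="", blocked=""):
    """Server side. clients: {NAS IP or "default": shared secret};
    credentials: {user: (password or PIN, current passcode)}. Returns the decision as text."""
    secret = clients.get(nas_ip, clients.get("default"))
    if secret is None:
        return "ignored: unknown NAS"
    code, _, authenticator, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return "ignored: not a usable Access-Request"
    client_ip = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    if in_networks(client_ip, blocked):
        return "dropped: blocked network"
    user = attrs[USER_NAME].decode(errors="replace")
    if user not in credentials:
        return "reject: unknown user"
    password, passcode = credentials[user]
    # Trusted networks skip the 2FA step; everyone else sends password+passcode in one field.
    expected = password if in_networks(client_ip, trusted) else password + passcode
    supplied = reveal_password(attrs[USER_PASSWORD], secret, authenticator)
    return "accept" if hmac.compare_digest(supplied, expected.encode()) else "reject: bad credentials"
```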

Example 2
You wish to add the vendor specific Ascend attribute "Ascend-VSA-PPP-Circuit-Name" and set it to "No-Circuit".
For 32 bit installations: open the file Program Files\SecurEnvoy\Security Server\Data\RADIUS\DICT\ascend_VSA.dct
For 64 bit installations: open the file Program Files(x86)\SecurEnvoy\Security Server\Data\RADIUS\DICT\ascend_VSA.dct
Locate the line that contains Ascend-VSA-PPP-Circuit-Name. This line defines the Number (26), VendorID (529-6) and Type (String). Below this line is the VALUE No-Circuit, with a value of 0.
In the GUI admin window enter the following:
At the column Number enter 26
At the column VendorID enter 529-6
At the column Type select String
At the column Value enter 0

Note: In general all vendor specific data should start with Number 26; however some vendors' dictionaries override RADIUS.dct and should be entered in the same way as Example 1.

Example 3 Configuration of Routing and Remote Access - RRAS

Windows 2003 Server SP1 - IPSec VPN
1. Install the Routing and Remote Access service if not already installed.
2. Launch the Routing and Remote Access MMC, select the server and click "Configure and Enable Routing and Remote Access".
3. Follow the wizard and set up for VPN access, configured for IPSec VPN. Start the RRAS service.
4. Select the server within the RRAS MMC and go to Properties.
5. Select Security, select RADIUS as the Authentication provider and select Configure. Populate with the RADIUS information. The timeout should be at least 10 seconds.
6. Select Authentication methods, deselect all, and enable only the PAP protocol.
7. Restart the RRAS service.

Client Windows XP SP2
1. Run the new network connection wizard and select VPN.
2. Go to Properties, select the Security tab, select Advanced, and go to Settings.
3. Change Data encryption to "Optional encryption", and select only PAP for protocols.
4. Enter the pre-shared key for the IPSec settings.

Configuration of SecurEnvoy
To help facilitate an easy to use environment, SecurEnvoy can utilise the existing Microsoft password as the PIN. This allows the users to only remember their domain password. SecurEnvoy supplies the second factor of authentication, a dynamic one time passcode (OTP) which is sent to the user's mobile phone.

Page 65

Launch the SecurEnvoy admin interface by executing the Local Security Server Administration link on the SecurEnvoy Security Server.

Click "Config". Select "Windows - Microsoft Password is the PIN" under PIN Management. This will now use the user's existing password as the PIN. Click "Update" to confirm the changes.

Click the "Radius" button. Enter the IP address and shared secret for each server that has Routing and Remote Access installed and wishes to use SecurEnvoy two-factor authentication. Click "Update" to confirm the settings.

Click "Logout" when finished. This will log out of the administrative session.

Test Logon
Enter the UserID in the Username field.
Enter the password and passcode in the password field, e.g. P4ssw0rd678123

Page 66

Chapter 9
Migration

Page 67

9 Migration

SecurEnvoy has the ability to provide a "Migration" path from existing authentication methods. Two types of "Migration" are supported: existing passwords and existing third party tokens.

Migration of Passwords
To support users with existing passwords, the VPN/SSL device is reconfigured to pass all authentication requests to the SecurEnvoy server. If the user is not configured upon SecurEnvoy and is a member of the "sepasswordonly" group, the user credentials are checked against the existing LDAP account.

Supported LDAP types are Microsoft Active Directory, Novell e-Dir, Sun Directory Server and Linux OpenLDAP.

A group called sepasswordonly must be created upon the directory server. Users who are required to authenticate with a username and password must be added to the sepasswordonly group. See Section 4 for configuration settings.

[Figure: Existing Password Deployment. Internet > VPN/SSL (DMZ) > SecurEnvoy; Internal LAN: Microsoft Domain Controllers, Microsoft Exchange mail servers, file and print servers. All user authentication is passed to SecurEnvoy; if the user is not configured upon SecurEnvoy and is part of the "sepasswordonly" group, the request is authenticated using the existing credentials.]

Page 68

Migration of existing third party Token Server
To support users with an existing third party token server, the VPN/SSL device is reconfigured to pass all authentication requests to the SecurEnvoy server. If the user is not configured upon SecurEnvoy, the request will then be forwarded to the configured "Token server". Only the RADIUS protocol is supported for an existing third party token server.

Supported token servers: any token server that uses the RADIUS protocol for authentication.

[Figure: SecurEnvoy Migration Support. Internet > VPN/SSL (DMZ), reconfigured to send all authentication requests to the SecurEnvoy server; Internal LAN: SecurEnvoy server, existing token server, Microsoft Domain Controllers, Microsoft Exchange mail servers, file and print servers. All user authentication is passed to SecurEnvoy; if the user is not configured upon SecurEnvoy, the request is forwarded to the existing token server via RADIUS.]

See Section 4 for configuration settings.

Page 69

Chapter 10
Resilience

Page 70

10 Resilience

SecurAccess
Each SecurAccess Agent or RADIUS client can be configured for up to 2 Security Servers. Each Security Server can be configured for up to two LDAP servers. The following diagram illustrates a typical resilient design with two VPN servers (RADIUS clients). For most large user deployments, only 2 servers are required. Additional servers are only required where limited network connectivity exists to the RADIUS client.

SMS Gateway Resilience
When two security servers are installed with one SMS phone gateway modem or one SMS Web Gateway on each server, the following failover logic occurs: if one of the web gateways or phone modems fails to connect, this server will fail over incoming authentication requests to the next configured security server and its working SMS gateway. The failed SMS gateway will be polled every 60 seconds to see if the fault has cleared. Once the fault has been resolved, the gateway will automatically detect that the web or modem is now working and allow authentication requests.

If the Phone SMS gateway and Web SMS gateway are both installed on the same security server, then priority can be given to the phone or web gateway, and if one of them fails the other gateway service will automatically become enabled.

Page 71

Setting up Multiple Security Servers
Multiple security servers must share the same security encryption key (config.db). To install additional security servers, do the following:

1. Run the Security Server's setup.exe install program on the next required server.
   1.1 Select "Additional server".
2. Press the "Upload config.db" button and browse to the config.db file on the first security server you installed. The default location for this file is, for 32 bit installations, C:\Program Files\SecurEnvoy\Security Server\ and for 64 bit installations C:\Program Files(x86)\SecurEnvoy\Security Server\. Carry out the same task for the "server.ini" file.

Note: Each SecurEnvoy security server will use a local.ini file and a server.ini file; this has been created to assist deployments where multiple SecurEnvoy servers exist. The local.ini file stores data regarding local configuration details. The server.ini file stores data that are global configuration details.

3. Start the Admin GUI on this new server and select the menu "Config". Match any changes made so that all servers have the same configuration settings.

Additional servers MUST share the same SecurEnvoy administration account for each domain they manage.

The Batch Server start times must be set to start at the same time, allowing for any local time zone changes. Multiple batch server processes must run within 10 minutes of each other or multiple day codes may be sent to end users.

Page 72

10.1 Resilience (Batch Server Logic)

SecurEnvoy Batch Server
This Windows service is only required for the SecurAccess, SecurMail and SecurPassword products. It handles users set to TMP MODE and DAY MODE and carries out an absolute license count check. Every 24 hours at a defined time, it checks all users in LDAP and, if required, sends them the next required passcode. In the case of TMP MODE, it counts down the number of days this user is allowed to be in TMP MODE. When zero is reached, the user is automatically switched back to ONE TIME CODE and sent a new passcode.

The Batch Server can also delete any emails that have resided upon the SecurMail server. If the email message is older than the defined limit, it will be deleted. (Controlled in x days.)

Multiple Batch Server Logic
Multiple security servers that have more than one batch server running have additional logic built into the operation. It works as follows. Each server first checks the last run date from the LDAP attribute Primary TelexNumber for the Admin user's account. If a server has not run in the last 15 minutes, it then requests a lock by generating a unique 8 digit lock code and writing it to the above LDAP attribute for the Admin user. It then waits a 30 second period to allow Active Directory (LDAP) to replicate completely. If the same lock code is read back then the batch server runs; if it reads a different lock code then one of the other servers has also requested a lock and will run instead.

Multiple Batch Server Pre-requisites
All Batch Servers that manage the same domain and search base of users MUST have the same run time and period set. The clocks of these servers should not be more than 10 minutes adrift from each other.

10.2 Resilience (RADIUS)

SecurEnvoy Radius Server
To provide resilience for RADIUS clients, the NAS folder can be copied from the first SecurEnvoy server to each subsequent SecurEnvoy server that is deployed. Make sure that each RADIUS client is updated with the correct IP address of each SecurEnvoy replica server.

The NAS folder can be found at the following location:
For 32 bit installations: Program Files\SecurEnvoy\Security Server\Data\RADIUS\DICT\RADIUS\NAS
For 64 bit installations: Program Files(x86)\SecurEnvoy\Security Server\Data\RADIUS\DICT\RADIUS\NAS

Page 73
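To make the Multiple Batch Server Logic of section 10.1 concrete, this added Python (not the product's code) simulates two batch servers contending for the Primary TelexNumber lock at the same scheduled time, and then a server whose clock breaches the 10 minute prerequisite. The 15 minute staleness limit, 8 digit lock code and 30 second wait follow the text; the shared attribute is assumed to be fully replicated once the wait elapses, with the last write winning.

```python
import random

STALE_AFTER_SECONDS = 15 * 60   # a recorded run younger than this means another server has run
REPLICATION_WAIT = 30           # seconds allowed for the directory to replicate the lock code


class SharedAttribute:
    """Stands in for the Admin user's Primary TelexNumber attribute as seen after replication:
    every server reads the same value and the last write wins."""

    def __init__(self):
        self.last_run = 0
        self.lock_code = ""


class BatchServer:
    def __init__(self, name, attribute, rng, clock_skew=0):
        self.name = name
        self.attr = attribute
        self.rng = rng
        self.skew = clock_skew      # seconds this server's clock is ahead of true time
        self.runs = []              # times (by its own clock) at which this server ran

    def request_lock(self, true_time):
        """Steps 1 and 2: stand down if a run is recorded within 15 minutes,
        otherwise write a fresh 8 digit lock code to the shared attribute."""
        now = true_time + self.skew
        if now - self.attr.last_run < STALE_AFTER_SECONDS:
            return None
        code = f"{self.rng.randrange(10 ** 8):08d}"
        self.attr.lock_code = code
        return code

    def confirm_and_run(self, code, true_time):
        """Step 3, after the replication wait: run only if our own code survived."""
        if code is None or self.attr.lock_code != code:
            return False            # another server's code overwrote ours; it runs instead
        now = true_time + self.skew
        self.attr.last_run = now
        self.runs.append(now)
        return True


def make_server(name, attribute, seed, clock_skew=0):
    """Deterministic server for simulation; the seed only drives the lock code."""
    return BatchServer(name, attribute, random.Random(seed), clock_skew)


def batch_cycle(servers, true_time):
    """One scheduled run time: all servers read and request in order, the replication wait
    passes, then all servers read back. Returns the names of the servers that ran."""
    codes = {s.name: s.request_lock(true_time) for s in servers}
    after_wait = true_time + REPLICATION_WAIT
    return [s.name for s in servers if s.confirm_and_run(codes[s.name], after_wait)]
```

With the clocks in step exactly one server runs per cycle; the skewed server in the test shows why a drift beyond the stated limit can produce a second run and hence duplicate day codes.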

10.3 Resilience (Server.ini)

Server.ini - Global settings
If any configuration changes are made upon one of the SecurEnvoy servers, it may be necessary that these changes are replicated around each of the SecurEnvoy servers that are deployed. One example is if a new domain was added into the configuration. As the server.ini file only holds global information, the file can be copied to each SecurEnvoy server.

Note: All SecurEnvoy servers should be at the same software revision level.

The server.ini file is located at:
For 32 bit installations: Program Files\SecurEnvoy\Security Server\
For 64 bit installations: Program Files(x86)\SecurEnvoy\Security Server\

The configuration changes are automatically detected and used.

Page 74

Chapter 11
Web SMS Templates

Page 75

11 Web SMS Templates

A web template allows configuration to any third party web SMS provider; all that is required is that the web SMS provider accepts an http(s) POST or GET statement or an XML POST.

Requirements
The selected third party gateway MUST support https, as encryption of passcode SMS messages sent across the internet is mandatory.

In addition, for an enhanced end user experience, message overwrite (Protocol ID 61-67) should also be supported. Message overwrite allows new passcode messages to overwrite old SMS messages from the same sender's address. This feature removes the burden of deleting used SMS passcode messages from the end user's phone.

File Location
The main control file MUST end in _control.txt and should be located in Data\WEBSMSTEMPLATE.

Control File Selection
The registry key "HKLM\Software\SecurEnvoy\WebSMS Gateway\TemplateFile" should be set to the file name of the control file.

Control File Settings

Init File (POST Data)
The following dynamic strings will be replaced:
#USERID#  UserID for authenticating with the gateway
#PASSWORD#  Password for authenticating with the gateway

Send File (POST Data)
The following dynamic strings will be replaced:
#USERID#  UserID for authenticating with the gateway
#PASSWORD#  Password for authenticating with the gateway
#MOBILENUMBER#  Mobile number
#SOURCEADDRESS#  Source address
#MESSAGE#  SMS message to send
#10DIGITID#  Unique 10 digit code
#OVERWRITE#  Overwrite string for setting overwrite last message
#FLASH#  Flash string to flash the message on screen (Real Time Passcodes only)

InitURI
The following dynamic strings will be replaced:
#USERID#  UserID for authenticating with the gateway
#PASSWORD#  Password for authenticating with the gateway

Page 76

SendURI
The following dynamic strings will be replaced:
#USERID#         UserID for authenticating with the gateway
#PASSWORD#       Password for authenticating with the gateway
#MOBILENUMBER#   Mobile number
#SOURCEADDRESS#  Source address
#MESSAGE#        SMS message to send
#10DIGITID#      Unique 10 digit code
#OVERWRITE#      Overwrite string for setting overwrite of the last message

Certificate Enrolment

1. Create a policy request file called c:\certpol.txt and add the following:
   [NewRequest]
   Subject="cn=SecurEnvoy,o=SecurEnvoy,ou=SecurEnvoy"
   RequestType=pkcs10
   Exportable=TRUE
2. Create the pkcs#10 certificate request in a cmd window:
   certreq -v -New c:\certpol.txt c:\certreq.txt
3. After the third party SMS Gateway CA has signed this request, import the user certificate and the root certificate.
4. Move the cert and private key to the local machine store as follows:
   With IE6, export the cert and private key to cert.pfx
   Start mmc with the certificate plug-in for the local machine
   Right click "Personal/Certificates", "All Tasks/Import"
   Import cert.pfx
5. With the mmc certificate plug-in, select this cert and export the cert without the private key to:
   For 32 bit installations: c:\program files\SecurEnvoy\Security Server\DATA\WEBSMSTEMPLATE\clientcert.cer
   For 64 bit installations: c:\program files(x86)\SecurEnvoy\Security Server\DATA\WEBSMSTEMPLATE\clientcert.cer

Message Text Encoding

SMS messages can be encoded before they are substituted into the #MESSAGE# string.
Leave blank for no encoding.

URL
Characters are URL encoded with UTF8.

HexIA5
Characters are converted to a 2 digit hex ASCII code and the following are converted to IA5:
@ = 00
$ = 02
LineFeed = 0A
CR = 0D

XMLGSM
The following characters are converted, then the message is urlencoded:
' = &apos;
" = &quot;
& = &amp;
> = &gt;
< = &lt;
LineFeed = &#x000A;
CR = &#x000D;

XMLONLY
The following characters are converted (not url encoded):
' = &apos;
" = &quot;
& = &amp;
> = &gt;
< = &lt;
LineFeed = &#013;

Document Encoding
Post document data can be encoded; valid options: URL

URL
Characters are URL encoded with ISO-8859-1.
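As an added example (not SecurEnvoy's code and not part of the original guide), the following Python applies the dynamic string substitution and the Message Text Encoding modes described above to a constructed send file template. The gateway parameter names and the sample values are assumptions; a real control file uses whatever names the chosen gateway documents.

```python
import re
from urllib.parse import quote

# Constructed send-file template; the parameter names (user, password, to, ...) are
# hypothetical. Only the #NAME# dynamic strings come from the guide.
SEND_FILE_TEMPLATE = (
    "user=#USERID#&password=#PASSWORD#&to=#MOBILENUMBER#&from=#SOURCEADDRESS#"
    "&text=#MESSAGE#&ref=#10DIGITID#&pid=#OVERWRITE#"
)

# Constructed values for the dynamic strings listed on this page.
SAMPLE_VALUES = {
    "USERID": "gatewayuser",
    "PASSWORD": "gatewaypass",
    "MOBILENUMBER": "447700900123",   # UK reserved test-number range
    "SOURCEADDRESS": "SecurEnvoy",
    "MESSAGE": "Your passcode is 123456",
    "10DIGITID": "1234567890",
    "OVERWRITE": "65",                # a Protocol ID in the 61-67 overwrite range
}

PLACEHOLDER = re.compile(r"#[A-Z0-9]+#")


def missing_placeholders(template, values):
    """List the #NAME# strings in the template that have no value to substitute."""
    return sorted({p for p in PLACEHOLDER.findall(template) if p.strip("#") not in values})


def expand_template(template, values):
    """Substitute every dynamic string. A placeholder with no value is an error:
    a mistyped control file must not send a literal '#MESSAGE#' to the gateway."""
    missing = missing_placeholders(template, values)
    if missing:
        raise KeyError(f"no value for {missing}")
    for name, value in values.items():
        template = template.replace(f"#{name}#", value)
    return template


def encode_url_utf8(message):
    """URL: every reserved or non-ASCII character is %-escaped as UTF-8 bytes."""
    return quote(message, safe="", encoding="utf-8")


# GSM IA5 codes that differ from ASCII for the characters the guide lists.
GSM_IA5 = {"@": 0x00, "$": 0x02, "\n": 0x0A, "\r": 0x0D}


def encode_hex_ia5(message):
    """HexIA5: two hex digits per character, ASCII except for the IA5 remaps."""
    out = []
    for ch in message:
        code = GSM_IA5.get(ch, ord(ch))
        if code > 0x7F:
            raise ValueError(f"{ch!r} has no 2 digit IA5 code")
        out.append(f"{code:02X}")
    return "".join(out)


def _xml_escape(message, linefeed, cr=None):
    # '&' must be escaped first, or the '&' of '&apos;' etc. would be escaped twice.
    for raw, esc in (("&", "&amp;"), ("'", "&apos;"), ('"', "&quot;"), (">", "&gt;"), ("<", "&lt;")):
        message = message.replace(raw, esc)
    message = message.replace("\n", linefeed)
    if cr is not None:
        message = message.replace("\r", cr)
    return message


def encode_xmlgsm(message):
    """XMLGSM: XML entity escaping, then the whole message is URL encoded."""
    return quote(_xml_escape(message, "&#x000A;", "&#x000D;"), safe="")


def encode_xmlonly(message):
    """XMLONLY: entity escaping only; the guide maps LineFeed to &#013; and gives no CR rule."""
    return _xml_escape(message, "&#013;")


ENCODERS = {"": lambda m: m, "URL": encode_url_utf8, "HexIA5": encode_hex_ia5,
            "XMLGSM": encode_xmlgsm, "XMLONLY": encode_xmlonly}


def build_send_data(template, values, message_text_encoding=""):
    """Encode #MESSAGE# with the configured Message Text Encoding, then expand the template."""
    values = dict(values, MESSAGE=ENCODERS[message_text_encoding](values["MESSAGE"]))
    return expand_template(template, values)


if __name__ == "__main__":
    for mode in ENCODERS:
        print(mode or "(none)", "->", build_send_data(SEND_FILE_TEMPLATE, SAMPLE_VALUES, mode))
```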

Chapter 12
SecurMail Administration

12 SecurMail Administration

Launch the SecurEnvoy Admin GUI and select the SecurMail tab. The following screen is displayed.

Searching for "Senders" will display all users who are configured and have sent a SecurMail. Users that are displayed after searching can be deleted and removed from the system.

Searching for "Recipients" will display users who have been sent a SecurMail in "Auto Enrol and Store" mode. Clicking a Recipient search result will display their associated mailbox and provide additional management options:
 The mailbox can be enabled and disabled
 The mobile number can be updated
 The failed login count can be reset, as after 10 consecutive bad authentications the mailbox is locked
 The passcode can be resent via SMS
 A static password can be applied to the mailbox

12.1 SecurMail Virus Checking Integration

Emails sent via the "Send Secure" button in Outlook are uploaded to the Security Server and stored in an encrypted state. Virus software deployed on the security server would not be able to check these messages as they are encrypted, so any virus checking must be integrated into the security server.

If virus checking is enabled, the message subject, body and any attachments are submitted to a third party virus scanning engine after they are uploaded and before they are encrypted.

If a virus is found, a warning message is displayed at the Outlook agent and sending this email is aborted.

SecurMail can integrate with any third party virus software that supports a command line interface and will delete infected files.

The following products have been tested:
Symantec Scan Engine V4.30
Trend Micro Office Scan Corporate Edition 6.5

Integration procedure

Step 1 Install the third party virus checker on the Security Server.
Step 2 Start a command window (cmd).
Step 3 Test the third party's recommended command line program with a test document and note the response for a clean file.
Step 4 Test the third party program with a test infected file. Note that non-harmful test viruses can be downloaded from www.rexswain.com/eicar.html. Check that the file is deleted.
Step 5 Update the settings in the server.ini file as detailed below.
Step 6 If disk virus checking is performed, change the virus checker's configuration to ignore the DATA directory, located by default at:
For 32 bit installations: c:\program files\SecurEnvoy\Security Server\DATA
For 64 bit installations: c:\program files(x86)\SecurEnvoy\Security Server\DATA
Step 7 Recipient reply emails. Reply emails are forwarded as is with no checking. Make sure the MailHost configured in is set such that emails still pass through any email virus checking gateway that you have installed.

The virus settings of SecurMail are located in the server.ini file in:
For 32 bit installations: c:\program files\SecurEnvoy\Security Server\
For 64 bit installations: c:\program files(x86)\SecurEnvoy\Security Server\

SecurMail settings are located in the SecurMail section:

Virus_Checking       Can be set to True or False. Default: False. If set to True, will run the program Virus_Command with the arguments Virus_Command_Args after the Outlook agent has uploaded the message body or attachments.
Virus_Command        The full path to the third party virus checking program.
Virus_Command_Args   The arguments required to pass to the checking program defined in Virus_Command. Note that $FILENAME$ must be used in place of the test document you checked.
Virus_Return         The return message displayed if execution worked and no viruses are found.

Example 1
Integration with Symantec's Scan Engine V4.30

Virus_Command=
For 32 bit installations: c:\program files\Symantec\Scan Engine\savsecls\savsecls.exe
For 64 bit installations: c:\program files(x86)\Symantec\Scan Engine\savsecls\savsecls.exe
Virus_Command_Args=-verbose $FILENAME$
Virus_Return=0

Example 2
Integration with Trend Micro's Office Scan Corporate Edition 6.5 with the virus definition file lpt$vpn.335

Virus_Command=
For 32 bit installations: c:\program files\Trend Micro\OfficeScan\PCCSRV\Engine\vscanwin32.com
For 64 bit installations: c:\program files(x86)\TrendMicro\OfficeScan\PCCSRV\Engine\vscanwin32.com
Virus_Command_Args=
For 32 bit installations: /D /NM /NB /C /P"c:\program files\Trend Micro\OfficeScan\PCCSRV\lpt$vpn.335" $FILENAME$
For 64 bit installations: /D /NM /NB /C /P"c:\program files(x86)\Trend Micro\OfficeScan\PCCSRV\lpt$vpn.335" $FILENAME$
Virus_Return=1 files have been checked
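Added example (not SecurEnvoy's code): the virus checking contract described above, driven from a constructed [SecurMail] section of server.ini. The scanner here is a stand-in Python script written to a temporary directory that deletes files containing a marker string; a real deployment points Virus_Command at the third party scanner as in Examples 1 and 2.

```python
import configparser
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed stand-in for a command line scanner that deletes infected files.
# It "detects" a marker string instead of real malware so the example runs offline.
FAKE_SCANNER_SOURCE = '''import os, sys
path = sys.argv[-1]
with open(path, "rb") as f:
    data = f.read()
if b"CONSTRUCTED-INFECTED-MARKER" in data:
    os.remove(path)
    print("1 infected file deleted")
else:
    print("1 files have been checked")
'''


def load_virus_settings(ini_text):
    """Read the SecurMail virus settings from server.ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    sec = cp["SecurMail"]
    return {
        "enabled": sec.getboolean("Virus_Checking", fallback=False),
        "command": sec["Virus_Command"],
        "args": sec["Virus_Command_Args"],
        "expect": sec["Virus_Return"],
    }


def scan_upload(settings, path):
    """Run Virus_Command on an uploaded file; return 'clean', 'infected', 'error' or 'skipped'.

    Mirrors the integration contract on this page: $FILENAME$ is replaced by the
    uploaded file, an infected file is recognised by the scanner deleting it, and a
    clean result requires Virus_Return to appear in the output (or to equal the exit
    code, as in the Symantec example). Anything else is an error, and an error must
    abort the send rather than let the message through unchecked."""
    if not settings["enabled"]:
        return "skipped"
    # posix=False keeps backslashes intact in Windows paths such as Example 2's.
    args = shlex.split(settings["args"], posix=(os.name != "nt"))
    argv = [settings["command"]] + [a.replace("$FILENAME$", path) for a in args]
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    except (OSError, subprocess.TimeoutExpired):
        return "error"          # scanner missing, not executable, or hung
    if not os.path.exists(path):
        return "infected"       # the scanner deleted the file
    expect = settings["expect"]
    if expect in proc.stdout or expect == str(proc.returncode):
        return "clean"
    return "error"              # ran, but did not report the expected clean result


def demo():
    """Scan a clean and an infected upload; return both verdicts plus the verdict
    for a misconfigured Virus_Command."""
    with tempfile.TemporaryDirectory() as tmp:
        scanner = os.path.join(tmp, "fake_scanner.py")
        with open(scanner, "w") as f:
            f.write(FAKE_SCANNER_SOURCE)
        ini = (
            "[SecurMail]\n"
            "Virus_Checking=True\n"
            f"Virus_Command={sys.executable}\n"
            f"Virus_Command_Args={scanner} $FILENAME$\n"
            "Virus_Return=1 files have been checked\n"
        )
        settings = load_virus_settings(ini)
        clean = os.path.join(tmp, "clean.txt")
        infected = os.path.join(tmp, "infected.txt")
        with open(clean, "w") as f:
            f.write("Quarterly report, nothing unusual.\n")
        with open(infected, "w") as f:
            f.write("CONSTRUCTED-INFECTED-MARKER\n")
        results = {"clean": scan_upload(settings, clean),
                   "infected": scan_upload(settings, infected)}
        broken = dict(settings, command=os.path.join(tmp, "no_such_scanner.exe"))
        results["broken_scanner"] = scan_upload(broken, clean)
    return results


if __name__ == "__main__":
    print(demo())
```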

12.2 SecurMail Server Security Considerations

Virtual Directory Security

IIS Virtual Directory Secmail

The server should be hardened according to Microsoft's recommendations. Once installed, only one virtual directory requires publishing externally: Secmail. This can be controlled via IIS properties, a firewall or a reverse proxy server.

It is recommended that no other SecurEnvoy virtual directory is exposed to the Internet unless specifically required.

Microsoft IIS Server

It is recommended that a dedicated instance of the SecurEnvoy SecMail security server be installed for public-facing use on the Internet, ideally within the DMZ environment. A reverse proxy such as Microsoft ISA 2006, or the SSL VPNs of various vendors, is capable of providing this functionality.

For SecurMail access, it is strongly recommended that a trusted public web server certificate is installed in the IIS server.

The only virtual directory that should be accessible from the internet is "secmail", as this is the only one needed by the recipients. All other virtual directories should be accessible only from the internal network.

Recipients must access the secmail directory over https. Therefore the server (or the reverse proxy in that case) must use a publicly trusted certificate.

It is considered more secure to use the reverse proxy method, because there is only a single point of access and you share the certificate with other content using the reverse proxy.

Microsoft Windows 2003 Security resource
http://technet.microsoft.com/en-us/library/cc163140.aspx
Microsoft Windows 2008 Security resource
http://technet.microsoft.com/en-us/library/cc514539.aspx

Load Balancing and Redundancy

It is recommended that two SecurMail servers are installed for redundancy. These servers can be either software or hardware clustered; alternatively the data directory can be installed upon a NAS or SAN device.

The data directory path will be the same on both SecurEnvoy SecurMail servers.

The IIS servers need to be configured so that they are active-active or active-passive to each other. Layer 7 switches are one way to load balance across multiple IIS servers running SecurMail. Alternatively, install Microsoft Network Load Balancing (NLB) on both servers. Using NLB, the same data is stored on multiple servers, so if one becomes unavailable, the client is redirected to another server with the same information. Please see http://technet.microsoft.com/en-us/library/cc770558.aspx

Chapter 13
Frequently Asked Questions

13 Frequently Asked Questions

Q: Which SMS gateways do you support?
You can send SMS messages via a connected Wavecom or Siemens modem or via an Internet SMS gateway provider; see SMS Gateways for more information.

Q: Should the onetime passcode be sent in real time as I am authenticating?
This approach is fundamentally flawed because of the following problems:

1. SMS delivery is delayed
Although most SMS text messages are transmitted in seconds, it's common to find them delayed when networks become congested. SMS traffic is not sent point to point; it is queued, then sent on to the required network cell where it is queued again and finally sent to the end user's phone. This queuing gives rise to delays at peak operator periods. Vodafone's own sales literature claims that 96% of all SMS messages are delivered within 20 seconds. This means that 4% of users trying to authenticate will fail and will need to raise a help desk call to gain emergency access. Thus for a deployment of 5000 users authenticating each day, 200 help desk calls would be raised per day!

2. Signal dead spots
Mobile phone signals are not always available, particularly in buildings with thick outer walls, in underground basements or in computer rooms that give off high RF noise. Consider a user trying to authenticate in one of these locations. They would first enter their UserID and PIN and would then fail to receive their authentication code. They would next need to move to a location that has a signal, receive their authentication code, and move back to the original location to enter their passcode, ALL within a timeout period of 2 minutes. Users located within these locations would have no alternative but to raise help desk calls to gain emergency access.

3. Mobile phone is used to connect to the internet
In most cases when a mobile phone creates a data connection it can't receive SMS messages. Users trying to utilise their mobile phone as a way of connecting to the Internet would not receive their passcode until they hang up the data connection. End users would need to start authenticating with the UserID and PIN, hang up the connection, wait for the SMS message, reconnect and re-enter their UserID, PIN and passcode, all within 2 minutes.

The SecurAccess product does not require on-demand SMS messages. The end user first enters their UserID, then enters their Windows password and appends their 6 digit passcode that is already stored on their mobile phone, as it was sent to them when they last authenticated. An approach that pre-loads the next required passcode each time a user authenticates resolves all the issues relating to SMS delays, short term signal loss and data connectivity.

This technique eliminates any problems with SMS delivery delays, as typically an end user does not require their next passcode until the next working day. This length of time is more than adequate to allow for any SMS delays and gives plenty of time for the end user to move to a location that has a signal, for example when they commute to or from their place of work. SecurEnvoy also supports sending 3 valid passcodes within each SMS message. This technique allows for up to 3 valid authentications before requiring the next SMS message to be received.

Q: What is the difference between a One Time Code and a Day Code?
In "One Time" mode, the entered passcode can only be used once, in exactly the same way as token companies such as RSA. A new one time code is sent to the user after every authentication attempt, good or bad. Any attempt to replay the entered code will fail, as the authenticated passcode is locked and can only be entered once. This mode of operation is ideal for remote users on "malicious" systems, home PCs or in view of the public when authenticating. These users are only authenticating to a VPN which uses a session key, so would typically only authenticate once or twice a day at the most. On average remote access users authenticate twice per week, as some users may only authenticate once per month or less.

Note: These users would not be authenticating their local PC's screen lock as it may be a third party system or home PC.

In "Day Code" mode, a reusable passcode is sent each day (or any number of days, for example every week). This code can be reused for that day or the following day, so the risk of replay attack is limited to two days, which is significantly stronger than a 30 day password (weekends can be skipped). If the user does not use a day code it isn't known publicly and therefore cannot have been intercepted, so a replacement day code is only sent if the previous one was used. This mode of operation is ideal for in-house desktop users that authenticate many times a day, as it only requires one SMS passcode per day, or less if the user is on holiday and not using their day code. So basically you can tailor the risk, ease of use and cost of SMS to suit each user's requirement depending on their environment.

Q: Some of my users do not have mobile phones, how can I use this solution?
These users may not have company supplied phones, but they almost certainly have their own mobile phones, as statistics say that there are nearly twice as many live handsets as people in the UK. Even if they don't have a personal mobile phone, SecurAccess can still send a passcode to a landline telephone or even a DDI number behind a PBX.

Q: What if end users do not want to use their personal mobile phone?
The question is why don't they want to use their own phones? You will not be putting any software on their phone. You will simply be sending them an SMS message which will not cost the end user anything. In some cases it's simply that they don't want to receive phone calls from other employees. Personal mobile numbers are stored encrypted so that only the SecurEnvoy administrators can read them, which prevents other staff trying to call them. What is more inconvenient to the user, using up pocket space for a token or using virtual space on their mobile phone?

Q: How good is the GSM phone coverage?
The GSM network consists of over 860 networks in 220 countries/areas of the world. Coverage maps can be found at: http://www.gsmworld.com/roaming/gsminfo/index.shtml

Q: I live in a bad or no GSM coverage area, how do you manage this?
If you frequent a place that has intermittent coverage, it is possible to utilise the day code option within the software. This means that a passcode can be reused for between 1 and 99 days. As SecurEnvoy works on a pre-loaded methodology, the user will always have a working code on their phone. Alternatively the security server can be configured to send 3 one time codes within each SMS message. Finally, it is possible for SecurAccess to send a passcode to a landline telephone or DDI number behind a PBX.

Q: How does the server send the SMS messages?
There are two options for sending the SMS messages. The first option is to use a Wavecom outbound-only commercial strength GSM modem. This option allows the client to utilise their existing contract with their mobile telecom carrier. The telecom carrier may offer either a package where inter-calls (and SMS) between the company's phones are free, or a significant number of minutes and SMS per month included in the contract. Using this method the client can almost run the service for nothing. Alternatively they can pick up a single user contract; most leading providers have packages that typically include 3000 SMS for around £20 per month. The second option is to sign up with one of the Web SMS gateways. This is basically an HTTPS connection to the Web SMS gateway, and the provider then sends the messages for you. This option is faster and more scalable than the GSM modem option, but can be more expensive.

Q: How well can the SecurEnvoy server scale?
The answer is very well. SecurEnvoy scales directly with Active Directory as this is its database; therefore the question should be "how well can your existing AD scale?". Microsoft has spent much time and money perfecting the replication between domain controller servers. SecurEnvoy benefits from this replication as it directly integrates with AD or other LDAP servers such as eDirectory.

Q: What happens if the user deletes the SMS?
Simply enter your username and complete the logon process without the passcode; the system will see this as a bad logon and send a new passcode. This will work as long as you have not gone past the set number of consecutive failed logons, otherwise the account will be disabled.

Q: How do I know what passcode to use?
When you are enabled on the system, your first passcode will be automatically sent; pre-loading the codes caters for any delay with the SMS delivery. After authentication a new passcode will be sent; on most mobile phones this new code will overwrite the old one. Therefore only one code will be seen on the mobile phone.

Q: How do I know if a hacker is trying to guess my login details?
If a hacker tries a guessed login with your correct UserID then you will receive the next required passcode. Receiving this SMS message will act as an alert to you that someone is trying to break into your account.

Q: What integration does SecurEnvoy have with RAS and NAS type network devices?
SecurEnvoy have implemented a RADIUS server, therefore we can support any application that supports basic password RADIUS authentication. In addition SecurEnvoy have integration guides for the majority of common SSL/VPN, IPsec VPN and dial up vendors. Web based applications hosted on the Microsoft IIS web server, for example OWA and Citrix, can be authenticated via the SecurEnvoy IIS Agent.

Q: Do you have any reference sites or case studies?
There are multiple case studies on our web site; these cover various market verticals.

Q: I've deleted my passcode from my phone, what do I do?
Simply enter your username and complete the logon process without the passcode; the system will see this as a bad logon and send a new passcode. This will work as long as you have not gone past the set number of bad logons, otherwise the account will be locked.

Q: I have no signal in some areas of the office, how do I receive a passcode?
Pre-loading the passcodes before you require them allows plenty of time to receive your passcode when there is a signal. Alternatively you can use day codes, which allow a single code to be used for a set number of days, or the security server can be configured to send 3 one time codes within each SMS message.

Q: How do I upgrade from a trial license to a live license?
This is very simple. Start the Admin GUI and select the menu "Config", then paste the new live license key into the field marked License. If you plan to use a Web SMS Gateway then run "Advanced Config", skip to Web SMS Gateway and enter a valid UserID and Password that was allocated to you by your chosen Web SMS Gateway company.

Q: How do I set up multiple SecurEnvoy Security Servers for redundancy?
Multiple security servers must share the same security encryption key (config.db). Each time you install a new copy of the security server you will be prompted with the question "Is this the first server or any additional server?" If you select additional you will then be prompted to upload the config.db file from the first server.

Q: Phone Gateway1 fails to initialise?
1. Check that the Wavecom modem has a flashing red LED. If the LED isn't flashing, check the power and SIM.
2. Stop the SecurEnvoy Phone Gateway 1 service. Open Microsoft's HyperTerminal (Start/Programs/Accessories/Communications). Open the COM port that the modem is connected to. Change COM port and baud rate as required to get a connection. Note: Wavecom defaults to 9600 8 No Stop Bits 1. Enter ATI; you should get "WAVECOM MODEM".
3. Check signal strength: start HyperTerminal. Enter AT+CSQ; you should get +CSQ: 22,0 where 22 is a number between 0 and 31 that defines the signal strength.
4. Remove the SIM from the Wavecom and place it in a normal GSM phone. Check the SIM can send SMS messages to international numbers.
5. Check the settings in the registry at HKLM\SOFTWARE\SecurEnvoy\Phone Gateway 1. Restart SecurEnvoy Phone Gateway 1 after changes.
6. Check that no other program is using the serial COM port before starting the SecurEnvoy Phone Gateway 1 service.

Q: My SecurEnvoy RADIUS Server fails with "Error Opening Local Port", how do I fix this?
Check that no other program is using the RADIUS port (1812). Stop the SecurEnvoy RADIUS service and wait 60 seconds. In a CMD window run "netstat -a -p UDP". You should NOT see the line "UDP xxxx:radius *:*" where xxxx is the system name. If you do, it may be that Microsoft's Internet Authentication Manager (IAM) is installed; if so, on some Windows versions there is a Microsoft bug that causes IAM to still use the RADIUS port even when stopped or uninstalled! It is recommended that the default ports in IAM are changed, thus releasing the RADIUS port.

Q: If I use IE7 for local administration, start help and then exit the help window, why am I prompted to re-authenticate?
This is a known bug with Microsoft IE7. The session cookies are getting deleted when you close a 2nd window. At the moment no Microsoft fix exists. However the following workaround generally resolves this problem. Change your IE7 settings in Tools/Internet Options/General/Browser History Settings to "Every time I visit the web page".

Q: Why does local administration re-authenticate every page?
Both IE6 and IE7 browsers fail to return the authentication cookie if there is an _ in the host name. Rename the host or use Firefox as the default browser.

Q: Do you support 64bit OS servers?
Yes, both the server and the IIS agent support 64bit operating systems.

Chapter 14
Help

14 Help Manual

To view the help files, click upon the button within the Admin GUI. This will launch the Help, which will open in a separate browser window.

The Help page is made up of a navigation pane on the left hand side, where you can locate information on administration based tasks. The right hand side will display the selected information. By default the help page displayed is linked to the Admin GUI menu, i.e. if in the "Config" menu, the "Config" Help page will be displayed.

The top bar within the Help window has four quick links; three of these are links to the SecurEnvoy web site to provide up to date information regarding SecurEnvoy, product integration guides and online FAQs. The last link will launch your email client so that a "support email" can be sent.

Note: When sending a "support email" please include the Customer ID (this is listed on your license certificate) with all correspondence.

Search Capability

Included with the Help Manual is the "Search Capability"; click upon the "search" link within the left-hand navigation pane. Enter the search criteria and click "submit".

All results are then displayed, shown in order with complete matches and a score associated with the search. You can then select and click upon the relevant link to display the information.

Chapter 15
Recommended Backup Procedure

15 Recommended Backup Procedure

After the initial installation is complete, or after re-installation of the security server software, the Master Encryption key and configuration files are located by default:
For 32 bit installations: in C:\Program Files\SecurEnvoy\Security Server\
For 64 bit installations: in C:\Program Files(x86)\SecurEnvoy\Security Server\

The following files should be backed up: config.db, configpre54.db, local.ini and server.ini.

It is also recommended that you regularly back up the following:

The DATA subfolder located in the SecurEnvoy installation folder. This contains the following information:
 LOG files
 RADIUS configuration data
 SMS message queue and controls
 SecurMail messages
 SecurMail mailbox authentication data
 Web templates (local SecurEnvoy server)
 SMS message templates

The SecurEnvoy server data stored in LDAP (in the telexnumber attribute on Novell eDir, Sun Directory and OpenLDAP; in the Primary TelexNumber and TelexNumberOther attributes on Active Directory).

For Microsoft ADAM / AD/LDS please see Microsoft article number 737702 on TechNet for the recommended procedure. All SecurEnvoy ADAM / AD/LDS files are stored in the DATA\Adam subfolder of the SecurEnvoy installation folder.

Chapter 16
Troubleshooting

16 Troubleshooting

Phone Gateway1 Fails to Initialise

1. Check that the Wavecom modem has a flashing red LED. If the LED isn't flashing, check the power and SIM.
2. Check the SIM type. If Vodafone, PDU mode must be set to False in HKLM\software\SecurEnvoy\PhoneGateway1. Try setting it to False even if it's not a Vodafone SIM.
3. Stop the SecurEnvoy Phone Gateway 1 service. Open Microsoft's HyperTerminal (Start/Programs/Accessories/Communications). Open the COM port that the modem is connected to. Change COM port and baud rate as required to get a connection. Note: Wavecom defaults to 9600 8 No Stop Bits 1. Enter ATI; you should get "WAVECOM MODEM" or "SIEMENS TC35i".
4. Check signal strength: start HyperTerminal. Enter AT+CSQ; you should get +CSQ: 22,0 where 22 is a number between 0 and 31 that defines the signal strength.
5. Check for a GSM connection. Enter AT+CREG?; you should get OK.
6. Try sending an SMS message manually. Enter AT+CMGF=1. Enter AT+CMGS="4479xxxx" where 4479xxxx is your mobile number in international format without a +. Enter HELLO then press Ctrl Z.
7. Remove the SIM from the Wavecom and place it in a normal GSM phone. Check the SIM can send SMS messages to international numbers.
8. Check the settings in the registry at HKLM\SOFTWARE\SecurEnvoy\Phone Gateway 1. Restart SecurEnvoy Phone Gateway 1 after changes.
9. Check that no other program is using the serial COM port before starting the SecurEnvoy Phone Gateway 1 service.

SecurEnvoy RADIUS Server Fails with "Error Opening Local Port"

Check that no other program is using the RADIUS port (1812). Stop the SecurEnvoy RADIUS service and wait 60 seconds. In a CMD window run "netstat -a -p UDP". You should NOT see the line "UDP xxxx:radius *:*" where xxxx is the system name. If you do, it may be that Microsoft's Internet Authentication Service (IAS) is installed. On some Windows versions there is a Microsoft bug that causes IAS to still use the RADIUS port even when stopped or uninstalled! It is recommended that the default ports in IAS are changed, thus releasing the RADIUS port.

Log file displays Windows password incorrect when using RADIUS and Windows Password as the PIN

If the Windows password is correct, the fault lies with an incorrect RADIUS "Pre shared key". SecurEnvoy support ASCII 127 characters.

Admin GUI does not run or SecurPassword does not run

This can occur for the following reasons:
1. There is another web instance using ports 80 and/or 443.
2. There aren't enough privileges to allow the Admin GUI to run. On IIS 6.0 go to IIS Manager, Application Pools, default app pool, Properties and change the identity to use "Network Service" or a predefined account, usually the SecurEnvoy Admin account. On IIS 5.0 go to IIS Manager, Default Web Site, secadmin, select Properties, Directory Security, Anonymous Access, click Edit. Under anonymous access click Edit and enter the details of the SecurEnvoy Admin account.

When executing the Set PIN program, error if unable to set the user PIN

Check within IIS Manager that the anonymous web account has enough privileges to run the Set PIN program.

How do I set up multiple SecurEnvoy Security Servers for redundancy?

Multiple security servers must share the same security encryption key (config.db). Each time you install a new copy of the security server you will be prompted with the question "Is this the first server or any additional server?" If you select additional you will then be prompted to upload the config.db file from the first server.

How do I upgrade from a trial license to a live license?

This is very simple. Start the Admin GUI and select the menu "Config", then paste the new live license key into the field marked License. If you plan to use a Web SMS Gateway then run "Advanced Config", skip to Web SMS Gateway and enter a valid UserID and Password that was allocated to you by your chosen Web SMS Gateway company.

Chapter 17
Appendix

17 Appendix

Setting Up SSL on IIS Web Servers
Setting up SSL on IIS (KB299875)
http://support.microsoft.com/default.aspx?scid=kb;en-us;299875

SMS Gateway Options

SecurEnvoy support two options for sending SMS messages:

Option 1
A directly connected Wavecom or Multitech modem. This option uses a mobile phone SIM card and will send SMS messages in the same way as a mobile phone.

Parts List For Wavecom (Serial Only) (SecurEnvoy preferred solution)
1. Wavecom Fasttrack
1. 12v Mains PSU
1. Serial Data Cable 15D to 9D (PC Serial Port)
1. Magnetic Mount Aerial with SMA male 3M lead
Vendor information here
Note: can support USB via a serial adapter cable

Parts List For Multitech (USB or Serial Modem)
1. Modem Model: MTCBA-G-U-F4 (USB Modem)
1. Magnetic Mount Aerial with SMA male 3M lead
Vendor information here

or Siemens modem

Parts List For Siemens TC35i (Serial Only)
1. Siemens TC35i Pack B
Note that Pack B contains a TC35 Modem, Mains PSU, Serial Cable and a 2 meter magnetic mount aerial. Vendor information here

Option 2
An Internet based SMS gateway provider. SMS messages are sent via the Internet to a company that hosts a gateway connection to worldwide mobile phone network providers.

SecurEnvoy currently support the following third parties:
AQL (www.aql.com) (recommended for UK and Europe)
PSWinCom (www.pswin.com)
V-First (www.vfirst.com)
T-Mobile (www.tmobile.co.uk)
O2 (www.infracast.com)
Silver Street (www.silverstreet.com)
HSL SMS (www.hslsms.com)
Clickatell (www.clickatell.com)
m:science (www.m-science.com)
2SMS (www.2sms.com)
smsglobal (www.smsglobal.com)
end2end (www.promessaging.net)
Mollie (www.mollie.nl)
SystorVest (www.systorvest.no)

Note: Any other third party provider that supports https can be added for 2 days consultancy.

