for GrIDsure
How To Configure Defender for GrIDsure Tokens The GrIDsure token can be used to protect any website hosted on Internet Information Server (IIS). Defender 5.6 and later supports the use of GrIDsure tokens with the Defender Desktop Login application. Please follow the configuration steps in this document and refer to the Defender Desktop Login & GrIDsure Token User Guide. This guide provides information for the administrator on how to configure Defender and IIS, using the Defender ISAPI Agent, for use with the GrIDsure token. The instructions in this guide assume that a working Defender system is in place with the required Defender components installed and configured, refer to System Requirements. For further information on Defender installation and configuration, refer to the Defender Installation Guide and the Defender Configuration Guide. 1 Defender How To Configure for Use with GrIDsure Tokens System Requirements Before configuring Defender to use GrIDsure tokens, ensure that the following components are installed and configured in your Defender system: • Defender Administration Console version 5.5.0.907 or higher • Defender Security Server version 5.5.0.907 or higher • Defender ISAPI Agent version 5.5.0.907 or higher. Licensing To enable GrIDsure tokens within Defender, you must first install a Defender Desktop Token License. To do this, from Active Directory Users & Computers select the Install Desktop Token License option from the Defender menu. The Defender menu is available when the Defender OU is selected. The Defender License Import Wizard starts: 1. Click Next to display the Defender Import Wizard (License Files) dialog. 2. Click Add File to add your license file to the Licenses to install list. 3. Click on the required file, then click Open. The selected file is added to the Licenses to install list. 4. Click Next twice to complete the procedure. How to Program a GrIDsure Token GrIDsure tokens can be programmed: • for a user by the Defender Administrator, or • created and registered by the users themselves through Auto-Enrollment. 2 Defender How To Configure for Use with GrIDsure Tokens Programming a GrIDsure Token via the Administration Console In Active Directory Users and Computers (ADUC), display the user properties page for the required user, then select the Defender tab. 1. Select Program to start the Defender Token Programming Wizard. 2. Select Next. The Token Types dialog is displayed: 3 Defender How To Configure for Use with GrIDsure Tokens 3. Select Defender Desktop Token, then select Next. The Defender Desktop Token Types dialog is displayed: 4. Select GrIDsure, then select Next. A user can have only one GrIDsure token assigned to them at any one time. If the user already has a GrIDsure token, the following dialog is displayed: You can choose to overwrite the user’s existing GrIDsure token or to leave the existing token. If you choose to overwrite the existing token, the user must register the new token before it can be used to authenticate. 4 Defender How To Configure for Use with GrIDsure Tokens 5. The Checking User License dialog is displayed: 6. Click Next. The Defender Token Programming Complete dialog is displayed: 5 Defender How To Configure for Use with GrIDsure Tokens 7. Click Finish. The GrIDsure token is displayed in the Token Management field on the username Proper- ties, Defender tab. 8. If GrIDsure authentication is enabled in the token policy assigned to this user (refer to Creating/Editing a Policy for GrIDsure Tokens), the user will be required to configure his PIP the first time the token is used for authentication through a GrIDsure aware client, i.e. the ISAPI Agent or Defender Desktop Login. 6 Defender How To Configure for Use with GrIDsure Tokens Creating/Editing a Policy for GrIDsure Tokens You now need to configure a Defender Policy to use GrIDsure tokens. You can either modify an existing policy or create a new policy. For information on how to create a new policy, please refer to the Defender Configuration Guide. To configure the policy for use with GrIDsure tokens where the tokens will be programmed by the Defender Administrator, perform the following steps: 1. Select the Defender OU from the Active Directory tree. 2. Select Policies. 3. Right-click on the required policy. 4. Select Properties from the menu. The policyname -Properties Policy dialog box is displayed: 5. On the Policy tab, in the Authentication methods, Use field, select Token. 7 Defender How To Configure for Use with GrIDsure Tokens 6. Select the GrIDsure tab: 7. Select Enable GrIDsure Tokens and set the pattern length as required. 8. Select OK. The policy is now configured for GrIDsure tokens. 9. Assign the policy to the relevant access node, Defender Security Server, user or user group as required. For information on how to assign a security policy, please refer to the Defender Configuration Guide. 8 Defender How To Configure for Use with GrIDsure Tokens GrIDsure Token Auto-Enrollment Mode To enable Auto-Enrollment, set the Authentication Method, Use field to Token (GrIDsure Auto-Enrollment Mode). The first time that the user attempts to authenticate using a GrIDsure enabled policy, the GrIDsure token will be created and configured. Enabling User Auto-Enrollment for GrIDsure Tokens To configure the policy that will enable GrIDsure tokens to be created and configured when the user first attempts to authenticate, perform the following steps: 1. Select the Defender OU from the Active Directory tree. 2. Select Policies. 3. Right-click on the required policy. 4. Select Properties from the menu.The policyname -Properties Policy dialog box is displayed: 5. On the Policy tab, in the Authentication methods, Use field, select Token (GrIDsure AutoEnrollment Mode). 9 Defender How To Configure for Use with GrIDsure Tokens 6. Select the GrIDsure tab: 7. Check the Enable GrIDsure Tokens checkbox, then select OK to finish. For information on how to authenticate in GrIDsure Auto-Enrollment Mode, refer to Accessing the Protected Website. 10 Defender How To Configure for Use with GrIDsure Tokens Additional Configuration Options During configuration, the following options can be set on the GrIDsure tab if required: • Block consecutive patterns (horizontal, vertical and diagonal) Check this box to enforce additional complexity rules for the PIP. Use this option to prevent the use of horizontal, vertical and diagonal patterns. • Enable Pattern Expiry Check this box to force the user to provide a new pattern (PIP) after a set number of days. This option is similar to setting a password expiry limit for AD passwords. • Use numbers in grid The default configuration is to use numbers only within the grid. • Use letters in grid Check this box to use letters in the grid. 11 Defender How To Configure for Use with GrIDsure Tokens If both Use numbers in grid and Use letters in grid are selected then the grid will display a combination of both. • Grid Style Displays the GrIDsure Style dialog enabling you to change the size and style of the grid as required. 12 Defender How To Configure for Use with GrIDsure Tokens Installing the Defender ISAPI Agent The Defender ISAPI Agent can be used as an ISAPI filter to provide Defender authentication for the website. To install the Defender ISAPI Agent on the server hosting IIS, perform the following steps: 1. Run the installation file Defender ISAPI Agent x64 Installer.exe (for x64 platforms), or Defender ISAPI Agent Installer.exe (for x86 platforms). 2. Select Next. 3. Accept the License Agreement. 13 Defender How To Configure for Use with GrIDsure Tokens 4. Select Next. 5. Select Next to accept the default installation location, alternatively select Browse to choose a different location. 6. Select Next. 14 Defender How To Configure for Use with GrIDsure Tokens 7. The Defender ISAPI Agent installation starts and the Installation Progress dialog is displayed: 8. On completion of the installation, the Installation Complete dialog is displayed: 9. Select Finish. 15 Defender How To Configure for Use with GrIDsure Tokens Configuring the ISAPI Agent On completion of the ISAPI Agent installation, select Configure Defender ISAPI Agent Now. The Defender ISAPI Agent Configuration dialog is displayed: To configure the ISAPI Agent: 1. On the DSS Parameters tab, select Add. 2. Enter the name of the Defender Security Server where user authentication will be performed. 3. Enter the IP address of the Defender Security Server. 4. Enter the port number and shared secret configured on the access node that this connection will use. 5. Select the Protected Sites tab. 6. Select the site that you want to protect with Defender, then click OK to save the selection. 16 Defender How To Configure for Use with GrIDsure Tokens Accessing the Protected Website This section describes how to access the protected website using Defender authentication and a GrIDsure token. 1. From Internet Explorer, access the protected website. The Login page is displayed: 2. Enter your username and then select Login. 3. If you are using the GrIDsure Auto-Enrollment Mode and have no other token types assigned you will be prompted for your Active Directory Windows password to start the registration process for your GrIDsure token. 4. Enter your Windows password, then select Login. 17 Defender How To Configure for Use with GrIDsure Tokens If you have more than one token type assigned, you can choose which token to use for authentication. In the example below, the user can enter either the synchronous response from a Go-x token, or if the user has a registered GrIDsure token, or the administrator has programmed a GrIDsure token, the user can click Use GrIDsure to authenticate with a GrIDsure token. On first use, you are required to configure your GrIDsure pattern or PIP. The GrIDsure grid (as defined on the Defender security policy) is displayed. 5. Select a pattern using the letters within the grid and then enter these letters, without spaces, in the Configure your GrIDsure PIP: box. For example, the policy configured in Creating/Editing a Policy for GrIDsure Tokens, requires a pattern of between 4 and 8. Therefore a pattern, or PIP, such as AJBBBGAN would create a pattern using the top left square and then the first 3 squares from row 2. 18 Defender How To Configure for Use with GrIDsure Tokens If the PIP does not meet the complexity rules configured on the policy, the following dialog is displayed: Enter a PIP that meets the complexity requirements. 6. Select Login to save the PIP. 7. You are then prompted to authenticate using the PIP that was created for your token. 19 Defender How To Configure for Use with GrIDsure Tokens 8. Enter the PIP in the Use your GrIDsure PIP: box and select Login, e.g. 3305. 9. You will now be authenticated and allowed access to the protected website. 10. A GrIDsure token is now created for you. This can be viewed in the username Properties Defender tab in Active Directory Users and Computers. The next time you access the website, you will be prompted for your user name only and the PIP corresponding to your pattern. © 2012 Quest Software, Inc. ALL RIGHTS RESERVED. Quest, Quest Software, the Quest Software logo and iToken are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. GrIDsure and the GrIDsure logos are trademarks and registered trademarks of Gridlock TS Limited. All other trademarks and registered trademarks are property of their respective owners. 20
© Copyright 2024