aXsGUARD Gatekeeper Single Sign-On Utility (SSO) - Vasco
aXsGUARD Gatekeeper Single Sign-On Utility (SSO) How To v1.6

Legal Notice

VASCO Products

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as 'VASCO'. VASCO Products comprise Hardware, Software, Services and Documentation. This document addresses potential and existing VASCO customers and has been provided to you and your organization for the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to use VASCO Software or a contractual agreement to use VASCO Products.

Disclaimer of Warranties and Limitations of Liabilities

VASCO Products are provided ‘as is’ without warranty or conditions of any kind, whether implied, statutory, or related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, merchantability, title, non-infringement or fitness for a particular purpose.

VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS.

Intellectual Property and Copyright

VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights. No part of these Products may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing.

This document is protected under US and international copyright law as an unpublished work of authorship. No part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized licensee.

Trademarks

VASCO®, Vacman®, IDENTIKEY®, aXsGUARD®, DIGIPASS®, and ® are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Other company brand or product names or other designations, denominations, labels and/or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications (irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the trademarks or registered trademarks or be part of any other entitlement of their respective owners.

Radius Disclaimer

Information on the RADIUS server provided in this document relates to its operation in the aXsGUARD Gatekeeper environment. We recommend that you contact your NAS/RAS vendor for further information.

Copyright © 2009 VASCO Data Security, Inc, VASCO Data Security International GmbH All rights reserved.

Table of Contents

1 Introduction
  1.1 Audience and Purpose of this document
  1.2 What is the aXsGUARD Gatekeeper?
  1.3 About VASCO
2 Concept and Features
  2.1 Overview
  2.2 Supported Operating Systems
  2.3 Features and Advantages
  2.4 Purpose and Concept
  2.5 Installation Modes
    2.5.1 Domain Mode
    2.5.2 Workgroup Mode
  2.6 SSL Secured Connection
  2.7 Auto Adjustment of Proxy Settings
  2.8 Automatic Updates
  2.9 User Profiles
  2.10 Particular Cases with Terminal Servers
    2.10.1 Without Virtual IP Support
    2.10.2 With Virtual IP Support
3 Installation
  3.1 Overview
  3.2 Windows Domain Settings
  3.3 SSO Utility Installation
    3.3.1 Downloading
    3.3.2 Windows XP
    3.3.3 Windows Vista
    3.3.4 Linux
  3.4 Upgrading
  3.5 Uninstalling
4 Configuration and Use
  4.1 Overview
  4.2 Getting Started
  4.3 Creating User Profiles
  4.4 aXsGUARD Gatekeeper Proxy server
  4.5 Setting a Default User Profile
  4.6 Activating a User Profile
  4.7 Editing and Deleting User Profiles
  4.8 Linux Configuration
  4.9 Advanced Configuration
5 Troubleshooting
6 Support
  6.1 Overview
  6.2 If you encounter a problem
  6.3 Return procedure if you have a hardware failure

1 Introduction

1.1 Audience and Purpose of this document

This aXsGUARD Gatekeeper Single Sign-On Utility (SSO) How To v1.6 serves as a reference source for technical personnel and/or system administrators. It explains the installation and configuration of the aXsGUARD Gatekeeper Single Sign-On (SSO) Authentication utility.

An in-depth description of the aXsGUARD Gatekeeper Authentication concepts is available in a separate document, the aXsGUARD Gatekeeper Authentication How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

In sections 1.2 and 1.3, we introduce the aXsGUARD Gatekeeper and VASCO.
In section 2, we explain the concept and features of the aXsGUARD Gatekeeper SSO Authentication Utility.
In section 3, we explain how to download and install the aXsGUARD Gatekeeper SSO Authentication Utility on Windows and Linux.
In section 4, we explain the use and configuration of the aXsGUARD Gatekeeper SSO Authentication Utility.
In section 5, we provide solutions to difficulties you may encounter.
In section 6, we explain how to request support and how to return hardware for replacement.

Other documents in the set of aXsGUARD Gatekeeper documentation include:

aXsGUARD Gatekeeper Installation Guide, which explains how to set up the aXsGUARD Gatekeeper, and is intended for technical personnel and/or system administrators.
'How to guides', which provide detailed information on configuration of each of the features available as 'add-on' modules (explained in the next section). These guides cover specific features such as:
  aXsGUARD Gatekeeper Authentication
  aXsGUARD Gatekeeper Firewall
  aXsGUARD Gatekeeper VPN
  aXsGUARD Gatekeeper Reverse Proxy
  aXsGUARD Gatekeeper Directory Services

Access to aXsGUARD Gatekeeper guides is provided through the permanently on-screen Documentation button in the aXsGUARD Gatekeeper Administrator Tool.

Further resources available include:

Context-sensitive help, which is accessible in the aXsGUARD Gatekeeper Administrator Tool through the Help button. This button is permanently available and displays information related to the current screen.
Training courses covering features in detail can be organized on demand. These courses address all levels of expertise. Please see www.vasco.com for further information.

Welcome to aXsGUARD Gatekeeper security.

1.2 What is the aXsGUARD Gatekeeper?

The aXsGUARD Gatekeeper is an authentication appliance, intended for small and medium sized enterprises. In addition to strong authentication, the aXsGUARD Gatekeeper has the potential to manage all of your Internet security needs. Its modular design means that optional features can be purchased at any time to support, for example, e-mail, Web access and VPN management. The aXsGUARD Gatekeeper can easily be integrated into existing IT infrastructures as a stand-alone authentication appliance or as a gateway providing both authentication services and Internet Security.

Authentication and other features such as firewall, e-mail and Web access, are managed by security policies, which implement a combination of rules, for example, whether a user must use a DIGIPASS One-Time Password in combination with a static password for authentication. Security Policies are applied to specific users or groups of users and can also be applied to specific computers and the entire system.

1.3 About VASCO

VASCO is a leading supplier of strong authentication and Electronic Signature solutions and services specializing in Internet Security applications and transactions. VASCO has positioned itself as a global software company for Internet Security serving customers in more than 100 countries, including many international financial institutions. VASCO’s prime markets are the financial sector, enterprise security, e-commerce and e-government.

Over 50 of VASCO’s client authentication technologies, products and services are based on VASCO’s one and unique core authentication platform: VACMAN. VASCO solutions comprise combinations of the VACMAN core authentication platform, IDENTIKEY authentication server, aXsGUARD® authentication appliances, DIGIPASS client Password and Electronic Signature software and DIGIPASS PLUS authentication services. For further information on these security solutions, please see www.vasco.com.

2 Concept and Features

2.1 Overview

The aXsGUARD Gatekeeper Single Sign-On (SSO) Authentication utility is designed to securely and transparently authenticate users with an aXsGUARD Gatekeeper from a client PC in the LAN. After successful authentication, the users are granted Firewall and Web Access rights based on the provided credentials.

Topics covered in this section include:

Supported Operating Systems.
The features and advantages of the SSO Authentication Utility.
The SSO purpose and concept.
Possible installation modes.
Special cases involving Terminal Servers.

2.2 Supported Operating Systems

The aXsGUARD Gatekeeper SSO Authentication Utility can be installed on the following platforms:

Microsoft: Windows 2000, XP, 2003 and Vista (32-bit and 64-bit versions).
Linux: All 32-bit distributions of Linux. 64-bit versions are only available on demand.

2.3 Features and Advantages

The main advantages and features of the SSO Authentication Utility are:

It is available for Microsoft Windows as well as Linux.
The installation is quick, easy and straightforward.
The SSO Utility can be installed in Domain (Active Directory environment) or in Workgroup mode.
You have the possibility to create multiple user profiles per user account on a single PC, making the PC location independent.
Users only have to provide and remember their Windows logon, making aXsGUARD Gatekeeper Firewall and Web Access Authentication transparent.
The SSO Utility automatically starts after login.
Automatic configuration of the Internet browser settings (Microsoft Windows only).
Automatic detection of the aXsGUARD Gatekeeper.
Automatic notification of SSO Utility software updates.
The SSO Utility uses SSL encryption to communicate with the aXsGUARD Gatekeeper.

2.4 Purpose and Concept

The purpose of the aXsGUARD Gatekeeper SSO Authentication Utility is to make Firewall and Web Access authentication transparent to users.

Users only have to provide and remember a single set of credentials, for instance their Active Directory user name and password (see the image below). When successfully authenticated, users are granted aXsGUARD Gatekeeper Firewall and Web Access rights. Detailed information about Firewall and Web Access rights is provided in the aXsGUARD Gatekeeper Firewall, Authentication and Web Access How To guides, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.

The SSO Authentication Utility supports multiple user profiles. A profile contains a user's aXsGUARD Gatekeeper preferences and credentials, e.g. you can create a profile for the office in Boston and one for the office in New York.

As explained in section 2.3, the SSO Utility can be configured to automatically adjust the user's Internet browser connection settings (Microsoft Windows only), so that the aXsGUARD Gatekeeper proxy server is used for Internet access. The aXsGUARD Gatekeeper Firewall and Web Access rights of the user are applied automatically and transparently.

Image 1: Transparent User Authentication
2.5 Installation Modes<br />
The <strong>SSO</strong> Authentication <strong>Utility</strong> can be installed using the following modes:<br />
The Windows Domain Mode: Only applies to Windows clients.<br />
The Workgroup Mode: Applies to Windows and Linux clients.<br />
2.5.1 Domain Mode<br />
The <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong> is designed to be integrated with a Microsoft Windows<br />
Domain. <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Firewall and Web Access rights are granted based on the provided Windows<br />
Domain (AD) credentials. The user is automatically authenticated with the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> after<br />
successfully logging on to the Domain. The Windows Domain has to be listed in the <strong>aXsGUARD</strong><br />
<strong>Gatekeeper</strong>'s allowed domains (see section 3.2). The Domain Mode can only be used on Windows clients.<br />
Note<br />
In Domain Mode, the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> user name has to be identical to the Active<br />
Directory user name.<br />
2.5.2 Workgroup Mode<br />
The <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong> can also be used without a Microsoft Domain on<br />
Windows and Linux clients. This is referred to as Workgroup Mode. The <strong>SSO</strong> <strong>Utility</strong> allows you to create<br />
multiple profiles for different users and / or locations. You can set a default user profile, which is automatically<br />
activated after logging on to the PC. The Workgroup Mode offers several possibilities:<br />
You can store the user credentials in a user profile: The <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> user credentials are<br />
stored locally on the PC.<br />
Enforce Password Authentication: If your company policy prevents you from storing passwords locally, you<br />
can leave the password field blank. As a result, the user is required to authenticate after logging on to<br />
Windows (see section).<br />
Enforce VASCO Digipass Authentication: Rather than using a regular password as explained above, it is<br />
much more secure to use a One-Time Password (OTP) generated by a DIGIPASS. For more information<br />
about Digipass Authentication, consult the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Authentication How To, which can be<br />
accessed by clicking on the permanently available Documentation button.<br />
Caution<br />
Do not store the password in a user profile when using Digipass Authentication.<br />
2.6 SSL Secured Connection<br />
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of message<br />
transmissions on a network.<br />
For additional security, <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong> uses SSL to communicate with the<br />
<strong>aXsGUARD</strong> <strong>Gatekeeper</strong>. The aim is to prevent sensitive information, such as user credentials, from being<br />
intercepted when they are transmitted over the local network between the user's client PC and the <strong>aXsGUARD</strong><br />
<strong>Gatekeeper</strong> (see the image below). SSL is enabled by default when the <strong>SSO</strong> <strong>Utility</strong> is installed.<br />
Image 2: SSL Secured Connection<br />
2.7 Auto Adjustment of Proxy Settings<br />
The <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong> offers the possibility to automatically adjust the user's<br />
Internet browser's proxy server settings after authentication. When the user signs off or when closing his/her<br />
laptop without signing off or shutting down (a.k.a. suspend mode), the initial browser settings are restored.<br />
This is a major convenience for users as well as the system administrator(s), as the browser settings never<br />
have to be manually adjusted.<br />
Note<br />
This feature only applies to Windows platforms. It is not available for Linux until further<br />
notice.<br />
2.8 Automatic Updates<br />
Your <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> automatically checks the VASCO back office for new versions of the software.<br />
As soon as an update becomes available, it is downloaded to your <strong>aXsGUARD</strong> <strong>Gatekeeper</strong>. In turn, the <strong>SSO</strong><br />
Authentication <strong>Utility</strong> periodically checks your <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> and notifies the user when a new version<br />
is available for installation by displaying a message in the system tray (see below). This makes system<br />
administration easier and also saves Internet bandwidth. The <strong>SSO</strong> Authentication <strong>Utility</strong> Windows installer is<br />
compressed in a zip file. The Linux version is compressed in a tgz file.<br />
Image 3: <strong>SSO</strong> <strong>Utility</strong> Update Notification<br />
2.9 User Profiles<br />
A user profile holds the <strong>SSO</strong> Authentication <strong>Utility</strong> configuration for a specific <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> user. The<br />
advantage is that you can define multiple profiles per user account, e.g. a profile per office location as shown<br />
below.<br />
Image 4: <strong>SSO</strong> User Profiles<br />
2.10 Particular Cases with Terminal Servers<br />
In this section, we describe some particular cases of the <strong>SSO</strong> <strong>Utility</strong> when authenticating with the <strong>aXsGUARD</strong><br />
<strong>Gatekeeper</strong> via a Terminal Server. Two important distinctions have to be considered:<br />
Terminal Servers without Virtual IP address support.<br />
Terminal Servers which provide Virtual IP addresses.<br />
2.10.1 Without Virtual IP Support<br />
The <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong> cannot be used when connecting through a terminal<br />
server which does not support Virtual IP addresses, as each user / IP pair needs to be unique (see image<br />
below). This applies to older versions of the Citrix Metaframe Presentation Server.<br />
For more detailed information, consult the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Authentication How To, which is accessible<br />
by clicking on the permanently available Documentation button in the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> administrator<br />
tool.<br />
Image 5: Terminal Server without Virtual IP Support<br />
2.10.2 With Virtual IP Support<br />
When users log on to a thin client, which depends on a central server such as a Citrix Presentation Server or<br />
an MS Terminal Server, any outgoing traffic generated by the thin client shows the Terminal Server's IP<br />
address as the source IP address. If multiple users are coming from a single IP address, e.g. in older versions<br />
of the Citrix Presentation Server, the <strong>SSO</strong> Authentication <strong>Utility</strong> cannot be used (see section 2.10.1).<br />
As of version 4.0 and above, the Citrix Metaframe Presentation Server offers a Virtual IP feature where it can<br />
assign a unique virtual IP address to each user who logs in. As such, it is possible to differentiate each user's<br />
traffic based on their Virtual IP address. In other words, each user / IP pair is unique.<br />
The Virtual IP Addresses are bound to the Citrix Presentation Server NIC and can be consulted via the Windows<br />
ipconfig command.<br />
Image 6: Terminal Server with Virtual IP Support<br />
3 Installation<br />
3.1 Overview<br />
This chapter covers the steps to successfully install and configure the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong><br />
Authentication <strong>Utility</strong>. Topics covered in this chapter include:<br />
<strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Windows Domain configuration settings.<br />
The <strong>SSO</strong> Authentication <strong>Utility</strong> installation.<br />
3.2 Windows Domain Settings<br />
If you are not in a Microsoft Domain, you may skip to section 3.3.<br />
Only authentication requests coming from registered domains are accepted. You should also add any<br />
subdomain(s).<br />
Before installing the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong>, you need to verify the Microsoft<br />
Domain(s) used in your network:<br />
1. Log on to the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> as explained in the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> System<br />
Administrator How To, which is accessible by clicking on the permanently available Documentation<br />
button in the Administrator Tool.<br />
2. Navigate to Authentication > General.<br />
3. Add / verify your Windows Domain(s) and as shown below.<br />
4. Click on Update if you have modified any settings.<br />
Image 7: Setting the Allowed Domains<br />
Tip<br />
To find the Domain used by your computer:<br />
Windows XP: Click on Start > Control Panel. Right-click on System and Select Properties.<br />
Click on the Computer Name Tab.<br />
Windows Vista: Click on Start > Control Panel > System and Maintenance > System. If your<br />
computer is connected to a domain, under Computer name, domain, and workgroup settings,<br />
you will see the name of the domain your computer belongs to.<br />
Image 8: Windows Domain used by Windows XP<br />
3.3 <strong>SSO</strong> <strong>Utility</strong> Installation<br />
3.3.1 Downloading<br />
In this section, we explain how to download and install the <strong>SSO</strong> Authentication <strong>Utility</strong> on Windows XP, Windows<br />
Vista and Ubuntu Linux, respectively.<br />
There are two methods to install the <strong>SSO</strong> Authentication <strong>Utility</strong>:<br />
A system-wide installation: Requires Administrator privileges and installs the <strong>SSO</strong> Authentication <strong>Utility</strong> for<br />
all users.<br />
A non-privileged user installation: Can be performed while logged on as a regular user and installs the<br />
<strong>SSO</strong> Authentication <strong>Utility</strong> for this user only.<br />
The <strong>SSO</strong> <strong>Utility</strong> needs to be downloaded from the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> prior to installation:<br />
1. Log on to the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> as explained in the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> System<br />
Administrator How To, which is accessible by clicking on the permanently available Documentation<br />
button in the Administrator Tool.<br />
2. Navigate to Add-ons (see the image below).<br />
3. Click on the appropriate installer for your system (Windows or Linux) to start the download.<br />
4. Save the zip file containing the installer to the location of your choice.<br />
5. Click on Logout.<br />
Image 9: Downloading the <strong>SSO</strong> Installer<br />
3.3.2 Windows XP<br />
Tip<br />
If you are upgrading the <strong>SSO</strong> Authentication <strong>Utility</strong>, skip to section 3.4.<br />
System-Wide Installation (for all users)<br />
Caution<br />
If you are running the msi installer from a network share, Windows XP will ask you for an<br />
extra confirmation before proceeding to the actual installation.<br />
Click on Run to start the installation process.<br />
To install the <strong>SSO</strong> Authentication <strong>Utility</strong> in Windows XP:<br />
1. Log on to Windows XP with administrator privileges.<br />
2. Extract the downloaded zip file to the location of your choice (see section 3.3.1).<br />
3. Double-click on the msi installer to start the Installation. A screen similar to Image 10 is displayed.<br />
4. Click on Next.<br />
5. Read and accept the terms in the license agreement.<br />
6. Click on Next.<br />
Image 10: <strong>SSO</strong> <strong>Utility</strong> Windows XP – Installation Start<br />
7. Check Install for all users of this machine as shown below.<br />
8. Click on Next.<br />
Image 11: Selecting the Installation Mode<br />
9. Click on Next to select the default Destination Folder or Click on Change to install the <strong>SSO</strong><br />
Authentication <strong>Utility</strong> in another folder.<br />
Image 12: Selecting the Installation Folder<br />
10. Click on Install.<br />
Image 13: Copying the Files to your Computer<br />
11. After a few moments, you will be asked to create a default user profile (see section 2.9).<br />
If you have profiles from a previous version, click on No and proceed to step 12 (page 25).<br />
If no profile information is present, click on Yes (see Table 1).<br />
Image 14: Creating a Default User Profile<br />
Note<br />
If you do not create a default profile, the user is automatically prompted to authenticate with<br />
the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> after logging on to Windows or Linux (pop-up window).<br />
12. Enter the profile settings, as shown below and explained in Table 1.<br />
Image 15: Entering Profile Information<br />
Table 1: Entering Post Installation Profile Settings<br />
Label | Description<br />
Name | The label of the user profile.<br />
Use Windows Domain Mode for this profile | Check this option if the PC sits in a Windows Domain. The username and password fields are grayed out when this option is checked, since the Windows Domain credentials are used to authenticate with the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> (see sections 2.4 and 2.5.1). Uncheck this option if the PC is not connected to a Windows Domain (Workgroup Mode, see section 2.5.2).<br />
Description | An optional description of the user profile, e.g. Paris office, Boston office.<br />
<strong>aXsGUARD</strong>@ | The LAN IP address of the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong>. The <strong>SSO</strong> Authentication <strong>Utility</strong> attempts to complete the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> LAN IP address by performing a DNS lookup of the default DNS name axsguard. If the DNS name is not found, the <strong>aXsGUARD</strong>@ field needs to be completed manually.<br />
Username (Workgroup Mode only) | The <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> user name.<br />
Password (Workgroup Mode only) | The <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> password.<br />
13. Click on Finish to complete the setup.<br />
Image 16: Completing the <strong>SSO</strong> <strong>Utility</strong> Installation<br />
User Installation (non-administrators)<br />
When you are logged on to Windows XP as a regular user (without administrator privileges), you can only<br />
install the <strong>SSO</strong> Authentication <strong>Utility</strong> for your own Windows XP user account. The installation procedure is<br />
identical to the System-Wide installation (see page 21).<br />
1. Log on to Windows XP as a regular user.<br />
2. Download the installer as explained in section 3.3.1.<br />
3. Extract the zip file to the location of your choice.<br />
4. Double-click on the msi installer.<br />
5. Follow the on-screen instructions.<br />
3.3.3 Windows Vista<br />
Cautions<br />
If you are running the installation batch file (instwrapper.bat) from a network share, Windows<br />
Vista will ask you an extra confirmation (see the image below). Click on Run to start the<br />
installation process.<br />
The installation, as explained in this How To, has been executed while the Windows Vista<br />
User Account Control option is enabled (see the Tip at the bottom of this page).<br />
The <strong>SSO</strong> Authentication <strong>Utility</strong> installation behavior in Windows Vista may vary depending on<br />
your local user policy settings.<br />
Image 17: Windows Vista Security Warning<br />
Tip<br />
To verify if the User Account Control (UAC) option is enabled:<br />
Go to the Control Panel and click on User Accounts > User Accounts.<br />
Image 18: Enabling UAC in Windows Vista<br />
System-Wide Installation (for all users)<br />
1. Download the installer as explained in section 3.3.1.<br />
2. Extract the zip file to the location of your choice.<br />
3. Right-click on the batch file (instwrapper.bat) and select Run as administrator. If you are logged<br />
on as the administrator (The user name 'Administrator'), double-click on the batch file.<br />
Image 19: Windows Vista Installation<br />
4. Enter an administrator password if requested. (When you are already logged on as the administrator,<br />
Windows Vista will not ask for a password, only a confirmation to continue the installation).<br />
Image 20: Administrator Password<br />
5. Follow the same procedure as explained for Windows XP (see 3.3.2).<br />
User Installation (non-administrators)<br />
The installation procedure is almost identical to the System-Wide installation. The <strong>SSO</strong> Authentication <strong>Utility</strong><br />
will be installed for the current user only (see the image below).<br />
1. Log on to Windows Vista as a regular user.<br />
2. Download the installer as explained in section 3.3.1.<br />
3. Extract the zip file to the location of your choice.<br />
4. Double-click on the batch file (instwrapper.bat) to start the installation process.<br />
5. Follow the same procedure as explained for Windows XP (see 3.3.2).<br />
6. Enter an administrator password when requested.<br />
Image 21: User Installation<br />
3.3.4 Linux<br />
To install the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong> on Linux systems, you first have to extract the<br />
Linux binary from the tgz archive. Once the extraction is complete, you can integrate the <strong>SSO</strong> Authentication<br />
<strong>Utility</strong> with your preferred Window Manager, e.g. GNOME or KDE.<br />
Notes<br />
An automated installer for Linux is not available until further notice.<br />
As there are many Linux distributions, we have limited the instructions in this manual to<br />
Ubuntu Jaunty (9.04).<br />
To install the <strong>SSO</strong> Authentication <strong>Utility</strong> in Ubuntu Jaunty:<br />
1. Log on to Ubuntu.<br />
2. Download the binary for Linux, as explained in section 3.3.1.<br />
3. Extract the Linux binary from the tgz file to the location of your choice.<br />
To start the <strong>SSO</strong> Authentication <strong>Utility</strong> in Ubuntu Jaunty:<br />
1. Open the directory where you extracted the Linux binary.<br />
2. Double-click on the <strong>aXsGUARD</strong><strong>SSO</strong>v2 binary.<br />
3. Configure the <strong>SSO</strong> Authentication <strong>Utility</strong> as explained in chapter 4.<br />
GNOME Integration<br />
1. Navigate to System > Preferences > Startup Applications.<br />
2. Click on Add.<br />
3. Enter a name for the application, e.g. <strong>SSO</strong>.<br />
4. Click on Browse to locate and add the Linux binary.<br />
5. Enter a description (optional).<br />
6. Click on Close.<br />
Image 22: GNOME Integration<br />
KDE Integration<br />
1. Open a console, e.g. xterm.<br />
2. Create a symbolic link in $HOME/.kde/Autostart which points to the <strong>aXsGUARD</strong><strong>SSO</strong>v2 binary<br />
(see the image below).<br />
Image 23: KDE Integration<br />
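The Linux extraction steps of section 3.3.4 and the KDE autostart link described above, as an added shell example that is not part of the VASCO manual. Only the binary name aXsGUARDSSOv2 and the $HOME/.kde/Autostart directory come from the manual; the function names, the archive file name in the usage comment and the member-name check before extraction are assumptions.

```shell
#!/bin/sh
# Added example (not from the VASCO manual).
SSO_BINARY_NAME="aXsGUARDSSOv2"   # binary name as given in the manual

# An archive member is acceptable only if its name is relative and never
# climbs out of the destination directory with "..".
entry_is_safe() {
    case "$1" in
        /*|..|../*|*/..|*/../*) return 1 ;;
        *) return 0 ;;
    esac
}

# List the tgz first and refuse it if it is unreadable or has an unsafe member.
archive_is_safe() {
    listing=$(tar -tzf "$1") || return 1
    printf '%s\n' "$listing" | while IFS= read -r entry; do
        entry_is_safe "$entry" || {
            echo "unsafe archive member: $entry" >&2
            exit 1          # leaves the pipeline subshell with status 1
        }
    done
}

# Extract the archive into a destination directory and print the absolute
# path of the SSO binary found inside it.
install_sso() {
    archive=$1
    dest=$2
    archive_is_safe "$archive" || return 1
    mkdir -p "$dest" || return 1
    tar -xzf "$archive" -C "$dest" || return 1
    binary=$(find "$dest" -type f -name "$SSO_BINARY_NAME" | head -n 1)
    if [ -z "$binary" ]; then
        echo "$SSO_BINARY_NAME not found in $archive" >&2
        return 1
    fi
    chmod u+x "$binary" || return 1
    bindir=$(cd "$(dirname "$binary")" && pwd) || return 1
    printf '%s\n' "$bindir/$SSO_BINARY_NAME"
}

# Create the KDE autostart symbolic link for the current user and print
# the path of the link.
kde_autostart() {
    target=$1
    autostart="$HOME/.kde/Autostart"
    [ -x "$target" ] || { echo "not executable: $target" >&2; return 1; }
    mkdir -p "$autostart" || return 1
    rm -f "$autostart/$SSO_BINARY_NAME"
    ln -s "$target" "$autostart/$SSO_BINARY_NAME" || return 1
    printf '%s\n' "$autostart/$SSO_BINARY_NAME"
}

# Usage (the archive name and destination are placeholders):
#   bin=$(install_sso ./sso-linux.tgz "$HOME/axsguard-sso") && kde_autostart "$bin"
```

Running this as the regular desktop user keeps the link in that user's own autostart directory, matching the per-user scope of the KDE step.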
3.4 Upgrading<br />
Caution<br />
If you upgrade from version 1.0 to version 2.0 or higher, you should uninstall the old version<br />
before upgrading (see section 3.5).<br />
Make sure to fully exit the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong> prior to an<br />
upgrade or removal (uninstall).<br />
Upgrades of the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong> are announced via:<br />
The changelogs sent with <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> revision and version updates.<br />
A one-time notification message in the Windows, GNOME or KDE system tray (see section 2.8).<br />
Notes<br />
This notification message can be disabled (see section 4.9, Advanced Configuration<br />
Settings).<br />
As of version 2.0, the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong> automatically<br />
attempts to remove the previous version when you start the installation procedure. A manual<br />
uninstall is no longer required.<br />
3.5 Uninstalling<br />
Windows XP<br />
1. Open the Windows Control Panel.<br />
2. Click on Add or Remove Programs.<br />
3. Select the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Authentication <strong>Utility</strong>.<br />
4. Click the Change/Remove button.<br />
Windows Vista<br />
1. Navigate to Computers.<br />
2. Click on Uninstall or change a program.<br />
3. Select the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Authentication <strong>Utility</strong>.<br />
4. Click on Uninstall.<br />
4 Configuration and Use<br />
4.1 Overview<br />
Topics covered in this chapter include:<br />
Starting the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Authentication <strong>Utility</strong>.<br />
How to configure the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Authentication <strong>Utility</strong>.<br />
4.2 Getting Started<br />
In Microsoft Windows, the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication <strong>Utility</strong> automatically starts after a<br />
successful login. An icon appears in the system tray.<br />
Image 24: Successful Authentication<br />
Moving your mouse pointer over the tray icon provides the Authentication Status.<br />
Alternatively, the <strong>SSO</strong> utility can be started manually in Windows XP and Vista:<br />
Navigate to Start > Programs > <strong>aXsGUARD</strong> <strong>SSO</strong> Tool. Click on the <strong>aXsGUARD</strong> <strong>SSO</strong> Tool Icon.<br />
Image 25: Starting <strong>SSO</strong> Manually<br />
4.3 Creating User Profiles<br />
Right-clicking on the tray icon will show a context menu allowing a user to activate, create, delete or edit a<br />
user profile. Other menu options include logging off from the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> and shutting down the<br />
<strong>SSO</strong> Authentication <strong>Utility</strong>.<br />
A user can create different user profiles corresponding to his/her current location and/or specific network<br />
resource needs (see section 2.9).<br />
1. Right-click on the tray icon to display the context menu.<br />
2. Select Create new profile.<br />
3. Enter the profile settings as explained on page 24. (The Proxy Server and Default Profile settings are<br />
explained further in this chapter).<br />
4. Click on Save.<br />
Image 26: Creating a User Profile<br />
Image 27: Creating a New Profile<br />
A user profile consists of a unique name and a short (optional) description, for instance home office, followed<br />
by the IP address of the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong>.<br />
The <strong>SSO</strong> Authentication <strong>Utility</strong> attempts to complete the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> LAN IP address by performing<br />
a DNS lookup of the default DNS name axsguard. If the DNS name is not found, the <strong>aXsGUARD</strong>@ field needs<br />
to be completed manually.<br />
In Domain Mode (see section 2.5.1), the <strong>SSO</strong> Authentication <strong>Utility</strong> also attempts to detect the username and<br />
the Windows Domain.<br />
Note<br />
In Workgroup Mode the domain field is grayed out.<br />
There are three instances in which the password field in a user profile may be left blank.<br />
These are described in the table below:<br />
Table 2: Not specifying a password<br />
Instances in which the password field may be left blank<br />
Windows Domain Mode | When working in Windows Domain Mode, the username and password fields cannot be edited by the user, since he/she authenticates with the Windows Domain server (see section 2.5.1).<br />
Workgroup Mode | If your company policy prevents the storage of <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> user passwords locally (when not using the <strong>Single</strong> <strong>Sign</strong>-<strong>On</strong> feature), users will be prompted to authenticate whenever required (see image below).<br />
VASCO Digipass | For <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> systems which are configured for authentication with a VASCO Digipass, a password window appears whenever a user is required to authenticate (see image below).<br />
Image 28: <strong>SSO</strong> Password Window<br />
4.4 <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Proxy server<br />
You can also select the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> as your Proxy Server for Internet browsing. The Proxy Server<br />
provides security against viruses and other malware. It allows you to implement Web Access Control policies at<br />
the user level, to prevent access to unauthorized and undesired websites. More information about the<br />
<strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Proxy Server (Web Access Module) is available in section 2.7 and the <strong>aXsGUARD</strong><br />
<strong>Gatekeeper</strong> Web Access How To, which is accessible by clicking on the permanently available Documentation<br />
button in the Administrator Tool.<br />
Selecting the option Use <strong>aXsGUARD</strong> as Proxy server will automatically change the browser's proxy settings<br />
after successful authentication with the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong>. This feature only works with Firefox and<br />
Microsoft Internet Explorer on Microsoft Windows platforms.<br />
1. Right-click on the tray icon to display the context menu.<br />
2. Navigate to Edit/Delete profiles.<br />
3. Select the appropriate profile.<br />
4. Check the Use <strong>aXsGUARD</strong> as Proxy server option.<br />
5. Click on Save.<br />
Image 29: Proxy Server Settings<br />
Note<br />
For Firefox, check the Change Firefox proxy settings option, as shown in Image 30: right-click on<br />
the tray icon and navigate to Settings. Click OK to save your settings.<br />
Image 30: Firefox Specific<br />
4.5 Setting a Default User Profile<br />
If you have configured more than one user profile (see section 4.3), you can select which profile should be the<br />
default after logging on to your computer. The default user profile can be changed at any time.<br />
1. Follow the same steps as explained on page 34.<br />
2. Check the Use this profile as your default profile option (see below).<br />
Image 31: Setting a Default User Profile<br />
Note<br />
Only one profile can be set as the default.<br />
4.6 Activating a User Profile<br />
To manually log on with a specific profile, a user has to select Activate profile from the tray icon menu. A list<br />
with the available profiles will appear. The profile currently in use will be marked as active (see below).<br />
To manually activate a user profile:<br />
1. Right-click on the tray icon to display the context menu.<br />
2. Select Activate profile.<br />
3. Click on the desired user profile.<br />
Image 32: Activating a User Profile<br />
4.7 Editing and Deleting User Profiles<br />
The Edit/Delete profiles option allows you to modify or delete a user profile.<br />
To edit or delete a user profile:<br />
1. Right-click on the tray icon.<br />
2. Select Edit/Delete profiles.<br />
3. Select the desired profile.<br />
4. Modify the settings and click on Save or click on Delete to remove the user profile.<br />
Image 33: Deleting a User Profile<br />
4.8 Linux Configuration<br />
On Linux systems, the configuration settings for the <strong>SSO</strong> Authentication <strong>Utility</strong> are stored in the user's home<br />
directory in the .aXsguardSSOv2 file (see the image below). The file can be edited with a standard text editor.<br />
Caution is advised when editing the file.<br />
The configuration menus of the Linux version are identical to the ones used in the Windows version.<br />
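A permission audit for the Linux configuration file described above, added here as an example and not part of the VASCO documentation or software. It assumes the file may hold profile data such as a stored password; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not VASCO code): audit the per-user SSO configuration file
# named in section 4.8. Assumption: the file can hold profile data, possibly
# including a stored password, so only its owner should have access.

CFG_NAME=".aXsguardSSOv2"   # file name taken from the manual

# audit_sso_config [HOME_DIR]
# Return codes: 0 owner-only, 1 group/other access, 2 missing, 3 not a plain file.
audit_sso_config() {
    cfg="${1:-$HOME}/$CFG_NAME"
    if [ -L "$cfg" ]; then
        echo "WARN: $cfg is a symbolic link; check where it points" >&2
        return 3
    fi
    if [ ! -e "$cfg" ]; then
        echo "INFO: $cfg not found" >&2
        return 2
    fi
    if [ ! -f "$cfg" ]; then
        echo "WARN: $cfg is not a regular file" >&2
        return 3
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $cfg is accessible to group/other ($perms)" >&2
        return 1
    fi
    echo "OK: $cfg is restricted to its owner"
    return 0
}

# harden_sso_config [HOME_DIR]
# Remove group/other access without touching the owner's bits.
harden_sso_config() {
    cfg="${1:-$HOME}/$CFG_NAME"
    [ -f "$cfg" ] && [ ! -L "$cfg" ] || return 3
    chmod go-rwx "$cfg"
}
```

Source the file and run `audit_sso_config || harden_sso_config` as the user who owns the profile; both functions accept another home directory as their first argument.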
4.9 Advanced Configuration<br />
Caution<br />
It is not recommended to change these settings unless you are fully aware of the<br />
intended program behavior and possible results.<br />
This section covers the advanced configuration settings of the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> <strong>SSO</strong> Authentication<br />
<strong>Utility</strong>.<br />
1. Right-click on the tray icon.<br />
2. Click on Settings. (See Table 3).<br />
3. Click on OK to save the settings.<br />
Image 34: Linux <strong>SSO</strong> Configuration File<br />
Image 35: Advanced Settings<br />
Table 3: <strong>SSO</strong>: Advanced Settings<br />
Setting: Description<br />
Enable secure Login: The <strong>SSO</strong> tool uses an SSL (encrypted) connection towards the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong>. This option is enabled by default.<br />
Change Firefox proxy settings: Enables the automatic configuration of Firefox proxy settings when the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> is used as a proxy server. This option is enabled by default and only affects Microsoft Windows systems (see section 4.4).<br />
Notify user when new versions becomes available: If enabled, a notification will automatically be displayed for about ten seconds, advising the user of available <strong>SSO</strong> Authentication <strong>Utility</strong> software updates. This option is enabled by default.<br />
Enable Debug output: Enables debug output to a logfile axsguard.log in the directory where the <strong>SSO</strong> Authentication <strong>Utility</strong> is installed. This option is disabled by default.<br />
5 Troubleshooting<br />
I cannot install the <strong>SSO</strong> Authentication <strong>Utility</strong> in Windows Vista<br />
If you encounter problems during installation, for instance error messages when writing to the registry or file<br />
system, install the <strong>SSO</strong> Authentication <strong>Utility</strong> as an Administrator.<br />
Connection to server fails<br />
If you encounter the following error message:<br />
Image 36: Login Error<br />
Verify the following:<br />
1. Is the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> LAN IP address correctly entered in the given user profile? Right-click the<br />
system tray icon and edit the profile to verify this.<br />
2. Is it possible to 'ping' the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> LAN IP address? If it cannot be pinged, the network<br />
connectivity should be checked: is the computer still physically connected to the LAN? Verify whether the<br />
network cables are still connected and replace the network cable if necessary.<br />
3. Check the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Firewall to verify whether the sec-auth Firewall Rule is present and<br />
activated in the stat-sec static Firewall Policy (Firewall > Policies > Static > stat-sec, as shown below).<br />
Image 37: Stat-Sec Firewall Policy<br />
If the error occurs because of a temporary network outage, the <strong>SSO</strong> Authentication <strong>Utility</strong> displays a message<br />
as soon as the connection is restored.<br />
Image 38: Connection Restored<br />
Unknown user or password invalid<br />
If the following error message appears when signing on:<br />
Image 39: Invalid User or Password<br />
Verify the following:<br />
1. Check the allowed Microsoft domains in the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Administrator Tool (see section 3.2).<br />
This field must be left empty if no domains are used in your network.<br />
2. Is the username/password combination entered correctly and valid in the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> user list?<br />
3. Edit the user profile to make sure the correct username has been entered and re-enter the corresponding<br />
password. Save and reactivate the profile.<br />
Login not allowed from domain or computer<br />
If the following error message appears when signing on:<br />
Image 40: Domain Error<br />
Verify the following:<br />
1. Check the allowed Microsoft domains in the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Administrator Tool and make sure that<br />
they match the domain as defined in your profile (see section 3.2).<br />
2. Make sure you are logged on to the Windows domain and not locally (see image below). When using<br />
Workgroup mode, no domain should be specified in the <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> Administrator Tool.<br />
Image 41: Windows Logon<br />
Digipass Authentication fails<br />
1. Make sure you did not store a password in the user profile (see section 2.5.2).<br />
2. Test the DIGIPASS in the Administrator Tool.<br />
3. Check if the DIGIPASS is correctly assigned to the user.<br />
4. Check the user's Web Access and Firewall Policy settings.<br />
Detailed information about Authentication and DIGIPASS configuration settings is available in the <strong>aXsGUARD</strong><br />
<strong>Gatekeeper</strong> Authentication How To, which can be accessed by clicking on the permanently available<br />
Documentation button in the Administrator Tool.<br />
6 Support<br />
6.1 Overview<br />
In this section we provide instructions on what to do if you have a problem, or experience a hardware failure.<br />
6.2 If you encounter a problem<br />
If you encounter a problem with a VASCO product, please follow the steps below:<br />
1. Check whether your problem has already been solved and reported in section 5 or in the Knowledge<br />
Base at the following URL: http://www.vasco.com/support.<br />
2. If there is no solution in the Knowledge Base, please contact the company which supplied you with the<br />
VASCO product.<br />
3. If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO<br />
expert. If necessary, VASCO experts can access your <strong>aXsGUARD</strong> <strong>Gatekeeper</strong> remotely to solve any<br />
problems.<br />
6.3 Return procedure if you have a hardware failure<br />
If you experience a hardware failure, please contact your VASCO supplier.<br />