PortWise 4.7 Manual
Version: 1.5
Copyright Notice
IMPORTANT NOTICE
PortWise 4.7 Manual
Version: 1.5
Copyright © 2009 PortWise AB. All rights reserved.
Warranty Disclaimer
This manual, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such
license. The content of this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a
commitment by PortWise AB. PortWise AB assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation. Except
as permitted by such license, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, recording, or otherwise, without the prior written permission of PortWise AB.
Notice to U.S. government end users. The software and documentation are “commercial items” as that term is defined at 48 C.F.R. §2.101, consisting
of “commercial computer software” and “commercial computer software documentation”; as such terms are used in 48 C.F.R. §12.212 or 48 C.F.R.
§227.7202, as applicable. Consistent with 48 C.F.R. §12.212 or 48 C.F.R. §§227.7202-1 through 227.7202-4, as applicable, the commercial computer
software and commercial computer software documentation are being licensed to U.S. government end users (A) only as commercial items and (B) with
only those rights as are granted to all other end users pursuant to the terms and conditions set forth in the PortWise standard commercial agreement
for this software. Unpublished rights reserved under the copyright laws of Sweden.
PortWise and the PortWise logo are registered trademarks of PortWise AB. All other trademarks are the property of their respective owners.
Part Number: 700-180500-100
Table of Contents
Introduction.............................................................................................................................................17
PortWise 4.7 Manual......................................................................................................................................... 17
Target Audience........................................................................................................................................... 17
Other Resources.......................................................................................................................................... 17
Conventions Used in this Publication............................................................................................................ 18
Contacting PortWise Documentation Department........................................................................................ 18
References................................................................................................................................................... 18
Getting Started................................................................................................................................................. 18
Reading Suggestions......................................................................................................................................... 19
Customer Support............................................................................................................................................. 20
PortWise Overview..................................................................................................................................21
Product Overview.............................................................................................................................................. 21
Assessment................................................................................................................................................. 21
Authentication............................................................................................................................................. 22
Authorization.............................................................................................................................................. 23
Access......................................................................................................................................................... 23
Auditing...................................................................................................................................................... 23
Abolishment................................................................................................................................................ 24
Resources.................................................................................................................................................... 28
Standard Resources..................................................................................................................................... 28
Access Rules................................................................................................................................................ 28
Single Sign-On............................................................................................................................................. 29
Authentication Service...................................................................................................................................... 29
PortWise Authentication.............................................................................................................................. 30
PortWise Distribution Service............................................................................................................................ 30
Planning...................................................................................................................................................31
Define the Deployment Goals............................................................................................................................ 31
Initial Questions........................................................................................................................................... 31
Security Audit/Planning..................................................................................................................................... 32
System Architecture Review......................................................................................................................... 32
Public Key Infrastructure.............................................................................................................................. 32
Securing Your Operating System........................................................................................................................ 33
Securing the File System.............................................................................................................................. 33
Securing Shared Resources.......................................................................................................................... 34
File Auditing................................................................................................................................................ 34
Securing Disk Resources.............................................................................................................................. 34
User Management Strategy............................................................................................................................... 34
Analyzing Your Environment........................................................................................................................ 35
Directory Service Requirements.................................................................................................................... 35
Password Management............................................................................................................................... 35
Securing Microsoft Active Directory............................................................................................................. 36
Recommendations for DNS Management..................................................................................................... 36
Recommendations for the Active Directory Installation................................................................................. 36
Recommendations for Domain and OU Management................................................................................... 37
Recommendations for Tree and Forest Management.................................................................................... 37
Recommendations for Object Access Control Management.......................................................................... 37
Recommendations for Replication Management........................................................................................... 37
Recommendations for Operations Masters................................................................................................... 38
Recommendations for Auditing.................................................................................................................... 38
Resource Access................................................................................................................................................ 38
Access Strategies......................................................................................................................................... 38
Select Authentication Methods.................................................................................................................... 39
Pre-Installation Check List................................................................................................................................. 39
The PortWise 4.7 Network................................................................................................................................ 39
Recommended Network Layout................................................................................................................... 39
Default Listening Ports................................................................................................................................. 40
PortWise Installation.............................................................................................................................. 43
Overview........................................................................................................................................................... 43
PortWise User.............................................................................................................................................. 44
Upgrade Overview....................................................................................................................................... 44
Preparation....................................................................................................................................................... 45
License........................................................................................................................................................ 45
IP Addresses................................................................................................................................................ 45
Ports........................................................................................................................................................... 45
Time Synchronization................................................................................................................................... 45
Antivirus Programs...................................................................................................................................... 45
Installing on Windows....................................................................................................................................... 45
Installing Administration Service.................................................................................................................. 46
Installing Access Point................................................................................................................................. 46
Installing Policy Service................................................................................................................................ 47
Installing Authentication Service (Optional).................................................................................................. 47
Installing Distribution Service (Optional)...................................................................................................... 47
Installing PortWise Mobile ID (Optional)...................................................................................................... 48
Installing Access Client (Optional)................................................................................................................ 48
Installing on Linux............................................................................................................................................. 48
Installing Administration Service.................................................................................................................. 48
Setup System............................................................................................................................................... 49
Installing Access Point................................................................................................................................. 49
Installing Policy Service................................................................................................................................ 49
Installing Authentication Service (Optional).................................................................................................. 49
Installing Distribution Service (Optional)...................................................................................................... 50
Installing PortWise Mobile ID (Optional)...................................................................................................... 50
Installing PortWise Mobile ID on Mac OS X....................................................................................................... 50
Upgrading PortWise Services and Clients.......................................................................................................... 50
Upgrading on Windows................................................................................................................................51
Upgrading on Mac OS X...............................................................................................................................51
Upgrading on Linux..................................................................................................................................... 52
Reverting an Upgrade....................................................................................................................................... 53
PortWise Services........................................................................................................................................ 53
Starting and Stopping PortWise Services........................................................................................................... 53
On Windows................................................................................................................................................ 54
On Linux...................................................................................................................................................... 54
Uninstalling PortWise 4.7.................................................................................................................................. 54
On Windows................................................................................................................................................ 54
On Linux...................................................................................................................................................... 55
Setup System...........................................................................................................................................57
About Setup System.......................................................................................................................................... 57
Requirements and Preparation..................................................................................................................... 57
What Setup System Includes........................................................................................................................ 58
Starting the Setup System Wizard...................................................................................................................... 58
PortWise Administration Service Dashboard................................................................................................. 59
PortWise Administrator................................................................................................................................ 59
Upload License File............................................................................................................................................ 59
Select Directory Service..................................................................................................................................... 59
Configure Directory Service............................................................................................................................... 60
Super Administrator Credentials........................................................................................................................ 63
Set up Administration Service............................................................................................................................ 63
Set Up Access Point........................................................................................................................................... 63
Set Up Policy Service......................................................................................................................................... 64
Set Up Authentication Service........................................................................................................................... 64
Select PortWise Authentication Methods..................................................................................................... 64
Select Additional Authentication Methods................................................................................................... 65
Configure Authentication Methods.................................................................................................................... 66
Confirm Authentication Methods....................................................................................................................... 68
Configure User Storage..................................................................................................................................... 68
Select Additional Directory Service.................................................................................................................... 70
Configure Additional Directory Service.............................................................................................................. 71
Finishing the Setup System Wizard.................................................................................................................... 72
Administration.........................................................................................................................................73
Introduction...................................................................................................................................................... 73
About PortWise Administrator........................................................................................................................... 73
Top Menu.................................................................................................................................................... 74
Navigate in PortWise Administrator............................................................................................................. 75
Monitor System........................................................................................................................................... 75
Manage Accounts and Storage.................................................................................................................... 75
Manage Resource Access............................................................................................................................. 76
Manage System........................................................................................................................................... 77
Monitor System........................................................................................................................................79
About Monitor System....................................................................................................................................... 79
Status Overview........................................................................................................................................... 79
Event Overview............................................................................................................................................ 79
System Status......................................................................................................................................... 83
About System Status......................................................................................................................................... 83
General Status............................................................................................................................................. 83
Access Points............................................................................................................................................... 83
Policy Services............................................................................................................................................ 83
Authentication Services............................................................................................................................... 83
User Sessions.......................................................................................................................................... 85
About User Sessions.......................................................................................................................................... 85
Log Viewer...............................................................................................................................................87
About Log Viewer............................................................................................................................................. 87
Diagnostics File............................................................................................................................................ 88
Log Viewer Settings..................................................................................................................................... 89
Logging....................................................................................................................................................91
About Logging.................................................................................................................................................. 91
Manage Logging............................................................................................................................................... 92
Log Level Filter............................................................................................................................................. 92
Log File Rotation.......................................................................................................................................... 92
Windows Event Log/Unix Syslog.................................................................................................................. 93
License.................................................................................................................................................... 95
About License................................................................................................................................................... 95
View License Details.......................................................................................................................................... 95
Upload New License.................................................................................................................................... 96
Alerts........................................................................................................................................................97
About Alerts..................................................................................................................................................... 97
Alert Events................................................................................................................................................. 97
Manage Alerts.................................................................................................................................................. 98
Alert Settings............................................................................................................................................... 98
Alert Event Settings..................................................................................................................................... 98
Alert Notification Receivers.......................................................................................................................... 98
Reports...................................................................................................................................................103
About Reports................................................................................................................................................. 103
User Linking...........................................................................................................................................123
About User Linking.......................................................................................................................................... 123
Manage User Linking...................................................................................................................................... 123
Manage User Link Repair............................................................................................................................124
User Import............................................................................................................................................125
About User Import...........................................................................................................................................125
User Accounts........................................................................................................................................129
About User Accounts....................................................................................................................................... 129
Add User Account...................................................................................................................................... 130
User Linking.............................................................................................................................................. 130
User Import................................................................................................................................................131
PortWise Authentication.............................................................................................................................131
Single Sign-On Domain Settings..................................................................................................................131
User Certificate...........................................................................................................................................132
Manage User Accounts.....................................................................................................................................132
Manage User Accounts...............................................................................................................................132
General Settings.........................................................................................................................................132
Manage SSO Settings................................................................................................................................ 134
User Certificate...........................................................................................................................................135
User Groups...........................................................................................................................................143
About User Groups.......................................................................................................................................... 143
About User Location Group....................................................................................................................... 143
About User Property Group....................................................................................................................... 143
About User Group in Directory Service....................................................................................................... 143
Manage User Groups....................................................................................................................................... 144
Manage User Property Groups................................................................................................................... 144
Manage User Location Groups................................................................................................................... 144
User Storage..........................................................................................................................................147
About User Storage......................................................................................................................................... 147
Search Rules.............................................................................................................................................. 147
Directory Mapping..................................................................................................................................... 147
Manage User Storage...................................................................................................................................... 147
General Settings........................................................................................................................................ 147
Manage Search Rules................................................................................................................................. 148
Member Attribute Name............................................................................................................................ 149
Manage Directory Mapping....................................................................................................................... 150
Self Service............................................................................................................................................151
About Self Service............................................................................................................................................151
Self Service Example...................................................................................................................................151
Manage Self Service.........................................................................................................................................152
Settings........................................................................................................................................................... 154
Standard Resources...............................................................................................................................167
About Standard Resources.............................................................................................................................. 167
Manage Standard Resources........................................................................................................................... 168
Citrix MetaFrame Presentation Server........................................................................................................ 169
Thinlinc Application Server..........................................................................................................................170
Domino Web Access 6.5.............................................................................................................................171
Terminal Server 2000 and 2003..................................................................................................................171
Outlook Web Access 2000/Outlook Web Access 2003/Outlook Web Access 2007/Outlook Web Access 5.5.172
Microsoft Outlook Client 2000/2003/2007................................................................................................ 173
POP3/SMTP............................................................................................................................................... 173
IMAP/SMTP............................................................................................................................................... 173
Windows File Share ...................................................................................................................................174
Access to Home Directory...........................................................................................................................174
Secure Remote Access to Administrator......................................................................................................174
SalesForce .................................................................................................................................................175
Web Resources.......................................................................................................................................179
About Web Resources..................................................................................................................................... 179
Single Sign-On........................................................................................................................................... 179
Manage Web Resource Hosts.......................................................................................................................... 180
General Settings........................................................................................................................................ 180
Access Rules.............................................................................................................................................. 185
Advanced Settings..................................................................................................................................... 185
Tunnel Resources...................................................................................................................................193
About Tunnel Resources.................................................................................................................................. 193
Manage Tunnel Resources............................................................................................................................... 193
Tunnel Resource Settings........................................................................................................................... 193
Alternative Hosts....................................................................................................................................... 194
Access Rules.............................................................................................................................................. 194
Advanced Settings..................................................................................................................................... 194
Tunnel Sets.............................................................................................................................................201
About Tunnel Sets........................................................................................................................................... 201
Static Tunnels............................................................................................................................................ 201
Dynamic Tunnels........................................................................................................................................ 201
Access Rules.............................................................................................................................................. 202
Access Client............................................................................................................................................. 202
Manage Tunnel Sets........................................................................................................................................ 202
Tunnel Set Settings.................................................................................................................................... 202
Startup Settings......................................................................................................................................... 205
Advanced Settings..................................................................................................................................... 206
Access Rules...............................................................................................................................................210
External DHCP Settings...............................................................................................................................210
Use External DHCP.....................................................................................................................................210
DHCP Server...............................................................................................................................................210
IP Address Pool...........................................................................................................................................210
DNS Server.................................................................................................................................................210
Client Firewalls......................................................................................................................................213
About Client Firewalls......................................................................................................................................213
Prevent Other Network Connections to be routed.......................................................................................213
Customized Resources...........................................................................................................................219
About Customized Resources...........................................................................................................................219
Manage Customized Resource Hosts................................................................................................................219
Customized Resource Host Settings............................................................................................................219
Access Rules.............................................................................................................................................. 220
Advanced Settings..................................................................................................................................... 220
Manage Customized Resource Paths............................................................................................................... 221
Customized Resource Path Settings........................................................................................................... 221
Access Rules.............................................................................................................................................. 222
Advanced Settings..................................................................................................................................... 222
SSO Domains..........................................................................................................................................225
About SSO Domains........................................................................................................................................ 225
Access Rules.............................................................................................................................................. 225
Domain Types............................................................................................................................................ 225
Manage SSO Domains..................................................................................................................................... 227
SSO Domain Settings................................................................................................................................. 227
Domain Attributes..................................................................................................................................... 227
Access Rules.............................................................................................................................................. 230
Identity Federation................................................................................................................................251
About Identity Federation................................................................................................................................251
Assertions..................................................................................................................................................251
Preconditions............................................................................................................................................. 252
Service Provider......................................................................................................................................... 252
Identity Provider ....................................................................................................................................... 252
Global Identity Federation Settings............................................................................................................ 252
Service Providers....................................................................................................................................... 252
Identity Providers....................................................................................................................................... 253
Manage System......................................................................................................................................257
About Manage System.................................................................................................................................... 257
Abolishment...........................................................................................................................................259
About Abolishment......................................................................................................................................... 259
Manage Abolishment...................................................................................................................................... 259
General Settings........................................................................................................................................ 259
Cache Cleaner........................................................................................................................................... 260
Advanced.................................................................................................................................................. 261
Administration Service..........................................................................................................................277
About Administration Service.......................................................................................................................... 277
Configuration............................................................................................................................................ 278
Manage Administration Service....................................................................................................................... 278
Administration Service Settings.................................................................................................................. 278
Assessment............................................................................................................................................281
About Assessment.......................................................................................................................................... 281
Manage Assessment....................................................................................................................................... 282
General Settings ....................................................................................................................................... 282
Advanced Settings..................................................................................................................................... 284
Plug-ins .................................................................................................................................................... 285
Authentication Methods.......................................................................................................................287
About Authentication Methods....................................................................................................................... 287
PortWise Authentication Methods............................................................................................................. 288
Additional Authentication Methods........................................................................................................... 290
Manage Authentication Methods.................................................................................................................... 291
General Settings........................................................................................................................................ 292
Authentication Method Server................................................................................................................... 296
RADIUS Replies......................................................................................................................................... 303
Extended Properties.................................................................................................................................. 304
Authentication Services........................................................................................................................311
About Authentication Services.........................................................................................................................311
Manage Authentication Services......................................................................................................................312
Authentication Service Settings..................................................................................................................312
RADIUS Authentication...............................................................................................................................314
Password/PIN.............................................................................................................................................315
E-mail Messages........................................................................................................................................ 320
SMS/Screen Messages............................................................................................................................... 324
Certificates.............................................................................................................................................329
About Certificates........................................................................................................................................... 329
Registered Server Certificates.................................................................................................................... 329
Registered Client Certificate....................................................................................................................... 329
Manage Certificates........................................................................................................................................ 330
Certificate Authority Settings..................................................................................................................... 330
Server Certificate Settings.......................................................................................................................... 331
Client Certificate Settings.......................................................................................................................... 332
Device Definitions..................................................................................................................................335
About Device Definitions................................................................................................................................. 335
Manage Device Definitions.............................................................................................................................. 335
Delegated Management........................................................................................................................337
About Delegated Management....................................................................................................................... 337
Directory Services.................................................................................................................................341
About Directory Services................................................................................................................................. 341
Manage Directory Services.............................................................................................................................. 341
General Settings........................................................................................................................................ 341
Communication Settings............................................................................................................................ 342
Advanced Settings..................................................................................................................................... 342
Policy Services.......................................................................................................................................351
About Policy Services.......................................................................................................................................351
Manage Policy Services................................................................................................................................... 352
General Settings........................................................................................................................................ 352
XPI: Web Services...................................................................................................................................... 353
Communication Settings............................................................................................................................ 354
RADIUS Configuration...........................................................................................................................357
About RADIUS Configuration.......................................................................................................................... 357
Manage RADIUS Configuration....................................................................................................................... 357
RADIUS Client Settings.............................................................................................................................. 358
Manage RADIUS Back-End Servers............................................................................................................ 359
About OATH Configuration.............................................................................................................................. 361
Glossary................................................................................................................................................ 365
Colophon.................................................................................................................................................... I
1 Introduction
Target Audience
This manual covers all aspects of PortWise 4.7 and is intended for both administrators and system integrators. For more
detailed information on essential reading, please see section Getting Started below.
Other Resources
The PortWise Technical Note Library covers a large number of topics that extend the coverage presented in this manual.
Special Fonts
This publication uses several typographical conventions. All code listings, reserved words, and the names of actual data
structures, constants, fields, parameters, and routines are shown in monospaced font (this is monospace). Words
that appear in boldface are menu items and/or settings in the PortWise Administrator.
Type of Notes
This publication uses two types of notes.
Information
A note like this contains information that is interesting but possibly not essential to an
understanding of the main text.
Important
A note like this contains information that is essential for an understanding of the main
text.
References
Referenced documents, such as technical notes, are included with your product and can be located on the product
distribution, or if the product is already installed, in the Documentation folder where the product was installed. It is also
possible to access the documentation directly from the PortWise Administrator Dashboard.
Getting Started
The PortWise 4.7 Manual covers all areas related to PortWise 4.7. Below is an outline of the main parts and what each
part covers.
Information
The PortWise 4.7 Administration Service, PortWise 4.7 Access Point, PortWise 4.7 Policy
Service, and PortWise 4.7 Authentication Service will be referred to as the Administration
Service, Access Point, Policy Service, and Authentication Service respectively
throughout the manual.
• Introduction
The reference manual starts with this introduction, outlining notation conventions, references, and presents a
comprehensive road map.
• Planning
This chapter deals with preparations that you need to perform before installing PortWise 4.7. It also contains
recommendations for a successful PortWise 4.7 deployment.
• Installation
This chapter covers the installation and initial setup of your PortWise system. This chapter should be read in
detail, and contains specific instructions on how to install PortWise 4.7.
• Setup System
The Setup System section details all steps necessary to configure and set up your PortWise system. This section
is most important, and should be read carefully.
• Administration
This chapter is a general introductory overview of how to navigate in PortWise 4.7.
• Monitor System
This chapter covers all aspects of the Monitor System section in the PortWise Administrator.
• Manage Accounts and Storage
This chapter covers all aspects of the Manage Accounts and Storage section in the PortWise Administrator.
• Manage Resource Access
This chapter covers all aspects of the Manage Resource Access section in the PortWise Administrator.
• Manage System
This chapter covers all aspects of the Manage System section in the PortWise Administrator.
• Glossary
This chapter presents a comprehensive glossary of terms.
Reading Suggestions
Be sure to read the following items.
• PortWise 4.7 Release Notes
Contains important information about the PortWise 4.7 release. Available on the product distribution.
• PortWise 4.7 Online Help
Contains context-sensitive help and in-depth conceptual information. Available in the PortWise 4.7 Administrator.
• Technical Notes
Available on the PortWise Administrator Dashboard.
Customer Support
When you register your product, you may be entitled to technical support. Terms may vary depending on the country of
residence. For more information, refer to technical support at http://support.portwise.com, or contact your local sales
representative.
2 PortWise Overview
Product Overview
Users today rely on access to applications and information from any location using any device, for maximum business
productivity and return-on-investment. By implementing a security strategy immediately, organizations can ensure that
customer trust is kept, profits are not lost, and the brand image is not damaged by malicious attacks.
PortWise covers entry-to-exit security by following the six core principles of security, also known as the six A’s. The six
A’s follow a holistic approach to security to ensure that users and organizations are completely protected using best-of-
breed technologies:
• Assess
Inspection of user device (laptops and desktop computers, PDAs, smart-phones) to ensure it complies with a
corporate security policy
• Authenticate
Identify that users are who they claim to be
• Authorize
Determine which applications users gain access to
• Access
Creates a secure encrypted network link between users’ devices and the desired application or information
• Audit
Records who accessed which application, when they did it, and what they downloaded
• Abolish
Removes all traces of access to the corporate network on completion of the session
Assessment
PortWise 4.7 inspects, or assesses, client devices to ensure compliance with your corporate security policy.
Requirements may include assessment of:
Authentication
Authentication in PortWise 4.7 is a seemingly easy process for the user.
All requests flow through a web of specialized servers: the Access Point, the Policy Service, the Authentication Service,
and back again. But for the user, the single point of contact is a Web browser when accessing resources.
To put it simply, the Access Point verifies the identity of the user by forwarding the user credentials via the Policy Service
to the Authentication Service, which in turn compares the information with credentials stored in the user storage. When
the check is completed, a Request Accept is sent to the Access Point, which allows the user to enter.
The Authentication Service supports five authentication methods relying on the RADIUS protocol:
• PortWise Mobile Text
• PortWise Web
• PortWise Challenge
• PortWise Password
• PortWise Synchronized
• PortWise OATH
Also supported are other RADIUS authentication methods such as SafeWord and SecurID.
One feature in PortWise 4.7 is the management of Certificate Authorities. It provides, among other things, the opportunity
to specify several parameters concerning certificate revocation: Certificate Authority Revocation List and Certificate
Revocation List retrieval.
Access control is specified by means of roles that link user groups with resources. A number of authentication methods
can be set for each resource and it is also possible to specify multiple authentication methods for a specific resource.
Examples of authentication methods are client certificates, business rules, and RADIUS compliant methods. All
authentication methods can be used in combination.
Authorization
Access rules are defined to allow users access to resources. All resources are associated with at least one access rule,
consisting of requirements such as authentication methods, date or time restrictions, or user-group memberships.
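The access model described in the two passages above (roles link user groups with resources, each resource carries at least one access rule, and a rule is a set of requirements such as completed authentication methods, date or time restrictions, or group memberships) can be made concrete with a small rule evaluator. The following Python is an added example written for this page, not PortWise code: it assumes that every requirement inside one rule must hold, that a resource is granted when any one of its rules is fully satisfied, and that a resource without rules is denied. All resource, group, and user names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time

# Added example (not product code). Rule semantics are an assumption:
# all requirements within a rule must hold, any satisfied rule grants,
# and deny is the default.

@dataclass(frozen=True)
class Session:
    """What the gateway knows about a user at request time."""
    user: str
    groups: frozenset            # user-group memberships
    completed_auth: frozenset    # authentication methods completed this session
    now: datetime                # request time, used for date/time restrictions

@dataclass(frozen=True)
class AccessRule:
    """One rule; an empty requirement means 'no constraint'."""
    name: str
    auth_methods: frozenset = frozenset()      # all listed methods must be completed
    groups: frozenset = frozenset()            # member of at least one listed group
    start: time | None = None                  # permitted window, inclusive start
    end: time | None = None                    # permitted window, exclusive end
    weekdays: frozenset = frozenset(range(7))  # 0 = Monday ... 6 = Sunday

    def unmet(self, s: Session) -> list[str]:
        """Return the requirements this session fails; empty list = satisfied."""
        reasons = []
        missing = self.auth_methods - s.completed_auth
        if missing:
            reasons.append(f"auth methods not completed: {sorted(missing)}")
        if self.groups and not (self.groups & s.groups):
            reasons.append(f"not a member of any of {sorted(self.groups)}")
        if s.now.weekday() not in self.weekdays:
            reasons.append("outside permitted weekdays")
        if self.start is not None and self.end is not None:
            if not (self.start <= s.now.time() < self.end):
                reasons.append(f"outside window {self.start}-{self.end}")
        return reasons

@dataclass
class Resource:
    name: str
    rules: list = field(default_factory=list)

def evaluate(resource: Resource, s: Session) -> tuple[bool, str]:
    """Deny by default; grant if at least one rule is fully satisfied.
    The explanation string is returned so the decision can be audited."""
    if not resource.rules:
        return False, f"{resource.name}: no access rule defined"
    failures = []
    for rule in resource.rules:
        reasons = rule.unmet(s)
        if not reasons:
            return True, f"{resource.name}: granted by rule '{rule.name}'"
        failures.append(f"{rule.name}: " + "; ".join(reasons))
    return False, f"{resource.name}: denied (" + " | ".join(failures) + ")"

# Constructed resource: a file share reachable with a password during office
# hours, and at any time only when a second method has also been completed.
FILESHARE = Resource("fileshare", [
    AccessRule("office-hours", auth_methods=frozenset({"PortWise Password"}),
               groups=frozenset({"employees"}), start=time(8), end=time(18),
               weekdays=frozenset(range(5))),
    AccessRule("anytime-2fa",
               auth_methods=frozenset({"PortWise Password", "PortWise Mobile Text"}),
               groups=frozenset({"employees"})),
])

def demo() -> list[tuple[bool, str]]:
    """Evaluate four constructed sessions against FILESHARE."""
    mon_noon = datetime(2009, 6, 1, 12, 0)   # a Monday
    sat_night = datetime(2009, 6, 6, 22, 0)  # a Saturday
    pw = frozenset({"PortWise Password"})
    pw_sms = frozenset({"PortWise Password", "PortWise Mobile Text"})
    sessions = [
        Session("alice", frozenset({"employees"}), pw, mon_noon),
        Session("alice", frozenset({"employees"}), pw, sat_night),
        Session("alice", frozenset({"employees"}), pw_sms, sat_night),
        Session("bob", frozenset({"contractors"}), pw, mon_noon),
    ]
    return [evaluate(FILESHARE, s) for s in sessions]

if __name__ == "__main__":
    for allowed, why in demo():
        print("ALLOW" if allowed else "DENY ", why)
```

Returning the failing requirements alongside the decision is the useful part: a gateway that only answers yes/no leaves the administrator guessing why a user was turned away, whereas the reasons list feeds straight into the audit trail described later in this chapter.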
PortWise 4.7 also provides access control in conjunction with firewalls and access control in the internal systems. The
firewall access control is performed when users interact with the system. The access control is performed on the same
level of security as the firewall, which is on both IP and port level.
Behind the scenes, a complex chain of events verifies the identity of the user, secures the protection of the resource, and
logs all activities surrounding its access. Resources are typically applications, either Web-enabled applications or files
accessible from the Web, or client-server applications accessed through tunnels.
Access
Any kind of resource, usually an application, can be accessed through the Application Portal and the Access Client.
Resources include Web, Client Server, Terminal Server, and File Server applications. By using the Application Portal the
complexity of how access is granted is hidden from the user.
The Access Client creates a secure encrypted network tunnel between the user device and the application.
You may define possible limitations for user access. PortWise 4.7 is designed for 24/7 access.
Auditing
Auditing in PortWise 4.7 provides:
• Central capture of all access to corporate applications
• Real-time and historical reports covering all of the six A’s, plus system and performance reports
• Permanent record of application access
The advanced auditing features in PortWise 4.7 provide organizations with the tools to meet strict industry, government,
and corporate compliance regulations.
Abolishment
With PortWise 4.7 all traces of access to the corporate network on completion of the session can be removed.
Browsers are renowned for creating a “snail trail” of information during an access session, including:
• Cookies
• URL history
• Cached Pages
• Registry Entries
• Downloadable Components
Please refer to the PortWise 4.7 Online Help and the Manage Abolishment section in the Manage
System chapter, for detailed information.
Administration Service
From a systems administrator’s point of view, the Web user interface, PortWise Administrator, may appear to be PortWise 4.7
itself, but as the illustration above shows, that is not the case. PortWise 4.7 is a complete network of services, with the
Administration Service as the natural connecting point, or hub, and the PortWise Administrator as its interface.
You publish all updates in the PortWise Administrator to the different services, and monitor and manage all user activity
in real-time.
Please refer to the PortWise 4.7 Online Help for detailed information on how to configure and manage the different
services, directory services, and resources.
Information
You can only configure one Administration Service server per PortWise network. Regu-
lar backups of the configuration file are therefore strongly recommended.
Access Point
As the gatekeeper for all resource and access requests, the Access Point is on constant alert, listening for incoming
communication.
All requests are logged, filtered, encrypted, and forwarded to the Policy Service or a resource host depending on the
type of request.
Information
It is recommended that you size the Access Point server generously, as it is subject to the heaviest
load in the PortWise network.
Load Balancing
Load balancing is the distribution of client sessions between two or more Access Points to handle situations with large
numbers of requests.
PortWise Access Points can be load balanced with a third-party solution to gain redundancy and handle heavy activity.
Load-balanced Access Points share sessions among each other, so that a request is processed correctly no matter which
Access Point the load balancer sends it to.
Trusted Gateways
A client connecting to the Access Point may not have a secure connection, but incoming traffic from a trusted gateway
(a specified IP address and port) is assumed to have a specified level of security. Because this trust rests only on the
source address and port, define trusted gateways only for sources that untrusted clients cannot reach or spoof, for
example a gateway on a separate, filtered network segment.
Cipher Suites
When an SSL connection is initialized, the client and server negotiate a common cipher suite to be used for key exchange
and encryption. Different cipher suites offer different encryption algorithms and levels of security; disable the weak
ones so that a client cannot negotiate down to them.
Policy Service
An important part of PortWise 4.7 is the authentication, authorization, and auditing server — the Policy Service. It
provides for policy management, authentication, authorization, and log services regardless of service or communication
channel.
All authentication methods are configured in the Policy Service, so when a request comes in, the Policy Service evaluates
the appropriate access rules and forwards the request to its destination.
Resources
In PortWise 4.7, applications, folders and files, and URLs are registered as Web or tunnel resources. Web-enabled ap-
plications are registered as Web resources, and client-server applications that are not Web enabled are registered as
tunnel resources.
You then protect the resources with access rules, authorization settings, and encryption levels to create seamless, secure
access control. Users access the resources through the Web-based PortWise Application Portal, the Access Client, or
directly in a Web browser using shortcuts.
In order for users to be able to access a resource, you need to configure a resource host and specify if it will be available
in the Application Portal or not. A resource host can have one or several paths.
There are three different types of resource hosts:
• Web Resources
• Tunnel Resources
Tunnel Resources are collected into Tunnel Sets where each tunnel in the set points to a tunnel resource.
• Customized Resources
Standard Resources
We have collected several of the most frequently used resources as Standard Resources. The purpose of this is to mini-
mize your configuration time.
The standard resources are:
• Outlook Web Access 2003
• Outlook Web Access 2000
• Domino Web Access 6.5
• Citrix MetaFrame Presentation Server
• Terminal Server 2003
• Terminal Server 2000
• MS Outlook Client 2000/2003
• File Sharing
• Access to Home Directory
You can edit the standard resource settings just as easily as any other type of resource. Please refer to the PortWise 4.7
Online Help and the Manage Standard Resources section in the Manage Resource Access chapter.
Access Rules
PortWise 4.7 authorization makes the access decisions using access rules.
These rules rely on:
• who wants access
• what resource or service is requested
• what communication channel (or device) is used
• which authentication methods are most suitable
Access rules protect resources by allowing or denying access, and specify the requirements for a particular user, re-
source group, or communication channel. Additionally, business related conditions can be customized for services. For
example, only customers who are allowed credit are able to use the ordering function.
Access Control Lists (ACLs) stored in existing systems such as mainframes and databases can be reused by PortWise 4.7.
An ACL is a list of security protections that apply to an entire object, a set of the object’s properties, or an individual
property of an object. In Microsoft Active Directory, for example, there are two types of ACLs: discretionary (DACL) and
system (SACL).
Please refer to the PortWise 4.7 Online Help and the Manage Access Rules section in the Manage Resource Ac-
cess chapter, for detailed information on how to add and use Access Rules.
Single Sign-On
Single Sign-On (SSO) permits users to enter their credentials once, which then gives them access to several resources
without the need to re-authenticate when accessing each resource.
All resources using the same user credentials can be defined in a SSO domain. When user credentials are modified, the
changes apply to all resources in the SSO domain.
When using the system for the first time, users are prompted for SSO credentials (user ID and password). The SSO cre-
dentials are stored per user account and retrieved whenever the user accesses resources registered in a SSO domain. If
credentials are changed, the user will be prompted for authentication.
SSO domains are divided into two domain types:
• Text
• Cookie
Depending on which type you choose, different domain attributes can be associated with the SSO domain. Both types
can be protected by access rules.
To use form based logon for an SSO domain, you need to design a Web form for access to each resource in the SSO
domain.
Cookie-based Authentication
Cookie-based authentication sends the authentication information as an HTTP cookie header. A common use of cookie SSO
is when back-end applications only need to read the authentication information on the very first request.
Text-based Authentication
Text-based authentication is used to send authentication information as text, with different attributes defining the
information needed.
When all domain attributes for the domain type text (user name, password, and domain) are added, the Microsoft
authentication method NTLM is used. When only the attributes user name and password are added, the Basic authentication
method is used. Basic is the most widely supported authentication method for Web environments, but it transmits the
password base64-encoded rather than encrypted, so the connection to the back-end resource should itself be protected by
HTTPS.
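The following is an added example, not PortWise code, showing what a text-type SSO domain actually puts on the wire when it falls back to HTTP Basic: it builds the Authorization header a proxy would send for constructed sample credentials and decodes it again, which is the whole point of the caveat above (Basic is an encoding, not encryption).

```python
"""Basic authentication on the wire (RFC 7617).  Added example, not PortWise
code; the user name and password below are made-up sample values."""
import base64

CONSTRUCTED_BACKEND_CREDENTIALS = ("alice", "s3cret")   # made-up sample


def basic_authorization_header(user: str, password: str) -> str:
    """'Basic ' + base64(user ':' password), exactly as sent to the back end."""
    if ":" in user:
        raise ValueError("user-id may not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_header(header: str) -> tuple:
    """Recover user and password from a captured header.  Anyone who can read
    the HTTP stream between the Access Point and the back end can do this,
    which is why that hop should use HTTPS."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    hdr = basic_authorization_header(*CONSTRUCTED_BACKEND_CREDENTIALS)
    print(hdr)                          # the header as it crosses the network
    print(credentials_from_header(hdr))  # and the password, recovered from it
```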
Authentication Service
The Authentication Service provides mobile users with strong authentication methods that can be used regardless of
device and location.
The Authentication Service can act as a RADIUS proxy, that is, proxy the authentication request to another RADIUS
server.
PortWise Authentication
PortWise authentication refers to the Authentication Service using the PortWise authentication methods Mobile Text,
Web, Challenge, Password, Synchronized, and OATH.
All methods can be used on your laptop or desktop computer.
When using the Synchronized or Challenge methods, users install Mobile ID client applications on the device being used.
When using the Web authentication method, the client is either an ActiveX component or a Java applet.
All supported authentication methods are described in the chapter Manage System, in the Manage Authentica-
tion Methods section.
To choose the authentication method, you need to consider your users’ needs: mobility, device flexibility, and level of
security. Refer to each authentication method for more detailed information.
All PortWise authentication methods can be used in combination or singularly to access any type of resource.
Please refer to the PortWise 4.7 Online Help and the Manage Authentication Methods section in the Manage
System chapter for detailed information on how to configure and use the different authentication methods.
Please refer to the PortWise 4.7 Distribution Service Online Help for detailed information on how to setup the Distribu-
tion Service and for end-user assistance.
Planning
In this section, a few general security recommendations that should be considered are presented.
The sections covered include:
• Define deployment goals
• Security planning
• Securing your operating system
This section contains specific recommendations for environments using Windows 2000.
• User management strategy
• Resource access
Installation planning is especially important when you are preparing to set up multiple servers.
Initial Questions
• What are the day-to-day requirements PortWise 4.7 needs to address?
• What are the user management requirements PortWise 4.7 needs to meet?
• What shape is your existing network in? Do you need to upgrade power supplies, switches, and other network
components?
Make sure the required hardware is available in time for the deployment.
Security Audit/Planning
You need to make decisions about your security architecture. This involves creating accounts in the operating system (or
with other authentication providers), organizing your users into groups, and planning for access control.
These are the phases in the security planning process:
• Define your security goals
• Make some preliminary decisions about your security architecture
• Determine which users need which permissions to which resources, and develop a strategy for creating access
rules
If your organization does not currently have a public key infrastructure, begin the process of designing a new PKI by
identifying the certificate requirements for your organization.
If your organization already uses a PKI, you can manage all of your internal security requirements, as well as security
requirements for business exchanges with external customers or business partners.
Designing a PKI for your organization involves defining your certificate requirements, creating a design for your infra-
structure, creating a certificate management plan, and deploying your PKI solution.
A PKI consists of the following basic components:
• Digital certificates
Electronic credentials that bind a public key to an identity. The corresponding private key is used to sign and
decrypt data, and the certified public key to verify signatures and encrypt. Digital certificates provide the
foundation of a PKI.
To secure Access Control Lists (ACLs), apply the principle of least privilege when deciding how to implement them. That is,
grant each user only the access their tasks absolutely require, and nothing more.
Data Remanence relates to images of data remaining on the platform after it should no longer be available. This includes
data left in the system page file and the recycle bin.
File Auditing
Auditing is not enabled by default, but set on a per-system basis. Each Windows 2000 system includes auditing with
logs collecting information on application, system, and security events. The main auditing categories are:
• User Account auditing
• File System auditing
• System Registry auditing
Two points to keep in mind:
• Auditing can consume large amounts of processor time and disk space. It is highly recommended to check,
save, and clear audit logs daily or weekly to reduce the chance of system degradation, or to save audit logs to a
separate machine.
• Auditing specific directories or files can prove useful in identifying a system compromise or unauthorized use
of resources.
In this section, a few general security recommendations regarding user management that should be considered are
presented.
The Securing Microsoft Active Directory section contains specific recommendations for environments using Mi-
crosoft Active Directory.
Password Management
There are no default passwords or pre-configured encryption keys in PortWise 4.7. All encryption keys and passwords
are set or generated by the systems administrator at installation.
PortWise 4.7 does not store passwords or encryption keys in unprotected configuration files, LDAP directories, or other
system storages.
It is not recommended that encryption keys are set by manual configuration. Encryption keys not derived from a password
are automatically generated by the system. A minimum key length of 128 random bits is used for stream and block ciphers.
For RSA, a minimum of 1024 bits is used; note that 1024-bit RSA keys are no longer considered adequate, so generate
2048-bit or longer keys for any new certificates.
Block ciphers are used in cipher-block-chaining (CBC) mode rather than electronic-codebook mode, so identical plaintext
blocks do not produce identical ciphertext blocks. CBC by itself does not detect tampering with or reordering of
ciphertext blocks; protecting against that requires a message authentication code or an authenticated encryption mode
in addition to the encryption.
Encryption keys that are not automatically generated are derived from a password using a “secure encryption key
generation function”. A sound function of this kind (a password-based key derivation function) uses a salt and many
hash iterations, so that the password cannot be cheaply brute-forced from the key.
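As an added illustration of the password-derived keys described above (example code, not PortWise’s own routine; the manual does not name the function it uses), this derives a 128-bit key with PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count and salt length are assumptions chosen for this example.

```python
"""Deriving a 128-bit symmetric key from a password with PBKDF2-HMAC-SHA256.
Added example using only the standard library; not PortWise code."""
import hashlib
import hmac
import os

KEY_BYTES = 16            # 128 random bits, the manual's minimum for symmetric keys
ITERATIONS = 600_000      # assumed work factor; raise as hardware allows
SALT_BYTES = 16           # assumed salt length


def new_salt() -> bytes:
    """Fresh random salt; store it next to the ciphertext, it is not secret."""
    return os.urandom(SALT_BYTES)


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a fixed-length key.  The salt makes equal
    passwords produce different keys; the iteration count makes each guess
    expensive for an attacker who has obtained ciphertext and salt."""
    if len(salt) < SALT_BYTES:
        raise ValueError("salt too short")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, so a key check does not leak timing."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    salt = new_salt()
    k1 = derive_key("correct horse battery staple", salt)
    k2 = derive_key("correct horse battery staple", salt)
    k3 = derive_key("correct horse battery staple", new_salt())
    print(len(k1) * 8, "bits; same salt ->", keys_match(k1, k2),
          "; different salt ->", keys_match(k1, k3))
```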
Resource Access
An authorization strategy enables you to effectively manage users’ access to different resources.
Access Strategies
The first part of this process is identifying your users by workgroup, job function, or a combination of workgroup and job
function. You can then identify the different types of resources that users access, such as departmental or job-specific
data.
You should consider policies that determine who is allowed to create user groups, how they are named, and how they
are administered.
In PortWise 4.7, the basic strategy for controlling access to resources is to create access rules. Based on the decisions you
make regarding how to identify different users and resources, access rules are created to support these decisions.
Information
Reminder: Access Rules protect resources by combining requirements such as user group
memberships or date and time ranges, and authentication methods such as PortWise
Web or Challenge.
Using Groups
An example: all users in the HR department might need access to privileged personnel records. To protect these, group
every member of the HR department into a user group that is authorized to access those files and create access rules of
the type User Group.
The rule of thumb is to assign permissions to groups, rather than to individual accounts.
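The two passages on access rules (the Access Rules overview earlier and the Access Strategies and Using Groups sections just above) describe requirements that combine into an allow-or-deny decision. The following is an added illustrative evaluator, not PortWise’s rule engine: it models a resource protected by several rules, each combining a user-group requirement, a permitted set of authentication methods and a date/time window, with deny as the default when no rule is fully satisfied. The HR policy and the sessions are constructed sample data.

```python
"""Illustrative access-rule evaluator.  Added example; it is not PortWise code
and does not model the product's real rule engine.  Deny is the default: a
resource is reachable only if at least one of its rules is fully satisfied."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Session:
    """What is known about the requester at decision time (assumed fields)."""
    user: str
    groups: frozenset
    auth_methods: frozenset      # methods completed in this session
    now: datetime


@dataclass(frozen=True)
class AccessRule:
    """One rule: every listed requirement must hold for the rule to match."""
    name: str
    required_groups: frozenset = frozenset()     # member of ANY of these
    allowed_auth: frozenset = frozenset()        # completed ANY of these
    weekdays: frozenset = frozenset(range(7))    # 0 = Monday .. 6 = Sunday
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def matches(self, s: Session) -> bool:
        if self.required_groups and not (self.required_groups & s.groups):
            return False
        if self.allowed_auth and not (self.allowed_auth & s.auth_methods):
            return False
        if s.now.weekday() not in self.weekdays:
            return False
        return self.start <= s.now.time() <= self.end


def decide(rules, session):
    """Return (allowed, name of the first matching rule); no match -> deny."""
    for rule in rules:
        if rule.matches(session):
            return True, rule.name
    return False, None


# Constructed sample policy for an HR personnel-records resource:
HR_RECORDS_RULES = (
    AccessRule("hr-office-hours",
               required_groups=frozenset({"HR"}),
               allowed_auth=frozenset({"PortWise Web", "PortWise Challenge"}),
               weekdays=frozenset(range(5)),          # Monday..Friday
               start=time(7, 0), end=time(19, 0)),
    AccessRule("hr-anytime-strong",                   # outside hours: stronger method only
               required_groups=frozenset({"HR"}),
               allowed_auth=frozenset({"PortWise Challenge"})),
)


def demo() -> dict:
    """Evaluate four constructed sessions against the HR policy."""
    monday_noon = datetime(2009, 6, 1, 12, 0)   # 2009-06-01 was a Monday
    sunday_noon = datetime(2009, 6, 7, 12, 0)
    sessions = {
        "hr_web_monday": Session("alice", frozenset({"HR"}), frozenset({"PortWise Web"}), monday_noon),
        "hr_web_sunday": Session("alice", frozenset({"HR"}), frozenset({"PortWise Web"}), sunday_noon),
        "hr_challenge_sunday": Session("bob", frozenset({"HR"}), frozenset({"PortWise Challenge"}), sunday_noon),
        "sales_challenge_monday": Session("carol", frozenset({"Sales"}), frozenset({"PortWise Challenge"}), monday_noon),
    }
    return {name: decide(HR_RECORDS_RULES, s) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

Rule order matters only for which rule is reported; the decision itself is the same whichever satisfied rule is listed first. Assigning the requirement to the HR group rather than to individual accounts is the point made under Using Groups: adding a new HR employee to the group is the whole change.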
Naming Conventions
Without a naming convention, the potential for simple mistakes when adding or removing user accounts and selecting
the correct group increases.
The consequences of granting access to the wrong group can be serious, causing members to have access to restricted
resources or to be denied access to resources that are necessary for job tasks.
When establishing a security group naming convention for your organization, ensure that names:
It is recommended that the Access Point reside on the DMZ. It interacts with the Policy Service to validate queries and
authorize access. The Access Point does not communicate directly with the Authentication Service.
The Policy Service and the Authentication Service are placed on the internal LAN. A directory service (the user storage)
is used for authorization and authentication purposes.
The table below describes default listening ports used for traffic to and from the services in the PortWise network.
Information
Note that all registered services must be able to communicate with the Administration
Service.
3 PortWise Installation
This chapter provides detailed information regarding the installation of PortWise 4.7. It covers the entire installation
process, from preparation to installation, on Windows, and Linux.
For optimal results, installation and use of PortWise 4.7 is preceded by thorough directory service and network security
planning as well as various technical preparations.
The following areas are described in detail below:
• Overview
• Preparation
• Installing on Windows
• Installing on Linux
• Installing PortWise Mobile ID on Mac OS X
• Upgrading PortWise Services and Clients
• Reverting an Upgrade
• Starting and Stopping PortWise Services
• Uninstalling PortWise 4.7
Overview
A default installation of PortWise 4.7 includes the following services:
• Administration Service
• Access Point
• Policy Service
The following services and clients are optional and available for installation when included in the license:
• Authentication Service
• Distribution Service
• Mobile ID
• Access Client
Information regarding installation of all available services and clients are included in this chapter.
PortWise User
In PortWise 4.7, we introduce the PortWise user (pwuser). PortWise services are executed as this user, who has limited
privileges.
Information
The pwuser is created according to the server’s user account policy. One possible side
effect is that if, for example, the “Maximum password age” option is set to a limited
value, the pwuser password will expire, after which the services can no longer log on
as that user until the password is reset.
Upgrade Overview
When upgrading from a previous release, the installers automatically detect that an upgrade rather than installation is
required and subsequently performed.
These are the steps performed by the installers during upgrade:
• Backup of configuration files
• Previous version is uninstalled
• New version is installed
• Restore of configuration files
• Upgrade script is run (Administration Service only)
Preparation
The preparations we recommend that you make before installing PortWise 4.7 are described below. Follow these recom-
mendations to avoid any unnecessary problems during or subsequent to installation.
License
Ensure that you have a valid PortWise 4.7 license at hand. The license is uploaded in the PortWise Administrator in the
first step of the Setup System wizard.
IP Addresses
Ensure that you have the IP addresses of the machines on which you install the different services at hand.
Ports
Ensure that ports used in the PortWise 4.7 network are available (refer to the Default Ports section for details).
Time Synchronization
It is recommended that you perform time synchronization between the different services, to avoid any future problems
in PortWise 4.7 caused by differing timestamps.
Antivirus Programs
Some antivirus programs may display warnings during installation of the PortWise 4.7 services. For example, this can
occur because parameters are replaced in a file installed by the installation program, and the antivirus program may
interpret this activity as a malicious script. If this occurs, allow the script or temporarily disable the antivirus
program, and re-enable it as soon as the installation is complete.
Installing on Windows
Installation of PortWise 4.7 on Microsoft Windows 2003 Server includes the following procedures:
• Installing Administration Service
• Running Setup System wizard
• Installing Access Point
• Installing Policy Service
• Installing Authentication Service (Optional)
• Installing Distribution Service (Optional)
• Starting the services
All installation log files are placed in the %APPDATA% folder. %APPDATA% is usually located in the Application Data
folder in your home directory.
Important
If all services are installed on the same machine, 127.0.0.1 can be used for internal com-
munication. However, if the services are distributed on multiple machines, 127.0.0.1
cannot be used for any of the services.
Setup System
A wizard in the Web based administration interface allows you to perform a basic configuration of the system. The Setup
System wizard must be completed before remaining PortWise services can be used.
Information
The PortWise Administration Service must be started to run the Setup System wizard.
If you install all services on a single machine, you must not use port 8080 or 8443 for the Access Point since they are
used by default for the PortWise Administrator.
The host to be used for the external traffic to the Access Point must be specified as a DNS name in the license. By default,
the DNS name 127.0.0.1 is included in the license.
When defining the directory service, select a clean location (a location without LDAP objects) in the directory service
to store user accounts.
Information
You need to enter the server ID (default for the Access Point is 2) during the installation
process.
The Access Point is executed as “Local System” by default, to make full network access available “out of the box”. Note
that this gives the Access Point process full privileges on the host, unlike the other services, which run as the limited
pwuser.
During installation of the Access Point, the PortWise Access Point Virtual Client Driver required for full network access
is also installed. This prompts a number of security warnings because the driver is not signed; verify that the installer
came from PortWise before choosing to continue with the installation.
If you have decided not to run full network access, and therefore have no need for the PortWise Access Point Virtual
Client Driver, or if you experience serious problems during installation you have the option to install the Access Point
without the PortWise Access Point Virtual Driver.
Use the following command on the command line to install the Access Point without the PortWise Access Point Virtual
Client Driver:
"Install Access Point.exe" /v"INSTALLDRIVERS=NO"
Information
You need to enter the server ID (default for the Policy Service is 3) during the installa-
tion process.
Information
You need to enter the server ID (default for the Authentication Service is 4) during the
installation process.
Information
A self-signed test certificate used for HTTPS is supplied with the Distribution Service.
The certificate is located at conf/servercert.p12. For instructions regarding replacing
the test certificate, please refer to Technical Note Replacing Distribution Service Test
Certificate.
Installing on Linux
Installation of PortWise 4.7 on Red Hat Enterprise Linux 5 or SUSE Linux Enterprise Server 10 includes the following
steps:
• Installing Administration Service
• Running Setup System wizard
• Installing Access Point
• Installing Policy Service
• Installing Authentication Service (Optional)
• Installing Distribution Service (Optional)
• Starting the services
Important
If all services are installed on the same machine, 127.0.0.1 can be used for internal com-
munication. However, if the services are distributed on multiple machines, 127.0.0.1
cannot be used for any of the services.
Setup System
A wizard in the Web based administration interface will allow you to perform a basic configuration of the system. The
Setup System wizard must be completed before remaining PortWise services can be used.
Information
The PortWise Administration Service must be started to run the Setup System wizard.
If you install all services on a single machine, you must not use port 8080 or 8443 for the Access Point since they are
used by default for the PortWise Administrator.
The host to be used for the external traffic to the Access Point must be specified as a DNS name in the license. By de-
fault, the DNS name 127.0.0.1 is included in the license.
When defining the directory service, select a clean location (a location without LDAP objects) in the directory service
to store user accounts.
To check that the Authentication Service is installed, use rpm -qi authentication-service.
Information
A self-signed test certificate used for HTTPS is supplied with the Distribution Service.
The certificate is located at conf/servercert.p12. For instructions regarding replacing
the test certificate, please refer to Technical Note Replacing Distribution Service Test
Certificate.
Upgrading on Windows
Important
Stop all PortWise services in Control Panel>Administrative Tools>Services before
upgrading.
Always back up your entire PortWise installation directory before upgrading, so that
you can revert to the previously installed release if necessary.
And always make a backup of all PortWise accounts in the Directory Service.
PortWise Mobile ID
Close PortWise Mobile ID before upgrading.
1. Start the upgrade by double-clicking the PortWise Mobile ID installer (PortWise Mobile ID.msi).
2. Follow the instructions in the installer to perform the upgrade.
Upgrading on Mac OS X
PortWise Mobile ID
Close PortWise Mobile ID before upgrading.
1. Start the upgrade by double-clicking the PortWise Mobile ID installer (PortWise Mobile ID.pkg).
Upgrading on Linux
Important
Stop all PortWise services before upgrading:
/etc/init.d/administration-service stop
/etc/init.d/access-point stop
/etc/init.d/policy-service stop
/etc/init.d/authentication-service stop
/etc/init.d/distribution-service stop
Always back up your entire PortWise installation directory before upgrading, so you can
revert to the previously installed release if necessary.
Example:
cp -r /opt/portwise /opt/portwise.old
IMPORTANT
Always make a backup of all PortWise accounts in the Directory Service
Reverting an Upgrade
Follow these instructions to revert the PortWise upgrade.
PortWise Services
Follow these instructions to revert the PortWise services’ upgrade:
1. Stop the PortWise services
2. Uninstall PortWise 4.x
3. Install the previous PortWise version without starting the services
4. Replace the installation folders with your backup folders
5. Restore your PortWise accounts in Directory Service from its backup
6. Start the PortWise services
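The Upgrading on Linux and Reverting an Upgrade procedures both depend on a backup of the installation directory taken before the upgrade. The following added example (not part of the PortWise installer) makes that backup with an integrity manifest, so that after step 4 of the revert you can confirm the restored tree matches the backup byte for byte before starting the services. It assumes the directory layout is arbitrary; the manual’s real path is /opt/portwise, but the demo works on a constructed temporary tree.

```python
"""Pre-upgrade backup with a SHA-256 manifest, and a restore check.  Added
example, not PortWise code.  backup_install() copies an installation tree to
a timestamped sibling (e.g. /opt/portwise -> /opt/portwise.20090601T120000Z)
and writes a manifest into the copy; verify_restore() compares a restored
tree against that manifest."""
import hashlib
import json
import os
import shutil
import tempfile
import time

MANIFEST_NAME = "backup-manifest.json"    # assumed file name


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def backup_install(src: str) -> str:
    """Copy src to <src>.<UTC timestamp>, write the manifest, return the path."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest = f"{os.path.abspath(src)}.{stamp}"
    shutil.copytree(src, dest, symlinks=True)    # fails if dest already exists
    with open(os.path.join(dest, MANIFEST_NAME), "w") as f:
        json.dump(build_manifest(dest), f, indent=1, sort_keys=True)
    return dest


def verify_restore(backup: str, restored: str) -> list:
    """List missing, modified or unexpected files in restored compared with
    the backup's manifest.  An empty list means the restore is identical."""
    with open(os.path.join(backup, MANIFEST_NAME)) as f:
        expected = json.load(f)
    actual = build_manifest(restored)
    problems = [f"missing: {rel}" for rel in expected if rel not in actual]
    problems += [f"modified: {rel}" for rel, d in expected.items()
                 if rel in actual and actual[rel] != d]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in expected]
    return sorted(problems)


def demo() -> dict:
    """Run the cycle on a constructed sample tree (not the real /opt/portwise)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "portwise")
    conf = os.path.join(src, "access-point", "conf")
    os.makedirs(conf)
    cfg = os.path.join(conf, "server.xml")
    with open(cfg, "w") as f:
        f.write("<config/>\n")
    backup = backup_install(src)
    results = {"clean": verify_restore(backup, src)}
    with open(cfg, "w") as f:                  # simulate a bad restore
        f.write("<config changed='yes'/>\n")
    results["modified"] = verify_restore(backup, src)
    os.remove(cfg)
    results["missing"] = verify_restore(backup, src)
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label:9s} {problems or 'OK'}")
```

Run backup_install before stopping the services is not enough: stop them first, as the manual says, so that no configuration file changes while it is being copied.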
PortWise Clients
Follow these instructions to revert the PortWise clients’ upgrade:
PortWise Mobile ID
1. Uninstall PortWise Mobile ID 4.x
2. Install the previous PortWise Mobile ID
On Windows
On Windows, you use the Services window (Control Panel->Administrative Tools) to start and stop the PortWise
services. Select the applicable service in the list and click the Start or Stop link respectively to start and stop the
services.
On Linux
You start and stop the PortWise services at the command prompt.
Starting Services
To start the PortWise services, enter the following:
/etc/init.d/administration-service start
/etc/init.d/access-point start
/etc/init.d/policy-service start
/etc/init.d/authentication-service start
/etc/init.d/distribution-service start
Stopping Services
To stop the PortWise services, enter the following:
/etc/init.d/administration-service stop
/etc/init.d/access-point stop
/etc/init.d/policy-service stop
/etc/init.d/authentication-service stop
/etc/init.d/distribution-service stop
Starting Mobile ID
Start Mobile ID at the command prompt:
/opt/portwise/mobile-id/bin/mobile-id
On Windows
Follow the instructions below to uninstall PortWise 4.7 on Microsoft Windows.
1. Stop the PortWise services in the Services window (Control Panel->Administrative Tools)
2. Use Add or Remove Programs in the Control Panel to remove the services from Windows Services as well
as to remove installed files
Information
Some files, including log files, will remain after uninstalling PortWise 4.7.
On Linux
Follow the instructions below to uninstall PortWise 4.7 on Linux.
1. Stop the PortWise services
2. At the command prompt, use rpm -e to remove the services as well as installed files:
rpm -e administration-service
rpm -e access-point
rpm -e policy-service
rpm -e authentication-service
rpm -e distribution-service
Information
Some files, including log files, remain after uninstalling PortWise 4.7.
4 Setup System
Information
This chapter describes all available steps in the Setup System wizard, as provided when
using a full PortWise 4.7 license. Please refer to the Getting Started with Setup Sys-
tem in the PortWise 4.7 Online Help for detailed information including examples on
how to run the Setup System wizard.
If you leave the Setup System wizard before finishing it, the information you have entered is saved in the system. This
enables you to quit Setup System and resume setup at a later stage, if necessary, without the need to re-enter informa-
tion.
The following sections describe the configuration options set during the Setup System wizard in detail.
Information
The PortWise Administration Service must be running to access the PortWise Admin-
istration Service dashboard. If you did not select to start the PortWise Administration
Service during installation, start it from the Services window (Control Panel > Adminis-
trative Tools > Services) on Windows or by running the start script /opt/portwise/
administration-service/bin/administration-service.sh from the command prompt
on Linux.
PortWise Administrator
At this point, the PortWise Administrator only consists of the Setup System wizard. When you access it from the Ad-
ministration Service dashboard, the start page of the Setup System wizard is displayed. There you upload your license
file to start the wizard.
Settings
Label Mandatory Description
Upload License File No Name of your license file for upload
Uploaded No Name of previously uploaded license file
The directory service is configured in the following step in the Setup System wizard. If you select not to use a directory
service, super administrator credentials are configured in the following step.
Directory Service
Host (IP address or DNS name) and port of the directory service. The port is set to 389 by default. When SSL is
selected, use port 636, which is the default port for LDAPS.
Distinguished name (DN) of the location in the directory service where PortWise user accounts will be stored (see
Browsing for Location DN below).
Account (DN, ID or similar, depending on the type of directory service) and password with read and write permissions
in the OU where PortWise user accounts will be stored. Grant this account write access only to that OU, not to the
whole directory. A DN is a string of relative distinguished names, each an attribute type with a value, such as “ou”
for organizational unit or “dc” for domain component.
Example
ou=nnw,dc=thesecurecompany,dc=com
Location DN
The full DN of the location in the Directory Service where PortWise user accounts will be stored. This does not have to
be an existing OU. When a new OU is entered in the Location DN it is created automatically. An example of this could
be ou=test,ou=portwise,dc=thesecurecompany,dc=com.
SSL
Option to use SSL in communication with the directory service. Without it, the bind password and any user passwords sent
to the directory cross the network in clear text. SSL is also required to support a user changing an Active Directory
password when logging on to the Application Portal using the Active Directory authentication method.
Option to upload a CA certificate to validate the server certificate presented by the directory service. Upload the
certificate of the CA that issued the directory server’s certificate, so that the connection cannot be redirected to an
impostor server.
Super Administrator
User name and password (see Super Administrator Password Policy below) to create a super administrator ac-
count. The super administrator has full privileges in the PortWise Administrator. If Delegated Management is included
in the license, the super administrator can add additional administrators with privileges for resource and user account
management. Note that the super administrator credentials do not need to correspond to existing user credentials in
your directory service.
It is possible to change the password of the super administrator in PortWise Administrator (in the Monitor System
section using the Settings link at the bottom of the Monitor System page) after completing the Setup System
wizard.
Test Connection
Link to check whether a connection to the specified directory service can be established. Host, port, and credentials for
the account are checked.
Information
If you have not previously created a dedicated organizational unit for the purpose of
storing PortWise user data, it is possible to create a new OU by specifying the DN of a
non-existing OU. The OU will be created when you click Next in the wizard.
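Before clicking Test Connection it is worth checking the settings themselves. The following is an added example, not part of the Setup System wizard: it parses the Location DN into its relative distinguished names, derives the parent entry, and flags combinations that weaken the LDAP hop (SSL off, SSL on the plain LDAP port, SSL without a CA certificate). The DN grammar handled is the common attribute=value form with escaped commas; the host and DN values used are constructed samples.

```python
"""Sanity checks for the directory-service settings.  Added example, not
PortWise code.  Assumes the plain 'attr=value,attr=value' DN form."""
import re

LDAP_PORT, LDAPS_PORT = 389, 636
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def parse_dn(dn: str) -> list:
    """'ou=test,ou=portwise,dc=thesecurecompany,dc=com' ->
    [('ou','test'), ('ou','portwise'), ('dc','thesecurecompany'), ('dc','com')].
    A comma escaped as backslash-comma stays inside its value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN.match(part)
        if not m:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((m.group(1).lower(), m.group(2).replace("\\,", ",")))
    return rdns


def parent_dn(dn: str) -> str:
    """The entry under which the wizard would create a new OU."""
    rdns = parse_dn(dn)
    if len(rdns) < 2:
        raise ValueError("DN has no parent")
    return ",".join(f"{a}={v}" for a, v in rdns[1:])


def check_settings(host: str, port: int, use_ssl: bool, ca_cert: str,
                   location_dn: str) -> list:
    """Return the warnings a practitioner would want before binding."""
    warnings = []
    if not host:
        warnings.append("host is empty")
    rdns = parse_dn(location_dn)            # raises on a malformed DN
    if rdns[0][0] != "ou":
        warnings.append("Location DN should point at an organizational unit (ou=...)")
    if not use_ssl:
        warnings.append("SSL off: bind password and user passwords cross the network in clear text")
    if use_ssl and port == LDAP_PORT:
        warnings.append(f"SSL selected but port is {LDAP_PORT}; LDAPS normally uses {LDAPS_PORT}")
    if use_ssl and not ca_cert:
        warnings.append("SSL without a CA certificate: the directory server is not authenticated")
    return warnings


if __name__ == "__main__":
    dn = "ou=test,ou=portwise,dc=thesecurecompany,dc=com"
    print(parse_dn(dn))
    print("parent:", parent_dn(dn))
    for w in check_settings("ldap.thesecurecompany.com", 389, True, "", dn):
        print("warning:", w)
```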
Settings
Label Mandatory Description
Host Yes IP address or DNS name of the directory service.
Port Yes Listening port.
Account Yes DN, ID or similar (depending on type of directory service).
Password Yes Directory service password.
Location DN Yes The full distinguished name (DN) of the location in the Directory Service where
PortWise user accounts will be stored.
Use SSL No Not selected by default.
CA Certificate No Certificate Authority certificate.
User Name Yes Logon name for the PortWise super administrator.
Password No Logon password to the PortWise Administrator.
Verify Password No Verification of Password.
Settings
Label Mandatory Description
User Name Yes Logon name for the PortWise super administrator.
Password Yes User logon password.
Verify Password Yes Verification of Password.
Settings
Label Mandatory Description
Internal Host Yes IP address or DNS name of the Administration Service.
Information
If you install all services on a single machine, you must not use ports 8080 or 8443 for
the Access Point since they are used by default for the PortWise Administrator.
The host to be used for the external traffic to the Access Point must be specified as a DNS name in the license. By default
the DNS name 127.0.0.1 is included in the license.
Settings
Label Mandatory Description
Display Name Yes Unique name used in the system to identify the Access Point.
Host Yes IP address or DNS name of the Access Point.
Information
Extensible Programming Interface (XPI) is automatically initialized for the Policy Service
when configuring the Policy Service in the Setup System wizard.
Settings
Label Mandatory Description
Display Name Yes Unique name used in the system to identify the Policy Service.
Host Yes IP address or DNS name of the Policy Service.
Settings
Label Mandatory Description
Display Name Yes Unique name used in the system to identify the Authentication Service.
Host Yes IP address or DNS name of the Authentication Service.
PortWise Mobile Text Yes Selected by default.
PortWise Web No Selected by default.
PortWise Challenge No Selected by default.
PortWise Password No Selected by default.
PortWise Synchronized No Selected by default.
Selected authentication methods are configured in the following steps of the Setup System wizard.
For reference, additional authentication methods available in PortWise Administrator are:
• General RADIUS
• Extended User Bind
• Form-based Authentication
• E-ID
• E-ID Signer
• Custom-defined authentication method
Settings
Label Mandatory Description
Display Name Yes Unique name used in the system to identify the authentication method.
Host Yes IP address or DNS name of the Authentication Service.
Port Yes Port of the Authentication Service.
Default values are retrieved from the General Settings for Directory Service page in the Setup system wizard.
Label Mandatory Description
Root DN No DN for the root node in the Active Directory.
Information
This step in the wizard is not mandatory. You can configure the user storage after completing the Setup System
wizard. If you choose to configure the user storage in the wizard, all fields are mandatory.
After the Setup System wizard is completed, you can also apply additional filters to the search rules, for example to
specify that only users belonging to a certain group are accepted when creating user accounts, or that only users from
a specific domain are accepted.
Settings
Label Mandatory Description
Display Name Yes Unique name used in the system to identify the user storage location.
The directory service is configured in the following step in the Setup System wizard.
After having configured the additional directory service used for user storage, you return to the Configure User
Storage step to continue by specifying the display name for the user storage and defining the search rules.
Settings
Label Mandatory Description
Host Yes IP address or DNS name of the directory service.
Port Yes Listening port for the directory service. This is set to port 389 by default.
Account Yes
Password Yes Defines the Password for the directory server Administrator.
Use SSL No Not selected by default.
Upload CA Certificate No CA certificate used to validate the server certificate presented by the directory
server.
5 Administration
Introduction
This is a general introduction to PortWise Administrator.
The basic features in PortWise Administrator include:
• Web-based administration interface
• Task-oriented approach
• Wizards for common tasks
• Interface adapted to features included in the license
• Context-sensitive online user assistance
The Main menu is divided into four sections: Monitor System, Manage Accounts and Storages, Manage
Resource Access, and Manage System. Each section has a left-hand menu, allowing you to manage your configuration
in a flexible and structured environment. Use the Navigate in PortWise 4.7 section below to acquaint yourself with
PortWise Administrator.
The Administrator is task oriented. When you click an Add… link, a wizard guides you through the process of adding
user accounts, resources, and so on. You can always cancel a wizard by selecting a different menu item or by simply
closing your browser. No changes are saved until you click Finish Wizard.
You can always step backwards in a wizard, using the Previous link.
Top Menu
Use the Publish button to distribute changes in the configuration to the entire PortWise network. When updates in the
PortWise services are ready for publishing, the Publish button is highlighted. This includes added or edited resources,
access rules, services and so on.
Information
Note that there is no need to publish updated user settings.
Use the Restore button to revert to a previous configuration. The last ten configurations are displayed, sorted by date.
You can select any configuration but once restored, you cannot revert the process.
Use the Browse button to browse the centrally stored files. In the Browse dialog, the schema, templates, and applets
stored in the Administration Service are displayed.
A browser allows you to create directories, and create, move, and copy files in the PortWise directory structure.
Use the Help button to access help topics by using a table of contents, or to search the entire PortWise 4.7 Online Help.
Each page in the PortWise 4.7 Administrator has a corresponding help page.
The following tabs are available in the online Help:
• Use the Glossary tab to browse terms used in PortWise 4.7.
• Use the Search tab to find specific topics, the help pages for specific Administrator pages, or terms in their
context.
• Use the Index tab to search for key concepts in PortWise 4.7.
Getting Started
The Getting Started section of the PortWise 4.7 Online Help contains instructions for how to complete a basic setup
and an initial configuration of PortWise 4.7.
The section also contains instructions for getting started with different features in PortWise 4.7.
How To
The How To section of the PortWise 4.7 Online Help contains help pages containing detailed instructions for various
tasks performed in PortWise Administrator. The subjects cover common tasks as well as configuration that can be a bit
tricky to achieve. The instructions are sorted in alphabetical order.
Monitor System
Use the Settings link to enable/disable Event Monitoring and to edit the Super Administrator logon credentials. In
Status Overview, current user, resource, and system information is displayed. Event Overview lists events that have
occurred since the last logon.
System Status
System Status contains status information presented on four tabs: General Status, Access Points, Policy Ser-
vices, and Authentication Services.
User Sessions
Search for sessions using all or specific authentication methods to view or delete current user sessions.
Log Viewer
Search for specific log events or download a diagnostics .zip file containing all logs and configuration files for all
servers.
Logging
Manage settings for logging of all or specific servers in the PortWise network. You can set log collection interval, debug
mode, and which time zone to use for timestamps.
License
View contents of the current license.
Alerts
Create alerts used to notify administrators of different types of events.
Reports
Generate reports containing statistics and run-time information on access, authentication, authorization, accounts,
and system.
User Accounts
Add user accounts using the Add User Account wizard. To edit settings for a specific user account, you can search
for registered user accounts and users.
User Linking
Create user accounts by linking from user storage.
User Import
Create user accounts by importing a file with existing user information.
User Groups
Add user groups using the Add User Group wizard. To edit settings for a specific user group, you can search for
registered user groups.
User Storage
Add user storage locations using the Add User Storage Location wizard. To edit settings for a specific user storage,
you can search for registered user storage locations.
Standard Resources
Use the Standard Resource wizard to add standard resources.
Web Resources
Add Web resources using the Add Web Resource wizard. To manage settings for a specific Web resource host or path,
use the + sign to display detailed resource information.
Tunnel Resources
Add tunnel resources using the Add Tunnel Resource wizard. To manage settings for a specific tunnel resource host
or path, use the + sign to display detailed resource information.
Tunnel Sets
Add tunnel sets using the Add Tunnel Set wizard. To edit settings for a tunnel set, select tunnel set in the list.
Client Firewalls
Add client firewalls consisting of Internet firewall configurations. An Internet firewall configuration is a collection of rules
that control traffic to and from the Access Client. Each configuration is connected to a corresponding tunnel set.
Customized Resources
Add customized resources using the Add Customized Resource Host wizard. To manage settings for a specific
customized resource host, use the + sign to display detailed resource information.
Access Rules
Add access rules available for several resources and/or SSO domains using the Add Access Rule wizard. To edit
settings for an access rule, select access rule in the list.
Application Portal
Add Application Portal items using the Add Application Portal Item wizard. To edit settings for a specific item,
select item in the list.
SSO Domains
Add SSO domains using the Add SSO Domain wizard. To edit settings for a specific SSO domain, select SSO domain
in the list.
Identity Federation
Add SAML 2.0 identity and service providers.
Manage System
The main Manage System page does not contain any functionality. It describes what you can do in the Manage
System section of the system: add, edit and delete services, certificates, authentication methods, RADIUS back-end
servers and clients, as well as configure directory service settings. It is also possible to enter global settings which
apply to all Access Points, Policy Services, and Authentication Services, and general settings for notifications and SMS
distribution.
Authentication Methods
Add authentication methods using the Add Authentication Method wizard. To edit settings for extended properties
and/or RADIUS replies for a specific authentication method, select authentication method in the list.
Add Certificate Authorities and Server Certificates using the applicable wizard.
To edit settings for a specific CA and/or server certificate, select item in the appropriate list.
Abolishment
Define actions performed on a client computer when using an abolishment access rule. Actions include the monitoring
of downloaded files and deleting of internet browser history and browser cache.
Assessment
Define user client computer assessment activities. Activities include: client scan, setup of reference machines, and use
of plug-ins in assessment access rules.
RADIUS Configuration
Add RADIUS clients using the Add RADIUS Client wizard. To edit settings for a specific RADIUS client, select client in
the list. Click the Manage RADIUS Back-end Servers link to add and edit RADIUS back-end servers. These RADIUS
clients and back-end servers are used by the Authentication Service.
Notification Settings
Manage settings for notification message channels: SMS, e-mail, and/or E-mail/Screen. The notification channel settings
are also used for alerts.
Device Definitions
Manage definitions of how HTTP headers in requests are interpreted to identify devices by the Access Point. Add
definitions using the Add Device Definition wizard. To edit the definition of a specific device, select device in the list.
Delegated Management
Manage administrative roles with different privileges and responsibilities.
Access Points
Add Access Points using the Add Access Point wizard. To edit settings for a specific Access Point, select Access Point
in the list.
Click the Manage Global Access Point Settings link to display Client Access, Performance, Trusted Gate-
ways, Cipher Suites, and Advanced settings. Furthermore, use the Configure Load Balancing link to enter set-
tings for load balancing and to manage mirrored Access Points.
Policy Services
Add Policy Services using the Add Policy Service wizard. To edit settings for a specific Policy Service, select Policy
Service in the list. Click the Manage Global Policy Service Settings link to edit default global communication
settings.
Authentication Services
Add Authentication Services using the Add Authentication Service wizard. To edit settings for a specific
Authentication Service, select Authentication Service in the list. Click the Manage Global Authentication Service Settings
link to display global default RADIUS authentication and password and/or PIN settings.
Administration Service
Manage internal (in the PortWise network) and external (with the client) communication settings.
Directory Service
Manage general settings for the directory service. You can change type of directory service here, and also enable SSL
communication.
6 Monitor System
Status Overview
In the Status Overview section, you view the number of concurrent users and the number of registered user accounts.
Also listed are the number of registered resource hosts and Single Sign-On (SSO) domains.
System information includes PortWise 4.7 release and build number and the license type registered, which in turn
defines what services and features are included in your installation.
Administrators lists the Display Name of the user currently logged on to PortWise Administrator. Also listed is the
number of administrators logged on to the PortWise Administrator.
Event Overview
Event Overview provides you with a snapshot of the PortWise network status. It is updated in real time every 15
seconds.
Listed events include:
• Failed connection to the directory service or any of the configured user storage locations
• Restored connection to the directory service or any of the configured user storage locations
• Failed connection to any of the services included in the PortWise network
• Restored connection to any of the services included in the PortWise network
• Activated or deactivated debug logging
Enable Event Monitoring for polling of your directory service and user storage on the Monitor System page.
Status Overview
Users
The following user information is displayed:
• Concurrent Users
Number of concurrent users is displayed.
• Registered User Accounts
Number of registered user accounts is displayed.
• Logged-on Users
Number of logged-on unique users is displayed.
• Active Users
Number of users that have made a request within the last 15 minutes is displayed. This time-out value is
configured in Manage Global Account Settings.
Resources
The following resource information is displayed:
• Registered Resources
Number of registered resources is displayed.
Only resource hosts are counted, not paths.
• Registered SSO Domains
Number of registered SSO domains is displayed.
System information
The following system information is displayed:
• Software Version
PortWise 4.7 release number is displayed.
• License Version
License version is displayed.
• License Type
License type is displayed. Available options are evaluation and production license.
Administrators
The following administrator information is displayed:
• Display name of the currently logged in administrator
• Number of logged on administrators
Follow the View Administrator Activities link to view a list of time and date for the last logon per administrator, as
well as time and date for the last action taken. Note that action is any action performed in the PortWise Administrator
by the administrator: clicked links as well as saved updates or completed wizards.
Event Overview
Each PortWise network event is listed with the date and time according to the browser locale setting.
Events that have occurred since the last time you were logged on are listed. If new events occur while you are logged
on, they are added to the list in real time.
The Event Overview list is updated every 15 seconds.
The following events can be listed:
• Lost connection to the directory service or any of the configured user storage locations
• Restored connection to the directory service or any of the configured user storage locations
• Lost connection to any of the PortWise network services
• Restored connection to any of the PortWise network services
• Activated debug logging
• Deactivated debug logging
Manage Settings
Enables event monitoring of the directory service and user storage to check the connection to the directory service
every 15 seconds. Since each check results in an event in the directory service log, unselecting this option may enhance
performance.
Information
If you disable event monitoring, the Alert and Reporting events concerning Directory
Service and User Storages will not function properly.
You can enable the PortWise password policy to ensure that the passwords used to log on to PortWise Administrator
meet certain requirements.
The following requirements must be met if the PortWise password policy is enabled:
• The password is at least six characters long
• The password contains characters from at least three of the following four categories
–– English uppercase characters (from A through Z)
–– English lowercase characters (from a through z)
–– Base 10 digits (from 0 through 9)
–– Non-alphanumeric characters (for example: !, $, #, or %)
The current password for logon to the PortWise Administrator is not shown in clear text. This password was set during
the Setup System wizard.
Enter a new password for the Super Administrator to change the password. The new password is not shown in clear
text. If the Enable password policy option is selected, the password must meet the password policy requirements.
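As an added example (not PortWise's own code), the following Python function checks a candidate password against the two requirements listed above: a minimum length of six characters and characters from at least three of the four categories. The manual only names English letters, so treating any character outside the ASCII letters and digits as non-alphanumeric is an assumption of this example.

```python
import string
from typing import List, Set

# Policy parameters as stated in the manual.
MIN_LENGTH = 6            # at least six characters
REQUIRED_CATEGORIES = 3   # characters from at least three of the four categories

# The three explicitly enumerated categories; the fourth (non-alphanumeric) is
# everything else and is derived below.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),  # English uppercase, A through Z
    "lowercase": set(string.ascii_lowercase),  # English lowercase, a through z
    "digit": set(string.digits),               # base 10 digits, 0 through 9
}


def categories_used(password: str) -> Set[str]:
    """Return the names of the character categories present in the password."""
    used = {name for name, chars in CATEGORIES.items()
            if any(ch in chars for ch in password)}
    # Assumption of this example: anything that is not an ASCII letter or digit
    # (e.g. !, $, #, %) counts as non-alphanumeric.
    if any(ch not in string.ascii_letters and ch not in string.digits for ch in password):
        used.add("non_alphanumeric")
    return used


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = categories_used(password)
    if len(used) < REQUIRED_CATEGORIES:
        problems.append(f"uses only {len(used)} of 4 character categories, "
                        f"at least {REQUIRED_CATEGORIES} are required")
    return problems


def meets_policy(password: str) -> bool:
    """True when the password satisfies the PortWise password policy as described."""
    return not check_password_policy(password)


if __name__ == "__main__":
    for candidate in ("Abc123", "abc123", "Ab1!", "abc#12"):
        print(candidate, "->", check_password_policy(candidate) or "accepted")
```

The check reports every violated requirement rather than stopping at the first one, which is what an administrator wants to see when a new super administrator password is rejected.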
Settings
Label Mandatory Description
Enable event monitoring of directory service and user storage No Selected by default. This option can be disabled to enhance performance.
System Status
General Status
On the General Status tab, all registered services in the PortWise network, Directory Services, user storage locations,
and RADIUS clients are listed with Display Name and DNS name or IP address.
Furthermore, host, current server time, and version of the Administration Service is presented.
Configured notification channels are listed as enabled and/or disabled.
Access Points
On the Access Points tab, all registered Access Points are listed displaying Display Name and Host.
Policy Services
On the Policy Services tab, all registered Policy Services are listed displaying Display Name and Host.
Authentication Services
On the Authentication Services tab, all registered Authentication Services are listed displaying Display Name and
Host.
User Sessions
Settings
Label Mandatory Description
User ID No N/A
Authentication Method No N/A
Log Viewer
Example
logon userA
This example will list all logons made by the user userA.
It is also possible to enter the following:
Example
logon and userA
Both types will display all log entries containing the words logon and userA.
Searches are not case sensitive and the search criteria can consist of several words. For an exact match, all entered
words must exist. Note that a search can be time consuming if there is a large number of logs to filter.
For an OR search, use the special word ‘or’. OR operations have precedence over AND operations.
Example
fatal or warning
Example
fatal or warning and sql
Displays all messages with the FATAL or WARNING severity levels containing the word SQL.
Example
-info
Displays all severity levels except the INFO level (i.e. only the FATAL and WARNING levels).
Example
fatal or warning -sql
Displays all lines with the FATAL or WARNING severity levels, except for SQL messages.
The wildcard characters ‘*’ and ‘?’ are allowed. * signifies any number of characters, and ? signifies exactly one
character.
Example
abc*def
Displays all lines where the text “abc” can be found before the text “def”.
Example
abc?def
Displays all lines where the text “abc” can be found, followed by exactly one character, and then followed by the text
“def”.
Quoted searches can be used to search for whole sentences or for the wildcard characters.
Example
fatal or warning -lcp -”tc5 system”
Displays all lines that have the FATAL or WARNING severity levels, but does not contain any LCP messages or the string
“tc5 system”.
Example
“ info “
Displays lines with the string “info” with spaces on each side (as a separate word).
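The search syntax described above can be emulated with a small filter, which is a convenient way to test a query before running it against a large log set. The following Python code is an added example, not part of the PortWise product, and the sample log lines are constructed for the demonstration. It assumes that the special words ‘or’ and ‘and’ are recognized only outside quotes, that wildcard characters inside quotes are literal, and that a plain term matches anywhere in the line as a substring.

```python
import re
from typing import List, Tuple

Term = Tuple[re.Pattern, bool]   # (compiled pattern, negated?)

QUOTES = '"\u201c\u201d'         # straight and typographic double quotes

# Constructed sample log lines for the demonstration (not real PortWise output).
SAMPLE_LOG = [
    "2009-03-01 10:00:01 INFO  logon userA from 10.0.0.5",
    "2009-03-01 10:00:02 INFO  logon userB from 10.0.0.6",
    "2009-03-01 10:05:10 WARNING sql connection pool low",
    "2009-03-01 10:06:00 FATAL sql query failed",
    "2009-03-01 10:07:00 FATAL lcp link down",
    "2009-03-01 10:08:00 WARNING tc5 system restart",
    "2009-03-01 10:09:00 INFO  logoff userA",
    "2009-03-01 10:10:00 INFO  abcXdef seen",
    "2009-03-01 10:11:00 INFO  abcXYZdef seen",
    "2009-03-01 10:12:00 WARNING informational notice",
]


def tokenize(query: str) -> List[Tuple[str, bool, bool]]:
    """Split a query into (text, negated, quoted) tokens.

    A leading '-' negates the token; quoted text is kept verbatim, spaces included.
    """
    tokens = []
    i, n = 0, len(query)
    while i < n:
        if query[i].isspace():
            i += 1
            continue
        negated = False
        if query[i] == "-":
            negated = True
            i += 1
        if i < n and query[i] in QUOTES:
            j = i + 1
            while j < n and query[j] not in QUOTES:
                j += 1
            tokens.append((query[i + 1:j], negated, True))
            i = j + 1
        else:
            j = i
            while j < n and not query[j].isspace():
                j += 1
            if j > i:
                tokens.append((query[i:j], negated, False))
            i = j
    return tokens


def compile_term(text: str, negated: bool, quoted: bool) -> Term:
    """Turn a token into a case-insensitive regex; '*' and '?' are wildcards only when unquoted."""
    if quoted:
        pattern = re.escape(text)
    else:
        pattern = "".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in text
        )
    return re.compile(pattern, re.IGNORECASE), negated


def parse(query: str) -> List[List[Term]]:
    """Group terms so that 'or' binds tighter than the implicit or explicit 'and'.

    The result is a list of OR-groups; a line is selected when every group matches.
    """
    groups: List[List[Term]] = []
    pending_or = False
    for text, negated, quoted in tokenize(query):
        if not quoted and text.lower() == "or":
            pending_or = True
            continue
        if not quoted and text.lower() == "and":
            pending_or = False
            continue
        term = compile_term(text, negated, quoted)
        if pending_or and groups:
            groups[-1].append(term)
        else:
            groups.append([term])
        pending_or = False
    return groups


def line_matches(line: str, groups: List[List[Term]]) -> bool:
    # A negated term "matches" when the pattern is absent from the line.
    return all(
        any(bool(rx.search(line)) != negated for rx, negated in group)
        for group in groups
    )


def search(lines: List[str], query: str) -> List[str]:
    """Return the lines selected by a Log Viewer style query."""
    groups = parse(query)
    return [line for line in lines if line_matches(line, groups)]


if __name__ == "__main__":
    for q in ("logon userA", "fatal or warning and sql", "-info",
              'fatal or warning -lcp -"tc5 system"', '" info "', "abc?def"):
        print(f"{q!r}: {len(search(SAMPLE_LOG, q))} line(s)")
```

Note the precedence rule from the text: in "fatal or warning and sql" the OR group is formed first and then ANDed with "sql", so the filter keeps only the SQL-related FATAL and WARNING lines, and the quoted form ‘" info "’ excludes a line whose only occurrence of the text is inside the word "informational".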
Diagnostics File
You can download a .zip file containing all System, Audit, Billing, HTTP, and RADIUS logs for the selected servers.
The diagnostics file also contains all configuration files and message logs, as well as the debug logs (including the
Access Point raw external and internal logs, raw proxy interchange log, form based log, and hyperlinks log).
By selecting Enable debug logging on the Manage General Logging Settings page, the debug logs are
automatically enabled.
Settings
Label Mandatory Description
Log Type No Set to System log by default.
Servers Yes Set to All servers by default.
Search Criteria No Searches are not case sensitive and the search criteria can consist
of several words.
For an exact match, all entered words must exist.
Time Range No Set to Last 1 hour by default.
Logging
About Logging
All registered servers in the PortWise network generate several individual logs. You can manage each server’s log
settings individually.
Another important factor of logging is that both the Report and Alert functionality depend on the log collecting.
If the Log Collection Interval is set too high (this is done on the Manage Global Logging Settings page), the ability
to view real-time reports diminishes. Alerts are not sent until logs with this information are collected.
PortWise 4.7 includes five types of logs:
Log Type      Log Level              Description
System Logs   Fatal, Warning, Info   Logs run-time events
Audit Logs    Warning, Info          Logs user activity, such as log on, log out, and session events. All PortWise Administrator user activities are also logged here
Billing Logs  Info                   Logs events required for billing
HTTP Logs     Info                   Logs HTTP server requests
RADIUS Logs   Info                   Logs RADIUS server requests
In the Administrator it is possible to filter the severity level of the logged messages. It is also possible to turn logging
off. The following table shows the possible log level filtering:
Log Level Filter Description
Off Logs nothing, the log is disabled
Fatal Logs only fatal messages
Warning Logs warning and fatal messages
Info Logs info and above messages
Manage Logging
You manage logging settings for each registered service on individual tabs representing each log type.
The different services generate separate log types:
• Administration Service
Log types: System, Audit, Billing, and HTTP logs
• Access Point
Log types: System, Audit, and HTTP logs
• Policy Service
Log types: System, Audit, Billing, and HTTP logs
• Authentication Service
Log types: System, Audit, Billing, and RADIUS logs
You can configure the same kind of settings for all log types, these are described below.
Information
Note that the Access Point audit log includes more settings than the other services’
audit logs. You can enable settings on the accessing client, session, and access request
settings such as requested path and resource, protocol used, and response information.
Information
Note that log level filter is set to Off by default.
Information
Note that if the Log Collection Interval option is set too high, the ability to view real-time
reports diminishes. Alerts are not sent until logs with this information are collected.
Select the Enable debug logging option to automatically enable the debug logs including the Policy Service End-
Point Security log, the Access Point raw external log, raw internal log, raw proxy interchange log, hyperlinks log, and
form-based log.
Settings
Label Mandatory Description
Log Directory Yes Set to logs by default.
License
About License
You initially uploaded the license file in Setup Wizard. PortWise 4.7 scans the license and adjusts the PortWise
Administrator to included products and features.
The license format supports both concurrent users and named users. You decide which type of users the license should
be based on when requesting the license.
You can upload a new license file if you have purchased additional features, if your license file has expired, or if it is
corrupt.
All licensed DNS names, authentication methods, and features are listed in separate sections.
Settings
Label Mandatory Description
License File No N/A
Alerts
About Alerts
Alert notifications are messages sent to selected receivers when specified events have occurred in the system. Selected
receivers can either be a selection of roles, managed in the Delegated Management section, or listed e-mail
addresses or cell phone numbers.
Alert notification messages are distributed by e-mail and/or SMS. You need to configure the appropriate channels for
each service respectively. This is done in the Manage System section on the Notification Settings pages.
You can select and combine a number of pre-defined alert events. Alert events include lost and restored connections to
the directory service or services in the PortWise network, or user activity such as exceeded number of access requests.
For example, if the Administration Service is unable to communicate with the directory service, an alert event is
triggered. An alert is created and configured to notify selected alert receivers of the Lost connection to Directory
Service event. An alert message containing event specific information is created and distributed using SMS, e-mail,
or both.
Alert Events
A number of pre-defined alert events are configured for you to select from:
• User accounts
Alerts can be triggered when accounts are locked and unlocked for access, authentication, and time-locks.
• Resources
Alerts can be triggered when resources are offline and online.
• PortWise network
Alerts can be triggered when the connection to services in the PortWise network are lost and restored.
• Directory service
Alerts can be triggered when the connection to the directory service is lost and restored.
• Authentication method server
Alerts can be triggered when the connection to the authentication method server is lost and restored.
Manage Alerts
Registered alerts are listed on the Manage Alerts page in the Monitor System section of PortWise Administrator.
You can add, edit, and delete alerts.
Alert Settings
All alerts consist of an alert event that triggers an alert notification.
You specify which type of notification channel to use for the alert notification messages. You can specify an SMS
channel, an e-mail channel, or both. You can only specify channels that have been configured.
Notification channels are configured on the Notification Settings pages in the Manage System section of PortWise
Administrator.
Settings
Label Mandatory Description
Enable alert No Selected by default.
Display Name Yes Unique name used in the system to identify the alert.
Description No
sage is designed, but a recommendation is to keep in mind the selected receiving method: SMS messages for example
can usually only display a limited number of characters.
When editing or designing alert messages regarding user accounts, resources, and PortWise services, another variable
is used to indicate the specific event trigger.
Example
{0}: User {1} has been locked for authentication.
In this example alert message, {0} will be replaced with the exact date and time of the event, and {1} will be replaced
with an actual user ID. The resulting alert message that will be received will be presented like this:
2005-09-01 09:11:31: User Joe Smith has been locked for authentication.
You cannot change any formatting such as usage of bold text or italics in alert messages.
Settings
Label Mandatory Description
Subject Yes Set to An alert has been triggered by default.
Reports
About Reports
In addition to the Log Viewer, you also have the possibility to generate reports in PortWise 4.7. The reports can be
snapshots of activity at any given time, or statistics showing for example the behavior of users or usage of resources.
You can select to generate reports from seven report groups:
• Abolishment reports
• Assessment reports
• Access reports
• Authentication reports
• Authorization reports
• Account Statistics reports
• System reports
The option Complete Report generates a complete report containing statistics from all available report types.
Each report group consists of one or several reports, and each report contains one or several charts.
Reports are divided in three information parts:
• Time range
• Filters
• Graphics
Time Range
You can specify three types of time ranges:
• Last
When you specify a time range of the type Last, time is counted from the current time, when generating the
report, to the specified time (in hours, days, weeks, months, or years).
For example, if you select Last 2 Days at 02:15 PM, data is collected for 24 hours + 02:15 hours from now.
• From - To date
When you specify a time range of the type From - To date, time is collected from and to a specific date. For
each day, a 24-hour period starting at 00:00 and ending at 24:00 is calculated.
• All Available
When you specify a time range of the type All Available, time is collected from the time when the database
was created. If there is no data from this start time, the time gap (from no data to data) will show in the
reports.
When selecting large ranges the time to generate reports increases drastically.
Filters
You can specify filters to select the data included in different reports. Report groups have different available filters.
These filters are available for most reports:
• Access Points
Specifies one or several Access Points.
You make the selection from all registered Access Points.
• Policy Services
Specifies one or several Policy Services.
• Authentication Services
Specifies one or several Authentication Services.
• Client IP
Specifies one or a range of IP addresses.
You make the selection from all client IP addresses.
• User ID
Specifies users and user accounts.
You make the selection from all registered users, both PortWise user accounts and users stored in user storage.
• Devices
You make the selection from all registered devices.
• Web resource hosts
You make the selection from all registered Web resource hosts.
• Tunnel resource hosts
You make the selection from all registered Tunnel resource hosts.
• Tunnel Protocol
Select UDP, TCP or both.
• Tunnel IP
Specify the IP range for the tunnels.
• Tunnel Port
Specify the port range for the tunnels.
Graphics
You specify two types of graphics: Chart Types and Styles.
Each report can be presented using different chart types. For example, when you select to generate an Assessment
report, you can select the chart types Failed over Time, Succeeded over Time, Failed by Reason, and Failed by User. You
need to select at least one chart type to generate the report.
Each chart type is then presented using different styles: Bar, Line, or Pie in 2D or 3D.
PortWise 4.7 suggests a chart type and style by default per report, but you can change and combine any report with
any chart type and style.
Statistics
Statistics are presented in reports in PortWise Administrator. The reports are available in real time and historically.
PortWise 4.7 reports the following statistics:
• Response Time (after workload)
• Device Usage
• User resource usage
• Session trend
• Current Workload
• Bandwidth Usage
• Free memory space
• Free Disk Space
Information
Free disk space information is not available from Access Points
The statistics are available in different forms: current status, averages, and so on.
The reporting format also supports third-party products: PortWise 4.7 can provide reports that can be used in Microsoft
Excel and Crystal Reports.
Data Retrieval
All reporting information is collected and stored in a database. Queries are run both to the database and the directory
service. The result is then graphically presented in PortWise Administrator with the possibility to store the result in a
text file or export it to a .zip file.
Limitations
The HSQLDB database is allowed to grow to a maximum size of 250 MB. This limit is enforced by PortWise to ensure
acceptable startup and shutdown times for the Administration Service. If statistics data needs to be stored for a longer
period, it is recommended to use another database.
The HSQLDB database is suitable for up to 5,000 authentication attempts per day, which allows statistics to be kept for
about 50 days.
If the workload exceeds 5,000 authentications per day, it is recommended to use another, higher-performing database,
for example MySQL. The database can be changed to any database that supports JDBC and the SQL-92 dialect of SQL.
Schedule Cleanup
Scheduled cleanup is not enabled by default, so that no report statistics data is lost. If you enable scheduled cleanup,
you specify how old events must be before they are removed. When enabled, scheduled cleanup runs once every midnight.
If scheduled cleanup is enabled but the HSQLDB database reaches its limit before the cleanup runs, it is recommended
to decrease the number of days that events are kept in the system log file.
Forced Cleanup
Forced cleanup runs once every midnight when the database is larger than 250 MB.
Forced cleanup removes all events from the oldest date in the database and repeats this until the database is 250 MB
or smaller.
Database Growth
At 250 MB the database holds approximately 1,750,000 events, each event taking an average of 150 bytes.
If we assume that each successful authentication attempt generates a total of 7 events:
• 1 Authentication event
• 1 Assessment event
• 1 Abolish event
• 1 Session Created event
• 3 Authorization requests (assuming the request is cached in the Access Point)
then each authentication takes 7 × 150 = 1,050 bytes, and 5,000 authentications per day take roughly 5 MB. At that
workload the database holds report statistics data for a period of roughly 50 days.
Manage Reports
Available report types are listed on the Manage Reports page in the Monitor System section of PortWise Admin-
istrator. You can generate several types of reports using different filters and graphics.
All reports can be generated using the default configuration.
Input    Value
Hours    Entered value must be in the range 1 to 24.
Days     Entered value must be in the range 1 to 7.
Weeks    Entered value must be in the range 1 to 4.
Months   Entered value must be in the range 1 to 12.
Years    Entered value must be in the range 1 to 30.
• From – To dates
The time range to collect data is defined by a from and to date. For each day, the system calculates a 24-hour
period starting at 00:00 and ending at 24:00.
• All available
The time range depends on the available data stored in the database.
For an assessment report, you can also specify the report specific filter Assessment Access Rule, which defines if all or
a selection of assessment access rules will be included in the report.
For assessment reports, you can select one, several, or all of the following chart types:
• Failed assessment attempts over time
By default presented as a bar chart
• Succeeded assessment attempts over time
By default presented as a bar chart
• Failed assessment attempts sorted by reasons
By default presented as a bar chart
• Failed assessment attempts sorted by users
By default presented as a bar chart
• Access Points
• Client IP
• User ID
• Devices
For an abolishment report, you can also specify the report specific filter Abolishment Access Rule, which defines if all or
a selection of abolishment access rules will be included in the report.
For abolishment reports, you can select one, several, or all of the following chart types:
• Failed abolishment attempts over time
By default presented as a bar chart
• Succeeded abolishment attempts over time
By default presented as a bar chart
• Failed abolishment attempts sorted by users
By default presented as a bar chart
For access reports, you can select one, several, or all of the following chart types:
• Access Requests by User
By default presented as a bar chart.
The number of access requests is calculated once per user session.
• Access Requests Over Time
By default presented as a bar chart.
The number of access requests is calculated once per resource request and not per user.
• Access Requests by Web Resource Host
By default presented as a pie chart.
The number of access requests is calculated once per resource request and summarized for each host.
The report also includes the name of the most frequently accessed resource host.
• Access Requests by Tunnel Resource Host
By default presented as a pie chart.
The number of access requests is calculated once per resource request and summarized for each tunnel
resource host.
The report also includes the name of the most frequently accessed tunnel resource host.
For an authentication report, you can also specify the report specific filter Authentication Method, which defines if all
or a selection of authentication methods will be included in the report.
For authentication reports, you can select one, several, or all of the following chart types:
• Failed Authentication Attempts over Time
By default presented as a bar chart.
• Succeeded Authentication Attempts over Time
By default presented as a bar chart.
• Failed Authentication Attempts by Reason
By default presented as a bar chart.
• Failed Authentication Attempts by User
By default presented as a bar chart.
• Authentication Method Usage
By default presented as a bar chart.
This chart displays the most frequently used authentication methods.
• Day Trend
By default presented as a bar chart.
This chart displays the average number of authentication attempts at specific hours in a specified period of
time.
Note that the number is calculated once per resource request and not per user.
All authentication requests in the time range are presented per hour of the day (0..23). The value for each hour is
divided by the number of days set in Time Range.
The time range must be one day or longer for any values to be presented in the report.
For an authorization report, you can also specify the report specific filter Web Resource Hosts, which defines if all or a
selection of Web resource hosts will be included in the report.
For authorization reports, you can select one, several, or all of the following chart types:
• Failed Authorization Attempts over Time
By default presented as a bar chart.
• Succeeded Authorization Attempts over Time
By default presented as a bar chart.
• Failed Authorization Attempts by Reason
By default presented as a bar chart.
• Failed Authorization Attempts by User
By default presented as a bar chart.
• Day Trend
By default presented as a bar chart.
The number of authorization requests is calculated once per resource request and not per user.
All authorization requests in the time range are presented per hour of the day (0..23). The value for each hour is
divided by the number of days set in Time Range.
The time range must be one day or longer for any values to be presented in the report.
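The per-hour averaging behind the Day Trend chart, described above for both the authentication report and the authorization report, as an added example in Python. This is not PortWise code: the request records are constructed for the example, and the function names day_trend and failed_by_user are illustrative. It shows the two rules the chart depends on: every request counts (not every user), and a range shorter than one day produces no values.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of authentication requests as (timestamp, user ID, result).
# These rows are made up for the example; they are not PortWise log output.
SAMPLE_REQUESTS = [
    ("2009-03-02 08:05:10", "alice", "ok"),
    ("2009-03-02 08:40:00", "bob", "ok"),
    ("2009-03-02 08:41:30", "bob", "fail"),
    ("2009-03-02 17:10:00", "alice", "ok"),
    ("2009-03-03 08:15:00", "carol", "ok"),
    ("2009-03-03 08:59:59", "alice", "ok"),
    ("2009-03-03 23:30:00", "bob", "ok"),
    ("2009-03-04 03:00:00", "mallory", "fail"),  # outside the two-day range used below
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def day_trend(requests, range_start, range_end):
    """Average number of requests per hour of day (0..23) over the time range.

    Every request is counted, not every user: a user with three requests in the
    same hour contributes three. The time range is a whole number of days, as in
    the report's Time Range setting. A range shorter than one day yields no values
    (the manual's rule), so None is returned rather than a misleading chart.
    """
    start, end = _parse(range_start), _parse(range_end)
    days = int((end - start).total_seconds() // 86400)
    if days < 1:
        return None
    per_hour = Counter()
    for ts, _user, _result in requests:
        when = _parse(ts)
        if start <= when < end:
            per_hour[when.hour] += 1
    return [per_hour[h] / days for h in range(24)]


def failed_by_user(requests, range_start, range_end):
    """Companion to the 'Failed ... by User' charts: failed requests per user ID."""
    start, end = _parse(range_start), _parse(range_end)
    counts = Counter()
    for ts, user, result in requests:
        if result == "fail" and start <= _parse(ts) < end:
            counts[user] += 1
    return dict(counts)


def demo():
    """Two-day range: five requests fall in hour 8, so the 08:00 value is 2.5."""
    return day_trend(SAMPLE_REQUESTS, "2009-03-02 00:00:00", "2009-03-04 00:00:00")


if __name__ == "__main__":
    for hour, value in enumerate(demo()):
        if value:
            print(f"{hour:02d}:00  {value:.2f}")
    print(failed_by_user(SAMPLE_REQUESTS, "2009-03-02 00:00:00", "2009-03-04 00:00:00"))
```

The same per-request counting applies to Access Requests Over Time; the per-user variants in the access and account statistics reports count each user (or session) once instead, which is why the two kinds of chart cannot be compared directly.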
For account statistics reports, you can select one, several, or all of the following chart types:
• User Access Attempts by Web Resource Host
By default presented as a pie chart.
For each web host, the number of users is presented both as an actual amount and as a percentage of the
total number of users.
The number is calculated once per user ID.
• User Access Attempts by Tunnel Resource Host
By default presented as a pie chart.
For each tunnel host, the number of users is presented both as an actual amount and as a percentage of the
total number of users.
The number is calculated once per user ID.
Settings
Label Mandatory Description
All No All registered filter data is displayed.
Selection No A search is performed and a selection can be made.
Available No List of available filter data.
Selected No Selected from the Available list.
7 Manage Accounts and Storage
User Accounts
In PortWise terminology, users and user accounts are separate terms. PortWise user accounts are required for access
to registered resources, and each account is connected to an actual user. Not all users in your directory service need
to have registered PortWise user accounts.
PortWise user accounts are linked to user information already stored in your directory service. A user storage link estab-
lishes a connection to your local user information.
User accounts are managed in the Manage User Accounts section.
In the Global User Account Settings section, you manage global default settings used in authentication, for time-
outs, when using user linking (described below), and to setup automatic repair of user links.
Please refer to the About Creating User Accounts section for detailed information on different methods of creating
user accounts.
User Groups
There are three types of user groups available in PortWise 4.6:
• User groups defined in directory service
• User location groups
• User property groups
User Storage
The user storage is the external location where users are stored and used by the Policy Service as part of the authori-
zation process. To automatically add references (when authenticating a user, for example) to existing users and user
groups in the directory service, you need to configure user storage.
It is recommended that the user accounts are linked to the user storage, to enable reuse of user information.
When configuring user storage, you specify the host for the directory service and define a set of search rules to find
users and user groups.
You can specify several user storage locations in directory services of different brands and different vendors. For infor-
mation on supported directory services, please see the PortWise 4.6 Release Notes.
A user storage location was added to the system during the Setup System wizard.
User storage locations are managed in the Manage User Storage section.
Information
Changes made in settings for specific user accounts override the global default configu-
ration.
To repair broken links, missing users are searched for in the user storage location and when found the link is re-
established.
Link repair can be performed using two methods:
• Use the User Link Repair wizard to check directory links, and repair or delete user accounts with broken
links.
• Use the default global setting Auto Repair to repair user links automatically when users access the system.
When Auto Repair is used, the directory link is automatically updated when the user attempts to access the
system using .
General Settings
You configure the default maximum number of retries for user access for all accounts. You can, however, override this
number for specific user accounts using the Number of retries setting. When set to 0, the user account is never
locked, which also means that failed logon attempts against it are never limited. This setting is used both for the default
account configuration and for PortWise authentication.
You specify the number of days a user account is valid. This value is used as the default when a new user account is
created. When set to 0, the user account never expires.
Optional default account settings for PortWise authentication include:
• Use groups
When selected, user group names are supported. If supported, a group name can be connected to a user
when managing user accounts. This group information is sent to the RADIUS client. The RADIUS client can
then be configured to use this attribute for authorization.
• Framed IP
When a framed IP address has been configured, this IP address is sent to a network access point from the
Authentication Service upon successful authentication. This information can be used in authorization decisions
made by the access point.
• Time-lock
You can set a time-out for the authentication time-lock: the length of time users are locked out from attempting
to log on after the number of failed logons set in Time-lock Interval has been reached.
Time-out settings are used as default values when a Web resource is created. To edit or specify any or all of these set-
tings for a specific resource, go to the Web Resource Host Advanced Settings page.
You set the maximum user inactivity time before re-authentication is required, validity time for a session in the system,
time since the user was last authenticated with required authentication method before re-authentication is required,
and time before users are warned and prompted to re-authenticate.
Default global settings for user linking per PortWise authentication method are configured. These default settings
include:
• Enable authentication method after user linking
• Generate password/PIN
When selected, the password/PIN is created automatically when user linking is used
Password/PIN can be retrieved automatically if a user storage attribute has been specified on the Directory
Mapping tab in the Manage User Storage section.
Select Generate Password for an automatically created password. When selected, directory mapping is not
performed.
• Password/PIN never expires
When selected, the password/PIN does not expire when user linking is used
• User cannot change password/PIN
When selected, users cannot change the password/PIN when user linking is used
• User must change password/PIN at next logon
When selected, users are required to change password/PIN at next logon when user linking is used
• Use password from directory service
This option is only available for the authentication methods: PortWise Mobile Text and PortWise Password.
When selected, the password used in the applicable directory service is used for authentication when user
linking is used
Information
Password and PIN can be retrieved automatically if a user storage attribute has been
specified on the Directory Mapping tab in the Manage User Storage section.
Settings
General Settings
Label Mandatory Description
Max Retries         Yes   Maximum number of invalid login attempts allowed (1-999) before the user account is
                          locked for authentication. Set to 10 by default.
Account Expires In  No    Number of days a user account with enabled PortWise Mobile ID authentication is valid.
                          Set to 0 by default.
Auto Repair
Label Mandatory Description
Auto repair user links when the users access the system   No   Selected by default.
User Linking
Label Mandatory Description
Enable PortWise Authentication when manually linking the user        No   Not selected by default.
Enable PortWise Authentication when automatically linking the user   No   Not selected by default.
Notification                                                         No   Available options are: By E-mail and By SMS.
                                                                          Set to By SMS by default.
User Linking
You have the option to specify a message set. A message set is a set of all PortWise authentication notification mes-
sages.
The Default message set includes all messages specified on the Global Authentication Service Settings page.
To create additional message sets, please refer to the Technical Note available from the PortWise Technical Library.
When the wizard is completed, a repair result is displayed. The user accounts included in the link repair are listed ac-
cording to applicable repair result:
• Link Repaired User Accounts
• Removed User Accounts
• Ignored User Accounts
Settings
Label Mandatory Description
Update user link and repair all remaining user accounts automatically   No   If the user has been moved or modified, the user storage
                                                                             location and directory link information are updated.
Update user link and check next user account                            No   When selected, the system updates the user storage location
                                                                             and directory link information with the new link information.
Remove user account and check next user account                         No   When selected, the system removes the user account.
Remove user account and remove all remaining user accounts              No   When selected, the system checks and removes all remaining
                                                                             user accounts with broken links.
Ignore user account and check next user account                         No   When selected, the system does not update the user storage
                                                                             location and directory link information.
Cancel                                                                  No   When selected, the repair is cancelled.
User Import
The formatting rules are applied to the following import file items:
Item       Description                                                        Comment
Heading    Description
String     A string containing any character
Integer    Non-negative numeral
Boolean    True or false
Password   Password in clear text, or {SHA} followed by the base64-encoded
           SHA-1 hash of the password
Date       Date format complies with your browser's language settings         Make sure the date format in the file
                                                                              matches your browser settings
Settings
Label Mandatory Description
Separator in File No Available options are: Comma, Semicolon, and Tab.
Set to Comma by default.
Import File No Imported file.
User Accounts
These three options are designed to meet different administrative requirements, but all result in user accounts. The only
difference in the end result can be the level of detail in account settings. In edit mode, applicable account settings are
available for configuration regardless of how the user account was created.
Using the Add User Account wizard is the standard way to create user accounts, and the way that presents you with the
largest number of options. It is suitable when the majority of user accounts are already registered in the Administrator.
User Linking is used when you quickly want to create a basic user account based on an existing user in user storage. If
you want to create user accounts for users not stored in user storage, or if you want to create multiple user accounts
simultaneously, use User Import to create user accounts by importing a file containing user information.
• Time-Lock Authentication
When selected, the user account is time-locked from access to the PortWise network and its resources for the
time configured on the Global User Account Settings page. You can unlock user accounts in this list.
User Linking
Creating a user account through User Linking requires a user storage location, since the user account is created by link-
ing to an existing user in user storage.
User Import
Creating a user account through User Import on the Manage User Import page does not require user storage. Mul-
tiple user accounts are created simultaneously by importing a file containing user information separated by commas,
semi-colons, or tabs.
The minimum user information in the file required to create a user account is user ID and display name.
The following settings are automatically created for the user accounts (only if the corresponding information is not
specified in the imported file):
• Max Retries for Access (default value is set according to Manage Global User Account Settings)
• Max Retries for PortWise Authentication (default value is set according to Manage Global User Account
Settings)
• Account Expires Within (default value is set according to Manage Global User Account Settings)
As opposed to User Linking, authentication methods enabled on the User Linking tab in Manage Global User Ac-
count Settings and their corresponding settings are not retrieved when creating user accounts through user import.
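Producing an import file for Manage User Import, as an added example in Python; this is not PortWise's own tooling. The separator and the {SHA} password form follow the import-file items listed under User Import above, and the user ID plus display name minimum follows the paragraph above. The column headings in HEADER and the sample users are assumptions made for the example. The code writes passwords only in hashed form, rejects accounts that lack the required user ID or display name, and reads the file back so the result can be verified before it is uploaded.

```python
import base64
import csv
import hashlib
import hmac
import io

# Column headings are an assumption for this example; the manual specifies the
# item types and separators, not the heading names PortWise expects.
HEADER = ["userid", "displayname", "email", "password"]

# Constructed sample users, made up for the example.
SAMPLE_USERS = [
    {"userid": "alice", "displayname": "Alice Andersson",
     "email": "alice@example.com", "password": "hunter2"},
    {"userid": "bob", "displayname": "Bob Berg", "email": "bob@example.com"},
]


def sha_password(password):
    """Import-file form of a hashed password: {SHA} + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def password_matches(stored, candidate):
    """Check a candidate against a stored import-file password, hashed or clear text.

    compare_digest keeps the comparison constant-time for both forms.
    """
    if stored.startswith("{SHA}"):
        expected = sha_password(candidate)
    else:
        expected = candidate
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))


def build_import_file(users, separator=","):
    """Render users as an import file; passwords are written only in {SHA} form."""
    if separator not in (",", ";", "\t"):
        raise ValueError("separator must be comma, semicolon or tab")
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=separator, lineterminator="\n")
    writer.writerow(HEADER)
    for u in users:
        if not u.get("userid") or not u.get("displayname"):
            raise ValueError("user ID and display name are required for every account")
        password = sha_password(u["password"]) if u.get("password") else ""
        writer.writerow([u["userid"], u["displayname"], u.get("email", ""), password])
    return buf.getvalue()


def parse_import_file(text, separator=","):
    """Read an import file back into dicts keyed by the heading row."""
    return list(csv.DictReader(io.StringIO(text), delimiter=separator))


if __name__ == "__main__":
    print(build_import_file(SAMPLE_USERS, separator=";"))
```

The {SHA} form is an unsalted SHA-1 digest, which is cheap to guess offline, so the import file is still sensitive: protect it in transit and at rest and remove it once the import has been performed. Accounts imported without a password get the Password/PIN settings described under Manage Authentication Settings.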
PortWise Authentication
PortWise Authentication includes use of the PortWise authentication methods Web, Mobile Text, Challenge, Synchro-
nized, and Password.
To disable PortWise authentication for a user account, you need to disable all PortWise authentication methods for
that user account.
When configuring SSO domain settings for user accounts, all Domain Attributes associated with a specific SSO domain
are automatically retrieved.
There are two types of SSO domains: Text and Cookie. For detailed information on SSO domains, please refer to the
About SSO Domains section.
User Certificate
Certificates can be bound to specific users to be used for authentication with the authentication method User Certifi-
cate.
General Settings
On the General Settings page, you specify general configuration settings for the user account.
Display Name can be retrieved automatically if a user storage attribute has been specified on the Directory Map-
ping tab in the Manage User Storage section.
You can link the user account to an existing user in user storage. A link to the correct location (DN) to the user in the user
storage is created. The user’s display name, e-mail address, and cell phone number is retrieved when available.
You can also define attributes that are specific for the user account. These attributes can for example be used when creat-
ing user property groups.
You can select to temporarily disable a user account, or to specify a time period for the user account’s validity. The default
value here is retrieved from the Global User Account Settings page.
Information
Format complies with your browser’s language settings.
When PortWise authentication has been enabled on the PortWise Authentication tab, you can specify the user's noti-
fication settings. Both E-mail Address and SMS can be retrieved automatically if a user storage attribute has been
specified on the Directory Mapping tab in the Manage User Storage section.
Manage Authentication Settings
On the PortWise Authentication Settings page, you configure the number of retries allowed for users, lock and
un-lock settings, and time-lock of PortWise authentication.
Notification settings include configuration of e-mail and SMS channels.
Password/PIN settings for each enabled authentication method include:
• Generate password/PIN
• Password never expires
• User cannot change password/PIN
• User must change password/PIN on next logon
• Use password from directory service
This option is only available for the authentication methods: PortWise Mobile Text and PortWise Password.
• Generate seed
• Clear password/PIN
Information
Password and PIN can be retrieved automatically if a user storage attribute has been
specified on the Directory Mapping tab in the Manage User Storage section.
You also select how the new password or PIN used for PortWise authentication will be distributed to the user when the
user account has been created.
Available options depend on the system configuration for notification and SMS distribution configuration.
Available notification options are:
• By e-mail
• By screen
• By SMS
• By e-mail and screen
• By SMS and screen
• To e-mail address configured on the Global Authentication Service Settings page, on the E-mail Mes-
sages tab.
You have the option to specify a message set. A message set is a set of all PortWise authentication notification mes-
sages.
The Default message set includes all messages specified on the Global Authentication Service Settings page.
To create additional message sets, please refer to the Technical Note available from the PortWise Technical Library.
Specify Group Name when Use Groups is selected as default for user accounts on the Global User Account Set-
tings page. When a group name is entered, only that group can be associated with that specific user. The group
information is then sent to the RADIUS client and the RADIUS client can be configured to use this information (managed
as an attribute) for authentication. Group Name can be retrieved automatically if a user storage attribute has been
specified on the Directory Mapping tab in the Manage User Storage section.
Edit the setting Framed IP when Use Framed IP is selected as default for user accounts on the Global User Ac-
count Settings page. See that section for more information. Framed IP can be retrieved automatically if a user storage
attribute has been specified on the Directory Mapping tab in the Manage User Storage section.
User Certificate
Certificates can be bound to specific users to be used for authentication with the authentication method User Certifi-
cate.
You can replace or remove the certificate bound to the user account. To search for certificates, you can use one of two
methods:
• Browse for the certificate in a file system, using the Browse button
• Enter the user attribute that holds the user’s certificate and search for the certificate in the user storage loca-
tion
Settings
Label Mandatory Description
User ID Yes User account in PortWise 4.6.
Search Criteria No Set to All user accounts by default.
User Groups
Example
ou=sweden,dc=thesecurecompany,dc=com
The advantage of user location groups is high performance, since no additional directory lookup is performed, at the
cost of reduced flexibility.
The advantage of this approach is high flexibility with low administration, at the cost of reduced performance compared
with the other types.
Information
This type cannot be added or modified.
Settings
Label Mandatory Description
Display Name Yes Unique name used to identify the user group inside the system.
User Storage
Search Rules
Define the search rules used to match users and user groups in your directory service. Which rules are best for your
organization depends on the directory structure your organization has chosen and which user objects you want to use
in your rules.
Directory Mapping
Directory mapping is used to retrieve existing information in user storage using specified attributes.
When used, you can reuse information such as passwords or e-mail addresses without specifying them in the PortWise
Administrator when creating or linking user accounts, for example.
General Settings
You specify a host and a secondary host, and an administrative account (a Distinguished Name (DN), an ID or similar,
depending on the type of directory service) with read and write permissions on the user storage. A DN is a sequence of
relative distinguished names, each an attribute type with a value, such as "cn" for common name or "dc" for domain
component.
Example
cn=admin,dc=thesecurecompany,dc=com
Example
admin
When SSL is enabled, you can select a CA Certificate from a list of registered CA Certificates.
You can specify the time in seconds before a request to the user storage times out. When Follow referrals is selected,
referrals, i.e. links between different directory services or within the same directory service, are followed.
Root DN
The distinguished name of the search root from where the system will start to search for objects (users or user groups).
If you want to use a specific sub-tree in your directory service, you can specify the sub-tree as the search root.
Example
ou=people,dc=thesecurecompany,dc=com
Use the Show Tree link to browse for the location DN, the root DN of the directory service is displayed in the browse
window. You can also select root DN in a drop-down list.
The DN is displayed with a + sign. If you click the + sign, you can navigate to the appropriate location in the directory
service.
Attribute Name
The attribute name to be used when searching for users. The values differ depending on directory service used: Active
Directory uses samaccountname, other directory services use uid. Refer to your directory service documentation for
additional information.
Example
cn set to samaccountname when using Active Directory.
Example
member
Search Scope
Use the search scope when searching for users.
Available options are:
• Object Level
Searches the base entry only
• One Level
Searches for objects located directly below the base, not including the base itself
• Sub-tree level
Searches for objects located anywhere below the base, including the base itself
Settings
Label Mandatory Description
User Root DN Yes Distinguished Name of the start base, when searching for objects in
the user storage.
Table 7-41: User Search Rule when Using Other Directory Service
Information
All default mapping attributes are standard LDAP attributes.
Settings
Label Mandatory Description
Display Name No Set to the standard LDAP attribute displayName by default.
Group Name No Set to the standard LDAP attribute sn by default.
Framed IP No
Notification E-mail Address No Set to the standard LDAP attribute mail by default.
Notification SMS No Set to the standard LDAP attribute mobile by default.
Mobile Text Authentication Password No Set to the standard LDAP attribute userPassword by default.
Web Authentication Password No Set to the standard LDAP attribute userPassword by default.
Challenge Authentication PIN No Set to the standard LDAP attribute userPassword by default.
Synchronized Authentication PIN No Set to the standard LDAP attribute userPassword by default.
Password Authentication password No Set to the standard LDAP attribute userPassword by default.
Self Service
To do this securely, the system requests a number of control answers from the end user that establish the end user's
identity. The control questions are referred to as Challenges. There are three types of challenges defined in the system:
• Internal Challenges: These challenges are used by the system to identify the user and cannot be changed.
An example of an internal challenge is the PortWise User ID, which is created automatically and used when the
user ID is requested. This is currently only used in Request Forgotten Password.
• System Challenges: These challenges are managed by the administrator and can be any control question
that can be confirmed by information stored in an attribute in the user storage. For example, if the driver's
license number is stored in an attribute in the user storage for every end user, the system requests it from the
end user and verifies it against what is stored in that attribute for that user.
• User Challenge: This is a control question defined by the end user. Note that there can be only one User
Challenge. When creating this challenge the user selects a question to which only the user knows the answer,
for example the brand of my first car, or my mother's maiden name. The user provides the answer to this
question, which is used when confirming the identity of the user. This is used in Request Forgotten Password
and Request Forgotten User ID.
If all answers are correct, corresponding to the information stored on this particular user, the challenge phase will be
successful and the system distributes the new password to the end user using the preferred channel.
Information
Self Service requires that you have purchased the Self Service license option. If you do
not see the Self Service menu item in the left-hand menu, please verify that you have
the Self Service license option.
After selecting the Self Service menu item, the PortWise Administrator displays the Manage Self Service pane. You are
now presented with three choices:
• Yes - help me with the settings…
If you select the Yes option, the system configures default settings that work for the most common setups.
• No - I will do the configuration myself…
If you select the No option, the system will only configure the most basic settings and leave the rest of the
configuration to you.
• Leave it as it is…
You can also select the Leave option, which will leave Self Service inactivated.
If you select the Yes option, the pane will be updated and show the Self Service Enabled checkbox selected. You are
instructed to update some of the pre-configured settings before the system works correctly. Select the Modify System
Challenges link to update these settings.
Information
For Internal Challenges and User Challenge, the Attribute Name can not be updated
since it is only used internally.
You should always remove the [Update this] label once you have edited the challenge. This will give you a visual cue that
this challenge has been updated.
This means that the end user will be prompted to enter an e-mail address, which must be registered in User Storage. After that the user will be challenged with the defined System Control Challenge, for example the driver's license number. If a user can be found in the system using this e-mail address and with the corresponding answer to the control challenge, then the Auto Activation sequence is initiated.
Request Forgotten Password
The Request Forgotten Password function has the following challenges defined by default:
• User Name
• System control challenge (needs to be updated before use)
• User Challenge
• System e-mail (needs to be updated before use)
This means that the end user will be prompted to enter the User Name as defined in the Auto Activate process. After that the user will be challenged with the defined System Control Challenge, for example the driver's license number. Then the user will be prompted to answer the User Challenge control question defined in the Auto Activation step, and finally the user will be requested to enter the e-mail as defined in the system.
As a control mechanism, the administrator can select to send a message to the alternative channel when a new password has been requested and generated. That means that if the user selects to receive the password by e-mail, a message will be issued to the SMS channel, if present, indicating that a new password has been issued. The administrator can also select what message should be delivered in this case.
If a user can be found in the system using this User Name and with the corresponding answer to the System Control Challenge, the User Defined Challenge and the system e-mail, the Request Forgotten Password sequence is initiated.
Request Forgotten User Name
The Request Forgotten User Name function has the following challenges defined by default:
• User Name
• System control challenge (needs to be updated before use)
• User Challenge
• System e-mail (needs to be updated before use)
This means that the end user will be prompted to enter the User Name as defined in the Auto Activate process. After that the user will be challenged with the defined System Control Challenge, for example the driver's license number. Then the user will be requested to answer the User Challenge control question defined in the Auto Activation step, and finally the user will be requested to enter the e-mail as defined in the system.
As a control mechanism, the administrator can select to send a message to the alternative channel when a new password has been requested and generated. That means that if the user selects to receive the password by e-mail, a message will be issued to the SMS channel, if present, indicating that a new password has been issued. The administrator can also select what message should be delivered in this case.
If a user can be found in the system using this User Name and with the corresponding answer to the System Control
Challenge, the User Challenge and the system e-mail, the Request Forgotten User Name sequence is initiated.
General Settings
To prevent someone from requesting a user name and then immediately requesting a password for that user, the default minimum time between a user name request and a password request is set to 24 hours. This value can be changed, but configuring a lower value is strongly discouraged.
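The two recovery sequences and the 24-hour rule above, as an added Python example (not PortWise code): the four default challenges are checked against the stored user, a password request that follows a user name request within the minimum interval is refused, and the alternative channel is told that a new password was issued. The user record layout, the hashing of stored answers and the sample user are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_GAP_SECONDS = 24 * 3600   # General Settings default; lowering it is discouraged


def answer_hash(answer: str) -> str:
    # Challenge answers are stored as digests of the normalised answer (an
    # assumption; the manual only says the answer is compared with the attribute
    # stored for the user), so a copy of the user storage does not reveal them.
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class User:
    user_name: str
    email: str
    sms: Optional[str]            # alternative channel, may be absent
    control_answer: str           # System Control Challenge answer, hashed
    user_question: str            # the single User Challenge question
    user_answer: str              # its answer, hashed
    last_user_name_request: Optional[float] = None
    password: Optional[str] = None


@dataclass
class SelfService:
    users: Dict[str, User]                                      # keyed by user name
    sent: List[Tuple[str, str]] = field(default_factory=list)   # (channel, message)

    @staticmethod
    def _ok(stored_hash: str, given: str) -> bool:
        # Constant-time comparison so a wrong answer takes as long as a right one.
        return hmac.compare_digest(stored_hash, answer_hash(given))

    def _verify(self, user_name: str, control: str, user_answer: str,
                email: str) -> Optional[User]:
        """The default challenge sequence: User Name, System Control Challenge,
        User Challenge, system e-mail.  All four must match the stored user."""
        u = self.users.get(user_name)
        if u is None:
            return None
        ok = self._ok(u.control_answer, control)
        ok &= self._ok(u.user_answer, user_answer)
        ok &= hmac.compare_digest(answer_hash(u.email), answer_hash(email))
        return u if ok else None

    def request_forgotten_user_name(self, user_name, control, user_answer,
                                    email, now: float) -> bool:
        u = self._verify(user_name, control, user_answer, email)
        if u is None:
            return False
        u.last_user_name_request = now      # remembered for the 24-hour rule
        self.sent.append(("email", f"Your user name is {u.user_name}"))
        return True

    def request_forgotten_password(self, user_name, control, user_answer,
                                   email, now: float, channel: str = "email") -> bool:
        u = self._verify(user_name, control, user_answer, email)
        if u is None:
            return False
        # General Settings: a password request too soon after a user name
        # request for the same account is refused (24 hours by default).
        if (u.last_user_name_request is not None
                and now - u.last_user_name_request < MIN_GAP_SECONDS):
            return False
        u.password = secrets.token_urlsafe(12)
        self.sent.append((channel, f"Your new password is {u.password}"))
        # Control mechanism: notify the alternative channel, if present, that a
        # new password has been issued (the message text is configurable).
        alt = "sms" if channel == "email" else "email"
        if alt == "email" or u.sms is not None:
            self.sent.append((alt, "A new password has been issued for your account"))
        return True


def demo_store() -> SelfService:
    # Constructed sample user; every value below is made up for this example.
    alice = User("alice", "alice@example.com", "+46700000000",
                 control_answer=answer_hash("ABC123456"),
                 user_question="What was the brand of my first car?",
                 user_answer=answer_hash("Saab"))
    return SelfService({"alice": alice})
```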
Settings
Label | Mandatory | Description
Self Service Enabled | No | Enables or disables Self Service
8 Manage Resource Access
Access Rules
Access rules consist of detailed requirements that users must conform to in order to be allowed access to resources. Available access rules range from authentication methods, user group membership, and date period, to client IP address, client assessment, and client device. You can specify general access rules available for all resources or SSO domains, access rules that apply to individual resources, as well as a global access rule that automatically applies to all resources and SSO domains.
Standard Resources
In PortWise 4.7, a number of applications are available as pre-configured standard resources. The purpose of the standard resources is to facilitate registration. You create a standard resource using a wizard, which creates the applicable Web and/or tunnel resources for you.
Information
All DNS names must also be registered in a public DNS server, or written to the hosts file
on the client machine that uses the system.
When a user makes a request using a registered mapped DNS name, the Access Point looks up which server to connect
to and which protocol to use and sends the request towards this server.
In PortWise 4.7, three methods of DNS mapping are supported:
• URL mapping
The resource is mapped to a path instead of using a mapped DNS name
• Reserved DNS mapping
The resource is mapped to a specific DNS name
• Pooled DNS mapping
The resource is assigned a DNS name on first Access Point request towards an internal server
You specify which method of DNS mapping to use when adding or editing a resource.
About Filters
In PortWise 4.7, you can use filters to change content in specific pages or in requests for resources.
You can apply a filter to a specific resource host or to all resource hosts. You apply the filter to requests or responses
and to content or headers. For general filters, you can use variables instead of hard-coded values. You can add one or
several variables, specified using name-value pairs, to each filter.
The filters are written using scripts in a proprietary script language called WASCR and have the file suffix .wascr.
Scripts provided with PortWise 4.7 are located in
Paths
Microsoft Windows
<PortWise installation folder>\Access Point\built-in files\scripts\
Linux
/opt/portwise/access-point/built-in-files/scripts/
Solaris
/opt/portwise/access-point/built-in-files/scripts/
Example
<APPLET code="com.function.class" archive="applet.jar">
<param name="address" value="1.2.3.4">
</APPLET>
In the example above, the value of the parameter “address” should be replaced with another value, depending on
what path this page is downloaded from. If it is downloaded from the path /telnet.html, the parameter value
should be replaced with ”192.168.0.7”. If the page is downloaded from the path /ftp.html, the value should be
”192.168.0.23”.
Follow the steps below to set up your WASCR script to handle this.
1. Use a script that replaces the value with a variable called ip_address.
2. Add a filter and configure the path to /telnet.html. Add a variable to the filter, with variable name ip_address and value “192.168.0.7”.
3. Add another filter with the path /ftp.html, and add a variable with variable name ip_address and value “192.168.0.23”.
As a result, when accessing /telnet.html the address parameter is replaced with “192.168.0.7”, and when accessing the /ftp.html page the address parameter is replaced with “192.168.0.23”.
General Settings
General settings include the addresses used for internal proxies. These are defined by specifying host and port.
Internal proxies available for configuration are:
• Internal HTTP proxy
• HTTPS proxy
• TCP proxy
Filters
Define which script to use in the filter by specifying the applicable script name, excluding the file ending .wascr. Note
that the file must be stored in one of the following folders:
• <PortWise installation folder>/files/access-point/built-in-files/scripts
• <PortWise installation folder>/files/access-point/custom-files/scripts
The filter can be applied to individual resources, or all resource hosts. Optionally, you can define if the filter should be
applied to requests or responses, as well as if it should be applied to content or headers.
Path
When specifying the path to the files to be filtered, the wildcard character * can be used.
Example
/exchange/*
/index.html
*
Content Type
When defining which content type to filter, the wildcard character * can be used.
Example
text/html
application/x-javascript
text/*
*
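The filter setup of steps 1 to 3 above together with the Path and Content Type wildcards, as an added Python example rather than a WASCR script (the script language is proprietary and not documented on this page): filters are matched on resource host, path and content type with the * wildcard, and each matching filter runs its script with its own variables, so one script yields a different address per page. The script name, the copy of the applet page and the host name are assumptions.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List


@dataclass
class Filter:
    script_name: str                 # script name without the .wascr suffix
    path: str = "*"                  # wildcard * supported, as on the Path setting
    content_type: str = "*"          # wildcard * supported, as on the Content Type setting
    filter_type: str = "Response"    # Request or Response
    apply_to: str = "Content"        # Headers or Content
    resource_host: str = "*"         # "*" stands for All Resource Hosts here
    variables: Dict[str, str] = field(default_factory=dict)   # name-value pairs

    def matches(self, host: str, path: str, content_type: str,
                filter_type: str, apply_to: str) -> bool:
        return (fnmatchcase(host, self.resource_host)
                and fnmatchcase(path, self.path)
                and fnmatchcase(content_type, self.content_type)
                and filter_type == self.filter_type
                and apply_to == self.apply_to)


def replace_applet_address(body: str, variables: Dict[str, str]) -> str:
    """Stands in for the script of step 1: the value of the applet parameter
    "address" is replaced with the filter variable ip_address."""
    pattern = re.compile(
        r'(<param\s+name=["\']address["\']\s+value=["\'])[^"\']*(["\'])', re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + variables["ip_address"] + m.group(2), body)


# Script name -> implementation; stands in for the .wascr files in the scripts folders.
SCRIPTS: Dict[str, Callable[[str, Dict[str, str]], str]] = {
    "replace_address": replace_applet_address,
}


def apply_filters(filters: List[Filter], host: str, path: str, content_type: str,
                  filter_type: str, apply_to: str, body: str) -> str:
    """Run the script of every matching filter over the body, in configured order."""
    for f in filters:
        if f.matches(host, path, content_type, filter_type, apply_to):
            body = SCRIPTS[f.script_name](body, f.variables)
    return body


# Steps 2 and 3 above: one filter per page, same script, different variable value.
FILTERS = [
    Filter("replace_address", path="/telnet.html", content_type="text/*",
           variables={"ip_address": "192.168.0.7"}),
    Filter("replace_address", path="/ftp.html", content_type="text/*",
           variables={"ip_address": "192.168.0.23"}),
]

# The applet page from the example above (constructed copy).
APPLET_PAGE = ('<APPLET code="com.function.class" archive="applet.jar">\n'
               '<param name="address" value="1.2.3.4">\n'
               '</APPLET>')


def filtered_page(path: str, content_type: str = "text/html") -> str:
    """The response body the client receives for a given path."""
    return apply_filters(FILTERS, "intranet.example", path, content_type,
                         "Response", "Content", APPLET_PAGE)
```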
Link Translation
In the Link Translation section of the global resource settings, you specify which headers and content types will be filtered and checked for link translation.
Available headers and content types are:
• Request headers
• Response headers
• Request content types
• Response content types
Request Headers
Defines the request headers that should be filtered and checked for link translation before sending the request to the
internal host. Headers listed must be one-valued. If not, the first value is translated and the second is deleted.
Set to the following headers by default:
• Destination
• Referrer
Response Headers
Defines the response headers that should be filtered and checked for link translation before sending the response to the client. Headers listed must be one-valued. If not, the first value is translated and the second is deleted.
Set to the following headers by default:
• Location
• Content-Base
• Content-Location
• text/html
• application/x-javascript
• text/vnd.wap.wml
• text/xml
• text/css
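Link translation of the headers listed above, as an added Python example (not Access Point code): request headers are rewritten from the mapped DNS name to the internal host, response headers from the internal host or one of its alternative hosts back to the mapped name, a foreign host is left alone, and a header that occurs twice keeps only its translated first value. Reserved DNS mapping, an https external side and the host names are assumptions.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Header names checked for link translation by default (see the lists above).
REQUEST_HEADERS = ("destination", "referrer")
RESPONSE_HEADERS = ("location", "content-base", "content-location")

Header = Tuple[str, str]


class LinkTranslator:
    """Reserved DNS mapping: one mapped DNS name per internal Web resource host,
    plus its alternative hosts (with the port when it is not the default)."""

    def __init__(self, mappings: Dict[str, List[str]], external_scheme: str = "https"):
        # mapped DNS name -> [primary internal host[:port], alternative hosts ...]
        self.to_internal = {ext.lower(): hosts[0] for ext, hosts in mappings.items()}
        self.to_external = {h.lower(): ext.lower()
                            for ext, hosts in mappings.items() for h in hosts}
        self.external_scheme = external_scheme   # what clients use towards the Access Point

    @staticmethod
    def _rewrite(url: str, table: Dict[str, str], scheme: Optional[str] = None) -> str:
        parts = urlsplit(url)
        target = table.get(parts.netloc.lower())
        if target is None:
            return url   # relative URL or foreign host: not translated (see hyperlinks.log)
        return urlunsplit(parts._replace(netloc=target, scheme=scheme or parts.scheme))

    def translate(self, headers: List[Header], direction: str) -> List[Header]:
        """direction is "request" (client -> internal host) or "response"."""
        if direction == "request":
            names, table, scheme = REQUEST_HEADERS, self.to_internal, None
        else:
            names, table, scheme = RESPONSE_HEADERS, self.to_external, self.external_scheme
        out: List[Header] = []
        seen = set()
        for name, value in headers:
            key = name.lower()
            if key not in names:
                out.append((name, value))
                continue
            if key in seen:
                continue   # listed headers must be one-valued: the second value is deleted
            seen.add(key)
            out.append((name, self._rewrite(value, table, scheme)))
        return out
```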
Example
vpn1.thesecurecompany.com
vpn2.thesecurecompany.com
www1.company.com
www2.company.com
The first DNS name in the example above is pre-configured in the system and available by default. It cannot be edited or deleted.
Settings
Filters
Label | Mandatory | Description
Script Name | Yes | The name of the filter file, stored in the folder files/built-in-files/scripts or files/custom-files/scripts
Type of filter | No | Available options are: Request and Response. Set to Request by default.
Resource Host | Yes | Set to All Resource Hosts by default.
Path | Yes | Path to the files to be filtered. The wildcard character * is supported. Set to * by default.
Content Type | Yes | Filtered content type. The wildcard character * is supported.
Apply Filter To | No | Available options are: Headers and Content. Set to Content by default.
Internal proxy
Label | Mandatory | Description
Host | No | IP address or the DNS name of the HTTP proxy or cache
Port | No | Proxy port connection via the HTTP protocol
Link Translation
Label | Mandatory | Description
Request Headers | No | Request headers that are filtered and checked for link translation if the destination host is configured to translate request headers. Set to Destination and Referrer by default.
Response Headers | No | Response headers that are filtered and checked for link translation if the host sending the response is configured to translate response headers. Set to Location, Content-Base, and Content-Location by default.
Request Content Types | No | Defines the content types filtered for requests. Set to text/html, application/x-javascript, text/vnd.wap.wml, text/wml, and text/css by default.
Response Content Types | No | Defines the content types filtered for responses. Set to text/html, application/x-javascript, text/vnd.wap.wml, text/xml, and text/css by default.
Standard Resources
Special Settings
These are the settings that differ between the Standard Resources. Please see the Standard Resources Settings section
below for instructions on how to define each Standard Resource Type.
Access Rules
See Manage Access Rules
Example
citrixweb.portwise.com:8080
If the default port (80) is used, make sure the alternative host contains the server name without port.
Example
citrixweb.portwise.com
The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource
Host page.
Example
thinlincweb.portwise.com:443
If the default port (443) is used, make sure the alternative host contains the server name without port.
Example
thinlinc.portwise.com
The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource
Host page.
General Settings
You specify host and HTTP or HTTPS ports for Domino Web Access. Host defines the IP address or DNS name of the
Domino Web Access host.
HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the
Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to
registered alternative hosts.
Example
www.portwise.com:8080
If the default port is used, make sure the alternative host contains the server name without port.
Example
www.portwise.com
The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource
Host page.
Special Settings
You specify host and port for the Terminal Server 2000 or 2003. Host defines the IP address or DNS name of the Terminal Server host. Port defines the port for Terminal Server TCP. Several port numbers or a range of port numbers can be entered, separated with a comma sign. Default port is 3389.
You can also select to use Dynamic or Static tunnels. Please see the Tunnel Configuration Settings for further information on the difference between Dynamic and Static Tunnels.
Outlook Web Access 2000/Outlook Web Access 2003/Outlook Web Access 2007/
Outlook Web Access 5.5
Configuration of standard resources for Microsoft Outlook Web Access 2000, Microsoft Outlook Web Access 2003, Microsoft Outlook Web Access 2007, and Microsoft Outlook Web Access 5.5 includes the settings described below.
Special Settings
You specify host and HTTP or HTTPS ports for Outlook Web Access. Host defines the IP address or DNS name of the
Outlook Web Access host.
HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the
Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to
registered alternative hosts.
Example
mail.portwise.com:8080
If the default port is used, make sure the alternative host contains the server name without port.
Example
mail.portwise.com
The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource
Host page.
Special Settings
You specify host and port for the Microsoft Outlook Client 2000/2003/2007. Host defines the IP address or DNS name
of the Exchange Server host. Port defines the port for the MAPI Exchange. Several port numbers or a range of port
numbers can be entered, separated with a comma sign. Set to 1-65535 by default.
POP3/SMTP
Configuration of a standard resource for a POP3/SMTP mail server includes the settings described below.
Special Settings
You specify host and port for the POP3/SMTP mail server. Mail Server Address defines the IP address or DNS name of
the POP3/SMTP mail server. Startup command is the command used to start the local mail client.
You can also select to use Dynamic or Static tunnels. Please see the Tunnel Configuration Settings for further information on the difference between Dynamic and Static Tunnels.
IMAP/SMTP
Configuration of a standard resource for an IMAP/SMTP mail server includes the settings described below.
Special Settings
You specify host and port for the IMAP/SMTP mail server. Mail Server Address defines the IP address or DNS name of
the IMAP/SMTP mail server. Startup command is the command used to start the local mail client.
You can also select to use Dynamic or Static tunnels. Please see the Tunnel Configuration Settings for further information on the difference between Dynamic and Static Tunnels.
Special Settings
You specify host, share, and drive letter for the standard resource. Host defines the IP address or DNS name of the host.
Share defines the share to connect to on the file server. Drive letter (optional) defines the preferred drive to map on to
the client.
Special Settings
You specify the host for the standard resource. The host defines the IP address or DNS name of the host.
Special Settings
You specify host and HTTP or HTTPS ports for Secure Remote Access to Administrator. Host defines the IP address or
DNS name of the Administration Service host.
HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the
Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to
registered alternative hosts.
Example
www.portwise.com:8080
If the default port is used, make sure the alternative host contains the server name without port.
Example
www.portwise.com
The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource
Host page.
SalesForce
Configuration of a standard resource for SalesForce includes the settings described below.
Special Settings
No special settings are required for this Standard Resource. It will use the default HTTP connection towards the SalesForce servers.
Settings
Label | Mandatory | Description
Enable Resource | No | Selected by default.
Make resource available in Application Portal | No | Selected by default.
Web Resources
Example
Host: https://www.portwise.com
Path: https://www.portwise.com/securefolder/securepage.htm
When using Web resource paths, you can set your own security levels with access rules for specific applications and files. As of PortWise 4.7, you can also choose to allow Web resource paths to derive their authorization settings (consisting of access rules and advanced settings) from the parent Web resource host or path.
Single Sign-On
When SSO is enabled and used, it performs a POST or a GET request to a URL. The form data usually contains a user
name and a password together with some static fields. The variables [$username], [$password], and [$domain] are
replaced by the stored user name, password and NTLM domain from the SSO database. If the back-end server requires
the logon request to contain specific headers, these can be supplied as additional headers.
Example
User-Agent: Mozilla/4.7 Enterprise Edition (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Accept: */*
General Settings
Configuration of a Web resource host includes settings described below.
Important
The Web resource host Display Name is also used for link translation in the Access Point, that is, as part of the translated, or rewritten, link. Because of this, Display Name cannot contain characters such as commas or semi-colons.
Example
www.portwise.com:8080
If the default port is used, make sure the alternative host contains the server name without port.
Example
www.portwise.com
Single-Sign On
If you have registered Single Sign-On domains, you can enable SSO for the Web resource host. Depending on the domain types of the registered SSO domains, you can select SSO domain type text, cookie (text is selected by default) or Adaptive SSO, and then select which SSO domain to use. If you select Adaptive SSO you can also select to create a new SSO Domain that will be used for this Resource. See more information about Adaptive SSO below.
If you select domain type text and will use form-based SSO, additional configuration regarding the logon form to the
resource host and the form response message is required.
The logon form is added to the resource host to enable form-based SSO. Configuration of the logon form includes
whether SSO should perform POST or GET when triggered, the URL to GET or POST data to, as well as form data sent
to the server.
A form response message can be used to determine whether a logon was successful or not. Configuration of the form response message, that will appear when the user has logged on or failed to log on, includes a URL to which the response from the form should be sent, and a text string form response used to decide if the authentication is successful or unsuccessful.
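The form-based SSO logon described above (and the variables and additional headers introduced under Single Sign-On earlier), as an added Python example (not PortWise code): [$username], [$password] and [$domain] are substituted into the form data and the additional headers, the request is sent with POST or GET to the logon URL, and the form response message (URL plus text string) decides whether the logon succeeded. The form field names user/pwd, the fake back end and the credential record are assumptions.

```python
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

Response = Tuple[str, str]                  # (URL the reply came from, body text)
Transport = Callable[[str, str, Dict[str, str], str], Response]   # method, url, headers, body

SSO_VARIABLES = ("username", "password", "domain")


def substitute(template: str, creds: Dict[str, str]) -> str:
    """Replace [$username], [$password] and [$domain]; everything else is static."""
    for var in SSO_VARIABLES:
        template = template.replace(f"[${var}]", creds.get(var, ""))
    return template


class FormSSO:
    def __init__(self, method: str, url: str, form_data: Dict[str, str],
                 headers: Dict[str, str], response_url: str, response_text: str,
                 transport: Transport):
        self.method, self.url = method.upper(), url
        self.form_data, self.headers = form_data, headers
        self.response_url, self.response_text = response_url, response_text
        self.transport = transport

    def logon(self, creds: Dict[str, str]) -> bool:
        data = {k: substitute(v, creds) for k, v in self.form_data.items()}
        headers = {k: substitute(v, creds) for k, v in self.headers.items()}
        if self.method == "POST":
            came_from, body = self.transport("POST", self.url, headers, urlencode(data))
        else:
            # GET puts the credentials in the URL, where proxies and server logs
            # may record them; prefer POST whenever the back end accepts it.
            sep = "&" if "?" in self.url else "?"
            came_from, body = self.transport("GET", self.url + sep + urlencode(data),
                                             headers, "")
        # Form response message: the reply must come from the configured URL and
        # contain the configured text string for the logon to count as successful.
        return came_from == self.response_url and self.response_text in body


def fake_backend(method: str, url: str, headers: Dict[str, str], body: str) -> Response:
    """Constructed stand-in for the back-end server: accepts exactly one credential pair."""
    fields = parse_qs(body if method == "POST" else urlsplit(url).query)
    if fields.get("user") == ["CORP\\alice"] and fields.get("pwd") == ["s3cret"]:
        return ("https://intranet.example/home", "<h1>Welcome alice</h1>")
    return ("https://intranet.example/login", "<p>Login failed</p>")


# The logon form as it would be configured on the resource host (field names assumed).
SSO = FormSSO(
    method="POST", url="https://intranet.example/login",
    form_data={"user": "[$domain]\\[$username]", "pwd": "[$password]", "action": "login"},
    headers={"User-Agent": "Mozilla/4.7 Enterprise Edition (compatible; MSIE 6.0; "
                           "Windows NT 5.1; .NET CLR 1.1.4322)",
             "Accept": "*/*"},
    response_url="https://intranet.example/home", response_text="Welcome",
    transport=fake_backend)
```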
Adaptive Single-Sign On
Adaptive SSO is a new version of Form Based SSO (from PortWise 4.7 and later) that does not need to be configured but learns its configuration by itself. You only need to apply it on a resource and choose an SSO domain to use, exactly the same way as you do with text based SSO.
The functionality of Adaptive SSO differs from the old Form Based SSO in the following ways:
• The first time a user accesses the resource, the system learns its configuration. The user is never presented with the PortWise standard form “Additional Authentication Required”, as with Text and old Form Based SSO. Instead, the user sees the original HTML form as if no SSO were configured.
• The second time the same user accesses the resource, he or she does not see the login page but is forwarded directly, as if he or she had filled in the user name and password and pressed Submit.
• When another user who lacks SSO credentials accesses the resource, he or she also sees the backend server’s form, as if no SSO were configured, but once he or she has filled in the credentials on the page, they are stored in his or her SSO domain in the directory.
• The first time a user is timed out or presented with a relogin page, the system learns the new URL that is likely to present a relogin page.
• The second time a user is timed out, he or she does not see it but is automatically logged in again.
• The detailed configuration is automatically detected by the Access Point as the first user accesses the resource. This information is collected in a file located at the Access Point: config/FormBasedLearning.txt. In load balanced mode, this file is synched between the Access Points in the system, using the native load balancing protocol that Access Point uses to mirror sessions. The file is not synched with the Administration Service.
• If a user is timed out from the backend server, Access Point hides the re-authentication form from the user and automatically logs the user in again.
• If the form contains hidden state parameters, Access Point merges those state parameters into the POST request. This is not possible with the old Form Based SSO. For example, if a user tries to access a Perldesk URL targeting a specific PD ticket, Perldesk redirects the user to a login page with a hidden parameter telling where the user was about to go before login was requested. With Adaptive SSO, this information is carried over in the auto-generated POST request so that the user is redirected to the requested PD ticket.
Limitations
Access Point makes a best effort to find out which parameters are the user name, the password and, where present, the domain, and stores the auto-configured parameters in the FormBasedLearning.txt file. However, some HTML pages use JavaScript to copy contents from one form to another, or from a password field into a hidden field, before the actual submit is performed. In those cases, the auto-configured FormBasedLearning of Access Point will be incorrect and SSO will only work for one single user, or for no user at all. It is therefore recommended to test the SSO by logging in with two different accounts before being certain that the auto-configuration is correct. If it is not correct, the FormBasedLearning.txt file can be altered manually. See below for how to do that.
Sometimes a login form has hidden fields that are filled by JavaScript with client-specific information such as screen resolution. These parameters are defined by the user who trains the system the first time. So if the screen resolution of the first user is 1600x1200, all users will seem to have this resolution. There is no simple workaround for this. The old Form Based SSO has the same limitation.
If the user has an empty password at the backend system, Adaptive SSO will be unable to learn the credentials.
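What Adaptive SSO learns from the back-end's own login form, as an added Python example (not Access Point code): on the first access the action URL and the user-name and password parameter names are derived from the form, and on a later access the form is hidden and the POST is built from the stored credentials with the served form's hidden state parameters merged in. The JSON record stands in for the undocumented FormBasedLearning.txt layout, and the login page is constructed; its empty JavaScript-filled field shows the limitation described above.

```python
import json
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlencode, urljoin


class LoginFormParser(HTMLParser):
    """Collects every form on the page together with its input fields."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[dict] = []
        self._form: Optional[dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({"type": (a.get("type") or "text").lower(),
                                         "name": a.get("name"),
                                         "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def find_login_form(html: str) -> Optional[dict]:
    """The first form that contains a named password field, if any."""
    parser = LoginFormParser()
    parser.feed(html)
    for form in parser.forms:
        if any(i["type"] == "password" and i["name"] for i in form["inputs"]):
            return form
    return None


def learn(page_url: str, html: str) -> Optional[str]:
    """First access: derive the learning record (JSON stands in for FormBasedLearning.txt)."""
    form = find_login_form(html)
    if form is None:
        return None
    named = [i for i in form["inputs"] if i["name"]]
    pw = next(idx for idx, i in enumerate(named) if i["type"] == "password")
    # Best effort, as the text says: the user-name field is taken to be the last
    # text-like field before the password field.  A page that copies the password
    # into a hidden field by JavaScript defeats this, which is why two accounts
    # should be tested.
    user = next((i["name"] for i in reversed(named[:pw])
                 if i["type"] in ("text", "email")), None)
    return json.dumps({"formActionURL": urljoin(page_url, form["action"]),
                       "method": form["method"], "userParam": user,
                       "passwordParam": named[pw]["name"]})


def auto_post(record: str, page_url: str, html: str,
              username: str, password: str) -> Optional[Tuple[str, str, str]]:
    """Later access: hide the form and build the request ourselves.  Hidden state
    parameters come from the form just served (e.g. the ticket the user was
    heading for); returns (method, action URL, encoded body)."""
    rec = json.loads(record)
    form = find_login_form(html)
    if form is None or urljoin(page_url, form["action"]) != rec["formActionURL"]:
        return None   # not the learned login form: let the user see the page
    data = {i["name"]: i["value"] for i in form["inputs"]
            if i["name"] and i["type"] in ("hidden", "submit")}
    data[rec["userParam"]] = username
    data[rec["passwordParam"]] = password
    return rec["method"], rec["formActionURL"], urlencode(data)


# Constructed login page of a fictitious help desk.  "screen" is the kind of
# hidden field a script fills on the client: every user gets whatever value
# the form carried when it was learned (empty here).
LOGIN_PAGE = """<html><body>
<form action="/login.cgi" method="post">
 User: <input type="text" name="uid">
 Password: <input type="password" name="pw">
 <input type="hidden" name="return_to" value="/ticket/4711">
 <input type="hidden" name="screen" value="">
 <input type="submit" name="go" value="Login">
</form></body></html>"""
```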
Troubleshooting (FAQ)
I have enabled Adaptive SSO on a resource, but I can’t get SSO to work.
When you test it with a browser, make sure that the resource is always accessed through PortWise - i.e. that your
browser is never redirected outside PortWise while accessing the resource. If your browser is redirected, the resources
are not correctly configured. You may have to add more resource hosts to the system or you may add addresses to the
“additional host names”. There is a debug log called “hyperlinks.log” under access-point/logs/debug, in which you can
see which hosts are resolved and which are foreign. You may have to add a new resource host based on the information
of a foreign host in hyperlinks.log.
Make sure that the login page is part of the resource that you have enabled SSO for. If you are not certain, you may try
to enable Adaptive SSO on the resource host (the root) rather than on the resource path.
SSO works but when I’m timed out from the resource I do not get re-authenticated automatically
Make sure the relogin page is delivered from a URL whose resource is set to use Adaptive SSO. If not certain, use Adap-
tive SSO on the resource root rather than on the resource path.
SSO works, but sometimes when I log out from the backend server, I come to the login page and some-
times the login page is hidden for me and I just get relogged in automatically directly after a logout.
This works as designed. However, you can hide the logout link using a filter script to prevent this behavior. Whether the relogin page is shown or not depends on the time between logging on to the resource and logging off. If you click the resource, wait for 30 seconds and then log out, you will be automatically logged in again. But if you wait less than 30 minutes, you will see the login page after logging out. The reason for this is to prevent the SSO from getting stuck in a loop: Adaptive SSO never knows whether your credentials are correct or not, so if they are not correct, the user must be able to see the login page and enter new, valid credentials.
I have manually changed the FormBasedLearning.txt file as described. It worked fine for a while. But
after some time, it seems to have forgotten my manual settings. Users no more get access to the
backend system.
Access Point resets the learning for a resource if it stops working correctly. This happens in one of the following scenarios:
• the backend server responds with an HTTP 404 or an HTTP 405 to the POST
• the resource host pointed out by formActionURL has been removed from the resource list in RemoteConfiguration
The reason your manual changes disappeared was therefore a change on the backend server or a change in the resource configuration. You will have to redo the manual changes in FormBasedLearning.txt.
Alternative Hosts
Alternative hosts are required for link translation to function properly. You can define one or several alternative hosts
for the Web resource host. The alternative host is specified as an IP address or a DNS name.
When the Web resource uses a non-default HTTP port (other than 80) or uses an HTTPS port other than 443, the port
must be added as an alternative host.
Example
www.portwise.com:8080
If the default port is used, the alternative host must contain the server name without port.
Example
www.portwise.com
Settings
Label | Mandatory | Description
Enable resource | No | Selected by default
Display Name | Yes | Unique name used in the system to identify the Web resource host.
Description | No | Describes the Web resource host.
Host | Yes | IP address or a DNS name for the host.
HTTP Port | (Yes) | Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default.
HTTPS Port | (Yes) | Either HTTP Port or HTTPS Port is mandatory.
Access Rules
See Manage Access Rules
Advanced Settings
The following advanced settings are available for the Web resource host. All advanced settings are optional.
Access Settings
Link Translation
You set link translation type used: URL mapping, Pooled DNS Mapping or Reserved DNS Mapping. By default, a Web
resource is set to not use a mapped DNS name. You can only assign reserved mapped DNS names that are not used for
any other Web resource.
When selecting Pooled DNS Mapping, the resource is automatically assigned a DNS name when it is used. When se-
lecting Reserved DNS Mapping, you select among available DNS names displayed in a list to specify a DNS name for a
resource.
Cookies
You have the option to forward cookies between client and resource. When the option is selected, cookies are allowed
to pass through from the client to the resource and back. When not selected, all cookies are stopped at the Access
Point.
When forwarding cookies, you need to specify a list of cookies to either allow or block (or use the wildcard character *
to allow or block all). If allowed, the cookies pass through from the client to the resource and back. If blocked, cookies
are stopped at the Access Point.
NTLM v2
Use NTLM v2 if possible.
Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific Web
resource will be accessed.
Path Match
You have the option to require an exact path match. When enabled, the defined access rules for this Web resource path
apply for this path only and not for all paths beginning with this one.
When not selected, the access rules apply to this Web resource path and all paths beginning with this one, unless a more
significant resource is found under this path.
Automatic Access
You can configure the Web resource path to be accessed automatically. For resources where automatic access is acti-
vated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the
user is still regarded as inactive according to time-out configurations.
Expression of Will
When expression of will is used, re-authentication is required for each request.
MIME Types
You can also define which MIME types that should be allowed to be cached on the client browser. Required format is
text/html.
Time-out
You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are specified globally for user accounts, to 15 by default for max inactivity time and to 720 by default for absolute time-out.
By configuring time-out settings on the resource, you can ensure the security of the resource on a higher level, or the
opposite – specific resources may not need the same level of security or you may accept a longer time-out period.
Information
The setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.
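Session time-out evaluation with the resource-specific overrides and the Automatic Access behaviour described above, as an added Python example (not PortWise code): each request is checked against max inactivity time and absolute time-out, a resource's own values replace the global ones, an automatic-access request does not count as user activity, and the global Session Time-Out caps everything. The unit of the 15 and 720 defaults is assumed to be minutes.

```python
from dataclasses import dataclass
from typing import Optional

# Global User Account Settings defaults quoted above (unit assumed to be minutes).
GLOBAL_MAX_INACTIVITY = 15
GLOBAL_ABSOLUTE_TIMEOUT = 720
GLOBAL_SESSION_TIMEOUT = 720      # ultimately controls how long a session is valid


@dataclass
class ResourceSettings:
    max_inactivity: Optional[int] = None    # None: use the global value
    absolute_timeout: Optional[int] = None  # None: use the global value
    automatic_access: bool = False          # Automatic Access: requests are not user activity


@dataclass
class Session:
    started: int          # time the session was established
    last_activity: int    # last request that counted as user activity


def check_request(session: Session, resource: ResourceSettings, now: int) -> bool:
    """True if the request is allowed; refreshes last_activity for user-driven requests."""
    inactivity = (GLOBAL_MAX_INACTIVITY if resource.max_inactivity is None
                  else resource.max_inactivity)
    absolute = (GLOBAL_ABSOLUTE_TIMEOUT if resource.absolute_timeout is None
                else resource.absolute_timeout)
    # A longer resource time-out can never outlive the global Session Time-Out.
    absolute = min(absolute, GLOBAL_SESSION_TIMEOUT)
    if now - session.started >= absolute:
        return False
    if now - session.last_activity >= inactivity:
        return False
    if not resource.automatic_access:
        # A script polling an automatic-access resource reaches this function
        # too, but skips the refresh, so the user still times out as inactive.
        session.last_activity = now
    return True
```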
Encryption Level
You have the option to specify the encryption level required for clients to be allowed access to the resource. By default,
SSL is required in the traffic between the client and the system.
Options for encryption level are:
• Strong encryption level: 128 bits (default)
• Weak encryption level: 56 bits
• Other encryption level (specify desired bits level)
Settings
Label | Mandatory | Description
Link Translation Type | No | Available options are: URL Mapping, Pooled DNS Mapping, Reserved DNS Mapping. Set to URL Mapping by default.
General Settings
Configuration of a path to a Web resource host includes settings described below.
Path
When configuring a Web resource path you specify its path, i.e. the path to the subset of the Web resource host. The
path you specify is added to the path of the parent host or path to form the complete path.
When registering a sub path, i.e. a path added to an existing Web resource path, the path to the parent Web resource
path is displayed for your convenience.
Authorization
If you do not want to set specific authorization (Access Rules and advanced settings) for the Web resource path, you
have the option to reuse the authorization specified for the parent Web resource host or path. Using this option, the
authorization set for the parent host or path is inherited to the Web resource path and the Access Rules and Advanced
Settings sections of the configuration are not displayed.
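Resolution of the authorization that applies to a request, covering the Path Match option (exact match versus all paths beginning with this one, with the most significant resource under a path winning) and Use Parent Authorization, as an added Python example (not Access Point code); the registered paths and rule names are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class WebResource:
    path: str                               # "/" is the Web resource host itself
    exact_match: bool = False               # Path Match: require an exact path match
    use_parent_authorization: bool = False  # Authorization: inherit from parent
    access_rules: List[str] = field(default_factory=list)


def covers(res: WebResource, request_path: str) -> bool:
    if request_path == res.path:
        return True
    if res.exact_match:
        return False          # applies to this path only
    return request_path.startswith(res.path.rstrip("/") + "/")


def resolve(resources: List[WebResource], request_path: str) -> Optional[WebResource]:
    """The most significant (longest) registered path covering the request."""
    hits = [r for r in resources if covers(r, request_path)]
    return max(hits, key=lambda r: len(r.path.rstrip("/")), default=None)


def parent_of(resources: List[WebResource], res: WebResource) -> Optional[WebResource]:
    """Nearest registered ancestor; path "/" (the host) is the root."""
    ancestors = [r for r in resources
                 if r is not res and res.path.startswith(r.path.rstrip("/") + "/")]
    return max(ancestors, key=lambda r: len(r.path.rstrip("/")), default=None)


def effective_rules(resources: List[WebResource], request_path: str) -> Optional[List[str]]:
    """Access rules that apply to the request, following Use Parent Authorization."""
    res = resolve(resources, request_path)
    while res is not None and res.use_parent_authorization:
        res = parent_of(resources, res)   # its own Access Rules section is not shown
    return None if res is None else res.access_rules


# Constructed registration for one Web resource host (rule names are made up).
HOST = [
    WebResource("/", access_rules=["Authenticated"]),
    WebResource("/securefolder", access_rules=["Authenticated", "Group:Finance"]),
    WebResource("/securefolder/public.htm", exact_match=True,
                access_rules=["Authenticated"]),
    WebResource("/securefolder/reports", use_parent_authorization=True),
    WebResource("/admin", exact_match=True,
                access_rules=["Group:Admins", "Strong authentication"]),
]
```

Note the last case in the checks: with exact match required on /admin, a request for /admin/users is covered only by the host root, so exact match should be reserved for single files.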
Single-Sign On
If you have registered Single Sign-On domains, you can enable SSO for the Web resource host. Depending on the domain
types of the registered SSO domains, you can select SSO domain type text or cookie (text is selected by default) and then
select which SSO domain to use.
If you select domain type text and will use form-based SSO, additional configuration regarding the logon form to the
resource host and the form response message is required.
The logon form is added to the resource host to enable form-based SSO. Configuration of the logon form includes
whether SSO should perform POST or GET when triggered, the URL to GET or POST data to, as well as form data sent
to the server.
A form response message can be used to determine whether a logon was successful or not. Configuration of the form
response message, which appears when the user has logged on or failed to log on, includes a URL to which the response
from the form should be sent, and a text string in the form response used to decide whether the authentication was
successful or unsuccessful.
For information about Adaptive SSO, see the Adaptive Single Sign-On section in Manage Web Resource Hosts.
Settings
Label Mandatory Description
Enable resource No Selected by default.
Parent Path No Available when adding a child resource path (a sub-path to another resource path). Displays the path to the parent resource path. Not editable.
Path Yes Path to the resource.
Use Parent Authorization No Available when adding a resource path. Selected by default.
Access Rules
See Manage Access Rules
Information
Note that for resource paths, access rules are not available for configuration if you have
selected to use the authorization of the parent path.
Advanced Settings
The following advanced settings are available for the Web resource path. All advanced settings are optional.
Information
Note that the advanced settings are not available for configuration if you have selected
to use the authorization of the parent path.
Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific Web resource
path will be accessed.
Path Match
You have the option to require an exact path match. When enabled, the defined access rules for this Web resource path
apply for this path only and not for all paths beginning with this one.
When not selected, the access rules apply to this Web resource path and all paths beginning with this one, unless a more
significant resource is found under this path.
Automatic Access
You can configure the Web resource path to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is still regarded as inactive according to time-out configurations.
MIME Types
You can also define which MIME types should be allowed to be cached in the client browser. The required format is
text/html.
Expression of Will
When expression of will is used, re-authentication is required for each request.
Time-out
You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are
specified globally for user accounts, with defaults of 15 minutes for max inactivity time and 720 minutes for absolute time-out.
By configuring time-out settings on the resource path, you can ensure the security of the resource path on a higher
level, or the opposite – specific resource paths may not need the same level of security or you may accept a longer
time-out period.
Information
The setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.
Encryption Level
You have the option to specify the encryption level required for clients to be allowed access to the resource. By default,
SSL is required in the traffic between the client and the system.
Options for encryption level are:
• Strong encryption level: 128 bits (default)
• Weak encryption level: 56 bits
• Other encryption level (specify desired bits level)
Settings
Label Mandatory Description
Require exact path match No Not selected by default.
Automatic access No Not selected by default.
Cache MIME Types No Defines all resource MIME types that are allowed to be cached in the client browser. Required format: text/html. Several MIME types are allowed. No MIME types are allowed by default.
Use Expression of Will No Not selected by default.
Use Time-out No Selected by default.
Max Inactivity Time No Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default.
Absolute Time-out No Time in minutes (0-1440), since the user was last authenticated with the required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.
Tunnel Resources
Alternative Hosts
Alternative hosts are used to map a tunnel resource to a Scripted Resource in the associated tunnel set. When
Scripted Resource is selected, no registered resource is selected but a filter on the Access Point decides which resource to use.
One common example is the Citrix nFuse server that sends a properties file through the Access Point specifying which
Citrix MetaFrame server to use in the current session.
You need to configure the filter script on the Filters tab on the Global Resource Settings page.
The alternative host is specified as an IP address or a DNS name.
When the Web resource uses a non-default HTTP port (other than 80) or uses an HTTPS port other than 443, the port
must be added as an alternative host. Example: www.portwise.com:8080
If the default port is used, the alternative host must contain the server name without port.
Example
www.portwise.com
Access Rules
See Manage Access Rules
Advanced Settings
Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource through a proxy server.
Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific tunnel
resource will be accessed.
Automatic Access
You can configure the tunnel resource to be accessed automatically. For resources where automatic access is activated,
the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is
still regarded as inactive according to time-out configurations.
Time-out
You can configure resource-specific time-out settings for authentication time-out, max inactivity time and absolute
time-out. These settings are also available, and specified by default, for user accounts.
By configuring time-out settings on the resource, you can ensure the security of the resource on a higher level, or the
opposite – specific resources may not need the same level of security or you may accept a longer time-out period for
certain resources.
Information
The setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.
Settings
Label Mandatory Description
Enable resource Selected by default.
Display Name Yes Unique name used in the system to identify the tunnel resource.
Host Yes IP address or DNS name of the resource host.
TCP Port Set (Yes) This can be either a single port, a range of ports, or the wildcard character * for all ports (1-65535). Either TCP Port or UDP Port is mandatory.
UDP Port Set (Yes) This can be either a single port, a range of ports, or the wildcard character * for all ports. Either TCP Port or UDP Port is mandatory.
Use File Share SSO Selected if Single Sign-On for File Shares should be enabled for this Resource Host. If selected, File Share SSO Domain will be enabled and an SSO Domain must be selected. This checkbox will be disabled if no SSO Domains have been registered in the system.
File Share SSO Domain (Yes) The SSO Domain that should be used for File Share SSO. Only available if File Share SSO is enabled for this Tunnel Resource.
Use Remote Desktop SSO Selected if Single Sign-On for Remote Desktop (RDP protocol) should be enabled for this Resource Host. If selected, Remote Desktop SSO Domain will be enabled and an SSO Domain must be selected. This checkbox will be disabled if no SSO Domains have been registered in the system.
Access Rules
See Manage Access Rules
Advanced Settings
Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource network through a proxy server.
Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific tunnel
resource network will be accessed.
Automatic Access
You can configure the tunnel resource network to be accessed automatically. For resources where automatic access is
activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but
the user is still regarded as inactive according to time-out configurations.
Time-out
You can configure resource-specific time-out settings for authentication time-out, max inactivity time and absolute
time-out. These settings are also available, and specified by default, for user accounts.
By configuring time-out settings on the resource, you can ensure the security of the resource on a higher level, or the
opposite – specific resources may not need the same level of security or you may accept a longer time-out period for
certain resources.
Information
Note that the setting Session Time-Out (on the Global User Account Settings page)
ultimately controls the validity time for a session.
Settings
Label Mandatory Description
Enable Resource No Not selected by default.
Display Name Yes Unique name used in the system to identify the tunnel resource network.
Description Description of the tunnel resource network.
IP Range Yes IP address of the first and last host for the range of tunnel resources in the network.
TCP Port Set (Yes) One, several, or a range of port numbers can be entered, separated by commas. Either TCP Port Set or UDP Port Set is mandatory.
UDP Port Set (Yes) One, several, or a range of port numbers can be entered, separated by commas. Either TCP Port Set or UDP Port Set is mandatory.
Max Inactivity Time Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default.
Absolute Time-out Time in minutes (0-1440), since the user was last authenticated with the required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.
Tunnel Sets
Important
Note that the ActiveX loader requires administrator rights on the client the first time it
is used. In addition, local lookups and DNS forwarding require administrator rights on
the client every time they are used. When using the installable PortWise Access Client,
administrator rights are not required on the client for local lookups.
Apart from configuring static and/or dynamic tunnels for the resources in the set, there are a number of advanced settings available for the tunnel set. The advanced settings include local lookups used to define host addresses that should
be resolvable on the client if no external DNS record is found. Local lookups are checked before any external DNS, so
the external DNS can be overridden.
Advanced settings also include mapped drives, and client configuration involving for example startup and shutdown
commands. It checks
Static Tunnels
Static tunnels are configured to tunnel resources on the local interface using a single port, and can be used on all
platforms.
Dynamic Tunnels
Dynamic tunnels are configured to tunnel resources using any IP address on one or a range of ports, and can only be
used on Windows platforms.
Access Rules
The tunnel resources you collect in a tunnel set are normally protected by access rules. In addition, you can apply access
rules to the tunnel set itself, to control how and when users should be able to access the tunnel set.
A tunnel resource can be included in several tunnel sets. This enables you to associate tunnel sets with different levels
of access control, for example for different user groups.
Information
Access control of a specific tunnel resource is always done using the access rules configured for that tunnel resource. The only use of access rules on a tunnel set is to make the associated icon in the Application Portal subject to access control as well.
Access Client
When a user clicks an icon for a tunnel set in the Application Portal, the Access Client attempts to load an ActiveX Web
loader or a Java applet loader. The order of this is configured on the tab.
Settings
Label Mandatory Description
Enable tunnel set No Selected by default.
Display Name Yes Unique name used in the system and by the Access Client to identify the tunnel set.
Protocol
You can specify whether to use the TCP or UDP protocol.
Client IP Address
You also specify the client IP address, i.e. the IP address that the client listens to. The IP address must be in the range
127.x.x.x, and is set to 127.0.0.1 by default.
Client Port
In addition, you specify which port the client listens to, as well as which port should be used by the system to contact
the internal resource host. Only one port can be specified per client and per resource. If the entered port is occupied, the
next available port is used. It is recommended that the same port is entered for client and resource host.
Confirm Connections
For both static and dynamic tunnels, you have the option to confirm connections. When enabled, the user must confirm
all tunnel resource host connections before they are established.
Advanced Settings
The advanced setting available for static tunnels is No delay for TCP traffic. When this option is selected, Nagle’s algorithm (use TCP_NO_DELAY) is disabled. When using devices with limited bandwidth (such as cell phones), you can choose to enable Nagle’s algorithm to favor less packet overhead over response time. When using a broadband connection or a LAN you will want to disable Nagle’s algorithm to favor response time at the cost of sending more packets (more overhead).
Settings
Label Mandatory Description
Resource Yes List of available registered tunnel resources.
Protocol No This option is only available if both TCP ports and UDP ports have been set for the specified tunnel resource host. Set to TCP by default.
Client IP Address Yes IP address must be in the range 127.x.x.x. Set to 127.0.0.1 by default.
Client Port Yes Only one port number can be entered. If the entered port is occupied, the next available port is used. It is recommended that the same port as Resource Port is used.
Resource Port Yes Only one port number can be entered. If the entered port is occupied, the next available port is used. It is recommended that the same port as Client Port is used.
Confirm connections No Not selected by default.
If the resource is a Tunnel resource network, then you can specify IP set, TCP Port set, UDP Port set, and Confirm Connections.
Virtual IP Address
You also specify a virtual IP address used to forward traffic to the resource. This can be an arbitrary IP address, but it is
recommended that you use the IP address of the selected resource host.
Resource Port
A resource port is specified to capture traffic on the client, and the same port that will be used for the resource host.
This can be either a single port, a range of ports, or the wildcard character * for all ports (1-65535).
Example
9010, 9011-9022, 9030
Confirm Connections
For both static and dynamic tunnels, you have the option to enable Confirm Connections. When enabled, the user must
confirm all tunnel resource host connections before they are established, either in the Application Portal or in the Access Client.
Settings
Label Mandatory Description
Resource Yes Tunneled resource host.
Virtual IP Address Yes This can be an arbitrary IP address, it is recommended to not use the
selected resource host’s IP address.
Resource Port Yes This can be either a single port, a range of ports, or the wildcard
character * for all ports (1-65535).
Confirm connections No Not selected by default.
Startup Settings
You can specify startup commands to start a specific client to use the tunneled resource. You can also enter a URL that
is displayed when the tunnel has been successfully started.
Settings
Label Mandatory Description
Startup Command Trusted commands executed when the client is started and the tunnels are set up.
Advanced Settings
Local Lookups
You can add local lookups to define host addresses that should be resolvable on the client if no external DNS record
is found. Local lookups and DNS forwarding require administrator rights on the client, every time they are used. When
using the installable Access Client, administrator rights are not required.
Lookups are specified by entering a fully qualified domain name, or domain name using the wildcard character *, as
well as an IP address.
Example
mailserver.*
Use the virtual IP address entered for the dynamic tunnel, when applicable. For static tunnels, use 127.0.0.1.
Mapped Drives
You can add mapped drives to the tunnel set to map network resources (printers or drives) to drive letters on the
client. Mapped drives are specified by entering the path to the mapped network resource:
Example
\\192.168.12.55\[$uid]
You also have the option to specify a drive letter for the drive or printer that the resource host is mapped to.
Example
M:
If the selected drive letter is occupied, the next available drive letter is used. You can specify a drive letter here and combine
it with a Startup Command defined in the Advanced section.
Another option is to use cached credentials. When enabled, cached credentials (Windows domain credentials) are used
when mapping a drive. This option is selected by default.
If any of the Java Applet options is selected, you also have the option to use pure Java.
Users are allowed to edit the list of trusted commands in the Access Client.
Supported variables in startup and shutdown commands:
Supported Variables Description
[$ehost] The Access Point server name including port number
[$eprot] HTTP or HTTPS
[$uid] External user name
[$iuid] Internal user name, usually [$uid]
Redirect URL
URL opened in a browser window after the tunnel has started successfully.
Example
/http/citrix/
Specific Settings
When one of the applications tunneled with the tunnel set is MS Outlook, it is recommended that you enable support
for the MS Outlook patch. The patch solves a problem with the Windows 2000 client authentication. When the option
is selected, the patch is supported when the client is based on Windows 2000 and is part of a domain.
Provide IP Address
Select Provide IP Address to assign a unique IP address to the client from the IP Address Pool. You manage the IP
Address Pool on the Manage Global Tunnel Set Settings page.
This also enables configured resources to establish connections towards the client. If IP addresses from the IP Address
Pool are added as a tunnel resource, it makes it possible for clients to connect to each other when connected.
DNS Forwarding
Select Enable DNS Forwarding to temporarily redirect the client’s DNS server to the DNS server specified on the
Manage Global Tunnel Set page.
When DNS Forwarding is selected, all DNS requests on the client are tunneled over the encrypted tunnel to the Access
Point, where they are proxied to the DNS server configured on the Manage Global Tunnel Set page.
Client Firewall
Select which Internet firewall configuration should be associated with the tunnel set.
Internet Firewall configurations are managed on the Manage Client Firewall page.
Settings
Label Mandatory Description
Domain Name Yes A fully qualified domain name, or domain name using the wildcard character *.
IP Address Yes IP address the domain name is translated to.
Access Rules
See Manage Access Rules
DHCP Server
Enter the host address of the DHCP Server.
IP Address Pool
Specify a range of IP addresses in the IP address pool. The IP address pool is used to define a set of IP addresses which
are assigned to connecting clients, thus enabling the Access Point to route traffic from the backend systems to the client.
You configure a time-out in milliseconds, which defines how long the Access Point will wait for responses while detecting
possible IP conflicts on the internal network.
DNS Server
Specify IP address or DNS name of the DNS server used for DNS forwarding.
When Enable DNS forwarding has been selected on the Manage Tunnel Set page, on the Advanced tab, the
client’s DNS server is temporarily redirected to the DNS Server specified here. Local lookups are checked before any
external DNS, so the external DNS can be overridden.
Settings
Label Mandatory Description
Use External DHCP No Select this to use an external DHCP server to assign addresses to the Access Client.
DHCP Server (Yes) The host address of the DHCP server to use.
Client Firewalls
Client firewall rules are defined by:
• Network
• Incoming or outgoing traffic
• Ports
• Allow or block traffic
The rules are downloaded to the client computer when downloading the tunnel set configuration. The rules are then
applied to prevent network traffic from being routed at the client.
Information
The order of the rules is significant since the firewall starts in the top of the list and
stops as soon as a match between the rule and the connection is found.
When adding a new Internet Firewall Configuration, the rule lists will have default entries showing that all connections
will be blocked unless you add a rule above the default rule that accepts a specific connection.
Information
If several Tunnel Sets are used simultaneously by the same user, the firewall configurations of all the Tunnel Sets will be active and the most restrictive rules will apply.
When active, the firewall checks every connection from and to the client computer against the client firewall
configuration.
For each connection going through the PortWise Access Client, information about the application path and checksum is
added. This information is taken into consideration when making the authorization decision.
Valid application information in PortWise Administrator is configured and maintained on the Device Definitions page
in the Manage System section.
Incoming Rules
Once a connection comes in to the computer, the firewall will go through the list of Incoming Firewall rules.
Each rule is checked against the incoming connection to see if they match. If they do not match, the firewall will continue
to look at the next rule in the list. If they match, the connection will be accepted or denied depending on the rule’s
configuration and the firewall will not continue to check further rules in the list.
If the rule denies the connection, it will be dropped. If the rule accepts the connection, it will be let through to the client
computer.
Outgoing Rules
Once an application on the client computer tries to connect to the Internet, the firewall will go through the list of Outgoing Firewall rules.
Each rule is checked in the same way as for incoming connections. If the rule denies the connection, it will be rejected.
If the rule accepts the connection, it will be let through to the Internet.
Exceptions
The client firewall checks all TCP and UDP connections except the following:
• Incoming connections from an IP address of a configured resource on the intranet (a connection through the tunnel).
• Connections towards the Access Point.
• Connections towards an IP address of a configured resource on the intranet through the tunnel.
Instead of checking the firewall rules, the access rules of the configured resource apply to these connections.
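The following Python example (added here; it is not PortWise code) shows the rule evaluation described above: the port set format used for rule Port Sets and for tunnel resource TCP/UDP Port Sets (single port, ranges, comma-separated entries, or *), first-match evaluation of an ordered rule list with the default block entry at the end, the exceptions for Access Point and tunnelled resource traffic, and the most-restrictive combination when several tunnel sets are active. All addresses, rules and port sets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import List, Tuple

ALL_PORTS = range(1, 65536)


def parse_port_set(spec: str) -> List[range]:
    """Parse a port set in the manual's format: a single port, a range such as
    9011-9022, several entries separated by commas, or * for all ports (1-65535)."""
    if spec.strip() == "*":
        return [ALL_PORTS]
    ranges = []
    for entry in spec.split(","):
        entry = entry.strip()
        lo, dash, hi = entry.partition("-")
        first = int(lo)                      # raises ValueError on junk
        last = int(hi) if dash else first
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"port entry out of range: {entry!r}")
        ranges.append(range(first, last + 1))
    return ranges


def port_in_set(port: int, ranges) -> bool:
    return any(port in r for r in ranges)


@dataclass(frozen=True)
class FirewallRule:
    """One entry of an incoming or outgoing rule list: IP Range, Port Set,
    Protocol, and whether matching connections are allowed or blocked."""
    first: IPv4Address
    last: IPv4Address
    ports: Tuple[range, ...]
    protocol: str            # "TCP" or "UDP"
    allow: bool

    def matches(self, peer: IPv4Address, port: int, protocol: str) -> bool:
        return (self.protocol == protocol
                and self.first <= peer <= self.last
                and port_in_set(port, self.ports))


def rule(first: str, last: str, ports: str, protocol: str, allow: bool) -> FirewallRule:
    return FirewallRule(ip_address(first), ip_address(last),
                        tuple(parse_port_set(ports)), protocol, allow)


def firewall_decision(rules, direction, peer, port, protocol, access_point, resource_hosts):
    """First-match evaluation of one rule list; returns "allow", "block" or
    "access-rules". The last value covers the connections the manual exempts
    from firewall checking (incoming from a configured resource's IP, outgoing
    towards the Access Point or a configured resource's IP): the resource's own
    access rules apply to those instead."""
    peer = ip_address(peer)
    if peer in resource_hosts or (direction == "outgoing" and peer == access_point):
        return "access-rules"
    for entry in rules:                  # order is significant: first match wins
        if entry.matches(peer, port, protocol):
            return "allow" if entry.allow else "block"
    return "block"                       # the default entry at the end of every list


def combined_decision(decisions) -> str:
    """Several tunnel sets in use at once: the most restrictive outcome applies."""
    return "block" if "block" in decisions else "allow"


# Constructed sample configuration; none of these addresses is a real deployment.
ACCESS_POINT = ip_address("203.0.113.10")
RESOURCE_HOSTS = {ip_address("10.20.0.5"), ip_address("10.20.0.6")}
INCOMING_RULES = [
    rule("10.0.0.0", "10.0.0.255", "3389", "TCP", True),     # RDP from one subnet only
    rule("0.0.0.0", "255.255.255.255", "*", "TCP", False),   # default entry: block all
    rule("0.0.0.0", "255.255.255.255", "*", "UDP", False),
]
OUTGOING_RULES = [
    rule("0.0.0.0", "255.255.255.255", "80, 443", "TCP", True),
    rule("0.0.0.0", "255.255.255.255", "*", "TCP", False),
    rule("0.0.0.0", "255.255.255.255", "*", "UDP", False),
]


def incoming(peer: str, port: int, protocol: str = "TCP") -> str:
    return firewall_decision(INCOMING_RULES, "incoming", peer, port, protocol,
                             ACCESS_POINT, RESOURCE_HOSTS)


def outgoing(peer: str, port: int, protocol: str = "TCP") -> str:
    return firewall_decision(OUTGOING_RULES, "outgoing", peer, port, protocol,
                             ACCESS_POINT, RESOURCE_HOSTS)
```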
Important
Only Device Definitions containing these variables can be used in the Client Firewall Rules.
To add Internet Explorer as a Device Definition, you should add a Device Definition with the following settings:
Example
Display Name: Internet Explorer Process
Definition: clientfirewall-path=%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles% is an environment variable that will be parsed on Access Client so that the device definition will be
valid on all clients whatever language the operating system has.
It is also possible to have a stricter rule that is based on the MD5 checksum of the executable. To define a device based
on the checksum, use a hexadecimal representation of the MD5 checksum.
Example
Display Name: Internet Explorer Process
Definition: clientfirewall-checksum=e7484514c0464642be7b4dc2689354c8
When using clientfirewall-checksum, the device will only be valid for a specific version of Internet Explorer.
It is also possible to combine both checksum and path using AND/OR between expressions. For example, you may
specify a list of valid checksums, using the pipe character | (OR):
Example
clientfirewall-checksum=<checksum1> | clientfirewall-checksum=<checksum2> | …
Note that all entries between the | (OR) operator must be on the same line.
The Device Definitions made for Client Firewalls can also be used in Access Rules for tunnel resources.
Please refer to the How To section in the Online Help for example configurations.
Settings
Label Mandatory Description
Display Name Yes Unique name used in the system to identify the internet firewall configuration.
Settings
Label Mandatory Description
IP Range Yes IP address of the first and last tunnel resource hosts.
Settings
Label Mandatory Description
IP Range Yes IP address of the first and last tunnel resource hosts.
Port Set Yes One, several, or a range of port numbers can be entered, separated by commas.
Protocol Yes Available options are: TCP and UDP.
Set to TCP by default.
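An added Python example, not PortWise code, that evaluates Device Definitions of the two forms shown above against the application path and MD5 checksum the Access Client reports for a connection, including %ProgramFiles% expansion and the | (OR) list. The environment value and the sample executable bytes are constructed, and the AND form is not implemented because its syntax is not shown on this page.

```python
import hashlib
import re
from pathlib import PureWindowsPath
from typing import Dict

# Constructed environment as the Access Client would see it on an English
# Windows installation; %ProgramFiles% is expanded on the client, which is why
# one definition stays valid whatever language the operating system has.
SAMPLE_ENV: Dict[str, str] = {"ProgramFiles": r"C:\Program Files"}

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")
FIREWALL_KEYS = ("clientfirewall-path", "clientfirewall-checksum")


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def md5_hex(data: bytes) -> str:
    """Hexadecimal MD5 of an executable's bytes, the form clientfirewall-checksum expects."""
    return hashlib.md5(data).hexdigest()


def term_matches(term: str, app_path: str, app_md5: str, env: Dict[str, str]) -> bool:
    """Evaluate one clientfirewall-path=... or clientfirewall-checksum=... term."""
    key, sep, value = (part.strip() for part in term.partition("="))
    if not sep:
        raise ValueError(f"malformed term: {term!r}")
    if key == "clientfirewall-path":
        expected = PureWindowsPath(expand_env(value, env))
        # Windows paths are case-insensitive; compare normalised forms.
        return str(expected).lower() == str(PureWindowsPath(app_path)).lower()
    if key == "clientfirewall-checksum":
        if not MD5_HEX.fullmatch(value):
            raise ValueError(f"checksum must be 32 hex digits: {value!r}")
        return value.lower() == app_md5.lower()
    raise ValueError(f"not a client firewall variable: {key!r}")


def usable_in_firewall_rules(definition: str) -> bool:
    """Only definitions built from the clientfirewall-* variables can be used in rules."""
    terms = [t for t in definition.split("|") if t.strip()]
    return bool(terms) and all(
        t.strip().partition("=")[0].strip() in FIREWALL_KEYS for t in terms)


def definition_matches(definition: str, app_path: str, app_md5: str,
                       env: Dict[str, str] = SAMPLE_ENV) -> bool:
    """Match a definition against the application path and checksum reported
    for a connection. Only the | (OR) form shown on this page is implemented,
    and all OR-ed entries must be on one line."""
    if "\n" in definition.strip():
        raise ValueError("all entries between | must be on the same line")
    if not usable_in_firewall_rules(definition):
        raise ValueError("definition contains variables not usable in client firewall rules")
    return any(term_matches(t, app_path, app_md5, env) for t in definition.split("|"))
```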
Customized Resources
URI
You define a Uniform Resource Identifier (URI) for the customized resource host, specifying the IP address or DNS name
of the resource host.
Example
bean://<hostname>/account
Access Rules
See Manage Access Rules
Advanced Settings
A number of advanced settings are available for configuration of the customized resource host.
Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource through a proxy server.
Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific customized
resource host will be accessed.
Path Match
You have the option to require an exact path match. When enabled, the defined access rules for this customized resource
path apply for this path only, and not for all paths beginning with this one.
When not selected, the access rules apply to this customized resource path and all paths beginning with this one, unless
a more significant resource is found under this path.
Automatic Access
You can configure the customized resource path to be accessed automatically. For resources where automatic access is
activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but
the user is still regarded as inactive according to time-out configurations.
Expression of Will
When expression of will is used, re-authentication is required for each request.
Time-out
You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are
specified globally for user accounts, with defaults of 15 minutes for max inactivity time and 720 minutes for absolute time-out.
By configuring time-out settings on the resource path, you can ensure the security of the resource path on a higher level,
or the opposite – specific resource paths may not need the same level of security or you may accept a longer time-out
period.
Information
Note that the setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.
Settings
Customized Resource Host Settings
Label Mandatory Description
Enable resource No Selected by default.
Display Name Yes Unique name used in the system to identify the customized resource host.
Description No Describes the customized resource host.
URI Yes IP address or the DNS name of the resource host.
Path
When configuring a customized resource path you specify its path, i.e. the path to the subset of the customized resource
host. The path you specify is added to the path of the parent host or path to form the complete path.
When registering a sub path, i.e. a path added to an existing customized resource path, the path to the parent resource
path is displayed for your convenience.
Authorization
If you do not want to set specific authorization (Access Rules and advanced settings) for the customized resource path,
you have the option to reuse the authorization specified for the parent resource host or path. Using this option, the
authorization set for the parent host or path is inherited by the customized resource path, and the Access Rules and
Advanced Settings sections of the configuration are not displayed.
Access Rules
See Manage Access Rules
Note that for resource paths, access rules are not available for configuration if you have selected to use the authorization
of the parent path.
Advanced Settings
A number of advanced settings are available for configuration of the customized resource path.
Information
Note that the advanced settings are not available for configuration if you have selected
to use the authorization of the parent path.
Access Settings
You can select to connect via proxy, directing the connection to the resource through a proxy server.
Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific customized
resource path will be accessed.
Path Match
You have the option to require an exact path match. When enabled, the defined access rules for this customized resource
path apply for this path only, and not for all paths beginning with this one.
When not selected, the access rules apply to this customized resource path and all paths beginning with this one, unless
a more significant resource is found under this path.
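The longest-prefix selection behind Path Match, as an added Python example that is not PortWise code; it serves the identical Path Match descriptions for Web resource paths and customized resource paths. The path tree and the access rule labels are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ResourcePath:
    """A registered resource path with its authorization (constructed model)."""
    path: str            # complete path, parent path(s) already prepended
    exact_match: bool    # "Require exact path match"
    access_rules: str    # label for the access rules configured on this path


def covers(rp: ResourcePath, request_path: str) -> bool:
    """An exact-match path applies to itself only; otherwise the path applies
    to every request path beginning with it, taken literally as the manual
    states it, so "/account" also covers "/accounts"."""
    if rp.exact_match:
        return request_path == rp.path
    return request_path.startswith(rp.path)


def select_resource(paths: List[ResourcePath], request_path: str) -> Optional[ResourcePath]:
    """Return the most significant (longest) covering path; an exact-match path
    wins over a non-exact one of the same length. None means no path covers
    the request, so the host's own authorization applies."""
    candidates = [rp for rp in paths if covers(rp, request_path)]
    if not candidates:
        return None
    return max(candidates, key=lambda rp: (len(rp.path), rp.exact_match))


# Constructed example tree for one resource host.
PATHS = [
    ResourcePath("/", False, "any-authenticated-user"),
    ResourcePath("/account", False, "account-users"),
    ResourcePath("/account/admin", True, "administrators-only"),
]


def rules_for(request_path: str) -> Optional[str]:
    """Access rules that apply to a request against the constructed tree."""
    rp = select_resource(PATHS, request_path)
    return rp.access_rules if rp else None
```

Because the prefix rule is a literal string prefix, a path such as /accounts inherits the /account rules above; register it as its own path, or require exact match, when that is not intended.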
Automatic Access
You can configure the customized resource path to be accessed automatically. For resources where automatic access is
activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but
the user is still regarded as inactive according to time-out configurations.
Expression of Will
When expression of will is used, re-authentication is required for each request.
Time-out
You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are
specified globally for user accounts, with defaults of 15 minutes for max inactivity time and 720 minutes for absolute time-out.
By configuring time-out settings on the resource path, you can ensure the security of the resource path on a higher
level, or the opposite – specific resource paths may not need the same level of security or you may accept a longer
time-out period.
Information
Note that the setting Session Time-Out (on the Global User Account Settings page)
ultimately controls the validity time for a session.
Settings
Label Mandatory Description
Enable resource No Selected by default.
Parent Path No Available when adding a child resource path (a sub-path to another resource path). Displays the path to the parent resource path. Not editable.
Path Yes Path to the resource.
Use Parent Authorization No Available when adding a resource path (a path to another resource host, or a sub-path to another path). Selected by default.
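The time-out, automatic access and expression-of-will behaviour described in the Authorization Settings sections for Web resource paths, tunnel resources, tunnel resource networks and customized resource paths, as an added Python example (not PortWise code). The session model, the treatment of a cleared Use Time-out setting and the Session Time-Out value of 1440 minutes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Timeouts:
    """Max Inactivity Time and Absolute Time-out, in minutes (0-1440)."""
    max_inactivity: int = 15
    absolute: int = 720

    def __post_init__(self):
        for value in (self.max_inactivity, self.absolute):
            if not 0 <= value <= 1440:
                raise ValueError(f"time-out must be within 0-1440 minutes: {value}")


@dataclass
class PathAuthorization:
    """Authorization settings of one resource path (constructed model)."""
    use_timeout: bool = True               # "Use Time-out" (selected by default)
    timeouts: Optional[Timeouts] = None    # resource-specific values, if any
    automatic_access: bool = False         # "Automatic access"
    expression_of_will: bool = False       # "Use Expression of Will"


@dataclass
class Session:
    """Times are minutes since the session was created."""
    authenticated_at: int = 0    # last authentication with the required method
    last_activity: int = 0       # last request that counted as user activity


GLOBAL_TIMEOUTS = Timeouts()     # the page's defaults: 15 and 720 minutes
SESSION_TIMEOUT = 1440           # constructed value; the page gives no number for it


def check_request(session: Session, auth: PathAuthorization, now: int,
                  session_timeout: int = SESSION_TIMEOUT) -> str:
    """Decide whether a request at minute `now` may proceed on this session.
    Returns "ok" or the reason re-authentication (or a new session) is required."""
    if now >= session_timeout:
        return "session-expired"                 # Session Time-Out ultimately wins
    if auth.expression_of_will:
        return "reauth:expression-of-will"       # every request re-authenticates
    # Assumed: with "Use Time-out" cleared, or no path-specific values set, the
    # global user-account values apply.
    effective = auth.timeouts if auth.use_timeout and auth.timeouts else GLOBAL_TIMEOUTS
    if now - session.authenticated_at > effective.absolute:
        return "reauth:absolute-timeout"         # independent of user activity
    if now - session.last_activity > effective.max_inactivity:
        return "reauth:max-inactivity"
    if not auth.automatic_access:
        session.last_activity = now              # scripted access keeps nothing alive
    return "ok"


def simulate(auth: PathAuthorization, request_times: List[int]) -> List[str]:
    """Replay requests on a fresh session and return each outcome. After an
    outcome that demands re-authentication the user is assumed to log on
    again, which refreshes both timers."""
    session = Session()
    outcomes = []
    for t in request_times:
        result = check_request(session, auth, t)
        if result.startswith("reauth"):
            session.authenticated_at = session.last_activity = t
        outcomes.append(result)
    return outcomes
```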
SSO Domains
Access Rules
You define how and when Single Sign-On should be used by protecting the SSO domain with access rules. The access
rules specified for the SSO domain apply to the SSO functionality only, not to the resources in the SSO domain. For
example, if a user successfully accesses a resource in the SSO domain but the SSO access rule fails, the user is still free
to access resources in the domain. The user will be required to enter credentials for each resource, as if SSO was not
applied.
Domain Types
In PortWise 4.7, SSO domains are available in two domain types:
• Text (default)
• Cookie
Depending on domain type, different domain attributes can be associated with the SSO domain.
Text
The domain type Text is used to send user credentials as text, with different attributes defining the information needed
for authentication.
Available domain attributes for the domain type Text are:
• User name
• Password
• Domain
Which domain attributes you add to the domain type depends on the authentication method used. The domain attributes
normally used for the different authentication methods are described below.
• NTLM
When using the Microsoft authentication method NTLM, all domain attributes for the domain type text (user
name, password, and domain) are added to the domain type.
• Basic
When using the authentication method Basic, the attributes user name and password are added to the domain type.
Basic is the most commonly used authentication method for Web environments.
• Form-based
When using form-based logon for an SSO domain, the attributes user name and password are added to the
domain type.
To use form-based logon for an SSO domain, you need to design a Web form for access to each resource in
the SSO domain. This is done when adding or editing a resource: selecting form-based SSO will provide the
logon form and form response configuration.
Cookie
Cookie authentication is used to send authentication information in HTTP headers. When the domain type Cookie is
used, a cookie is set on the Access Point before proxying the request to the backend server.
A common use of cookie SSO is when back-end applications only want to read the authentication information at the
very first request.
Available attributes are:
• Cookie name
• Cookie value
• Cookie secure
• Cookie domain
Domain Type
For each SSO domain, you select domain type.
Available options are:
• Text (default)
• Cookie
Domain type Text is used for domains of the type NTLM, Basic, and Form-based. Domain type Cookie is used for domains
of the type Cookie.
SSO Restrictions
You have the option to choose how SSO credentials should be handled. When Cache on session only is selected, SSO
credentials are cached (kept in memory) and only valid during the user session.
When the option is not selected (default), the SSO credentials are stored persistently on the user account.
Note
When Domain Type is set to Cookie, this option is not available.
You have the option to enable a user inactivity check on the SSO domain. Specify a period of time (set in number of
days, weeks, or months) during which users are allowed to be inactive, i.e. not access the domain. When the period has
passed, credentials must be re-entered for access to the domain to be granted. This option is not available when Cache
on session only has been selected.
You also have the option to enable an absolute time limit check on the SSO domain. Specify a period of time (set in
number of days, weeks, or months) during which users’ SSO credentials are valid. When the period has passed, credentials
must be re-entered for access to the domain to be granted. This setting is independent of user inactivity. This option is
not available when Cache on session only has been selected.
Domain Attributes
The domain attributes you can add to the SSO domain differ depending on SSO domain type. The domain attributes
refer to the user authentication settings, the settings that characterize the SSO domain.
Domain attribute settings for both SSO domain types are described below.
Attribute Name
For each domain attribute, you define the type of attribute you specify.
Available options are:
• User name (default)
• Password
• Domain
• Ticket
Note
Ticket supersedes Password. If an SSO Domain is configured with both Password and
Ticket, then Password will be ignored, because the ticket is used as password.
Attribute Restriction
Select how the attribute is presented on the HTML page the first time the user accesses the resource and needs to enter
SSO credentials.
Available options are:
• Editable
The attribute is presented as a text field in the logon form.
• Hidden
The attribute and the attribute value are hidden in the logon form and are not visible to users.
• Locked
The attribute and the value are locked in the logon form and cannot be edited by users.
Note
The default value for Attribute Restriction is forced to Locked and cannot be altered
when Attribute Name is set to Ticket, because the user must not be able to alter the
ticket string.
Referenced By
You configure whether SSO credentials are entered manually or retrieved automatically. This is specified for both types
of domain attributes.
Available options are:
• User Attribute
The SSO credentials are retrieved from the user object in the directory service.
Example
samAccountName
theCompanyCookie
• Static
The information entered in Attribute Value is displayed.
Example
Portwise.com
Note
The default value for Referenced By is forced to Static and cannot be altered when
Attribute Name is set to Ticket.
Attribute Value
When you have configured the Referenced By setting to User Attribute or Static, you need to define the value for the
domain attribute.
Note
This parameter is ignored when Attribute Name is set to Ticket.
Attribute Name
For each domain attribute, you define the type of attribute you specify.
Available options are:
• Cookie name (default)
• Cookie value
• Cookie secure
• Cookie domain
Referenced By
You configure whether SSO credentials are entered manually or retrieved automatically. This is specified for both types
of domain attributes. Available options are:
• User Attribute
The SSO credentials are retrieved from the user object in the directory service.
Example
samAccountName
theCompanyCookie
• Static
The information entered in Attribute Value is displayed.
Example
Portwise.com
Attribute Value
Finally you define the value for the domain attribute.
Access Rules
See Manage Access Rules
Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the SSO domain.
Domain Type | No | Available options are: Text and Cookie. Set to Text by default, which is used for domains of the type NTLM, Basic, and Form-based.
Cache on session only | No | Not selected by default.
Access Rules
Authentication Method
An access rule of the type Authentication Method allows access to the resource protected by the access rule if the user
is authenticated with the defined authentication methods.
Several authentication methods can be used in combination, joined with AND and/or OR.
Client Devices
An access rule of the type Client Devices allows access to a resource protected by the access rule if the user uses a
specified device, for example Web or WAP.
User Storage
An access rule of the type User storage allows access to a resource protected by the access rule if the user is stored in
a specified user storage location.
Note that the access rule is dependent on user authentication: the user must be authenticated for the Policy Service to be
able to determine whether the user is located in the allowed user storage. As a result, the access rule must be combined
with an access rule of the type Authentication method if it is to be used pre-authentication (for example in a global
access rule). It can be used on its own for example when applied to resources accessed through the Application Portal.
Assessment
An access rule of the type Assessment can be plug-in-based or customized. It allows or denies access to a resource
protected by the access rule if the result of a scan of the client computer matches specified client data requirements.
Abolishment
An access rule of the type Abolishment allows access to a resource protected by the access rule if the listener that will
be collecting information about the client is active. When the session ends, abolishment as specified in the abolishment
configuration is performed on the client.
Information
Note that abolishment can be configured to allow the user to decide whether created,
changed, or downloaded files should be deleted or not.
Access Point
An access rule of the type Access Point allows access to a resource protected by the access rule if the request comes
through a specified Access Point.
Identity Provider
An access rule of the type Identity Provider allows access to a resource protected by the access rule
The different ways of managing access rules are described in the following sections.
Information
Note that if you select registered as well as create new access rules for the global access
rule, they are all required for access to resources and SSO domains to be allowed: they
are combined with an implicit AND statement.
Access rules included in the global access rule can be of different access rule types. For details regarding settings for the
different access rule types, see Access Rule Settings below.
Once access rules have been created for and/or included in the global access rule and the configuration has been
published, these access rules are automatically applied to all resources and SSO domains in the system. All access rules
included in the global access rule are displayed in the access rules step of the add resource or add SSO domain wizard,
and on the Access Rules tab when editing a resource or SSO domain.
Information
Note that if you select several registered access rules, they are used for authorization in
the order they are selected.
Information
Note that if you select registered as well as create new access rules for the resource or
SSO domain, they are all required for access to be allowed: i.e. they are combined with
an implicit AND statement.
Access rules applied to the resource or SSO domain can be of different access rule types. For details regarding settings
for the different access rule types, see Access Rule Settings below.
Information
Note that if you select several registered access rules, they are used for authorization in
the order they are selected.
Authentication Method
When creating an access rule of the type Authentication Method, you select one or several authentication methods that
the user must use to access a resource protected by the access rule.
All registered and enabled authentication methods are available for selection.
You can select several authentication methods for the access rule. You then specify if the authentication methods are
to be combined in a logical AND or OR statement. OR is selected by default.
Select OR if the user should be able to choose which of the listed authentication methods to use for authentication.
Select AND if all listed authentication methods are to be used to authenticate the user.
If you select AND, note that the order in which the methods are selected will correspond to the order in which the
authentication methods will be used to authenticate the user.
Select OR if the user has to be a member of at least one of the listed user groups. Select AND if the user has to be a
member of all listed user groups.
IP Address
When creating an access rule of the type IP address, you specify an IP address, several IP addresses, or a range of IP
addresses that the incoming client must have to access a resource protected by the access rule.
Several IP addresses are separated by commas. A range of IP addresses is specified using a hyphen.
Example
192.168.12.12 – 192.168.12.98.
Client Device
When creating an access rule of the type Client device, you specify one or several devices that the user must use to ac-
cess a resource protected by the access rule.
Devices available for selection are the devices specified on the Manage Device Definitions page in the Manage
System section.
Note that you can also specify restrictions for the individual devices. The device restrictions (with Deny, Warn, and
Accept permissions) are managed on the Client Access tab on the Manage Global Access Point Settings page in
the Manage System section.
Example
12/1/06 – 12/31/06
One or several weekdays can be specified by selecting Monday through Sunday. You specify start time and end time for
the time period (hour and minute formatted according to your browser’s language settings).
Example
12:00 AM – 8:00 PM
User Storage
When creating an access rule of the type User storage, you specify in which user storage the user must be stored to be
allowed to access a resource protected by the access rule. All registered user storages are available for selection.
Assessment
When creating an access rule of the type Assessment, you either specify a plug-in to use or manually specify assessment
requirements. The client computer is assessed through a client scan performed to match the client data with specified
requirements.
Plug-In
When using a plug-in, you select which plug-in to use and configure it according to its requirements. If the plug-in you
would like to use is not available in the drop-down list, you can upload the plug-in.
Custom
When not using a plug-in, you specify one or several information paths and requirements for client data per operating
system. Currently, you can create client data requirements for Windows only. Future versions of PortWise will support
other operating systems. You also select whether an assessment result matching this client data should allow or deny
access to a resource protected by the access rule.
You specify the requirements for client data by defining values to be matched on the client computer.
Example
Allow access when a process name matches yourantivirussoftware.exe
Client data is collected in a number of information types, i.e. areas of client data. Available information types and
corresponding client data that you can specify requirements for are listed below.
Microsoft Windows
Information
Note that when Wildcard match is selected, a first and last * is applied by default to
the Matching Rule. Only use wildcard characters inside the matching rule:
Example: C:\note*.exe
Linux
Available in a future release
Mac OS X
Available in a future release
Information
Note that the client scan paths you add when creating the assessment access rule are
added to the Client Scan tab on the Manage Assessment page.
A user feedback message is provided by default, regardless of whether you use the plug-in based or the custom version of
the access rule. The feedback message is displayed when the user fails to authenticate using the assessment access rule,
i.e. when the client data does not match the specified requirements. You can edit the feedback message to provide the
desired level of detail.
Abolishment
When creating an access rule of the type Abolishment, you enable abolishment as defined on the Manage Abolishment
page in the Manage System section. No settings are made on the access rule itself.
Abolishment is then performed on the client computer when the user session ends. It entails cleaning of client cache and
browser history, as well as deletion of created, edited, or downloaded files of specified file types.
Access Point
When creating an access rule of the type Access Point, you specify one or several Access Points that the resource access
requests must come through for the user to be allowed to access a resource protected by the access rule.
All registered Access Points are available for selection.
Identity provider
When creating an access rule of the type identity provider, you select the applicable identity provider from a list of
registered identity providers. You manage identity providers in the Manage Identity Federation section.
Custom-defined
When creating an access rule of the type Custom-defined, you specify one or several custom-defined access rules that
the user must fulfill to be allowed to access a resource protected by the access rule.
All available custom-defined access rules (XML files) are available for selection. You can also upload a new custom-
defined access rule.
Settings
Label | Mandatory | Description
Available Authentication Methods | No | Lists authentication methods enabled in the system.
Selected Authentication Methods | Yes | Lists authentication methods selected to be included in the access rule.
Combine with OR | No | Selected by default.
Combine with AND | No | Not selected by default.
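An added example (not PortWise code) that models the access rule types described above as the Policy Service would have to evaluate them: Authentication Method with AND/OR, IP Address with comma-separated addresses and hyphen ranges, Client Device, Access Point, and Assessment with the Wildcard match rule that gets a leading and trailing * by default, all combined with the implicit AND between global and resource rules, in selection order. The request context fields and class names are constructed for the example; the en dash in the IP range is accepted because the manual's own example uses one.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class RequestContext:
    """What the Policy Service knows when it authorizes one request
    (constructed field names, not PortWise's own)."""
    authenticated_with: Set[str]   # authentication methods the user completed
    client_ip: str
    device: str                    # e.g. "Web" or "WAP"
    access_point: str
    scanned_processes: Set[str]    # process names reported by the client scan


@dataclass
class AuthenticationMethodRule:
    methods: List[str]
    combine: str = "OR"            # OR is the default in the manual

    def evaluate(self, ctx: RequestContext) -> bool:
        hits = [m in ctx.authenticated_with for m in self.methods]
        return all(hits) if self.combine == "AND" else any(hits)


@dataclass
class IPAddressRule:
    spec: str   # addresses separated by commas, a range written with a hyphen

    def evaluate(self, ctx: RequestContext) -> bool:
        ip = ipaddress.ip_address(ctx.client_ip)
        for item in self.spec.replace("\u2013", "-").split(","):  # accept the en dash too
            item = item.strip()
            if "-" in item:
                low, high = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
                if low <= ip <= high:
                    return True
            elif item and ip == ipaddress.ip_address(item):
                return True
        return False


@dataclass
class ClientDeviceRule:
    devices: List[str]

    def evaluate(self, ctx: RequestContext) -> bool:
        return ctx.device in self.devices


@dataclass
class AccessPointRule:
    access_points: List[str]

    def evaluate(self, ctx: RequestContext) -> bool:
        return ctx.access_point in self.access_points


def wildcard_match(matching_rule: str, value: str) -> bool:
    """Assessment 'Wildcard match': a first and last * are applied by default,
    so only wildcards inside the rule need to be written (e.g. C:\\note*.exe)."""
    return fnmatch.fnmatchcase(value, "*" + matching_rule + "*")


@dataclass
class AssessmentRule:
    process_rule: str
    allow_on_match: bool = True    # a match can be configured to allow or to deny

    def evaluate(self, ctx: RequestContext) -> bool:
        matched = any(wildcard_match(self.process_rule, p) for p in ctx.scanned_processes)
        return matched if self.allow_on_match else not matched


def authorize(global_rules: list, resource_rules: list,
              ctx: RequestContext) -> Tuple[bool, Optional[str]]:
    """Global access rules and the resource's own rules are all required
    (implicit AND) and are evaluated in the order they were selected; the
    first failing rule is reported so the denial can be logged."""
    for rule in list(global_rules) + list(resource_rules):
        if not rule.evaluate(ctx):
            return False, type(rule).__name__
    return True, None
```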
Application Portal
About Application Portal
The Application Portal is the PortWise Web portal that users log on to in order to access corporate applications from
remote locations. In the Application Portal, the applications - registered resources - are displayed as icons with link
texts. In PortWise Administrator, these icons and link texts that form the graphical representation of the resources are
called Application Portal items.
Application Portal items can be created for the following resource types:
• Web resources
• Tunnel sets
• External sites
All Web resources and tunnel sets configured to be displayed in the Application Portal are automatically associated with
an Application Portal item. Application Portal items can also be manually created for Web resources or tunnel sets. Note
that for Web resources, it is possible to configure a shortcut. The shortcut enables users to access the resource directly
in a Web browser, without the need to log on to the Application Portal.
You can also create Application Portal items for external sites, i.e. external URLs not registered as Web resources.
Access Client
Users access the Application Portal through the use of PortWise Access Client. The Access Client is available as a
Microsoft Windows executable (loaded over the Application Portal by either an ActiveX component or a Java applet) and
as a pure Java applet.
The Windows version of the Access Client is also available on an installation CD, for installations on client computers
using Windows. When using the installable Access Client, users do not need to use the Application Portal but are able
to access resources directly from their PC. They can also edit preferences in, and add favorites (frequently visited
applications) to, their Access Client.
An Application Portal item can be created in two different ways: automatically or manually. When you configure a
resource to be displayed in the Application Portal, an Application Portal item is automatically created and added to the
Manage Application Portal page. You can also manually create Application Portal items on the Manage Application
Portal page. You then associate the items with the corresponding Web resource or tunnel set.
You can also register Application Portal items not associated with a registered resource, for example an external Web
site.
Icon
You select which icon should represent the resource in the Application Portal. You can browse for an icon in an icon
library, or upload an icon of your choice. The icon must be of the type .gif, .jpeg, or .png and must not exceed 10 kB in
size.
Link Text
You enter a link text to be displayed below the icon. The link texts are sorted in alphabetical order in the Application
Portal, providing you with an opportunity to affect how the resources are displayed.
Information
Note that in the Registered Application Portal Items list on the Manage Application
Portal page, the link text is displayed in the Display Name column.
Shortcut
For Web resources, you can define a shortcut allowing users to access the resource without accessing the Application
Portal. The users enter the address to the Access Point and the shortcut in a browser window to access the resource
directly.
Example
http://www.AccessPoint.com/Shortcut
Example
http://www.portwise.com/index.php?id=2&page=1
Protocol
For Web resources, you can also configure what protocol to use between the Access Point and the Web resource back-
end server. This setting is only available if both HTTP and HTTPS can be used to access the resource.
Settings
Label | Mandatory | Description
Web Resource | No | Selected by default.
Tunnel Set | No | Type of resource for the Application Portal item.
External Site | No | Type of resource for the Application Portal item.
Identity Federation
SAML 2.0 (Security Assertion Markup Language) is an XML standard for using SSO between online business partners,
that is, between an identity provider and a service provider.
SAML 2.0 relies on assertions and defines three kinds of statements that can be carried within an assertion:
• Authentication statements
Authentication statements are issued by the identity provider. They define who issued the assertion, the
authenticated subject, validity period, plus other authentication related information.
• Attribute statements
• Authorization decision statements
These identify what users are entitled to do (for example permissions to buy a specified item).
Assertions
In PortWise 4.7, only one assertion attribute is exposed per assertion. Attributes are mapped against existing attributes
in user storage and the Directory service.
The key concept of SAML 2.0 assertions is a subject (a principal, someone who can be authenticated, within the context
of a particular security domain) about which something is being asserted.
A trust is set up between the service provider and the identity provider using certificates. The Identity Provider uses
server certificates to sign the SAML 2.0 responses, and the Service Providers use server certificates to validate their
SAML 2.0 responses.
PortWise 4.7 can be configured to act as either a Service Provider or an Identity Provider.
Preconditions
Before starting to configure your Identity Federation settings, make sure you have completed the following tasks:
• Server Certificates used when creating service providers are added using the Add Server Certificate wizard in
the Manage Certificates section
• Hosts used as Service Providers are added using the Add Web Resource Host wizard in the Manage Resource
Access section
• CA Certificates used when creating Identity Providers are added using the Add CA Certificate wizard in the
Manage Certificates section
Depending on how you use PortWise 4.7, as identity or service provider, you select appropriate certificates, add Web
resource hosts, and specify exact paths to these Web resources.
Service Provider
Typically a number of service providers rely on assertions about users in order to control access and provide
customized service; the party that issues those assertions is the identity provider.
Service providers use this information, depending on their access policies, to grant access to local resources.
Identity Provider
Identity providers assert users’ identities to relying parties, the service providers.
Service Providers
You specify a registered Web resource host as service provider. You can also specify an exact path to Web resource.
On the Assertion tab, you can edit the time in minutes to specify the length of the SAML 2.0 session. By default, the
session time is set to 15 minutes.
You specify which subject is being asserted by selecting either User ID or E-mail as the unique identifier.
SAML 2.0 Attributes are mapped against existing user attributes in user storage and the directory service.
Identity Providers
When adding an identity provider, you select a CA certificate and specify an attribute to map against existing user
attributes in user storage and the directory service.
Settings
Label | Mandatory | Description
Enable Service Provider | No | Selected by default.
Display Name | Yes | Unique name used in the system to identify the service provider.
Web Resource Host | Yes | List of available Web resource hosts.
Path | No | Exact path to the selected Web Resource Host used as service provider.
CA Certificate | Yes | List of available CA certificates.
9 Manage System
Abolishment
About Abolishment
The end-point protection solution in PortWise 4.7 consists of the concept Abolishment, which focuses on client cleanup
upon completion of the session.
Web browsers leave traces such as browser history and browser cache after a session has ended. Abolishment
simplifies the secure cleanup of a client computer through removing cached content on the client, browser history, as well
as downloaded, created, or edited files.
Abolishment is used as a basis for access control. A resource is protected by an abolishment access rule based on
abolishment settings specifying what should be cleaned on the client after the session is completed. When a user attempts
to access the resource, access is allowed only if the abolishment client is running, ensuring that abolishment will be
performed when the session is completed.
When abolishment is performed, cache and Web browser history is deleted according to the abolishment configuration.
As to files downloaded, created, or edited during the session, you can configure whether or not the user should be
notified and able to choose which files to delete.
Information
Note that in the dialog displayed to the end-user, the Abolishment client is called the
End-Point Protection client.
Manage Abolishment
Abolishment settings are managed on the Manage Abolishment page in the Manage System section of PortWise
Administrator.
Abolishment settings are available on three tabs: General Settings, Cache Cleaner, and Advanced.
General Settings
On this tab, you specify which file types should be monitored on the client. You also define whether a user should
receive a notification message regarding downloaded, created, or edited files of these types upon completion of the
session, allowing the user to decide which – if any – files should be deleted. If you select not to notify the user,
downloaded, created, or edited files of the specified file types will be deleted automatically when the session is completed.
Monitor Files
Specify which file types should be monitored on the client, and deleted automatically when the session is ended or as
a result of the notification message to the user. The file types are specified per operating system in comma-separated
lists.
The example below displays the file types specified for Windows by default.
Example
doc, docx, xls, xlsx, ppt, pptx, pdf, txt, zip, exe
Notification
When the options Enable delete and Notify user are selected, the PortWise Abolishment dialog will be displayed
when users log off the Application Portal.
The PortWise Abolishment dialog contains a list of downloaded and/or created files, with the option to select which
files to delete. The user may select not to delete any files.
You can customize the notify message displayed in the PortWise Abolishment dialog. The default message is
"Abolishment is requested. Select the files you want to delete".
Note
If the option to notify user is not selected, all downloaded, created, or edited files of
the specified file types will be deleted automatically when the session is completed.
Settings
Label | Mandatory | Description
Windows | (Yes) | File types to be deleted when the session is ended.
Enable delete | No | Selected by default.
Notify user | No | Selected by default.
Notify message | (Yes) | Message used in the Abolishment dialog when users can select which files to delete. Set to "Abolishment is requested. Select the files you want to delete" by default.
Cache Cleaner
On this tab, you specify per operating system what the cache cleaning should include.
Available options are:
• Microsoft Windows
Internet Explorer history and typed URLs
Internet Explorer cache entries
• Linux
Available in a future release
• Macintosh
Available in a future release
When you select to clean cache entries, you specify a URL filter to define which cache entries to delete. The URL filter is
matched to the cache entries. The wildcard character * is supported. When used alone, all cache entries are deleted.
The URL filter is mapped to cache entries in the Windows folder Temporary Internet Files, in the Internet Address
column. The cache cleaner removes all cached session information in this column from the start of the session until it
is ended.
Examples
* removes all cache entries
https* removes all cache entries downloaded from a secure server
http://www.thesecurecompany.com/* removes all entries from that particular server
Settings
Label | Mandatory | Description
Enable clean of Internet Explorer history and typed URLs | No | Not selected by default.
Enable clean of Internet Explorer cache entries | No | Not selected by default.
URL Filter | (Yes) | Set to * by default.
Advanced
On this tab, you manage advanced abolishment settings.
When the ActiveX - Java Applet option is selected, the loader uses ActiveX when available. If not, it uses the Java
Applet.
Settings
Label | Mandatory | Description
Display resources in Application Portal | No | Resources protected by an Abolishment access rule are displayed in the Application Portal, regardless of whether the listener collecting information about the client is active or not. Selected by default.
Abolishment Client Loader | Yes | Set to ActiveX - Java Applet by default.
Access Points
Internet Channels
Access Points can operate in any network that supports TCP/IP with ports open for both HTTP and SSL. OpenSSL
algorithms are supported, with no limitation of key lengths.
Authentication
The Access Point supports a number of authentication methods used to identify and verify identification of users.
Authentication methods range from static passwords to one-time passwords generated by PortWise Mobile ID or by third
party products.
Access Control
Advanced access control is implemented in the Access Point. Access control can be based on group membership, for
example, and is performed on both incoming and outbound traffic.
The Access Point provides access control in conjunction with a firewall and the access control in internal systems. The
firewall access control is performed when users interact with the system. The access control is performed on the same
level of security as the firewall, i.e. on both IP level and port level.
Access control capabilities can be expanded by using the Policy Service, which adds advanced authorization rules to
the solution.
Encryption
Encryption is supported from the client and when connecting to internal systems. The Access Point supports OpenSSL
algorithms, with no limitations of key lengths.
Digital Signatures
Access Points provide for validation of digital signatures when integrated with a Public Key Infrastructure (PKI)
solution.
Session Handling
The session to the client is handled by the use of cookies. The Access Point communicates with internal systems using
normal HTTP or SSL session. Cookies generated from internal systems are never passed on from the Access Point to
the client.
Session handling is important for security reasons, as the normal Web client is a silent client. Using advanced security
solutions, a security context will also exist apart from the cookie or variable.
Internal Host
The internal host of the Access Point is the IP address used in the internal communication between the Access Point
and the Policy Service. To verify the identity of a connecting Access Point, the Policy Service uses this address with the
Access Point service ID.
It is not recommended to use the IP address 0.0.0.0. To listen to all local IP addresses, use the Listen on all interfaces
option. When selected, the service listens to all local IP addresses and not only to the specified IP address.
Sandbox Port
The sandbox port is an additional port for redirecting requests from the Application Portal port. Defining a redirect port
can be useful when running within a sandbox on a Linux machine.
Additional Listeners
It is possible to add one or several additional listeners to an Access Point, for Web traffic or load balancing purposes.
Additional listeners are additional ports or IP addresses the Access Point listens to. The configuration will not be
distributed to other proxies in a load balanced environment.
It is possible to specify separate SSL certificates for each additional listener. When HTTPS listeners are set up, you need
to specify a server certificate.
Settings
Label | Mandatory | Description
Service ID | No | Identification number automatically assigned to the Access Point when it is created.
Display Name | Yes | Unique name used in the system to identify the Access Point.
Internal Host | Yes | IP address used in the internal communication between the Access Point and the Policy Service.
Application Portal Host | Yes | IP address or DNS name where to bind all incoming external traffic to the Application Portal.
Application Portal Port | Yes | HTTPS port for incoming traffic to the Application Portal. Set to 443 by default.
Sandbox Port | No | Additional port for redirecting requests from the Application Portal Port. Set to 443 by default.
Server Certificate | Yes | List of server certificates that the Access Point uses in the external communication.
Listen on all interfaces | No | Specifies what interfaces the service listens to. Not selected by default.
Support crypto cards | No | Not selected by default.
Distribute key files automatically | No | Selected by default.
Advanced Settings
Internal Cookies
You can define which kinds of client data are sent as cookies in internal requests. Client data includes user ID, client IP, session ID and session ID cookie.
This is an example of what an internal cookie can look like in the HTTP request:
Example
Cookie: WA_T=45; WA_UID=test; WA_WASID=0c351d862cea55cc; WA_AM=PortWise Password; WA_CLIP=192.168.139.1; WA_SEPO=443; WA_SSL=256; WA_INTERNAL_ID=3.0.259121969733801860.14762743034494641120710727875
Session Control
You can configure client session control using the WAAK (Web access authentication key) option. Plain HTTP only is not
as secure as WAAK. It is also possible to set the strength of the secure authentication cookie.
The Web access session ID (WASID) is a random hexadecimal value generated by the Access Point.
When the Bind session to client IP option is selected, the client session can only move from one computer to another if the client's source IP address does not change during the session.
Use the Duplicate user name login reverse action to ensure that two users cannot log on with the same user name until
the first session is logged out or timed out.
Cookie Persistence
You have the option to select whether all session cookies are transformed into persistent cookies. Note that this only applies to resources protected by Abolishment and to Internet Explorer users.
Cache Control
It is possible to select whether to use Cache-Control: no-store to disallow browser caching on HTTP/1.1 clients. When selected, the header Cache-Control: no-store is used, and Internet Explorer users are able to view Word documents, Excel files, PowerPoint files and PDF files without the data being cached. When not selected, the header Pragma: no-cache is used.
Client Access
Settings for communication between clients and Access Points include whether error messages should be displayed to
the user in SSL v2 communication, if server headers should be hidden, and an option to select which authentication
method should be used when a user accesses /wa/auth without the parameter authmech specified.
Bad URIs
Lists URI patterns that are handled as forbidden requests. Their purpose is to detect attempts to reach a URL that would normally be protected by access rules by disguising the path (backslashes, URL-encoded separators, or dot segments). It is strongly recommended to keep the default URIs.
Example
*\* A URI can not contain backslash
*%5c* A URI can not contain the URL encoding of backslash
*%2f* A URI can not contain the URL encoding of slash
*/../* A URI can not contain “/../”
*/%2e%2e/* A URI can not contain “/../” where both dots are URL encoded
*/.%2e/* A URI can not contain “/../” where the second dot is URL encoded
*/%2e./* A URI can not contain “/../” where the first dot is URL encoded
*/./* A URI can not contain “/./”
*/%2e/* A URI can not contain “/./” where the dot is URL encoded
*//* A URI can not contain double slash
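As an added example (not code from the manual or the product), the following Python matcher applies the default Bad URI patterns above to request URIs, treating `*` as a wildcard and percent-encodings case-insensitively (an assumption about the product's matching), and runs the check over a few constructed request lines the way a log detection rule would:

```python
import re

# Default Bad URI patterns from the manual; '*' matches any run of characters.
# The reasons paraphrase the manual's descriptions.
BAD_URIS = [
    (r"*\*", "backslash"),
    ("*%5c*", "URL-encoded backslash"),
    ("*%2f*", "URL-encoded slash"),
    ("*/../*", "/../"),
    ("*/%2e%2e/*", "/../ with both dots URL-encoded"),
    ("*/.%2e/*", "/../ with the second dot URL-encoded"),
    ("*/%2e./*", "/../ with the first dot URL-encoded"),
    ("*/./*", "/./"),
    ("*/%2e/*", "/./ with the dot URL-encoded"),
    ("*//*", "double slash"),
]


def glob_to_regex(pattern):
    """Translate a Bad URI glob into an anchored regex. Only '*' is special;
    every other character is matched literally. Matching is case-insensitive
    so that %2E and %2e are treated alike (assumption, see lead-in)."""
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


COMPILED = [(glob_to_regex(p), p, why) for p, why in BAD_URIS]


def check_uri(uri):
    """Return (forbidden, pattern, reason) for one request-URI.
    The first matching pattern wins, as in an ordered block list."""
    for regex, pattern, why in COMPILED:
        if regex.match(uri):
            return True, pattern, why
    return False, None, None


def scan_request_lines(lines):
    """Run the check over HTTP request lines ("GET /path HTTP/1.1") and
    return the forbidden URIs with the pattern and reason that fired."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a request line
        forbidden, pattern, why = check_uri(parts[1])
        if forbidden:
            hits.append((parts[1], pattern, why))
    return hits


# Constructed sample request lines (not taken from the manual).
SAMPLE_REQUESTS = [
    "GET /wa/auth?authmech=pw HTTP/1.1",
    "GET /app/../admin/config HTTP/1.1",
    "GET /app/%2E%2E/admin/config HTTP/1.1",
    "GET /app/static//site.css HTTP/1.1",
    "GET /docs/report.pdf HTTP/1.1",
]

if __name__ == "__main__":
    for uri, pattern, why in scan_request_lines(SAMPLE_REQUESTS):
        print(f"forbidden {uri!r}: matched {pattern} ({why})")
```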
Cipher Suites
When an SSL connection is initialized, the client and server negotiate a common cipher suite to be used for key exchange and encryption. Different cipher suites offer different encryption algorithms and levels of security.
You can select which protocols to support, as well as which types of cipher suites to support. Available protocols are TLS v1.0, SSL v3.0, and SSL v2.0. (SSL v2.0 and SSL v3.0 have since been prohibited by RFC 6176 and RFC 7568 respectively and should be disabled.)
Client Access
Client Access Settings/WAP Client Settings
Define Web versus WAP default pages displayed when accessing the /root, as well as welcome pages displayed after
successful logon.
Information
You can specify default and welcome pages for specific devices using device control.
Device Control
Specify stricter control over, for example, client browsers connecting to the Access Point using device access restrictions. You can warn users of a certain browser, or deny others access. To exercise device control, you register device settings and device access restrictions. When registering device settings, you specify which type of session handling the Access Point uses for a specific device. This can be useful for devices that, for example, cannot handle cookies. Available options are URL session, WAP agent, and/or Basic authentication.
Use device access restrictions to map devices with permissions Deny, Warn or Accept. Device access restrictions are
controlled in the order they are listed. On first match the restriction takes effect, independent of whether it is a Deny,
Warn or Accept restriction.
Performance
Performance Settings
Enhance the performance of your Access Points by configuring Access Point performance settings. Performance settings
include the possibility to set time-outs for idle connections. You can also limit the number of TCP connections that the
operating system is able to queue, and allow the Access Point to cache SSL sessions for communication with internal
servers.
Trusted Gateways
Register trusted IP addresses, for example WAP gateways or HTTP proxies, as trusted gateways.
Trusted in this context means that even though a client connecting to the Access Point may not have a secure connection, incoming traffic from the specified IP address and port is automatically assumed to have the specified level of security (128 bit encryption).
Users are not redirected to HTTPS when coming from a trusted gateway.
The load-balancing product needs to support “SSL session resistance”. When not supported, unnecessary traffic between the Access Points is created, and the SSL handshakes are heavier. Access Points use a specific TCP port for the interchange of session data. The default port is set to 16972.
The Access Point uses a specific TCP port for the interchange of session data. The default port is set to 1697. The traffic can be either in plain data or SSL. SSL is recommended unless the network is totally private.
Optionally the servers may have two or three network cards each:
• Network card 1: Client communication
• Network card 2: Proxy session interchange communication
• Network card 3: Intranet communication
To achieve full redundancy, set up the servers in pairs, where each Access Point shares the session with another Access
Point.
Settings
Label Mandatory Description
User ID No Not selected by default.
Client IP No Not selected by default.
Server Port No Not selected by default.
SSL Strength No Not selected by default.
Last used authentication method No Not selected by default.
Max inactivity time in seconds No Not selected by default.
Session ID cookie No Not selected by default.
System Session ID No Not selected by default.
Administration Service
Information
Only one Administration Service can be configured per PortWise network.
Configuration
The main configuration file (RemoteConfiguration.xml) is stored on the Administration Service. Local configuration files
stored on the different PortWise services are only used initially to contact the Administration Service. The current con-
figuration is pushed to the different services in runtime through the publish functionality in the PortWise Administrator.
The services do not need to be restarted to retrieve the configuration.
A history of the ten latest configurations is saved. A previous configuration can be retrieved by using the restore functionality in the PortWise Administration Service.
or if external IP addresses are used for other reasons, the default settings for Internal Host, Administrator HTTP Host,
and Administrator HTTPS Host should be changed.
Settings
Label Mandatory Description
Internal Host Yes IP address or DNS name of the host for internal traffic in the
PortWise network.
Internal Communication Port Yes Set to 8300 by default.
Assessment
About Assessment
The end-point integrity solution in PortWise consists of the Assessment concept, which focuses on access control based on client restrictions.
Assessment is used to define the requirements a client must meet, and to allow or deny access to resources accordingly.
A resource or SSO domain is protected by an assessment access rule, detailing client scan paths per operating system. Client scan paths define the information that is collected during the client scan.
When a user attempts to access the resource, a client scan is performed, and the subsequent assessment of the client forms the basis of the access decision.
Information
Note that in the dialog displayed to the end-user, the client scan is called the End-Point
Integrity scan.
An alternative to registering client scan paths is to use the plug-ins available for specific client scans.
PortWise supports assessment on Microsoft Windows. Future releases will support additional operating systems.
Client data paths can be specified for the following areas:
• File information
• Registry information
• Process information
• Windows user information
• Windows domain information
• Network interface information
• UDP port information
• TCP port information
Manage Assessment
You manage assessment settings on the Manage Assessment page in the Manage System section.
Manage Assessment consists of three tabs:
• General Settings
• Advanced Settings
• Plug-ins
General Settings
On this tab, you configure the client scan settings which include settings for a real time scan as well as the client scan
path. Note that you need to add an assessment access rule in order for these settings to take effect. Access rules are
managed on the Manage Access Rules page in the Manage Resource Access section.
Information
The real time scan is a global setting: when enabled, it applies to all resources protected
by an assessment access rule.
Information
The client scan paths you add when creating assessment access rules are added to the
list on this tab.
You can select several check boxes to scan for different information, even if only part of the information is used as a
basis for assessment in accordance with specified access rules.
Information
If you create client scan paths (that require collection of information) when creating an
assessment access rule, the corresponding check boxes are selected automatically on this
page.
Available information types and corresponding client data that you can specify requirements for are displayed in the
table below.
Windows
Information type | Client Data | Client Scan Settings
File information | File attributes; File name; File digest; File time created; File time last written | Information path of the type File
Directory information | Directory Name; Attributes | Information path of the type Directory
Registry key information | Registry name; Registry type; Registry value | Information path of the type Registry Key
Registry subkey information | Registry name; Registry type; Registry value | Information path of the type Registry Subkey
Process information | Process digest; Process name; Process ID | Enable collection of process information
Windows user information | Windows logon domain; Windows alternative domains; Windows user name; Windows logon server | Enable collection of Windows information
Windows domain information | Computer name; LAN group; Major version; Minor version; Platform ID | Enable collection of Windows information
Network interface information | Network interface address; TCP local address; TCP remote address; TCP status | Enable collection of network information
TCP port information | Local address; Local port; Remote address; Remote port; State | Enable collection of network information
UDP port information | Local address; Local port | Enable collection of network information
Linux
Available in a future release
Mac OS X
Available in a future release
Settings
Label Mandatory Description
Enable real time scan No Not selected by default.
Interval (Yes) Mandatory if Enable real time scan is selected. Set to 120 by default.
Advanced Settings
On this tab, you manage advanced assessment settings.
When the ActiveX - Java Applet option is selected, the loader uses ActiveX when available; if not, it uses the Java Applet.
Settings
Label Mandatory Description
Display resources in Application portal No Resources protected by an Assessment access rule are displayed in the Application Portal before the client scan has been performed. Selected by default.
Abolishment Client Loader Yes Set to ActiveX - Java Applet by default.
Plug-ins
On this tab, you add or delete plug-ins to be used in assessment access rules, as a basis for the client scan. The plug-ins
displayed here are located in the following folder: <PortWise installation folder>/files/policy-service/ep/plugins.
File names, version numbers, and descriptions of the plug-ins are displayed.
You can add a plug-in to this list by uploading it to the correct folder location. Use the Browse button to locate the
plug-in. The plug-in is uploaded when you click Save.
Settings
Label Mandatory Description
Plug-in No The name of the plug-in to upload.
Authentication Methods
You can configure several channels. Configure more than one SMS channel to be used in case the primary fails.
All authentication and notification messages are sent via mobile text to the cell phone number or e-mail address registered to that specific user account. This is done on the User Account PortWise Authentication Settings page.
When Allow Two-step Authentication is selected, the authentication is distributed over two sessions: the first one
to make the server send the OTP to the mobile phone; and the second one to logon with the OTP.
The authentication method Mobile Text relies on the RADIUS protocol.
Information
PortWise Web cannot be used for tunnel resource access when using the installable Access Client stand-alone.
When a new PortWise user account is registered and the PortWise Web authentication method is enabled, the password or PIN is created and distributed to the user.
Note
The PortWise Web authentication method can only be used with the Access Point.
PortWise Web can be used for authentication on your laptop or desktop computer.
• User Certificate
The User Certificate authentication method leverages user/certificate attribute mapping. If and only if there
is an exact, unique match between the configured certificate attribute and the user attribute, the user is
authenticated.
• NTLM
The NTLM authentication method is an authentication protocol used in various Microsoft network protocol
implementations.
• Basic
This authentication method performs a basic authentication according to RFC 2617, “HTTP Authentication:
Basic and Digest Access Authentication”.
• General RADIUS
The general RADIUS authentication method is an authentication protocol that can be used with any RADIUS-compliant authentication server.
• Extended User Bind
The Extended User Bind authentication method adds an extended form of user data retrieval, parsing, and matching between the user-presented certificate and the LDAP user object.
• Form Based Authentication
• Windows Integrated Login
Windows Integrated Login authentication enables Windows domain credentials to be reused. For example,
users do not have to log on to the Application Portal when it is protected by Windows Integrated Login
authentication. User credentials are retrieved from the client, and not entered by the user.
• E-ID
A consortium of Scandinavian banks has agreed on a standard service for electronic authorization and signing
over the Internet.
• E-ID Signer
Using E-ID, the client can authorize an order or a document by signing.
Note
The settings for all available authentication methods are listed in the Settings section
below.
General Settings
All authentication methods have a display name and the option to enable the authentication method. All authentication
methods are enabled by default. For the PortWise authentication methods, the display name is used as display name in
the Select Authentication Method dialog when logging on to the Application Portal.
Some authentication methods (listed below) have a template specification, which defines the physical appearance of the
authentication method logon dialog. The specified Template Name is sent to the Policy Service enabled application
which has a corresponding template file on the local server.
All PortWise Mobile ID authentication methods, and most of the supported additional authentication methods (listed
below), need one or several authentication method servers.
The authentication method server settings include:
• Host and port
• Different search methods to locate users in the directory service structure for authentication
Settings
Label Mandatory Description
Enable authentication method No Selected by default.
Display Name Yes Unique name used in the system to identify the authentication
method.
Settings
Note
Only the PortWise authentication methods and the additional methods Active Directory, E-ID, E-ID Signer, Custom-defined, Extended User Bind, Form Based, General RADIUS, NTLM, SafeWord, and Windows Integrated Login require a registered authentication method server.
RADIUS Replies
All authentication methods using RADIUS have a number of pre-configured RADIUS replies associated. These replies
can be edited, and it is also possible to add new ones.
Each RADIUS reply consists of a name and a so-called matching string, which is the actual reply presented to users. When the name and string match, the authentication method responds using the appropriate template specification, set in Template Name on the General Settings page.
Example
Name: WebCurrentPwd
Matching String: Enter current password. Challenge %. Configuration %
Settings
Note
Only PortWise Mobile ID authentication methods and General RADIUS, SafeWord, and
SecurID support RADIUS replies.
Extended Properties
Authentication methods may also have a number of extended properties, allowing you to further customize how authentication should be handled.
Some extended properties are used only by specific authentication methods; others are global Policy Service settings that do not affect the authentication method's behavior. To facilitate administration, however, they are managed on each applicable authentication method.
The global Policy Service settings used as extended properties are:
User attribute
When specified, only users associated with the specified user ID attribute are allowed authentication.
Applicable when the authentication method uses a different attribute name than the default attribute name for authentication.
Example
mail (As opposed to default attribute names cn or samAccountName.)
Information
Note the following when using this extended property with the authentication method
E-ID:
When set to true, and the E-ID certificate attribute and E-ID user attribute are not speci-
When set to true, and the E-ID certificate attribute is specified as for example “cn”, the
user ID is set to the certificate’s cn.
Important
It is not recommended to add this extended property to authentication methods where only the user ID is used initially for authentication. This can be considered a security threat, since it makes it possible to tell which user IDs are known from those that are unknown (user enumeration).
Settings
Extended Property Used In Comment
User attribute All This is a global Policy Service setting.
User attribute User Certificate User storage attribute that is mapped to the certificate attribute.
User name may not change during session All This is a global Policy Service setting, added to the authentication method by default. Set to true by default.
Allow user not listed in any User Storage All This is a global Policy Service setting. Set to false by default.
PortWise account required before authentication All This is a global Policy Service setting. Set to false by default.
Service Host Alternative FQDN E-ID Used in verification requests sent to OSIF. Variable is named “host” in the OSIF specification.
Keys for additional extended properties Custom-defined Additional extended properties.
User bind attribute Extended User Bind (UBA) Actual value of the user attribute to be bound to.
UBAX Extended User Bind Integer (0-4) that contains the user attributes used in the pattern below.
UBA pattern Extended User Bind One or several UBAX, concatenated by the sign ‘+’ and any character within quotation marks.
Certificate bind attribute Extended User Bind (CBA) Actual certificate attribute to be bound to.
CBAX Extended User Bind Integer (0-4) that contains the user attributes used in the pattern below.
CBA pattern Extended User Bind One or several CBAX, concatenated by the sign ‘+’ and any character within quotation marks.
Method Form-based Set to POST by default. Mandatory.
Form action Form-based Path that defines the URL to GET or POST data to. Mandatory.
Form data Form-based Definition of data sent to the server. The variables [$username], [$password] and [$domain] can be used for dynamic replacement with internal user name, password and NTLM domain. Mandatory.
Set to 3 by default.
Certificate log rotation max size (kB) User Certificate This extended property specifies the max size of each certificate log file.
Authentication Services
Key Files
You can define that key files should be distributed automatically. Using this option, key files are automatically distributed from the Administration Service to the Authentication Service after the Authentication Service has been installed. Not selecting this option keeps the system more secure, but the administrator is then required to copy the key files manually.
Server Certificate
The Server Certificate defines the certificate used when the Authentication Service performs TLS handshaking (for example when authenticating with the PEAP-MSCHAPv2 protocol). If the PEAP-MSCHAPv2 authentication protocol is used, you need to assign a server certificate; otherwise PEAP-MSCHAPv2 authentication will fail.
All available server certificates are available for selection. Server certificates are managed in the Manage Certificates
section of PortWise Administrator.
Additional Listeners
You can register additional listeners for the Authentication Service, i.e. additional IP addresses or DNS names that the
Authentication Service listens to. The listeners you add are added to the list of hosts available in the RADIUS accounting
section.
RADIUS Accounting
When RADIUS accounting is enabled, the system responds to RADIUS accounting packets sent from RADIUS clients. The
system logs the incoming RADIUS packet and replies with an accounting response packet. Accounting packets can also
contain information about when a user logs in and out of a system.
You select the host (the internal host or a registered additional listener) and specify the port of the system that sends the accounting response message.
You can also select if the system should be listening on all interfaces or not regarding RADIUS accounting traffic.
Settings
Label Mandatory Description
Service ID No Identification number automatically assigned to the Authentication Service when it is created.
Display Name Yes Unique name used in the system to identify the Authentication Service.
Internal Host Yes IP address or DNS name of the Authentication Service, used for communication in the PortWise network.
Internal Communication Port No Port used for internal communication in the PortWise network. Set to 8302 by default.
Listen on all interfaces No Specifies what interfaces the service listens to. Not selected by default.
Distribute key files automatically No Defines whether or not key files should be automatically distributed from the Administration Service to the Authentication Service after the Authentication Service has been installed. Selected by default.
RADIUS Authentication
A number of settings are available for RADIUS authentication.
Session Time-out
You define the number of seconds that the state attribute is valid. The RADIUS session times out after this time limit. Set to 180 seconds by default. The server discards a RADIUS session after this time span if it is not used; each use of the session resets the timer.
RADIUS Encoding
When the system receives a RADIUS packet, it normally transforms the data to strings according to the UTF-8 standard. Some RADIUS clients do not support UTF-8. If this is the case, another encoding needs to be specified.
Set to UTF-8 by default.
Settings
Label Mandatory Description
Drop unknown sessions No Not selected by default.
Drop unknown users No Not selected by default.
Proxy unknown users No Not selected by default.
Reveal reject reason No Not selected by default.
Session time-out Yes Number of seconds (1-999) the state attribute is valid. Set to 180 by default.
Password/PIN
On this tab, you define global password and PIN restrictions for PortWise authentication methods.
PortWise Web
Available global password settings for PortWise Web are listed below. Default values are displayed in parenthesis.
Available global password settings:
PortWise Challenge
Available global PIN settings for PortWise Challenge are listed below. Default values are displayed in parenthesis.
Available global PIN settings:
• PIN validity period in days (90)
When set to 0, the PIN does not expire.
• PIN history size in number of PINs (5)
The user cannot reuse any of the PINs saved in the PIN history when changing PIN.
• Support value signing (off)
PortWise Password
Available global password settings for PortWise Password are listed below. Default values are displayed in parenthesis.
Available global password settings:
• Minimum (6) and maximum (16) number of characters
• Minimum number of letters (2) and numbers (2)
• Allow sequentially-repeated characters (true)
• Disallowed characters (empty)
Note: disallowing the usage of any character reduces the password complexity level, impairing general security.
• Password validity period in days (90)
When set to 0, the password does not expire.
• Password history size in number of saved passwords not eligible for reuse (5)
The user cannot reuse any of the passwords saved in the password history when changing password.
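To show how these settings combine, here is an added Python example (not PortWise code) that checks a candidate password against the PortWise Password defaults listed above, including the history and expiry rules; the violation codes, the cleartext history and the ISO date strings are this example's own conventions:

```python
from datetime import date

# Defaults taken from the manual's PortWise Password settings.
DEFAULT_POLICY = {
    "min_length": 6,
    "max_length": 16,
    "min_letters": 2,
    "min_numbers": 2,
    "allow_repeated": True,   # "Allow sequentially-repeated characters (true)"
    "disallowed": "",         # "Disallowed characters (empty)"
    "history_size": 5,        # saved passwords not eligible for reuse
    "validity_days": 90,      # 0 means the password never expires
}


def check_password(password, policy=DEFAULT_POLICY, history=()):
    """Return a list of violation codes; an empty list means the password is
    accepted. `history` holds the user's previous passwords, oldest first
    (a real system would compare salted hashes, not cleartext)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too_short")
    if len(password) > policy["max_length"]:
        problems.append("too_long")
    if sum(c.isalpha() for c in password) < policy["min_letters"]:
        problems.append("too_few_letters")
    if sum(c.isdigit() for c in password) < policy["min_numbers"]:
        problems.append("too_few_numbers")
    if not policy["allow_repeated"] and any(
        a == b for a, b in zip(password, password[1:])
    ):
        problems.append("repeated_characters")
    if set(password) & set(policy["disallowed"]):
        problems.append("disallowed_characters")
    # Only the most recent `history_size` passwords are blocked from reuse;
    # a size of 0 disables the check (note that list[-0:] would be the whole list).
    size = policy["history_size"]
    recent = list(history)[-size:] if size else []
    if password in recent:
        problems.append("in_history")
    return problems


def password_expired(changed_on, today, policy=DEFAULT_POLICY):
    """True when the password (last changed on `changed_on`, ISO date string)
    has outlived the validity period as of `today`. A period of 0 disables
    expiry, as the manual states; the boundary day is treated as expired
    (an assumption)."""
    if policy["validity_days"] == 0:
        return False
    age = date.fromisoformat(today) - date.fromisoformat(changed_on)
    return age.days >= policy["validity_days"]
```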
PortWise Synchronized
Available global PIN settings for PortWise Synchronized are listed below. Default values are displayed in parenthesis.
PortWise OATH
Available global PIN settings for PortWise OATH are listed below.
Available global PIN settings:
• Offset before prompt: minimum (0), maximum (99), default (3)
Set to 0 to disable
• Look-ahead window size: minimum (0), maximum (1000), default (50)
Set to 0 to disable
Settings
Label Mandatory Description
Minimum Yes Minimum number of characters (1-64) for the PortWise Web password. Set to 6 by default.
Maximum Yes Maximum number of characters (1-64) for the PortWise Web password. Set to 16 by default.
Minimum No Minimum amount of numbers (0-64) the PortWise Web password must contain. Set to 2 by default.
Minimum No Minimum amount of letters (0-64) the Web client password must contain. Set to 2 by default.
Allow sequentially-repeated characters No Allow characters in the password to be sequentially-repeated. Set to True by default.
Disallowed characters No Characters that are not allowed to be used as members in the password. Note: disallowing the usage of any character reduces the password complexity level, impairing general security. Empty by default.
Password expires in No Number of days (0-999) the PortWise Web password lasts before it must be changed. Set to 90 by default.
E-mail Messages
On this tab, you define the e-mail messages sent to users to notify them of new or changed passwords, PINs, or
seeds.
Information
There is no limitation as to allowed number of characters for e-mail messages.
General settings include e-mail recipients, as well as message subject line, header, and footer.
In addition, you can specify different password/PIN/seed messages per authentication method.
E-mail Addresses
In addition to sending e-mail notifications to the users whose accounts have changed due to new or changed passwords, PINs, or seeds, you have the option to specify additional recipients.
Enter e-mail addresses for one or several recipients (use a semicolon to separate several addresses) who will receive e-mail notifications of such events.
E-mail Messages
Specify the message subject line, header and footer.
Default values are listed below:
• Subject line
“Your Authentication Service account has changed”
• Header
“{0} your account {1} has changed“
(The variable {0} is replaced with the user’s name, {1} with the user ID.)
• Footer
“Changed by {2}, PortWise Administrator”
(The variable {2} is replaced with the name of the administrator.)
Seed
For PortWise Synchronized and PortWise Challenge, you can specify the message used to notify users (and any additional recipients) of new seeds to use in the Mobile ID clients Synchronized and Challenge.
Example
Download your Mobile ID client from http://<distribution service host>:<distribution service port>/?seed={0}&mode=c
This renders a Mobile ID client with a pre-configured seed when using a supported mobile phone. Other devices receive
the seed displayed on screen.
Settings
Label Mandatory Description
E-mail Addresses to Notify Yes Additional e-mail addresses (separated by a ; character) the notification message is sent to.
Look-ahead window size Yes Maximum number of ‘next’ HOTP server values to check against the received client HOTP. When the maximum number of authorized attempts is reached, the server will lock out the account. Range: 0-1000, 50 is the default value. Set to 0 to disable.
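The look-ahead window described in this table and under PortWise OATH above can be illustrated with an added Python example (not PortWise code): an RFC 4226 HOTP generator and a server-side verifier that tries the current counter plus `window` next values, advances past a matched counter so an OTP cannot be replayed, and locks the account after `max_attempts` consecutive failures (the attempt limit is an assumption; the manual gives no number). The test secret is the one from RFC 4226's test vectors.

```python
import hashlib
import hmac
import struct

# Secret from RFC 4226 Appendix D (counter 0 -> 755224, counter 1 -> 287082).
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return f"{binary % (10 ** digits):0{digits}d}"


class OathAccount:
    """Server-side state for one OATH (HOTP) user.
    `window` is the manual's look-ahead window size: how many 'next' server
    values beyond the current counter are tried (0 disables look-ahead).
    `max_attempts` is the number of consecutive failures before lockout
    (assumed value; not taken from the manual)."""

    def __init__(self, secret, counter=0, window=50, max_attempts=3):
        self.secret = secret
        self.counter = counter      # next counter value the server expects
        self.window = window
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def _fail(self):
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
            return "locked"
        return "rejected"

    def verify(self, code):
        """Return "ok", "rejected" or "locked". On success the counter moves
        past the matched value, so the same OTP cannot be replayed."""
        if self.locked:
            return "locked"
        code = str(code)
        if not code.isdigit():          # malformed input counts as a failed attempt
            return self._fail()
        for k in range(self.window + 1):
            candidate = self.counter + k
            # Constant-time comparison; a length mismatch is simply a mismatch.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                self.failures = 0
                return "ok"
        return self._fail()
```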
SMS/Screen Messages
On this tab, you define the SMS/Screen messages sent to users (or displayed to them on screen) to notify them of new or changed passwords, PINs, or seeds.
General settings include header and footer of the SMS/Screen message.
In addition, you can specify different password/PIN/seed messages per authentication method.
Seed
For PortWise Synchronized and PortWise Challenge, you can specify the message used to notify users (and any additional recipients) of new seeds to use in the Mobile ID clients Synchronized and Challenge.
The default text is, according to respective authentication method:
“Your new seed for Challenge/Synchronized Authentication is {0}.”
The {0} variable is replaced with the generated seed.
It is possible to distribute the mode Challenge or Synchronized together with the seed, resulting in a pre-configured
Mobile ID Challenge or Synchronized client with injected seed.
To achieve this, use the variables mode=c for Challenge and mode=s for Synchronized.
In the example below, the seed notification includes instructions for Mobile ID client download, a seed, and a variable
which is used to pre-configure the client with PortWise Challenge.
Example
Download your Mobile ID client from http://<distribution service host>:<distribution service port>/?seed={0}&mode=c
This renders a Mobile ID client with a pre-configured seed when using a supported mobile phone. Other devices receive
the seed displayed on screen.
Settings
Label Mandatory Description
Header No Start of the message.
Set to Account Changed by default.
Footer No End of the message.
Certificates
About Certificates
A Certificate Authority (CA) issues the client certificates used in authentication. In order to authenticate a user, the CA certificate is needed.
Some client certificates issued by a CA may be stolen, or in some other way be subject to unintended usage. To cancel an already issued client certificate, the client certificate validation routine checks against a list of cancelled client certificates. This list is called a Certificate Revocation List (CRL). The CRL is distributed through a CRL Distribution Point (CDP).
Supported CDP protocols are HTTP and LDAP.
Rooted at the “root CA”, every subordinate CA depends on a chain of trust between the issuers up to the root. If a CA is compromised, the whole CA and its subordinate CAs are invalid. To check whether a CA is valid or not, the CA issuer produces an Authority Revocation List (ARL) stating which subordinate CAs are not to be trusted.
If you want to use PKI you have to configure each CA you wish to use. You can then use the configured CA when you
add authentication methods of the type User Certificate.
Each CA requires a new authentication method, which makes it possible to have several CAs configured and enabled and then configure which CAs are valid for a specific resource. This is a powerful feature since the trustworthiness of a CA can vary.
There are two prerequisites for managing Certificate Authorities:
• An X.509 v3 certificate must be stored in some persistent form on the application host.
• A CA Root in your user storage in order to create CA objects.
Manage Certificates
In PortWise, you manage three types of certificates:
• Certificate authorities
• Server certificates
• Client certificates
All settings are described in their respective section below.
Address
This can either be an LDAP address (RFC 2255):
Example
ldap://192.168.96.52/CN=win2k%20root%20CA,CN=test-win2k-ad,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2k-ad,DC=thesecurecompany,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
Or an HTTP address:
Example
http://www.posten.se:80/ldap/crl.cer
Update time
When this option is selected, a custom update time is enabled and the update time defined in the system is used.
When not selected, the attribute Next Update Time from the CRL is used.
This setting is not selected by default.
Retry interval
Interval in seconds (allowed range 0 – 31536000) between attempts to retrieve the CRL when it cannot be obtained.
This option is set to 300 by default.
You also specify an Invalid Action for the CA to determine how users authenticated with a user certificate should be
handled if the required and requested CRLs cannot be obtained.
Available Invalid Action options are:
• Denied
Authentication is denied for all users authenticated by user certificate.
• Allowed
Certificate revocation control is performed using the previously retrieved CRL. The system logs that an invalid CRL is used.
NOTE
PEM is the default format for OpenSSL. It stores data as Base64-encoded DER surrounded by ASCII headers, making it suitable for text-mode transfers between systems. DER, on the other hand, can contain private keys, public keys and certificates. It stores data according to the ASN.1 DER encoding and is headerless, whereas PEM is text-header-wrapped DER. DER is the default format for most browsers.
You can specify server certificates for specific IP addresses and ports, which is useful when managing additional listeners.
You specify a display name for the server certificate and connect a certificate to it. Use the View Certificate Details link
for certificate details.
You need to save a private key for the certificate. The key needs to be a PKCS#8 key in either DER or PEM format.
You can also specify a password to be used if the information is encrypted.
A CA is required to complete the entire certificate chain. A specific CA certificate for the server certificate can be selected if the browser does not have the root or intermediate CA used to verify the server certificate.
Information
You can only specify one client certificate per PortWise installation.
You specify a display name for the client certificate and connect a certificate to it. Use the View Certificate Details link
for certificate details.
You need to save a private key for the certificate. The key needs to be a PKCS#8 key in either DER or PEM format.
You can also specify a password to be used if the information is encrypted.
Settings
Information
You should use OCSP as certificate revocation control when possible. If you specify both
CRL and OCSP, the CRL check is performed first and, if the certificate is not found in the
CRL, an OCSP request is performed as a secondary control.
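The revocation control flow described in this section (Update time, Retry interval, Invalid Action, and CRL before OCSP), as an added Python example that is not PortWise code. The Crl, CaSettings and FlakyCdp types, the constructed serial numbers and the OCSP responder are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Crl:
    """Constructed stand-in for a parsed CRL: revoked serials and Next Update (epoch seconds)."""
    revoked: Set[int]
    next_update: float


@dataclass
class CaSettings:
    """The CA settings discussed above; the field names are this example's own."""
    use_custom_update_time: bool = False  # "Update time" check box, not selected by default
    update_time: float = 3600.0           # custom refresh interval in seconds
    retry_interval: float = 300.0         # retry interval for CRL retrieval, 300 s by default
    invalid_action: str = "Denied"        # "Denied" or "Allowed"
    ocsp_enabled: bool = False            # OCSP as secondary control after the CRL check


class RevocationControl:
    def __init__(self, settings: CaSettings, fetch_crl: Callable[[], Optional[Crl]],
                 ocsp_query: Optional[Callable[[int], str]] = None) -> None:
        self.s = settings
        self.fetch_crl = fetch_crl        # returns None when the CDP cannot be reached
        self.ocsp_query = ocsp_query      # returns "good" or "revoked" for a serial
        self.log: List[str] = []
        self.crl: Optional[Crl] = None
        self.fetched_at = float("-inf")
        self.next_attempt = float("-inf")
        self.stale = False                # a refresh was due but no CRL could be obtained

    def _refresh_due(self, now: float) -> bool:
        if self.crl is None:
            return now >= self.next_attempt
        if self.s.use_custom_update_time:
            due = self.fetched_at + self.s.update_time
        else:
            due = self.crl.next_update    # Next Update attribute taken from the CRL itself
        return now >= max(due, self.next_attempt)

    def _refresh(self, now: float) -> None:
        if not self._refresh_due(now):
            return
        fresh = self.fetch_crl()
        if fresh is None:
            self.stale = True
            self.next_attempt = now + self.s.retry_interval
            self.log.append(f"t={now:.0f} CRL retrieval failed, retry in {self.s.retry_interval:.0f}s")
        else:
            self.crl, self.fetched_at, self.stale = fresh, now, False

    def check(self, serial: int, now: float) -> str:
        """Return 'allow' or 'deny' for a user certificate with the given serial number."""
        self._refresh(now)
        if self.crl is None or self.stale:
            # The required CRL cannot be obtained: the Invalid Action decides.
            if self.s.invalid_action == "Allowed" and self.crl is not None:
                self.log.append(f"t={now:.0f} invalid (outdated) CRL used for serial {serial:#x}")
            else:  # "Denied", or "Allowed" with no earlier CRL to fall back on (assumption)
                return "deny"
        if serial in self.crl.revoked:
            return "deny"
        # CRL check first; OCSP only when the certificate was not found in the CRL
        if self.s.ocsp_enabled and self.ocsp_query is not None:
            return "deny" if self.ocsp_query(serial) == "revoked" else "allow"
        return "allow"


class FlakyCdp:
    """Constructed CDP that serves one CRL until it is taken offline."""
    def __init__(self, crl: Crl) -> None:
        self.crl, self.reachable = crl, True

    def fetch(self) -> Optional[Crl]:
        return self.crl if self.reachable else None


def ocsp_responder(serial: int) -> str:
    # Constructed OCSP responder: one serial is revoked but not yet listed in the CRL
    return "revoked" if serial == 0x3003 else "good"


def run_scenario(invalid_action: str, ocsp_enabled: bool = False) -> Dict[str, object]:
    """Drive one CA configuration through a CDP outage and report each decision."""
    cdp = FlakyCdp(Crl(revoked={0x1001}, next_update=1000.0))
    settings = CaSettings(invalid_action=invalid_action, ocsp_enabled=ocsp_enabled)
    rc = RevocationControl(settings, cdp.fetch, ocsp_responder)
    out: Dict[str, object] = {}
    out["revoked_fresh"] = rc.check(0x1001, now=0)        # listed in the fresh CRL
    out["valid_fresh"] = rc.check(0x2002, now=0)          # not listed anywhere
    out["ocsp_revoked"] = rc.check(0x3003, now=0)         # clean in the CRL, revoked per OCSP
    cdp.reachable = False                                  # CDP goes down before Next Update
    out["valid_after_outage"] = rc.check(0x2002, now=1500)
    out["valid_during_retry_wait"] = rc.check(0x2002, now=1600)  # inside the retry interval
    out["log_lines"] = len(rc.log)
    return out
```

With Invalid Action set to Denied every certificate is refused once the CDP is unreachable and the old CRL has expired, while Allowed keeps authenticating against the outdated CRL and records an entry in the log for each such decision.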
Device Definitions
Example
User-Agent=*MSIE*
!User-Agent=*opera* | User-Agent=*safari*
User-Agent=*netscape* | User-Agent=*mozilla*
Settings
Label | Mandatory | Description
Display Name | Yes | Name used in the system to identify the device definition.
Definition | Yes | Prerequisites the device must fulfill in order to be identified correctly.
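An added Python matcher for the device definition syntax shown in the example above; it is not PortWise code. It assumes that each line is one complete definition, that "|" separates alternatives, that a leading "!" negates a term, that "*" is the only wildcard and that matching is case-insensitive; the request headers are constructed.

```python
import re
from typing import Dict, List, Tuple

# The three definitions from the example above; each line is one complete definition.
DEFINITIONS = {
    "msie": "User-Agent=*MSIE*",
    "not_opera_or_safari": "!User-Agent=*opera* | User-Agent=*safari*",
    "netscape_or_mozilla": "User-Agent=*netscape* | User-Agent=*mozilla*",
}

# One term: optional "!" (negation), a header name, "=", and a value pattern with "*" wildcards.
_TERM = re.compile(r"^(!?)([A-Za-z0-9-]+)=(.*)$")


def parse_definition(text: str) -> List[Tuple[bool, str, "re.Pattern"]]:
    """Split a definition on "|" into (negated, header, compiled pattern) terms."""
    terms = []
    for raw in text.split("|"):
        m = _TERM.match(raw.strip())
        if m is None:
            raise ValueError(f"malformed term in device definition: {raw.strip()!r}")
        negate, header, glob = m.groups()
        # Only "*" is special; everything else is matched literally and case-insensitively (assumption)
        regex = "^" + ".*".join(re.escape(part) for part in glob.split("*")) + "$"
        terms.append((negate == "!", header.lower(), re.compile(regex, re.IGNORECASE | re.DOTALL)))
    return terms


def is_valid_definition(text: str) -> bool:
    """Validation hook for the Definition field: reject text that does not parse."""
    try:
        parse_definition(text)
    except ValueError:
        return False
    return True


def matches(definition: str, headers: Dict[str, str]) -> bool:
    """True when any "|"-alternative is satisfied; a missing header is matched as an empty string."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for negate, header, pattern in parse_definition(definition):
        hit = pattern.match(lowered.get(header, "")) is not None
        if hit != negate:  # positive term matched, or negated term did not match
            return True
    return False


def classify(headers: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate every example definition against one request's headers."""
    return {name: matches(text, headers) for name, text in DEFINITIONS.items()}


# Constructed request headers for the demonstration
IE_REQUEST = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}
OPERA_REQUEST = {"User-Agent": "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"}
NO_UA_REQUEST: Dict[str, str] = {}
```

Note that a request without a User-Agent header satisfies the negated definition, so a definition built only from "!" terms identifies clients that send nothing at all.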
Delegated Management
Information
The roles Help Desk and Super Administrator are predefined roles, and they cannot be
deleted.
Roles are used as alert receivers in the Monitor System section, Manage Alerts page.
Selected roles receive notification messages about selected alert events. If you plan to use the new role for alerts, you need to ensure that the selected users have registered e-mail addresses and/or cell phone numbers.
A role can be assigned to Administrators.
Role Settings
Role settings are displayed in tabs representing the privileges selected. Each privilege has a separate set of settings
available. The Add Role wizard is adjusted accordingly.
The privileges View logs and Publish are not editable; they allow for use of the functionality View logs and Publish respectively.
General Settings and Administrators are common settings for all roles, and are described below:
Help Desk
Settings available for the predefined role Help Desk include:
• General Settings
This tab includes display name and description of the role as well as the option to add available privileges to
the role.
• User accounts
This tab includes the option to select user groups containing specific user accounts which the role will be
allowed to manage.
• Administrators
This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID; the wildcard character * is allowed for a complete search.
Super Administrator
Settings available for the predefined role Super Administrator also include:
• General Settings
This tab includes display name and description of the role as well as the option to add available privileges to
the role.
• Administrators
This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID; the wildcard character * is allowed for a complete search.
Resources
• General Settings
This tab includes display name and description of the role as well as the option to add available privileges to
the role.
• Resources
This tab includes the option to select registered resources which the role will be allowed to manage.
• Administrators
This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID; the wildcard character * is allowed for a complete search.
Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the role.
Description | No | Can be used to give a more detailed description of the role.
Directory Services
Information
It is possible to choose not to use a directory service with PortWise, but this entails
great limitations to PortWise functionality since it eliminates features associated with
the use of user storage and user accounts.
PortWise uses the directory service for storage of user accounts and credentials for authorization and authentication.
A directory service supporting LDAP, for storing for example user information, is recommended when using PortWise.
A directory service was initially configured during the Setup System wizard.
Please refer to the chapter Manage Accounts and Storage for further information on how PortWise uses the directory service.
General Settings
You need to specify at least the IP address or DNS name of the primary host, but you also have the option to set up a secondary host. A listening port is also required; usually this is set to 389 for LDAP and 636 for secure LDAP.
Directory service administrator credentials are also specified, for example as a DN, ID, or similar to an account with read-and-write permissions on the directory service from the specified location. This enables PortWise to read and store user information on the directory service.
To specify the Location DN, you can use the Show Tree functionality. This allows you to browse your directory service
structure to the exact applicable locations.
Furthermore, you specify the number of seconds (allowed range 1-300) the Authentication Service waits for a connection before the Secondary Host is connected. This is set to 15 seconds by default.
The number of allowed retries for the Primary Host is set to 0 by default. When set to 0, each failed connection attempt to the Primary Host results in the Secondary Host being connected, provided a secondary host has been configured.
It is possible to change type of directory service without the need to re-install or re-configure PortWise.
Communication Settings
You set up the communication between the directory service and PortWise using the host and port specified in the General Settings section. To secure this communication, you have the option to use SSL and an associated CA certificate. When SSL is used, the CA certificate is required.
This is not configured by default.
Advanced Settings
Information
Advanced settings are only available if you have selected Other or Customized configuration of listed directory services.
You have the option to specify an Object Class which is used to store user accounts. Object classes allow you to control
which attributes are required and allowed in an entry.
Example
organizationUnit
Naming
This attribute is the relative name of the object class; it holds the object ID that is automatically generated by the system.
Storing
This attribute is the common object class attribute name used to store the attributes of the storage objects.
Example
searchGuide (for Active Directory)
It specifies the attribute name used for storing all property data. It is recommended that the LDAP attribute size is at least 5 kB.
Unique name
This attribute is the common object class attribute name used to store the unique name (or a unique ID) of the storage
object.
Example
l (for locality)
Settings
Label | Mandatory | Description
Primary Host | Yes | IP address or DNS name of the primary directory service.
Secondary Host | No | IP address or DNS name of the secondary directory service.
Port | Yes | Listening port for the directory service.
Account | Yes | DN, ID or similar (depending on type of directory service) to an administrative account with read and write permissions on the directory service.
Password | Yes | Password for Account.
Location DN | Yes | Location where PortWise users are stored.
Time-out | Yes | Number of seconds (1-300) the Authentication Service waits for a connection, before the Secondary Host is connected. Set to 15 by default.
Retries | Yes | Number of retries for the Primary Host. Set to 0 by default.
Enable change of directory service type | No | Not selected by default. It is strongly recommended that you do not change directory type if you have active accounts registered.
Directory Service Type | Yes | Available options are: Microsoft Active Directory, OpenLDAP, Sun Java System Directory Server, Novell eDirectory, Other or Customized configuration of listed directory services.
Advanced Settings
Label | Mandatory | Description
Object Class | No | Name of the object class used to store PortWise users.
Notification Settings
A host and a port for the e-mail server are required, with default set to localhost and 25 respectively.
You also specify a sender’s e-mail address.
Example
admin@portwise.com
Settings
Label | Mandatory | Description
Enable e-mail channel | No | Not selected by default.
Each one of these plug-ins has different settings depending on the requirements of that specific protocol.
It is also possible to write new plug-ins for integration with other gateway protocols.
Label | Mandatory | Description
Replace prefix | No | If the prefix of the mobile number is incorrect for the service it can be replaced with a new prefix, e.g. replace 00 with +. In this case enter 00 as Replace Prefix and + as New Prefix below.
New prefix | No | The new prefix that shall replace the one triggered above.
Response Parsing tab
Label | Description
Success Response Codes | The HTTP Response Codes that indicate success; 200, 201, 202 selected by default.
Failure Response Codes | The HTTP Response Codes that indicate failure; 400, 401, 402 selected by default.
Success Response Body | Contents in the HTTP Response Body that indicate success.
Failure Response Body | Contents in the HTTP Response Body that indicate failure.
Variables
The following variables can be used in all texts; they are replaced with the corresponding content from the user account. Variables are written surrounded by brackets and preceded by a dollar sign, e.g. [$user-mobile].
Variable Name | Description
message | The notification message that should be sent.
user-id | The ID of the user.
user-display-name | The display name of the user.
user-mobile | The mobile number of the user (processed).
user-mobile-raw | The mobile number of the user (unprocessed).
user-mail-address | The mail address of the user.
administrator-id | The ID of the Administrator.
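An added Python sketch of the notification plug-in steps described above (prefix replacement, [$variable] expansion and Response Parsing); it is not PortWise code. The account field names, the precedence between body contents and response codes, and the percent-encoding of values placed in a URL are this example's assumptions.

```python
import re
from typing import Dict, Iterable, Mapping, Set
from urllib.parse import quote

# Variables are written [$name], e.g. [$user-mobile]
_VAR = re.compile(r"\[\$([a-z-]+)\]")


def process_mobile(raw: str, replace_prefix: str = "", new_prefix: str = "") -> str:
    """Apply the Replace prefix / New prefix settings, e.g. turn 00... into +..."""
    if replace_prefix and raw.startswith(replace_prefix):
        return new_prefix + raw[len(replace_prefix):]
    return raw


def build_variables(account: Mapping[str, str], message: str, administrator_id: str,
                    replace_prefix: str = "", new_prefix: str = "") -> Dict[str, str]:
    """The variable table above, filled from a user account (the account keys are constructed)."""
    raw = account["mobile"]
    return {
        "message": message,
        "user-id": account["id"],
        "user-display-name": account["display_name"],
        "user-mobile": process_mobile(raw, replace_prefix, new_prefix),
        "user-mobile-raw": raw,
        "user-mail-address": account["mail"],
        "administrator-id": administrator_id,
    }


def unknown_variables(template: str, variables: Mapping[str, str]) -> Set[str]:
    """Names used in the template that the variable table does not define."""
    return {name for name in _VAR.findall(template) if name not in variables}


def expand(template: str, variables: Mapping[str, str], url_encode: bool = False) -> str:
    """Replace every [$name] with its value; unknown names are an error, not silently kept."""
    missing = unknown_variables(template, variables)
    if missing:
        raise KeyError(f"unknown variables: {sorted(missing)}")

    def substitute(m: "re.Match") -> str:
        value = variables[m.group(1)]
        # Values placed in a gateway URL (display names come from user data) are percent-encoded
        return quote(value, safe="") if url_encode else value
    return _VAR.sub(substitute, template)


def classify_response(status: int, body: str,
                      success_codes: Iterable[int] = (200, 201, 202),
                      failure_codes: Iterable[int] = (400, 401, 402),
                      success_body: str = "", failure_body: str = "") -> str:
    """Response Parsing: decide success/failure from HTTP status and body.
    Precedence is this example's assumption: failure body, failure code, success body, success code."""
    if failure_body and failure_body in body:
        return "failure"
    if status in set(failure_codes):
        return "failure"
    if success_body and success_body in body:
        return "success"
    if status in set(success_codes):
        return "success"
    return "unknown"


# Constructed user account for the demonstration
ACCOUNT = {"id": "jsmith", "display_name": "John Smith", "mobile": "0046701234567",
           "mail": "john.smith@example.com"}
```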
Policy Services
The Policy Service makes the access decisions depending on access policies. These policies rely on who wants to have access, which resource or service the user is requesting, which communication channel the request comes through, and which authentication method is needed. In PortWise, these policies are called Access Rules.
Access rules protect resources by allowing or denying access, and by specifying the requirements for a particular user,
resource, or communication channel. Additionally, business related conditions can be customized for different services.
For example, only customers who are allowed credit are able to use the ordering function.
The Policy Service provides complete control over authentication, and supports several authentication methods, such as
static and dynamic passwords, PKI, and challenge-response.
A number of systems for authentication can be integrated, and products not managed directly by the Policy Service can
be integrated using the Extension Programming Interface (XPI).
The Policy Service can connect to multiple authentication systems and CAs. By using caching technology, the solution
can scale to serve a large amount of users while sustaining high performance.
In a traditional solution, the user is first authenticated and then the user information is connected followed by the log
information. The Policy Service works with the requested service or communication channel as a starting point. Thus,
the resource and channel constitute the requirements for access, regarding authentication method and its associated
roles for that particular resource or service.
General Settings
Policy Service configuration includes display name as well as the following general settings.
Service ID
When a Policy Service is added to the system, a service ID is automatically generated. The service ID is displayed for the
Policy Service in the Registered Policy Services list on the Manage Policy Service page, as well as when editing the
Policy Service.
The service ID must be entered when the service is installed.
Internal Host
IP address or DNS name of the Policy Service, used for communication in the PortWise network. Avoid using the IP address 0.0.0.0 to listen to all local IP addresses. Instead, select the Listen on all interfaces check box.
Internal Port
Incoming port for the Policy Service. Set to 8301 by default.
Please refer to the PortWise Extension Programming Interface (XPI) documentation available on the PortWise dashboard.
The XPI: Web Services settings include specifying host and incoming port. If XPI: Web Services is enabled, you define
which server certificate to use.
Settings
Label | Mandatory | Description
Service ID | No | Identification number automatically assigned to the Policy Service when it is created.
Display Name | Yes | Unique name used in the system to identify the Policy Service.
Internal Host | Yes | IP address or DNS name of the Policy Service, used for communication in the PortWise network.
Internal Port | Yes | Incoming port for the Policy Service. Set to 8301 by default.
Listen to all interfaces | No | Specifies what interfaces the service listens to. Not selected by default.
Distribute key files automatically | No | Selected by default.
Communication Settings
The global settings for Policy Services include:
• Interval for checks for timed-out sessions
• Life-time in cache for a user
• Heartbeat interval for status checks
Information
This setting applies to the entire PortWise network
• Limit for the number of missing heartbeats before the Policy Service re-connects to the network, if the server has not answered the status request
The default Missing Heartbeat Limit and Heartbeat Interval together give a time of 2 minutes (12 x 10 seconds).
• Option for the Policy Service to send cache specification to the Access Point, for the Access Point to cache
authorization decisions
Settings
Label | Mandatory | Description
Time-out Check Interval | Yes | Interval in seconds (0-3600) at which checks for timed-out sessions are performed. Set to 1 by default.
User Life Time in Cache | Yes | Number of seconds (0-31536000) a user is cached before being reloaded from storage (regardless of user activity). Set to 900 by default.
Heartbeat Interval | Yes | Interval in seconds (1-30) at which status checks are performed. Set to 10 by default.
RADIUS Configuration
Example
User-Name=John Smith
NAS-IP-Address=127.0.0.3
NAS-Port=8192
Integer values can be entered either in decimal form (8192) or in hexadecimal form (0x2000).
Settings
Label | Mandatory | Description
Client IP | Yes | IP address for the RADIUS client.
Shared Secret | Yes | Shared secret between the RADIUS client and the Authentication Service.
Verify Shared Secret | Yes | Verification of Shared Secret.
Information
Remember to select the Proxy unknown users check box on the Manage RADIUS
Authentication Settings page.
The RADIUS back-end server general settings include host (IP address or DNS name), port and a display name for the back-end server.
You are required to specify the time in milliseconds (1000-99000) the Authentication Service waits for a back-end server reply, before trying to connect the next back-end server in the list.
You also need to specify a shared secret between the RADIUS back-end server and the Authentication Service.
Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the back-end server.
Host | Yes | IP address or DNS name of the back-end server.
Port | Yes | Port for the back-end server. Set to 1812 by default.
Time-out | Yes | Time in milliseconds (1000-99000) the Authentication Service waits for a back-end server reply, before trying to connect the next back-end server in the list. Set to 5000 by default.
Shared Secret | Yes | Secret shared between the Authentication Service and the back-end server.
Verify Shared Secret | Yes | Verification of Shared Secret.
Import
In this section you can import the file containing the seed and counter data for the hardware tokens that will be
used by your users. The first import alternative should be used when you receive tokens from a new provider. Use
the second alternative to add new tokens to an existing provider.
When importing new token data, the various import parameters should have been handed to you by the token provider. These include the delimiter separating the different attributes (fields) and the positions of token ID, seed, and counter in the file. Note that if the seed and counter are base64 encoded, the corresponding check box should be checked. If importing to an already existing provider, it is important that the new tokens have token IDs that do not conflict with those already in the database. If you enter a provider name which already exists in the database, the tokens are appended to the list of that provider.
An example of a row in a token file. Note that we choose to ignore data at position 1 below.
Example
00000100:8:3132333435363738393031323334353637383930:0
Delimiter: ‘:’
TokenId Position: 0
Seed Position: 2
Counter Position: 3
Label | Mandatory | Description
Seed Position | Yes | The field position of Seed within the token file, first column being 0.
Counter Position | Yes | The field position of Counter within the token file, first column being 0.
Token File | Yes | File containing OATH tokens, one token for each row and with fields separated with the Delimiter symbol(s).
Base64 Encoded | Yes | Selected when seed and counter are base64 encoded.
Confirm
Before importing, a brief presentation page of what will be imported is shown. The first part of the page shows the entered data: Provider Name, OTP Length, Delimiter, and whether seed and counter are base64 encoded. The second part shows a row from the file and how token ID, seed, and counter are read from its columns, giving the user a chance to stop the import if the positions entered were incorrect.
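The import and Confirm steps above, as an added Python example that is not PortWise code: the file is split according to the delimiter and positions, Base64 seeds and counters are decoded, conflicting token IDs are rejected, and RFC 4226 HOTP is computed from each seed and counter as a check that the positions were entered correctly. The second file row, the Base64 row and the reading of a Base64 counter as a big-endian integer are constructed assumptions.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed token file; the first row is the one shown in the example above.
TOKEN_FILE = """00000100:8:3132333435363738393031323334353637383930:0
00000101:8:3132333435363738393031323334353637383930:5
"""

# The same first token with seed and counter Base64 encoded (constructed).
TOKEN_FILE_B64 = "00000100:8:MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=:AA==\n"


@dataclass
class ImportSettings:
    """Import parameters as handed over by the token provider (field names are this example's)."""
    delimiter: str = ":"
    token_id_position: int = 0
    seed_position: int = 2
    counter_position: int = 3
    base64_encoded: bool = False
    otp_length: int = 8


@dataclass
class Token:
    token_id: str
    seed: bytes
    counter: int


def parse_token_file(text: str, settings: ImportSettings,
                     existing_ids: FrozenSet[str] = frozenset()) -> List[Token]:
    """Read one token per row, rejecting rows with too few fields and duplicate token IDs."""
    needed = max(settings.token_id_position, settings.seed_position, settings.counter_position) + 1
    seen, tokens = set(existing_ids), []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(settings.delimiter)
        if len(fields) < needed:
            raise ValueError(f"line {lineno}: expected at least {needed} fields, got {len(fields)}")
        token_id = fields[settings.token_id_position]
        seed_field, counter_field = fields[settings.seed_position], fields[settings.counter_position]
        if settings.base64_encoded:
            seed = base64.b64decode(seed_field, validate=True)
            # Base64 counter read as a big-endian unsigned integer (assumption)
            counter = int.from_bytes(base64.b64decode(counter_field, validate=True), "big")
        else:
            seed = bytes.fromhex(seed_field)     # hex seed, as in the example row
            counter = int(counter_field, 10)
        if token_id in seen:
            raise ValueError(f"line {lineno}: token ID {token_id} conflicts with an existing token")
        seen.add(token_id)
        tokens.append(Token(token_id, seed, counter))
    return tokens


def confirm_view(text: str, settings: ImportSettings) -> Dict[str, str]:
    """What the Confirm page shows: how the first row is split into token ID, seed and counter."""
    first = next(line for line in text.splitlines() if line.strip())
    fields = first.split(settings.delimiter)
    return {"token_id": fields[settings.token_id_position],
            "seed": fields[settings.seed_position],
            "counter": fields[settings.counter_position]}


def hotp(seed: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def first_otps(text: str, settings: ImportSettings) -> Dict[str, str]:
    """Next OTP for every imported token, a sanity check of the seed and counter positions."""
    return {t.token_id: hotp(t.seed, t.counter, settings.otp_length)
            for t in parse_token_file(text, settings)}


def import_conflicts(text: str, settings: ImportSettings, existing_ids: FrozenSet[str]) -> bool:
    """True when the file cannot be appended to the provider because of a token ID clash."""
    try:
        parse_token_file(text, settings, existing_ids)
    except ValueError:
        return True
    return False
```

The example seed is the RFC 4226 test key, so the 8-digit OTP for counter 0 ends in the familiar 755224; a wrong Seed Position or Counter Position shows up immediately as a different value.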
Note that backups are resource-consuming. Therefore, it is recommended to run them at the time of day with the least load on the system. When deciding how frequently to run backups you may use this formula as a guideline: divide the “look-ahead window size” setting by the average number of user log-ons per day.
To avoid flooding the system with backup files, rollover is used. Depending on the backup interval, the number of
useful backups can vary. Finally, to guarantee backups in the event of a system failure, remember to include the
backup directory ({PortWise Administrator}/plugins/root/download/oath/backup/scheduled) in the system backups.
Settings
10
Glossary
A
Access Rules
Define specific requirements for access to resources and SSO domains. The access rules can be used in combination for
more detailed access control. Example: (access rule A AND access rule B) AND (Access rule C OR access rule D).
ASCII
American Standard Code for Information Interchange. Standard 8 bit code used in data communications. Many files
interchanged from one software program to another and from IBM to Mac formats go through translation into ASCII.
ASN.1
Abbreviation for Abstract Syntax Notation One, a standard notation describing data structures for representing, encoding, transmitting, and decoding data. ASN.1 provides a set of formal rules for describing the structure of objects that are independent of machine-specific encoding techniques.
Authentication
The process of verifying the identity of an individual connecting to a system. Identities are verified through different
authentication methods. See also: Authentication Method, Access Rules
Authentication Method
A procedure used to perform authentication. Different authentication methods provide different levels of proof when
identifying a user connecting to a system: from verifying basic static passwords to handling complex combinations of
challenges, encryption keys, and passwords. See also: Authentication
Authentication Server
A server used in application access control. For access to specific network resources, the server may itself store user
permissions and company policies or provide access to directories that contain the information. Examples of authentication servers are PortWise 4.7 Authentication Service, SecurID and SafeWord. See also: Authentication
Authorization
The process of granting or denying access to a system resource. See also: Authentication Method, Access Rules
B
BankID
BankID is a service that offers secure electronic identification and signature on the Internet, which is now legally binding
in the EU. The service has been developed by a number of large banks for use by members of the public, authorities,
companies, and other organizations.
Base64
A method of encoding binary data sent as an attachment through email. Base64 encoding divides three bytes of data
into four bytes of ASCII text, making the resulting file size approximately 33% larger.
Base DN
Identifies the root node of the LDAP data store pointing to the directory containing user data.
C
CA
Abbreviation for Certificate Authority, a trusted third-party organization or company that issues digital certificates. The
role of the CA is to validate the identity of the individual holding the certificate and to sign the certificate so that it
cannot be forged.
CA Certificate
Abbreviation for Certificate Authority Certificate, a certificate that identifies a certification authority. CA certificates
are used to decide whether to trust certificates issued by the CA, for example when a Web browser validates a server
certificate.
Cipher
A cryptographic algorithm used to encrypt and decrypt files and messages.
Client Certificate
An attachment to an electronic message used for security purposes. The client certificates are associated with user accounts to authenticate users and give access to protected resources.
CDP
Abbreviation for CRL Distribution Point, the point from which a Certificate Revocation List is distributed. See also: CRL
Client Device
The software of a client that communicates with the server. The client device may include operating system, plug-ins,
specific configurations and the proxies/gateways that the client communicates through. Examples of client devices are:
Netscape 7, Windows, Macintosh, Internet Explorer and WAP-phone. A client device may be combination of entities. For
example, this combination may be present for a single device: Windows, Internet Explorer and Internet Explorer 6.
CRC
Abbreviation for Certificate Revocation Control. A control performed by the system to make sure that the user certificate
is not revoked.
CRL
Abbreviation for Certificate Revocation List. A document maintained and published by a certification authority that lists
certificates that have been revoked.
CVC
Abbreviation for Certificate Authority Validity Control, a control performed by the system on the user certificate to verify
that a trusted CA has issued the User Certificate.
D
Delegated Management
A feature used to delegate administration of user accounts and resources to multiple administrators with different privileges and responsibilities.
DER
Abbreviation for Distinguished Encoding Rules, used to encode ASN.1 objects for a consistent encoding using a binary
format. Microsoft Internet Explorer understands certificates downloaded in this format. See also: ASN.1
Device
See Client Device
Digital Certificate
Digital certificates are used to identify people and resources over networks such as the Internet. Digital certificates enable secure communication between two parties. A trusted third-party organization or company, Certificate Authority,
issues certificates. The certificate contains the public key and the name of its owner. The user certificate also carries the
digital signature of a Certification Authority to verify its integrity. See also: CA
Directory Service
A directory of names, profile information and machine addresses of every user and resource on the network. It is used
to manage user accounts and network permissions. When sent a user name, it returns the attributes of that individual,
which may include a telephone number as well as an e-mail address. Directory services use highly specialized databases
that are typically hierarchical in design and provide fast lookups.
Directory Service User Group
A user group containing all users belonging to a certain user group defined in an existing directory service.
Display Name
Defines the unique name used in the system to identify an object.
Distribution Channel
The media channel through which information is sent. For example, MobileID can send information via SMS or SMTP.
DMZ
Abbreviation for Demilitarized Zone, a middle ground between an organization’s trusted internal network and an untrusted, external network such as the Internet. It is recommended that the Access Point is placed in the DMZ.
DN
Abbreviation for Distinguished Name, used as primary key to entries in directory services. For example, a DN for where
users reside in the directory service could be cn=users,dc=mycompany,dc=com.
DNS
Abbreviation for Domain Name System, a name resolution system that allows users to locate computers on a Unix network or the Internet (TCP/IP network) by domain name. The DNS server maintains a database of domain names (host names) and their corresponding IP addresses. For example, if www.mycompany.com was presented to a DNS server, the IP address 204.0.8.51 would be returned.
E
Encryption
Any procedure used in cryptography to convert plaintext into ciphertext in order to prevent anyone except the intended
recipient from reading that data.
F
Firewall
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both
hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users
from accessing private networks connected to the Internet, especially intranets. The firewall is normally installed at the
point where network connections enter a site, normally named DMZ.
FTP
Abbreviation for File Transfer Protocol, a protocol used to transmit files between computers on the Internet. See also:
TCP
H
Host
A computer, for example a server, that acts as a source of information or signals. It is connected to a TCP/IP network,
including the Internet. A host has a specific local or host number that, together with the network number, forms its
unique IP address.
HTTP
Abbreviation for HyperText Transfer Protocol, a protocol used to transmit files over the World Wide Web.
HTTPS
Abbreviation for HTTP with SSL encryption for security. See also: HTTP, SSL
L
LDAP
Acronym for Lightweight Directory Access Protocol, a client-server protocol for accessing and managing directory information.
Log Levels
Indicate the severity of a message stored in a log: fatal, warning, info, or debug.
M
MIME
Abbreviation for Multipurpose Internet Mail Extensions. A protocol for Internet e-mail that enables the transmission of
non-text data such as graphics, audio, video and other binary types of files.
N
NTLM
Abbreviation for NT LAN Manager, a protocol used for authentication.
O
OATH
OATH (Open AuTHentication) is an authentication method that uses OTPs for authentication. OTPs are generated from a seed and a counter.
OpenSSL
An open source implementation of the SSL and TLS protocols. See also: SSL, TLS
OU
Abbreviation for Organizational Unit, a standard naming attribute used in LDAP. See also: LDAP
P
PEM
Acronym for Privacy Enhanced Mail, a standard for secure e-mail on the Internet. It supports encryption, digital signatures and digital certificates as well as both private and public key methods.
PIN
Acronym for Personal Identification Number. A private code used for identification of an individual.
PKI
Abbreviation for Public Key Infrastructure, a framework for creating a secure method for exchanging information based
on public key cryptography.
Port
A port is usually an interface through which data are sent and received.
Proxy
A server that is placed between a client application, such as a Web browser, and a real server. It intercepts all requests
to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.
R
RADIUS
Acronym for Remote Authentication Dial-In User Service, the de facto standard protocol for authentication servers.
RADIUS uses a challenge/response method for authentication.
Resource
A corporate application users can access from a remote location. Available resource types in PortWise 4.7 are Web
resources, tunnel resources, file share resources and customized resources.
Resource Host
Defines the computer where the resource is deployed. A resource host is identified through its unique IP address. A Web
resource host or customized resource host can have one or several paths connected to it.
Resource Path
Defines the route to a specific part of the web resource host or customized resource host, for example http://www.resourcehost.com/path/, where the resource path defines a subset of the resource host. Resource paths are defined when user access should be restricted to that specific subset only.
S
SAML
Acronym for Security Assertion Markup Language, an XML standard for exchanging authentication and authorization
data between an identity provider and a service provider. PortWise 4.7 supports SAML 2.0.
Seed
An initial secret value from which pseudorandom numbers or one-time passwords are derived; in OTP schemes it is shared
between the token and the authentication server. Used when authenticating with PortWise Challenge, for example.
Server Certificate
Server certificates ensure that communication between clients and application servers is authenticated and private. The
client checks the certificate against its trusted CAs to verify the identity of the server and uses the public key in it
to establish the encrypted SSL/TLS session.
Shared Secret
A shared secret is used, for example, between the Authentication Service and a RADIUS client to hide passwords in
authentication requests and to authenticate the messages exchanged. The shared secret is set manually by the Administrator;
because anyone who captures RADIUS traffic can test guesses of the secret offline, it should be long and random.
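The way the shared secret masks a password in a RADIUS Access-Request, referred to in the RADIUS and Shared Secret entries above, is shown here as an added example; it is not PortWise code. It implements the User-Password hiding of RFC 2865 section 5.2 in both directions and adds a small dictionary check that illustrates why the secret must be strong: the hiding is keyed obfuscation with MD5, not authenticated encryption, so a captured request can be tested against candidate secrets offline. The secret, password, authenticator and candidate list are constructed for the example.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as RFC 2865 section 5.2 prescribes.

    The password is NUL-padded to a multiple of 16 octets. Each 16-octet
    block is XORed with MD5(secret + previous block), where the "previous
    block" for the first block is the 16-octet Request Authenticator and
    for later blocks the previous ciphertext block.
    """
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = _xor(padded[i:i + 16], b)
        out += c
        prev = c
    return out


def reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it.

    Trailing NUL padding is stripped, which is why RFC 2865 passwords
    cannot themselves end in a NUL octet.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        out += _xor(hidden[i:i + 16], b)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def recover_with_dictionary(hidden: bytes, authenticator: bytes, candidates):
    """Offline guess of a weak shared secret from one captured request.

    A wrong secret yields pseudorandom bytes; the right one yields a
    plausible password. Here "plausible" means printable ASCII, which is
    enough to show why a short or dictionary-word secret is unsafe.
    """
    for guess in candidates:
        pw = reveal_password(hidden, guess, authenticator)
        if pw and all(0x20 <= c < 0x7F for c in pw):
            return guess
    return None


if __name__ == "__main__":
    # Constructed values for the demonstration only.
    shared_secret = b"correct horse battery staple"
    authenticator = secrets.token_bytes(16)     # client picks a fresh random one per request
    hidden = hide_password(b"Sup3rS3cret!", shared_secret, authenticator)
    print("hidden:", hidden.hex())
    print("revealed:", reveal_password(hidden, shared_secret, authenticator))
    print("guessed secret:", recover_with_dictionary(
        hidden, authenticator, [b"secret", b"radius", shared_secret]))
```

The Request Authenticator must be fresh and unpredictable for every request: if it repeats, two requests with the same secret reuse the same MD5 keystream, and XORing the two hidden passwords reveals the XOR of the plaintexts.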
SMS
Abbreviation for Short Message Service, a service for sending messages of up to 160 characters (using the 7-bit GSM alphabet;
70 characters in UCS-2) to cell phones that use Global System for Mobile (GSM) communication.
SMPP
Abbreviation for Short Message Peer-to-Peer protocol. SMPP is a telecommunications industry protocol for exchanging
SMS messages between SMS peer entities such as short message service centres.
SSL
Acronym for Secure Sockets Layer, a commonly used protocol for securing message transmission on the Internet and the
predecessor of TLS. SSL uses public-key cryptography, including digital certificates, to authenticate the server and to
negotiate the symmetric keys that encrypt the session.
SSO
Abbreviation for Single Sign-On, the ability for users to log on once to a network and be able to access all authorized
resources. A single sign-on program accepts the user’s name and password and automatically logs on to all appropriate
servers.
SSO Domain
A collection of resources that share the same logon credentials. A user can have logon credentials for several SSO
domains.
T
TCP
Abbreviation for Transmission Control Protocol, a connection-oriented transport layer protocol that delivers a reliable,
ordered byte stream between applications (RFC 793). Application protocols such as HTTP and FTP run over it. See also: FTP
TLS
Abbreviation for Transport Layer Security, the successor of SSL, a protocol intended to secure and authenticate communications
across public networks by using data encryption. See also: SSL
Tunneling
A technology that enables a network to send its data via another network’s connections. Tunneling works by encap-
sulating a network protocol within packets carried by the second network. Tunnels are often used to transmit non-IP
protocols across IP networks.
U
UDP
Abbreviation for User Datagram Protocol, a transport layer protocol for the Internet. It is a connectionless datagram protocol
that adds port-based multiplexing and an optional checksum to IP datagrams but gives no guarantee of delivery or ordering;
RADIUS, for example, runs over UDP. It is defined in RFC 768.
URI
Abbreviation for Uniform Resource Identifier, a formatted string that serves as an identifier for a resource, typically on
the Internet. URIs are used in HTML to identify the anchors of hyperlinks. URIs in common practice include URLs. See
also: URL
URL
Abbreviation for Uniform Resource Locator, a unique, identifying address of any particular page on the Web. See also:
URI
User Certificate
See Client Certificate
User Group
A collection of users which share the same properties regarding access rights. There are three types of user groups: User
Location Group, User Property Group and Directory Service User Group.
User Location Group
A user group which contains all users located under a specific node in the directory tree.
W
WAP
Acronym for Wireless Application Protocol. A set of communication protocol standards to enable access to online services
from a cell phone.
X
X.509
A specification for digital certificates published by the ITU-T (International Telecommunication Union, Telecommunication
Standardization Sector). It specifies the information and attributes that bind a public key to the identity of a person or
system.
Colophon
The PortWise Manual is a collaborative effort from many talented people, bringing together their collective
knowledge and expertise to bring you the PortWise Manual.
PortWise is always interested in feedback from our users. Please direct comments or questions to the PortWise
Documentation Team at documentation@portwise.com. Please include PortWise Manual in the subject line
in your e-mail.
P/N: 700-180500-100