
PortWise 4.7 Manual

Version: 1.5
II Copyright Notice

IMPORTANT NOTICE
PortWise 4.7 Manual
Version: 1.5
Copyright © 2009 PortWise AB. All rights reserved.

Warranty Disclaimer
This manual, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such
license. The content of this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by PortWise AB. PortWise AB assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation. Except
as permitted by such license, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, recording, or otherwise, without the prior written permission of PortWise AB.
Notice to U.S. government end users. The software and documentation are “commercial items” as that term is defined at 48 C.F.R. §2.101, consisting
of “commercial computer software” and “commercial computer software documentation”; as such terms are used in 48 C.F.R. §12.212 or 48 C.F.R.
§227.7202, as applicable. Consistent with 48 C.F.R. §12.212 or 48 C.F.R. §§227.7202-1 through 227.7202-4, as applicable, the commercial computer
software and commercial computer software documentation are being licensed to U.S. government end users (A) only as commercial items and (B) with
only those rights as are granted to all other end users pursuant to the terms and conditions set forth in the PortWise standard commercial agreement
for this software. Unpublished rights reserved under the copyright laws of Sweden.
PortWise and the PortWise logo are registered trademarks of PortWise AB. All other trademarks are the property of their respective owners.
Part Number: 700-180500-100


Table of Contents

Introduction.............................................................................................................................................17
PortWise 4.7 Manual......................................................................................................................................... 17
Target Audience........................................................................................................................................... 17
Other Resources.......................................................................................................................................... 17
Conventions Used in this Publication............................................................................................................ 18
Contacting PortWise Documentation Department........................................................................................ 18
References................................................................................................................................................... 18
Getting Started................................................................................................................................................. 18
Reading Suggestions......................................................................................................................................... 19
Customer Support............................................................................................................................................. 20

PortWise Overview..................................................................................................................................21
Product Overview.............................................................................................................................................. 21
Assessment................................................................................................................................................. 21
Authentication............................................................................................................................................. 22
Authorization.............................................................................................................................................. 23
Access......................................................................................................................................................... 23
Auditing...................................................................................................................................................... 23
Abolishment................................................................................................................................................ 24

PortWise 4.7 Technical Overview............................................................................................................25
Administration Service....................................................................................................................................... 25
Access Point...................................................................................................................................................... 26
Advanced Access Point Features........................................................................................................................ 26
Load Balancing............................................................................................................................................ 26
Trusted Gateways........................................................................................................................................ 27
Cipher Suites............................................................................................................................................... 27
Link Translation and DNS Mapping.............................................................................................................. 27
Policy Service.................................................................................................................................................... 27


Resources.................................................................................................................................................... 28
Standard Resources..................................................................................................................................... 28
Access Rules................................................................................................................................................ 28
Single Sign-On............................................................................................................................................. 29
Authentication Service...................................................................................................................................... 29
PortWise Authentication.............................................................................................................................. 30
PortWise Distribution Service............................................................................................................................ 30

Planning...................................................................................................................................................31
Define the Deployment Goals............................................................................................................................ 31
Initial Questions........................................................................................................................................... 31
Security Audit/Planning..................................................................................................................................... 32
System Architecture Review......................................................................................................................... 32
Public Key Infrastructure.............................................................................................................................. 32
Securing Your Operating System........................................................................................................................ 33
Securing the File System.............................................................................................................................. 33
Securing Shared Resources.......................................................................................................................... 34
File Auditing................................................................................................................................................ 34
Securing Disk Resources.............................................................................................................................. 34
User Management Strategy............................................................................................................................... 34
Analyzing Your Environment........................................................................................................................ 35
Directory Service Requirements.................................................................................................................... 35
Password Management............................................................................................................................... 35
Securing Microsoft Active Directory............................................................................................................. 36
Recommendations for DNS Management..................................................................................................... 36
Recommendations for the Active Directory Installation................................................................................. 36
Recommendations for Domain and OU Management................................................................................... 37
Recommendations for Tree and Forest Management.................................................................................... 37
Recommendations for Object Access Control Management.......................................................................... 37
Recommendations for Replication Management........................................................................................... 37
Recommendations for Operations Masters................................................................................................... 38
Recommendations for Auditing.................................................................................................................... 38
Resource Access................................................................................................................................................ 38
Access Strategies......................................................................................................................................... 38
Select Authentication Methods.................................................................................................................... 39
Pre-Installation Check List................................................................................................................................. 39
The PortWise 4.7 Network................................................................................................................................ 39
Recommended Network Layout................................................................................................................... 39
Default Listening Ports................................................................................................................................. 40


PortWise Installation.............................................................................................................................. 43
Overview........................................................................................................................................................... 43
PortWise User.............................................................................................................................................. 44
Upgrade Overview....................................................................................................................................... 44
Preparation....................................................................................................................................................... 45
License........................................................................................................................................................ 45
IP Addresses................................................................................................................................................ 45
Ports........................................................................................................................................................... 45
Time Synchronization................................................................................................................................... 45
Antivirus Programs...................................................................................................................................... 45
Installing on Windows....................................................................................................................................... 45
Installing Administration Service.................................................................................................................. 46
Installing Access Point................................................................................................................................. 46
Installing Policy Service................................................................................................................................ 47
Installing Authentication Service (Optional).................................................................................................. 47
Installing Distribution Service (Optional)...................................................................................................... 47
Installing PortWise Mobile ID (Optional)...................................................................................................... 48
Installing Access Client (Optional)................................................................................................................ 48
Installing on Linux............................................................................................................................................. 48
Installing Administration Service.................................................................................................................. 48
Setup System............................................................................................................................................... 49
Installing Access Point................................................................................................................................. 49
Installing Policy Service................................................................................................................................ 49
Installing Authentication Service (Optional).................................................................................................. 49
Installing Distribution Service (Optional)...................................................................................................... 50
Installing PortWise Mobile ID (Optional)...................................................................................................... 50
Installing PortWise Mobile ID on Mac OS X....................................................................................................... 50
Upgrading PortWise Services and Clients.......................................................................................................... 50
Upgrading on Windows................................................................................................................................ 51
Upgrading on Mac OS X............................................................................................................................... 51
Upgrading on Linux..................................................................................................................................... 52
Reverting an Upgrade....................................................................................................................................... 53
PortWise Services........................................................................................................................................ 53
Starting and Stopping PortWise Services........................................................................................................... 53
On Windows................................................................................................................................................ 54
On Linux...................................................................................................................................................... 54
Uninstalling PortWise 4.7.................................................................................................................................. 54
On Windows................................................................................................................................................ 54


On Linux...................................................................................................................................................... 55

Setup System...........................................................................................................................................57
About Setup System.......................................................................................................................................... 57
Requirements and Preparation..................................................................................................................... 57
What Setup System Includes........................................................................................................................ 58
Starting the Setup System Wizard...................................................................................................................... 58
PortWise Administration Service Dashboard................................................................................................. 59
PortWise Administrator................................................................................................................................ 59
Upload License File............................................................................................................................................ 59
Select Directory Service..................................................................................................................................... 59
Configure Directory Service............................................................................................................................... 60
Super Administrator Credentials........................................................................................................................ 63
Set up Administration Service............................................................................................................................ 63
Set Up Access Point........................................................................................................................................... 63
Set Up Policy Service......................................................................................................................................... 64
Set Up Authentication Service........................................................................................................................... 64
Select PortWise Authentication Methods..................................................................................................... 64
Select Additional Authentication Methods................................................................................................... 65
Configure Authentication Methods.................................................................................................................... 66
Confirm Authentication Methods....................................................................................................................... 68
Configure User Storage..................................................................................................................................... 68
Select Additional Directory Service.................................................................................................................... 70
Configure Additional Directory Service.............................................................................................................. 71
Finishing the Setup System Wizard.................................................................................................................... 72

Administration.........................................................................................................................................73
Introduction...................................................................................................................................................... 73
About PortWise Administrator........................................................................................................................... 73
Top Menu.................................................................................................................................................... 74
Navigate in PortWise Administrator............................................................................................................. 75
Monitor System........................................................................................................................................... 75
Manage Accounts and Storage.................................................................................................................... 75
Manage Resource Access............................................................................................................................. 76
Manage System........................................................................................................................................... 77

Monitor System........................................................................................................................................79
About Monitor System....................................................................................................................................... 79
Status Overview........................................................................................................................................... 79
Event Overview............................................................................................................................................ 79


Manage Monitor System.................................................................................................................................... 80
Status Overview........................................................................................................................................... 80
Event Overview............................................................................................................................................ 81
Manage Settings.......................................................................................................................................... 81

System Status......................................................................................................................................... 83
About System Status......................................................................................................................................... 83
General Status............................................................................................................................................. 83
Access Points............................................................................................................................................... 83
Policy Services............................................................................................................................................. 83
Authentication Services............................................................................................................................... 83

User Sessions.......................................................................................................................................... 85
About User Sessions.......................................................................................................................................... 85

Log Viewer...............................................................................................................................................87
About Log Viewer............................................................................................................................................. 87
Diagnostics File............................................................................................................................................ 88
Log Viewer Settings..................................................................................................................................... 89

Logging....................................................................................................................................................91
About Logging.................................................................................................................................................. 91
Manage Logging............................................................................................................................................... 92
Log Level Filter............................................................................................................................................. 92
Log File Rotation.......................................................................................................................................... 92
Windows Event Log/Unix Syslog.................................................................................................................. 93

License.................................................................................................................................................... 95
About License................................................................................................................................................... 95
View License Details.......................................................................................................................................... 95
Upload New License.................................................................................................................................... 96

Alerts........................................................................................................................................................97
About Alerts..................................................................................................................................................... 97
Alert Events................................................................................................................................................. 97
Manage Alerts.................................................................................................................................................. 98
Alert Settings............................................................................................................................................... 98
Alert Event Settings..................................................................................................................................... 98
Alert Notification Receivers.......................................................................................................................... 98

Reports...................................................................................................................................................103
About Reports................................................................................................................................................. 103


Time Range............................................................................................................................................... 103
Filters........................................................................................................................................................ 104
Graphics.................................................................................................................................................... 105
Statistics......................................................................................................................................................... 105
Data Retrieval............................................................................................................................................ 105
About Report Database................................................................................................................................... 106
Manage Reports.............................................................................................................................................. 107
Set Time Range.......................................................................................................................................... 107
Assessment Report Settings....................................................................................................................... 108
Abolishment Report Settings..................................................................................................................... 108
Access Report Settings.............................................................................................................................. 109
Authentication Report Settings................................................................................................................... 110
Authorization Report Settings..................................................................................................................... 110
Account Statistics Report Settings............................................................................................................... 111
Session Trend Report Settings..................................................................................................................... 112
Communication Report Settings.................................................................................................................. 112
Alert Report Settings.................................................................................................................................. 112
System Report Settings............................................................................................................................... 113
Performance Report Settings...................................................................................................................... 113
Tunnel Report Settings................................................................................................................................ 114

Manage Accounts and Storage.............................................................................................................115


About Accounts and Storage............................................................................................................................115
User Accounts............................................................................................................................................115
User Groups...............................................................................................................................................116
User Storage...............................................................................................................................................116

Global User Account Settings...............................................................................................................117


About User Linking.....................................................................................................................................117
About User Link Repair...............................................................................................................................117
General Settings.........................................................................................................................................118
Manage User Linking..................................................................................................................................119

User Linking...........................................................................................................................................123
About User Linking.......................................................................................................................................... 123
Manage User Linking...................................................................................................................................... 123
Manage User Link Repair............................................................................................................................124

User Import............................................................................................................................................125
About User Import...........................................................................................................................................125

Manage User Import........................................................................................................................................125

User Accounts........................................................................................................................................129
About User Accounts....................................................................................................................................... 129
Add User Account...................................................................................................................................... 130
User Linking.............................................................................................................................................. 130
User Import................................................................................................................................................131
PortWise Authentication.............................................................................................................................131
Single Sign-On Domain Settings..................................................................................................................131
User Certificate...........................................................................................................................................132
Manage User Accounts.....................................................................................................................................132
Manage User Accounts...............................................................................................................................132
General Settings.........................................................................................................................................132
Manage SSO Settings................................................................................................................................ 134
User Certificate...........................................................................................................................................135

User Groups...........................................................................................................................................143
About User Groups.......................................................................................................................................... 143
About User Location Group....................................................................................................................... 143
About User Property Group....................................................................................................................... 143
About User Group in Directory Service....................................................................................................... 143
Manage User Groups....................................................................................................................................... 144
Manage User Property Groups................................................................................................................... 144
Manage User Location Groups................................................................................................................... 144

User Storage..........................................................................................................................................147
About User Storage......................................................................................................................................... 147
Search Rules.............................................................................................................................................. 147
Directory Mapping..................................................................................................................................... 147
Manage User Storage...................................................................................................................................... 147
General Settings........................................................................................................................................ 147
Manage Search Rules................................................................................................................................. 148
Member Attribute Name............................................................................................................................ 149
Manage Directory Mapping....................................................................................................................... 150

Self Service............................................................................................................................................151
About Self Service............................................................................................................................................151
Self Service Example...................................................................................................................................151
Manage Self Service.........................................................................................................................................152
Settings........................................................................................................................................................... 154

Enabling Authentication Methods for Self Service.............................................................................................155

Manage Resource Access......................................................................................................................157


About Resource Access....................................................................................................................................157
Access Rules...............................................................................................................................................157
Standard Resources....................................................................................................................................157

Global Resource Settings......................................................................................................................159


About Internal Proxy.................................................................................................................................. 159
About DNS Name Pool............................................................................................................................... 159
About Filters.............................................................................................................................................. 160
About Link Translation................................................................................................................................161
General Settings........................................................................................................................................ 162
Filters........................................................................................................................................................ 162
Link Translation......................................................................................................................................... 162
DNS Name Pool......................................................................................................................................... 164

Standard Resources...............................................................................................................................167
About Standard Resources.............................................................................................................................. 167
Manage Standard Resources........................................................................................................................... 168
Citrix MetaFrame Presentation Server........................................................................................................ 169
Thinlinc Application Server..........................................................................................................................170
Domino Web Access 6.5.............................................................................................................................171
Terminal Server 2000 and 2003..................................................................................................................171
Outlook Web Access 2000/Outlook Web Access 2003/Outlook Web Access 2007/Outlook Web Access 5.5.172
Microsoft Outlook Client 2000/2003/2007................................................................................................ 173
POP3/SMTP............................................................................................................................................... 173
IMAP/SMTP............................................................................................................................................... 173
Windows File Share....................................................................................................................................174
Access to Home Directory...........................................................................................................................174
Secure Remote Access to Administrator......................................................................................................174
SalesForce..................................................................................................................................................175

Web Resources.......................................................................................................................................179
About Web Resources..................................................................................................................................... 179
Single Sign-On........................................................................................................................................... 179
Manage Web Resource Hosts.......................................................................................................................... 180
General Settings........................................................................................................................................ 180
Access Rules.............................................................................................................................................. 185
Advanced Settings..................................................................................................................................... 185

Manage Web Resource Paths.......................................................................................................................... 188
General Settings........................................................................................................................................ 188
Access Rules.............................................................................................................................................. 190
Advanced Settings..................................................................................................................................... 190

Tunnel Resources...................................................................................................................................193
About Tunnel Resources.................................................................................................................................. 193
Manage Tunnel Resources............................................................................................................................... 193
Tunnel Resource Settings........................................................................................................................... 193
Alternative Hosts....................................................................................................................................... 194
Access Rules.............................................................................................................................................. 194
Advanced Settings..................................................................................................................................... 194

Tunnel Resource Networks....................................................................................................................197


About Tunnel Resource Networks.................................................................................................................... 197
Manage Tunnel Resource Networks................................................................................................................. 197
Tunnel Resource Network Settings............................................................................................................. 197
Access Rules.............................................................................................................................................. 197
Advanced Settings..................................................................................................................................... 198

Tunnel Sets.............................................................................................................................................201
About Tunnel Sets........................................................................................................................................... 201
Static Tunnels............................................................................................................................................ 201
Dynamic Tunnels........................................................................................................................................ 201
Access Rules.............................................................................................................................................. 202
Access Client............................................................................................................................................. 202
Manage Tunnel Sets........................................................................................................................................ 202
Tunnel Set Settings.................................................................................................................................... 202
Startup Settings......................................................................................................................................... 205
Advanced Settings..................................................................................................................................... 206
Access Rules...............................................................................................................................................210
External DHCP Settings...............................................................................................................................210
Use External DHCP.....................................................................................................................................210
DHCP Server...............................................................................................................................................210
IP Address Pool...........................................................................................................................................210
DNS Server.................................................................................................................................................210

Client Firewalls......................................................................................................................................213
About Client Firewalls......................................................................................................................................213
Prevent Other Network Connections to be routed.......................................................................................213

Check the Integrity of Connecting Application............................................................................................213
Firewall Rules Based on Device...................................................................................................................215
Manage Client Firewalls...................................................................................................................................216
Incoming Firewall Rules..............................................................................................................................216
Outgoing Firewall Rules..............................................................................................................................217

Customized Resources...........................................................................................................................219
About Customized Resources...........................................................................................................................219
Manage Customized Resource Hosts................................................................................................................219
Customized Resource Host Settings............................................................................................................219
Access Rules.............................................................................................................................................. 220
Advanced Settings..................................................................................................................................... 220
Manage Customized Resource Paths............................................................................................................... 221
Customized Resource Path Settings........................................................................................................... 221
Access Rules.............................................................................................................................................. 222
Advanced Settings..................................................................................................................................... 222

SSO Domains..........................................................................................................................................225
About SSO Domains........................................................................................................................................ 225
Access Rules.............................................................................................................................................. 225
Domain Types............................................................................................................................................ 225
Manage SSO Domains..................................................................................................................................... 227
SSO Domain Settings................................................................................................................................. 227
Domain Attributes..................................................................................................................................... 227
Access Rules.............................................................................................................................................. 230

Access Rules.......................................................................................................................................... 233


About Access Rules......................................................................................................................................... 233
Access Rule Types...................................................................................................................................... 233
Managing Access Rules............................................................................................................................. 235
Manage Access Rules...................................................................................................................................... 235
Manage Global Access Rule............................................................................................................................ 235
Selecting Registered Access Rules.............................................................................................................. 236
Creating New Access Rules........................................................................................................................ 236
Manage Access Rules for Resource or SSO Domain.......................................................................................... 236
Selecting Registered Access Rules............................................................................................................... 237
Creating New Access Rules........................................................................................................................ 237
Global Access Rule.................................................................................................................................... 237
About Application Portal................................................................................................................................. 247
Access Client............................................................................................................................................. 247

Manage Application Portal.............................................................................................................................. 247
Application Portal Item Settings................................................................................................................. 248

Identity Federation................................................................................................................................251
About Identity Federation................................................................................................................................251
Assertions..................................................................................................................................................251
Preconditions............................................................................................................................................. 252
Service Provider......................................................................................................................................... 252
Identity Provider........................................................................................................................................ 252
Global Identity Federation Settings............................................................................................................ 252
Service Providers....................................................................................................................................... 252
Identity Providers....................................................................................................................................... 253

Manage System......................................................................................................................................257
About Manage System.................................................................................................................................... 257

Abolishment...........................................................................................................................................259
About Abolishment......................................................................................................................................... 259
Manage Abolishment...................................................................................................................................... 259
General Settings........................................................................................................................................ 259
Cache Cleaner........................................................................................................................................... 260
Advanced.................................................................................................................................................. 261

Access Points........................................................................................................................................ 263


About Access Points........................................................................................................................................ 263
Manage Access Points..................................................................................................................................... 265
Access Point Settings................................................................................................................................. 265
Additional Listeners................................................................................................................................... 266
Advanced Settings..................................................................................................................................... 267
Cipher Suites............................................................................................................................................. 268
Client Access............................................................................................................................................. 269
Performance.............................................................................................................................................. 269
Trusted Gateways...................................................................................................................................... 269
About Load Balancing..................................................................................................................................... 270
Manage Load Balancing............................................................................................................................ 270

Administration Service..........................................................................................................................277
About Administration Service.......................................................................................................................... 277
Configuration............................................................................................................................................ 278
Manage Administration Service....................................................................................................................... 278
Administration Service Settings.................................................................................................................. 278

Assessment............................................................................................................................................281
About Assessment.......................................................................................................................................... 281
Manage Assessment....................................................................................................................................... 282
General Settings........................................................................................................................................ 282
Advanced Settings..................................................................................................................................... 284
Plug-ins..................................................................................................................................................... 285

Authentication Methods.......................................................................................................................287
About Authentication Methods....................................................................................................................... 287
PortWise Authentication Methods............................................................................................................. 288
Additional Authentication Methods........................................................................................................... 290
Manage Authentication Methods.................................................................................................................... 291
General Settings........................................................................................................................................ 292
Authentication Method Server................................................................................................................... 296
RADIUS Replies......................................................................................................................................... 303
Extended Properties.................................................................................................................................. 304

Authentication Services........................................................................................................................311
About Authentication Services.........................................................................................................................311
Manage Authentication Services......................................................................................................................312
Authentication Service Settings..................................................................................................................312
RADIUS Authentication...............................................................................................................................314
Password/PIN.............................................................................................................................................315
E-mail Messages........................................................................................................................................ 320
SMS/Screen Messages............................................................................................................................... 324

Certificates.............................................................................................................................................329
About Certificates........................................................................................................................................... 329
Registered Server Certificates.................................................................................................................... 329
Registered Client Certificate....................................................................................................................... 329
Manage Certificates........................................................................................................................................ 330
Certificate Authority Settings..................................................................................................................... 330
Server Certificate Settings.......................................................................................................................... 331
Client Certificate Settings.......................................................................................................................... 332

Device Definitions..................................................................................................................................335
About Device Definitions................................................................................................................................. 335
Manage Device Definitions.............................................................................................................................. 335

Delegated Management........................................................................................................................337
About Delegated Management....................................................................................................................... 337

Manage Delegated Management.................................................................................................... 337
Role Settings............................................................................................................................. 338

Directory Services.................................................................................................................................341
About Directory Services................................................................................................................................. 341
Manage Directory Services.............................................................................................................................. 341
General Settings........................................................................................................................................ 341
Communication Settings............................................................................................................................ 342
Advanced Settings..................................................................................................................................... 342

Notification Settings............................................................................................................ 345
E-mail Channel Settings............................................................................................................. 345
SMS Channel Settings................................................................................................................ 346

Policy Services.......................................................................................................................................351
About Policy Services.......................................................................................................................................351
Manage Policy Services................................................................................................................................... 352
General Settings........................................................................................................................................ 352
XPI: Web Services...................................................................................................................................... 353
Communication Settings............................................................................................................................ 354

RADIUS Configuration...........................................................................................................................357
About RADIUS Configuration.......................................................................................................................... 357
Manage RADIUS Configuration....................................................................................................................... 357
RADIUS Client Settings.............................................................................................................................. 358
Manage RADIUS Back-End Servers............................................................................................................ 359
About OATH Configuration.............................................................................................................................. 361

Glossary................................................................................................................................................ 365

Colophon.................................................................................................................................................... I

1
Introduction

Welcome to the PortWise 4.7 Manual – your reference guide to a secure and flexible solution for safe access to any
and all of your internal and external resources and applications.
With PortWise 4.0, PortWise took a huge step as to user assistance and usability in the PortWise administration user
interface for easy administration of access, authentication, and authorization. With the PortWise 4.7 Manual, we
continue that journey.
Our aim has been to provide PortWise users with a comprehensive guide to all aspects of PortWise administration. To
that end, we have structured the PortWise 4.7 Manual in About… and Manage… sections, allowing readers to access
in-depth information when they need it, whether that is conceptual information to prepare for installation, a deeper
understanding of complex topics, or instructions on how to administer specific functionality.
The About… sections contain overview information on specific functionality in PortWise 4.7, presented in the same
order as it is structured in the PortWise 4.7 Administrator, so when you wish to learn more about a specific task from a
conceptual point of view, this is where to look.
Browse the Manage… sections when you are performing a task in the PortWise 4.7 Administrator and do not find the
information you need in the PortWise 4.7 Online Help.
It is up to you if we have succeeded in our aim or not. Please do not hesitate to contact the PortWise Documentation
Department with comments and suggestions for improvement: documentation@portwise.com.

Target Audience
This manual covers all aspects of PortWise 4.7 and is intended for both administrators and system integrators. For more
detailed information on essential reading, please see section Getting Started below.

Other Resources
The PortWise Technical Note Library covers a large number of topics that extend the coverage presented in this manual.

Conventions Used in this Publication
This publication uses various conventions to present information. Words that require special treatment appear in specific
fonts or font styles. Certain information, such as command-line options, uses special formats so that you can scan it
quickly.

Special Fonts
This publication uses several typographical conventions. All code listings, reserved words, and the names of actual data
structures, constants, fields, parameters, and routines are shown in monospaced font (this is monospace). Words
that appear in boldface are menu items and/or settings in the PortWise Administrator.

Type of Notes
This publication uses two types of notes.

Information
A note like this contains information that is interesting but possibly not essential to an
understanding of the main text.

Important
A note like this contains information that is essential for an understanding of the main
text.

Contacting PortWise Documentation Department
PortWise is always interested in feedback from our users. Please direct comments or questions regarding any PortWise
publication to the PortWise Documentation Department at documentation@portwise.com. Please include the title of
the document in your e-mail.

References
Referenced documents, such as technical notes, are included with your product and can be located on the product
distribution, or if the product is already installed, in the Documentation folder where the product was installed. It is also
possible to access the documentation directly from the PortWise Administrator Dashboard.

Getting Started
The PortWise 4.7 Manual covers all areas related to PortWise 4.7. Below is an outline of the main parts and what each
part covers.

Information
The PortWise 4.7 Administration Service, PortWise 4.7 Access Point, PortWise 4.7 Policy
Service, and PortWise 4.7 Authentication Service will be referred to as the Adminis-
tration Service, Access Point, Policy Service, and Authentication Service respectively
throughout the manual.

• Introduction
The reference manual starts with this introduction, which outlines notation conventions and references, and presents a
comprehensive road map.
• Planning
This chapter deals with preparations that you need to perform before installing PortWise 4.7. It also contains
recommendations for a successful PortWise 4.7 deployment.
• Installation
This chapter covers the installation and initial setup of your PortWise system. This chapter should be read in
detail, and contains specific instructions on how to install PortWise 4.7.
• Setup System
The Setup System section details all steps necessary to configure and set up your PortWise system. This sec-
tion is most important, and should be read carefully.
• Administration
This chapter is a general introductory overview of how to navigate in PortWise 4.7.
• Monitor System
This chapter covers all aspects of the Monitor System section in the PortWise Administrator.
• Manage Accounts and Storage
This chapter covers all aspects of the Manage Accounts and Storage section in the PortWise Administra-
tor.
• Manage Resource Access
This chapter covers all aspects of the Manage Resource Access section in the PortWise Administrator.
• Manage System
This chapter covers all aspects of the Manage System section in the PortWise Administrator.
• Glossary
This chapter presents a comprehensive glossary of terms.

Reading Suggestions
Be sure to read the following items.
• PortWise 4.7 Release Notes
Contains important information about the PortWise 4.7 release. Available on the product distribution.
• PortWise 4.7 Online Help
Contains context sensitive help and in-depth conceptual information. Available in the PortWise 4.7 Adminis-
trator.
• Technical Notes
Available on the PortWise Administrator Dashboard.

Customer Support
When you register your product, you may be entitled to technical support. Terms may vary depending on the country of
residence. For more information, refer to technical support at http://support.portwise.com, or contact your local sales
representative.

2
PortWise Overview

Product Overview
Users today rely on access to applications and information from any location using any device, for maximum business
productivity and return-on-investment. By implementing a security strategy immediately, organizations can ensure that
customer trust is kept, profits are not lost, and the brand image is not damaged by malicious attacks.
PortWise covers entry-to-exit security by following the six core principles of security, also known as the six A’s. The six
A’s follow a holistic approach to security to ensure that users and organizations are completely protected using best-of-
breed technologies:
• Assess
Inspection of user device (laptops and desktop computers, PDAs, smart-phones) to ensure it complies with a
corporate security policy
• Authenticate
Identify that users are who they claim to be
• Authorize
Determine which applications users gain access to
• Access
Creates a secure encrypted network link between users’ devices and the desired application or information
• Audit
Audits who accessed which application, when they did it, and what they downloaded
• Abolish
Removes all traces of access to the corporate network on completion of the session

Assessment
PortWise 4.7 inspects, or assesses, client devices to ensure compliance with your corporate security policy.
Requirements may include assessment of:

• Firewall and anti-virus software
• Operating systems and patches
• Spyware checking
• Device type
• Network configuration

Non-compliant devices may be refused entry, or be referred to software update sites.

How Does It Work?
When activated, PortWise 4.7 Assessment inspects the client computer and makes a security assessment before the
user is granted access to a resource. This step complements the preceding user authorization by verifying that the client
computer is actually an authorized computer and has been properly protected.
You create access rules on which the actual security assessment and policy verification is based.
The security assessment can be configured and extended to support your security policy.
The communication and data from the client computer are protected, and an intruder cannot modify any evidence
collected from the client computer.
Please refer to the PortWise 4.7 Online Help and the Manage Assessment section in the Manage System chapter
for detailed information on how to set up Assessment Client Scans.

Authentication
Authentication in PortWise 4.7 is a seemingly easy process for the user.
All requests flow through a web of specialized servers: the Access Point, the Policy Service, the Authentication Service,
and back again. But for the user, the single point of contact is a Web browser when accessing resources.
To put it simply, the Access Point verifies the identity of the user by forwarding the user credentials via the Policy Service
to the Authentication Service, which in turn compares the information with credentials stored in the user storage. When
the control is completed, a Request Accept is sent to the Access Point which allows the user to enter.
The Authentication Service supports five authentication methods relying on the RADIUS protocol:
• PortWise Mobile Text
• PortWise Web
• PortWise Challenge
• PortWise Password
• PortWise Synchronized
• PortWise OATH

Also supported are other RADIUS authentication methods such as SafeWord and SecurID.
One feature in PortWise 4.7 is the management of Certificate Authorities. It provides, among other things, the opportu-
nity to specify several parameters concerning certificate revocation: Certificate Authority Revocation List and Certificate
Revocation List retrieval.
Access control is specified by means of roles that link user groups with resources. A number of authentication methods
can be set for each resource and it is also possible to specify multiple authentication methods for a specific resource.
Examples of authentication methods are client certificates, business rules, and RADIUS compliant methods. All authen-
tication methods can be used in combination.

Authorization
Access rules are defined to allow users access to resources. All resources are associated with at least one access rule,
consisting of requirements such as authentication methods, date or time restrictions, or user-group memberships.
PortWise 4.7 also provides access control in conjunction with firewalls and access control in the internal systems. The
firewall access control is performed when users interact with the system. The access control is performed on the same
level of security as the firewall, which is on both IP and port level.
Behind the scenes, a complex chain of events verifies the identity of the user, secures the protection of the resource, and
logs all activities surrounding its access. Resources are typically applications, either Web-enabled applications or files
accessible from the Web, or client-server applications accessed through tunnels.

Access
Any kind of resource, usually an application, can be accessed through the Application Portal and the Access Client.
Resources include Web, Client Server, Terminal Server, and File Server applications. By using the Application Portal the
complexity of how access is granted is hidden from the user.
The Access Client creates a secure encrypted network tunnel between the user device and the application.
You may define possible limitations for user access. PortWise 4.7 is designed for 24/7 access.

How Does It Work?
We recommend that systems administrators use this work flow to ensure secure application access:
• Add a user account
When creating PortWise user accounts, you can define specific levels of security for groups of users or for individual
users, regarding password management, authentication methods, and so on.
See the User Management Strategy section in the chapter Planning below for recommendations regarding user
management.
• Add access rules
Access rules protect resources by allowing or denying access, and specify the requirements for a particular
user, resource group, or communication channel.
• Add a resource protected by the access rules
With your user management strategy and access rules defined and in place, you simply add the applications
your users will access. Resource hosts and specific paths are defined, and you choose how the application is
presented in the Application Portal.
Please refer to the PortWise 4.7 Online Help and the Manage User Accounts section in the Manage
Accounts and Storage chapter for detailed information on how to add user accounts, and to the Manage
Access Rules and Manage Resources sections in the Manage Resource Access chapter for information on
access rules and resources.

Auditing
Auditing in PortWise 4.7 provides:
• Central capture of all access to corporate applications
• Real-time and historical reports covering all of the six A’s, plus system and performance reports
• Permanent record of application access

The advanced auditing features in PortWise 4.7 provide organizations with the tools to meet strict industry, government,
and corporate compliance regulations.

How Does It Work?
The PortWise 4.7 Log Viewer is used to filter and display the logging messages. The Report Generator then stores these
messages in the report database. You then use different filters to create reports in different presentation formats,
which are also configurable.
Please refer to the PortWise 4.7 Online Help and the Manage Logging section in the Monitor System chapter, for
detailed information on how to search logs using special characters and quoted searches. Also see the Manage Alerts
and Manage Reports sections in the same chapter for information on how logs are used in these features.

Abolishment
With PortWise 4.7 all traces of access to the corporate network on completion of the session can be removed.
Browsers are renowned for creating a “snail trail” of information during an access session, including:
• Cookies
• URL history
• Cached Pages
• Registry Entries
• Downloadable Components

All these objects can be eradicated.

How Does It Work?
When Abolishment is enabled, secure cleanup of a client computer removes all traces of the user session.
For example:
• Cleaning of relevant Microsoft Internet Explorer cache entries
All cache information is deleted after the session is ended.
• Cleaning of MS Internet Explorer History entries
All contents of the History folder are deleted.
• Cleaning of downloaded files
All files created and saved during the session are deleted.

Please refer to the PortWise 4.7 Online Help and the Manage Abolishment section in the Manage
System chapter, for detailed information.

PortWise 4.7 Technical Overview
This illustration outlines a complete installation of PortWise 4.7.

Figure 2-1: PortWise Architecture

Administration Service
From a systems administrator’s point of view, the Web user interface PortWise Administrator is PortWise 4.7, but as the
illustration above clearly demonstrates, that is not the case. PortWise 4.7 is a complete network of services, with the
Administration Service as the natural connecting point, or hub, and the PortWise Administrator its interface.

You publish all updates in the PortWise Administrator to the different services, and monitor and manage all user activity
in real-time.
Please refer to the PortWise 4.7 Online Help for detailed information on how to configure and manage the different
services, directory services, and resources.

Information
You can only configure one Administration Service server per PortWise network. Regu-
lar backups of the configuration file are therefore strongly recommended.

Access Point
As the gatekeeper for all resource and access requests, the Access Point is on constant alert, listening for incoming
communication.

Figure 2-2: Default Listening Ports for the Access Point

All requests are logged, filtered, encrypted, and forwarded to the Policy Service or a resource host depending on the
type of request.

Information
It is recommended that you dimension the Access Point accordingly, as it is subject to the heaviest
load in the PortWise network.

Advanced Access Point Features

Load Balancing
Load balancing is the distribution of client sessions between two or more Access Points to handle situations with large
numbers of requests.
PortWise Access Points can be load balanced with a third-party solution to gain redundancy and handle heavy activity.
Load balancing enables Access Points to share sessions among each other, so that requests may be processed correctly
no matter which server receives the request.

Trusted Gateways
A client connecting to the Access Point may not have a secure connection, but incoming traffic from the trusted gateway
(a specified IP address and port) is assumed to have a specified level of security.

Cipher Suites
When an SSL connection is initialized, the client and server determine a common cipher value to be used for key ex-
change and encryption. Various cipher values offer different types of encryption algorithms and levels of security.

Link Translation and DNS Mapping
Link translation is used to ensure that all traffic to registered Web resource hosts is routed through the Access Point,
which in turn enables the use of SSL and a secure connection. With link translation, Web resource hosts are as secure
as tunnel resource hosts.
A link can sometimes be divided into subsets, for example by protocol, host, and path, and then dynamically put
together to form a link by the browser. In that case, the Access Point cannot establish if it is a link and consequently
cannot translate it.
To solve this, DNS mapping is used. A DNS name or an IP address pointing to the Access Point is mapped to an internal
host and protocol: a mapped DNS name.
All mapped DNS names are added to a DNS name pool. From there, you map Web hosts to DNS names using one of
two methods:
• Reserved DNS mapping
The Web resource is mapped to a specific DNS name in the DNS name pool.
• Pooled DNS mapping
The Web resource is assigned the first available DNS name from the DNS name pool.
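As an added illustration (example code, not PortWise's own), the following Python sketch shows the two mechanisms described above: rewriting absolute links to registered Web resource hosts so that they pass through the Access Point over HTTPS, and a DNS name pool with reserved and pooled mapping for links the browser assembles dynamically. The host names, the layout that carries the internal host in the translated URL, and the function and class names are assumptions for this example.

```python
"""Link translation and DNS mapping, illustrated (example code, not PortWise's own).

Assumed names: access.example.com is the external name of the Access Point and
*.corp.local are internal Web resource hosts. Carrying the internal host as the
first path segment of the translated URL is an assumption made for this demo.
"""
import re
from urllib.parse import urlsplit, urlunsplit

ACCESS_POINT = "access.example.com"  # assumed external DNS name of the Access Point

# Matches href="..." and src="..." attributes in HTML (sufficient for the demo).
_LINK_ATTR = re.compile(r'((?:href|src)=")([^"]+)(")', re.IGNORECASE)


def translate_links(html, registered_hosts, access_point=ACCESS_POINT):
    """Link translation: rewrite absolute links to registered Web resource hosts.

    Each matching link is redirected through the Access Point over HTTPS, with the
    internal host carried as the first path segment. Links to unregistered hosts,
    and fragments the Access Point cannot recognise as links, are left untouched.
    """
    def _rewrite(match):
        parts = urlsplit(match.group(2))
        if parts.hostname not in registered_hosts:
            return match.group(0)
        path = "/" + parts.hostname + (parts.path or "/")
        new_url = urlunsplit(("https", access_point, path, parts.query, parts.fragment))
        return match.group(1) + new_url + match.group(3)

    return _LINK_ATTR.sub(_rewrite, html)


class DnsNamePool:
    """DNS mapping: external names pointing at the Access Point, mapped to internal hosts."""

    def __init__(self, names):
        self.free = list(names)     # unassigned names in the pool
        self.mapping = {}           # mapped DNS name -> (internal host, protocol)

    def reserve(self, dns_name, host, protocol):
        """Reserved DNS mapping: bind a Web resource to one specific pool name."""
        if dns_name not in self.free:
            raise ValueError(f"{dns_name} is not an available name in the pool")
        self.free.remove(dns_name)
        self.mapping[dns_name] = (host, protocol)
        return dns_name

    def assign(self, host, protocol):
        """Pooled DNS mapping: bind a Web resource to the first available pool name."""
        if not self.free:
            raise RuntimeError("DNS name pool exhausted")
        dns_name = self.free.pop(0)
        self.mapping[dns_name] = (host, protocol)
        return dns_name

    def route(self, host_header, path):
        """Resolve a request arriving at a mapped DNS name to its internal URL.

        Returns None for names that are not mapped, so the caller can reject the
        request instead of forwarding it to an arbitrary host.
        """
        target = self.mapping.get(host_header.lower())
        if target is None:
            return None
        internal_host, protocol = target
        return f"{protocol}://{internal_host}{path}"


def demo():
    """Run both mechanisms on constructed sample input and return the results."""
    registered = {"owa.corp.local", "intranet.corp.local"}
    # Constructed HTML: one translatable link and one link assembled by script,
    # which link translation cannot recognise and therefore leaves alone.
    html = (
        '<a href="http://owa.corp.local/exchange/">Mail</a>\n'
        '<script>location = "http://" + host + "/portal/";</script>'
    )
    translated = translate_links(html, registered)

    pool = DnsNamePool(["app1.access.example.com", "app2.access.example.com"])
    reserved = pool.reserve("app2.access.example.com", "owa.corp.local", "http")
    pooled = pool.assign("intranet.corp.local", "http")
    routed = pool.route("app1.access.example.com", "/portal/")
    unknown = pool.route("other.example.net", "/")
    return translated, reserved, pooled, routed, unknown


if __name__ == "__main__":
    for item in demo():
        print(item)
```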

Policy Service
An important part of PortWise 4.7 is the authentication, authorization, and auditing server — the Policy Service. It
provides for policy management, authentication, authorization, and log services regardless of service or communication
channel.

Figure 2-3: Default Listening Ports for the Policy Service

All authentication methods are configured in the Policy Service, so when a request comes in, the Policy Service evaluates
the appropriate access rules and forwards the request to its destination.

Resources
In PortWise 4.7, applications, folders and files, and URLs are registered as Web or tunnel resources. Web-enabled ap-
plications are registered as Web resources, and client-server applications that are not Web enabled are registered as
tunnel resources.
You then protect the resources with access rules, authorization settings, and encryption levels to create seamless, secure
access control. Users access the resources through the Web-based PortWise Application Portal, the Access Client, or
directly in a Web browser using shortcuts.
In order for users to be able to access a resource, you need to configure a resource host and specify if it will be available
in the Application Portal or not. A resource host can have one or several paths.
There are three different types of resource hosts:
• Web Resources
• Tunnel Resources
Tunnel Resources are collected into Tunnel Sets where each tunnel in the set points to a tunnel resource.
• Customized Resources

Standard Resources
We have collected several of the most frequently used resources as Standard Resources. The purpose of this is to mini-
mize your configuration time.
The standard resources are:
• Outlook Web Access 2003
• Outlook Web Access 2000
• Domino Web Access 6.5
• Citrix MetaFrame Presentation Server
• Terminal Server 2003
• Terminal Server 2000
• MS Outlook Client 2000/2003
• File Sharing
• Access to Home Directory

You can edit the standard resource settings just as easily as any other type of resource. Please refer to the PortWise 4.7
Online Help and the Manage Standard Resources section in the Manage Resource Access chapter.

Access Rules
PortWise 4.7 authorization makes the access decisions using access rules.
These rules rely on:
• who wants access
• what resource or service is requested
• what communication channel (or device) is used
• which authentication methods are most suitable

Access rules protect resources by allowing or denying access, and specify the requirements for a particular user, re-
source group, or communication channel. Additionally, business related conditions can be customized for services. For
example, only customers who are allowed credit are able to use the ordering function.
Access Control Lists (ACLs) stored in existing systems such as mainframes and databases can be reused by PortWise 4.7.
An ACL is a list of security protections that apply to an entire object, a set of the object’s properties, or an individual
property of an object. In Microsoft Active Directory, for example, there are two types of ACLs: discretionary and system.
Please refer to the PortWise 4.7 Online Help and the Manage Access Rules section in the Manage Resource Ac-
cess chapter, for detailed information on how to add and use Access Rules.

Single Sign-On
Single Sign-On (SSO) permits users to enter their credentials once, which then gives them access to several resources
without the need to re-authenticate when accessing each resource.
All resources using the same user credentials can be defined in an SSO domain. When user credentials are modified, the
changes apply to all resources in the SSO domain.
When using the system for the first time, users are prompted for SSO credentials (user ID and password). The SSO
credentials are stored per user account and retrieved whenever the user accesses resources registered in an SSO domain.
If credentials are changed, the user will be prompted for authentication.
SSO domains are divided into two domain types:
• Text
• Cookie

Depending on which type you choose, different domain attributes can be associated with the SSO domain. Both types
can be protected by access rules.
To use form based logon for an SSO domain, you need to design a Web form for access to each resource in the SSO
domain.

Cookie-based Authentication
Cookie-based authentication sends the authentication information to the back-end application as an HTTP cookie, that is, in an HTTP header. A common use of cookie SSO is for back-end applications that only read the authentication information on the very first request and then keep their own session.

Text-based Authentication
Text-based authentication sends the authentication information as text, with the domain attributes defining which pieces of information are needed.
When all domain attributes for the domain type text are added (user name, password, and domain), the Microsoft authentication method NTLM is used. When only the attributes user name and password are added, the Basic authentication method is used. Basic is the most commonly used authentication method in Web environments, but note that it merely base64-encodes the user name and password in the Authorization header of every request; it is not encryption, so the connection to the back-end resource must be protected with HTTPS.

Authentication Service
The Authentication Service provides mobile users with strong authentication methods that can be used regardless of
device and location.
The Authentication Service can act as a RADIUS proxy, that is, proxy the authentication request to another RADIUS
server.

PortWise 4.7 Manual


2-2-30 PortWise Technical Overview

Figure 2-4: Default Listening Ports for the Authentication Service

PortWise Authentication
PortWise authentication refers to the Authentication Service using the PortWise authentication methods Mobile Text,
Web, Challenge, Password, Synchronized, and OATH.
All methods can be used on your laptop or desktop computer.
When using the Synchronized or Challenge methods, users install Mobile ID client applications on the device being used.
When using the Web authentication method, the client is either an ActiveX component or a Java applet.
All supported authentication methods are described in the chapter Manage System, in the Manage Authentication Methods section.
To choose the authentication method, you need to consider your users’ needs: mobility, device flexibility, and level of
security. Refer to each authentication method for more detailed information.
All PortWise authentication methods can be used in combination or singularly to access any type of resource.
Please refer to the PortWise 4.7 Online Help and the Manage Authentication Methods section in the Manage
System chapter for detailed information on how to configure and use the different authentication methods.

PortWise Distribution Service


The Distribution Service is responsible for the distribution of Mobile ID clients to end users, and for the injection of seed and mode into cell phone clients.
The Distribution Service does not communicate with the other PortWise services, but it is recommended that it is placed on the DMZ behind the Access Point, or together with an existing download server.
The Distribution Service configuration settings include:
• Notification messages to simplify download of Mobile ID clients
• Seed injection with the URL argument "seed"
• Mode injection with the URL argument "mode", where the mode is Synchronized (s) or Challenge (c)

Because a seed passed as a URL argument is the client's key material, and URLs are recorded in web server and proxy logs as well as in the device's browser history, such download links should be delivered only over HTTPS and handled as carefully as the credential itself.
Please refer to the PortWise 4.7 Distribution Service Online Help for detailed information on how to set up the Distribution Service and for end-user assistance.


Planning
In this section, a few general security recommendations that should be considered are presented.
The sections covered include:
• Define deployment goals
• Security planning
• Securing your operating system (this section contains specific recommendations for environments using Windows 2000)
• User management strategy
• Resource access

Define the Deployment Goals


The major goals of the planning phase are to make sure that:
• User and administrator needs are addressed by the services you deploy
• Service prerequisites that affect installation and initial setup are identified

Installation planning is especially important when you are preparing to set up multiple servers.

Initial Questions
• What are the day-to-day requirements PortWise 4.7 needs to address?
• What are the user management requirements PortWise 4.7 needs to meet?
• What shape is your existing network in? Do you need to upgrade power supplies, switches, and other network
components?

Make sure the required hardware is available in time for the deployment.


Security Audit/Planning
You need to make decisions about your security architecture. This involves creating accounts in the operating system (or
with other authentication providers), organizing your users into groups, and planning for access control.
These are the phases in the security planning process:
• Define your security goals
• Make some preliminary decisions about your security architecture
• Determine which users need which permissions to which resources, and develop a strategy for creating access
rules

System Architecture Review


Find potential security problems related to the system architecture. This includes going through existing design documentation and high-level descriptions of the system. Typical areas of investigation are:
• Where and how sensitive information is stored
• Which components are "trusted", that is, which components the rest of the system relies on behaving correctly
• Communication paths and how they are protected
• Single points of failure and components that are likely targets of denial-of-service (DoS) attacks

Public Key Infrastructure


A well-defined public key infrastructure (PKI) enables your organization to secure critical internal and external processes.
Deploying a PKI allows you to perform tasks such as:
• Digitally signing files such as documents and applications
• Securing e-mail from unintended viewers
• Enabling secure connections between computers, even if they are connected over the public Internet or through a wireless network
• Enhancing user authentication through the use of smart cards

If your organization does not currently have a public key infrastructure, begin the process of designing a new PKI by identifying the certificate requirements for your organization.
If your organization already uses a PKI, you can use it to manage all of your internal security requirements, as well as the security requirements for business exchanges with external customers or business partners.
Designing a PKI for your organization involves defining your certificate requirements, creating a design for your infrastructure, creating a certificate management plan, and deploying your PKI solution.
A PKI consists of the following basic components:
• Digital certificates
Electronic credentials that bind a public key to the identity of its holder and are signed by a certification authority. The matching private key, which never leaves the holder, is what signs and decrypts; the public key in the certificate verifies signatures and encrypts. Digital certificates provide the foundation of a PKI.
• One or more certification authorities (CAs)
Trusted entities or services that issue digital certificates. When multiple CAs are used, they are typically arranged in a carefully prescribed hierarchy and perform specialized tasks, such as issuing certificates to subordinate CAs or issuing certificates to users.
• Certificate policy and practice statements
Two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.
• Certificate repositories
A directory service or other location where certificates are stored and published. In a Windows Server 2003 domain environment, the Active Directory® service is the most likely publication point for certificates issued by Windows Server 2003–based CAs.
• Certificate Revocation Lists (CRLs)
Lists of certificates that have been revoked before reaching their scheduled expiration date. A relying party that never checks revocation keeps trusting a certificate whose private key has been compromised, so make sure the CRL distribution point is reachable from every host that validates certificates.

Securing Your Operating System


The following section outlines the steps necessary for securing your Windows 2000 operating system. It contains summaries from the NSA Central Security Service's Security Configuration Guide "Guide to Securing Microsoft Windows 2000 File and Disk Resources", http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/win2k/w2k_active_dir.pdf.
NSA has developed and distributed configuration guidance for operating systems including Apple Mac OS X, Microsoft Windows XP, Microsoft Windows 2000, and Sun Solaris 8. Please refer to this page for configuration guides on how to secure different operating systems: http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1.

Securing the File System


It is strongly recommended that all volumes use NTFS (the Windows 2000 New Technology File System) to achieve the highest level of security. On Windows 2000, only NTFS supports discretionary access control on directories and files.
Non-NTFS volumes can be converted to NTFS with the Convert.exe program.
File and folder permissions:
• NTFS allows varying levels of file access permissions for users and user groups
• All new files and folders inherit the parent's access permissions by default
• File permissions can be set with high granularity

When deciding how to implement ACLs, apply the principle of least privilege: grant access only to the users who absolutely require it, and only at the level they require.
Data remanence refers to copies of data that remain on the platform after the data should no longer be available, for example in the system page file and in the Recycle Bin.


Securing Shared Resources


Share permissions are granted independently of NTFS permissions, but the two are evaluated together: when a share is accessed remotely, the more restrictive of the two applies.
The default share permission is Full Control for Everyone, so you must explicitly set permissions for every share.
Share security recommendations:
• Ensure that the Everyone group is not given permissions on any share
• Use the Authenticated Users or Users group in place of the Everyone group
• Give users and/or groups the minimum permissions needed on a share
• Use hidden shares by adding a $ after the share name; the full path including the $ must be entered to access the share. Note that the $ only hides the share from browsing and is not an access control: the share still needs proper share and NTFS permissions.

File Auditing
Auditing is not enabled by default but is set on a per-system basis. Each Windows 2000 system includes auditing with logs that collect information on application, system, and security events. The categories relevant here are:
• User account auditing
• File system auditing
• System registry auditing

Auditing can consume large amounts of processor time and disk space. It is highly recommended to check, save, and clear audit logs daily or weekly to reduce the risk of system degradation, or to save the audit logs to a separate machine, which also keeps them out of reach of an attacker who compromises the audited system.
Auditing specific directories or files can prove useful in identifying a system compromise or unauthorized use of resources.

Securing Disk Resources


Recommended physical security management:
• Keep servers in a locked room
• Disable the removable-media boot option if available
• Remove removable-media drives if not required, or install a locking device
• Secure the CPU case with a key stored safely away from the computer

Securing disk resources at system boot:
• Set boot options to prevent booting from removable media
• Prevent booting into other operating systems

User Management Strategy


The best security plans and designs cannot protect an organization if security is not an essential part of its operating procedures.
In this section, a few general security recommendations regarding user management that should be considered are presented.
The Securing Microsoft Active Directory section contains specific recommendations for environments using Microsoft Active Directory.

Analyzing Your Environment


Your user management settings need to complement your particular environment, including:
• The size and distribution of your network
• The number of users who will access your network
• The kind of clients users will employ
• Which clients are mobile
• Which users should have administrator privileges
• Which users should have access to particular computers
• What services and resources users need
• How you might divide users into groups
• Define a password strategy

Directory Service Requirements


Identify the directories that will be used for user storage: user and group information used for authorization.
If you have an Active Directory or LDAP server already set up, you might be able to take advantage of existing records.
Use the following guidelines:
• If you are using Microsoft Active Directory, manage users and computers across domains and forests. Active
Directory uses the Kerberos version 5 protocol for authentication. This provides a high level of security.
• If you are using UNIX, you can use a UNIX Kerberos Key Distribution Centre (KDC) to provide authentication
services for a realm. It is as secure as an Active Directory environment.
• You can also use the Security Accounts Manager (SAM) and NTLM to authenticate local users. This option is
not as secure as the first two.

Password Management
There are no default passwords or pre-configured encryption keys in PortWise 4.7. All encryption keys and passwords are set or generated by the systems administrator at installation.
PortWise 4.7 does not store passwords or encryption keys in unprotected configuration files, LDAP directories, or other system storage.
Setting encryption keys by manual configuration is not recommended. Encryption keys that are not derived from a password are generated automatically by the system. A minimum key length of 128 random bits is used for stream and block ciphers. For RSA, a minimum of 1024 bits is used; note that 1024-bit RSA is below the 2048-bit minimum recommended today, so choose a longer key wherever the configuration allows it.
Block ciphers are used in cipher-block-chaining (CBC) mode rather than ECB, so that identical plaintext blocks do not produce identical ciphertext. CBC on its own does not detect modified or spliced ciphertext; protection against such cut-and-paste attacks requires a separate integrity check, such as a MAC over the ciphertext.
Encryption keys that are not generated automatically are derived from a password with a password-based key derivation function.


Systems administrators are advised to implement a password policy covering:
• A password dictionary of banned passwords
• A password history that remembers already used passwords, so that they cannot be reused
• Password validity time (not before, not after): a minimum age before a password may be changed again, and a maximum age after which it expires
• Password minimum length
• Constraints on characters, for example that a password must contain a capital letter and a number
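Such a policy is easy to state and easy to get subtly wrong, for example by keeping the password history in clear text. The following Python is an added example, not PortWise code, of a checker covering the five points above: a banned-word dictionary, a salted-hash history of fixed depth, a minimum and maximum password age, a minimum length, and character-class constraints. The policy parameters, the banned list, and the PBKDF2 round count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy parameters: constructed for this example, tune them to your own policy.
MIN_LENGTH = 10
HISTORY_DEPTH = 5       # previous passwords that may not be reused
MIN_AGE_DAYS = 1        # "not before": earliest day a password may be changed again
MAX_AGE_DAYS = 90       # "not after": the password has expired after this many days
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; raise it in production

# Constructed banned-password dictionary; a real one is far larger.
BANNED = {"password", "portwise", "welcome", "qwerty", "summer2009"}


def _digest(password, salt):
    """Salted PBKDF2-HMAC-SHA256, so the history never holds passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def record_password(history, password):
    """Append the new password to the user's history ring; the oldest entries drop off."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-HISTORY_DEPTH]


def in_history(history, password):
    """Constant-time comparison against every remembered digest."""
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in history)


def check_password(password, username, history):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    folded = password.casefold()
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if any(word in folded for word in BANNED):
        problems.append("banned_word")
    if username and username.casefold() in folded:
        problems.append("contains_username")
    if not re.search(r"[A-Z]", password):
        problems.append("no_uppercase")
    if not re.search(r"[0-9]", password):
        problems.append("no_digit")
    if in_history(history, password):
        problems.append("reused")
    return problems


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def validity(last_changed, today):
    """Validity window: 'too_soon' before the minimum age, 'expired' after the maximum age."""
    last_changed, today = _as_date(last_changed), _as_date(today)
    if today < last_changed + timedelta(days=MIN_AGE_DAYS):
        return "too_soon"
    if today > last_changed + timedelta(days=MAX_AGE_DAYS):
        return "expired"
    return "ok"
```

The history stores only salted, slow hashes, so a leaked history file does not hand an attacker the user's previous passwords; the minimum age stops users from cycling through the history in one sitting to get back to a favourite password.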

Use of Foreign Characters


Avoid foreign characters (å, ä, ö, ^, ¨, ~, and so on) in user names and passwords.
Since Active Directory treats "å, ä, and ö" as equivalent to "a and o", we recommend that these characters are not used in sAMAccountName. The user "Åke", for example, may otherwise be able to log on as "Ake", "Äke", or "Åke". PortWise 4.7 creates a separate PortWise user account for each of the three spellings, and the accounts consequently share no SSO data.
For other directory services, you need to investigate how foreign characters, and lower and upper case, are handled.
The PortWise logon page uses UTF-8 by default; if special characters must be supported, make sure that the logon templates are also edited to use UTF-8.
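To find the existing account names that this folding makes ambiguous before they turn into duplicate PortWise accounts, the following Python is an added example and not part of PortWise: it approximates the directory's treatment of å, ä and ö with Unicode decomposition, groups the sAMAccountNames that fold to the same key, and lists the names that should be renamed before they are used with PortWise SSO. The sample name list is constructed, and the folding rule is an assumption that approximates, rather than reproduces, Active Directory's own comparison.

```python
import unicodedata


def ad_fold(name):
    """Approximation of the folding described above: canonical decomposition, then drop
    the combining marks so that å and ä become a and ö becomes o, then case-fold.
    Assumption: this is a conservative stand-in for Active Directory's own comparison,
    not a reproduction of it; letters without a decomposition (for example ø) are kept."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()


def find_collisions(names):
    """Group the sAMAccountNames that the directory would treat as the same user."""
    groups = {}
    for name in names:
        groups.setdefault(ad_fold(name), []).append(name)
    return {key: members for key, members in groups.items() if len(members) > 1}


def non_ascii_names(names):
    """Names to rename before they are used with PortWise SSO."""
    return [name for name in names if not name.isascii()]


if __name__ == "__main__":
    sample = ["Åke", "Ake", "Äke", "Maria", "maria", "Björn"]   # constructed sample
    print("ambiguous after folding:", find_collisions(sample))
    print("non-ASCII names:", non_ascii_names(sample))
```

Run it against an export of sAMAccountName values; every group it reports is a set of logins that the directory accepts as one user but PortWise keeps apart.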

Securing Microsoft Active Directory


The following section contains summaries from the NSA Central Security Service's Security Configuration Guide "Guide to Securing Microsoft Windows 2000® Active Directory", http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/win2k/w2k_active_dir.pdf.
Please note that these guidelines do not include hands-on instructions for securing your Active Directory. You are advised to use the Microsoft help documentation for detailed information.

Recommendations for DNS Management


Active Directory uses the Domain Name System (DNS) for name resolution, to locate services, and to establish the domain namespace for the Active Directory hierarchy.
• Implement Active Directory integrated zones
• Use or create Active Directory DNS administrator groups and users to manage DNS
• Link only the designated DNS administrator groups and users, and configure permissions through the DNS server properties security tab
• Place the DNS administrators and users into a designated OU and apply the appropriate Group Policy

Recommendations for the Active Directory Installation


• Set permissions compatible only with Windows 2000 servers, if possible.
• Use robust password guidelines when setting the Directory Service Restore Mode Administrator’s password.
Consider using SYSKEY for additional security.


Recommendations for Domain and OU Management


• Active Directory domains represent a security boundary or partition because permissions and authority do not flow in or out of a domain. Permissions can, however, flow in and out of sites and Organizational Units. Note that Microsoft has since clarified that the forest, not the domain, is the real security boundary: an administrator of any domain in a forest can escalate to the whole forest, so place organizations that must be isolated from each other in separate forests.
• Create separate domains as needed to partition or compartment portions of Active Directory requiring different security or administrative policies.
• Physically secure domain controllers.
• As soon as possible, move default user and computer objects into OUs within the target OU structure.
• Members of the domain administrators group should generally not be placed in OUs to manage sub-domain elements of the directory tree.
• Take steps to ensure that unauthorized hidden OU objects do not exist within the directory structure.
• Use SYSKEY to augment the physical protection of domain controllers.
• At least one sub-domain or replica domain controller should be installed shortly after the first domain.

Recommendations for Tree and Forest Management


• Significant planning must be done before creating the DNS namespace, trees, and forests because many
aspects of these structures cannot be later modified.
• Maintain separate domains as needed to block administrative authority from one part of a system to another.
• Bulk imported accounts should be inactive; a secure method to create or change the account password as
each account is activated should be locally devised.

Recommendations for Object Access Control Management


• Use groups and group nesting to manage user permissions and to manage and audit access to Active Directory objects.
• Do not grant Modify Permissions or Modify Ownership permissions.
• Apply templates from the Security Configuration Toolset.
• Establish a policy to use system security tools to monitor and manage access control and security settings.
• Move printers into a single OU (or central OUs) to simplify security management and to apply a GPO.
• Use DACLs on published resources to manage access.
• Do not assign NTFS Write permission to a custom MMC console .msc file if it is to remain unchanged.
• Distribute custom MMC consoles via a shared folder with only Read & Execute NTFS permissions for users.

Recommendations for Replication Management


• Manually initiate NTDS replication to increase the certainty that security settings begin replication in a timely manner.
• If lack of network bandwidth is a security concern, minimize membership in and use of Universal Groups to reduce replication overhead.
• Use SMTP for replication between sites where replication crosses a firewall boundary. Note that SMTP replication carries only the schema, configuration, and global catalog partitions, not the domain partition, and requires certificates for the SMTP transport.


Recommendations for Operations Masters


• Permanently remove from the network a disabled domain controller that held a schema master, domain-naming master, or RID master whose role has been seized.
• Take measures to hide the identity of domain controllers from external networks.

Recommendations for Auditing


• Identify and audit specific user, computer, group and other objects that have security significance.
• Formulate a plan to test major changes to audit settings.

Resource Access
An authorization strategy enables you to effectively manage users’ access to different resources.

Access Strategies
The first part of this process is identifying your users by workgroup, job function, or a combination of workgroup and job
function. You can then identify the different types of resources that users access, such as departmental or job-specific
data.
You should consider policies that determine who is allowed to create user groups, how they are named, and how they
are administered.
In PortWise 4.7, the basic strategy for controlling access to resources is to create access rules. Based on the decisions you
make regarding how to identify different users and resources, access rules are created to support these decisions.

Information
Reminder: Access Rules protect resources by combining requirements such as user group memberships or date and time ranges, and authentication methods such as PortWise Web or Challenge.

Using Groups
An example: all users in the HR department might need access to privileged personnel records. To protect these, group
every member of the HR department into a user group that is authorized to access those files and create access rules of
the type User Group.
The rule of thumb is to assign permissions to groups, rather than to individual accounts.

Naming Conventions
Without a naming convention, the potential for simple mistakes when adding or removing user accounts and selecting
the correct group increases.
The consequences of granting access to the wrong group can be serious, causing members to have access to restricted
resources or to be denied access to resources that are necessary for job tasks.
When establishing a security group naming convention for your organization, ensure that names:
• Differentiate each group from similar groups
• Allow group names to be sorted alphabetically into organized lists

Select Authentication Methods


Some resources require a stable set of common permissions. A file share, for example, typically requires full permissions for very few people, read-write permission for more people, and read-only permission for most people. In this situation, you might create three user groups, one for each of the three common access levels.
The different user groups may also have different mobility requirements, which call for different authentication methods. A user belonging to a group with full permission on a file share may also need a strong authentication method that enables mobile access from different clients; the more a group is allowed to do, the stronger the authentication it should require.
The number of combinations is more or less infinite, which further emphasizes the need for thorough planning.

Pre-Installation Check List


The following list is by no means exhaustive, meaning that every organization must establish its own check list of the steps necessary for its deployment.
As always, use this list as inspiration and a starting point, not as something absolute.

Check | Activity | Comment
[ ] | Identify and resolve user management issues | Environment analyzed; directory service secured; password strategy in place
[ ] | Identify and resolve security issues | Public Key Infrastructure; operating system secured; file system secured; shared resources secured; physical environment secured; auditing strategy in place; backups and recovery strategies in place
[ ] | Ensure that the existing network has the necessary power supplies, switches, and other network components |
[ ] | Perform time synchronization |

Table 2-1: Pre-Installation Check List

The PortWise 4.7 Network


This section describes the recommended PortWise 4.7 network layout and provides a summary of default ports used
in the network.

Recommended Network Layout


The recommended PortWise 4.7 network layout is illustrated below.


Figure 2-5: PortWise Network

It is recommended that the Access Point reside on the DMZ. It interacts with the Policy Service to validate queries and
authorize access. The Access Point does not communicate directly with the Authentication Service.
The Policy Service and the Authentication Service are placed on the internal LAN. A directory service (the user storage)
is used for authorization and authentication purposes.

Default Listening Ports


Before installing PortWise 4.7, it is necessary to ensure that communication between the Access Point and the Policy Service is allowed. In addition, the Access Point must be able to access internal applications, as well as be made accessible to external traffic. Communication between the Authentication Service and the Policy Service also has to be enabled.


Figure 2-6: PortWise Network with Default Ports

The table below describes default listening ports used for traffic to and from the services in the PortWise network.

Information
Note that all registered services must be able to communicate with the Administration
Service.

Firewall Interface | From | To | Listening Port | Protocol and Comment
External Interface | All | Access Point | TCP 80 | HTTP (for redirection to HTTPS)
External Interface | All | Access Point | TCP 443 | HTTPS (SSL)
N/A | Access Point | Access Point | TCP 16972 | Internal communication for load balancing between Access Points
Internal Interface | Access Point | Policy Service | TCP 8301 | Internal communication between the Access Point and the Policy Service
Internal Interface | Access Point | Any internal application | Port used by internal application | Communication between the Access Point and internal applications
Internal Interface | Access Point | Administration Service | TCP 8300 | Internal communication between the Access Point and the Administration Service
N/A | Policy Service | LDAP Server | TCP 389 | LDAP communication
N/A | Policy Service | LDAP Server | TCP 636 | LDAPS communication (optional)
N/A | Policy Service | Policy Service | TCP 8301 | Internal communication for load balancing between Policy Services
N/A | Policy Service / External RADIUS client | Authentication Service | UDP 18120 | RADIUS communication for PortWise Mobile Text
N/A | Policy Service / External RADIUS client | Authentication Service | UDP 18121 | RADIUS communication for PortWise Web
N/A | Policy Service / External RADIUS client | Authentication Service | UDP 18122 | RADIUS communication for PortWise Challenge
N/A | Policy Service / External RADIUS client | Authentication Service | UDP 18123 | RADIUS communication for PortWise Password
N/A | Policy Service / External RADIUS client | Authentication Service | UDP 18124 | RADIUS communication for PortWise Synchronized
N/A | Policy Service / External RADIUS client | Authentication Service | UDP 18125 | RADIUS communication for PortWise OATH
N/A | Policy Service | Administration Service | TCP 8300 | Internal communication between the Policy Service and the Administration Service
N/A | Authentication Service | LDAP Server | TCP 389 | LDAP communication
N/A | Authentication Service | LDAP Server | TCP 636 | LDAPS communication (optional)
N/A | Authentication Service | Authentication Service | TCP 8302 | Internal communication for load balancing between Authentication Services
N/A | Authentication Service | Administration Service | TCP 8300 | Internal communication between the Authentication Service and the Administration Service
N/A | Administration Service | LDAP Server | TCP 389 | LDAP communication
N/A | Administration Service | LDAP Server | TCP 636 | LDAPS communication (optional)
N/A | Administrator client | Administration Service | TCP 8443 | HTTPS for administration
Internal, external or none | External RADIUS client | Authentication Service | UDP 18119 | RADIUS communication for accounting

Table 2-2: Default Listening Ports

Two points to keep in mind when writing the firewall rules: plain LDAP on TCP 389 carries bind credentials and directory data in clear text, so prefer the optional LDAPS listener on TCP 636 wherever the directory supports it; and RADIUS on UDP 18119 to 18125 protects the User-Password attribute only with an MD5-based construction under the shared secret, so restrict those listeners to the Policy Service and the known RADIUS clients rather than exposing them to every internal host.
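The RADIUS proxying described in the Authentication Service section and the UDP 18119 to 18125 listeners in Table 2-2 both rest on the RFC 2865 packet format. The following Python is an added example, not PortWise code: it builds an Access-Request with the User-Password hiding of RFC 2865 section 5.2, answers it as a toy authentication server, verifies the Response Authenticator on the client side, and shows what a proxy hop has to do, namely reveal the password under the inbound shared secret and re-hide it for the next hop. The shared secrets, the user store, and the NAS address are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator.
    This is reversible obfuscation under the shared secret, not encryption."""
    plain = password.encode("utf-8")
    plain += b"\x00" * (-len(plain) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], pad))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; anyone holding the secret (every proxy hop) can do this."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain, prev = plain + bytes(c ^ k for c, k in zip(block, pad)), block
    return plain.rstrip(b"\x00").decode("utf-8")


def build_access_request(ident, user, password, secret, nas_ip="10.0.0.2", authenticator=None):
    """Code, Identifier, Length, 16-octet random Request Authenticator, then attributes."""
    req_auth = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, user.encode("utf-8"))
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    attrs += _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos + 2 <= min(length, len(data)):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2:            # malformed attribute: stop instead of looping forever
            break
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs


def build_response(request, code, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(request, response, secret):
    """Client-side check before an Accept is trusted: the identifier must match the
    outstanding request and the Response Authenticator must verify under the secret."""
    _, req_id, req_auth, _ = parse_packet(request)
    _, resp_id, resp_auth, _ = parse_packet(response)
    if resp_id != req_id:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def serve(request, secret, users):
    """Toy authentication server: reveal the password and compare it with the user store."""
    code, _, req_auth, attrs = parse_packet(request)
    found = dict(attrs)
    user = found.get(USER_NAME, b"").decode("utf-8", "replace")
    try:
        password = reveal_password(found.get(USER_PASSWORD, b""), secret, req_auth)
    except UnicodeDecodeError:  # a wrong shared secret yields garbage
        password = None
    ok = code == ACCESS_REQUEST and password is not None and users.get(user) == password
    return build_response(request, ACCESS_ACCEPT if ok else ACCESS_REJECT, secret)


def proxy_forward(request, inbound_secret, outbound_secret, ident):
    """A proxy cannot just relay the packet: the hidden password is bound to the inbound
    secret and Request Authenticator, so it is revealed and re-hidden for the next hop."""
    _, _, req_auth, attrs = parse_packet(request)
    found = dict(attrs)
    user = found[USER_NAME].decode("utf-8")
    password = reveal_password(found[USER_PASSWORD], inbound_secret, req_auth)
    return build_access_request(ident, user, password, outbound_secret)
```

Two consequences follow directly from the code: every proxy hop sees the clear-text password, so the Authentication Service acting as a RADIUS proxy is as sensitive as the server it forwards to; and an attacker who can inject UDP datagrams towards the client only needs to defeat a 16-octet MD5 authenticator under the shared secret to forge an Access-Accept, which is why the shared secrets must be long and random and the listeners restricted to known clients.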


3 PortWise Installation
This chapter provides detailed information regarding the installation of PortWise 4.7. It covers the entire installation process, from preparation to installation, on Windows and Linux.
For optimal results, installation and use of PortWise 4.7 is preceded by thorough directory service and network security
planning as well as various technical preparations.
The following areas are described in detail below:
• Overview
• Preparation
• Installing on Windows
• Installing on Linux
• Installing PortWise Mobile ID on Mac OS X
• Upgrading PortWise Services and Clients
• Reverting an Upgrade
• Starting and Stopping PortWise Services
• Uninstalling PortWise 4.7

Overview
A default installation of PortWise 4.7 includes the following services:
• Administration Service
• Access Point
• Policy Service

The following services and clients are optional and available for installation when included in the license:
• Authentication Service
• Distribution Service
• Mobile ID
• Access Client


Information regarding installation of all available services and clients is included in this chapter.

PortWise User
In PortWise 4.7, we introduce the PortWise user (pwuser). PortWise services are executed as this user, who has limited
privileges.

PortWise User on Windows


When installing or upgrading one of the following services: Access Point, Administration Service, Authentication Service, Policy Service, or Distribution Service, the pwuser is created automatically (if it does not already exist). All these services, except for the Access Point, are executed as pwuser. The Access Point is executed as "Local System" by default, to make Full Network Access available "out of the box". Local System is the most privileged local account on the machine, so keep that in mind when hardening the Access Point host, which is the one PortWise server exposed to external traffic.
The PortWise user (pwuser) is a member of the Users group on Windows, which has limited rights.
To view the user each service executes as, open the Services window or the Processes tab in the Windows Task Manager.

Information
The pwuser is created according to the server's user account policy. One possible side effect of this is, for example, that the pwuser password expires if the "Maximum password age" option is set to a limited value.

For more information search for “net accounts” at http://microsoft.com.

Changing the PortWise User Password on Windows


It is not possible to log on as pwuser, but it is still recommended to change the default password for pwuser that is set at installation.
When changing the pwuser password, do not forget to enter the new password in the Log On tab of each service running as pwuser on Windows; otherwise those services fail to start with a logon failure the next time they are restarted.

PortWise User on Linux


When installing or upgrading one of the following product components: Access Point, Administration Service, Authentication Service, Policy Service, or Distribution Service, the pwuser is created (if it does not already exist).
The services are executed as this user, which you can verify with the command ps -ef.

Upgrade Overview
When upgrading from a previous release, the installers automatically detect that an upgrade rather than a fresh installation is required and perform it.
These are the steps performed by the installers during upgrade:
• Backup of configuration files
• Previous version is uninstalled
• New version is installed
• Restore of configuration files
• Upgrade script is run (Administration Service only)


Preparation
The preparations we recommend that you make before installing PortWise 4.7 are described below. Follow these recommendations to avoid any unnecessary problems during or after installation.

License
Ensure that you have a valid PortWise 4.7 license at hand. The license is uploaded in the PortWise Administrator in the
first step of the Setup System wizard.

IP Addresses
Ensure that you have the IP addresses of the machines on which you install the different services at hand.

Ports
Ensure that ports used in the PortWise 4.7 network are available (refer to the Default Ports section for details).

Time Synchronization
It is recommended that you perform time synchronization between the different services, to avoid any future problems
in PortWise 4.7 caused by differing timestamps.

Antivirus Programs
Some antivirus programs may display warnings during installation of the PortWise 4.7 services. For example, this can occur because the installation program replaces parameters in a file it has installed; the antivirus program may interpret this activity as a malicious script. If this occurs, allow the script or temporarily disable the antivirus program, and re-enable it as soon as the installation has finished.

Installing on Windows
Installation of PortWise 4.7 on Microsoft Windows 2003 Server includes the following procedures:
• Installing Administration Service
• Running Setup System wizard
• Installing Access Point
• Installing Policy Service
• Installing Authentication Service (Optional)
• Installing Distribution Service (Optional)
• Starting the services

Installation of PortWise 4.7 clients includes the following procedures:


• Installing PortWise Mobile ID (Optional)
• Installing Access Client (Optional)

All procedures are described below.


All installation log files are placed in the %APPDATA% folder. %APPDATA% is usually located in the Application Data
folder in your home directory.

Installing Administration Service


Double-click the file Install Administration Service.exe and follow the instructions in the installation wizard.
By default, the PortWise Administrator listens on host 127.0.0.1 and port 8443 (HTTPS) and redirects from port 8080 (HTTP). For communication within the PortWise network, it listens on host 127.0.0.1 and port 8300.
In the Setup System wizard, described below, you can change the host and port the PortWise Administrator listens on.

Important
If all services are installed on the same machine, 127.0.0.1 can be used for internal
communication. However, if the services are distributed on multiple machines, 127.0.0.1
cannot be used for any of the services.

Setup System
A wizard in the Web-based administration interface allows you to perform a basic configuration of the system. The Setup
System wizard must be completed before the remaining PortWise services can be used.

Information
The PortWise Administration Service must be started to run the Setup System wizard.

If you install all services on a single machine, you must not use port 8080 or 8443 for the Access Point since they are
used by default for the PortWise Administrator.
The host to be used for the external traffic to the Access Point must be specified as a DNS name in the license. By default,
the DNS name 127.0.0.1 is included in the license.
When defining the directory service, select a clean location (a location without LDAP objects) in the directory service
to store user accounts.

Installing Access Point


Double-click the file Install Access Point.exe and follow the instructions in the installation wizard.
When prompted to enter host and port for the Administration Service, use host 127.0.0.1 and port 8300 (if you have not
changed the settings for the Administration Service).

Information
You need to enter the server ID (default for the Access Point is 2) during the installation
process.

The Access Point is executed as “Local System” by default, to make full network access available “out of the box”.
During installation of the Access Point, the PortWise Access Point Virtual Client Driver required for full network access
is also installed. This will prompt a number of security warnings since the driver is not signed. Choose to continue with
the installation.
If you have decided not to run full network access, and therefore have no need for the PortWise Access Point Virtual
Client Driver, or if you experience serious problems during installation, you have the option to install the Access Point
without the PortWise Access Point Virtual Client Driver.
Use the following command on the command line to install the Access Point without the PortWise Access Point Virtual
Client Driver:
"Install Access Point.exe" /v"INSTALLDRIVERS=NO"

Installing Policy Service


Double-click the file Install Policy Service.exe and follow the instructions.
When prompted to enter the host and port for the Administration Service, use host 127.0.0.1 and port 8300 if you have
not changed the settings for the Administration Service.

Information
You need to enter the server ID (default for the Policy Service is 3) during the
installation process.

Installing Authentication Service (Optional)


The Authentication Service is optional in PortWise 4.7, and can be installed if included in your license.
Double-click the file Install Authentication Service.exe and follow the instructions in the installation wizard.
When prompted to enter the host and port for the Administration Service, use host 127.0.0.1 and port 8300 (if you have
not changed the settings for the Administration Service).

Information
You need to enter the server ID (default for the Authentication Service is 4) during the
installation process.

Installing Distribution Service (Optional)


The Distribution Service is optional in PortWise 4.7, and can be installed if included in your license.
Install Distribution Service if you need to distribute Mobile ID to your end users, for use with authentication methods
PortWise Synchronized and/or PortWise Challenge.
Double-click the file Install Distribution Service.exe and follow the instructions in the installation wizard.
During the installation, you will be prompted for the HTTP and HTTPS port numbers that the Distribution Service will
use.
When installation is completed, you can connect to the Distribution Service at:
http://<your host>:<HTTP port>/.

Information
A self-signed test certificate used for HTTPS is supplied with the Distribution Service.
The certificate is located at conf/servercert.p12. For instructions regarding replacing
the test certificate, please refer to Technical Note Replacing Distribution Service Test
Certificate.


Installing PortWise Mobile ID (Optional)


Install Mobile ID on the client computer if you will use authentication methods PortWise Synchronized and/or PortWise
Challenge. If you have installed the Distribution Service, download Mobile ID from the Distribution Service.
Double-click the file PortWise Mobile ID.msi and follow the instructions in the installation wizard.
When installation is completed, you can start Mobile ID from Start->All Programs->PortWise->Mobile ID->PortWise
Mobile ID.

Installing Access Client (Optional)


Install the Access Client on the client computer if your users do not have administrator privileges. You need administrator
privileges to install the Access Client, but not to run it. Please refer to the PortWise Online Help FAQ for further
information on the Access Client and required privileges.
Double-click the file Install Access Client.exe and follow the instructions in the installation wizard.
When installation is completed, you can start the Access Client from Start->All Programs->PortWise->Access Client->PortWise Access Client.

Installing on Linux
Installation of PortWise 4.7 on Red Hat Enterprise Linux 5 or SUSE Linux Enterprise Server 10 includes the following
steps:
• Installing Administration Service
• Running Setup System wizard
• Installing Access Point
• Installing Policy Service
• Installing Authentication Service (Optional)
• Installing Distribution Service (Optional)
• Starting the services

Installation of PortWise 4.7 clients includes the following procedures:
• Installing PortWise Mobile ID (Optional)

All procedures are described below.

Installing Administration Service


Enter ./install-administration-service-rh.bin or ./install-administration-service-suse.bin at
the command prompt to perform installation of the Administration Service.
To check that the Administration Service is installed, use rpm -qi administration-service.
By default, the PortWise Administrator will listen to host 127.0.0.1 and port 8443 (HTTPS). It will also redirect from port
8080 (HTTP). For communication within the network, it will listen to host 127.0.0.1 and port 8300. In the Setup System
wizard, described below, you can change the host and port the PortWise Administrator listens to.


Important
If all services are installed on the same machine, 127.0.0.1 can be used for internal
communication. However, if the services are distributed on multiple machines, 127.0.0.1
cannot be used for any of the services.

Setup System
A wizard in the Web-based administration interface allows you to perform a basic configuration of the system. The
Setup System wizard must be completed before the remaining PortWise services can be used.

Information
The PortWise Administration Service must be started to run the Setup System wizard.

If you install all services on a single machine, you must not use port 8080 or 8443 for the Access Point since they are
used by default for the PortWise Administrator.
The host to be used for the external traffic to the Access Point must be specified as a DNS name in the license. By
default, the DNS name 127.0.0.1 is included in the license.
When defining the directory service, select a clean location (a location without LDAP objects) in the directory service
to store user accounts.

Installing Access Point


Enter ./install-access-point-rh.bin or ./install-access-point-suse.bin at the command prompt to
perform installation of the Access Point.
You are prompted to enter server ID as well as the host and port for the Administration Service. Use host 127.0.0.1 and
port 8300 if you have not changed the settings. Server ID defaults to 2 after the Setup System wizard.
When the information has been entered, the installation starts automatically.
To check that the Access Point is installed, use rpm -qi access-point.

Installing Policy Service


Enter ./install-policy-service-rh.bin or ./install-policy-service-suse.bin at the command prompt
to perform installation of the Policy Service.
You are prompted to enter the server ID as well as the host and port for the Administration Service. Use host 127.0.0.1
and port 8300 if you have not changed the settings. Server ID defaults to 3 after the Setup System wizard.
When the information has been entered, the installation starts automatically.
To check that the Policy Service is installed, use rpm -qi policy-service.

Installing Authentication Service (Optional)


Enter ./install-authentication-service-rh.bin or ./install-authentication-service-suse.bin at
the command prompt to perform installation of the Authentication Service.
You are prompted to enter the server ID as well as the host and port for the Administration Service. Use host 127.0.0.1
and port 8300 if you have not changed the settings. Server ID defaults to 4 after the Setup System wizard.
When the information has been entered, the installation starts automatically.

To check that the Authentication Service is installed, use rpm -qi authentication-service.

Installing Distribution Service (Optional)


Install PortWise Distribution Service if you need to distribute PortWise Mobile ID to your end users, for use with
authentication methods PortWise Synchronized and/or PortWise Challenge.
Enter ./install-distribution-service-rh.bin or ./install-distribution-service-suse.bin at the
command prompt to perform installation of the Distribution Service.
To check that the Distribution Service is installed, use rpm -qi distribution-service.
When installation is completed, you can connect to the Distribution Service at http://<your host>:<HTTP port>/.

Information
A self-signed test certificate used for HTTPS is supplied with the Distribution Service.
The certificate is located at conf/servercert.p12. For instructions regarding replacing
the test certificate, please refer to Technical Note Replacing Distribution Service Test
Certificate.

Installing PortWise Mobile ID (Optional)


Install Mobile ID on the client computer if you will use authentication methods PortWise Synchronized and/or PortWise
Challenge. If you have installed the Distribution Service, download Mobile ID from the Distribution Service.
Enter ./install-portwise-mobile-id-rh.bin or ./install-portwise-mobile-id-suse.bin at the
command prompt to perform installation of Mobile ID.
To check that Mobile ID is installed, use rpm -qi mobile-id.

Installing PortWise Mobile ID on Mac OS X


Install Mobile ID on the client computer if you will use authentication methods PortWise Synchronized and/or PortWise
Challenge. If you have installed the Distribution Service, download PortWise Mobile ID from the Distribution Service.
Double-click the downloaded PortWise Mobile ID.dmg file to mount it, if it is not already mounted. Then start the
installer PortWise Mobile ID 2.1.pkg and follow the instructions.
Mobile ID is installed in the Application folder on your hard drive.

Upgrading PortWise Services and Clients


The procedure for upgrading the PortWise services and clients differs depending on the operating system used.


Upgrading on Windows

Important
Stop all PortWise services in Control Panel>Administrative Tools>Services before
upgrading.

Always back up your entire PortWise installation directory before upgrading, so that
you can revert to the previously installed release if necessary.

Always also make a backup of all PortWise accounts in the Directory Service.

Follow these instructions to upgrade the PortWise services on Windows:


1. Start the upgrade by double-clicking the appropriate installer:
Install Administration Service.exe
Install Access Point.exe
Install Policy Service.exe
Install Authentication Service.exe
Install Distribution Service.exe
2. Once the installer has started, it will recognize any previously installed versions. This will be displayed in the
installer window.
3. Follow the instructions in the installer to perform the upgrade.
4. Remember to manually start the PortWise services using Control Panel>Administrative Tools>Services.

PortWise Clients for Windows


PortWise Access Client
Close PortWise Access Client before upgrading.
1. Uninstall the previous PortWise Access Client (a restart is needed).
2. Install PortWise Access Client.

PortWise Mobile ID
Close PortWise Mobile ID before upgrading.
1. Start the upgrade by double-clicking the PortWise Mobile ID installer (PortWise Mobile ID.msi).
2. Follow the instructions in the installer to perform the upgrade.

Upgrading on Mac OS X
PortWise Mobile ID
Close PortWise Mobile ID before upgrading.
1. Start the upgrade by double-clicking the PortWise Mobile ID installer (PortWise Mobile ID.pkg).

2. Follow the instructions in the installer to perform the upgrade.

Upgrading on Linux

Important
Stop all PortWise services before upgrading:

/etc/init.d/administration-service stop
/etc/init.d/access-point stop
/etc/init.d/policy-service stop
/etc/init.d/authentication-service stop
/etc/init.d/distribution-service stop

Always back up your entire PortWise installation directory before upgrading, so you can
revert to the previously installed release if necessary.

Below is an example on how to back up your PortWise installation directory.

Example:
cp -r /opt/portwise /opt/portwise.old

IMPORTANT
Always make a backup of all PortWise accounts in the Directory Service

Follow these instructions to upgrade the PortWise services on Linux:


1. Start the upgrade by running the appropriate installer:
./install-administration-service-rh.bin or ./install-administration-service-suse.bin
./install-access-point-rh.bin or ./install-access-point-suse.bin
./install-policy-service-rh.bin or ./install-policy-service-suse.bin
./install-authentication-service-rh.bin or ./install-authentication-service-suse.bin
./install-distribution-service-rh.bin or ./install-distribution-service-suse.bin

2. Start all PortWise services after upgrading:
/etc/init.d/administration-service start
/etc/init.d/access-point start
/etc/init.d/policy-service start
/etc/init.d/authentication-service start
/etc/init.d/distribution-service start
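The `cp -r` backup shown above has one pitfall: if /opt/portwise.old is left over from an earlier upgrade, cp copies the installation into /opt/portwise.old/portwise instead, and the revert procedure later in this chapter would then restore the wrong tree. The following Python script is an added example (not part of this manual or of PortWise) that makes the backup under a timestamped name, refuses to write into an existing backup directory, and verifies the copy file by file before returning. The /opt/portwise path is the default from this manual; the function names are this example's own.

```python
"""Pre-upgrade backup of a PortWise installation directory.

Added example; not part of the PortWise manual or product.
"""
import os
import shutil
from datetime import datetime


def _file_sizes(root):
    """Map every regular file under root to its size (relative path -> bytes)."""
    sizes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # copytree reproduces links as links; only regular files are sized
            sizes[os.path.relpath(path, root)] = os.path.getsize(path)
    return sizes


def verify_backup(install_dir, backup_dir):
    """Check that every file in install_dir exists in backup_dir with the same size.

    Returns the number of files verified. Raises RuntimeError naming the first
    missing or mismatched file, so an incomplete copy is caught before the
    installer overwrites the original.
    """
    src, dst = _file_sizes(install_dir), _file_sizes(backup_dir)
    missing = sorted(set(src) - set(dst))
    changed = sorted(p for p in src if p in dst and src[p] != dst[p])
    if missing or changed:
        raise RuntimeError(
            f"backup incomplete: {len(missing)} missing, {len(changed)} size mismatches "
            f"(first: {(missing + changed)[0]})"
        )
    return len(src)


def backup_install_dir(install_dir, backup_dir=None):
    """Copy install_dir to backup_dir, verify the copy and return backup_dir.

    Unlike `cp -r SRC DST`, this refuses to proceed when DST already exists:
    cp would silently place the copy at DST/<basename of SRC> instead, and the
    revert procedure would not find the files where it expects them.
    """
    if not os.path.isdir(install_dir):
        raise FileNotFoundError(f"installation directory not found: {install_dir}")
    if backup_dir is None:
        stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
        backup_dir = f"{install_dir.rstrip(os.sep)}.{stamp}"
    if os.path.lexists(backup_dir):
        raise FileExistsError(f"refusing to overwrite existing backup: {backup_dir}")
    shutil.copytree(install_dir, backup_dir, symlinks=True)
    verify_backup(install_dir, backup_dir)
    return backup_dir


if __name__ == "__main__":
    # /opt/portwise is the default installation directory named in this manual.
    print("backup written to", backup_install_dir("/opt/portwise"))
```

Run it after stopping the services and before starting any installer; keep the printed backup path, since the revert procedure needs it to replace the installation folders.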


PortWise Clients on Linux


PortWise Mobile ID
Close PortWise Mobile ID before upgrading.
1. Start the upgrade by double-clicking the PortWise Mobile ID installer (install-portwise-mobile-id-rh.bin or
install-portwise-mobile-id-suse.bin).
2. Follow the instructions in the installer to perform the upgrade.

Reverting an Upgrade
Follow these instructions to revert the PortWise upgrade.

PortWise Services
Follow these instructions to revert the PortWise services’ upgrade:
1. Stop the PortWise services
2. Uninstall PortWise 4.x
3. Install the previous PortWise version without starting the services
4. Replace the installation folders with your backup folders
5. Restore your PortWise accounts in Directory Service from its backup
6. Start the PortWise services

PortWise Clients
Follow these instructions to revert the PortWise clients’ upgrade:

PortWise Access Client


1. Uninstall PortWise Access Client 4.x
2. Install the previous PortWise Access Client

PortWise Mobile ID
1. Uninstall PortWise Mobile ID 4.x
2. Install the previous PortWise Mobile ID

Starting and Stopping PortWise Services


The procedure for starting and stopping the PortWise services differs depending on the operating system used.


On Windows
On Windows, you use the Services window (Control Panel->Administrative Tools) to start and stop the PortWise
services. Select the applicable service in the list and click the Start or Stop link respectively to start and stop the
services.

On Linux
You start and stop the PortWise services at the command prompt.

Starting Services
To start the PortWise services, enter the following:
/etc/init.d/administration-service start
/etc/init.d/access-point start
/etc/init.d/policy-service start
/etc/init.d/authentication-service start
/etc/init.d/distribution-service start

Stopping Services
To stop the PortWise services, enter the following:
/etc/init.d/administration-service stop
/etc/init.d/access-point stop
/etc/init.d/policy-service stop
/etc/init.d/authentication-service stop
/etc/init.d/distribution-service stop

Starting Mobile ID
Start Mobile ID at the command prompt:
/opt/portwise/mobile-id/bin/mobile-id

Uninstalling PortWise 4.7


Information on how to uninstall PortWise 4.7 on Windows and Linux is provided below.

On Windows
Follow the instructions below to uninstall PortWise 4.7 on Microsoft Windows.
1. Stop the PortWise services in the Services window (Control Panel->Administrative Tools)
2. Use Add or Remove Programs in the Control Panel to remove the services from Windows Services as well
as to remove installed files

Information
Some files, including log files, will remain after uninstalling PortWise 4.7.


On Linux
Follow the instructions below to uninstall PortWise 4.7 on Linux.
1. Stop the PortWise services
2. At the command prompt, use rpm -e to remove the services as well as installed files:
rpm -e administration-service
rpm -e access-point
rpm -e policy-service
rpm -e authentication-service
rpm -e distribution-service

Information
Some files, including log files, remain after uninstalling PortWise 4.7.


4
Setup System

About Setup System


Setup System is a Web-based wizard providing step-by-step configuration of a basic PortWise 4.7 installation.
Setup System constitutes the second step of installing PortWise 4.7, following the installation of the Administration
Service. It results in a basic system configuration, including a connection to the directory service where PortWise user
accounts will be stored, as well as search rules for locating existing users and user groups in the directory service.
Setup System is performed in the Web-based PortWise administration interface, the PortWise Administrator. After
having installed Administration Service, you can access the Setup System wizard from any type of Web browser.
The first step of the Setup System wizard is to upload your PortWise license. The wizard adapts to the contents of your
license and only displays the steps relevant to your deployment.

Information
This chapter describes all available steps in the Setup System wizard, as provided when
using a full PortWise 4.7 license. Please refer to Getting Started with Setup System
in the PortWise 4.7 Online Help for detailed information including examples on
how to run the Setup System wizard.

If you leave the Setup System wizard before finishing it, the information you have entered is saved in the system. This
enables you to quit Setup System and resume setup at a later stage, if necessary, without the need to re-enter
information.

Requirements and Preparation


The following is required for Setup System:
• Administration Service
In order to run Setup System, you must have successfully installed the Administration Service.
• Valid license for PortWise 4.7
Your PortWise 4.7 license is received from PortWise or a PortWise partner. You need to know the location of
your license to be able to upload it.


• Directory service location for storing PortWise user accounts
It is possible to create a new organizational unit (OU) in your directory service for this purpose via the wizard.
You can also create the OU in your directory service in advance. We recommend that the location does not
contain existing users or user groups. PortWise 4.7 requires read and write permissions to this location. See
Directory service account below.
• Directory service account or accounts for PortWise access
During Setup System you specify an account for PortWise 4.7 to use for accessing the directory service.
PortWise 4.7 will store user accounts as well as read information about existing users and user groups. For
that reason, the account must have read and write permission in the directory service location where PortWise
user accounts will be stored, as well as read permissions in directory service locations where existing users and
user groups are stored. If you use different directory services for these purposes, you need to specify accounts
for each directory service used.

What Setup System Includes


These are the steps included in the Setup System wizard:
• Upload license file
• Configure directory service (for the purpose of storing PortWise user accounts)
• Set up Administration Service
• Set up Access Point
• Set up Policy Service
• Set up Authentication Service
• Select and configure PortWise authentication methods
• Select and configure other authentication methods
• Configure user storage (for the purpose of locating existing users)

The following sections describe the configuration options set during the Setup System wizard in detail.

Starting the Setup System Wizard


You access the PortWise Administrator and the Setup System wizard from the Administration Service dashboard.

Information
The PortWise Administration Service must be running to access the PortWise Administration Service dashboard. If
you did not select to start the PortWise Administration Service during installation, start it from the Services window
(Control Panel > Administrative Tools > Services) on Windows or by running the start script
/opt/portwise/administration-service/bin/administration-service.sh from the command prompt on Linux.


PortWise Administration Service Dashboard


To access the Administration Service dashboard after installing the Administration Service, you enter
https://127.0.0.1:8443 in a Web browser.
When accessing the Administration Service dashboard, a security alert dialog is displayed. This dialog enables you to
view the server certificate associated with the PortWise Administrator. The information listed includes Certificate
Authority (CA), the issuer of the certificate, validity, and associated DNS name.
The Administration Service dashboard contains the following sections:
• PortWise Administrator
This section contains a link for logon to the Web based administration system.
• PortWise 4.7 Documentation
This section contains links to available documentation in the PortWise 4.7 release.
• PortWise Online
This section contains links to corporate Web sites.

PortWise Administrator
At this point, the PortWise Administrator only consists of the Setup System wizard. When you access it from the
Administration Service dashboard, the start page of the Setup System wizard is displayed. There you upload your license
file to start the wizard.

Upload License File


The first step of the Setup System wizard is to upload the PortWise license file to adapt the PortWise Administrator to
the contents of your license. Once uploaded, you can return to this page at a later stage, for example if you have quit
the wizard before finishing it and log back on.

Settings
Label               | Mandatory | Description
Upload License File | No        | Name of your license file for upload
Uploaded            | No        | Name of previously uploaded license file

Table 4-1: License File

Select Directory Service


The next step in the Setup System wizard is to select your directory service.
It is possible to choose not to use a directory service with PortWise 4.7, but this severely limits PortWise functionality,
since it removes the features associated with user storage and user accounts.
Available options are:

• Microsoft Active Directory
• OpenLDAP
• Sun Java System Directory Server
• Novell eDirectory
• Other or customized directory service
• No directory service

The directory service is configured in the following step in the Setup System wizard. If you select not to use a directory
service, super administrator credentials are configured in the following step.

Configure Directory Service


This step of the Setup System wizard is displayed when you have selected a type of directory service.
During this step you specify which directory service will store the PortWise user accounts. You also specify where in the
directory service the PortWise user accounts will be stored, which account PortWise 4.7 will use to access the directory
service, and whether SSL is to be used in the communication with the directory service. In addition, you create a super
administrator account for the PortWise Administrator.
During Setup System you perform a basic configuration of the directory service. You can configure the directory service
in detail when the Setup System wizard is completed.
The settings for the directory service include:

Directory Service
Host (IP address or DNS name) for the directory service and port for the directory service. This is set to port 389 by
default. When SSL is selected it is recommended to use port 639, which is the default port for LDAP/S.
Distinguished name (DN) of the location in the directory service where PortWise user accounts will be stored (see
Browsing for Location DN below).
Account, DN, ID or similar depending on type of directory service (user name and password) with read and write
permissions in the OU where PortWise user accounts will be stored. A DN is a string of entries (attribute types with
values), such as “ou” for organizational unit or “dc” for domain control.

Example
ou=nnw,dc=thesecurecompany,dc=com

An ID can be an account name, for example admin.

Location DN
The full DN of the location in the Directory Service where PortWise user accounts will be stored. This does not have to
be an existing OU: when the DN of a new OU is entered as the Location DN, the OU is created automatically. An example
of this could be ou=test,ou=portwise,dc=thecurecompany,dc=com.

SSL
Option to use SSL in the communication with the directory service. This can be used to support users changing their
Active Directory password when logging on to the Application Portal using the Active Directory authentication method.


Option to upload CA certificate to validate the server certificate presented by the directory service.

Super Administrator
User name and password (see Super Administrator Password Policy below) to create a super administrator
account. The super administrator has full privileges in the PortWise Administrator. If Delegated Management is included
in the license, the super administrator can add additional administrators with privileges for resource and user account
management. Note that the super administrator credentials do not need to correspond to existing user credentials in
your directory service.
It is possible to change the password of the super administrator in PortWise Administrator (in the Monitor System
section using the Settings link at the bottom of the Monitor System page) after completing the Setup System
wizard.

Test Connection
Link to check whether a connection to the specified directory service can be established. Host, port, and credentials for
the account are checked.

Other or Customized Directory Service


If the selected directory service type is Other or Customized, additional settings to those listed above are available.
These settings are pre-configured for the individual directory services, but need to be specified when the system
does not know which directory service you use.
The additional advanced settings are:
• Object class: name of the object class used to store objects in storage, for example: organizationUnit.
• Naming attribute: the relative name of the common object class. Holds the object ID that is automatically
generated by the system.
• Storing attribute: the attribute used to store storage object attributes (property data smaller than 1024
bytes), for example searchGuide for Active Directory.
• Unique naming attribute: the attribute used to store the unique storage object name (or unique ID), for
example: l (for location).

Super Administrator Password Policy


When specifying the super administrator password in the Setup System wizard, you need to comply with a password
policy that is enabled in the system by default. You can disable the policy or change the password in the PortWise
Administrator after the Setup System wizard is completed. This is done in the Monitor System section using the
Settings link at the bottom of the Monitor System page.
The super administrator policy dictates that passwords must meet certain requirements. When enabled, the policy
requires passwords to have the following characteristics:
• The password consists of at least six characters
• The password contains characters from at least three of the four following categories:
  – English uppercase characters (from A through Z)
  – English lowercase characters (from a through z)
  – Base 10 digits (from 0 through 9)
  – Non-alphanumeric characters (for example: !, $, #, or %)
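As an added example (not PortWise code), the policy above expressed as a check you can run against a candidate password before entering it in the wizard. Function and message names are this example's own; matching the "English" wording of the categories, any character outside A-Z, a-z and 0-9 counts as non-alphanumeric.

```python
"""Super administrator password policy check.

Added example; not part of the PortWise manual or product. Implements the
policy as stated in the manual: at least six characters, drawn from at
least three of four character categories.
"""
import string

MIN_LENGTH = 6
MIN_CATEGORIES = 3


def password_categories(password):
    """Return the set of policy categories represented in the password.

    The manual defines the letter categories as English A-Z and a-z, so
    accented or non-Latin letters fall into "non-alphanumeric" here.
    """
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("uppercase")
        elif ch in string.ascii_lowercase:
            found.add("lowercase")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("non-alphanumeric")
    return found


def check_super_admin_password(password):
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    categories = password_categories(password)
    if len(categories) < MIN_CATEGORIES:
        names = ", ".join(sorted(categories)) or "none"
        problems.append(
            f"only {len(categories)} of {MIN_CATEGORIES} required character categories present ({names})"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Passw0rd", "password", "Pa5$"):
        verdict = check_super_admin_password(candidate) or ["complies with the policy"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The policy is a minimum, not a recommendation: a compliant six-character password such as the sample above is still weak for an account with full privileges in the PortWise Administrator, so treat the check as a gate and choose a considerably longer passphrase.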


Browsing for Location DN


When specifying a location in the directory service to store PortWise user account data, you can enter the full DN
directly. You may also browse to select an existing (previously created) location or parent location in your directory
service structure to retrieve a full or partial DN.
If you choose to browse for the location DN, you first need to enter an account and password to access the directory
service. You can enter part of the distinguished name before you browse or leave the field empty. If you have entered
part of the DN, it is displayed in the browse window. If you have not entered a DN, the browse window displays the root
DN of the directory service. You can also select root DN in a drop-down list.
The DN is displayed with a + sign. If you click the + sign, you can navigate to the appropriate location in the directory
service. When a location DN is selected the DN is automatically retrieved to the Configure Directory Service page.

Information
If you have not previously created a dedicated organizational unit for the purpose of
storing PortWise user data, it is possible to create a new OU by specifying the DN of a
non-existing OU. The OU will be created when you click Next in the wizard.

Settings
Label           | Mandatory | Description
Host            | Yes       | IP address or DNS name of the directory service.
Port            | Yes       | Listening port.
Account         | Yes       | DN, ID or similar (depending on type of directory service).
Password        | Yes       | Directory service password.
Location DN     | Yes       | The full distinguished name (DN) of the location in the Directory Service where PortWise user accounts will be stored.
Use SSL         | No        | Not selected by default.
CA Certificate  | No        | Certificate Authority certificate.
User Name       | Yes       | Logon name for the PortWise super administrator.
Password        | No        | Logon password to the PortWise Administrator.
Verify Password | No        | Verification of Password.

Table 4-2: Common Settings for all Directory Service Types

Label                   | Mandatory | Description
Object Class            | No        | Name of the object class used to store objects in storage.
Naming Attribute        | No        | Relative name of the common object class.
Storing Attribute       | No        | Common object class attribute name used to store storage object attributes.
Unique Naming Attribute | No        | Common object class attribute name used to store the unique storage object name (or unique ID).

Table 4-3: Specific Settings for Other or Customized Directory Service
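The following Python helpers are an added example (not PortWise code) for sanity-checking the Configure Directory Service input before clicking Test Connection: they parse a Location DN into its entries (handling the backslash-escaped commas that RFC 4514 allows inside values), derive the parent container the browse dialog would start from, check that the location lies under the directory's base DN, build the ldap:// or ldaps:// URL for a manual ldapsearch, and verify the mandatory fields of Table 4-2. The setting key names are this example's own. Two facts from the LDAP standards are worth keeping beside the text above: the attribute type dc is domainComponent, and the IANA-registered port for LDAP over SSL is 636, which the check uses as the expected port when Use SSL is selected.

```python
"""Validation helpers for the Configure Directory Service step.

Added example; not part of the PortWise manual or product.
"""

# IANA-registered port for LDAP over SSL/TLS.
LDAPS_PORT = 636

# Attribute types that normally appear in a location DN (RFC 4514 short names).
KNOWN_ATTRIBUTE_TYPES = {"ou", "dc", "cn", "o", "l", "c", "st"}

# Mandatory settings, modelled on Table 4-2 (the key names are this example's own).
MANDATORY_FIELDS = ("host", "port", "account", "password", "location_dn", "user_name")


def parse_dn(dn):
    """Split a DN into (attribute type, value) pairs, leaf entry first.

    A backslash escapes the following character, so "cn=Smith\\, John"
    keeps its comma instead of being split into two entries.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))

    pairs = []
    for rdn in parts:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed entry {rdn!r} in DN {dn!r}")
        pairs.append((attr, value))
    return pairs


def _escape(value):
    """Re-escape the characters parse_dn unescaped."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def format_dn(pairs):
    """Inverse of parse_dn."""
    return ",".join(f"{attr}={_escape(value)}" for attr, value in pairs)


def parent_dn(dn):
    """DN of the container one level up, i.e. where a browse for this location starts."""
    return format_dn(parse_dn(dn)[1:])


def is_under(location_dn, base_dn):
    """True if location_dn lies strictly below base_dn (values compared case-insensitively)."""
    loc = [(a, v.lower()) for a, v in parse_dn(location_dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(loc) > len(base) and loc[-len(base):] == base


def ldap_url(host, port, use_ssl=False):
    """URL form of the host, port and SSL settings, for a manual ldapsearch check."""
    return f"{'ldaps' if use_ssl else 'ldap'}://{host}:{int(port)}/"


def validate_directory_settings(settings):
    """Return a list of problems with the wizard input; an empty list means acceptable."""
    problems = [f"mandatory field missing: {f}" for f in MANDATORY_FIELDS if not settings.get(f)]
    if problems:
        return problems
    try:
        pairs = parse_dn(settings["location_dn"])
    except ValueError as exc:
        return [str(exc)]
    unknown = sorted({attr for attr, _ in pairs} - KNOWN_ATTRIBUTE_TYPES)
    if unknown:
        problems.append(f"unusual attribute types in Location DN: {', '.join(unknown)}")
    port = int(settings["port"])
    if settings.get("use_ssl"):
        if port != LDAPS_PORT:
            problems.append(f"Use SSL is selected but the port is {port}; LDAPS is registered on {LDAPS_PORT}")
    else:
        problems.append("Use SSL is not selected: the bind password and user data cross the network in clear text")
    return problems


if __name__ == "__main__":
    # The sample DN from this manual's Location DN description.
    sample = "ou=test,ou=portwise,dc=thecurecompany,dc=com"
    print(parse_dn(sample))
    print("browse from:", parent_dn(sample))
```

The clear-text finding is reported even though Use SSL is optional in the wizard, because the account configured here has write access to the OU holding every PortWise user account; if you must run without SSL, at least confine the directory connection to a network segment you control.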


Super Administrator Credentials

This step of the Setup System wizard is displayed instead of the Configure Directory Service step if you have
selected not to use a directory service. Here you specify the user name and password to create a super administrator
account.

Settings
Label | Mandatory | Description
User Name | Yes | Logon name for the PortWise super administrator.
Password | Yes | User logon password.
Verify Password | Yes | Verification of Password.

Table 4-4: Super Administrator Credential Settings

Set up Administration Service

Settings
Label | Mandatory | Description
Internal Host | Yes | IP address or DNS name of the Administration Service.

Table 4-5: Administration Service Settings

Set Up Access Point

During Setup System you perform a basic configuration of one single Access Point. You can configure the Access Point
in detail or configure additional Access Points when the Setup System wizard is completed.
The basic configuration of the Access Point consists of display name, host, and HTTP as well as HTTPS port.

Information
If you install all services on a single machine, you must not use ports 8080 or 8443 for
the Access Point since they are used by default for the PortWise Administrator.

The host to be used for the external traffic to the Access Point must be specified as a DNS name in the license. By default
the DNS name 127.0.0.1 is included in the license.

Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the Access Point.
Host | Yes | IP address or DNS name of the Access Point.
HTTP Port | No | Listening port for HTTP traffic. This is set to port 80 by default.
HTTPS Port | Yes | Listening port for HTTPS traffic. This is set to port 443 by default.

Table 4-6: Access Point Settings

Set Up Policy Service

During Setup System you perform a basic configuration of one single Policy Service. You can configure the Policy Service
in detail or configure additional Policy Services when the Setup System wizard is completed.
The basic configuration of the Policy Service consists of display name and host.

Information
Extensible Programming Interface (XPI) is automatically initialized for the Policy Service
when configuring the Policy Service in the Setup System wizard.

Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the Policy Service.
Host | Yes | IP address or DNS name of the Policy Service.

Table 4-7: Policy Service Settings

Set Up Authentication Service

During Setup System you perform a basic configuration of one single Authentication Service. You can configure the
Authentication Service in detail or configure additional Authentication Services when the Setup System wizard is completed.
The basic configuration of the Authentication Service consists of display name and host.

Select PortWise Authentication Methods

When configuring the Authentication Service you also select which of the PortWise authentication methods to use. You
can also enable (or disable) PortWise authentication methods after finishing the Setup System wizard.
Available PortWise authentication methods are:
• PortWise Mobile Text
• PortWise Web
• PortWise Challenge
• PortWise Password
• PortWise Synchronized

Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the Authentication Service.
Host | Yes | IP address or DNS name of the Authentication Service.
PortWise Mobile Text | Yes | Selected by default.
PortWise Web | No | Selected by default.
PortWise Challenge | No | Selected by default.
PortWise Password | No | Selected by default.
PortWise Synchronized | No | Selected by default.

Table 4-8: Authentication Service and Authentication Method Settings

Select Additional Authentication Methods

The next step in the Setup System wizard is to select which authentication methods (other than PortWise authentication
methods) to use.
In Setup System only the most commonly used authentication methods are available for configuration. You can configure
other types of authentication methods or configure selected authentication methods in detail after the Setup System
wizard is completed.
Authentication methods available in Setup System are:
• RSA SecurID
• Secure Computing SafeWord
• LDAP
• Microsoft Active Directory
• Windows Integrated Login
• NTLM
• Basic
• User Certificate

Selected authentication methods are configured in the following steps of the Setup System wizard.
For reference, additional authentication methods available in PortWise Administrator are:
• General RADIUS
• Extended User Bind
• Form-based Authentication
• E-ID
• E-ID Signer
• Custom-defined authentication method

Configure Authentication Methods

This step in the Setup System wizard is displayed if you have selected an authentication method (other than the PortWise
authentication methods).
During Setup System you perform a basic configuration of the authentication method. You can configure the authentication
method in detail after the Setup System wizard is completed.
Apart from the authentication methods Secure Computing SafeWord and RSA SecurID (RADIUS authentication), which have
identical configuration settings, the settings differ depending on the type of authentication method selected.

Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the authentication method.
Host | Yes | IP address or DNS name of the Authentication Service.
Port | Yes | Port of the Authentication Service.

Table 4-9: Common Authentication Method Settings

The LDAP server used is the directory service specified in the previous step of the wizard.
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the authentication method.
Administrator DN | Yes | User ID to access the Active Directory.
User Password | Yes | User password to the Active Directory.

Table 4-10: LDAP Settings

Default values are retrieved from the General Settings for Directory Service page in the Setup System wizard.
Label | Mandatory | Description
Root DN | No | DN for the root node in the Active Directory.

Table 4-11: Microsoft Active Directory Settings


Label | Mandatory | Description
Path | Yes | Address to the logon page. The format is: /%DIR%/pagename.html
Use SSL | No | Not selected by default.

Table 4-12: Windows Integrated Login Settings

Label | Mandatory | Description
Path | Yes | Address to the logon page. The format is: /%DIR%/pagename.html
NTLM Domain | Yes | Windows domain name.
Use SSL | Yes | Not selected by default.

Table 4-13: NTLM Settings

Label | Mandatory | Description
Path | Yes | Address to the logon page. The format is: /%DIR%/pagename.html
Use SSL | Yes | Not selected by default.

Table 4-14: Specific Basic Settings

Label | Mandatory | Description
Certificate Authority | No | CA used to validate the identity of the individual holding the user certificate.

Table 4-15: User Certificate Settings

Label | Mandatory | Description
Users Root DN | Yes | Root DN in IBM Tivoli where the system will search for users.
Password Policy DN | Yes | Password Policy DN specifies the location of the IBM Tivoli Password Policy object.

Table 4-16: IBM Tivoli Settings

Label | Mandatory | Description
Users Root DN | Yes | Root DN in IBM RACF where the system will search for users.
Expiration message (regexp) | Yes | When a user logs in, IBM RACF returns an error message if the password has expired. Specify the error code here if it differs from the default.

Table 4-17: IBM RACF Settings

Label | Mandatory | Description
Users Root DN | Yes | Root DN in Novell eDirectory where the system will search for users.

Table 4-18: Novell eDirectory Settings


Confirm Authentication Methods

In this step, the Setup System wizard lists the authentication methods you have selected. You can use the Previous link
to go back in the wizard to remove or add authentication methods before you proceed.
You can also add or remove authentication methods after completing the Setup System wizard.

Configure User Storage

Here you specify the user storage location that PortWise 4.7 will use to locate existing users and user groups. You also
specify search rules to enable PortWise 4.7 to locate the users and groups.
The user storage is configured for the purpose of using your local user administration. For example, PortWise 4.7 can
use existing user data such as phone numbers and passwords when creating user accounts, or leverage existing user
groups when you create access rules based on these groups.
To facilitate Setup System it is assumed that your users and user groups are stored in the same directory service that
you specified for maintaining PortWise user accounts (in the Configure Directory Service step). When this is the
case, you only need to enter a display name and specify search rules for the user storage. If you use a different directory
service for user storage, however, you need to specify that additional directory service first. See Configure Additional
Directory Service below for details.
You specify one single user storage location in the Setup System wizard and one single set of search rules. If your user
information is stored in several different locations, you can specify multiple levels of search rules for the user storage
after finishing the Setup System wizard.
If your users are stored on several different directory services, you can specify additional user storage locations with
corresponding search rules after finishing the Setup System wizard.

Information
This step in the wizard is not mandatory. You can configure the user storage after completing
the Setup System wizard. If you choose to configure the user storage in the wizard,
all fields are mandatory.

The settings for the user storage include:
• Display name for the user storage location
• User search rules
User root DN (see Browsing for Root DN below), object class name/class category, attribute name, search
scope. See Search Rules below for details.
• User group search rules
User group root DN (see Browsing for Root DN below), object class name/class category, attribute name,
member attribute name and search scope. See Search Rules below for details.
• Test connection
Link to check that a connection to the user storage can be established. The nodes in the search rules are
checked.


Browsing for Root DN

When specifying a root DN as the start base for user or user group searches in the directory service, you can enter the full
distinguished name directly, or browse to select an existing location or parent location in your directory service structure
to retrieve a full or partial DN.
If you browse for the location DN, the root DN of the directory service is displayed in the browse window. You can also
select a root DN in a drop-down list.
The DN is displayed with a + sign. If you click the + sign, you can navigate to the appropriate location in the directory
service. When a location DN is selected, the DN is automatically populated to the Configure Directory Service
page.

Search Rules

Search rules are designed to enable PortWise 4.7 to locate your users and user groups in the directory service. The
search rules you define depend on the directory structure of your organization and on which user objects you require.
Search rules are created by combining the following settings:
• User Root DN
The distinguished name of the search root from where the system will start to search for objects. If you want
to use a specific sub-tree in your directory service, you can specify the sub-tree as the search root.
Example: ou=people,dc=thesecurecompany,dc=com
• Object Category/Object Class Name
The object category (Active Directory) or object class name (other directory services) that users belong to.
Examples are user in Active Directory, and inetorgperson, the most common object class name. Refer to
your directory service documentation for additional information.
• Attribute Name
The attribute name to be used when searching for users. The values differ depending on the directory service
used: Active Directory uses samaccountname, other directory services use uid. Refer to your directory service
documentation for additional information.
Example: cn
Set to samaccountname when using Active Directory.
• Member Attribute Name
The member attribute name to use when searching for user groups. Example: member
• Search Scope
Use the search scope when searching for users. Available options are:
–– Object Level, which only searches for objects located on the base level.
–– One Level, which only searches for objects located directly below the base, not including the base.
–– Sub-tree Level, which only searches for objects located below the base, not including the base.

After the Setup System wizard is completed you can also apply additional filters to the search rules, for example to specify
that only users belonging to a certain group are accepted when creating user accounts, or that only users from a specific
domain will be accepted.
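The following is an added example and not PortWise code. It shows what a set of search rules amounts to once it reaches the directory: the user and user-group search filters that the root DN, object category/class, attribute name and member attribute settings describe, with the searched value escaped per RFC 4515 so that a crafted logon name cannot rewrite the filter, and the three search scopes evaluated over a constructed in-memory directory. Rules, AD_RULES, LDAP_RULES, SAMPLE_DIRECTORY and the function names are this example's own assumptions; the DNs are constructed sample data.

```python
"""Added example, not PortWise code: build the LDAP search filters that the
user and user-group search rules describe, escape the searched value per
RFC 4515, and evaluate the three search scopes over a constructed directory.

Rules, AD_RULES, LDAP_RULES, SAMPLE_DIRECTORY and the function names are
this example's own assumptions; the DNs are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping. A logon name such as '*)(uid=*' would otherwise
    rewrite the filter (LDAP injection) instead of being matched literally."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


@dataclass(frozen=True)
class Rules:
    """One set of search rules as entered in the Configure User Storage step."""
    user_root_dn: str
    user_class: str          # Object Category (Active Directory) or Object Class Name
    user_attribute: str      # samaccountname (Active Directory) or uid
    group_root_dn: str
    group_class: str         # group (Active Directory) or groupOfNames
    member_attribute: str    # attribute holding member DNs, e.g. member
    scope: str               # 'Object Level', 'One Level' or 'Sub-tree Level'
    active_directory: bool = False


def _class_attribute(rules: Rules) -> str:
    # Active Directory rules match on objectCategory, other directories on objectClass.
    return 'objectCategory' if rules.active_directory else 'objectClass'


def build_user_filter(rules: Rules, username: str) -> str:
    """Filter that locates one user below the user root DN."""
    return '(&(%s=%s)(%s=%s))' % (_class_attribute(rules), rules.user_class,
                                  rules.user_attribute, escape_filter_value(username))


def build_group_filter(rules: Rules, user_dn: str) -> str:
    """Filter that lists the groups whose member attribute names the user's DN."""
    return '(&(%s=%s)(%s=%s))' % (_class_attribute(rules), rules.group_class,
                                  rules.member_attribute, escape_filter_value(user_dn))


_UNESCAPED_COMMA = re.compile(r'(?<!\\),')   # DNs may contain escaped commas


def entries_in_scope(base_dn: str, scope: str, entry_dns: Iterable[str]) -> List[str]:
    """Entries a search with this base and scope would consider.

    Follows the manual's descriptions: Object Level is the base entry only,
    One Level the entries directly below it, Sub-tree Level every entry below
    it. DN comparison is case-insensitive and assumes no spaces around commas."""
    if scope not in ('Object Level', 'One Level', 'Sub-tree Level'):
        raise ValueError('unknown search scope: %r' % scope)
    base = base_dn.lower()
    hits = []
    for dn in entry_dns:
        low = dn.lower()
        if low == base:
            depth = 0
        elif low.endswith(',' + base):
            depth = len(_UNESCAPED_COMMA.split(low[:-(len(base) + 1)]))
        else:
            continue   # not under the base at all
        if (scope == 'Object Level' and depth == 0) or \
           (scope == 'One Level' and depth == 1) or \
           (scope == 'Sub-tree Level' and depth >= 1):
            hits.append(dn)
    return hits


# Constructed sample rules and directory content.
AD_RULES = Rules('ou=people,dc=thesecurecompany,dc=com', 'user', 'samaccountname',
                 'ou=groups,dc=thesecurecompany,dc=com', 'group', 'member',
                 'Sub-tree Level', active_directory=True)
LDAP_RULES = Rules('ou=people,dc=thesecurecompany,dc=com', 'inetOrgPerson', 'uid',
                   'ou=groups,dc=thesecurecompany,dc=com', 'groupOfNames', 'member',
                   'One Level')
SAMPLE_DIRECTORY = [
    'ou=people,dc=thesecurecompany,dc=com',
    'uid=alice,ou=people,dc=thesecurecompany,dc=com',
    'cn=Doe\\, John,ou=people,dc=thesecurecompany,dc=com',
    'ou=contractors,ou=people,dc=thesecurecompany,dc=com',
    'uid=bob,ou=contractors,ou=people,dc=thesecurecompany,dc=com',
    'ou=groups,dc=thesecurecompany,dc=com',
]

if __name__ == '__main__':
    print(build_user_filter(LDAP_RULES, 'alice'))
    print(build_group_filter(LDAP_RULES, 'uid=alice,ou=people,dc=thesecurecompany,dc=com'))
    for scope in ('Object Level', 'One Level', 'Sub-tree Level'):
        print(scope, entries_in_scope(LDAP_RULES.user_root_dn, scope, SAMPLE_DIRECTORY))
```

With the sample directory, One Level under ou=people finds alice, John Doe and the contractors OU but not bob, who sits one level further down; Sub-tree Level finds bob as well. The escaping step is what keeps a logon name containing * ( ) or \ from widening the user search beyond the intended account.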


Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the user storage location.

Table 4-16: General Settings

Label | Mandatory | Description
User Root DN | Yes | Start base for searches in the user storage.
Object Class Name | Yes | Object Class users belong to when using another directory service than Microsoft Active Directory. Set to inetOrgPerson by default.
Object Category | Yes | Object Class users belong to when using Microsoft Active Directory for user storage. Set to user by default.
Attribute Name | Yes | Unique user attribute. Set to samaccountname when using Microsoft Active Directory.
Search Scope | Yes | Set to Sub-tree Level by default.

Table 4-17: User Search Settings

Label | Mandatory | Description
User Group Root DN | Yes | Start base for searches in the user storage.
Object Class Name | Yes | Object Class users belong to when using another directory service than Microsoft Active Directory. Set to groupOfNames by default.
Object Category | No | Object Class users belong to when using Microsoft Active Directory for user storage. Set to group by default.
Attribute Name | Yes | Unique user attribute. Set to samaccountname when using Microsoft Active Directory. When using another directory service it is set to cn.
Member Attribute Name | Yes | Unique directory service member attribute.
Search Scope | Yes | Set to Sub-tree Level by default.

Table 4-18: User Group Search Settings

Select Additional Directory Service

This step in the Setup System wizard is displayed if you have selected to use another directory service for user storage
than the directory service specified for storing PortWise user accounts (in the Configure Directory Service step).
In this step you select which type of directory service to use.
Available directory services are:
• Microsoft Active Directory
• OpenLDAP
• Sun Java System Directory Server
• Novell eDirectory
• Other or customized directory service

The directory service is configured in the following step in the Setup System wizard.

Configure Additional Directory Service

This step in the Setup System wizard is displayed if you have selected a type of directory service to use for user storage,
different from the directory service specified for storing PortWise user accounts (in the Configure Directory Service
step).
The settings for the additional directory service include:
• Directory service
–– Host and port for the directory service
–– Account with read permissions in the directory service where existing users and groups are located
• SSL
–– Option to use SSL in communication with the directory service
–– Option to upload CA certificate to validate the server certificate presented by the directory service

After having configured the additional directory service used for user storage, you return to the Configure User Storage
step to continue by specifying the display name for the user storage and defining the search rules.

Settings
Label | Mandatory | Description
Host | Yes | IP address or DNS name of the directory service.
Port | Yes | Listening port for the directory service. This is set to port 389 by default.
Account | Yes |
Password | Yes | Defines the Password for the directory server Administrator.
Use SSL | No | Not selected by default.
Upload CA Certificate | No | CA certificate used to validate the server certificate presented by the directory server.

Table 4-19: Additional Directory Service Settings


Finishing the Setup System Wizard

In the last step of the Setup System wizard a confirmation page is displayed. The configured services are listed with
unique server IDs.
Make a note of these IDs, which you will need to enter when installing the services. It is also possible to look up the IDs
in the PortWise Administrator after finishing the Setup System wizard (select Manage System in the main menu, then
select Access Points, Policy Services, and Authentication Services respectively in the left-hand menu).


5
Administration

Introduction
This is a general introduction to PortWise Administrator.
The basic features in PortWise Administrator include:
• Web-based administration interface
• Task-oriented approach
• Wizards for common tasks
• Interface adapted to features included in the license
• Context-sensitive online user assistance

About PortWise Administrator

The PortWise Administrator has four types of menus:
• Top menu
• Main menu
• Left-hand menu

The Main menu is divided into four sections: Monitor System, Manage Accounts and Storages, Manage Resource
Access, and Manage System. Each section has a left-hand menu, allowing you to manage your configuration
in a flexible and structured environment. Use the Navigate in PortWise Administrator section below to acquaint yourself
with PortWise Administrator.
The Administrator is task oriented. When you click an Add… link, a wizard guides you through the process of adding
user accounts, resources, and so on. You can always cancel a wizard by selecting a different menu item or by simply
closing your browser. No changes are saved until you click Finish Wizard.
You can always step backwards in a wizard, using the Previous link.


Top Menu
Use the Publish button to distribute changes in the configuration to the entire PortWise network. When updates in the
PortWise services are ready for publishing, the Publish button is highlighted. This includes added or edited resources,
access rules, services and so on.

Information
Note that there is no need to publish updated user settings.

Use the Restore button to revert to a previous configuration. The last ten configurations are displayed, sorted by date.
You can select any configuration, but once restored, you cannot revert the process.
Use the Browse button to browse the centrally stored files. In the Browse dialog, the schemas, templates, and applets
stored in the Administration Service are displayed.
The browser allows you to create directories, and to create, move, and copy files in the PortWise directory structure.
Use the Help button to access help topics by using a table of contents, or to search the entire PortWise 4.7 Online Help.
Each page in the PortWise 4.7 Administrator has a corresponding help page.
The following tabs are available in the online Help:
• Use the Glossary tab to browse terms used in PortWise 4.7.
• Use the Search tab to find specific topics, the help pages for specific Administrator pages, or terms in their
context.
• Use the Index tab to search for key concepts in PortWise 4.7.

PortWise 4.7 Online Help

You can access the information in the PortWise 4.7 Online Help in different ways. If you click the question mark in
PortWise 4.7 Administrator, you access context-sensitive information concerning that specific page. There, you can
choose to expand the Help window to use the Table of Contents and tabs. If you click the Help button in the top menu
of the Administrator, you access the start page of the PortWise Online Help, with the Table of Contents and help tabs
already visible.
Below are brief descriptions of the contents of the different sections in the Table of Contents in the PortWise 4.7 Online
Help.

Getting Started
The Getting Started section of the PortWise 4.7 Online Help contains instructions for how to complete a basic setup
and an initial configuration of PortWise 4.7.
The section also contains instructions for getting started with different features in PortWise 4.7.

PortWise 4.7 Administrator

This section of the PortWise 4.7 Online Help contains help topics describing the contents of the PortWise Administrator,
and describing how to navigate in PortWise Administrator.
The main part of this section consists of help topics connected to all the PortWise Administrator pages. Here, you will
find conceptual information as well as detailed parameter information.


How To
The How To section of the PortWise 4.7 Online Help contains help pages containing detailed instructions for various
tasks performed in PortWise Administrator. The subjects cover common tasks as well as configuration that can be a bit
tricky to achieve. The instructions are sorted in alphabetical order.

Navigate in PortWise Administrator

Here, you will find brief descriptions of the PortWise Administrator main menu and left-hand menu items:

Monitor System
Use the Settings link to enable/disable Event Monitoring and to edit the Super Administrator logon credentials. In
Status Overview, current user, resource, and system information is displayed. Event Overview lists the events that have
occurred since the last logon.

System Status
System Status contains status information presented on four tabs: General Status, Access Points, Policy Ser-
vices, and Authentication Services.

User Sessions
Search for sessions using all or specific authentication methods to view or delete current user sessions.

Log Viewer
Search for specific log events or download a diagnostics .zip file containing all logs and configuration files for all servers.

Logging
Manage settings for logging of all or specific servers in the PortWise network. You can set log collection interval, debug
mode, and which time zone to use for timestamps.

License
View contents of the current license.

Alerts
Create alerts used to notify administrators of different types of events.

Reports
Generate reports containing statistics and run-time information on access, authentication, authorization, accounts,
and system.

Manage Accounts and Storage

In User Accounts, the number of registered users is displayed. The User Groups section lists the number of registered
user groups, sorted by type. In User Storage, registered user storage locations are displayed.

User Accounts
Add user accounts using the Add User Account wizard. To edit settings for a specific user account, you can search
for registered user accounts and users.


User Linking
Create user accounts by linking from user storage.

User Link Repair
Repair broken links used in User Linking.

User Import
Create user accounts by importing a file with existing user information.

User Groups
Add user groups using the Add User Group wizard. To edit settings for a specific user group, you can search for
registered user groups.

User Storage
Add user storage locations using the Add User Storage Location wizard. To edit settings for a specific user storage,
you can search for registered user storage locations.

Global User Account Settings

Manage global default settings for all registered user accounts. The General Settings tab contains default account
settings for logon to the Application Portal and PortWise authentication settings. Enable automatic and/or manual linking
on the User Linking tab. Enable auto repair to update links to the directory service on the Auto Repair tab.

Manage Resource Access

Use the add resource wizards to add Web and tunnel resources. All registered resource hosts and paths can be edited
or deleted here.

Standard Resources
Use the Standard Resource wizard to add standard resources.

Web Resources
Add Web resources using the Add Web Resource wizard. To manage settings for a specific Web resource host or path,
use the + sign to display detailed resource information.

Tunnel Resources
Add tunnel resources using the Add Tunnel Resource wizard. To manage settings for a specific tunnel resource host
or path, use the + sign to display detailed resource information.

Tunnel Sets
Add tunnel sets using the Add Tunnel Set wizard. To edit settings for a tunnel set, select tunnel set in the list.

Client Firewalls
Add client firewalls consisting of Internet firewall configurations. An Internet firewall configuration is a collection of rules
that control traffic to and from the Access Client. Each configuration is connected to a corresponding tunnel set.


Customized Resources
Add customized resources using the Add Customized Resource Host wizard. To manage settings for a specific
customized resource host, use the + sign to display detailed resource information.

Access Rules
Add access rules available for several resources and/or SSO domains using the Add Access Rule wizard. To edit
settings for an access rule, select the access rule in the list.

Application Portal
Add Application Portal items using the Add Application Portal Item wizard. To edit settings for a specific item,
select item in the list.

SSO Domains
Add SSO domains using the Add SSO Domain wizard. To edit settings for a specific SSO domain, select SSO domain
in the list.

Identity Federation
Add SAML 2.0 identity and service providers.

Global Resource Settings

Manage global default settings for all registered resources.
Global resource settings are managed on the following tabs:
• Specify internal proxy hosts on the Internal Proxy tab
• Manage DNS names on the Mapped DNS Names tab
• On the Filters tab, you manage filters used to filter specific pages or requests to specific resources
• Edit headers used for filtering on the Link Translation tab.

Manage System
The main Manage System page does not contain any functionality. It describes what you can do in the Manage
System section of the system: add, edit and delete services, certificates, authentication methods, RADIUS back-end
servers and clients, as well as configure directory service settings. It is also possible to enter global settings which apply
to all Access Points, Policy Services, and Authentication Services, and general settings for notifications and SMS
distribution.

Authentication Methods
Add authentication methods using the Add Authentication Method wizard. To edit settings for extended properties
and/or RADIUS replies for a specific authentication method, select authentication method in the list.
Add Certificate Authorities and Server Certificates using the applicable wizard.
To edit settings for a specific CA and/or server certificate, select item in the appropriate list.

Abolishment
Define actions performed on a client computer when using an abolishment access rule. Actions include the monitoring
of downloaded files and deleting of internet browser history and browser cache.


Assessment
Define user client computer assessment activities. Activities include: client scan, setup of reference machines, and use
of plug-ins in assessment access rules.

RADIUS Configuration
Add RADIUS clients using the Add RADIUS Client wizard. To edit settings for a specific RADIUS client, select the client in
the list. Click the Manage RADIUS Back-end Servers link to add and edit RADIUS back-end servers. These RADIUS
clients and back-end servers are used by the Authentication Service.

Notification Settings
Manage settings for notification message channels: SMS, e-mail, and/or E-mail/Screen. The notification channel settings
are also used for alerts.

Device Definitions
Manage definitions of how HTTP headers in requests are interpreted to identify devices by the Access Point. Add
definitions using the Add Device Definition wizard. To edit the definition of a specific device, select the device in the list.

Delegated Management
Manage administrative roles with different privileges and responsibilities.

Access Points
Add Access Points using the Add Access Point wizard. To edit settings for a specific Access Point, select the Access Point
in the list.
Click the Manage Global Access Point Settings link to display Client Access, Performance, Trusted Gateways,
Cipher Suites, and Advanced settings. Furthermore, use the Configure Load Balancing link to enter settings
for load balancing and to manage mirrored Access Points.

Policy Services
Add Policy Services using the Add Policy Service wizard. To edit settings for a specific Policy Service, select the Policy
Service in the list. Click the Manage Global Policy Service Settings link to edit default global communication settings.

Authentication Services
Add Authentication Services using the Add Authentication Service wizard. To edit settings for a specific Authentication
Service, select the Authentication Service in the list. Click the Manage Global Authentication Service Settings
link to display global default RADIUS authentication and password and/or PIN settings.

Administration Service
Manage internal (in the PortWise network) and external (with the client) communication settings.

Directory Service
Manage general settings for the directory service. You can change type of directory service here, and also enable SSL
communication.


6
Monitor System

About Monitor System

In this section, the general status of the system and the status of each specific service registered in the PortWise network
are presented.
Status and event information is only displayed if the license includes the applicable services or features.

Status Overview
In the Status Overview section, you view status of the registered number of concurrent users and user accounts. Also
listed are the number of registered resource hosts and Single Sign-On (SSO) domains.
System information includes PortWise 4.7 release and build number and the license type registered, which in turn
defines what services and features are included in your installation.
Administrators lists the Display Name of the user currently logged on to PortWise Administrator. Also listed is the
number of administrators logged on to the PortWise Administrator.

Event Overview
Event Overview provides you with a snapshot of the PortWise network status. It is updated in real time every 15
seconds.
Listed events include:
• Failed connection to the directory service or any of the configured user storage locations
• Restored connection to the directory service or any of the configured user storage locations
• Failed connection to any of the services included in the PortWise network
• Restored connection to any of the services included in the PortWise network
• Activated or deactivated debug logging

Enable Event Monitoring for polling of your directory service and user storage on the Monitor System page.


Manage Monitor System

Status Overview
Users
The following user information is displayed:
• Concurrent Users
Number of concurrent users is displayed.
• Registered User Accounts
Number of registered user accounts is displayed.
• Logged-on Users
Number of logged-on unique users is displayed.
• Active Users
Number of users that have made a request within the last 15 minutes is displayed. This time-out value is
configured in Manage Global Account Settings.

Resources
The following resource information is displayed:
• Registered Resources
Number of registered resources is displayed.
Only resource hosts are counted, not paths.
• Registered SSO Domains
Number of registered SSO domains is displayed.

System information
The following system information is displayed:
• Software Version
PortWise 4.7 release number is displayed.
• License Version
License version is displayed.
• License Type
License type is displayed. Available options are evaluation and production license.

Administrators
The following administrator information is displayed:
• Display name of the currently logged in administrator
• Number of logged on administrators


Follow the View Administrator Activities link to view, per administrator, the date and time of the last logon and of the last action taken. An action is anything performed in the PortWise Administrator by the administrator: clicked links as well as saved updates or completed wizards.

Event Overview
Each PortWise network event is listed with the date and time according to the browser locale setting.
Events that have occurred since the last time you were logged on are listed. If new events occur while you are logged
on, they are added to the list in real time.
The Event Overview list is updated every 15 seconds.
The following events can be listed:
• Lost connection to the directory service or any of the configured user storage locations
• Restored connection to the directory service or any of the configured user storage locations
• Lost connection to any of the PortWise network services
• Restored connection to any of the PortWise network services
• Activated debug logging
• Deactivated debug logging

Manage Settings
Enables event monitoring of the directory service and user storage, which checks the connection to the directory service every 15 seconds. Since each check results in an entry in the directory service log, clearing this option may improve performance.

Information
If you disable event monitoring, the Alert and Reporting events concerning Directory
Service and User Storages will not function properly.

You can enable the PortWise password policy to require that passwords used to log on to PortWise Administrator meet certain requirements.
The following requirements must be met if the PortWise password policy is enabled:
• The password is at least six characters long
• The password contains characters from at least three of the following four categories
–– English uppercase characters (from A through Z)
–– English lowercase characters (from a through z)
–– Base 10 digits (from 0 through 9)
–– Non-alphanumeric characters (for example: !, $, #, or %)

The current password for logon to the PortWise Administrator is not shown in clear text. This password was set during
the Setup System wizard.
Enter a new password for the Super Administrator to change the password. The new password is not shown in clear
text. If the Enable password policy option is selected, the password must meet the password policy requirements.
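The policy above as a validator, added here as an example rather than taken from PortWise. The six-character minimum and the three-of-four category rule are the page's; treating every character outside the three ASCII classes as non-alphanumeric is an assumption, since the manual only gives !, $, # and % as examples. The constants at the top are the knobs to turn if you reuse the check with a stricter policy in your own tooling.

```python
import string

MIN_LENGTH = 6           # minimum password length required by the policy
REQUIRED_CATEGORIES = 3  # categories that must each contribute at least one character

# The four character categories of the PortWise Administrator password policy.
# Counting anything outside the three ASCII classes as "non-alphanumeric" is an
# assumption; the manual only lists !, $, # and % as examples.
CATEGORIES = {
    "uppercase": lambda c: c in string.ascii_uppercase,
    "lowercase": lambda c: c in string.ascii_lowercase,
    "digit": lambda c: c in string.digits,
    "non-alphanumeric": lambda c: c not in string.ascii_letters + string.digits,
}


def categories_present(password):
    """Names of the categories that contribute at least one character."""
    return [
        name for name, is_member in CATEGORIES.items()
        if any(is_member(c) for c in password)
    ]


def check_password_policy(password):
    """Apply the policy: at least MIN_LENGTH characters, drawn from at least
    REQUIRED_CATEGORIES of the four categories.

    Returns (ok, failures). Every broken rule is listed, not just the first,
    so a caller can show the user everything that has to change at once.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(
            f"must be at least {MIN_LENGTH} characters (got {len(password)})"
        )
    present = categories_present(password)
    if len(present) < REQUIRED_CATEGORIES:
        failures.append(
            f"must use at least {REQUIRED_CATEGORIES} of {len(CATEGORIES)} character "
            f"categories (uses {len(present)}: {', '.join(present) or 'none'})"
        )
    return not failures, failures


if __name__ == "__main__":
    for candidate in ("Passw0rd", "password", "P4ss!"):
        ok, failures = check_password_policy(candidate)
        print(f"{candidate!r}: {'accepted' if ok else '; '.join(failures)}")
```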


Settings
Label                                                          Mandatory  Description
Enable event monitoring of directory service and user storage  No         Selected by default. This option can be disabled to enhance performance.

Table 6-1: Event Monitoring

Label                   Mandatory  Description
Enable password policy  No         Selected by default.
Current Password        No
New Password            (Yes)      Mandatory when Current Password is entered.
Verify New Password     (Yes)      Mandatory when New Password is entered.

Table 6-2: Super Administrator Password


System Status

About System Status

General Status
On the General Status tab, all registered services in the PortWise network, Directory Services, user storage locations, and RADIUS clients are listed with Display Name and DNS name or IP address.
Furthermore, the host, current server time, and version of the Administration Service are presented.
Configured notification channels are listed as enabled or disabled.

Access Points
On the Access Points tab, all registered Access Points are listed displaying Display Name and Host.

Policy Services
On the Policy Services tab, all registered Policy Services are listed displaying Display Name and Host.

Authentication Services
On the Authentication Services tab, all registered Authentication Services are listed displaying Display Name and
Host.


User Sessions

About User Sessions


In this section, you search for and view all ongoing user sessions.
You can search for current sessions by entering a User ID, or part of a User ID together with the wildcard character *, and selecting one or all authentication methods.
In the search result list, you can delete active user sessions. Deleting a session does not delete the user account.

Settings
Label                  Mandatory  Description
User ID                No         N/A
Authentication Method  No         N/A

Table 6-3: Search User Session

Label                  Mandatory  Description
Session ID             No         N/A
User ID                No         N/A
Client IP Address      No         N/A
Authentication Method  No         N/A

Table 6-4: View Active User Sessions


Log Viewer

About Log Viewer


The PortWise Administrator Log Viewer (in the Monitor System section) filters and displays log messages. To view logs, select the Filter settings and click the View Log link. A separate browser window then displays the logs.
Use Search Criteria to trace specific log events, such as the activity of a single user across the selected servers.

Example
logon userA

This example lists all log entries containing both the word logon and the word userA, that is, all logons made by the user userA.
The same search can also be entered as:

Example
logon and userA

Both forms display all log entries containing the words logon and userA.
Searches are not case sensitive and the search criteria can consist of several words. For an exact match, all entered words must exist in the line. Note that a search can be time consuming if there is a large number of logs to filter.
For an OR search, use the special word 'or'. OR operations have precedence over AND operations, so fatal or warning and sql is read as (fatal or warning) and sql.

Example
fatal or warning

Displays all lines with the FATAL or WARNING severity levels.

Example
fatal or warning and sql

Displays all messages with the FATAL or WARNING severity levels containing the word SQL.


Negations are obtained using the minus sign '-'.

Example
-info

Displays all severity levels except the INFO level (i.e. only the FATAL and WARNING levels).

Example
fatal or warning -sql

Displays all lines with the FATAL or WARNING severity levels, except for SQL messages.
The wildcard characters '*' and '?' are allowed. * signifies any number of characters, and ? signifies exactly one character.

Example
abc*def

Displays all lines where the text “abc” can be found before the text “def”.

Example
abc?def

Displays all lines where the text “abc” can be found, followed by exactly one character, and then followed by the text
“def”.
Quoted searches can be used to search for whole phrases or for the wildcard characters themselves.

Example
fatal or warning -lcp -"tc5 system"

Displays all lines that have the FATAL or WARNING severity levels but do not contain any LCP messages or the string "tc5 system".

Example
" info "

Displays lines containing the string "info" with a space on each side (that is, as a separate word).
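The search syntax above, implemented as a small evaluator so the rules can be tried against real log lines. This is an added example, not part of PortWise or its Log Viewer. It assumes case-insensitive substring matching, treats the word and as a redundant AND (as the logon and userA example implies), and applies the minus sign to the single term or quoted phrase that follows it. The log lines are constructed for the example.

```python
import re

# Constructed sample log lines (not real PortWise output) to run searches against.
SAMPLE_LOG = [
    "2009-03-02 10:14:07 INFO  Session created for user userA",
    "2009-03-02 10:14:09 INFO  logon userA from 10.0.0.7",
    "2009-03-02 10:15:30 WARNING SQL query took 4200 ms",
    "2009-03-02 10:16:02 FATAL Lost connection to Directory Service",
    "2009-03-02 10:16:40 WARNING LCP negotiation retry",
    "2009-03-02 10:17:11 FATAL tc5 system halted",
    "2009-03-02 10:18:00 INFO  logon userB from 10.0.0.8",
]


def tokenize(query):
    """Split a query into (text, negated, quoted) terms.

    A leading '-' negates the term, and a double-quoted phrase is one term in
    which '*' and '?' stay literal, as the Log Viewer syntax describes.
    """
    tokens = []
    i, n = 0, len(query)
    while i < n:
        if query[i].isspace():
            i += 1
            continue
        negated = query[i] == "-"
        if negated:
            i += 1
            if i >= n or query[i].isspace():   # a bare '-' is ignored
                continue
        if query[i] == '"':
            end = query.find('"', i + 1)
            if end == -1:                       # unterminated quote runs to the end
                end = n
            tokens.append((query[i + 1:end], negated, True))
            i = end + 1
        else:
            end = i
            while end < n and not query[end].isspace():
                end += 1
            tokens.append((query[i:end], negated, False))
            i = end
    return tokens


def compile_term(text, negated, quoted):
    """Compile one term to a case-insensitive regex matched anywhere in the line.

    Unquoted terms expand '*' to any run of characters and '?' to exactly one
    character; quoted terms are matched literally.
    """
    if quoted:
        pattern = re.escape(text)
    else:
        pattern = ".*".join(
            ".".join(re.escape(piece) for piece in chunk.split("?"))
            for chunk in text.split("*")
        )
    return re.compile(pattern, re.IGNORECASE), negated


def parse(query):
    """Group terms so that 'or' binds tighter than the implicit AND between terms.

    'fatal or warning -sql' becomes [[fatal, warning], [not sql]]: the terms of
    each inner list are OR-ed, and every inner list must hold for a line to
    match. The word 'and' is accepted as an explicit, redundant AND.
    """
    groups, join_previous = [], False
    for text, negated, quoted in tokenize(query):
        if not quoted and not negated:
            word = text.lower()
            if word == "or":
                join_previous = bool(groups)   # a leading 'or' has nothing to join
                continue
            if word == "and":
                continue
        term = compile_term(text, negated, quoted)
        if join_previous:
            groups[-1].append(term)
            join_previous = False
        else:
            groups.append([term])
    return groups


def line_matches(groups, line):
    """True when every OR-group has at least one term that holds for the line."""
    return all(
        any((regex.search(line) is not None) != negated for regex, negated in group)
        for group in groups
    )


def search(query, lines=SAMPLE_LOG):
    """Return the lines that satisfy the Log Viewer search criteria."""
    groups = parse(query)
    return [line for line in lines if line_matches(groups, line)]


if __name__ == "__main__":
    for query in ("logon userA", "fatal or warning and sql", 'fatal or warning -lcp -"tc5 system"'):
        print(f"{query!r}: {len(search(query))} line(s)")
```

An empty query matches every line, which is what the Log Viewer does when Search Criteria is left blank.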

Diagnostics File
You can download a .zip file containing all System, Audit, Billing, HTTP, and RADIUS logs for the selected servers.
The diagnostics file also contains all configuration files and message logs, as well as the debug logs (including the Access Point raw external and internal logs, raw proxy interchange log, form-based log, and hyperlinks log).
Selecting Enable debug logging on the Manage Global Logging Settings page enables the debug logs automatically.
Because the file bundles configuration files and raw Access Point logs, treat it as sensitive: restrict where it is stored and to whom it is sent.


Log Viewer Settings


You can select one, several, or all of the registered servers in the PortWise network in the Log Viewer. The messages displayed in the log viewer are restricted to the selected servers.
There are two time range options available: a last number of hours or days, or from and to dates (format depending on browser locale).

Settings
Label            Mandatory  Description
Log Type         No         Set to System log by default.
Servers          Yes        Set to All servers by default.
Search Criteria  No         Searches are not case sensitive and the search criteria can consist of several words. For an exact match, all entered words must exist.
Time Range       No         Set to Last 1 hour by default.

Table 6-5: Log Viewer Settings


Logging

About Logging
All registered servers in the PortWise network generate several individual logs. You can manage each server's log settings individually.
Note that both the Report and the Alert functionality depend on log collection. If the Log Collection Interval (set on the Manage Global Logging Settings page) is too high, the ability to view real-time reports diminishes, and alerts are not sent until the logs containing the triggering information have been collected.
PortWise 4.7 includes five types of logs:

Log Type      Log Levels            Description
System Logs   Fatal, Warning, Info  Logs run-time events
Audit Logs    Warning, Info         Logs user activity, such as log on, log out, and session events. All PortWise Administrator user activities are also logged here.
Billing Logs  Info                  Logs events required for billing
HTTP Logs     Info                  Logs HTTP server requests
RADIUS Logs   Info                  Logs RADIUS server requests

Table 6-6: Log Types

In the Administrator it is possible to filter the severity level of the logged messages. It is also possible to turn logging
off. The following table shows the possible log level filtering:
Log Level Filter Description
Off Logs nothing, the log is disabled
Fatal Logs only fatal messages
Warning Logs warning and fatal messages
Info Logs info and above messages

Table 6-7: Log Level Filters


Manage Logging
You manage logging settings for each registered service on individual tabs representing each log type.
The different services generate separate log types:
• Administration Service
Log types: System, Audit, Billing, and HTTP logs
• Access Point
Log types: System, Audit, and HTTP logs
• Policy Service
Log types: System, Audit, Billing, and HTTP logs
• Authentication Service
Log types: System, Audit, Billing, and RADIUS logs

The same kinds of settings can be configured for all log types; they are described below.

Information
Note that the Access Point audit log includes more settings than the other services’
audit logs. You can enable settings on the accessing client, session, and access request
settings such as requested path and resource, protocol used, and response information.

Log Level Filter


You can select a log level filter and define what severity levels should be logged for each log type on each registered
service.
Available log level filters are:
• Off
When Off is selected, the log type for that specific service is disabled. No log messages are generated.
• Fatal
Logs only fatal messages
• Warning
Logs only fatal and warning messages
• Info (default)
Logs all levels

Log File Rotation


When log file rotation is enabled, the current log file is periodically closed and a new one created, either once every day or when a maximum file size is reached. With size-based rotation, you also configure a maximum number of log files to keep. When that number is reached, the system removes the oldest log file before creating a new one.
When log file rotation is disabled, all log messages are written to the same log file.


Windows Event Log/Unix Syslog


You can select a log level filter for the Windows Event log or Unix syslog, depending on operating system, for the system log of each registered service.
Available log level filters are:
• Off (default)
When Off is selected, no system log messages are forwarded to the Windows Event log or syslog for that service.
• Fatal
Logs only fatal messages
• Warning
Logs only fatal and warning messages
• Info
Logs all levels

Information
Note that, unlike the service log level filter, this filter is set to Off by default.

Manage Global Logging Settings


You specify the path to the directory where all logs are stored. By default, this is the logs folder in each service's installation folder.
You also select whether timestamps are shown in local time or GMT.
You enter a log collection interval in seconds. Log collection is the collection of all logs from the PortWise network services to the Administration Service. The interval is set to 5 seconds by default.

Information
Note that if the Log Collection Interval is set too high, the ability to view real-time reports diminishes. Alerts are not sent until logs with this information are collected.

Select the Enable debug logging option to enable the debug logs automatically, including the Policy Service End-Point Security log and the Access Point raw external log, raw internal log, raw proxy interchange log, hyperlinks log, and form-based log.

Settings
Label Mandatory Description
Log Directory Yes Set to logs by default.

Table 6-8: Log Directory


Label       Mandatory  Description
Local time  No         Selected by default.
GMT         No         Not selected by default.

Table 6-9: Time Zone

Label                    Mandatory  Description
Log collection interval  No         Set to 5 by default.

Table 6-10: Interval

Label                 Mandatory  Description
Enable debug logging  No         Not selected by default.

Table 6-11: Debug Logging


License

About License
You initially uploaded the license file in the Setup Wizard. PortWise 4.7 scans the license and adjusts the PortWise Administrator to the included products and features.
The license format supports both concurrent users and named users. You decide which type of users the license should be based on when requesting the license.
You can upload a new license file if you have purchased additional features, if your license file has expired, or if it is corrupt.

View License Details


These are the contents of a full PortWise 4.7 license:
• License Number
A sequential number that uniquely identifies the license
• License Version
• License Type
Evaluation or Production
• Issued
Issue date.
• Issued To
Name, company, and e-mail address for the person the license was issued to
• Issued By
Name, company, e-mail address for the issuer of the license
• Validity PortWise 4.7
Start and end date of the validity period for the license. If an asterisk is used for the end date, the license does
not expire. The date format complies to your browser’s language settings.

• Max Concurrent Users
The maximum number of users allowed to use the system simultaneously. The number of users currently using the system is displayed in parentheses.
• Max Named Users
The maximum number of named users allowed to use the system. The number of registered named users is displayed in parentheses.
• Validity Authentication Service
Start and end date of the validity period for the Authentication Service. If the wildcard character * is used for the end date, the license does not expire.
• Max PortWise Authentication Users
The maximum number of named users allowed to use PortWise authentication methods. The number of registered users with PortWise authentication methods is displayed in parentheses.
• Max RADIUS Clients
The maximum number of RADIUS clients allowed
• Max Resources
The maximum number of allowed resources
• Max Authentication Methods
The maximum number of allowed authentication methods

All licensed DNS names, authentication methods, and features are listed in separate sections.

Upload New License


You specify the new license by clicking the Browse button to locate the license and then click the Upload License
link to replace the current license.
Remember to click Publish after you have uploaded a new license file, for distribution of changes to your network.

Settings
Label Mandatory Description
License File No N/A

Table 6-12: Upload New License


Alerts

About Alerts
Alert notifications are messages sent to selected receivers when specified events occur in the system. Receivers can be a selection of roles, managed in the Delegated Management section, or listed e-mail addresses or cell phone numbers.
Alert notification messages are distributed by e-mail and/or SMS. You need to configure the appropriate channel for each, on the Notification Settings pages in the Manage System section.
You can select and combine a number of pre-defined alert events. Alert events include lost and restored connections to the directory service or to services in the PortWise network, and user activity such as an exceeded number of access requests.
For example, if the Administration Service is unable to communicate with the directory service, the Lost connection to Directory Service alert event is triggered. If an alert has been created and configured to notify selected receivers of that event, an alert message containing event-specific information is created and distributed by SMS, e-mail, or both.

Alert Events
A number of pre-defined alert events are configured for you to select from:
• User accounts
Alerts can be triggered when accounts are locked and unlocked for access, authentication, and time-locks.
• Resources
Alerts can be triggered when resources are offline and online.
• PortWise network
Alerts can be triggered when the connection to services in the PortWise network are lost and restored.
• Directory service
Alerts can be triggered when the connection to the directory service is lost and restored.
• Authentication method server
Alerts can be triggered when the connection to the authentication method server is lost and restored.


Manage Alerts
Registered alerts are listed on the Manage Alerts page in the Monitor System section of PortWise Administrator.
You can add, edit, and delete alerts.

Alert Settings
All alerts consist of an alert event that triggers an alert notification.
You specify which type of notification channel to use for the alert notification messages. You can specify an SMS chan-
nel, an e-mail channel, or both. You can only specify channels that have been configured.
Notification channels are configured on the Notification Settings pages in the Manage System section of PortWise
Administrator.

Alert Event Settings


For alerts, you specify which type of alert events that will trigger an alert notification message. At least one alert event
must be selected.
You select alert events from a number of pre-configured alert event groups:
• User account events
Specify if alert notifications are triggered for locked and unlocked access, authentication, and time lock.
• Resource host events
Specify if alert notifications are triggered when resource hosts are offline and/or online.
• Services in PortWise network events
Specify if alert notifications are triggered when connections are lost and/or restored to services in the PortWise
network.
• Directory service events
Specify if alert notifications are triggered when connections are lost and/or restored to the directory service.
• Authentication method server events
Specify if alert notifications are triggered when connections are lost and/or restored to the authentication
method server.

Alert Notification Receivers


You specify which delegated roles receive alert notification messages about the selected events. Registered e-mail addresses and/or cell phone numbers are retrieved automatically for each selected role.
Roles other than those listed as available here are added in the Manage System section on the Delegated Management page.
Alert e-mail notifications can also be sent to receivers other than delegated roles, or to delegated roles with no registered e-mail address: you can add e-mail addresses with no connection to registered users or PortWise user accounts as receivers.
Alert SMS notifications can likewise be sent to receivers other than delegated roles, or to delegated roles with no registered cell phone number: you can add cell phone numbers with no connection to registered users or PortWise user accounts as receivers.


Settings
Label Mandatory Description
Enable alert No Selected by default.
Display Name Yes Unique name used in the system to identify the alert.
Description No

Table 6-13: General Settings

Label   Mandatory  Description
SMS     (Yes)      Either SMS, E-mail, or both are mandatory.
E-mail  (Yes)      Either SMS, E-mail, or both are mandatory.

Table 6-14: Notification Settings

Label                        Mandatory  Description
Locked for access            No         Not selected by default.
Unlocked for access          No         Not selected by default.
Locked for authentication    No         Not selected by default.
Unlocked for authentication  No         Not selected by default.
Time-lock locked             No         Not selected by default.
Time-lock unlocked           No         Not selected by default.

Table 6-15: Alert Events for User Accounts

Label    Mandatory  Description
Offline  No         Not selected by default.
Online   No         Not selected by default.

Table 6-16: Alert Events Resource Hosts

Label                           Mandatory  Description
Lost connection to service      No         Not selected by default.
Restored connection to service  No         Not selected by default.

Table 6-17: Alert Events PortWise Network

Label                Mandatory  Description
Lost connection      No         Not selected by default.
Restored connection  No         Not selected by default.

Table 6-18: Alert Events Directory Service


Label                Mandatory  Description
Lost connection      No         Not selected by default.
Restored connection  No         Not selected by default.

Table 6-19: Alert Events Authentication Method Server

Label              Mandatory  Description
Successful Backup  No         Not selected by default. When selected, an alert message is distributed when a scheduled backup has finished successfully. To receive this alert, a delegated role must have at least one of the Publish or View Logs privileges.
Failed Backup      No         Not selected by default. When selected, an alert message is distributed when a scheduled backup has failed. To receive this alert, a delegated role must have at least one of the Publish or View Logs privileges.

Table 6-20: Alert Events OATH Scheduled Backup

Label            Mandatory  Description
Available Roles  No         List of all available registered roles.
Selected Roles   No

Table 6-21: Alert Receivers

Label           Mandatory  Description
E-mail Address  Yes        E-mail address that will receive alert notifications.

Table 6-22: Add E-mail Address

Label              Mandatory  Description
Cell Phone Number  Yes        Cell phone number that will receive alert notifications.

Table 6-23: Add Cell Phone Number

Manage Global Alert Settings


All alert messages correspond to alert events, but you can edit the default messages or create your own specific messages on the Manage Global Alert Settings page.
By default, all messages include a variable for the exact date and time of the event. Note that the presentation of date and time is decided by your browser's locale settings. There are no constraints on how an alert message is designed, but keep the selected receiving method in mind: SMS messages, for example, can usually only display a limited number of characters.
When editing or designing alert messages regarding user accounts, resources, and PortWise services, a second variable indicates the specific event trigger.

Example
{0}: User {1} has been locked for authentication.

In this example alert message, {0} is replaced with the exact date and time of the event, and {1} is replaced with the affected user ID. The received alert message is presented like this:
2005-09-01 09:11:31: User Joe Smith has been locked for authentication.

You cannot apply formatting such as bold or italic text in alert messages.

Settings
Label Mandatory Description
Subject Yes Set to An alert has been triggered by default.

Table 6-24: Messages

Label                        Mandatory  Description
Locked for Access            Yes        Set to {0}: User "{1}" has been locked for access by default.
Unlocked for Access          Yes        Set to {0}: User "{1}" has been unlocked for access by default.
Locked for Authentication    Yes        Set to {0}: User "{1}" has been locked for authentication by default.
Unlocked for Authentication  Yes        Set to {0}: User "{1}" has been unlocked for authentication by default.
Time-lock Locked             Yes        Set to {0}: User "{1}" has been Time-lock locked until {2} by default.
Time-lock Unlocked           Yes        Set to {0}: User "{1}" has been Time-lock unlocked by default.

Table 6-25: User Accounts

Label                Mandatory  Description
Lost Connection      Yes        Set to {0}: Lost connection to Resource Host "{1}" by default.
Restored Connection  Yes        Set to {0}: Restored connection to Resource Host "{1}" by default.

Table 6-26: Resource Hosts


Label                Mandatory  Description
Lost Connection      Yes        Set to {0}: Lost connection to "{1}" by default.
Restored Connection  Yes        Set to {0}: Restored connection to "{1}" by default.

Table 6-27: PortWise Network

Label                Mandatory  Description
Lost Connection      Yes        Set to {0}: Lost connection to Directory Service by default.
Restored Connection  Yes        Set to {0}: Restored connection to Directory Service by default.

Table 6-28: Directory Service

Label                Mandatory  Description
Lost Connection      Yes        Set to {0}: Lost connection to Authentication Method Server used by Authentication Method "{1}" by default.
Restored Connection  Yes        Set to {0}: Restored connection to Authentication Method Server used by Authentication Method "{1}" by default.

Table 6-29: Authentication Method Servers

Label              Mandatory  Description
Failed Backup      Yes        Set to {0}: OATH database backup {1} failed. by default.
Successful Backup  Yes        Set to {0}: OATH database backup {1} successfully performed. by default.

Table 6-30: OATH Scheduled Backup
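The placeholder mechanism described above, as an added example that is not PortWise code: it fills the {n} variables the way the tables describe, refuses a custom message that references a placeholder its event does not supply (for instance {2} in a Directory Service message, which only provides {0}), and reports whether the text fits a single SMS. The event names, the per-event variable counts (read off Tables 6-25 to 6-30) and the 160-character SMS limit are assumptions made for the example.

```python
import re
from datetime import datetime

PLACEHOLDER = re.compile(r"\{(\d+)\}")

# Default message texts from Tables 6-25 to 6-30, with the number of variables
# each event supplies ({0} is always the event timestamp). Event names and the
# counts are assumptions read off the tables, not PortWise identifiers.
DEFAULT_MESSAGES = {
    "locked_for_authentication": ('{0}: User "{1}" has been locked for authentication', 2),
    "time_lock_locked": ('{0}: User "{1}" has been Time-lock locked until {2}', 3),
    "lost_connection_directory": ("{0}: Lost connection to Directory Service", 1),
    "lost_connection_resource_host": ('{0}: Lost connection to Resource Host "{1}"', 2),
    "oath_backup_failed": ("{0}: OATH database backup {1} failed.", 2),
}

# Assumed single-segment SMS length; the manual only says SMS is limited.
SMS_LIMIT = 160

# Timestamp from the manual's example output, reused in the usage below.
EXAMPLE_EVENT_TIME = datetime(2005, 9, 1, 9, 11, 31)


def placeholders_used(template):
    """Sorted, de-duplicated placeholder numbers referenced by a template."""
    return sorted({int(n) for n in PLACEHOLDER.findall(template)})


def undefined_placeholders(event, template):
    """Placeholders the event does not supply, e.g. {2} in a Directory Service message."""
    supplied = DEFAULT_MESSAGES[event][1]
    return [n for n in placeholders_used(template) if n >= supplied]


def render(event, values, when, template=None):
    """Fill the message template for an event.

    values are the event-specific variables ({1}, {2}, ...); {0} is always the
    event time. Raises ValueError instead of sending a message with a
    placeholder that cannot be filled, and reports whether the text fits one SMS.
    Returns (message, fits_in_sms).
    """
    default_text, supplied = DEFAULT_MESSAGES[event]
    text = default_text if template is None else template
    bad = undefined_placeholders(event, text)
    if bad:
        raise ValueError(f"{event}: placeholders {bad} are not supplied by this event")
    if len(values) != supplied - 1:
        raise ValueError(f"{event}: expected {supplied - 1} value(s), got {len(values)}")
    args = [when.strftime("%Y-%m-%d %H:%M:%S"), *[str(v) for v in values]]
    message = PLACEHOLDER.sub(lambda m: args[int(m.group(1))], text)
    return message, len(message) <= SMS_LIMIT


if __name__ == "__main__":
    message, fits = render("locked_for_authentication", ["jsmith"], EXAMPLE_EVENT_TIME)
    print(message, "(fits one SMS)" if fits else "(exceeds one SMS)")
    print(undefined_placeholders("lost_connection_directory", "{0}: Directory Service {1} is down"))
```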


Reports

About Reports
In addition to the Log Viewer, you can generate reports in PortWise 4.7. Reports can be snapshots of activity at a given time, or statistics showing, for example, the behavior of users or the usage of resources.
You can select to generate reports from seven report groups:
• Abolishment reports
• Assessment reports
• Access reports
• Authentication reports
• Authorization reports
• Account Statistics reports
• System reports

The option Complete Report generates a complete report containing statistics from all available report types.
Each report group consists of one or several reports, and each report contains one or several charts.
Reports are divided in three information parts:
• Time range
• Filters
• Graphics

Time Range
You can specify three types of time ranges:
• Last
When you specify a time range of the type Last, time is counted back from the current time, when the report is generated, over the specified period (in hours, days, weeks, months, or years).
For example, if you select Last 2 Days at 02:15 AM, data is collected for 24 hours + 02:15 hours back from now, that is, the previous full day plus the part of the current day that has elapsed.


• From - To date
When you specify a time range of the type From - To date, data is collected between two specific dates. Each day is counted as a full 24-hour period, from 00:00 to 24:00.
• All Available
When you specify a time range of the type All Available, data is collected from the time the database was created. If there is no data from that start time, the gap (from no data to data) shows in the reports.

Selecting large ranges increases the time needed to generate reports drastically.

Filters
You can specify filters to select the data included in different reports. Report groups have different available filters.
These filters are available for most reports:
• Access Points
Specifies one or several Access Points.
You make the selection from all registered Access Points.
• Policy Services
Specifies one or several Policy Services.
• Authentication Services
Specifies one or several Authentication Services.
• Client IP
Specifies one or a range of IP addresses.
You make the selection from all client IP addresses.
• User ID
Specifies users and user accounts.
You make the selection from all registered users, both PortWise user accounts and users stored in user storage.
• Devices
You make the selection from all registered devices.
• Web resource hosts
You make the selection from all registered Web resource hosts.
• Tunnel resource hosts
You make the selection from all registered Tunnel resource hosts.
• Tunnel Protocol
Select UDP, TCP or both.
• Tunnel IP
Specify the IP range for the tunnels.
• Tunnel Port
Specify the port range for the tunnels.


Graphics
You specify two types of graphics: Chart Types and Styles.
Each report can be presented using different chart types. For example, when you select to generate an Assessment
report, you can select the chart types Failed over Time, Succeeded over Time, Failed by Reason, and Failed by User. You
need to select at least one chart type to generate the report.
Each chart type is then presented using different styles: Bar, Line, or Pie in 2D or 3D.
PortWise 4.7 suggests a chart type and style by default per report, but you can change and combine any report with
any chart type and style.

Statistics
Statistics are presented in reports in PortWise Administrator. The reports are available in real time and historically.
PortWise 4.7 reports the following statistics:
• Response Time (after workload)
• Device Usage
• User resource usage
• Session trend
• Current Workload
• Bandwidth Usage
• Free memory space
• Free Disk Space

Information
Free disk space information is not available from Access Points.

Event statistics include:


• Access
• Authentication
• Assessment
• Abolishment

The statistics are available in different formats: current status, averages, and so on.
The reporting format also supports third-party products: PortWise 4.7 can provide reports that can be used in Microsoft Excel and Crystal Reports.

Data Retrieval
All reporting information is collected and stored in a database. Queries are run both to the database and the directory
service. The result is then graphically presented in PortWise Administrator with the possibility to store the result in a
text file or export it to a .zip file.


About Report Database


The database used to store the report statistics is HSQLDB (previously called Hypersonic SQL), a well-established open source database. It runs embedded in the Administration Service process. For more specific information about the database, please refer to http://www.hsqldb.org/.

Limitations
The HSQLDB database is allowed to grow to a maximum size of 250 MB. This limit is enforced by PortWise to ensure acceptable startup and shutdown times for the Administration Service. If statistics data needs to be stored for a longer period, use another database.
The HSQLDB database is suitable for up to 5000 authentication attempts per day, which allows statistics to be kept for a period of about 50 days.
If the workload exceeds 5000 authentications per day, use another, higher-performing database, for example MySQL. The database can be changed to any that supports JDBC and the SQL dialect defined by the SQL-92 standard.

Backup and Restore


To back up the database, stop the Administration Service and copy the \database\ folder.
To restore a backup, stop the Administration Service and replace the \database\ folder with the copy.
The copy contains the same user IDs and client IP addresses as the reports, so store it with the same access restrictions as the live database.

Schedule Cleanup
Scheduled cleanup is disabled by default so that no report statistics are lost. If you enable it, you specify how old events must be before they are removed. When enabled, scheduled cleanup runs once every midnight.
If scheduled cleanup is enabled and the HSQLDB database still reaches its limit before cleanup runs, decrease the number of days that are logged in the system log file.

Forced Cleanup
Forced cleanup runs once every midnight and acts only when the database is larger than 250 MB.
Forced cleanup removes all events from the oldest date in the database and repeats this, one date at a time, until the database is 250 MB or smaller.
Note that forced cleanup discards the oldest events without further warning. If the report statistics are kept as an audit trail, back up the database or move to an external database before the limit is reached.

Database Growth
At 250 MB the database holds approximately 1,750,000 events, at an average of 150 bytes per event.
Assume that each successful authentication generates a total of 7 events:
• 1 Authentication event
• 1 Assessment event
• 1 Abolish event
• 1 Session Created event
• 3 Authorization request events (assuming the request is cached in the Access Point)

One successful authentication therefore generates 7 events, or 7 * 150 = 1,050 bytes.
At 1,050 bytes per authentication, 5,000 authentications per day take about 5 MB per day, so the 250 MB limit holds roughly 50 days of report statistics.
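The growth figures and the two cleanup jobs above are easy to get wrong in capacity planning, so here is a small model of them as an added example (this is not PortWise code, and the in-memory per-day event table is a constructed stand-in for HSQLDB). It uses the manual's figures: a 250 MB limit, about 150 bytes per event and 7 events per successful authentication. retention_days() gives the days of history the database holds at a given login rate, and simulate() fills a database day by day while running scheduled cleanup (if configured) and forced cleanup every midnight, so you can see how many days survive:

```python
"""Capacity model for the PortWise report database as the manual describes it.

Added example, not PortWise code. The constants are the manual's own figures
(250 MB limit, ~150 bytes per event, 7 events per successful authentication);
the per-day event table is a constructed stand-in for HSQLDB.
"""
from __future__ import annotations

from datetime import date, timedelta

DB_LIMIT_BYTES = 250 * 1024 * 1024  # hard limit enforced by PortWise
BYTES_PER_EVENT = 150               # average event size quoted in the manual
EVENTS_PER_AUTH = 7                 # auth + assessment + abolish + session + 3 authz


def retention_days(auths_per_day: int, events_per_auth: int = EVENTS_PER_AUTH) -> float:
    """Days of history the 250 MB database holds at a given daily login rate."""
    bytes_per_day = auths_per_day * events_per_auth * BYTES_PER_EVENT
    return DB_LIMIT_BYTES / bytes_per_day


class ReportDb:
    """Events counted per calendar day; both cleanup jobs work on whole days."""

    def __init__(self) -> None:
        self.events_per_day: dict[date, int] = {}

    def record(self, day: date, n_events: int) -> None:
        self.events_per_day[day] = self.events_per_day.get(day, 0) + n_events

    def size_bytes(self) -> int:
        return sum(self.events_per_day.values()) * BYTES_PER_EVENT

    def day_count(self) -> int:
        return len(self.events_per_day)

    def oldest_day(self) -> str:
        """ISO date of the oldest day still present (empty string if none)."""
        return min(self.events_per_day).isoformat() if self.events_per_day else ""

    def scheduled_cleanup(self, today: date, max_age_days: int) -> int:
        """Midnight job (optional): drop events older than max_age_days.

        Returns the number of days removed.
        """
        cutoff = today - timedelta(days=max_age_days)
        old = [d for d in self.events_per_day if d < cutoff]
        for d in old:
            del self.events_per_day[d]
        return len(old)

    def forced_cleanup(self, limit: int = DB_LIMIT_BYTES) -> list[date]:
        """Midnight job (always on): while over the limit, drop the oldest day.

        This is the step that silently destroys history, so callers should
        treat a non-empty result as a warning sign.
        """
        removed: list[date] = []
        while self.events_per_day and self.size_bytes() > limit:
            oldest = min(self.events_per_day)
            del self.events_per_day[oldest]
            removed.append(oldest)
        return removed


def simulate(auths_per_day: int, days: int, max_age_days: int | None = None,
             start: date = date(2009, 1, 1)) -> ReportDb:
    """Fill the database day by day and run the midnight jobs after each day.

    max_age_days=None means scheduled cleanup is disabled (the default).
    """
    db = ReportDb()
    for i in range(days):
        today = start + timedelta(days=i)
        db.record(today, auths_per_day * EVENTS_PER_AUTH)
        if max_age_days is not None:
            db.scheduled_cleanup(today, max_age_days)
        db.forced_cleanup()
    return db


if __name__ == "__main__":
    print(f"5,000 logins/day fit for {retention_days(5000):.1f} days")
    db = simulate(5000, 60)
    print(f"after 60 days: {db.day_count()} days kept, oldest {db.oldest_day()}")
```

Running it shows that 5,000 logins a day fit for just under 50 days and that, with scheduled cleanup disabled, forced cleanup starts discarding the oldest day as soon as the fiftieth day is recorded. Set max_age_days below the value retention_days() returns for your login rate and forced cleanup never has to run, so the statistics you lose are exactly the ones you chose to age out.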

Manage Reports
Available report types are listed on the Manage Reports page in the Monitor System section of PortWise Administrator. You can generate several types of reports using different filters and chart types.
All reports can be generated using the default configuration.

Set Time Range


You specify a time range to compare statistics over time, to follow a trend, or to view the status of specific events at an exact time.
Time ranges are presented differently depending on the selected chart type.

Filter Selection | Time Unit  | X-axis                  | Comment
1–6 hours        | Minutes    | Every (h*60/12) minutes | Allowed hours: 1-24
7–18 hours       | Hours      | Every hour              |
19–24 hours      | Hours      | Every second hour       |
1 day            | Hours      | Every second hour       |
2-7 days         | Hours      | Every weekday           | Allowed days: 1-7
1 week           | Weekdays   | Every weekday           |
2-4 weeks        | Date       | Every day               | Example: April 24. Allowed weeks: 1-4
1 month          | Date       | Every day               |
2-12 months      | Months     | Every month             | Example: April 2005. Allowed months: 1-12
1 year           | Months     | Every month             |
2-29 years       | Year       | Every year              | Example: 2005. Allowed years: 1-29
Any date range   | Month/Year |                         |
Overall          | Month/Year |                         |

Table 6-29: Time Ranges

You can specify the following time ranges:

• Last
The system collects data backwards from the exact date and time when the report is generated, over the number of units selected according to Table 6-30 below.
For example, if Last 2 weeks is selected and the report is created at 12:15, the system collects data for the previous 336 (24 x 14) hours, ending at 12:15.

Input  | Value
Hours  | Entered value must be in the range 1 to 24.
Days   | Entered value must be in the range 1 to 7.
Weeks  | Entered value must be in the range 1 to 4.
Months | Entered value must be in the range 1 to 12.
Years  | Entered value must be in the range 1 to 30.

Table 6-30: Time Intervals

• From – To dates
The time range to collect data from is defined by a From date and a To date. For each day, the system uses a full 24-hour period starting at 00:00 and ending at 24:00.
• All available
The time range depends on the data available in the database.

Assessment Report Settings


The following filters are available for assessment reports:
• Access Points
• Client IP
• User ID
• Devices

For an assessment report, you can also specify the report specific filter Assessment Access Rule, which defines if all or
a selection of assessment access rules will be included in the report.
For assessment reports, you can select one, several, or all of the following chart types:
• Failed assessment attempts over time
By default presented as a bar chart
• Succeeded assessment attempts over time
By default presented as a bar chart
• Failed assessment attempts sorted by reasons
By default presented as a bar chart
• Failed assessment attempts sorted by users
By default presented as a bar chart

Abolishment Report Settings


The following filters are available for abolishment reports:

• Access Points
• Client IP
• User ID
• Devices

For an abolishment report, you can also specify the report specific filter Abolishment Access Rule, which defines if all or
a selection of abolishment access rules will be included in the report.
For abolishment reports, you can select one, several, or all of the following chart types:
• Failed abolishment attempts over time
By default presented as a bar chart
• Succeeded abolishment attempts over time
By default presented as a bar chart
• Failed abolishment attempts sorted by users
By default presented as a bar chart

Access Report Settings


The following filters are available for access reports:
• Access Points
• Client IP
• User ID
• Devices

For access reports, you can select one, several, or all of the following chart types:
• Access Requests by User
By default presented as a bar chart.
The number of access requests is calculated once per user session.
• Access Requests Over Time
By default presented as a bar chart.
The number of access requests is calculated once per resource request and not per user.
• Access Requests by Web Resource Host
By default presented as a pie chart.
The number of access requests is calculated once per resource request and summarized for each host.
The report also includes the name of the most frequently accessed resource host.
• Access Requests by Tunnel Resource Host
By default presented as a pie chart.
The number of access requests is calculated once per resource request and summarized for each tunnel
resource host.
The report also includes the name of the most frequently accessed tunnel resource host.

Authentication Report Settings


The following filters are available for authentication reports:
• Access Points
• Client IP
• User ID
• Devices
• Authentication Method

For an authentication report, you can also specify the report specific filter Authentication Method, which defines if all
or a selection of authentication methods will be included in the report.
For authentication reports, you can select one, several, or all of the following chart types:
• Failed Authentication Attempts over Time
By default presented as a bar chart.
• Succeeded Authentication Attempts over Time
By default presented as a bar chart.
• Failed Authentication Attempts by Reason
By default presented as a bar chart.
• Failed Authentication Attempts by User
By default presented as a bar chart.
• Authentication Method Usage
By default presented as a bar chart.
This chart displays the most frequently used authentication methods.
• Day Trend
By default presented as a bar chart.
This chart displays the average number of authentication attempts for each hour of the day over the specified period of time.
Note that the number is calculated once per resource request and not per user.
All authentication requests in the time range are summed for each hour of the day (0..23), and the value for each hour is divided by the number of days set in Time Range.
The time range must be one day or longer for any values to be presented in the report.

Authorization Report Settings


The following filters are available for authorization reports:
• Access Points
• Client IP
• User ID
• Devices
• Resources

For an authorization report, you can also specify the report specific filter Web Resource Hosts, which defines if all or a
selection of Web resource hosts will be included in the report.
For authorization reports, you can select one, several, or all of the following chart types:
• Failed Authorization Attempts over Time
By default presented as a bar chart.
• Succeeded Authorization Attempts over Time
By default presented as a bar chart.
• Failed Authorization Attempts by Reason
By default presented as a bar chart.
• Failed Authorization Attempts by User
By default presented as a bar chart.
• Day Trend
By default presented as a bar chart.
The number of authorization requests is calculated once per resource request and not per user.
All authorization requests in the time range are summed for each hour of the day (0..23), and the value for each hour is divided by the number of days set in Time Range.
The time range must be one day or longer for any values to be presented in the report.
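Both Day Trend charts (the authentication one above and the authorization one here) and the time-range rules from Set Time Range can be checked with the following added example (not PortWise code; the request timestamps are constructed). last_range() builds a "Last N units" window that ends at the exact report creation time and enforces the Table 6-30 limits, from_to_range() snaps a From–To selection to whole days, and day_trend() buckets every request by hour of day and divides by the number of days in the range, returning None for ranges shorter than one day. How a "Last N months" window is cut is an assumption (the same clock time N calendar months earlier), as the manual does not say.

```python
"""Time-range selection and the Day Trend chart as the manual describes them
for the authentication and authorization reports.

Added example, not PortWise code. The request timestamps are constructed;
in the product they come from the report database. Month and year windows
use calendar months (assumption: the manual does not say how 'Last N months'
is cut, so the same clock time N months earlier is used).
"""
from __future__ import annotations

import calendar
from datetime import datetime, timedelta

# Allowed input values per unit (Table 6-30)
UNIT_LIMITS = {"hours": (1, 24), "days": (1, 7), "weeks": (1, 4),
               "months": (1, 12), "years": (1, 30)}


def is_valid_last(value: int, unit: str) -> bool:
    lo, hi = UNIT_LIMITS.get(unit, (1, 0))
    return lo <= value <= hi


def _minus_months(dt: datetime, n: int) -> datetime:
    """Same clock time n calendar months earlier, clamping the day of month."""
    m0 = dt.month - 1 - n
    year, month = dt.year + m0 // 12, m0 % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def last_range(now: datetime, value: int, unit: str) -> tuple[datetime, datetime]:
    """'Last N <unit>': the window ends at the exact report creation time."""
    if unit not in UNIT_LIMITS:
        raise ValueError(f"unknown unit {unit!r}")
    if not is_valid_last(value, unit):
        lo, hi = UNIT_LIMITS[unit]
        raise ValueError(f"{unit}: entered value must be in the range {lo} to {hi}")
    if unit == "hours":
        start = now - timedelta(hours=value)
    elif unit == "days":
        start = now - timedelta(days=value)
    elif unit == "weeks":
        start = now - timedelta(weeks=value)
    elif unit == "months":
        start = _minus_months(now, value)
    else:  # years
        start = _minus_months(now, 12 * value)
    return start, now


def from_to_range(from_day: datetime, to_day: datetime) -> tuple[datetime, datetime]:
    """From-To: whole days, 00:00 on the From date up to 24:00 on the To date."""
    start = from_day.replace(hour=0, minute=0, second=0, microsecond=0)
    end = to_day.replace(hour=0, minute=0, second=0, microsecond=0) + timedelta(days=1)
    return start, end


def day_trend(timestamps, start: datetime, end: datetime) -> list[float] | None:
    """Average requests per hour of day (0..23) over [start, end).

    Every request is counted (once per resource request, not per user) and
    each hourly bucket is divided by the number of days in the range. Ranges
    shorter than one day yield None: the chart stays empty, as in the manual.
    """
    days = (end - start).total_seconds() / 86400
    if days < 1:
        return None
    counts = [0] * 24
    for ts in timestamps:
        if start <= ts < end:
            counts[ts.hour] += 1
    return [c / days for c in counts]


# Constructed sample: two working days of logins plus one request outside the From-To range.
SAMPLE_REQUESTS = [
    datetime(2009, 4, 20, 8, 5), datetime(2009, 4, 20, 8, 40), datetime(2009, 4, 20, 8, 55),
    datetime(2009, 4, 20, 9, 10),
    datetime(2009, 4, 21, 8, 20), datetime(2009, 4, 21, 17, 45),
    datetime(2009, 4, 22, 8, 0),   # after the To date below, must be ignored
]
SAMPLE_NOW = datetime(2009, 4, 24, 12, 15)   # constructed report creation time


def sample_trend() -> list[float] | None:
    """Day Trend for From 2009-04-20 To 2009-04-21 over the sample requests."""
    start, end = from_to_range(datetime(2009, 4, 20), datetime(2009, 4, 21))
    return day_trend(SAMPLE_REQUESTS, start, end)


def sample_trend_last(value: int, unit: str) -> list[float] | None:
    """Day Trend for a 'Last N <unit>' window created at SAMPLE_NOW."""
    start, end = last_range(SAMPLE_NOW, value, unit)
    return day_trend(SAMPLE_REQUESTS, start, end)


def sample_last_window_hours(value: int, unit: str) -> float:
    """Length in hours of a 'Last N <unit>' window created at SAMPLE_NOW."""
    start, end = last_range(SAMPLE_NOW, value, unit)
    return (end - start).total_seconds() / 3600


if __name__ == "__main__":
    print("Last 2 weeks =", sample_last_window_hours(2, "weeks"), "hours")
    for hour, avg in enumerate(sample_trend() or []):
        if avg:
            print(f"{hour:02d}:00  {avg:.1f} requests/day")
```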

Account Statistics Report Settings


For an account statistics report, you specify only the filters User ID, Web Resource Host, Tunnel Resource Host, Tunnel Protocol, Tunnel IP, and Tunnel Port.
By default, the following information is included in the account statistics report:
• Name of the most frequently accessed resource host
• Total number of PortWise user accounts, regardless of selected User ID filter
• User account with last failed authentication attempt
• User account with last succeeded authentication attempt
• User account with last changed password
• User account with last locked access
• User account with last locked authentication

For account statistics reports, you can select one, several, or all of the following chart types:
• User Access Attempts by Web Resource Host
By default presented as a pie chart.
For each web host, the number of users is presented both as an actual amount and as a percentage of the
total number of users.
The number is calculated once per user ID.
• User Access Attempts by Tunnel Resource Host
By default presented as a pie chart.

For each tunnel host, the number of users is presented both as an actual amount and as a percentage of the
total number of users.
The number is calculated once per user ID.

Session Trend Report Settings


The following filters are available for session trend reports:
• Access Points
• Client IP
• User ID
• Devices

By default, the following information is included in the session trend report:


• Concurrent Sessions over Time
By default presented as a bar chart.
The report also includes the peak value of concurrent sessions.
• Ongoing Sessions per User
By default presented as a bar chart.
Since the chart displays ongoing sessions, a specified time range is ignored.
• Duration
By default presented as a bar chart.
All sessions whose end time falls inside the specified time range are included, regardless of the session start time.
All session durations are summed, and the average is calculated and presented, broken down in minutes and days.

Communication Report Settings


No filters are specified for communication reports.
By default, the following information is included in the communication report:
• Lost Connections over Time
By default presented as a bar chart.
All failed connections for different PortWise services over time are displayed.
The report also includes lost connections to registered user storage locations and to the directory service.

Alert Report Settings


The following filters are available for alert reports:
• Access Points
• Client IP
• User ID
• Devices

By default, the following information is included in the alert report:


• Alerts
By default presented as a pie chart.
For each alert type, the number of alert notifications is presented both as an actual amount and as a percentage of the total number of alert notifications.
Note that all alert events are listed in the report, regardless of your configuration of alert notifications.

System Report Settings


The following filters are available for system reports:
• Access Points
• Client IP
• User ID
• Devices

By default, the following information is included in the system report:


• Client Server Connections
By default presented as a line chart.
The report also includes peak and average values for client and server connections.
• Used Memory over Time
By default presented as a line chart.
The report also includes the peak value of memory usage.
• Used Disk Space over Time
By default presented as a line chart.
The report also includes the peak value of disk space usage.
• SSL Sessions over Time
By default presented as a line chart.
The report also includes the peak value and average number of SSL sessions.

Performance Report Settings


For a performance report, you specify only the filters Access Points and Web Resource Hosts, which define whether all or a selection of Access Points and Web resource hosts are included in the report.
By default, the following information is included in the performance report:
• Request Rate over Time
By default presented as a line chart.
The report also includes the average request rate.
• Response Time by Host
By default presented as a bar chart.
The report also includes the average response time.

• Transfer Rate over Time
By default presented as a line chart.
The report also includes the average transfer rate.
• Client to Server
By default presented as a line chart.
The report also includes the average transfer rate to the server.
• Server to Client
By default presented as a line chart.
The report also includes the average transfer rate to the client.

Tunnel Report Settings


For a tunnel report, you specify only the filters Access Points, Tunnel Resource Hosts, Tunnel Protocol, Tunnel IP, and Tunnel Port that are included in the report.
By default, the following information is included in the tunnel report:
• Client to Tunnel Resource Host
By default presented as a line chart.
The report also includes the average transfer rate to the tunnel resource host.
• Tunnel Resource Host to Client
By default presented as a line chart.
The report also includes the average transfer rate to the client.

Settings
Label     | Mandatory | Description
All       | No        | All registered filter data is displayed.
Selection | No        | A search is performed and a selection can be made.
Available | No        | List of available filter data.
Selected  | No        | Selected from the Available list.

Table 6-31: Filter Settings

Label      | Mandatory | Description
Time Range | Yes       | Last - set to Last 1 week by default.
           |           | From - mandatory when To is specified.
           |           | To - mandatory when From is specified.
           |           | All

Table 6-32: Time Range Settings

7
Manage Accounts and Storage

About Accounts and Storage


The PortWise 4.7 solution provides enhanced identity and user management. Using a combination of user groups, user storage, directory service configuration, and identity management, PortWise 4.7 enables system administrators to control which users access which applications, and how.
On the Manage Accounts and Storage page, all user accounts, user groups, and user storage locations are listed for an easy overview of your system's user management status.

User Accounts
In PortWise terminology, users and user accounts are distinct. A PortWise user account is required to access registered resources, and each account is connected to an actual user, but not every user in your directory service needs a registered PortWise user account.
PortWise user accounts are linked to user information already stored in your directory service; a user storage link establishes the connection to that information.
User accounts are managed in the Manage User Accounts section.
In the Global User Account Settings section, you manage the global default settings used for authentication and time-outs, for user linking (described below), and for automatic repair of user links.
Refer to the About Creating User Accounts section for details on the different methods of creating user accounts.

User Import and Linking


User import and user linking are both alternatives to the Add User Account wizard. To create many user accounts at once with minimal manual intervention, you can import a file containing user information; the file must be formatted according to specific rules.
With user linking, user accounts are added according to the default settings configured in the Global User Account Settings section, with links to the appropriate user storage.
All default settings for user accounts created through import or linking are taken from the Global User Account Settings section.

User Groups
There are three types of user groups available in PortWise 4.7:
• User groups defined in directory service
• User location groups
• User property groups

User groups are managed in the Manage User Groups section.

User Storage
The user storage is the external location where users are stored; the Policy Service uses it as part of the authorization process. To automatically add references to existing users and user groups in the directory service (when authenticating a user, for example), you need to configure user storage.
It is recommended that user accounts are linked to the user storage, so that existing user information is reused.
When configuring user storage, you specify the host for the directory service and define a set of search rules for finding users and user groups.
You can specify several user storage locations in directory services of different types and from different vendors. For information on supported directory services, see the PortWise 4.7 Release Notes.
A user storage location was added to the system by the Setup System wizard.
User storage locations are managed in the Manage User Storage section.

Global User Account Settings

About Global User Account Settings


All global user account settings are used by default for new user accounts created with the Add User Account wizard or through User Linking. When a user account is created through User Import, these settings are used by default unless the import file specifies otherwise.
All default values are documented in the online Help, should you wish to revert to the default system configuration.
On the General Settings tab, you configure default account validity, PortWise authentication, and time-out settings.
The additional tabs, which concern user linking and link repair, are described below.

Information
Changes made in the settings for specific user accounts override the global default configuration.

About User Linking


When a user tries to access a resource using PortWise authentication and no matching user account exists, a PortWise user account is created and the user information is linked from the user storage location to the new account. With other authentication methods, the user must exist in the user storage for a user account to be created.
There are two methods of user linking: manual and automatic. Automatic linking takes place when users authenticate (as described above).
Manual linking is performed by the PortWise system administrator, who uses user linking in PortWise Administrator to create user accounts.
Default global settings for user linking are configured per PortWise authentication method; they are described in detail in the Manage Global User Account Settings section below.

About User Link Repair


If users are moved within or deleted from the user storage location, the established links between PortWise user accounts and the directory service are broken. Users with broken links cannot authenticate.
To repair broken links, the missing users are searched for in the user storage location and, when found, the link is re-established.
Link repair can be performed in two ways:
• Use the User Link Repair wizard to check directory links and repair or delete user accounts with broken links.
• Use the global default setting Auto Repair to repair user links automatically when users access the system. When Auto Repair is enabled, the directory link is updated automatically when the user attempts to access the system.

Manage Global User Account Settings


In PortWise 4.7, a number of default settings can be configured on the Global User Account Settings page. This page contains three tabs:
• General Settings
Includes default settings for user account validity, PortWise authentication, and time-outs.
• User Linking
Includes default settings for link repair methods and for each applicable authentication method.
• Auto Repair
Includes the option to enable auto repair.

General Settings
You configure the default maximum number of retries for user access for all accounts; you can override this number for specific user accounts using the Number of retries setting. When set to 0, the user account is never locked. This setting is used both for the default account configuration and for PortWise authentication.
You specify the number of days a user account is valid. This is used as the default when a new user account is created. When set to 0, the user account never expires.
Optional default account settings for PortWise authentication include:
• Use groups
When selected, user group names are supported. A group name can then be connected to a user when managing user accounts. This group information is sent to the RADIUS client, which can be configured to use the attribute for authorization.
• Framed IP
When a framed IP address has been configured, this IP address is sent from the Authentication Service to the network access point upon successful authentication. The access point can use this information in its authorization decisions.
• Time-lock
You set the time-lock time-out: the length of time users are locked out from further logon attempts after the number of consecutive failed logons set in Time-lock Interval.

Time-out settings are used as default values when a Web resource is created. To edit or specify any of these settings for a specific resource, go to the Web Resource Host Advanced Settings page.

You set the maximum user inactivity time before re-authentication is required, the validity time of a session in the system, the time since the user last authenticated with the required authentication method before re-authentication is required, and the time before users are warned and prompted to re-authenticate.
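The lockout and time-out rules described in this section (and given exact values in Tables 7-1 to 7-4 below) interact, so the following added example models them with the default values; this is not PortWise code, and the logon sequences it replays are constructed. Three points the page leaves open are treated as assumptions: a successful logon resets the failure counters, a released time-lock does not reset the Max Retries count, and a value of 0 disables a check. Session Time-out is left out because the page does not say whether it is renewed by activity.

```python
"""Account lockout and session-expiry rules from the General Settings tab,
modelled with the manual's default values.

Added example, not PortWise code; the logon sequences are constructed.
Assumptions not stated on the page: a successful logon resets both failure
counters; a released time-lock does not reset the Max Retries counter; a
value of 0 disables the corresponding check.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AccountPolicy:
    max_retries: int = 10            # Table 7-1: hard lock until an admin unlocks
    timelock_interval: int = 3       # Table 7-3: consecutive failures per time-lock
    timelock_timeout_min: int = 120  # Table 7-3: minutes the time-lock lasts


@dataclass
class AccountState:
    failed_total: int = 0            # counts toward Max Retries
    failed_streak: int = 0           # consecutive failures toward Time-lock
    locked: bool = False             # hard lock; cleared only by an administrator
    timelock_until: datetime | None = None


def logon_attempt(policy: AccountPolicy, st: AccountState, now: datetime, success: bool) -> str:
    """Apply one attempt. Returns 'ok', 'denied', 'timelocked' or 'locked'."""
    if st.locked:
        return "locked"
    if st.timelock_until is not None and now < st.timelock_until:
        return "timelocked"          # still inside the time-lock window
    if success:
        st.failed_total = st.failed_streak = 0
        st.timelock_until = None
        return "ok"
    st.failed_total += 1
    st.failed_streak += 1
    if policy.max_retries and st.failed_total >= policy.max_retries:
        st.locked = True             # Max Retries reached: account locked
        return "locked"
    if policy.timelock_interval and st.failed_streak >= policy.timelock_interval:
        st.timelock_until = now + timedelta(minutes=policy.timelock_timeout_min)
        st.failed_streak = 0
        return "timelocked"
    return "denied"


def run_logons(attempts: list[tuple[int, bool]], policy: AccountPolicy | None = None) -> list[str]:
    """Replay (minutes-after-start, success) pairs against a fresh account."""
    policy = policy or AccountPolicy()
    st, t0 = AccountState(), datetime(2009, 4, 24, 8, 0)
    return [logon_attempt(policy, st, t0 + timedelta(minutes=m), ok) for m, ok in attempts]


@dataclass
class SessionPolicy:
    max_inactivity_min: int = 15     # Table 7-4 defaults
    absolute_timeout_min: int = 720
    warning_sec: int = 60


def session_status(policy: SessionPolicy, authenticated_at: datetime,
                   last_activity: datetime, now: datetime) -> str:
    """'valid', 'warn' (re-authentication prompt due) or 'expired:<reason>'."""
    deadlines = []
    if policy.max_inactivity_min:
        deadlines.append(("inactivity", last_activity + timedelta(minutes=policy.max_inactivity_min)))
    if policy.absolute_timeout_min:
        deadlines.append(("absolute", authenticated_at + timedelta(minutes=policy.absolute_timeout_min)))
    for reason, deadline in deadlines:
        if now > deadline:
            return f"expired:{reason}"
    if deadlines and min(d for _, d in deadlines) - now <= timedelta(seconds=policy.warning_sec):
        return "warn"                # within Time-out Warning of the earliest deadline
    return "valid"


def sample_session_status(min_since_auth: float, min_since_activity: float) -> str:
    """Status of a constructed session under the default policy."""
    now = datetime(2009, 4, 24, 20, 0)
    return session_status(SessionPolicy(), now - timedelta(minutes=min_since_auth),
                          now - timedelta(minutes=min_since_activity), now)


if __name__ == "__main__":
    F, T = False, True
    print(run_logons([(0, F), (1, F), (2, F), (3, F), (130, T)]))
    print(sample_session_status(30, 14.5), sample_session_status(30, 16))
```

With the defaults, three failed logons in a row cost the user a two-hour time-lock, and an attacker who keeps going after each time-lock expires reaches the Max Retries hard lock on the tenth failure; note that Max Retries therefore also gives an attacker who knows a user ID a way to lock that user out, which is the usual trade-off with counter-based lockout.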

Manage User Linking


User linking can be performed manually or automatically; these default settings apply to both methods.
You specify whether PortWise authentication is enabled when a user account is linked to a user in the directory service.
When PortWise authentication is enabled for automatic user linking, you must also select a notification method.
Available options are:
• By e-mail (default)
• By SMS

Default global settings for user linking are configured per PortWise authentication method. These default settings include:
• Enable authentication method after user linking
• Generate password/PIN
When selected, the password/PIN is created automatically when user linking is used.
The password/PIN can instead be retrieved from the directory if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section. Select Generate Password for an automatically created password; when selected, directory mapping is not performed.
• Password/PIN never expires
When selected, the password/PIN does not expire when user linking is used.
• User cannot change password/PIN
When selected, users cannot change the password/PIN when user linking is used.
• User must change password/PIN at next logon
When selected, users are required to change the password/PIN at next logon when user linking is used.
• Use password from directory service
This option is only available for the authentication methods PortWise Mobile Text and PortWise Password.
When selected, the password used in the applicable directory service is used for authentication when user linking is used.

Information
Password and PIN can be retrieved automatically if a user storage attribute has been
specified on the Directory Mapping tab in the Manage User Storage section.

Settings
General Settings

Label              | Mandatory | Description
Max Retries        | Yes       | Maximum number of invalid login attempts allowed (1-999) before the user account is locked for authentication. Set to 10 by default.
Account Expires In | No        | Number of days a user account with enabled PortWise Mobile ID authentication is valid. Set to 0 by default (never expires).

Table 7-1: Default Account Settings

Label       | Mandatory | Description
Max Retries | Yes       | Maximum number of invalid login attempts allowed (1-999) before the user account is locked for PortWise authentication. Set to 9 by default.

Table 7-2: Default Account Settings for PortWise Authentication

Label                            | Mandatory | Description
Use Groups                       | No        | Not selected by default.
Use Framed IP                    | No        | Not selected by default.
Time-lock Time-out               | Yes       | Number of minutes (1-999) the user account is locked out of the system after the number of incorrect logon attempts set in Time-lock Interval. Set to 120 by default.
Time-lock Interval               | Yes       | Number of consecutive incorrect logon attempts allowed before the user account is time-locked. Set to 3 by default.
Change Password/PIN Notification | No        | Number of days (1-19) after which users are asked to change their password/PIN. Set to 7 by default.

Table 7-3: Account Settings for PortWise Authentication

Label               | Mandatory | Description
Max Inactivity Time | Yes       | Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default.
Session Time-out    | Yes       | Validity time in minutes (0-1440) for a session in the system. Set to 30 by default.
Absolute Time-out   | Yes       | Time in minutes (0-1440) since the user was last authenticated with the required authentication method before re-authentication is required, independent of user activity. Set to 720 by default.
Time-out Warning    | Yes       | Time in seconds (0-3600) before the user is warned and prompted to re-authenticate. Set to 60 by default.

Table 7-4: Time-Out Settings

Auto Repair

Label                                                   | Mandatory | Description
Auto repair user links when the users access the system | No        | Selected by default.

Table 7-5: Auto Repair Users

User Linking

Label                                                              | Mandatory | Description
Enable PortWise Authentication when manually linking the user      | No        | Not selected by default.
Enable PortWise Authentication when automatically linking the user | No        | Not selected by default.
Notification                                                       | No        | Available options are: By E-mail and By SMS. Set to By SMS by default.

Table 7-6: User Linking

Label                                           | Mandatory | Description
Enable authentication method after user linking | No        | Not selected by default.
Generate password                               | No        | Not selected by default.
Password never expires                          | No        | Not selected by default.
User cannot change password                     | No        | Not selected by default.
User must change password on next logon         | No        | Not selected by default.
Use password from directory service             | No        | Not selected by default.

Table 7-7: PortWise Mobile Text

Label                                           | Mandatory | Description
Enable authentication method after user linking | No        | Not selected by default.
Generate password                               | No        | Not selected by default.
Password never expires                          | No        | Not selected by default.
User cannot change password                     | No        | Not selected by default.
User must change password on next logon         | No        | Not selected by default.

Table 7-8: PortWise Web

Label                                           | Mandatory | Description
Enable authentication method after user linking | No        | Not selected by default.
Generate PIN                                    | No        | Not selected by default.
PIN never expires                               | No        | Not selected by default.
User cannot change PIN                          | No        | Not selected by default.
User must change on next logon                  | No        | Not selected by default.
Generate seed                                   | No        | Not editable. Selected by default.

Table 7-9: PortWise Challenge


Label                                           | Mandatory | Description
Enable authentication method after user linking | No        | Not selected by default.
Generate password                               | No        | Not selected by default.
Password never expires                          | No        | Not selected by default.
User cannot change password                     | No        | Not selected by default.
User must change password on next logon         | No        | Not selected by default.
Use password from directory service             | No        | Not selected by default.

Table 7-10: PortWise Password

Label                                           | Mandatory | Description
Enable authentication method after user linking | No        | Not selected by default.
Generate PIN                                    | No        | Not selected by default.
PIN never expires                               | No        | Not selected by default.
User cannot change PIN                          | No        | Not selected by default.
User must change on next logon                  | No        | Not selected by default.
Generate seed                                   | No        | Not editable. Selected by default.

Table 7-11: PortWise Synchronized

User Linking

About User Linking


User Linking is used when you quickly want to create a basic user account based on an existing user in user storage. You
add user accounts according to your default settings in Global User Account Settings with links to the appropriate
user storage.
To enable PortWise authentication with User Linking, you need to enable the User Linking option. This is done on the
User Linking tab in the Global User Account Settings section.
PortWise authentication refers to the Authentication Service and the PortWise authentication methods Web, Mobile
Text, Challenge, Synchronized, and Password.
Default settings for PortWise authentication for user accounts are retrieved from the General Settings tab on the
Global User Account Settings page.

Manage User Linking


When you use user linking, you create user accounts and links to user storage for one user at a time. You specify a User ID that links the user to the user account; once the user account has been created, the User ID cannot be changed.
You also select how the new password or PIN used for PortWise authentication is distributed to the user once the user account has been created.
The available options depend on the system configuration for notification and SMS distribution.
Available notification options are:
• By e-mail
• By screen
• By SMS
• By e-mail and screen
• By SMS and screen
• To the e-mail address configured on the E-mail Messages tab of the Global Authentication Service Settings page.

You have the option to specify a message set. A message set is a set of all PortWise authentication notification messages.
The Default message set includes all messages specified on the Global Authentication Service Settings page.
To create additional message sets, refer to the Technical Note available from the PortWise Technical Library.

Manage User Link Repair


Use the User Link Repair wizard to check directory links, and repair or delete user accounts with broken links.
Depending on type of link error, a number of repair options are provided:
• Update user link and check next user account
• Update user link and repair all remaining user accounts automatically
• Remove user account and remove all remaining user accounts automatically
• Remove user account and check next user account
• Ignore user account and check next user account
• Cancel the wizard

When the wizard is completed, a repair result is displayed. The user accounts included in the link repair are listed according to the applicable repair result:
• Link Repaired User Accounts
• Removed User Accounts
• Ignored User Accounts

Settings
Label                                                                 | Mandatory | Description
Update user link and repair all remaining user accounts automatically | No        | If the user has been moved or modified, the user storage location and directory link information are updated, for this and all remaining user accounts.
Update user link and check next user account                          | No        | The system updates the user storage location and directory link information with the new link information, then continues with the next user account.
Remove user account and check next user account                       | No        | The system removes the user account, then continues with the next user account.
Remove user account and remove all remaining user accounts            | No        | The system checks and removes all remaining user accounts with broken links.
Ignore user account and check next user account                       | No        | The system leaves the user storage location and directory link information unchanged, then continues with the next user account.
Cancel                                                                | No        | The repair is cancelled.

Table 7-12: User Link Repair

User Import

About User Import


Use User Import to create multiple user accounts simultaneously by importing an external file containing user information to the Administration Service.
Fields in the import file are separated by a comma, semicolon, or tab. There can only be one entry per line in the import file.
The file to import must be formatted according to specific rules, detailed in Manage User Import below.

Manage User Import


The file used for import must be formatted according to the following format rules:
• The first row in the import file must contain the column headings, specifying the fields in the import file.
• The headings cannot contain any spaces and they are not case-sensitive.
• Each row contains data for one and only one user.
• Empty rows and rows beginning with a comment sign (#) are ignored during import.

The formatting rules are applied to the following import file items:
Item | Description | Comment
String | A string containing any character
Integer | Non-negative numeral
Boolean | True or false
Password | Password in clear text or {SHA}+[base64-encoded SHA hashed password]
Date | Date format complies with your browser's language settings | Make sure the date format in the file matches your browser settings

Table 7-13: Import File Items

The content of each entry in the import file is the following:


Heading | Value | Comment
UID | String | Mandatory
RealName | String | Mandatory
Comments | | Column you may use for comments. It is ignored during import.
DirectoryLink | String
UserStorage | String
GroupName | String
FramedIP | String
MailAddress | String
MobileNumber | String
AccountDisabled | Boolean
AccountValidFrom | Date
AccountExpires | Date
AccountNeverExpires | Boolean
AccessMaxRetries | Integer
AuthenticationMaxRetries | Integer
ChallengeEnabled | Boolean
ChallengePIN | Password
ChallengePINNeverExpires | Boolean
ChallengePINCannotChange | Boolean
ChallengePINMustChange | Boolean
ChallengePINGenerate | Boolean
ChallengeSeed | String
ChallengeSeedGenerate | Boolean
SynchronizedEnabled | Boolean
SynchronizedPIN | Password
SynchronizedPINNeverExpires | Boolean
SynchronizedPINCannotChange | Boolean
SynchronizedPINMustChange | Boolean
SynchronizedPINGenerate | Boolean
SynchronizedSeed | String
SynchronizedSeedGenerate | Boolean
WebEnabled | Boolean
WebPwd | Password
WebPwdNeverExpires | Boolean
WebPwdCannotChange | Boolean
WebPwdMustChange | Boolean
WebPwdGenerate | Boolean
PasswordEnabled | Boolean
PasswordPwd | Password
PasswordPwdNeverExpires | Boolean
PasswordPwdCannotChange | Boolean
PasswordPwdMustChange | Boolean
PasswordPwdGenerate | Boolean
PasswordPwdUseDirectory | Boolean
MobileTextEnabled | Boolean
MobileTextPwd | Password
MobileTextPwdNeverExpires | Boolean
MobileTextPwdCannotChange | Boolean
MobileTextPwdMustChange | Boolean
MobileTextPwdGenerate | Boolean
MobileTextPwdUseDirectory | Boolean
NotifyByMail | Boolean
NotifyBySMS | Boolean
NotifyToAddress | E-mail address

Table 7-14: Import File Contents

Settings
Label | Mandatory | Description
Separator in File | No | Available options are: Comma, Semicolon, and Tab. Set to Comma by default.
Import File | No | Imported file.

Table 7-15: User Import
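A validator for the import file format described above, written for this section as an added example (it is not PortWise code): it applies the heading, comment and one-user-per-row rules, checks every column against the item types of Table 7-13 and the headings of Table 7-14, and pre-hashes passwords into the {SHA} form so that clear-text passwords never need to be written into the file. Assumptions not taken from the manual: {SHA} is the LDAP-style base64(SHA-1) scheme, the date format is passed in by the caller because the manual only ties it to the browser's language settings, and the first non-ignored row is the heading row; the sample file is constructed.

```python
import base64
import csv
import hashlib
import re
from datetime import datetime

SEPARATORS = {"comma": ",", "semicolon": ";", "tab": "\t"}  # Table 7-15
MANDATORY = ("UID", "RealName")                              # Table 7-14
SHA_RE = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")  # base64 of a 20-byte SHA-1 digest
# Column types from Table 7-14; the per-method columns follow a naming pattern.
COLUMN_TYPES = {
    "UID": "string", "RealName": "string", "Comments": "ignored",
    "DirectoryLink": "string", "UserStorage": "string", "GroupName": "string",
    "FramedIP": "string", "MailAddress": "string", "MobileNumber": "string",
    "AccountDisabled": "boolean", "AccountValidFrom": "date", "AccountExpires": "date",
    "AccountNeverExpires": "boolean", "AccessMaxRetries": "integer",
    "AuthenticationMaxRetries": "integer", "NotifyByMail": "boolean",
    "NotifyBySMS": "boolean", "NotifyToAddress": "string",
}
for _m, _s in (("Challenge", "PIN"), ("Synchronized", "PIN"), ("Web", "Pwd"),
               ("Password", "Pwd"), ("MobileText", "Pwd")):
    COLUMN_TYPES[_m + "Enabled"], COLUMN_TYPES[_m + _s] = "boolean", "password"
    for _f in ("NeverExpires", "CannotChange", "MustChange", "Generate"):
        COLUMN_TYPES[_m + _s + _f] = "boolean"
COLUMN_TYPES.update({"ChallengeSeed": "string", "ChallengeSeedGenerate": "boolean",
                     "SynchronizedSeed": "string", "SynchronizedSeedGenerate": "boolean",
                     "PasswordPwdUseDirectory": "boolean", "MobileTextPwdUseDirectory": "boolean"})
CANONICAL = {name.lower(): name for name in COLUMN_TYPES}  # headings are not case-sensitive


def sha_password(clear):
    """{SHA}+base64(SHA-1): assumed LDAP-style scheme; keeps clear text out of the file."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(clear.encode("utf-8")).digest()).decode("ascii")


def check_value(name, value, date_format):
    """Return None if value fits its Table 7-13 type, otherwise describe the problem."""
    kind = COLUMN_TYPES[name]
    if value == "" or kind == "string":
        return None
    if kind == "integer" and not value.isdigit():
        return "must be a non-negative integer"
    if kind == "boolean" and value.lower() not in ("true", "false"):
        return "must be true or false"
    if kind == "date":
        try:
            datetime.strptime(value, date_format)
        except ValueError:
            return "does not match date format " + date_format
    if kind == "password":
        if value.startswith("{SHA}"):
            return None if SHA_RE.match(value) else "is a malformed {SHA} hash"
        # Challenge and Synchronized PINs must be 6 numerals (Tables 7-26 and 7-30).
        if name.endswith("PIN") and not re.fullmatch(r"[0-9]{6}", value):
            return "must be 6 numerals"
    return None


def parse_import_file(text, separator="comma", date_format="%Y-%m-%d"):
    """Apply the Manage User Import rules to a file's text; return (users, errors)."""
    delim, users, errors, headings = SEPARATORS[separator], [], [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # empty rows and rows beginning with # are ignored
        fields = [f.strip() for f in next(csv.reader([line], delimiter=delim))]
        if headings is None:  # assumed: the first non-ignored row holds the headings
            headings = [CANONICAL.get(h.lower(), h) for h in fields]
            errors += ["line %d: unknown heading '%s'" % (lineno, h)
                       for h in fields if " " in h or h.lower() not in CANONICAL]
            errors += ["mandatory column %s is missing" % m for m in MANDATORY if m not in headings]
            if errors:
                return users, errors  # unusable headings, nothing more can be checked
            continue
        if len(fields) != len(headings):
            errors.append("line %d: expected %d fields, got %d" % (lineno, len(headings), len(fields)))
            continue
        user = {}
        for name, value in zip(headings, fields):
            if COLUMN_TYPES[name] == "ignored":
                continue  # the Comments column is never imported
            if name in MANDATORY and value == "":
                errors.append("line %d: %s is mandatory" % (lineno, name))
                continue
            problem = check_value(name, value, date_format)
            if problem:
                errors.append("line %d: %s %s" % (lineno, name, problem))
            else:
                user[name] = value
        users.append(user)
    return users, errors


# Constructed sample (semicolon separated): a valid user, four bad fields, a missing RealName.
SAMPLE = "\n".join([
    "# constructed sample import file",
    "UID;RealName;Comments;MailAddress;AccountExpires;WebEnabled;WebPwd;ChallengeEnabled;ChallengePIN",
    "",
    "alice;Alice Andersson;first batch;alice@example.com;2031-12-31;true;"
    + sha_password("correct horse") + ";true;123456",
    "bob;Bob Berg;;bob@example.com;31/12/2031;yes;{SHA}notbase64;true;12ab",
    "carol;;;carol@example.com;;false;;false;",
])
USERS, ERRORS = parse_import_file(SAMPLE, separator="semicolon")
```

Run the check on a file before uploading it through Import File, and fix every reported line, since a row that the Administration Service rejects or misreads leaves that user without an account or with the wrong settings.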

User Accounts

About User Accounts


In PortWise 4.6, there are three different ways to create user accounts:
• Add User Account
• User Linking
• User Import

These three options are designed to meet different administrative requirements, but all result in user accounts. The only
difference in the end result can be the level of detail in account settings. In edit mode, applicable account settings are
available for configuration regardless of how the user account was created.
Using the Add User Account wizard is the standard way to create user accounts, and the way that presents you with the
largest number of options. It is suitable when the majority of user accounts are already registered in the Administrator.
User Linking is used when you quickly want to create a basic user account based on an existing user in user storage. If
you want to create user accounts for users not stored in user storage, or if you want to create multiple user accounts
simultaneously, use User Import to create user accounts by importing a file containing user information.

User Account Search Result List


On the Manage User Accounts page, you can search for and subsequently manage users and user accounts.
The following user account activities can be performed in the list directly:
• Disabled
When selected, the user account has been manually locked from access to the PortWise network and its
resources. You can enable and disable user accounts here in this list.
• Locked Access
When selected, the system has locked the user account from access to the PortWise network and its resources.
You can un-lock user accounts here in this list.
• Locked Authentication
When selected, the system has locked the user account from use of PortWise authentication methods. You can
un-lock user accounts here in this list.

• Time-Lock Authentication
When selected, the system has time-locked the user account from access to the PortWise network and its
resources according to the time configured on the Global User Account Settings page. You can un-lock
user accounts here in this list.

Add User Account


Creating a user account through the Add User Account wizard on the Manage User Accounts page enables you to
specify almost all available user account functionality.
These settings are automatically created for the user account:
• Max Retries for Access (default value is set in Manage Global User Account Settings)
• Max Retries for PortWise Authentication (default value is set in Manage Global User Account Settings)
• Account Expires Within is set to 0 to never expire (default value is set in Manage Global User Account
Settings).

The following account settings can be specified during the wizard:


• Link to User Storage
You can link the user account to an existing user in user storage.
A link to the correct location (DN) of the user in the user storage is created. The user's display name, e-mail
address, and cell phone number are retrieved when available.
• Custom-defined User Attributes
You can define attributes that are specific for the user account. These attributes can for example be used when
creating user property groups.
• PortWise Authentication Settings
You can enable available PortWise authentication methods and enter corresponding password or PIN settings.
Also included are user account specific notification settings, which refer to what e-mail address and SMS to
use, and message set. You have the option to specify a message set. A message set is a set of all PortWise
authentication notification messages.
The Default message set includes all messages specified on the Global Authentication Service Settings
page.
To create additional message sets, please refer to the Technical Note available from the PortWise Technical
Library.
• SSO Settings
You can connect the user account to available SSO domains and enter credentials for each domain attribute.
• User Certificates
You can connect specific user certificates to the user account. This option is only available when the authentication method User Certificate is configured.

User Linking
Creating a user account through User Linking requires a user storage location, since the user account is created by linking to an existing user in user storage.

User linking can be performed manually or automatically.


Manual user linking is performed on the Manage User Linking page.
Automatic user linking is enabled on the User Linking tab in Manage Global User Account Settings. The accounts are then created automatically when users who are located in user storage but do not have corresponding user accounts in PortWise 4.6 attempt to log on to the system.
Regardless of whether the user linking is manual or automatic, the following settings are automatically created for the
user account:
• Max Retries for Access (default value is set according to Manage Global User Account Settings)
• Max Retries for PortWise Authentication (default value is set according to Manage Global User Account
Settings)
• Account Expires Within (default value is set according to Manage Global User Account Settings)
• Authentication methods enabled on the User Linking tab in Manage Global User Account Settings and
their corresponding settings (only if Enable PortWise Authentication when manually linking the user
on the same tab is selected)

User Import
Creating a user account through User Import on the Manage User Import page does not require user storage. Multiple user accounts are created simultaneously by importing a file containing user information separated by commas, semi-colons, or tabs.
The minimum user information in the file required to create a user account is user ID and display name.
The following settings are automatically created for the user accounts (only if the corresponding information is not
specified in the imported file):
• Max Retries for Access (default value is set according to Manage Global User Account Settings)
• Max Retries for PortWise Authentication (default value is set according to Manage Global User Account
Settings)
• Account Expires Within (default value is set according to Manage Global User Account Settings)

As opposed to User Linking, authentication methods enabled on the User Linking tab in Manage Global User Account Settings and their corresponding settings are not retrieved when creating user accounts through user import.

PortWise Authentication
PortWise Authentication includes use of the PortWise authentication methods Web, Mobile Text, Challenge, Synchronized, and Password.
To disable PortWise authentication for a user account, you need to disable all PortWise authentication methods for
that user account.

Single Sign-On Domain Settings


In PortWise 4.6, you can configure Single Sign-On (SSO) domains, in which several resources that use the same credentials are collected. Users then enter their credentials only when logging on to the domain, not to each resource individually, which improves user convenience.

When configuring SSO domain settings for user accounts, all Domain Attributes associated with a specific SSO domain
are automatically retrieved.
There are two types of SSO domains: Text and Cookie. For detailed information on SSO domains, please refer to the
About SSO Domains section.

User Certificate
Certificates can be bound to specific users to be used for authentication with the authentication method User Certificate.

Manage User Accounts

Manage User Accounts


On the Manage User Accounts page, you have the possibility to perform a number of management activities in the
Search Result list.
You conduct a search using one of the following search criteria:
• All users
The system searches among all users. If you find and select a user that does not have a user account, you will
be redirected to the Add User Account wizard.
• All user accounts
The system searches only for users with a user account registered.
• Enabled
The system searches for all user accounts that are enabled for PortWise access.
You can disable user accounts using the applicable checkbox in the list.
• Disabled
The system searches for all user accounts that are disabled for PortWise access.
You can enable user accounts using the applicable checkbox in the list.
• Locked authentication
The system searches for all user accounts where PortWise authentication is locked.
You can un-lock user accounts using the applicable checkbox in the list.
• Locked access
The system searches for all user accounts where access is locked.
You can un-lock user accounts using the applicable checkbox in the list.

Search Criteria is set to All user accounts by default.

General Settings
On the General Settings page, you specify general configuration settings for the user account.
Display Name can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.

You can link the user account to an existing user in user storage. A link to the correct location (DN) of the user in the user storage is created. The user's display name, e-mail address, and cell phone number are retrieved when available.
You can also define attributes that are specific for the user account. These attributes can for example be used when creating user property groups.
You can select to temporarily disable a user account, or to specify a time period for the user account’s validity. The default
value here is retrieved from the Global User Account Settings page.

Information
Format complies with your browser’s language settings.

When PortWise authentication has been enabled on the PortWise Authentication tab, you can specify the user's notification settings. Both E-mail Address and SMS can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.
Manage Authentication Settings
On the PortWise Authentication Settings page, you configure the number of retries allowed for users, lock and
un-lock settings, and time-lock of PortWise authentication.
Notification settings include configuration of e-mail and SMS channels.
Password/PIN settings for each enabled authentication method include:
• Generate password/PIN
• Password never expires
• User cannot change password/PIN
• User must change password/PIN on next logon
• Use password from directory service
This option is only available for the authentication methods: PortWise Mobile Text and PortWise Password.
• Generate seed
• Clear password/PIN

Information
Password and PIN can be retrieved automatically if a user storage attribute has been
specified on the Directory Mapping tab in the Manage User Storage section.

You also select how the new password or PIN used for PortWise authentication will be distributed to the user when the
user account has been created.
Which options are available depends on the system's notification configuration and SMS distribution configuration.
Available notification options are:

• By e-mail
• By screen
• By SMS
• By e-mail and screen
• By SMS and screen
• To e-mail address configured on the Global Authentication Service Settings page, on the E-mail Messages tab.

You have the option to specify a message set. A message set is a set of all PortWise authentication notification messages.
The Default message set includes all messages specified on the Global Authentication Service Settings page.
To create additional message sets, please refer to the Technical Note available from the PortWise Technical Library.
Specify Group Name when Use Groups is selected as default for user accounts on the Global User Account Settings page. When a group name is entered, only that group can be associated with that specific user. The group information is then sent to the RADIUS client, and the RADIUS client can be configured to use this information (managed as an attribute) for authentication. Group Name can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.

Edit the setting Framed IP when Use Framed IP is selected as default for user accounts on the Global User Account Settings page. See that section for more information. Framed IP can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.

Manage SSO Settings


Depending on the domain type and the attributes specified, different options are available for the specific user account.
For the domain type text:
• User Name indicates the user name used in the SSO Domain; it is an SSO Domain attribute.
A non-entered field results in a prompt for User Name when users access resources in the SSO domain. When
Set to blank is selected, User Name is set intentionally blank and users are not prompted to enter credentials
to access resources in the SSO domain.
• Password indicates the password used in the SSO Domain.
Note that a non-entered field results in a prompt for User Name when users access resources in the SSO domain. When Set to blank is selected, Password is set intentionally blank and users are not prompted to enter
credentials to access resources in the SSO domain.

For the domain type cookie:


• Cookie name and value
• Secure
• Domain

User Certificate
Certificates can be bound to specific users to be used for authentication with the authentication method User Certificate.
You can replace or remove the certificate bound to the user account. To search for certificates, you can use one of two
methods:
• Browse for the certificate in a file system, using the Browse button
• Enter the user attribute that holds the user's certificate and search for the certificate in the user storage location

Settings
Label | Mandatory | Description
User ID | Yes | User account in PortWise 4.6.
Search Criteria | No | Set to All user accounts by default.

Table 7-16: Search User Accounts

Label | Mandatory | Description
User ID | Yes | User ID connects the actual user with the user account.
Display Name | Yes | Name used in the system to identify the user account.
User Location in Directory | No | Distinguished Name for the user in the user storage. It is not possible to edit the link manually.
Last Logged In | No | This setting is only available when editing a user account.

Table 7-17: General Settings

Label | Mandatory | Description
Disable User Account | No | Not selected by default.
User Account Validity | Yes | Corresponds to Account Expires In on the Global User Account Settings page.

Table 7-18: User Account Settings

Label | Mandatory | Description
Number of Retries | No | Number of tries according to the limit set in Max retries on the Global User Account Settings page.
Reset | No | Use to reset the number of invalid login attempts (Number of Retries).
Locked for the user account | No | Not selected by default.

Table 7-19: PortWise Access Settings

Label | Mandatory | Description
E-mail Address | No | Receiving e-mail address of password/PIN messages.
SMS | No | Receiving phone number (or e-mail address, if configured to send Mobile Text OTP to user e-mail addresses) of the OTP and the password/PIN messages.
Message Set | | Set to Default by default.

Table 7-20: Account Notification Settings

Label | Mandatory | Description
Number of Retries | No | Counter keeping track of the number of incorrect logon attempts. Default value is retrieved from the Global User Account General Settings page.
Reset | No | Used to manually reset Number of Retries. Not selected by default.
Locked for the user account | No | Not selected by default.
Time-lock activated | No | If locked, the user will not be able to log on until the time defined in Time Lock Time-out on the Global User Account General Settings page is reached, or until you unlock the user account.

Table 7-21: PortWise Authentication

Label | Mandatory | Description
Enable PortWise Mobile Text for the user account | No | Only available when editing a user account. Not selected by default.
Password | (Yes) | Mandatory when PortWise Mobile Text is enabled, Generate Password is not selected, and the user's linked Mobile Text password cannot be found in the directory service.
Verify Password | (Yes) | Verification of Password.

Table 7-22: PortWise Mobile Text

Label | Mandatory | Description
Generate password | No | Not selected by default.
Password never expires | No | Not selected by default.
User cannot change password | No | Not selected by default.
User must change password on next login | No | Not selected by default.
Clear Password | No | Only displayed if the password has been manually entered or generated (not if the directory service password is used or if the password is set through directory mapping). Not selected by default.
Use password from directory service | | Not selected by default.

Table 7-23: PortWise Mobile Text Password Properties

Label | Mandatory | Description
Enable PortWise Web for the user account | No | Only available when editing a user account. Not selected by default.
Password | (Yes) | Mandatory when PortWise Web is enabled, Generate Password is not selected, and the user's linked Web password cannot be found in the directory service.
Verify Password | (Yes) | Verification of Password.

Table 7-24: PortWise Web

Label | Mandatory | Description
Generate password | No | Not selected by default.
Password never expires | No | Not selected by default.
User cannot change password | No | Not selected by default.
User must change password on next login | No | Not selected by default.
Clear Password | No | Only displayed if the password has been manually entered or generated (not if the directory service password is used or if the password is set through directory mapping). Not selected by default.

Table 7-25: PortWise Web Password Properties

Label | Mandatory | Description
Enable PortWise Challenge | No | Only available when editing a user account. Not selected by default.
PIN | (Yes) | Mandatory when Challenge is enabled, Generate PIN is not selected, and the user's linked Synchronized PIN cannot be found in the directory service. PIN must be 6 numerals.
Verify PIN | (Yes) | Verification of PIN.

Table 7-26: PortWise Challenge

Label | Mandatory | Description
Generate PIN | No | Not selected by default.
PIN never expires | No | Not selected by default.
User cannot change PIN | No | Not selected by default.
User must change PIN on next login | No | Not selected by default.
Generate Seed | (Yes) | Mandatory when Synchronized is enabled. Selected by default.
Clear PIN | No | Only displayed if the PIN has been manually entered or generated (not if the PIN is set through directory mapping). Not selected by default.

Table 7-27: PortWise Challenge PIN Properties

Label | Mandatory | Description
Enable PortWise Password for the user account | No | Only available when editing a user account. Not selected by default.
Password | (Yes) | Mandatory when PortWise Password is enabled, Generate Password is not selected, and the user's linked password cannot be found in the directory service. Select Generate Password for an automatically created password. The password must contain a minimum of 2 letters.
Verify Password | (Yes) | Verification of Password.

Table 7-28: PortWise Password

Label | Mandatory | Description
Generate password | No | Not selected by default.
Password never expires | No | Not selected by default.
User cannot change password | No | Not selected by default.
User must change password on next login | No | Not selected by default.
Clear Password | No | Only displayed if the password has been manually entered or generated (not if the directory service password is used or if the password is set through directory mapping). Not selected by default.
Use password from directory service | | Not selected by default.

Table 7-29: PortWise Password Password Properties

Label | Mandatory | Description
Enable PortWise Synchronized | No | Only available when editing a user account. Not selected by default.
PIN | (Yes) | Mandatory when Synchronized is enabled, Generate PIN is not selected, and the user's linked Synchronized PIN cannot be found in the directory service. PIN must be 6 numerals.
Verify PIN | (Yes) | Verification of PIN.

Table 7-30: PortWise Synchronized

Label | Mandatory | Description
Generate PIN | No | Not selected by default.
PIN never expires | No | Not selected by default.
User cannot change PIN | No | Not selected by default.
User must change PIN on next login | No | Not selected by default.
Generate Seed | (Yes) | Mandatory when Synchronized is enabled. Selected by default.
Clear PIN | No | Only displayed if the PIN has been manually entered or generated (not if the PIN is set through directory mapping). Not selected by default.

Table 7-31: PortWise Synchronized PIN Properties

Label | Mandatory | Description
Notification | No | The displayed options depend on the system notification configuration and the SMS distribution configuration. Set to Screen by default.
Group Name | No | This setting is only displayed when Use Groups is selected as default for user accounts on the Global User Account Settings page.
Framed IP | No | Framed IP is only displayed when Use Framed IP is selected as default for user accounts on the Global User Account Settings page.

Table 7-32: Notification

Label | Mandatory | Description
Settings Last Saved | No | Date and time when settings were last saved.
Settings Last Used | No | Date and time when settings were last used.
User Name | No | User name used in the SSO Domain.
Set to blank | No | Only available when Referenced by is set to User Input.
Referenced by | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Restriction | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Password | No | Password used in the SSO Domain.
Set to blank | No | Only available when Referenced by is set to User Input.
Referenced by | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Restriction | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Domain | No | Domain used in the SSO Domain.
Set to blank | No | Only available when Referenced by is set to User Input.
Referenced by | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Restriction | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.

Table 7-33: SSO Domain of the Type Text

Label | Mandatory | Description
Settings Last Saved | No | Date and time when settings were last saved.
Settings Last Used | No | Date and time when settings were last used.
Cookie Name | No | Cookie name used in the SSO Domain.
Referenced by | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Restriction | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Cookie Value | No | Cookie value used in the SSO Domain.
Referenced by | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Restriction | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Cookie secure | No | Cookie secure flag used in the SSO Domain.
Referenced by | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Restriction | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Cookie domain | No | Cookie domain used in the SSO Domain.
Referenced by | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.
Restriction | No | Automatically retrieved from the Domain Attributes tab in the SSO Domain section.

Table 7-34: SSO Domain of the Type Cookie

Label | Mandatory | Description
Upload from File System | No | The file path to a user certificate to bind to the user.
Locate in Directory | No | The attribute in storage from which to get the user certificate to bind to the user.

Table 7-35: User Certificate

User Groups

About User Groups


User groups are used to categorize users. This categorization controls what a user can access, or what actions users
must perform to enable certain access rights.

About User Location Group


User location groups contain all users existing under a specified node in the directory service structure.
Use this type when users are stored in a location with structural significance.

Example
ou=sweden,dc=thesecurecompany,dc=com

The advantage of using User Location Groups is high performance, since no additional catalogue control is performed,
however with decreased flexibility.

About User Property Group


User property groups contain user accounts with specified properties.
Use this type when users have common properties that can be used for categorization, such as job function. In PortWise
4.6, these properties are managed as attributes. Each attribute contains a source, name, and value, and together they
constitute a property.
Available attribute sources are: User storage, Custom-defined, and RADIUS Session. The specified attribute value must
match the attribute name returned from specified source type. When Custom-defined is selected, you can use the user
attributes specified on the General Settings page for user accounts.
The advantage of using User Property Groups is high performance with low administration.

About User Group in Directory Service


Directory service groups contain all users belonging to a certain user group defined in your user storage.
Use this type to integrate existing local user groups.

The advantage of this approach is high flexibility with low administration, however with decreased performance compared with the other types.

Information
This type cannot be added or modified.

Manage User Groups


To search for user groups, you enter the registered Display Name, or part of the name using the wildcard character *,
and click Search. Max 50 user groups can be listed. If the search generates more than 50 user groups, a message is
displayed advising you to perform a more specific search.
When adding user groups, you first select which type of user group to add: User Property Groups or User Location
Groups. The Add User Group wizard is adjusted to the type selected.

Manage User Property Groups


A User Property Group is defined by its attributes. You select the Attribute Source from a list containing User Storage Location, Custom-defined, and RADIUS session. Once the source is selected, you specify the Attribute Name and Value.

Manage User Location Groups


A User Location Group is defined by its location in the directory service structure.
You specify the User Location DN, which is the start base for user or user group searches in the directory service. You can enter the full distinguished name directly, or use the Show Tree link to browse to an existing location or parent location in your directory service structure to retrieve a full or partial DN.
If you browse for the location DN, the root DN of the directory service is displayed in the browse window. You can also select the root DN in a drop-down list.
The DN is displayed with a + sign. If you click the + sign, you can navigate to the appropriate location in the directory service.
Use the View Users link to view a list of all registered users in the selected location. In the list displayed, all registered users are listed with a PortWise user account Display Name when available. No Display Name indicates that the particular user does not have a corresponding user account. To register a user account, simply click the User ID to automatically launch the Add User Account wizard.

Settings

Label | Mandatory | Description
Display Name | Yes | Unique name used to identify the user group inside the system.

Table 7-36: General Settings

Label | Mandatory | Description
Display Name | Yes | Unique name used to identify the user group inside the system.
Description | No | Describes the user group.
User Location DN | No | Node in the directory structure where the users are located.

Table 7-37: User Location Groups

Label | Mandatory | Description
Display Name | Yes | Unique name used to identify the user group inside the system.
Description | No | Describes the user group.
Attribute Source | No | Type of attribute. Set to Directory Service by default.
Attribute Name | (Yes) | Attribute name defined in the directory service schema. Mandatory if Attribute Source is set to Directory Service or Custom-defined.
Attribute Value | Yes | All members of the group must have this attribute value.

Table 7-38: User Property Group


User Storage

About User Storage


User storage is the external location where users are stored; it is used by the Policy Service as part of the authorization
process.
It is recommended that user accounts are linked to the user storage, to enable reuse of user information.
To automatically add references (when authenticating a user, for example) to existing users and user groups in the
directory service, you need to configure user storage.
To set up user storage you specify the host for the directory service and define a set of search rules that enable
the system to find users and user groups.
You can specify several user storage locations in directory services of different brands and from different vendors.

Search Rules
Define the search rules that your directory service uses to match users and user groups. Which rules are best
for your organization depends on the directory structure your organization has selected and on which user objects you want
to use in your rules.

Directory Mapping
Directory mapping is used to retrieve existing information in user storage using specified attributes.
When used, you can reuse information such as passwords or e-mail addresses without specifying them in the PortWise
Administrator when creating or linking user accounts, for example.

Manage User Storage

General Settings
You specify a host and a secondary host, and an account (Distinguished Name (DN), ID or similar, depending on the type of
directory service) for an administrative account with read and write permissions on the user storage. A DN is a string of
entries, each an attribute type with a value, such as “cn” for common name or “dc” for domain controller.


Example
cn=admin,dc=thesecurecompany,dc=com

An ID can be an account name.

Example
admin

When SSL is enabled, you can select a CA Certificate from a list of registered CA Certificates.
You can specify the time in seconds before a request to the user storage times out. When Follow referrals is
selected, referrals (links between different directory services, or within the same directory service) are followed.

Manage Search Rules


Which search rules to use depends on the directory structure of your organization, and on which user objects you want
to use.
Search rules are created by combining the following settings:

Root DN
The distinguished name of the search root from where the system will start to search for objects (users or user groups).
If you want to use a specific sub-tree in your directory service, you can specify the sub-tree as the search root.

Example
ou=people,dc=thesecurecompany,dc=com

When you use the Show Tree link to browse for the location DN, the root DN of the directory service is displayed in the browse
window. You can also select the root DN in a drop-down list.
The DN is displayed with a + sign. If you click the + sign, you can navigate to the appropriate location in the directory
service.

Object Category/Object Class Name


The object category (Active Directory) or object class name (other directory services) that users belong to.
Please refer to your directory service documentation for additional information.

Attribute Name
The attribute name to be used when searching for users. The values differ depending on directory service used: Active
Directory uses samaccountname, other directory services use uid. Refer to your directory service documentation for
additional information.

Example
cn set to samaccountname when using Active Directory.


Member Attribute Name


The member attribute name to use when searching for user groups.

Example
member

Search Scope
Use the search scope when searching for users.
Available options are:
• Object Level
Searches for objects located on base level only
• One Level
Searches for objects located directly below base, not including the base
• Sub-tree level
Searches for objects located below base, not including the base

Settings

Label | Mandatory | Description
User Root DN | Yes | Distinguished Name of the start base when searching for objects in the user storage.

Table 7-39: User Search Rule

Label | Mandatory | Description
Object Category | Yes | Object Category users belong to. Set to user by default.
Attribute Name | Yes | Unique user attribute. Set to samaccountname by default.
Additional Filter | No | Filter used on the user search rule to specify what users to find.
Search Scope | No | Search scope used when searching for objects in the selected user storage location. Set to Sub-tree Level by default.

Table 7-40: User Search Rule when Using MS Active Directory

Label | Mandatory | Description
Object Category | Yes | Object Class users belong to. Set to inetOrgPerson by default.
Attribute Name | Yes | Unique user attribute. Set to uid by default.
Additional Filter | No | Filter used on the user search rule to specify what users to find.
Search Scope | No | Search scope used when searching for objects in the selected user storage location. Set to Sub-tree Level by default.

Table 7-41: User Search Rule when Using Other Directory Service
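The search rule settings above (Root DN, Object Category/Class, Attribute Name, Additional Filter, Search Scope and Member Attribute Name) combine into one LDAP search. The following Python is an added illustration, not PortWise code: it builds that search for both the Active Directory and the other-directory-service defaults from Tables 7-40 and 7-41 and escapes the user-supplied ID per RFC 4515, so a user ID containing filter metacharacters is matched literally rather than changing the filter. The Root DN is the manual's example and the user IDs are constructed.

```python
"""Build the LDAP search that a user search rule describes.

Added illustration, not PortWise code: the object and attribute names are the
defaults from Tables 7-40 and 7-41, the Root DN is the manual's example and the
user IDs are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# LDAP search scopes (RFC 4511 numeric values), named as in the Search Scope setting
SCOPES = {"Object Level": 0, "One Level": 1, "Sub-tree Level": 2}

# RFC 4515: these characters are filter syntax and must be hex-escaped when they
# occur inside an assertion value, otherwise a user ID could alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class UserSearchRule:
    root_dn: str                    # User Root DN
    object_value: str               # Object Category (AD) or Object Class (others)
    attribute_name: str             # samaccountname (AD) or uid (others)
    active_directory: bool          # selects objectCategory= versus objectClass=
    additional_filter: Optional[str] = None   # administrator-written filter, appended as-is
    search_scope: str = "Sub-tree Level"

    def build(self, user_id: str) -> tuple[str, int, str]:
        """Return (base DN, scope, filter) for locating one user by ID."""
        class_attr = "objectCategory" if self.active_directory else "objectClass"
        terms = [f"({class_attr}={self.object_value})",
                 f"({self.attribute_name}={escape_filter_value(user_id)})"]
        if self.additional_filter:
            terms.append(self.additional_filter)
        return self.root_dn, SCOPES[self.search_scope], "(&" + "".join(terms) + ")"


def group_filter(member_attribute: str, user_dn: str) -> str:
    """Filter for the groups whose Member Attribute Name lists the user's DN."""
    return f"({member_attribute}={escape_filter_value(user_dn)})"


# Defaults from Table 7-40 (MS Active Directory)
AD_RULE = UserSearchRule("ou=people,dc=thesecurecompany,dc=com", "user", "samaccountname", True)

# Defaults from Table 7-41 (other directory services), here restricted to One Level
LDAP_RULE = UserSearchRule("ou=people,dc=thesecurecompany,dc=com", "inetOrgPerson", "uid", False,
                           search_scope="One Level")

if __name__ == "__main__":
    print(AD_RULE.build("jdoe"))
    print(LDAP_RULE.build("*)(uid=*"))   # metacharacters are escaped, not interpreted
    print(group_filter("member", "cn=jdoe,ou=people,dc=thesecurecompany,dc=com"))
```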

Manage Directory Mapping


Directory mapping is useful when creating or linking user accounts, for example. By specifying attributes used in your
directory service, the information can be reused automatically.
For example, by specifying the user storage attribute “userPassword” for the PortWise attribute “Web Authentication
Password”, you are not required to specify or generate a password used for authenticating with the PortWise Web
authentication method. The user’s password is retrieved from the directory service and subsequently mapped.

Information
All default mapping attributes are standard LDAP attributes.

See Table 7-42: Directory Mapping below for details.

Settings

Label | Mandatory | Description
Display Name | No | Set to the standard LDAP attribute displayName by default.
Group Name | No | Set to the standard LDAP attribute sn by default.
Framed IP | No |
Notification E-mail Address | No | Set to the standard LDAP attribute mail by default.
Notification SMS | No | Set to the standard LDAP attribute mobile by default.
Mobile Text Authentication Password | No | Set to the standard LDAP attribute userPassword by default.
Web Authentication Password | No | Set to the standard LDAP attribute userPassword by default.
Challenge Authentication PIN | No | Set to the standard LDAP attribute userPassword by default.
Synchronized Authentication PIN | No | Set to the standard LDAP attribute userPassword by default.
Password Authentication password | No | Set to the standard LDAP attribute userPassword by default.

Table 7-42: Directory Mapping


Self Service

About Self Service


Self Service is a function in PortWise that delegates part of the user maintenance to the end users themselves. Users
will be able to perform the following functions: Auto-Activate User Account, Request Forgotten Password,
and Request Forgotten User ID.

To do this in a secure way, the system requests a number of control answers from the end user that firmly
establish the end user's identity. The control questions are referred to as Challenges. There are three different
types of challenges defined in the system:
• Internal Challenges: These challenges are used by the system to identify the user and cannot be changed.
An example of an internal challenge is the Portwise UserID, which is created automatically and used when the
user ID is requested. This is currently only used in Request Forgotten Password.
• System Challenges: These challenges are managed by the administrator and can be any control question
that can be confirmed by information stored in an attribute in the user storage. For example, if the drivers
license number is stored in an attribute in the user storage for every end user, the system will request this from
the end user and verify it against what is stored in the attribute in the user storage for that user.
• User Challenge: This is a control question which is defined by the end user. Note that there can be only one
User Challenge. When creating this challenge the user selects a question to which only the user knows
the answer, for example the brand of my first car, or what was my mother’s maiden name. The user
provides the answer to this question, which is used when confirming the identity of the user. This is used
in Request Forgotten Password and Request Forgotten User ID.

Self Service Example


The following example shows what type of information is requested when a user has forgotten the password and uses the
Request Forgotten Password function to retrieve it. Note that this depends on your configuration.
The user will be prompted for the following information in this example:
• User ID
This is an Internal Challenge that will locate the user ID in the Portwise User Database.
• Drivers License Number
This is a System Challenge defined by the administrator and mapped to an attribute in the User Storage.
• What is your favorite frog
This is a User Challenge defined by the user. A possible answer to this question might be Kermit.

If all answers are correct, corresponding to the information stored on this particular user, the challenge phase will be
successful and the system distributes the new password to the end user using the preferred channel.

Manage Self Service


To configure Self Service you select Manage Accounts and Storage from the top menu, and select Self Service
from the left-hand menu.

Information
Self Service requires that you have purchased the Self Service license option. If you do
not see the Self Service menu item in the left-hand menu, please verify that you have
the Self Service license option.

After selecting the Self Service menu item, the PortWise Administrator displays the Manage Self Service pane. You are
now presented with three choices:
• Yes - help me with the settings…
If you select the Yes option, the system will configure default settings that will work for the most common
setups.
• No - I will do the configuration myself…
If you select the No option, the system will only configure the most basic settings and leave the rest of the
configuration to you.
• Leave it as it is…
You can also select the Leave option, which will leave Self Service inactivated.

If you select the Yes option, the pane will be updated and show the Self Service Enabled checkbox selected. You are
instructed to update some of the pre-configured settings before the system works correctly. Select the Modify System
Challenges link to update these settings.

Manage System Challenges


The Manage System Challenges pane shows all pre-configured System Challenges that have been configured
automatically. Those challenges that contain the [Update this] label need to be modified before the configuration is done. Select
one of the challenges by clicking on the link. The Edit System Challenge pane will be shown.
There are three settings on this page:
• Display Name is used for lists and headings
• Challenge Question is what the system will prompt the user with
• Attribute Name is the name of the User Storage attribute that holds the information. For example, birthdate or
cn.


Information
For Internal Challenges and the User Challenge, the Attribute Name cannot be updated
since it is only used internally.

You should always remove the [Update this] label once you have edited the challenge. This will give you a visual cue that
this challenge has been updated.

Add Challenges to Functions


When you have finished updating the challenges, you will have to add these challenges to the different functions. If the
system has been configured using the default settings (the Yes option), the most common configuration is already selected.
To view or modify these settings you select Self Service Settings. This will show the Manage Self Service
Settings pane. This pane is divided into three sections, one for each Self Service function:
• Auto Activate
• Request Forgotten Password
• Request Forgotten User ID
You can control the order of the challenges in each section using the Up and Down links. Use the Remove link to
remove an unwanted challenge.
Auto Activate
The Auto Activate function has the following challenges defined by default:
• System e-mail
Needs to be updated before use
• System control challenge
Needs to be updated before use

This means that the end user will be prompted to enter an e-mail address, which must be registered in User Storage.
After that the user will be challenged with the defined System Control Challenge, for example the drivers license number.
If a user can be found in the system using this e-mail address and with the corresponding answer to the control
challenge, then the Auto Activation sequence is initiated.
Request Forgotten Password
The Request Forgotten Password function has the following challenges defined by default:
• User Name
• System control challenge
Needs to be updated before use
• User Challenge
• System e-mail
Needs to be updated before use
This means that the end user will be prompted to enter the User Name as defined in the Auto Activate process. After that
the user will be challenged with the defined System Control Challenge, for example the drivers license number. Then the
user will be prompted to answer the User Challenge control question defined in the Auto Activation step and finally the
user will be requested to enter the e-mail as defined in the system.


As a control mechanism the administrator can select to send a message to the alternative channel when a new password
has been requested and generated. That means, that if the user selects to receive the password by e-mail, a message
will be issued to the SMS channel, if present, indicating that a new password has been issued. The administrator can
also select what message should be delivered, if this is the case.
If a user can be found in the system using this User Name and with the corresponding answer to the System Control
Challenge, the User Defined Challenge and the system e-mail, the Request Forgotten Password sequence is
initiated.
Request Forgotten User Name
The Request Forgotten User Name function has the following challenges defined by default:
• User Name
• System control challenge
Needs to be updated before use
• User Challenge
• System e-mail
Needs to be updated before use
This means that the end user will be prompted to enter the User Name as defined in the Auto Activate process. After that
the user will be challenged with the defined System Control Challenge, for example the drivers license number. Then the
user will be requested to answer the User Challenge control question defined in the Auto Activation step and finally the
user will be requested to enter the e-mail as defined in the system.
As a control mechanism the administrator can select to send a message to the alternative channel when a new password
has been requested and generated. That means, that if the user selects to receive the password by e-mail, a message
will be issued to the SMS channel, if present, indicating that a new password has been issued. The administrator can
also select what message should be delivered, if this is the case.
If a user can be found in the system using this User Name and with the corresponding answer to the System Control
Challenge, the User Challenge and the system e-mail, the Request Forgotten User Name sequence is initiated.
General Settings
To prevent someone from requesting a user name and then immediately requesting a password for that user, the default
value for the minimum amount of time between a user name request and a password request is set to 24 hours. This value
can be changed, but it is strongly advisable not to configure a lower value.
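The Request Forgotten Password flow described above, together with the minimum-hours rule and the notice to the alternative channel, as an added Python illustration that is not PortWise code: the user storage, the User Challenge register and the record of user name requests are constructed in-memory stand-ins, and driversLicense is a placeholder for whatever attribute the administrator maps in Edit System Challenge.

```python
"""Self Service challenge verification, added illustration (not PortWise code).

The user storage, the User Challenge register and the record of user name
requests are constructed stand-ins; driversLicense is a placeholder for the
attribute the administrator maps in Edit System Challenge.
"""
from __future__ import annotations
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_HOURS_BETWEEN_REQUESTS = 24       # default from Table 7-47

# Constructed user storage: user ID -> attributes that System Challenges check
USER_STORAGE = {
    "jdoe": {
        "driversLicense": "DL-123456",          # placeholder attribute name
        "mail": "jdoe@thesecurecompany.com",    # system e-mail challenge
        "mobile": "+46700000000",               # SMS channel
    }
}
# Constructed: the single User Challenge (question, answer) per account
USER_CHALLENGES = {"jdoe": ("What is your favorite frog", "Kermit")}
# Constructed: when each user last completed Request Forgotten User ID
LAST_USER_NAME_REQUEST: dict[str, datetime] = {}


def record_user_name_request(user_id: str, hours_ago: float = 0.0) -> None:
    """Remember that a user name was handed out (hours_ago lets a test backdate it)."""
    LAST_USER_NAME_REQUEST[user_id] = datetime.now() - timedelta(hours=hours_ago)


def _match(expected: str, given: str) -> bool:
    """Constant-time comparison of a normalised answer against the stored value."""
    return hmac.compare_digest(expected.strip().lower().encode(), given.strip().lower().encode())


@dataclass
class ForgottenPasswordRequest:
    user_id: str                      # Internal Challenge (PortWise User ID)
    system_answers: dict[str, str]    # attribute name -> answer given by the user
    user_challenge_answer: str        # answer to the User Challenge
    email: str                        # System e-mail challenge
    preferred_channel: str = "mail"   # channel that receives the new password


def verify_request(req: ForgottenPasswordRequest) -> tuple[bool, str]:
    """Return (ok, detail). Every challenge is evaluated before answering, so a
    wrong early answer is not distinguishable by timing; the detail string is
    for the audit log, the end user only gets a generic success or failure."""
    attrs = USER_STORAGE.get(req.user_id)
    if attrs is None:
        return False, "unknown user"
    failures = []
    last = LAST_USER_NAME_REQUEST.get(req.user_id)
    if last is not None and datetime.now() - last < timedelta(hours=MIN_HOURS_BETWEEN_REQUESTS):
        failures.append("user name requested less than %d hours ago" % MIN_HOURS_BETWEEN_REQUESTS)
    for attribute, answer in req.system_answers.items():        # System Challenges
        if not _match(attrs.get(attribute, ""), answer):
            failures.append(f"system challenge {attribute} failed")
    _question, expected = USER_CHALLENGES.get(req.user_id, ("", ""))
    if not expected or not _match(expected, req.user_challenge_answer):
        failures.append("user challenge failed")
    if not _match(attrs.get("mail", ""), req.email):              # System e-mail
        failures.append("e-mail does not match")
    if failures:
        return False, "; ".join(failures)
    return True, "ok"


def delivery_plan(req: ForgottenPasswordRequest) -> dict[str, str]:
    """Where the new password goes, and which alternative channel gets the notice
    that a password was issued (the control mechanism described above)."""
    attrs = USER_STORAGE[req.user_id]
    channels = {"mail": attrs["mail"], "sms": attrs["mobile"]}
    secondary = "sms" if req.preferred_channel == "mail" else "mail"
    return {"password_to": channels[req.preferred_channel], "notice_to": channels[secondary]}
```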

Settings

Label | Mandatory | Description
Self Service Enabled | No | Enables or disables Self Service.

Table 7-43: Manage Self Service

Label | Mandatory | Description
Display Name | Yes | Name used in the system to identify the system challenge.
Challenge Question | Yes | The question the system will prompt the user with.
Attribute Name | Yes | The name of the attribute in User Storage which should be used to validate the user's response.

Table 7-44: Edit System Challenge

Label | Mandatory | Description
Send message to secondary channel when Password has been issued | No | Select whether the secondary channel should be used to send a requested password.
Message to secondary Channel | No | Message text for the secondary channel.

Table 7-45: Forgotten Password Settings

Label | Mandatory | Description
Forgotten User Name Message | No | Message text for Forgotten User Name. Use the tag {0} for inserting the user name.

Table 7-46: Forgotten User Name Settings

Label | Mandatory | Description
Min. Hours between User Name and Password requests | Yes | The minimum amount of time required between a forgotten user name request and a request for password. Set to 24 hours by default.

Table 7-47: General Settings

Enabling Authentication Methods for Self Service


You must enable your authentication methods before your users can use the Self Service functions. To do this, go to
Manage System in the main menu and select Authentication Methods from the left-hand menu. The
Manage Authentication Methods pane is shown. Select Add Authentication Method and select an authentication
method type from the list presented. Select Manage Default Template Specification and change the template
specification from GenericForm to SelfServiceForm if you are using a password based authentication method, or
SelfServiceFormPIN if you are using a PIN based authentication method.
You also need to enable the authentication method and define how it should behave when linking users. Select Manage
Accounts and Storage from the top menu, and select Global User Account Settings from the left-hand menu. The
Manage Global User Account Settings pane will be shown. Select the User Linking tab.
For more information on User Linking settings, please read chapter User Accounts.


8
Manage Resource Access

About Resource Access


The PortWise solution provides secure application access. Using a complex combination of resource management,
identity management, and access control, PortWise 4.7 enables users to access corporate applications from remote
locations without compromising security.
In PortWise 4.7, you register applications, folders and files, URLs – everything users need remote access to – as Web or
tunnel resources. Web enabled applications are registered as Web resources, and client-server applications that are not
Web enabled are registered as tunnel resources. You then protect the resources with access rules, authorization settings
and encryption levels to create seamless, secure access control. Users access the resources through the Access Point via
the Web based PortWise Application Portal, or directly in a Web browser using shortcuts.
You can collect resources that share logon credentials in Single Sign-On (SSO) domains, allowing users to enter their
credentials once to access several resources. For added security, you can place the SSO functionality itself under access
control. Access rules are also used to enforce the end-point security feature abolishment, enabling file deletion as well
as cleaning of client cache and browser history on completion of the user session.

Access Rules
Access rules consist of detailed requirements that users must conform to in order to be allowed access to resources.
Available access rules range from authentication methods, user group membership, and date period, to client IP
address, client assessment, and client device. You can specify general access rules available for all resources or SSO
domains, access rules that apply to individual resources, as well as a global access rule that automatically applies to all
resources and SSO domains.

Standard Resources
In PortWise 4.7, a number of applications are available as pre-configured standard resources. The purpose of the
standard resources is to facilitate registration. You create a standard resource using a wizard, which creates the applicable
Web and/or tunnel resources for you.


Global Resource Settings

About Global Resource Settings


Global resource settings apply automatically to all resources in the system. The global settings are grouped in four
categories:
• Internal proxy
• DNS name pool
• Filters
• Link translation

About Internal Proxy


You can specify addresses for internal proxies. The addresses are used when a resource is accessed via a cache or an
ordinary proxy server. You can select to use NTLM v2 for HTTP and HTTPS proxies. If you experience authentication
problems you may try to uncheck the use of NTLM v2.
Proxies available for configuration are:
• Internal HTTP proxy
• HTTPS proxy
• TCP proxy

The TCP proxy is used for the PortWise Access Client.

About DNS Name Pool


You configure the DNS name pool for the purpose of improving link translation, and for using multiple DNS domains.
Multiple DNS domains allow several customers to be hosted on the same PortWise platform, and a single Access Point
to serve multiple designs of logon pages as well as of the Application Portal. This feature is mainly useful for ASP
solutions.
The registered DNS names define the pool of available DNS names. To use multiple DNS domains, you define several
DNS names for the Access Point.


Information
All DNS names must also be registered in a public DNS server, or written to the hosts file
on the client machine that uses the system.

When a user makes a request using a registered mapped DNS name, the Access Point looks up which server to connect
to and which protocol to use and sends the request towards this server.
In PortWise 4.7, three methods of DNS mapping are supported:
• URL mapping
The resource is mapped to a path instead of using a mapped DNS name
• Reserved DNS mapping
The resource is mapped to a specific DNS name
• Pooled DNS mapping
The resource is assigned a DNS name on first Access Point request towards an internal server

You specify which method of DNS mapping to use when adding or editing a resource.

About Filters
In PortWise 4.7, you can use filters to change content in specific pages or in requests for resources.
You can apply a filter to a specific resource host or to all resource hosts. You apply the filter to requests or responses
and to content or headers. For general filters, you can use variables instead of hard-coded values. You can add one or
several variables, specified using name-value pairs, to each filter.
The filters are written using scripts in a proprietary script language called WASCR and have the file suffix .wascr.
Scripts provided with PortWise 4.7 are located in the following paths:
• Microsoft Windows: <PortWise installation folder>\Access Point\built-in files\scripts\
• Linux: /opt/portwise/access-point/built-in-files/scripts/
• Solaris: /opt/portwise/access-point/built-in-files/scripts/

An example of how filters with variables can be used is displayed below.

Example
<APPLET code="com.function.class" archive="applet.jar">
<param name="address" value="1.2.3.4">
</APPLET>

In the example above, the value of the parameter “address” should be replaced with another value, depending on
which path this page is downloaded from. If it is downloaded from the path /telnet.html, the parameter value
should be replaced with “192.168.0.7”. If the page is downloaded from the path /ftp.html, the value should be
“192.168.0.23”.
Follow the steps below to set up your WASCR script to handle this.
1. Use a script that replaces the value with a variable called ip_address.
2. Add a filter and configure the path to /telnet.html. Add a variable to the filter, with variable name ip_address
and value “192.168.0.7”.
3. Add another filter with the path /ftp.html, and add a variable with variable name ip_address and value
“192.168.0.23”.

As a result, when accessing the /telnet.html page the address parameter is replaced with “192.168.0.7”, and when
accessing the /ftp.html page the address parameter is replaced with “192.168.0.23”.
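The filter selection and variable substitution just described, as an added Python illustration (not a WASCR script, whose syntax the manual does not show): each filter carries a path and content type pattern using the * wildcard, the resource host, the filter type and the variables, and a stand-in "script" replaces the applet's address parameter with the matching filter's ip_address value. The HTML snippet, the host name and the two filters are constructed from the example above.

```python
"""Model of the filter-with-variables example, added illustration (not WASCR).

The HTML snippet and the two filters are constructed from the example above;
the "script" is stand-in Python rather than a .wascr file.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field


def wildcard_match(pattern: str, value: str) -> bool:
    """Match with * as the only wildcard, as in the Path and Content Type settings."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


@dataclass
class Filter:
    path: str                                 # e.g. "/telnet.html", "/exchange/*", "*"
    content_type: str = "text/html"           # "text/*" and "*" are also valid
    resource_host: str = "*"                  # "*" stands for All Resource Hosts
    kind: str = "Request"                     # Type of filter; Request is the default
    apply_to: str = "Content"                 # Apply Filter To: Headers or Content
    variables: dict[str, str] = field(default_factory=dict)

    def matches(self, host: str, path: str, content_type: str) -> bool:
        return (wildcard_match(self.resource_host, host)
                and wildcard_match(self.path, path)
                and wildcard_match(self.content_type, content_type))


# Stand-in for the script: it replaces the applet's address parameter value
# with the filter variable ip_address.
_ADDRESS_PARAM = re.compile(r'(<param\s+name="address"\s+value=")([^"]*)(")', re.IGNORECASE)


def apply_response_content_filters(filters: list[Filter], host: str, path: str,
                                   content_type: str, body: str) -> str:
    """Run every matching Response/Content filter over the body, in configured order."""
    for flt in filters:
        if flt.kind != "Response" or flt.apply_to != "Content":
            continue                       # page content is a response; Request filters never see it
        if not flt.matches(host, path, content_type):
            continue
        ip = flt.variables.get("ip_address")
        if ip is None:
            continue                       # the script needs ip_address; a filter without it is a misconfiguration
        body = _ADDRESS_PARAM.sub(lambda m, ip=ip: m.group(1) + ip + m.group(3), body)
    return body


# Constructed page and filters, following the manual's example
APPLET_PAGE = ('<APPLET code="com.function.class" archive="applet.jar">\n'
               '<param name="address" value="1.2.3.4">\n'
               '</APPLET>')
FILTERS = [
    Filter(path="/telnet.html", kind="Response", variables={"ip_address": "192.168.0.7"}),
    Filter(path="/ftp.html", kind="Response", variables={"ip_address": "192.168.0.23"}),
]

if __name__ == "__main__":
    print(apply_response_content_filters(FILTERS, "intranet", "/telnet.html", "text/html", APPLET_PAGE))
```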

About Link Translation


Link translation is used to ensure that all traffic to registered Web resource hosts is routed through the Access Point,
which in turn enables use of SSL and a secure connection. With link translation, Web resource hosts are as secure as
tunnel resource hosts.
When a user connects to a page on a server via the Access Point, all absolute and (depending on link translation type)
semi-relative links to other servers are translated to point to the Access Point.
Translated, or rewritten, links contain information about the original server and what protocol to use. For example,
when a user enters a URL to a registered Web resource, such as http://www.aWebPage.com/start.asp, the
Access Point recognizes the link and automatically rewrites, or translates, the URL to https://<AccessPoint>/
http://www.aWebPage.com/start.asp.
A link can sometimes be divided into subsets, for example by protocol, host, and URI, and then dynamically put together
to form a link by the browser. In that case, the Access Point cannot establish whether it is a link or not and consequently
cannot translate it.
To solve this issue, DNS mapping is used. A DNS name or an IP address pointing to the Access Point is mapped to an
internal host and protocol: a mapped DNS name.
All mapped DNS names are added to a DNS name pool. From there, you select to map Web hosts to DNS names using
one of two methods:
• Reserved DNS mapping
When using Reserved DNS mapping, the Web resource is mapped to a specific DNS name in the DNS name
pool.
• Pooled DNS mapping
When using Pooled DNS mapping, the Web resource is assigned the first available DNS name from the DNS
name pool. This is performed once per session.

Manage Global Resource Settings


Global resource settings are managed on the Manage Global Resource Settings page in the Manage Resource Access
section of PortWise Administrator.


General Settings
General settings include the addresses used for internal proxies. These are defined by specifying host and port.
Internal proxies available for configuration are:
• Internal HTTP proxy
• HTTPS proxy
• TCP proxy

Filters
Define which script to use in the filter by specifying the applicable script name, excluding the file ending .wascr. Note
that the file must be stored in one of the following folders:
• <PortWise installation folder>/files/access-point/built-in-files/scripts
• <PortWise installation folder>/files/access-point/custom-files/scripts

The filter can be applied to individual resources, or all resource hosts. Optionally, you can define if the filter should be
applied to requests or responses, as well as if it should be applied to content or headers.

Path
When specifying path to the files to be filtered, the wildcard character * can be used.

Example
/exchange/*
/index.html
*

Content Type
When defining which content type to filter, the wildcard character * can be used.

Example
text/html
application/x-javascript
text/*
*

Link Translation
In the Link Translation section of the global resource settings, you specify which headers and content types will be
filtered and checked for link translation.
Available headers and content types are:
• Request headers
• Response headers
• Request content types
• Response content types

Request Headers
Defines the request headers that should be filtered and checked for link translation before sending the request to the
internal host. Headers listed must be one-valued. If not, the first value is translated and the second is deleted.
Set to the following headers by default:
• Destination
• Referrer

Response Headers
Defines the response headers that should be filtered and checked for link translation before sending the request to the
client. Headers listed must be one-valued. If not, the first value is translated and the second is deleted.
Set to the following headers by default:
• Location
• Content-Base
• Content-Location
• Content Location

Request Content Types


Specify request content types that should be link translated. The string “NOT_DEFINED” can be entered, defining that
if no content type is sent it should be translated anyway.
Request content types are set to the following content types by default:
• text/html
• application/x-javascript
• text/vnd.wap.wml
• text/xml
• text/css

Response Content Types


Specify response content types that should be link translated. The string “NOT_DEFINED” can be entered, defining that
if no content type is sent it should be URL translated anyway.
Response content types are set to the following content types by default:
• text/html
• application/x-javascript
• text/vnd.wap.wml
• text/xml
• text/css
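The response-side rewriting described above (the https://<AccessPoint>/<original URL> form, the one-valued header rule, and the content type list with NOT_DEFINED), as an added Python illustration that is not Access Point code. The Access Point name, the registered Web resource hosts and the sample response are constructed; the header and content type lists are the defaults given above.

```python
"""Link translation model, added illustration (not Access Point code).

The Access Point name, the registered Web resource hosts and the sample
response are constructed; the header and content type lists are the defaults
from the Link Translation settings.
"""
from __future__ import annotations
import re
from urllib.parse import urlsplit

ACCESS_POINT = "access.thesecurecompany.com"                              # constructed
REGISTERED_HOSTS = {"www.awebpage.com", "intranet.thesecurecompany.com"}  # constructed
RESPONSE_HEADERS = ["Location", "Content-Base", "Content-Location"]
RESPONSE_CONTENT_TYPES = ["text/html", "application/x-javascript", "text/vnd.wap.wml",
                          "text/xml", "text/css", "NOT_DEFINED"]

# Absolute http(s) links inside content, one URL per match
_ABSOLUTE_URL = re.compile(r"""https?://[^\s"'<>]+""")


def translate_url(url: str) -> str:
    """Rewrite http(s)://host/... to https://<AccessPoint>/http(s)://host/... for a
    registered Web resource host; other URLs, including already translated ones
    (whose host is the Access Point itself), are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return url
    if parts.hostname not in REGISTERED_HOSTS:      # urlsplit lower-cases the host
        return url
    return f"https://{ACCESS_POINT}/{url}"


def should_translate_content(content_type: str | None) -> bool:
    """A missing Content-Type is translated only when NOT_DEFINED is configured."""
    if content_type is None:
        return "NOT_DEFINED" in RESPONSE_CONTENT_TYPES
    mime = content_type.split(";")[0].strip().lower()
    return mime in (t.lower() for t in RESPONSE_CONTENT_TYPES)


def translate_response_headers(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Listed headers must be one-valued: the first value is translated and any
    later value of the same header is deleted; unlisted headers pass through."""
    listed = {h.lower() for h in RESPONSE_HEADERS}
    seen: set[str] = set()
    out: list[tuple[str, str]] = []
    for name, value in headers:
        key = name.lower()
        if key not in listed:
            out.append((name, value))
        elif key not in seen:
            seen.add(key)
            out.append((name, translate_url(value)))
        # else: a second value of a one-valued header is dropped
    return out


def translate_body(body: str, content_type: str | None) -> str:
    """Rewrite absolute links in the body when its content type is configured."""
    if not should_translate_content(content_type):
        return body
    return _ABSOLUTE_URL.sub(lambda m: translate_url(m.group(0)), body)


if __name__ == "__main__":
    print(translate_url("http://www.aWebPage.com/start.asp"))
    print(translate_response_headers([("Location", "http://www.aWebPage.com/a"),
                                      ("Location", "http://www.aWebPage.com/b")]))
```

A link the browser assembles at runtime from separate protocol, host and URI pieces never matches _ABSOLUTE_URL, which is the case the manual solves with DNS mapping rather than link translation.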

DNS Name Pool


DNS Names for Access Point
A DNS name for the Access Point is defined by a host name and relative file path towards the content of the wwwroot
(the HTML interface) that should be displayed when using the corresponding DNS name.
It is strongly recommended that the host name is defined as a DNS name, but for testing purposes the host name can
also be defined as an IP address.

Example

DNS Name for PortWise Access Point | WWWRoot
(default) | wwwroot
access.thesecurecompany.com | wwwroots/thesecurecompany
www.vpn.company.com | wwwroots/company

The first DNS name in the example above is pre-configured in the system and available by default. It cannot be edited
or deleted.

DNS Name Pool


In previous releases, the first name in the DNS name pool was used as the Access Point DNS name. This is no longer the
case: DNS Names for Access Point now replaces the need to use the first name in the pool.
Entries in the DNS Name Pool must end with the same string as an entry in DNS Names for Access Point. If not, the
pooled DNS name will never be used. For example, there is little use in adding www1.company.com to the DNS Name Pool
if you do not have a corresponding entry that ends with “.company.com” in DNS Names for PortWise Access Point.

Example
vpn1.thesecurecompany.com
vpn2.thesecurecompany.com
www1.company.com
www2.company.com
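How the two lists fit together, as an added Python example (not PortWise code) built on the manual's own example names: the "same string" two names must share is taken to be everything after the first label, with its leading dot, and a paired pool name is assumed to serve the wwwroot of the Access Point name it is paired with.

```python
"""Resolve a request's Host name to a wwwroot from the DNS Names for Access
Point list and the DNS Name Pool. Added example, not PortWise code."""

# Constructed from the manual's example table: DNS name -> wwwroot.
ACCESS_POINT_NAMES = {
    "access.thesecurecompany.com": "wwwroots/thesecurecompany",
    "www.vpn.company.com": "wwwroots/company",
}
DEFAULT_WWWROOT = "wwwroot"  # the pre-configured "(default)" entry

# The manual's example pool.
DNS_NAME_POOL = [
    "vpn1.thesecurecompany.com",
    "vpn2.thesecurecompany.com",
    "www1.company.com",
    "www2.company.com",
]


def normalise(name):
    """Lower-case, drop a trailing dot and any ':port' from a Host value."""
    return name.split(":", 1)[0].strip().lower().rstrip(".")


def shared_suffix(pool_entry):
    """Assumption: the 'same string' two names must share is everything after
    the first label, with its leading dot: 'www1.company.com' -> '.company.com'."""
    _, dot, rest = normalise(pool_entry).partition(".")
    return "." + rest if dot else ""


def pair_pool_entries(pool, access_point_names):
    """Map each pool entry to the access-point DNS name it can stand in for, or
    None when no entry ends with the same string (the manual's warning: such a
    pooled name will never be used)."""
    pairing = {}
    for entry in pool:
        suffix = shared_suffix(entry)
        pairing[entry] = None
        # Assumption: a suffix of a single label such as ".com" is too broad to pair on.
        if suffix.count(".") < 2:
            continue
        for ap_name in access_point_names:
            # Keep the leading dot: without it 'www1.company.com' would also
            # pair with 'access.thesecurecompany.com'.
            if normalise(ap_name).endswith(suffix):
                pairing[entry] = ap_name
                break
    return pairing


def wwwroot_for_host(host_header, access_point_names=ACCESS_POINT_NAMES,
                     pool=DNS_NAME_POOL, default=DEFAULT_WWWROOT):
    """Pick the wwwroot for a request's Host header: an exact access-point name
    wins, a paired pool name serves the root of its access-point name
    (assumption), anything else falls back to the default root."""
    host = normalise(host_header)
    roots = {normalise(n): root for n, root in access_point_names.items()}
    if host in roots:
        return roots[host]
    pairing = {normalise(e): ap
               for e, ap in pair_pool_entries(pool, access_point_names).items()}
    ap_name = pairing.get(host)
    return roots[normalise(ap_name)] if ap_name else default


if __name__ == "__main__":
    for entry, ap_name in pair_pool_entries(DNS_NAME_POOL, ACCESS_POINT_NAMES).items():
        print(f"{entry:28} -> {ap_name or 'never used'}")
    print(wwwroot_for_host("www1.company.com:443"))  # wwwroots/company
```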

Settings
Filters
Label | Mandatory | Description
Script Name | Yes | The name of the filter file, stored in the folder files/custom-files/scripts or files/built-in-files/scripts.
Type of filter | No | Available options are: Request and Response. Set to Request by default.
Resource Host | Yes | Set to All Resource Hosts by default.
Path | Yes | Path to the files to be filtered. The wildcard character * is supported. Set to * by default.
Content Type | Yes | Filtered content type. The wildcard character * is supported.
Apply Filter To | No | Available options are: Headers and Content. Set to Content by default.

Table 8-1: General Settings

Label | Mandatory | Description
Name | Yes | Name of the variable
Value | Yes | Value of the variable

Table 8-2: Variables

Internal proxy
Label | Mandatory | Description
Host | No | IP address or the DNS name of the HTTP proxy or cache
Port | No | Proxy port connection via the HTTP protocol

Table 8-3: Internal HTTP Proxy

Label | Mandatory | Description
Host | No | IP address or DNS name of the HTTPS proxy or cache
Port | No | Proxy port connection via the HTTPS protocol

Table 8-4: Internal HTTPS Proxy

Label | Mandatory | Description
Host | No | IP address or DNS name of the proxy for Access Clients
Port | No | Proxy port connection for Access Client traffic

Table 8-5: Internal TCP Proxy

Link Translation
Label | Mandatory | Description
Request Headers | No | Request headers that are filtered and checked for link translation if the destination host is configured to translate request headers. Set to Destination and Referrer by default.
Response Headers | No | Response headers that are filtered and checked for link translation if the host sending the response is configured to translate response headers. Set to Location, Content-Base, and Content-Location by default.
Request Content Types | No | Defines the content types filtered for requests. Set to text/html, application/x-javascript, text/vnd.wap.wml, text/wml, and text/css by default.
Response Content Types | No | Defines the content types filtered for responses. Set to text/html, application/x-javascript, text/vnd.wap.wml, text/xml, and text/css by default.

Table 8-6: Link Translation

DNS Name Pool


Label | Mandatory | Description
DNS Name | No | Not available for editing
WWW Root | No |

Table 8-7: Add DNS Name for Access Point

Label | Mandatory | Description
DNS Name | No | DNS name added to the pool.

Table 8-8: Add DNS Name to Pool

Standard Resources

About Standard Resources


In PortWise 4.7, a number of commonly used applications are available as partly pre-configured standard resources.
Standard resources are provided for your convenience, to facilitate registration. Instead of creating ordinary Web or
tunnel resource hosts for these applications, you use a wizard to create the resources with a minimum of manual
configuration. Different settings as well as applicable Web and/or tunnel resources are created automatically when the
wizard is completed.

The following applications are available as standard resources:

File Sharing Resources
• Microsoft Windows File Share
• Access to Home Directory
Mail
• IMAP/SMTP
• POP3/SMTP
• Outlook Web Access 5.5
• Outlook Web Access 2000
• Outlook Web Access 2003
• Outlook Web Access 2007
• MS Outlook Client 2000/2003/2007
Portal Resources
• Citrix Metaframe Presentation Server
• Microsoft Sharepoint Portal Server 2003
• ThinLinc
Portwise Resources
• Secure Remote Access to Administrator
Remote Controlling Resources
• Microsoft Terminal Server 2000
• Microsoft Terminal Server 2003
Other Web Resources
• SalesForce

Manage Standard Resources


Standard resources are created on the Standard Resources page in the Manage Resource Access section of the
PortWise Administrator.
You create a standard resource by using an Add Standard Resource wizard. After completing the wizard, applicable
Web and/or tunnel resources are created. Consequently, once a resource has been registered as a standard resource,
it is added to and managed in the Manage Web Resources or Manage Tunnel Resources section of the
PortWise Administrator.

Common Standard Resource Settings


All resources require a Display Name. The display name is the name used to identify the resource in the PortWise
network. You may also specify a Description for the Standard Resource which can be used as reference description if
there are several Resources defined of the same type.

Special Settings
These are the settings that differ between the Standard Resources. Please see the Standard Resources Settings section
below for instructions on how to define each Standard Resource Type.

Application Portal Settings


You can select to make the standard resource host available in the Application Portal. You then specify an icon to repre-
sent the resource. An icon library provides a range of icons to choose from, but you can also browse to a desired image
file. The icon must be of the type .gif, .jpeg, or .png and must not exceed 10kB in size.
In addition, you enter a link text accompanying the icon in the Application Portal. All link texts in the Application Portal
are displayed alphabetically, which provides a possibility to organize the order in which the resources are presented.
For each resource specified to be displayed in the Application Portal, a corresponding Application Portal item is auto-
matically created. The Application Portal item is displayed and can be edited or deleted on the Manage Application
Portal page in the Manage Resource Access section of the PortWise Administrator.

Access Rules
See Manage Access Rules

Standard Resources Settings

Citrix MetaFrame Presentation Server


Configuration of a standard resource for Citrix MetaFrame Presentation Server includes the settings described below.

Citrix Web Server


You configure host and HTTP port for the Citrix Web Server. Host is specified as an IP address. When used in tunnel
sets, Virtual IP Address is set to this address by default. HTTP port defines the HTTP port for the Citrix MSAM Web
server traffic.
When the standard resource uses a non-default HTTP port (other than 80), the port must be added to registered alter-
native hosts.

Example
citrixweb.portwise.com:8080

If the default port (80) is used, make sure the alternative host contains the server name without port.

Example
citrixweb.portwise.com

The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource
Host page.

Citrix MetaFrame Server


You can configure up to three Citrix MetaFrame servers. For each server, you specify the host (IP address). Dynamic
Tunnels will be added to each server using ports 1494 and 2598.

Automatically Configured Settings


When the standard resource Citrix MetaFrame Presentation Server is registered, the following settings are automatically
configured:
• Web resource host for the Citrix Web server
• Display name for the Web resource host
• One or several tunnel resource hosts for the Citrix MetaFrame Server(s)
• Display name(s) for the tunnel resource host(s)
• The setting Forward cookie between client and resource is enabled
• Tunnel set including the tunnel resources with ports 1494 and 2598 predefined
• Display name
• Host: host=tcp:host address:port
• Redirect URL: redirect=/wa/http/nfuse

Thinlinc Application Server


Configuration of a standard resource for Thinlinc Application Server includes the settings described below.

Thinlinc Web Server


You configure host and HTTPS port for the Thinlinc Web Server. Host is specified as an IP address. HTTPS port defines
the HTTPS port for the Thinlinc Web server traffic.
When the standard resource uses a non-default HTTPS port (other than 443), the port must be added to registered
alternative hosts.

Example
thinlincweb.portwise.com:443

If the default port (443) is used, make sure the alternative host contains the server name without port.

Example
thinlinc.portwise.com

The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource
Host page.

Thinlinc Application Server


You can configure up to three Thinlinc Application servers. For each server, you specify the host (IP address). Dynamic
Tunnels will be added to each server using port 22.

Automatically Configured Settings


When the standard resource Thinlinc Application Server is registered, the following settings are automatically config-
ured:

• Web resource host for the Thinlinc Web server
• Display name for the Web resource host
• One or several tunnel resource hosts for the Thinlinc Application Server(s)
• Display name(s) for the tunnel resource host(s)
• Tunnel set including the tunnel resources with port 22 predefined
• Display name
• Host: host=tcp:host address:port

Domino Web Access 6.5


Configuration of a standard resource for Domino Web Access 6.5 includes the settings described below.

General Settings
You specify host and HTTP or HTTPS ports for Domino Web Access. Host defines the IP address or DNS name of the
Domino Web Access host.
HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the
Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to
registered alternative hosts.

Example
www.portwise.com:8080

If the default port is used, make sure the alternative host contains the server name without port.

Example
www.portwise.com

The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource
Host page.

Automatically Configured Settings


When the standard resource Domino Web Access 6.5 is registered, the following settings are automatically config-
ured:
• Web resource host for the Domino server
• Display name for the Web resource host

Terminal Server 2000 and 2003


Configuration of a standard resource for Terminal Server 2000 and 2003 includes the settings described below.

Special Settings
You specify host and port for the Terminal Server 2000 or 2003. Host defines the IP address or DNS name of the Termi-
nal Server host. Port defines the port for Terminal Server TCP. Several port numbers or a range of port numbers can be
entered, separated with a comma sign. Default port is 3389.
You can also select to use Dynamic or Static tunnels. Please see the Tunnel Configuration Settings for further informa-
tion on the difference between Dynamic and Static Tunnels

Automatically Configured Settings


When the standard resource Terminal Server 2000 or 2003 is registered, the following settings are automatically con-
figured:
• Tunnel resource for the Terminal Server
• Display name for the tunnel resource
• Tunnel set including the tunnel resource

Outlook Web Access 2000/Outlook Web Access 2003/Outlook Web Access 2007/
Outlook Web Access 5.5
Configuration of standard resources for Microsoft Outlook Web Access 2000, Microsoft Outlook Web Access 2003,
Microsoft Outlook Web Access 2007, and Microsoft Outlook Web Access 5.5 includes the settings described below.

Special Settings
You specify host and HTTP or HTTPS ports for Outlook Web Access. Host defines the IP address or DNS name of the
Outlook Web Access host.
HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the
Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to
registered alternative hosts.

Example
mail.portwise.com:8080

If the default port is used, make sure the alternative host contains the server name without port.

Example
mail.portwise.com

The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource
Host page.

Automatically Configured Settings


When the standard resources Microsoft Outlook Web Access 2000, Microsoft Outlook Web Access 2003, Microsoft
Outlook Web Access 2007, and Microsoft Outlook Web Access 5.5 are registered, the following settings are automatically
configured:

• Resource host for the Exchange Server
• Display name for the resource host

Microsoft Outlook Client 2000/2003/2007


Configuration of a standard resource for Microsoft Outlook Client 2000/2003/2007 includes the settings described
below.

Special Settings
You specify host and port for the Microsoft Outlook Client 2000/2003/2007. Host defines the IP address or DNS name
of the Exchange Server host. Port defines the port for the MAPI Exchange. Several port numbers or a range of port
numbers can be entered, separated with a comma sign. Set to 1-65535 by default.

Automatically Configured Settings


When the standard resource Microsoft Outlook Client 2000/2003/2007 is registered, the following settings are auto-
matically configured:
• Tunnel resource for the Exchange server
• Display name for the tunnel resource
• Support for all TCP and UDP ports for the range 1-65535
• Tunnel set including the tunnel resource

POP3/SMTP
Configuration of a standard resource for a POP3/SMTP mail server includes the settings described below.

Special Settings
You specify host and port for the POP3/SMTP mail server. Mail Server Address defines the IP address or DNS name of
the POP3/SMTP mail server. Startup command is the command used to start the local mail client.
You can also select to use Dynamic or Static tunnels. Please see the Tunnel Configuration Settings for further informa-
tion on the difference between Dynamic and Static Tunnels

Automatically Configured Settings


When the standard resource POP3/SMTP is registered, the following settings are automatically configured:
• Tunnel resource for the POP3/SMTP server
• Display name for the tunnel resource
• Support for TCP ports 25 and 110
• Tunnel set including the tunnel resource

IMAP/SMTP
Configuration of a standard resource for an IMAP/SMTP mail server includes the settings described below.

Special Settings
You specify host and port for the IMAP/SMTP mail server. Mail Server Address defines the IP address or DNS name of
the IMAP/SMTP mail server. Startup command is the command used to start the local mail client.

You can also select to use Dynamic or Static tunnels. Please see the Tunnel Configuration Settings for further informa-
tion on the difference between Dynamic and Static Tunnels

Automatically Configured Settings


When the standard resource IMAP/SMTP is registered, the following settings are automatically configured:
• Tunnel resource for the IMAP/SMTP server
• Display name for the tunnel resource
• Support for TCP ports 25, 143, and 993
• Tunnel set including the tunnel resource

Windows File Share


Configuration of a standard resource for Windows File Share includes the settings described below.

Special Settings
You specify host, share, and drive letter for the standard resource. Host defines the IP address or DNS name of the host.
Share defines the share to connect to on the file server. Drive letter (optional) defines the preferred drive to map on to
the client.

Automatically Configured Settings


When the standard resource Windows File Share is registered, the following settings are automatically configured:
• Tunnel resource for the file share server
• Support for TCP and UDP ports for the range 137-139, 445
• Tunnel set including a dynamic tunnel to the tunnel resource, mapped drive, and startup command

Access to Home Directory


Configuration of a standard resource for Access to Home Directory includes the settings described below.

Special Settings
You specify the host for the standard resource. The host defines the IP address or DNS name of the host.

Automatically Configured Settings


When the standard resource Access to Home Directory is registered, the following settings are automatically config-
ured:
• Tunnel resource for the file share server
• Support for TCP and UDP ports for the range 137-139, 445
• Tunnel set including a dynamic tunnel to the tunnel resource, mapped drive, and startup command

Secure Remote Access to Administrator


Configuration of a standard resource for Secure Remote Access to Administrator includes the settings described be-
low.

Special Settings
You specify host and HTTP or HTTPS ports for Secure Remote Access to Administrator. Host defines the IP address or
DNS name of the Administration Service host.
HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the
Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to
registered alternative hosts.

Example
www.portwise.com:8080

If the default port is used, make sure the alternative host contains the server name without port.

Example
www.portwise.com

The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource
Host page.

Automatically Configured Settings


When the standard resource Secure Remote Administrator Access is registered, the following settings are automatically
configured:
• Web resource host for the Administration Service
• Display name for the Web resource host

SalesForce
Configuration of a standard resource for SalesForce includes the settings described below.

Special Settings
No special settings are required for this Standard Resource. It uses the default HTTP connection towards the
SalesForce servers.

Automatically Configured Settings


When the standard resource SalesForce is registered, the following settings are automatically configured:
• Web resource host for www.salesforce.com

Settings
Label | Mandatory | Description
Enable Resource | No | Selected by default.
Make resource available in Application Portal | No | Selected by default.
Icon | (Yes) | Path to the image file that symbolizes the standard resource in the Application Portal. Mandatory when Make resource available in Application Portal is selected.
Link Text | (Yes) | Text that represents the Standard Resource in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Table 8-9: Common Settings

Label | Mandatory | Description
Host | Yes | Citrix MetaFrame server IP address. When used in tunnel sets, Virtual IP Address is set to this address by default.
HTTP Port | Yes | HTTP port for the Citrix MSAM Web server traffic. Set to 80 by default.
Citrix MetaFrame Server 1 | Yes | Citrix MetaFrame server IP address. When used in tunnel sets, Virtual IP Address is set to this address by default.
Citrix MetaFrame Server 2 | No | When used in tunnel sets, Virtual IP Address is set to this address by default.
Citrix MetaFrame Server 3 | No | When used in tunnel sets, Virtual IP Address is set to this address by default.

Table 8-10: Citrix MetaFrame Presentation Server

Label | Mandatory | Description
Host | Yes | Thinlinc Web server IP address. When used in tunnel sets, Virtual IP Address is set to this address by default.
HTTP Port | Yes | HTTPS port for the Thinlinc Web server traffic. Set to 443 by default.
Thinlinc Application Server 1 | Yes | Thinlinc Application server IP address.
Thinlinc Application Server 2 | No | Thinlinc Application server IP address.
Thinlinc Application Server 3 | No | Thinlinc Application server IP address.

Table 8-11: Thinlinc Application Server

Label | Mandatory | Description
HTTP Port | (Yes) | Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default.
HTTPS Port | (Yes) | Either HTTP Port or HTTPS Port is mandatory.

Table 8-12: Domino Web Access 6.5

Label | Mandatory | Description
Host | Yes | IP address of the Terminal Server host
Port | Yes | Port for Terminal Server TCP. Set to 3389 by default.
Tunnel Type | Yes | Use Dynamic or Static tunnels

Table 8-13: Terminal Server 2000/2003

Label | Mandatory | Description
Host | Yes | IP address or DNS name of the Outlook Web Access host.
HTTP Port | (Yes) | Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default.
HTTPS Port | (Yes) | Either HTTP Port or HTTPS Port is mandatory.

Table 8-14: Outlook Web Access 2000/2003/2007

Label | Mandatory | Description
Host | Yes | IP address of the Exchange Server host.
TCP Port Set | Yes | Port for the MAPI Exchange. Set to 1-65535 by default.
UDP Port Set | No | Port for the MAPI Exchange. Set to 1-65535 by default.

Table 8-15: MS Outlook Client 2000/2003/2007

Label | Mandatory | Description
Mail Server Address | Yes | Host address of the Mail Server host.
Startup Command | No | Startup Command used to start the client
Tunnel Type | Yes | Use Dynamic or Static tunnels, Dynamic by default

Table 8-16: POP3/SMTP

Label | Mandatory | Description
Mail Server Address | Yes | Host address of the Mail Server host.
Startup Command | No | Startup Command used to start the client
Tunnel Type | Yes | Use Dynamic or Static tunnels, Dynamic by default

Table 8-17: IMAP/SMTP

Label | Mandatory | Description
Host | Yes | IP address or DNS name of the host.
Share | Yes | Share to connect to on the file server.
Drive Letter | No | Preferred drive to map on to the client, from A: to Z:. Set to None by default.

Table 8-18: Windows File Share

Label | Mandatory | Description
Host | Yes | IP address or DNS name of the host.

Table 8-19: Access to Home Directory

Label | Mandatory | Description
Host | Yes | IP address of the Administration Service host
HTTP Port | (Yes) | Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default.
HTTPS Port | (Yes) | Either HTTP Port or HTTPS Port is mandatory.

Table 8-20: Secure Remote Access to Administrator

Label | Mandatory | Description
Host | Yes | IP address of the Administration Service host
HTTP Port | (Yes) | Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default.
HTTPS Port | (Yes) | Either HTTP Port or HTTPS Port is mandatory.

Table 8-21: SalesForce

Web Resources

About Web Resources


Web resources are applications with a Web interface, or any files accessible in a Web browser.
A Web resource has a resource host (or root) which may have one or several paths connected to it. A resource host
defines an HTTP or HTTPS server based on a URL. A resource path defines a subset of a Web server, for when you want
to restrict user access to that subset only.

Example
Host: https://www.portwise.com
Path: https://www.portwise.com/securefolder/securepage.htm

When using Web resource paths, you can set your own security levels with access rules for specific applications and
files. As of PortWise 4.7, you can also choose to let Web resource paths derive their authorization settings (consisting
of access rules and advanced settings) from the parent Web resource host or path.

Single Sign-On
When SSO is enabled and used, it performs a POST or a GET request to a URL. The form data usually contains a user
name and a password together with some static fields. The variables [$username], [$password], and [$domain] are
replaced by the stored user name, password and NTLM domain from the SSO database. If the back-end server requires
the logon request to contain specific headers, these can be supplied as additional headers.

Example
User-Agent: Mozilla/4.7 Enterprise Edition (compatible; MSIE 6.0; Windows NT 5.1;
.NET CLR 1.1.4322)
Accept: */*

Manage Web Resource Hosts


Registered Web resource hosts and paths are listed on the Manage Web Resources page in the Manage Resource
Access section of the PortWise Administrator. You can add, edit, and delete Web resource hosts and paths.
A first Web resource, the Access Point root path, was added to the Manage Web Resources section of the system
during the Setup System wizard, when the Access Point resource host was registered. The Access Point root path can-
not be deleted.
In addition, a number of settings can be specified globally to apply to all Web resources as well as tunnel resources. This
is configured in the Manage Global Resource Settings section of Manage Resource Access. Global resource
settings cover internal proxy settings, mapped DNS names, filters, and link translation.

General Settings
Configuration of a Web resource host includes settings described below.

Important
The Web resource host Display Name is also used for link translation in the Access
Point, that is as part of the translated, or rewritten, link. Because of this, Display Name
cannot contain characters such as commas or semi-colons, for example.

Supported characters in display names are: A-Z a-z 0-9 and .

HTTP Port/HTTPS Port and Alternative Hosts


HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the
Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to
registered alternative hosts.

Example
www.portwise.com:8080

If the default port is used, make sure the alternative host contains the server name without port.

Example
www.portwise.com

The alternative host is registered as an IP address or DNS name.
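The alternative-host rule stated for the Citrix, Thinlinc, Domino, Outlook Web Access and Secure Remote Access standard resources above, and again here for Web resource hosts, as an added Python check (not PortWise code); the resource records are constructed from the manual's example names.

```python
"""Check registered alternative hosts against the rule this chapter repeats for
every Web-type resource: add 'host:port' when a non-default HTTP (80) or HTTPS
(443) port is used, and the bare server name when the default port is used.
Added example, not PortWise code; the resource records are constructed."""

DEFAULT_PORTS = {"http": 80, "https": 443}


def required_alternative_host(host, scheme, port):
    """The entry the manual asks for: ('citrixweb.portwise.com', 'http', 8080)
    -> 'citrixweb.portwise.com:8080'; ('thinlinc.portwise.com', 'https', 443)
    -> 'thinlinc.portwise.com'."""
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be http or https")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    host = host.strip().lower().rstrip(".")
    return host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"


def check_alternative_hosts(resource):
    """Return findings (strings) for one resource host; an empty list means the
    registered alternative hosts follow the rule for every configured port.

    resource = {"host": str,
                "ports": {"http": int | None, "https": int | None},
                "alternative_hosts": [str, ...]}
    """
    findings = []
    registered = {a.strip().lower() for a in resource["alternative_hosts"]}
    host = resource["host"].strip().lower().rstrip(".")
    for scheme, port in resource["ports"].items():
        if port is None:
            continue  # this scheme is not enabled for the resource
        needed = required_alternative_host(host, scheme, port)
        if needed not in registered:
            findings.append(f"{scheme} port {port}: alternative host {needed!r} is not registered")
        # The manual's second instruction: with the default port, register the
        # name without the port. Flag an entry that carries it anyway.
        if port == DEFAULT_PORTS[scheme] and f"{host}:{port}" in registered:
            findings.append(f"{scheme} port {port}: '{host}:{port}' carries the default port; use {needed!r}")
    return findings


# Constructed resource records mirroring the manual's examples.
CITRIX_WEB = {"host": "citrixweb.portwise.com",
              "ports": {"http": 8080, "https": None},
              "alternative_hosts": ["citrixweb.portwise.com"]}          # port missing
THINLINC_WEB = {"host": "thinlinc.portwise.com",
                "ports": {"http": None, "https": 443},
                "alternative_hosts": ["thinlinc.portwise.com:443"]}     # default port written out
OWA = {"host": "mail.portwise.com",
       "ports": {"http": 80, "https": 8443},
       "alternative_hosts": ["mail.portwise.com", "mail.portwise.com:8443"]}  # correct

if __name__ == "__main__":
    for res in (CITRIX_WEB, THINLINC_WEB, OWA):
        print(res["host"], check_alternative_hosts(res) or ["ok"])
```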

Single Sign-On
If you have registered Single Sign-On domains, you can enable SSO for the Web resource host. Depending on the do-
main types of the registered SSO domains, you can select SSO domain type text, cookie (text is selected by default) or
Adaptive SSO, and then select which SSO domain to use. If you select Adaptive SSO you can also select to create a new
SSO Domain that will be used for this Resource. See more information about Adaptive SSO below.
If you select domain type text and will use form-based SSO, additional configuration regarding the logon form to the
resource host and the form response message is required.
The logon form is added to the resource host to enable form-based SSO. Configuration of the logon form includes
whether SSO should perform POST or GET when triggered, the URL to GET or POST data to, as well as form data sent
to the server.
A form response message can be used to determine whether a logon was successful or not. Configuration of the form
response message, that will appear when the user has logged on or failed to log on, includes a URL to which the re-
sponse from the form should be sent, and a text string form response used to decide if the authentication is successful
or unsuccessful.
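The logon request and the form response check described here and under Single Sign-On above, as an added Python example (not PortWise code): the resource's SSO settings and the stored credentials are constructed, the SSO database is a plain dict, and whether the configured response text signals success or failure is made an explicit setting because the manual leaves it open.

```python
"""Form-based SSO: build the POST or GET logon request with the variables
[$username], [$password] and [$domain] filled in from the SSO database, attach
the additional headers, and evaluate the form response message.
Added example, not PortWise code; configuration and credentials are constructed."""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed SSO settings for one resource host. The User-Agent and Accept
# headers are the additional headers shown in the manual's example.
SSO_CONFIG = {
    "method": "POST",
    "url": "https://intranet.example.internal/login.do",
    "form": [("user", "[$username]"), ("pass", "[$password]"),
             ("dom", "[$domain]"), ("action", "login")],   # static field
    "headers": {
        "User-Agent": "Mozilla/4.7 Enterprise Edition (compatible; MSIE 6.0; "
                      "Windows NT 5.1; .NET CLR 1.1.4322)",
        "Accept": "*/*",
    },
    # Form response message: URL the reply must come from, and the text that
    # decides the outcome. 'means' is an assumption added by this example.
    "response": {"url": "https://intranet.example.internal/login.do",
                 "text": "Welcome", "means": "success"},
}

# Stands in for the SSO database: user -> stored user name, password, NTLM domain.
SSO_DATABASE = {"alice": {"username": "alice", "password": "p&ss=word", "domain": "CORP"}}


def substitute(value, creds):
    """Replace the three SSO variables in one form-field value."""
    return (value.replace("[$username]", creds["username"])
                 .replace("[$password]", creds["password"])
                 .replace("[$domain]", creds.get("domain", "")))


def build_logon_request(sso, creds):
    """Return (method, url, headers, body) for the SSO logon request.

    Fields keep their configured order; values are URL-encoded so a password
    containing '&' or '=' cannot break the form encoding or add a field.
    """
    fields = [(name, substitute(value, creds)) for name, value in sso["form"]]
    encoded = urlencode(fields)
    headers = dict(sso.get("headers", {}))
    method = sso["method"].upper()
    if method == "POST":
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        return method, sso["url"], headers, encoded
    if method == "GET":
        parts = urlsplit(sso["url"])
        query = parts.query + ("&" if parts.query else "") + encoded
        return method, urlunsplit(parts._replace(query=query)), headers, ""
    raise ValueError("SSO method must be POST or GET")


def logon_succeeded(response_url, response_body, sso):
    """Apply the form response message: the reply must come from the configured
    URL, and the configured text string decides the outcome (assumption:
    'means' says whether finding it signals a successful or a failed logon)."""
    resp = sso["response"]
    if response_url.split("?", 1)[0] != resp["url"]:
        return False  # reply came from somewhere else; never treat as logged on
    found = resp["text"] in response_body
    return found if resp.get("means", "success") == "success" else not found


if __name__ == "__main__":
    method, url, headers, body = build_logon_request(SSO_CONFIG, SSO_DATABASE["alice"])
    print(method, url)
    print(body)   # user=alice&pass=p%26ss%3Dword&dom=CORP&action=login
    print(logon_succeeded(url, "<h1>Welcome alice</h1>", SSO_CONFIG))  # True
```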

Adaptive Single-Sign On
Adaptive SSO is a new version of Form Based SSO (from PortWise 4.7 and later) that does not need to be configured
but learns its configuration by itself. You only need to apply it on a resource and choose an SSO domain to use, exactly
the same way as you do with text based SSO.

The functionality of Adaptive SSO differs from the old Form Based SSO in the following ways:

• The first time a user accesses the resource, the system learns its configuration. The user is never presented with
the PortWise standard form “Additional Authentication Required”, as with Text and the old Form Based SSO. Instead,
the user sees the original HTML form as if no SSO were configured.
• The second time the same user accesses the resource, he or she will not see the login page but is forwarded directly,
as if he or she had filled in the username and password and pressed Submit.
• When another user who lacks SSO credentials accesses the resource, he or she will also see the backend server’s
form, as if no SSO were configured, but once he or she has filled in the credentials on the page, they are stored in
his or her SSO domain in the directory.
• The first time a user is timed out or presented with a relogin page, the system learns the new URL that is likely to
present a relogin page.
• The second time a user is timed out, he or she will not see it but is automatically logged in again.
• The detailed configuration is automatically detected by the Access Point as the first user accesses the resource.
This information is collected in a file located at the Access Point: config/FormBasedLearning.txt. In load balanced
mode, this file is synched between the Access Points in the system, using the native load balancing protocol that
Access Point uses to mirror sessions. The file is not synched with the Administration Service.
• If a user is timed out from the backend server, Access Point hides the re-authentication form from the user and
automatically logs the user in again.
• If the form contains hidden state parameters, Access Point merges those state parameters into the POST request.
This is not possible with the old Form Based SSO. For example, if a user tries to access a perl-desk URL targeting a
specific PD ticket, Perldesk redirects the user to a login page with a hidden parameter telling where the user was
about to go before login was requested. With Adaptive SSO, this information is carried in the auto-generated POST
request so that the user is redirected to the requested PD ticket.

Limitations
Access Point makes a best effort to find out which parameter is the username, the password and possibly the domain,
and stores the autoconfigured parameters in the FormBasedLearning.txt file. However, some HTML pages use JavaScript
to copy contents from one form to another, or from a password field into a hidden field, before the actual submit is
performed. In those cases, Access Point’s autoconfigured FormBasedLearning will be incorrect and the SSO will only
work for one single user, or for no user at all. It is therefore recommended to test the SSO by logging in with two
different accounts before being certain that the autoconfiguration is correct. If it is not correct, the
FormBasedLearning.txt file can be altered manually. See below for how to do that.
Sometimes a login form has hidden fields that are filled in by JavaScript with client-specific information such as screen
resolution. These parameters are defined by the user who trains the system the first time. So if the screen resolution
of the first user is 1600x1200, all users will seem to have this resolution. There is no simple workaround for this. The
old Form Based SSO has the same limitation.
If the user has an empty password at the backend system, Adaptive SSO will be unable to learn the credentials.
Troubleshooting (FAQ)

I have enabled Adaptive SSO on a resource, but I don’t get SSO to work?
When you test it with a browser, make sure that the resource is always accessed through PortWise - i.e. that your
browser is never redirected outside PortWise while accessing the resource. If your browser is redirected, the resources
are not correctly configured. You may have to add more resource hosts to the system or you may add addresses to the
“additional host names”. There is a debug log called “hyperlinks.log” under access-point/logs/debug, in which you can
see which hosts are resolved and which are foreign. You may have to add a new resource host based on the information
of a foreign host in hyperlinks.log.
Make sure that the login page is part of the resource that you have enabled SSO for. If you are not certain, you may try
to enable Adaptive SSO on the resource host (the root) rather than on the resource path.
SSO works but when I’m timed out from the resource I do not get re-authenticated automatically
Make sure the relogin page is delivered from a URL whose resource is set to use Adaptive SSO. If not certain, use Adap-
tive SSO on the resource root rather than on the resource path.
SSO works, but sometimes when I log out from the backend server I get the login page, and sometimes the login
page is hidden from me and I am just logged in again automatically, directly after the logout.
This works as designed. You can hide the logout link using a filter script to prevent this behavior. Whether the relogin
page is shown or not depends on the time between your logon to the resource and your logoff. If you open the
resource, wait for 30 seconds and then log out, you will automatically be logged in again. But if you log out sooner
than that, you will see the login page after logging out. The reason for this is to prevent the SSO from getting stuck in
a login loop: Adaptive SSO never knows whether your credentials are correct or not, so if they are not correct, the user
must be able to see the login page and enter new, valid credentials.
I have manually changed the FormBasedLearning.txt file as described. It worked fine for a while, but
after some time it seems to have forgotten my manual settings. Users no longer get access to the
backend system.
Access Point will reset the learning for a resource if it stops working correctly. This happens in one of the following
scenarios:
• the backend server responds with an HTTP 404 or an HTTP 405 to the POST
• the resource host pointed out by formActionURL has been removed from the resource list in RemoteConfiguration
Your manual changes therefore disappeared because of a change on the backend server or a change in the resource
configuration. You will have to redo the manual changes in FormBasedLearning.txt.

Application Portal Settings


You can select to make the Web resource host available in the Application Portal. You then specify an icon to represent
the resource. An icon library provides a range of icons to choose from, but you can also browse to a desired image file.
The icon must be of the type .gif, .jpeg, or .png and must not exceed 10kB in size.
In addition, you enter a link text accompanying the icon in the Application Portal. All link texts in the Application Portal
are displayed alphabetically, which provides a possibility to organize the order in which the resources are presented.
For each Web resource specified to be displayed in the Application Portal, a corresponding Application Portal item is
automatically created. The Application Portal item is displayed and can be edited or deleted on the Manage Applica-
tion Portal page in the Manage Resource Access section of the PortWise Administrator.

Alternative Hosts
Alternative hosts are required for link translation to function properly. You can define one or several alternative hosts
for the Web resource host. The alternative host is specified as an IP address or a DNS name.
When the Web resource uses a non-default HTTP port (other than 80) or uses an HTTPS port other than 443, the port
must be added as an alternative host.

Example
www.portwise.com:8080

If the default port is used, the alternative host must contain the server name without port.

Example
www.portwise.com
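The following added example (it is not part of the PortWise manual or product) shows why the port rule above matters for link translation. It implements URL-mapping link translation in miniature: a link in a page is rewritten only if its host[:port] is the registered resource host or one of its alternative hosts; any other link is left untouched and reported as foreign, which is what hyperlinks.log records. The mapped URL layout (https://ap.example.com/<scheme>/<host[:port]>/<path>), the access point address and the host names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def alternative_host_entry(url):
    """Return the Alternative Hosts entry that a link to this URL needs:
    'host' when the scheme's default port is used, 'host:port' otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    host = parts.hostname  # urlsplit already lowercases the host name
    port = parts.port or DEFAULT_PORTS[scheme]
    return host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"


# Absolute http(s) URLs in the attributes that link translation has to rewrite.
ATTR_URL = re.compile(
    r'(?P<attr>\b(?:href|src|action)\s*=\s*")(?P<url>https?://[^"]+)"', re.I)


class UrlMappingTranslator:
    """URL-mapping link translation for one registered Web resource host.

    A link is rewritten only if its host[:port] is the resource host or one of
    its alternative hosts; anything else is left untouched and reported as
    foreign. The mapped URL layout used here is an assumption of the example,
    not the layout the real Access Point uses.
    """

    def __init__(self, access_point, resource_host, alternative_hosts=()):
        self.access_point = access_point.rstrip("/")
        self.known = {resource_host.lower()} | {h.lower() for h in alternative_hosts}

    def mapped_url(self, url):
        parts = urlsplit(url)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return f"{self.access_point}/{parts.scheme.lower()}/{alternative_host_entry(url)}{path}"

    def translate(self, html):
        """Return (rewritten_html, sorted list of foreign host entries)."""
        foreign = set()

        def rewrite(match):
            url = match.group("url")
            entry = alternative_host_entry(url)
            if entry in self.known:
                return f'{match.group("attr")}{self.mapped_url(url)}"'
            foreign.add(entry)          # would be logged as foreign in hyperlinks.log
            return match.group(0)

        return ATTR_URL.sub(rewrite, html), sorted(foreign)


if __name__ == "__main__":
    # Constructed sample: the resource host answers on 8080, so the alternative
    # host entry must carry the port; the intranet link is not registered at all.
    translator = UrlMappingTranslator("https://ap.example.com", "www.portwise.com",
                                      ["www.portwise.com:8080"])
    page = ('<a href="http://www.portwise.com:8080/app/">App</a>\n'
            '<img src="http://intranet.example.com/logo.png">')
    rewritten, foreign = translator.translate(page)
    print(rewritten)
    print("foreign hosts (register these as resource or alternative hosts):", foreign)
```

Run the block once with the alternative host list empty and the link to port 8080 comes back as foreign: that is the situation the FAQ entry about browsers being redirected outside PortWise describes, and the fix is exactly the host:port entry the rule above requires.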

Settings
Label Mandatory Description
Enable resource No Selected by default.
Display Name Yes Unique name used in the system to identify the Web resource host.
Description No Describes the Web resource host.
Host Yes IP-address or a DNS name for the host.
HTTP Port (Yes) Either HTTP Port or HTTPS Port is mandatory.
Set to 80 by default.
HTTPS Port (Yes) Either HTTP Port or HTTPS Port is mandatory.

Table 8-18: General Settings

Label Mandatory Description
Enable Single Sign-On No Not selected by default.
SSO Type (Yes) Available options are:
Text
Cookie
Form Based
Adaptive SSO
Mandatory when Enable Single Sign-On is selected.
Set to Text by default.
SSO Domain (Yes) Lists registered SSO Domains in the system.
Mandatory when Enable Single Sign-On is selected.
If Adaptive SSO is selected, there is also an option, Create new domain, that lets you
create a new SSO domain.
New SSO Domain Name (Yes) Name of the new SSO Domain created for Adaptive SSO.

Table 8-19: SSO Settings

Label Mandatory Description
Make resource available in Application Portal No Selected by default.
Icon Yes Path to the image file that symbolizes the Web resource host in the
Application Portal.
Mandatory when Make resource available in Application Portal is selected.
Link Text Yes Text that represents the Web resource host in the Application Portal.
Mandatory when Make resource available in Application Portal is selected.

Table 8-20: Application Portal Settings

Access Rules
See Manage Access Rules

Advanced Settings
The following advanced settings are available for the Web resource host. All advanced settings are optional.

Access Settings
Link Translation
You set the link translation type to use: URL Mapping, Pooled DNS Mapping or Reserved DNS Mapping. By default, a Web
resource is set to not use a mapped DNS name (URL Mapping). You can only assign reserved mapped DNS names that are
not used for any other Web resource.
When selecting Pooled DNS Mapping, the resource is automatically assigned a DNS name when it is used. When selecting
Reserved DNS Mapping, you select among the available DNS names displayed in a list to specify a DNS name for the
resource.

Server DNS Name


You can specify a host header used in the communication with the internal server. If a specific server DNS name is not
defined, the host address (the connect address) is used.

Cookies
You have the option to forward cookies between client and resource. When the option is selected, cookies are allowed
to pass through from the client to the resource and back. When not selected, all cookies are stopped at the Access
Point.
When forwarding cookies, you need to specify a list of cookies to either allow or block (or use the wildcard character *
to allow or block all). If allowed, the cookies pass through from the client to the resource and back. If blocked, cookies
are stopped at the Access Point.
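As an added example (not PortWise code), the policy class below implements the Forward cookies / Cookies to check / Action semantics just described and applies them to constructed Cookie and Set-Cookie headers. The cookie names are made up, with PW_SESSION standing in for the Access Point's own session cookie; the point of the demonstration is that an Allow list keeps that cookie away from the backend while a Block list forwards everything it does not name.

```python
class CookiePolicy:
    """Cookie forwarding policy of a Web resource: Forward cookies (on/off),
    Cookies to check (names or '*') and Action (Allow or Block).
    Names are compared exactly; cookie names are case-sensitive."""

    def __init__(self, forward, cookies_to_check=(), action="Allow"):
        if action not in ("Allow", "Block"):
            raise ValueError("Action must be Allow or Block")
        self.forward = forward
        self.names = {n.strip() for n in cookies_to_check if n.strip()}
        self.action = action

    def passes(self, name):
        """True if a cookie with this name may cross the Access Point."""
        if not self.forward:
            return False                 # forwarding disabled: every cookie stops here
        listed = "*" in self.names or name in self.names
        return listed if self.action == "Allow" else not listed

    @staticmethod
    def parse_cookie_header(header):
        """Split a request Cookie header into (name, value) pairs, in order."""
        pairs = []
        for item in header.split(";"):
            item = item.strip()
            if item:
                name, _, value = item.partition("=")
                pairs.append((name.strip(), value.strip()))
        return pairs

    def filter_request(self, cookie_header):
        """Cookie header to send on to the resource, or None if nothing passes."""
        kept = [f"{name}={value}"
                for name, value in self.parse_cookie_header(cookie_header)
                if self.passes(name)]
        return "; ".join(kept) if kept else None

    def filter_response(self, set_cookie_headers):
        """Set-Cookie headers from the resource that may go back to the client."""
        return [h for h in set_cookie_headers
                if self.passes(h.split("=", 1)[0].strip())]


if __name__ == "__main__":
    # Constructed headers: a backend session cookie, an analytics cookie and
    # PW_SESSION, a made-up name for the Access Point's own session cookie.
    request = "JSESSIONID=8F2A; _ga=GA1.2.1; PW_SESSION=ap-session-id"
    response = ["JSESSIONID=8F2A; Path=/; HttpOnly; Secure", "_ga=GA1.2.1; Path=/"]
    for label, policy in (
        ("forwarding off", CookiePolicy(False)),
        ("Allow JSESSIONID", CookiePolicy(True, ["JSESSIONID"], "Allow")),
        ("Block _ga", CookiePolicy(True, ["_ga"], "Block")),
        ("Allow *", CookiePolicy(True, ["*"], "Allow")),
    ):
        print(f"{label:18} -> to resource: {policy.filter_request(request)!r}, "
              f"to client: {policy.filter_response(response)}")
```

The "Block _ga" line in the output shows the weakness of a deny list: the Access Point's own cookie reaches the backend because it was not named. Prefer Action Allow with the backend's session cookie listed explicitly, and treat "Allow *" as equivalent to no filtering at all.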

NTLM v2
Use NTLM v2 if possible when the backend requires NTLM authentication. NTLM v2 should be preferred over NTLM v1:
NTLM v1 responses are DES-based and can be recovered offline from captured traffic, so only fall back to NTLM v1 for
backends that cannot be upgraded.

Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific Web
resource will be accessed.

Path Match
You have the option to require an exact path match. When enabled, the defined access rules for this Web resource path
apply for this path only and not for all paths beginning with this one.
When not selected, the access rules apply to this Web resource path and all paths beginning with this one, unless a more
significant resource is found under this path.
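An added example (not PortWise code) of how a registered resource is chosen for a request under these rules: the longest matching registered path wins, a resource with exact path match covers only its own path, and the request path is canonicalised before matching so that encoded or dot-segment variants of a protected path cannot slip past its access rules. The resource tree and rule names are constructed for the example; the same selection applies to the Path Match setting of Web resource paths.

```python
from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import unquote


@dataclass(frozen=True)
class WebResourcePath:
    path: str             # complete path under the host, e.g. "/intranet/admin"
    exact: bool = False   # "Require exact path match"
    rules: str = ""       # stands in for the access rules attached to the resource


def canonical(request_path):
    """Normalize a request path the way the backend will interpret it before
    matching: drop query and fragment, percent-decode once, collapse '.', '..'
    and repeated slashes. Matching the raw path instead would let a client
    reach /intranet/admin as /intranet/%61dmin or /public/../intranet/admin.
    This decodes once; if the backend decodes a second time, a '%' that is
    still present after decoding deserves suspicion rather than a match."""
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    return normpath("/" + path.lstrip("/"))   # anchored at '/', so '..' cannot escape


def covers(resource, path):
    """Do this resource's access rules apply to the (canonical) path?"""
    if path == resource.path:
        return True
    if resource.exact:
        return False                           # exact match: this path only
    prefix = resource.path.rstrip("/") + "/"   # prefix must end on a segment boundary
    return path.startswith(prefix)


def resolve(resources, request_path):
    """Most specific resource (longest registered path) covering the request, or None."""
    path = canonical(request_path)
    matches = [r for r in resources if covers(r, path)]
    if not matches:
        return None
    return max(matches, key=lambda r: len(r.path.rstrip("/")))


if __name__ == "__main__":
    registered = [   # constructed resource tree
        WebResourcePath("/", rules="all users"),
        WebResourcePath("/intranet", rules="employees"),
        WebResourcePath("/intranet/admin", rules="admins"),
        WebResourcePath("/intranet/status", exact=True, rules="monitoring"),
    ]
    for p in ("/intranet/admin/users", "/intranet/status", "/intranet/status/detail",
              "/intranet/%61dmin/", "/public/../intranet/admin?x=1", "/intranetx"):
        hit = resolve(registered, p)
        print(f"{p:34} -> {hit.path if hit else '-':18} {hit.rules if hit else 'no match'}")
```

Note that /intranet/status/detail falls back to the /intranet rules because /intranet/status requires an exact match, and that /intranetx is not covered by /intranet: the prefix match stops at a path segment boundary, not at a string prefix.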

Automatic Access
You can configure the Web resource path to be accessed automatically. For resources where automatic access is acti-
vated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the
user is still regarded as inactive according to time-out configurations.

Expression of Will
When expression of will is used, re-authentication is required for each request.

MIME Types
You can also define which MIME types should be allowed to be cached on the client browser. Each entry is a MIME type
such as text/html. By default no MIME type is cached, so content delivered through the Access Point is not left behind
in the browser cache.

Time-out
You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are
also specified globally for user accounts, by default 15 minutes for max inactivity time and 720 minutes for absolute
time-out.
By configuring time-out settings on the resource, you can ensure the security of the resource on a higher level, or the
opposite – specific resources may not need the same level of security or you may accept a longer time-out period.

Information
The setting Session Time-Out (on the Global User Account Settings page) ultimate-
ly controls the validity time for a session.
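The added example below (not PortWise code) evaluates a request against the time-outs described here, including the Automatic Access and Expression of Will settings. The global defaults of 15 and 720 minutes come from the manual; the Session Time-Out value, the timestamps and the polling scenario are assumptions made for the example. It also applies unchanged to the time-out settings of Web resource paths and tunnel resources.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class TimeoutSettings:
    max_inactivity: int = 15   # minutes, 0-1440 (manual default 15)
    absolute: int = 720        # minutes, 0-1440 (manual default 720)

    def __post_init__(self):
        for value in (self.max_inactivity, self.absolute):
            if not 0 <= value <= 1440:
                raise ValueError(f"time-out {value} outside 0-1440 minutes")


@dataclass
class Resource:
    name: str
    timeout: Optional[TimeoutSettings] = None   # None: no resource-specific values, global ones apply
    automatic_access: bool = False              # "Automatic access"
    expression_of_will: bool = False            # "Use Expression of Will"


@dataclass
class Session:
    authenticated_at: datetime   # last authentication with the required method
    last_activity: datetime      # last request that counted as user activity


GLOBAL_ACCOUNT_TIMEOUTS = TimeoutSettings(15, 720)
SESSION_TIMEOUT = timedelta(minutes=720)   # assumed value for the global Session Time-Out


def check(session, resource, now, global_timeouts=GLOBAL_ACCOUNT_TIMEOUTS):
    """Return 'allow' or the reason the user must re-authenticate. Order matters:
    the global Session Time-Out bounds everything, Expression of Will forces
    re-authentication on every request, then the resource (or global) absolute
    and inactivity limits apply."""
    if now - session.authenticated_at >= SESSION_TIMEOUT:
        return "session time-out"
    if resource.expression_of_will:
        return "expression of will"
    limits = resource.timeout or global_timeouts
    if now - session.authenticated_at >= timedelta(minutes=limits.absolute):
        return "absolute time-out"
    if now - session.last_activity >= timedelta(minutes=limits.max_inactivity):
        return "inactivity time-out"
    if not resource.automatic_access:
        session.last_activity = now   # an automatic request never counts as activity
    return "allow"


def outcome_after_polling(status_is_automatic):
    """A page script polls a status resource at 5, 10 and 14 minutes while the
    user does nothing; what happens when the user clicks a normal page at 16?"""
    t0 = datetime(2009, 1, 1, 9, 0)          # constructed timestamps
    session = Session(authenticated_at=t0, last_activity=t0)
    status = Resource("status", automatic_access=status_is_automatic)
    page = Resource("intranet")
    for minute in (5, 10, 14):
        check(session, status, t0 + timedelta(minutes=minute))
    return check(session, page, t0 + timedelta(minutes=16))


if __name__ == "__main__":
    print("polling resource not marked automatic:", outcome_after_polling(False))
    print("polling resource marked automatic:   ", outcome_after_polling(True))
```

Without Automatic Access on the polled resource, the script's requests keep the session alive indefinitely and the inactivity time-out never fires; with it, the user is still timed out after 15 idle minutes, which is the behaviour the setting exists to preserve.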

Encryption Level
You have the option to specify the encryption level required for clients to be allowed access to the resource. By default,
SSL is required in the traffic between the client and the system.
Options for encryption level are:
• Strong encryption level: 128 bits (default)
• Weak encryption level: 56 bits
• Other encryption level (specify desired bits level)
Note that 56-bit (export-grade) ciphers offer no meaningful protection today and should not be accepted; lowering the
level below 128 bits only makes sense for legacy clients that cannot be upgraded.

Settings
Label Mandatory Description
Link Translation Type No Available options are:
URL Mapping
Pooled DNS Mapping
Reserved DNS Mapping
Set to URL Mapping by default.

Label Mandatory Description
Mapped DNS name for HTTP (Yes) Only available when editing a Web resource.
Specified DNS name for the resource when applicable.
Mandatory when HTTP Port is entered on the General Settings page, and Reserved DNS
Mapping is selected in Link Translation Type.
Mapped DNS name for HTTPS (Yes) Only available when editing a Web resource.
Specified DNS name for the resource when applicable.
Mandatory when HTTPS Port is entered on the General Settings page, and Reserved DNS
Mapping is selected in Link Translation Type.
Server DNS name No Host header used in the communication with the internal server.
Connect via proxy No Not selected by default.
Forward cookies between client and resource No Not selected by default.
Cookies to check (Yes) Lists the names of the cookies that the system checks.
Mandatory when Forward cookies between client and resource is selected.
Action No Available options are: Allow and Block.
When set to Allow, only cookies listed in Cookies to check are allowed and other cookies
are blocked. When set to Block, the listed cookies are blocked and other cookies pass.
Use NTLM v2 Yes Selected by default.

Table 8-21: Advanced Access Settings

Label Mandatory Description
Require exact path match No Only available when editing a Web resource.
Not selected by default.
Automatic access No For resources where Automatic access is activated, the user session
time-outs are not affected when the resource is requested automatically.
Not selected by default.
Cache MIME Types No Only available when editing a Web resource.
Several MIME types are allowed.
No MIME types are allowed by default.
Use Expression of Will No Only available when editing a Web resource.
Not selected by default.
Use Time-out No Only available when editing a Web resource.
Selected by default.
Max Inactivity Time-Out No Maximum user inactivity time in minutes (0-1440) before re-
authentication is required.
Set to 15 by default.
Absolute Time-out No Time in minutes (0-1440), since the user was last authenticated
with required authentication method, before re-authentication is
required, independent of user activity.
Set to 720 by default.

Table 8-22: Advanced Authorization Settings

Label Mandatory Description
Require SSL No Selected by default.
Encryption Level No Available options are:
128 bits
56 bits
Other encryption level
When set to Other encryption level, you manually enter the bits level.
Set to 128 bits by default.
Other Encryption Level (Yes) Encryption level in bits.
Mandatory when Encryption Level is set to Other encryption level.

Table 8-23: Advanced Encryption Level

Manage Web Resource Paths


Registered Web resource hosts and paths are listed on the Manage Web Resources page in the Manage Resource
Access section. You can add, edit, and delete Web resource hosts and paths.
You can specify one or several paths for each registered Web resource host. Each path can also have one or several sub
paths added to it.

General Settings
Configuration of a path to a Web resource host includes settings described below.

Path
When configuring a Web resource path you specify its path, i.e. the path to the subset of the Web resource host. The
path you specify is added to the path of the parent host or path to form the complete path.
When registering a sub path, i.e. a path added to an existing Web resource path, the path to the parent Web resource
path is displayed for your convenience.

Authorization
If you do not want to set specific authorization (Access Rules and advanced settings) for the Web resource path, you
have the option to reuse the authorization specified for the parent Web resource host or path. Using this option, the
authorization set for the parent host or path is inherited to the Web resource path and the Access Rules and Advanced
Settings sections of the configuration are not displayed.

Single Sign-On
If you have registered Single Sign-On domains, you can enable SSO for the Web resource path. Depending on the domain
types of the registered SSO domains, you can select SSO domain type text or cookie (text is selected by default) and then
select which SSO domain to use.

If you select domain type text and will use form-based SSO, additional configuration regarding the logon form of the
resource host and the form response message is required.
The logon form is added to the resource host to enable form-based SSO. Configuration of the logon form includes
whether SSO should perform a POST or a GET when triggered, the URL to GET or POST data to, as well as the form data
sent to the server.
A form response message can be used to determine whether a logon was successful or not. Configuration of the form
response message, which appears when the user has logged on or failed to log on, includes the URL to which the re-
sponse from the form is sent and a text string in the form response used to decide whether the authentication was
successful or unsuccessful. Choose a string that only appears on one of the two outcomes; a string present on both
the success page and the failure page makes every logon look successful.

For information about Adaptive SSO, see the Adaptive Single Sign-On section in Manage Web Resource Hosts.

Application Portal Settings


You can select to make the Web resource path available in the Application Portal. You then specify an icon to represent
the resource. An icon library provides a range of icons to choose from, but you can also browse to a desired image file.
The icon must be of the type .gif, .jpeg, or .png and must not exceed 10kB in size.
In addition, you enter a link text accompanying the icon in the Application Portal. All link texts in the Application Portal
are displayed alphabetically, which provides a possibility to organize the order in which the resources are presented.
For each Web resource specified to be displayed in the Application Portal, a corresponding Application Portal item is
automatically created. The Application Portal item is displayed and can be edited or deleted on the Manage Applica-
tion Portal page in the Manage Resource Access section.

Settings
Label Mandatory Description
Enable resource No Selected by default.
Parent Path No Available when adding a child resource path (a sub-path to another
resource path). Displays the path to the parent resource path. Not
editable.
Path Yes Path to the resource.
Use Parent Authorization No Available when adding a resource path.
Selected by default.

Table 8-24: General Settings

Label Mandatory Description
Enable Single Sign-On No Not selected by default.
SSO Type (Yes) Available options are:
Text
Cookie
Form Based
Adaptive SSO
Mandatory when Enable Single Sign-On is selected.
Set to Text by default.
SSO Domain (Yes) Lists registered SSO Domains in the system.
Mandatory when Enable Single Sign-On is selected.
If Adaptive SSO is selected, there is also an option, Create new domain, that lets you
create a new SSO domain.
New SSO Domain Name (Yes) Name of the new SSO Domain created for Adaptive SSO.

Table 8-25: SSO Settings

Label Mandatory Description
Make resource available in Application Portal No Selected by default.
Icon Yes Path to the image file that symbolizes the Web resource path in the
Application Portal.
Mandatory when Make resource available in Application Portal is selected.
Link Text Yes Text that represents the Web resource path in the Application Portal.
Mandatory when Make resource available in Application Portal is selected.

Table 8-26: Application Portal Settings

Access Rules
See Manage Access Rules

Information
Note that for resource paths, access rules are not available for configuration if you have
selected to use the authorization of the parent path.

Advanced Settings
The following advanced settings are available for the Web resource path. All advanced settings are optional.

Information
Note that the advanced settings are not available for configuration if you have selected
to use the authorization of the parent path.

Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific Web resource
path will be accessed.

Path Match
You have the option to require an exact path match. When enabled, the defined access rules for this Web resource path
apply for this path only and not for all paths beginning with this one.
When not selected, the access rules apply to this Web resource path and all paths beginning with this one, unless a more
significant resource is found under this path.

Automatic Access
You can configure the Web resource path to be accessed automatically. For resources where automatic access is acti-
vated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the
user is still regarded as inactive according to time-out configurations.

MIME Types
You can also define which MIME types should be allowed to be cached on the client browser. Each entry is a MIME type
such as text/html. By default no MIME type is cached.

Expression of Will
When expression of will is used, re-authentication is required for each request.

Time-out
You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are
also specified globally for user accounts, by default 15 minutes for max inactivity time and 720 minutes for absolute
time-out.
By configuring time-out settings on the resource path, you can ensure the security of the resource path on a higher
level, or the opposite – specific resource paths may not need the same level of security or you may accept a longer
time-out period.

Information
The setting Session Time-Out (on the Global User Account Settings page) ultimate-
ly controls the validity time for a session.

Encryption Level
You have the option to specify the encryption level required for clients to be allowed access to the resource. By default,
SSL is required in the traffic between the client and the system.
Options for encryption level are:
• Strong encryption level: 128 bits (default)
• Weak encryption level: 56 bits
• Other encryption level (specify desired bits level)
As for Web resource hosts, 56-bit (export-grade) ciphers offer no meaningful protection today and should not be
accepted.

Settings
Label Mandatory Description
Require exact path match No Not selected by default.
Automatic access No Not selected by default.
Cache MIME Types No Defines all resource MIME types that are allowed to be cached on the
client browser.
Required format: text/html.
Several MIME types are allowed. No MIME types are allowed by
default.
Use Expression of Will No Not selected by default.
Use Time-out No Selected by default.
Max Inactivity Time No Maximum user inactivity time in minutes (0-1440) before re-
authentication is required.
Set to 15 by default.
Absolute Time-out No Time in minutes (0-1440), since the user was last authenticated
with required authentication method, before re-authentication is
required, independent of user activity.
Set to 720 by default.

Table 8-27: Advanced Authorization Settings

Label Mandatory Description
Require SSL No Selected by default.
Encryption Level No Available options are:
128 bits
56 bits
Other encryption level
When set to Other encryption level, you manually enter the bits level.
Set to 128 bits by default.
Other Encryption Level (Yes) Encryption level in bits.
Mandatory when Encryption Level is set to Other encryption level.

Table 8-28: Advanced Settings Encryption Level

Tunnel Resources

About Tunnel Resources


In PortWise 4.7, you configure tunnel resource hosts for client-server applications that are not Web enabled. An
example of such an application is Remote Desktop. The tunnel allows any TCP/UDP traffic between the client and the
server to be channeled over a protected SSL connection.
A tunnel is an intermediary program acting as a blind relay between two connections. Once active, a tunnel is not con-
sidered a party to the HTTP communication, though the tunnel may have been initiated by an HTTP request. The tunnel
ceases to exist when both ends of the relayed connections are closed. Because the relay is blind, the Access Point
enforces nothing about the tunneled protocol itself; access control for tunnel resources is by destination host and port.
In order to make a tunnel resource accessible to the user, you configure a tunnel set to include static and/or dynamic
tunnels for the resource.
When using tunnel resources, you can set your own security levels with access rules for specific client applications and
servers. Use the Application Portal for tunnel resource access when authenticating with the authentication methods
PortWise Web and End-Point Security Client Scan, since the Access Client cannot be used stand-alone for tunnel re-
source access with Web based authentication.

Manage Tunnel Resources


Registered tunnel resources are listed on the Manage Tunnel Resources page in the Manage Resource Access
section. You can add, edit, and delete tunnel resources.
To make a tunnel resource accessible to the user, you create a static or dynamic tunnel for the resource in a tunnel set
and configure it to be displayed in the Application Portal.
In addition, a number of settings can be specified globally to apply to all resources, including tunnel resources. This is
configured in the Manage Global Resource Settings section of Manage Resource Access.

Tunnel Resource Settings


Ports
For a tunnel resource, you specify ports for TCP or UDP traffic. You can specify a single port, a range of ports, or the
wildcard character * for all ports (1-65535).

Examples of common TCP ports
Fileshare: 137-139,445
Remote Desktop: 3389
Citrix: 1494
Exchange: 1-65535 (*)
SSH: 22
SMTP: 25
Telnet: 23
POP3: 110
IMAP: 143

Examples of common UDP ports
Fileshare: 137-139,445
Exchange: 1-65535 (*)

The Exchange examples open every port because classic Outlook-to-Exchange RPC (MAPI) traffic uses dynamically
assigned ports. A tunnel to all ports gives the client unrestricted access to that host, so if the Exchange servers have
been configured with static RPC ports, restrict the port set to those ports instead of using the wildcard.

Alternative Hosts
Alternative hosts are used to map a tunnel resource to a Scripted Resource in the associated tunnel set. When
Scripted Resource is selected, no registered resource is selected but a filter on the Access Point decides which re-
source to use.
One common example is the Citrix nFuse server that sends a properties file through the Access Point specifying which
Citrix MetaFrame server to use in the current session.
You need to configure the filter script on the Filters tab on the Global Resource Settings page.
The alternative host is specified as an IP address or a DNS name.
When the resource uses a non-default HTTP port (other than 80) or an HTTPS port other than 443, the port must be
added to the alternative host. Example: www.portwise.com:8080
If the default port is used, the alternative host must contain the server name without port.

Example
www.portwise.com

Access Rules
See Manage Access Rules

Advanced Settings
Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource through a proxy server.

Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific tunnel
resource will be accessed.

Automatic Access
You can configure the tunnel resource to be accessed automatically. For resources where automatic access is activated,
the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is
still regarded as inactive according to time-out configurations.

Time-out
You can configure resource-specific time-out settings for authentication time-out, max inactivity time and absolute
time-out. These settings are also available, and specified by default, for user accounts.
By configuring time-out settings on the resource, you can ensure the security of the resource on a higher level, or the
opposite – specific resources may not need the same level of security or you may accept a longer time-out period for
certain resources.

Information
The setting Session Time-Out (on the Global User Account Settings page) ultimate-
ly controls the validity time for a session.

Settings
Label Mandatory Description
Enable resource Selected by default.
Display Name Yes Unique name used in the system to identify the tunnel resource.
Host Yes IP address or DNS name of the resource host.
TCP Port Set (Yes) This can be either a single port, a range of ports, or the wildcard
character * for all ports (1-65535).
Either TCP Port or UDP Port is mandatory.
UDP Port Set (Yes) This can be either a single port, a range of ports, or the wildcard
character * for all ports.
Either TCP Port or UDP Port is mandatory.
Use File Share SSO Selected if Single Sign-On for File Shares should be enabled for this
Resource Host. If selected File Share SSO Domain will be enabled and
an SSO Domain must be selected. This checkbox will be disabled if
no SSO Domains have been registered in the system.
File Share SSO Domain (Yes) The SSO Domain that should be used for File Share SSO. Only avail-
able if File Share SSO is enabled for this Tunnel Resource.
Use Remote Desktop SSO Selected if Single Sign-On for Remote Desktop (RDP protocol) should
be enabled for this Resource Host. If selected Remote Desktop SSO
Domain will be enabled and an SSO Domain must be selected. This
checkbox will be disabled if no SSO Domains have been registered in
the system.

Label Mandatory Description
Remote Desktop SSO Domain (Yes) The SSO Domain that should be used for Remote Desktop SSO. Only
available if Remote Desktop SSO is enabled for this Tunnel Resource.
Use Telnet SSO Selected if Single Sign-On for Telnet should be enabled for this
Resource Host. If selected, Telnet SSO Domain will be enabled and an
SSO Domain must be selected. This checkbox will be disabled if no
SSO Domains have been registered in the system.
Telnet SSO Domain (Yes) The SSO Domain that should be used for Telnet SSO. Only available if
Telnet SSO is enabled for this Tunnel Resource.
Use SSH SSO Selected if Single Sign-On for SSH should be enabled for this Re-
source Host. If selected, SSH SSO Domain will be enabled and an SSO
Domain must be selected. This checkbox will be disabled if no SSO
Domains have been registered in the system.
SSH SSO Domain (Yes) The SSO Domain that should be used for SSH SSO. Only available if
SSH SSO is enabled for this Tunnel Resource.

Table 8-29: General Settings

Label Mandatory Description
Connect via proxy No Not selected by default.

Table 8-30: Advanced Access Settings

Label Mandatory Description
Automatic access Not selected by default.
Use Time-out Selected by default.
Max Inactivity Time Maximum user inactivity time in minutes (0-1440) before re-authen-
tication is required.
Set to 15 by default.
Absolute Time-out Time in minutes (0-1440), since the user was last authenticated with
required authentication method, before re-authentication is required,
independent of user activity.
Set to 720 by default.

Table 8-31: Advanced Authorization Settings

Tunnel Resource Networks

About Tunnel Resource Networks


Tunnel resource networks are a collection of IP addresses and ports, or a range of IP addresses and ports, which
include tunnel resource hosts.
When you add a tunnel resource host with an IP address inside a tunnel resource network span, it is automatically
included in the network.
If you wish to add tunnel resource hosts outside the tunnel resource network, use the Add Tunnel Resource Host
wizard.
When using tunnel resource networks, you can set your own security levels with access rules for specific client applica-
tions and servers. You can specify tunnel resources with different access control than the network's. These are called
exceptions.

Manage Tunnel Resource Networks


Registered tunnel resource networks are listed on the Manage Tunnel Resources page in the Manage Resource
Access section. You can add, edit, and delete tunnel resource networks.
In addition, a number of settings can be specified globally to apply to all resources, including tunnel resources. This is
configured in the Manage Global Resource Settings section of Manage Resource Access.

Tunnel Resource Network Settings


For a tunnel resource network, you specify the addresses of the first and last host in the range of tunnel resources in
the network. You also specify port sets for TCP or UDP traffic. You can specify a single port or a range of ports.
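To show the port set notation used for tunnel resources (single port, range, comma-separated list or *) and how a tunnel resource host acts as an exception inside a tunnel resource network, the added example below (not PortWise code) parses and validates port sets and resolves a destination address and port to the resource whose access rules apply. The addresses, names, the rule that host resources are checked before networks, and the threshold for flagging wide port sets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


class PortSet:
    """A TCP or UDP port set as written in the tunnel resource settings: a single
    port, a range 'lo-hi', several of these separated by commas, or '*'."""

    def __init__(self, spec):
        self.ranges = []
        for item in spec.replace(" ", "").split(","):
            if not item:
                continue
            if item == "*":
                self.ranges = [(1, 65535)]
                break
            lo, _, hi = item.partition("-")
            lo, hi = int(lo), (int(hi) if hi else int(lo))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"invalid port range {item!r}")
            self.ranges.append((lo, hi))
        if not self.ranges:
            raise ValueError("empty port set")

    def __contains__(self, port):
        return any(lo <= port <= hi for lo, hi in self.ranges)

    def size(self):
        return sum(hi - lo + 1 for lo, hi in self.ranges)


@dataclass
class TunnelResource:
    """A single host. Inside a network's range it acts as an exception."""
    name: str
    host: str                      # IP address (DNS names would need resolving first)
    tcp: Optional[PortSet] = None
    udp: Optional[PortSet] = None
    rules: str = ""

    def matches(self, ip, port, proto):
        ports = self.tcp if proto == "tcp" else self.udp
        return ip == ipaddress.ip_address(self.host) and ports is not None and port in ports


@dataclass
class TunnelNetwork:
    name: str
    first: str                     # IP Range: first host
    last: str                      # IP Range: last host
    tcp: Optional[PortSet] = None
    udp: Optional[PortSet] = None
    rules: str = ""

    def matches(self, ip, port, proto):
        ports = self.tcp if proto == "tcp" else self.udp
        in_range = ipaddress.ip_address(self.first) <= ip <= ipaddress.ip_address(self.last)
        return in_range and ports is not None and port in ports


def resolve(hosts, networks, dest, port, proto="tcp"):
    """Rules governing a tunnelled connection to dest:port, or None when no
    resource covers it (the connection should then be refused). Host resources
    are consulted before networks so that an exception overrides its network;
    that ordering is an assumption of this example."""
    ip = ipaddress.ip_address(dest)
    for resource in list(hosts) + list(networks):
        if resource.matches(ip, port, proto):
            return resource.rules
    return None


def overly_broad(resources, limit=1024):
    """Names of resources whose TCP or UDP port set exposes more than limit ports,
    such as the '*' used for Exchange: worth a review before it goes live."""
    return [r.name for r in resources
            if any(ps is not None and ps.size() > limit for ps in (r.tcp, r.udp))]


if __name__ == "__main__":
    # Constructed configuration: a LAN network for file sharing, an RDP jump host
    # that only admins may reach, and an Exchange host opened on all ports.
    hosts = [
        TunnelResource("rdp-jump", "10.0.1.10", tcp=PortSet("3389"), rules="admins"),
        TunnelResource("exchange", "10.0.1.20", tcp=PortSet("*"), udp=PortSet("*"), rules="employees"),
    ]
    networks = [
        TunnelNetwork("lan", "10.0.1.1", "10.0.1.254",
                      tcp=PortSet("137-139,445"), udp=PortSet("137-139,445"), rules="employees"),
    ]
    for dest, port, proto in (("10.0.1.10", 3389, "tcp"), ("10.0.1.10", 445, "tcp"),
                              ("10.0.1.50", 3389, "tcp"), ("10.0.2.5", 445, "tcp")):
        print(f"{dest}:{port}/{proto} -> {resolve(hosts, networks, dest, port, proto)}")
    print("wildcard port sets to review:", overly_broad(hosts + networks))
```

The jump host shows the exception in action: 10.0.1.10 lies inside the LAN network, so file-sharing ports on it follow the network's rules, while RDP to the same address is governed by the stricter host resource. Destinations that no resource covers resolve to None, which is the deny-by-default a tunnel gateway should apply.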

Access Rules
See Manage Access Rules

Advanced Settings
Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource network through a proxy server.

Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific tunnel
resource network will be accessed.

Automatic Access
You can configure the tunnel resource network to be accessed automatically. For resources where automatic access is
activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but
the user is still regarded as inactive according to time-out configurations.

Time-out
You can configure resource-specific time-out settings for authentication time-out, max inactivity time and absolute
time-out. These settings are also available, and specified by default, for user accounts.
By configuring time-out settings on the resource, you can ensure the security of the resource on a higher level, or the
opposite – specific resources may not need the same level of security or you may accept a longer time-out period for
certain resources.

Information
Note that the setting Session Time-Out (on the Global User Account Settings page)
ultimately controls the validity time for a session.

Settings
Label Mandatory Description
Enable Resource No Not selected by default.
Display Name Yes Unique name used in the system to identify the tunnel resource
network.
Description Description of the tunnel resource network.
IP Range Yes IP address to the first and last host for the range of tunnel resources
in the network.
TCP Port Set (Yes) One, several, or a range of port numbers can be entered separated
with a comma sign.
Either TCP Port Set or UDP Port Set is mandatory.
UDP Port Set (Yes) One, several, or a range of port numbers can be entered separated
with a comma sign.
Either TCP Port Set or UDP Port Set is mandatory.

Table 8-32: General Settings

Label Mandatory Description
Connect via proxy Not selected by default.

Table 8-33: Access Settings

Label Mandatory Description
Automatic access Not selected by default.
Use Time-out Selected by default.
Max Inactivity Time Maximum user inactivity time in minutes (0-1440) before re-authen-
tication is required.
Set to 15 by default.
Absolute Time-out Time in minutes (0-1440), since the user was last authenticated
with required authentication method, before re-authentication is
required, independent of user activity.
Set to 720 by default.

Table 8-34: Authorization Settings

Tunnel Sets

About Tunnel Sets


In PortWise 4.7, you configure tunnel sets to enable users to access configured tunnel resources.
The tunnel set can include one or several tunnel resources. It contains static and/or dynamic tunnels, at least one for
each resource included in the set. The tunnel set is displayed as an icon in the Application Portal, providing users with
access to all tunnel resources in the tunnel set through the PortWise Access Client. The Access Client is either a Win32
application or a Java application, loaded using either an ActiveX Web loader or a Java Applet Web loader.

Important
Note that the ActiveX loader requires administrator rights on the client the first time it
is used. In addition, local lookups and DNS forwarding require administrator rights on
the client every time they are used. When using the installable PortWise Access Client,
administrator rights are not required on the client for local lookups.

Apart from configuring static and/or dynamic tunnels for the resources in the set, there are a number of advanced
settings available for the tunnel set. The advanced settings include local lookups, used to define host addresses that
should be resolvable on the client if no external DNS record is found. Local lookups are checked before any external DNS,
so the external DNS can be overridden.
Advanced settings also include mapped drives, and client configuration involving for example startup and shutdown
commands. It checks

Static Tunnels
Static tunnels are configured to tunnel resources on the local interface using a single port, and can be used on all
platforms.

Dynamic Tunnels
Dynamic tunnels are configured to tunnel resources using any IP address on one or a range of ports, and can only be
used on Windows platforms.


Access Rules
The tunnel resources you collect in a tunnel set are normally protected by access rules. In addition, you can apply access
rules to the tunnel set itself, to control how and when users should be able to access the tunnel set.
A tunnel resource can be included in several tunnel sets. This enables you to associate tunnel sets with different levels
of access control, for example for different user groups.

Information
Access control of a specific tunnel resource is always done using the access rules config-
ured for that tunnel resource. The only use of access rules on a tunnel set is to make the
associated icon in the Application Portal subject to access control as well.

Access Client
When a user clicks an icon for a tunnel set in the Application Portal, the Access Client attempts to load an ActiveX Web
loader or a Java applet loader. The order of this is configured on the tab.

Manage Tunnel Sets


Registered tunnel sets are listed on the Manage Tunnel Sets page in the Manage Resource Access section. You
can add, edit, and delete tunnel sets.
Tunnel sets contain static and/or dynamic tunnels for each tunnel resource included in the set.

Tunnel Set Settings


Configuration of a tunnel set includes specifying static or dynamic tunnels per resource included in the tunnel set,
Application Portal settings for the tunnel set, and advanced settings.

Application Portal Settings


You can select to make the tunnel set available in the Application Portal. You then specify an icon to represent the tunnel
set. An icon library provides a range of icons to choose from, but you can also browse to a desired image file. The icon
must be of the type .gif, .jpeg, or .png and must not exceed 10kB in size.
In addition, you enter a link text accompanying the icon in the Application Portal. All link texts in the Application Portal
are displayed alphabetically, which lets you control the order in which the resources are presented.
For each tunnel set specified to be displayed in the Application Portal, a corresponding Application Portal item is auto-
matically created. The Application Portal item is displayed and can be edited or deleted on the Manage Application
Portal page in the Manage Resource Access section.


Settings
Label | Mandatory | Description
Enable tunnel set | No | Selected by default.
Display Name | Yes | Unique name used in the system and by the Access Client to identify the tunnel set.

Table 8-35: General Settings

Label | Mandatory | Description
Make resource available in Application Portal | No | Selected by default.
Icon | Yes | Path to the image file that symbolizes the Web resource path in the Application Portal. Mandatory when Make resource available in Application Portal is selected.
Link Text | Yes | Text that represents the Web resource path in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Table 8-36: Application Portal Settings

Static Tunnel Settings


Resource
For each static tunnel, you select which of the available registered tunnel resources to tunnel, or select Scripted re-
source to allow a user session parameter (set by a script executed on the Access Point) to specify which resource to
access. To use this option, you need to specify the filter script on the Filters tab on the Global Resource Settings
page.
One common example of an application that can be used as a scripted resource is the Citrix nFuse server that sends a
properties file through the Access Point specifying which Citrix MetaFrame server to use in the current session.

Protocol
You can specify whether to use the TCP or UDP protocol.

Client IP Address
You also specify the client IP address, i.e. the IP address that the client listens to. The IP address must be in the range
127.x.x.x, and is set to 127.0.0.1 by default.

Client Port
In addition, you specify which port the client listens to, as well as which port should be used by the system to contact
the internal resource host. Only one port can be specified per client and per resource. If the entered port is occupied, the
next available port is used. It is recommended that the same port is entered for client and resource host.


Confirm Connections
For both static and dynamic tunnels, you have the option to confirm connections. When enabled, the user must confirm
all tunnel resource host connections before they are established.

Advanced Settings
The advanced setting available for static tunnels is No delay for TCP traffic. When this option is selected, Nagle’s
algorithm (use TCP_NO_DELAY) is disabled. When using devices with limited bandwidth (such as cell phones), you can
choose to enable Nagle’s algorithm to favor less packet-overhead over response-time. When using a broadband con-
nection or a LAN you will want to disable Nagle’s algorithm to favor response-time at the cost of sending more packets
(more overhead).

Settings
Label | Mandatory | Description
Resource | Yes | List of available registered tunnel resources.
Protocol | No | Only available if both TCP ports and UDP ports have been set for the specified tunnel resource host. Set to TCP by default.
Client IP Address | Yes | IP address in the range 127.x.x.x. Set to 127.0.0.1 by default.
Client Port | Yes | Only one port number can be entered. If the entered port is occupied, the next available port is used. It is recommended that the same port as Resource Port is used.
Resource Port | Yes | Only one port number can be entered. If the entered port is occupied, the next available port is used. It is recommended that the same port as Client Port is used.
Confirm connections | No | Not selected by default.

Table 8-37: General Settings

Label | Mandatory | Description
No delay for TCP traffic | No | When selected, Nagle’s algorithm (use TCP_NO_DELAY) is disabled. Selected by default.

Table 8-38: Advanced Settings

Dynamic Tunnel Settings


Resource
For each dynamic tunnel, you select which of the available registered tunnel resources to tunnel.
For a tunnel-type resource you can specify the host’s TCP Port set and/or UDP Port set. You can also select to Confirm
Connections and Use Virtual IP. If Virtual IP is not selected, the tunnel resource’s host address is used.


If the resource is a Tunnel resource network then you can specify IP set, TCP Port set, UDP Port set, and Confirm Con-
nections.

Virtual IP Address
You also specify a virtual IP address used to forward traffic to the resource. This can be an arbitrary IP address, but it is
recommended that you use the IP address of the selected resource host.

Resource Port
A resource port is specified to capture traffic on the client, and the same port that will be used for the resource host.
This can be either a single port, a range of ports, or the wildcard character * for all ports (1-65535).

Example
9010, 9011-9022, 9030
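The port set syntax used above (and for the TCP/UDP Port Sets of tunnel resource networks and firewall rules) is simple, but an administrator reviewing a tunnel set wants to know exactly how many ports a specification opens and whether a given port falls inside it. The following parser is an added example, not PortWise code: it accepts comma-separated ports and low-high ranges or the wildcard *, rejects malformed or out-of-range entries, and has a single-port mode for static tunnels, which the manual limits to one port. The function names and the merging of overlapping ranges are this example's own choices.

```python
"""Parse and validate port set strings of the kind the manual uses.

Added example, not PortWise code. Syntax as described on this page: single
ports or low-high ranges separated by commas (e.g. "9010, 9011-9022, 9030"),
or the wildcard "*" for all ports 1-65535. Static tunnels take one port only.
"""
from typing import List, Tuple

PORT_MIN, PORT_MAX = 1, 65535
PortRanges = List[Tuple[int, int]]


def parse_port_set(spec: str, single_port: bool = False) -> PortRanges:
    """Return sorted, merged (low, high) ranges for a port set specification.

    Raises ValueError for a port outside 1-65535, a reversed or malformed
    range, an empty entry, or more than one port when single_port is set
    (the manual allows only one port per static tunnel).
    """
    spec = spec.strip()
    if spec == "*":
        if single_port:
            raise ValueError("wildcard not allowed where a single port is required")
        return [(PORT_MIN, PORT_MAX)]

    ranges: PortRanges = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            low_s, high_s = item.split("-", 1)
        else:
            low_s = high_s = item
        # isdigit() rejects signs, blanks and anything that is not a plain number
        if not (low_s.isdigit() and high_s.isdigit()):
            raise ValueError("invalid port entry %r in %r" % (item, spec))
        low, high = int(low_s), int(high_s)
        if not (PORT_MIN <= low <= high <= PORT_MAX):
            raise ValueError("port entry %r is out of range or reversed" % item)
        ranges.append((low, high))

    if single_port and (len(ranges) != 1 or ranges[0][0] != ranges[0][1]):
        raise ValueError("exactly one port is required, got %r" % spec)

    # Merge overlapping or adjacent ranges so counts and membership are exact.
    ranges.sort()
    merged: PortRanges = [ranges[0]]
    for low, high in ranges[1:]:
        prev_low, prev_high = merged[-1]
        if low <= prev_high + 1:
            merged[-1] = (prev_low, max(prev_high, high))
        else:
            merged.append((low, high))
    return merged


def port_in_set(port: int, ranges: PortRanges) -> bool:
    """True if port falls inside any of the parsed ranges."""
    return any(low <= port <= high for low, high in ranges)


def port_count(ranges: PortRanges) -> int:
    """Number of distinct ports the set opens; useful when reviewing how wide a tunnel is."""
    return sum(high - low + 1 for low, high in ranges)
```

The manual's own example "9010, 9011-9022, 9030" parses to the ranges 9010-9022 and 9030, fourteen ports in total; a wildcard parses to the full 1-65535 range, which is the figure to look for when reviewing a dynamic tunnel that was meant to expose a single service.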

Confirm Connections
For both static and dynamic tunnels, you have the option to enable Confirm Connections. When enabled, the user must
confirm all tunnel resource host connections before they are established, either in the Application Portal or in the Ac-
cess Client.

Settings
Label | Mandatory | Description
Resource | Yes | Tunneled resource host.
Virtual IP Address | Yes | This can be an arbitrary IP address; it is recommended not to use the selected resource host’s IP address.
Resource Port | Yes | A single port, a range of ports, or the wildcard character * for all ports (1-65535).
Confirm connections | No | Not selected by default.

Table 8-39: General Settings

Startup Settings
You can specify startup commands to start a specific client to use the tunneled resource. You can also enter a URL that
is displayed when the tunnel has been successfully started.

Settings
Label | Mandatory | Description
Startup Command | | Trusted commands executed when the client is started and the tunnels are set up.
Redirect URL | | URL opened in a browser window after the tunnel has been successfully started.

Table 8-40: Tunnel Set Startup Settings

Advanced Settings
Local Lookups
You can add local lookups to define host addresses that should be resolvable on the client if no external DNS record
is found. Local lookups and DNS forwarding require administrator rights on the client, every time they are used. When
using the installable Access Client, administrator rights are not required.
Lookups are specified by entering a fully qualified domain name, or domain name using the wildcard character *, as
well as an IP address.

Example
mailserver.*

Use the virtual IP address entered for the dynamic tunnel, when applicable. For static tunnels, use 127.0.0.1.
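The resolution order matters for security review: a local lookup wins over any external DNS record, so the lookup list is effectively part of the tunnel set's trust configuration. The resolver below is an added example, not PortWise code; it models the described behaviour with a constructed lookup table (a wildcard entry pointing at a dynamic tunnel's virtual IP and an exact name on 127.0.0.1 for a static tunnel) and a stand-in external resolver. The wildcard matching via fnmatch and the case-insensitive comparison are assumptions of this example.

```python
"""Resolve a host name the way the manual describes tunnel-set local lookups.

Added example, not PortWise code. Local lookups map a fully qualified domain
name, or a pattern using the wildcard "*", to an IP address and are consulted
before any external DNS, so a matching lookup overrides the external record.
"""
import fnmatch
from typing import Callable, Optional, Sequence, Tuple

Lookup = Tuple[str, str]   # (domain name or wildcard pattern, IP address)

# Constructed lookup table mirroring the manual's guidance: a wildcard entry
# pointing at the virtual IP of a dynamic tunnel, and an exact name for a
# static tunnel listening on the loopback address.
LOCAL_LOOKUPS: Sequence[Lookup] = (
    ("mailserver.*", "10.1.2.3"),
    ("intranet.example.com", "127.0.0.1"),
)


def match_local_lookup(name: str, lookups: Sequence[Lookup] = LOCAL_LOOKUPS) -> Optional[str]:
    """Return the IP of the first lookup whose pattern matches name, else None.

    Names are compared case-insensitively and without a trailing dot.
    """
    host = name.rstrip(".").lower()
    for pattern, ip in lookups:
        if fnmatch.fnmatchcase(host, pattern.rstrip(".").lower()):
            return ip
    return None


def resolve(name: str, external_dns: Callable[[str], Optional[str]],
            lookups: Sequence[Lookup] = LOCAL_LOOKUPS) -> Optional[str]:
    """Local lookups first; only unmatched names reach the external resolver."""
    local = match_local_lookup(name, lookups)
    if local is not None:
        return local
    return external_dns(name)


def fake_external_dns(name: str) -> Optional[str]:
    """Constructed stand-in for the client's normal DNS resolver."""
    table = {
        "mailserver.example.com": "203.0.113.10",
        "www.example.com": "203.0.113.20",
    }
    return table.get(name.rstrip(".").lower())
```

Note that mailserver.example.com resolves to the tunnel address even though the external resolver has a public record for it; that is the override the manual describes.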

Mapped Drives
You can add mapped drives to the tunnel set to map network resources (printers or drives) to drive letters on the
client. Mapped drives are specified by entering the path to the mapped network resource:

Example
\\192.168.12.55\[$uid]

Supported variables for the path are:

Supported Variables | Description
[$ehost] | The Access Point server name including port number
[$eprot] | HTTP or HTTPS
[$uid] | External user name
[$iuid] | Internal user name, usually [$uid]

Table 8-41: Supported Path Variables

You also have the option to specify a drive letter for the drive or printer that the resource host is mapped to.

Example
M:

If the selected drive is occupied, the next available drive letter is used. You can specify a drive letter here and combine
it with a Startup Command defined in the Advanced section.


Another option is to use cached credentials. When enabled, cached credentials (Windows domain credentials) are used
when mapping a drive. This option is selected by default.

Access Client Loader


You specify how the Access Client is loaded for the client.
You can select from three options:
• ActiveX / Java Applet
The ActiveX loader is the first choice, and if it does not work the Java Applet is loaded
• ActiveX
Only the ActiveX loader is loaded
• Java Applet
Only the Java Applet loader is loaded

If any of the Java Applet options is selected, you also have the option to use pure Java.

Additional Client Configuration


Shutdown Commands
Use startup commands to automatically execute commands, for example displaying a mapped drive to the user, on
startup of the tunnel set. Shutdown commands are corresponding commands executed when the tunnel set is shut
down.
One or several startup and shutdown commands can be defined for each tunnel set.
The following default trusted commands are executed without user interaction (other commands prompt the user for
confirmation):
outlook
explorer
explorer /e
explorer /e,
A: to Z:

Users are allowed to edit the list of trusted commands in the Access Client.
Supported variables in startup and shutdown commands:

Supported Variables | Description
[$ehost] | The Access Point server name including port number
[$eprot] | HTTP or HTTPS
[$uid] | External user name
[$iuid] | Internal user name, usually [$uid]

Table 8-42: Supported Variables in Commands

Error Codes to Suppress


You can configure a list of specific error codes to suppress pop-up messages. The error codes are entered as a comma
separated list of 7-digit error codes.


Redirect URL
URL opened in a browser window after the tunnel has started successfully.

Example
/http/citrix/

Fallback Tunnel Set


The fallback tunnel set is used if the client computer is not able to load the ActiveX component. The fallback tunnel set
is also supported if the Windows native client with configured dynamic tunnels fails to load.

Specific Settings
When one of the applications tunneled with the tunnel set is MS Outlook, it is recommended that you enable support
for the MS Outlook patch. The patch solves a problem with the Windows 2000 client authentication. When the option
is selected, the patch is supported when the client is based on Windows 2000 and is part of a domain.

Provide IP Address
Select Provide IP Address to assign a unique IP address to the client from the IP Address Pool. You manage the IP
Address Pool on the Manage Global Tunnel Set Settings page.
This also enables configured resources to establish connections towards the client. If IP addresses from the IP Address
Pool are added as a tunnel resource, it makes it possible for clients to connect to each other when connected.

DNS Forwarding
Select Enable DNS Forwarding to temporarily redirect the client’s DNS server to the DNS server specified on the
Manage Global Tunnel Set page.
When DNS Forwarding is selected, all DNS requests on the client are tunneled over the encrypted tunnel to the Access
Point where it is proxied to the configured DNS server set on the Manage Global Tunnel Set page.

Client Firewall
Select which Internet firewall configuration should be associated with the tunnel set.
Internet firewall configurations are managed on the Manage Client Firewall page.

Settings
Label | Mandatory | Description
Domain Name | Yes | A fully qualified domain name, or domain name using the wildcard character *.
IP Address | Yes | IP address the domain name is translated to.

Table 8-43: Tunnel Set Advanced Local Lookups

Label | Mandatory | Description
Network Resource | Yes | Path to the mapped network resource.
Drive Letter | No | Drive letter the resource host is mapped to. This can be a drive or a printer.
Use cached credentials | No | Selected by default.

Table 8-44: Tunnel Set Advanced Mapped Drives

Label | Mandatory | Description
Access Client Loader | Yes | Available options are: ActiveX/Java Applet, ActiveX, Java Applet. Set to ActiveX by default.
Use pure Java | No | When selected, pure Java is used.

Table 8-45: Tunnel Set Advanced Access Client Loader

Label | Mandatory | Description
Shutdown Command | No | Trusted commands executed when the client and all tunnels are shut down.
Error Codes to Suppress | No | Enter as a comma-separated list of 7-digit error codes.
Fallback Tunnel Set | No | Tunnel set used if the client computer is not able to load the ActiveX component. The fallback tunnel set is also supported if the Windows native client with configured dynamic tunnels fails to load.

Table 8-46: Tunnel Set Advanced Additional Client Configuration

Label | Mandatory | Description
Support MS Outlook patch for Windows 2000 | No | When one of the applications tunneled with the tunnel set is MS Outlook, it is recommended that you enable support for the MS Outlook patch. Not selected by default.

Table 8-47: Tunnel Set Advanced Specific Settings

Label | Mandatory | Description
Provide IP Address | No | When selected, the client is assigned an IP address from the IP address pool. The IP Address Pool is managed under Manage Global Tunnel Set Settings.

Table 8-48: Tunnel Set Advanced Provide IP Address


Label | Mandatory | Description
Internet Firewall Configuration | No | Client firewall configuration to be applied to the tunnel set. Registered client firewall configurations are available for selection.

Table 8-49: Tunnel Set Advanced Client Firewall Configuration

Access Rules
See Manage Access Rules

Manage Global Tunnel Set Settings

External DHCP Settings


This is used to assign IP addresses from an existing DHCP Server to the connecting Access Clients.

Use External DHCP


Select this if DHCP relay should be used by the Access Client to assign an IP address from the network. If selected, the
address of a DHCP Server must be specified in the corresponding field below. To use this setting, Provide IP Address must
be checked in the Tunnel Set where DHCP should be used.

DHCP Server
Enter the host address of the DHCP Server.

IP Address Pool
Specify a range of IP addresses in the IP address pool. The IP address pool defines a set of IP addresses which are
assigned to connecting clients, thus enabling the Access Point to route traffic from the backend systems to the client.
You configure a time-out in milliseconds, which defines how long the Access Point will wait for responses while detecting
possible IP conflicts on the internal network.

DNS Server
Specify IP address or DNS name of the DNS server used for DNS forwarding.
When Enable DNS forwarding has been selected on the Manage Tunnel Set page, on the Advanced tab, the
client’s DNS server is temporarily redirected to the DNS Server specified here. Local lookups are checked before any
external DNS, so the external DNS can be overridden.


Settings
Label | Mandatory | Description
Use External DHCP | No | Select this to use an external DHCP Server to assign addresses to the Access Client.
DHCP Server | (Yes) | The host address of the DHCP Server to use.

Table 8-50: External DHCP

Label | Mandatory | Description
IP Address Pool | No | Range of IP addresses used in the IP address pool. Disabled if External DHCP is defined.
Time-out | No | Time-out in milliseconds, specifying how long the Access Client will wait before timing out when failing to acquire an IP address from the IP address pool. Set to 100 by default.

Table 8-51: IP Address Pool

Label | Mandatory | Description
DNS Server | (Yes) | IP address or DNS name of the DNS server used for DNS forwarding. Mandatory when DNS Forwarding has been enabled.

Table 8-52: DNS Server


Client Firewalls

About Client Firewalls


Client firewalls consist of Internet firewall configurations. An Internet firewall configuration is a collection of rules that
control traffic to and from the Access Client. Each configuration is connected to a corresponding tunnel set.
The PortWise Client solution is divided into two parts:
• Preventing other network connections from being routed
• Checking the integrity of the connecting application

Prevent Other Network Connections from Being Routed


You can configure rules based on the following parameters:
• Network
• Incoming or outgoing traffic
• Ports
• Allow or block traffic

The rules are downloaded to the client computer together with the tunnel set. They are then applied to prevent network
traffic from being routed at the client.

Check the Integrity of the Connecting Application


For each connection that goes through the PortWise Access Client, information about application path and check sum
is added. This information is taken into consideration when doing the authorization decision.
Valid application information in PortWise Administrator is configured and maintained on the Device Definitions page
in the Manage System section.
You can configure rules based on the following parameters:


• Network
• Incoming or outgoing traffic
• Ports
• Allow or block traffic

The rules are downloaded to the client computer together with the tunnel set configuration. They are then applied to
prevent network traffic from being routed at the client.

Information
The order of the rules is significant since the firewall starts in the top of the list and
stops as soon as a match between the rule and the connection is found.

When adding a new Internet Firewall Configuration, the rule lists will have default entries showing that all connections
will be blocked unless you add a rule above the default rule that accepts a specific connection.

How Does It Work?


The client firewall is used locally on the user’s computers while they are connected to Access Point using the Access
Client. Its rules are configured on the server and cannot be overridden by the user. One Internet firewall configuration
per tunnel set can be used.
The firewall is typically activated when the user clicks an icon in the Application Portal pointing to a tunnel set config-
ured to use the Client Firewall. The firewall is deactivated as soon as the user closes down the Access Client or logs off
the portal. The firewall will be active as long as the associated Tunnel Set is used.

Information
If several Tunnel Sets are used simultaneously by the same user, the firewall configura-
tions of all the Tunnel Sets will be active and the most restrictive rules will apply.

When active, the firewall checks that each connection to and from the client computer matches the client firewall
configuration.
For each connection going through the PortWise Access Client, information about application path and check sum is
added. This information is taken into consideration when doing the authorization decision.
Valid application information in PortWise Administrator is configured and maintained on the Device Definitions page
in the Manage System section.
Incoming Rules
Once a connection comes in to the computer, the firewall will go through the list of Incoming Firewall rules.
Each rule is checked against the incoming connection to see if they match. If they do not match, the firewall will continue
to look at the next rule in the list. If they match, the connection will be accepted or denied depending on the rule’s
configuration and the firewall will not continue to check further rules in the list.
If the rule denies the connection, it will be dropped. If the rule accepts the connection, it will be let through to the client
computer.
Outgoing Rules
Once an application on the client computer tries to connect to the Internet, the firewall will go through the list of Outgo-
ing Firewall rules.


Each rule is checked in the same way as for incoming connections. If the rule denies the connection, it will be rejected.
If the rule accepts the connection, it will be let through to the Internet.
Exceptions
The client firewall checks all TCP and UDP connections except the following:
• Incoming connections from an IP address of a configured resource on the intranet (a connection through the tunnel).
• Connections towards the Access Point.
• Connections towards an IP address of a configured resource on the intranet through the tunnel.
For these connections, the access rules of the configured resource apply instead of the firewall rules.

Firewall Rules Based on Device


The client firewall can be used to specify rules based on the path or checksum of the process that is trying to connect to
the Internet. To make this possible, you must first add a Device Definition that specifies the path and/or checksum of
the process. Two variables can be used in Device Definitions that are used by the Client Firewall:
• clientfirewall-path
• clientfirewall-checksum

Important
Only Device Definitions containing these variables can be used in the Client Firewall
Rules.

To add Internet Explorer as a Device Definition, you should add a Device Definition with the following settings:

Example
Display Name: Internet Explorer Process
Definition: clientfirewall-path=%ProgramFiles%\Internet Explorer\iexplore.exe

%ProgramFiles% is an environment variable that is expanded on the Access Client, so the device definition is valid on
all clients regardless of the operating system language.
It is also possible to have a stricter rule that is based on the MD5 checksum of the executable. To define a device based
on the checksum, use a hexadecimal representation of the MD5 checksum.

Example
Display Name: Internet Explorer Process
Definition: clientfirewall-checksum=e7484514c0464642be7b4dc2689354c8

When using clientfirewall-checksum, the device will only be valid for a specific version of Internet Explorer.
It is also possible to combine both checksum and path using AND/OR between expressions. For example, you may
specify a list of valid checksums, using the pipe character | (OR):


Example
clientfirewall-checksum=<checksum1> | clientfirewall-checksum=<checksum2> | …

Note that all entries between the | (OR) operator must be on the same line.
The Device Definitions made for Client Firewalls can also be used in Access Rules for tunnel resources.
Please refer to the How To section in the Online Help for example configurations.
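The rule-evaluation order described under How Does It Work? and the device definitions described in this section fit together in one small policy engine, written here as an added example that is not PortWise code: rules are tried from the top and the first match decides, the default Deny entries sit at the bottom, a rule may be restricted to a device whose definition uses clientfirewall-path (with %VAR% expanded on the client) or clientfirewall-checksum (hex MD5) joined by | (OR), and connections towards the Access Point or a configured resource bypass the firewall rules in favour of the resource's access rules. The Rule and Connection fields, the environment table, the executable bytes and every address are constructed for the example; only the two variable names and the | operator come from the page.

```python
"""First-match client firewall evaluation with device definitions.

Added example, not PortWise code. It follows the behaviour described on this
page: rules are tried from the top and the first match decides; a default
Deny entry at the bottom blocks everything not accepted above it; a rule may
be limited to a device, where a device definition uses clientfirewall-path
(with %VAR% references expanded on the client) or clientfirewall-checksum
(hex MD5 of the executable), and alternatives are joined with "|" (OR);
connections towards the Access Point or a configured resource bypass the
firewall and fall under the resource's access rules.
Rule fields, the environment table and all addresses are constructed.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ENV = {"ProgramFiles": r"C:\Program Files"}       # constructed client environment


def expand_env(path: str) -> str:
    """Expand %VAR% references as the Access Client does, so one definition fits every client."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1), m.group(0)), path)


def device_matches(definition: str, proc_path: str, proc_bytes: bytes) -> bool:
    """True if any "|"-separated alternative of the definition matches the connecting process."""
    checksum = hashlib.md5(proc_bytes).hexdigest()        # the manual specifies MD5, hex encoded
    for alt in definition.split("|"):
        key, _, value = alt.strip().partition("=")
        if key == "clientfirewall-path":
            if expand_env(value.strip()).lower() == proc_path.lower():
                return True
        elif key == "clientfirewall-checksum":
            if value.strip().lower() == checksum:
                return True
        else:
            raise ValueError("unsupported device definition key %r" % key)
    return False


@dataclass
class Rule:
    direction: str                 # "Incoming" or "Outgoing"
    network: str                   # CIDR; "0.0.0.0/0" matches any remote address
    ports: Tuple[int, int]         # inclusive port range
    protocol: str                  # "TCP" or "UDP"
    action: str                    # "Accept" or "Deny"
    device: Optional[str] = None   # device definition; None means Any device


@dataclass
class Connection:
    direction: str
    remote_ip: str
    port: int
    protocol: str
    proc_path: str                 # path of the connecting process, as reported by the client
    proc_bytes: bytes              # executable contents used for the checksum


def first_match(rules: Sequence[Rule], conn: Connection,
                access_point_ip: str, resource_ips: Sequence[str]) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); a None index means bypass or implicit deny."""
    if conn.remote_ip == access_point_ip or conn.remote_ip in resource_ips:
        return "bypass", None                  # the resource's access rules apply instead
    remote = ipaddress.ip_address(conn.remote_ip)
    for index, rule in enumerate(rules):
        if rule.direction != conn.direction or rule.protocol != conn.protocol:
            continue
        if remote not in ipaddress.ip_network(rule.network):
            continue
        if not rule.ports[0] <= conn.port <= rule.ports[1]:
            continue
        if rule.device is not None and not device_matches(rule.device, conn.proc_path, conn.proc_bytes):
            continue
        return rule.action, index              # first match wins; later rules are not consulted
    return "Deny", None                        # nothing matched: block, as the default entries do


IE_BYTES = b"constructed stand-in for iexplore.exe"   # constructed, not a real binary
IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE_DEVICE = (r"clientfirewall-path=%ProgramFiles%\Internet Explorer\iexplore.exe | "
             "clientfirewall-checksum=" + hashlib.md5(IE_BYTES).hexdigest())


def example_rules() -> List[Rule]:
    """Accept outgoing HTTPS from the browser device only; keep the default Deny entries last."""
    return [
        Rule("Outgoing", "0.0.0.0/0", (443, 443), "TCP", "Accept", device=IE_DEVICE),
        Rule("Outgoing", "0.0.0.0/0", (1, 65535), "TCP", "Deny"),
        Rule("Outgoing", "0.0.0.0/0", (1, 65535), "UDP", "Deny"),
        Rule("Incoming", "0.0.0.0/0", (1, 65535), "TCP", "Deny"),
        Rule("Incoming", "0.0.0.0/0", (1, 65535), "UDP", "Deny"),
    ]
```

Two points the code makes concrete: a process with the right checksum matches even when run from another path, because the alternatives are OR-ed, and moving the Deny entries above the Accept rule silently blocks everything, which is why the manual stresses that rule order is significant.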

Manage Client Firewalls


You manage client firewall settings on the Manage Client Firewall page in the Manage Resource Access sec-
tion.
The Internet firewall configuration is manually connected to applicable tunnel sets. This is done on the Manage Tunnel
Set page, on the Advanced tab.
You specify rules based on incoming or outgoing traffic. In both cases, you also specify an IP address or range of IP ad-
dresses and ports, what protocol to use, and select accepted devices. A rule can Accept or Deny traffic.

Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the Internet firewall configuration.

Table 8-52: General Settings

Incoming Firewall Rules


You specify a remote IP address or range of IP addresses for incoming traffic. That is, allowed remote IP addresses.
To specify the port set, you enter a single port, several ports, and/or range of ports. Use a comma sign to separate port
numbers.
Select whether to use TCP or UDP, and if the firewall rule will accept or deny incoming traffic from specified IP addresses
and ports.
Furthermore, you can select a specific device the rule applies to, or set it to Any device, in which case all connecting
devices are accepted. A device can be a hardware device as well as an application. Devices are registered in the Manage
System section, on the Manage Global Access Point Settings page, using the Add Device Settings link.

Settings
Label | Mandatory | Description
IP Range | Yes | IP addresses of the first and last tunnel resource hosts.
Port Set | Yes | One, several, or a range of port numbers, separated by commas.
Protocol | Yes | Available options are: TCP and UDP. Set to TCP by default.
Rule | Yes | Available options are: Accept and Deny. Set to Deny by default.

Table 8-53: General Settings

Label | Mandatory | Description
Devices | No | When selected, the Rule is applied to the selected device (when Rule is set to Accept). Devices are defined in Manage System, on the Device Definitions page.

Table 8-54: Devices

Label | Mandatory | Description
Comment | No | Description of the incoming rule.

Table 8-55: Comment

Outgoing Firewall Rules


You specify a remote IP address or range of IP addresses for outgoing traffic. That is, allowed destination IP ad-
dresses.
To specify the port set, you enter a single port, several ports, and/or range of ports. Use a comma sign to separate port
numbers.
Select whether to use TCP or UDP, and if the firewall rule will accept or deny outgoing traffic from specified IP addresses
and ports.
Furthermore, you can select specific allowed devices the rule applies to. A device can be a hardware device as well as an
application. Devices are registered in the Manage System section, on the Manage Global Access Point Settings
page, using the Add Device Settings link.

Settings
Label | Mandatory | Description
IP Range | Yes | IP addresses of the first and last tunnel resource hosts.
Port Set | Yes | One, several, or a range of port numbers, separated by commas.
Protocol | Yes | Available options are: TCP and UDP. Set to TCP by default.
Rule | Yes | Available options are: Accept and Deny. Set to Deny by default.

Table 8-56: General Settings

Label | Mandatory | Description
Devices | No | When selected, the Rule is applied to the selected device (when Rule is set to Accept). Devices are defined in Manage System, on the Device Definitions page.

Table 8-57: Devices

Label | Mandatory | Description
Comment | No | Description of the outgoing rule.

Table 8-58: Comment


Customized Resources

About Customized Resources


In PortWise 4.7, it is possible to register and perform access control on resources that do not belong to either of the
categories Web resources or tunnel resources, and are not displayed in the Application Portal. These kinds of resources,
for example bank accounts, are registered as customized resources.
Use customized resources when you wish to protect resources outside the Application Portal using access rules.
A customized resource has a resource host (or root) which may have one or several paths connected to it.
When using customized resource paths, you can set your own security levels with access rules for specific applications
and files. As of PortWise 4.7, you can also choose to allow customized resource paths to derive their authorization settings
(consisting of access rules and advanced settings) from the parent resource path.

Manage Customized Resource Hosts


Registered customized resource hosts and paths are listed on the Manage Customized Resources page in the Man-
age Resource Access section. You can add, edit, and delete customized resource hosts and paths.
You can specify one or several paths for each registered customized resource host. Each path can also have one or
several sub paths added to it.

Customized Resource Host Settings


Configuration of a customized resource host includes the following settings:

URI
You define a Uniform Resource Identifier (URI) for the customized resource host, specifying the IP address or DNS name
of the resource host.

Example
bean://<hostname>/account


Access Rules
See Manage Access Rules

Advanced Settings
A number of advanced settings are available for configuration of the customized resource host.

Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource through a proxy server.

Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific customized
resource host will be accessed.

Path Match
You have the option to require an exact path match. When enabled, the defined access rules for this customized resource
path apply for this path only, and not for all paths beginning with this one.
When not selected, the access rules apply to this customized resource path and all paths beginning with this one, unless
a more significant resource is found under this path.

Automatic Access
You can configure the customized resource path to be accessed automatically. For resources where automatic access is
activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but
the user is still regarded as inactive according to time-out configurations.

Expression of Will
When expression of will is used, re-authentication is required for each request.

Time-out
You can configure resource-specific time-out settings for max inactivity time and absolute time-out. Otherwise these
values are taken from the global user account settings, where the defaults are 15 minutes for max inactivity time and
720 minutes for absolute time-out.
By configuring time-out settings on the resource host, you can protect a sensitive resource with a shorter time-out than
the rest of the session, or the opposite: a resource that does not need the same level of security may be given a longer
time-out period.

Information
Note that the setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.


Settings
Customized Resource Host Settings

Label            Mandatory  Description
Enable resource  No         Selected by default.
Display Name     Yes        Unique name used in the system to identify the customized resource host.
Description      No         Describes the customized resource host.
URI              Yes        IP address or the DNS name of the resource host.

Table 8-59: General Settings

Label                     Mandatory  Description
Connect via proxy         No         Not selected by default.
Require exact path match  No         Not selected by default.
Automatic access          No         When selected, requests made automatically to this resource do not affect the user session time-outs. Not selected by default.
Use Expression of Will    No         Only available when editing a Web resource. Not selected by default.
Use Time-out              No         Selected by default.
Max Inactivity Time       No         Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default.
Absolute Time-out         No         Time in minutes (0-1440) since the user was last authenticated with the required authentication method, after which re-authentication is required regardless of user activity. Set to 720 by default.

Table 8-60: Advanced Settings

Manage Customized Resource Paths


Registered customized resource hosts and paths are listed on the Manage Customized Resources page in the Manage Resource Access section. You can add, edit, and delete customized resource hosts and paths.

Customized Resource Path Settings


Configuration of a path to a customized resource host includes the following settings.

Path
When configuring a customized resource path you specify its path, i.e. the path to the subset of the customized resource
host. The path you specify is added to the path of the parent host or path to form the complete path.


When registering a sub path, i.e. a path added to an existing customized resource path, the path to the parent resource
path is displayed for your convenience.

Authorization
If you do not want to set specific authorization (Access Rules and advanced settings) for the customized resource path,
you have the option to reuse the authorization specified for the parent resource host or path. Using this option, the
authorization set for the parent host or path is inherited to the customized resource path and the Access Rules and
Advanced Settings sections of the configuration are not displayed.

Access Rules
See Manage Access Rules
Note that for resource paths, access rules are not available for configuration if you have selected to use the authorization
of the parent host or path.

Advanced Settings
A number of advanced settings are available for configuration of the customized resource path.

Information
Note that the advanced settings are not available for configuration if you have selected
to use the authorization of the parent host or path.

Access Settings
You can select to connect via proxy, directing the connection to the resource through a proxy server.

Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific customized
resource path will be accessed.

Path Match
You have the option to require an exact path match. When enabled, the access rules defined for this customized resource
path apply to this path only, and not to all paths beginning with it.
When not selected, the access rules apply to this path and to all paths beginning with it, unless a more specific
registered resource path is found under it, in which case the authorization of that path applies.
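The path-match and parent-authorization behaviour described above, for customized resource hosts as well as their paths, can be checked with a small resolver. The following Python is an added example and not PortWise code: the paths, access rule names and the rule that the longest covering path wins are assumptions, and the prefix test follows the manual's wording ("all paths beginning with this one") literally, so a non-exact /account also covers /accounting.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of customized resource hosts and paths (example only, not PortWise code).


@dataclass
class Authorization:
    """Access rules plus the advanced settings a resource carries."""
    access_rules: List[str]
    exact_match: bool = False          # "Require exact path match"


@dataclass
class Resource:
    path: str                                  # complete path: parent path + own path
    parent: Optional["Resource"] = None        # None for the host root
    own_auth: Optional[Authorization] = None   # None = "Use Parent Authorization"

    @property
    def authorization(self) -> Authorization:
        """Walk toward the host until a resource that carries its own authorization is found."""
        node = self
        while node.own_auth is None:
            if node.parent is None:
                raise ValueError(f"{self.path}: no authorization found up to the host")
            node = node.parent
        return node.own_auth


def covers(res: Resource, requested: str) -> bool:
    """Exact-match resources apply to their own path only; others to every path beginning with theirs."""
    if res.authorization.exact_match:
        return requested == res.path
    return requested.startswith(res.path)


def resolve(resources: List[Resource], requested: str) -> Optional[Resource]:
    """The most significant resource is assumed to be the longest registered path that covers the request."""
    candidates = [r for r in resources if covers(r, requested)]
    return max(candidates, key=lambda r: len(r.path)) if candidates else None


def example_resources() -> List[Resource]:
    """Constructed host with three paths; /account/reports inherits from /account."""
    host = Resource("/", own_auth=Authorization(["Corporate LAN"]))
    account = Resource("/account", host, Authorization(["Group: finance"]))
    admin = Resource("/account/admin", account, Authorization(["Auth: OTP"], exact_match=True))
    reports = Resource("/account/reports", account)      # Use Parent Authorization
    return [host, account, admin, reports]


def rules_for(resources: List[Resource], requested: str) -> Optional[Tuple[str, List[str]]]:
    """Which registered path answers for the request, and which access rules it applies."""
    res = resolve(resources, requested)
    return (res.path, res.authorization.access_rules) if res else None


if __name__ == "__main__":
    for p in ("/account/admin", "/account/admin/export", "/account/reports/2009", "/accounting"):
        print(p, "->", rules_for(example_resources(), p))
```

Two of the cases are worth checking on a live configuration: /account/admin/export is not covered by the exact-match /account/admin entry and so falls back to the weaker rules of /account, and under the literal prefix reading a sibling such as /accounting silently inherits the rules of /account unless it gets its own entry.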

Automatic Access
You can configure the customized resource path to be accessed automatically. For resources where automatic access is
activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but
the user is still regarded as inactive according to time-out configurations.

Expression of Will
When expression of will is used, re-authentication is required for each request.


Time-out
You can configure resource-specific time-out settings for max inactivity time and absolute time-out. Otherwise these
values are taken from the global user account settings, where the defaults are 15 minutes for max inactivity time and
720 minutes for absolute time-out.
By configuring time-out settings on the resource path, you can protect a sensitive path with a shorter time-out than
the rest of the session, or the opposite: a path that does not need the same level of security may be given a longer
time-out period.

Information
Note that the setting Session Time-Out (on the Global User Account Settings page)
ultimately controls the validity time for a session.
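To see how the resource-specific time-outs, Automatic access and the global Session Time-Out interact, here is an added Python model; it is not PortWise code and all values are minutes. It assumes that a cleared Use Time-out falls back to the global values, that a request served on an ordinary resource counts as user activity, and a Session Time-Out of 1440 minutes, a value the manual does not state.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of PortWise session time-outs (example only, not product code). Times are minutes.


@dataclass
class GlobalSettings:
    max_inactivity: int = 15        # Global User Account Settings default
    absolute_timeout: int = 720     # Global User Account Settings default
    session_timeout: int = 1440     # Session Time-Out; assumed value, not given by the manual


@dataclass
class ResourceTimeouts:
    name: str
    automatic_access: bool = False
    use_timeout: bool = True                  # "Use Time-out"; assumed: when cleared, global values apply
    max_inactivity: Optional[int] = None      # None = global value
    absolute_timeout: Optional[int] = None    # None = global value


@dataclass
class Session:
    started: int          # minute the session was created
    authenticated: int    # minute of the last authentication with the required method
    last_activity: int    # minute of the last request that counted as user activity


def check_request(s: Session, r: ResourceTimeouts, now: int, g: GlobalSettings) -> str:
    """Decide what happens to a request for resource r at minute `now`."""
    if now - s.started > g.session_timeout:
        return "session-expired"                # Session Time-Out ultimately bounds the session
    inactivity, absolute = g.max_inactivity, g.absolute_timeout
    if r.use_timeout:                           # resource-specific values override the global ones
        inactivity = r.max_inactivity if r.max_inactivity is not None else inactivity
        absolute = r.absolute_timeout if r.absolute_timeout is not None else absolute
    if now - s.authenticated > absolute:
        return "reauth:absolute"
    if now - s.last_activity > inactivity:
        return "reauth:inactivity"
    if not r.automatic_access:                  # automatic requests do not count as user activity
        s.last_activity = now
    return "ok"


def polling_scenario() -> List[str]:
    """A script polls an automatic-access resource every minute; the user touches nothing else."""
    g, s = GlobalSettings(), Session(started=0, authenticated=0, last_activity=0)
    status = ResourceTimeouts("/status", automatic_access=True)
    account = ResourceTimeouts("/account")
    results = [check_request(s, status, t, g) for t in range(1, 21)]
    results.append(check_request(s, account, 20, g))   # the first real user request after polling
    return results


def override_scenario() -> Dict[str, str]:
    """A stricter resource-specific inactivity time, then the absolute and session limits."""
    g, s = GlobalSettings(), Session(started=0, authenticated=0, last_activity=0)
    payroll = ResourceTimeouts("/payroll", max_inactivity=5)
    account = ResourceTimeouts("/account")
    check_request(s, account, 10, g)                          # ordinary activity at minute 10
    out = {"payroll@16": check_request(s, payroll, 16, g),    # 6 min idle > 5
           "account@16": check_request(s, account, 16, g)}    # 6 min idle <= 15
    out["account@730"] = check_request(s, account, 730, g)    # past 720 min since authentication
    out["account@1500"] = check_request(s, account, 1500, g)  # past Session Time-Out
    return out


if __name__ == "__main__":
    print(polling_scenario())
    print(override_scenario())
```

The polling scenario is the case the Automatic access note is about: the script keeps requesting /status, but from minute 16 the user counts as inactive and the next real request is met with re-authentication. Enable Automatic access on health checks and refresh calls only; a resource a user actually works in should keep extending the session.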

Settings

Label                     Mandatory  Description
Enable resource           No         Selected by default.
Parent Path               No         Available when adding a child resource path (a sub-path to another resource path). Displays the path to the parent resource path. Not editable.
Path                      Yes        Path to the resource.
Use Parent Authorization  No         Available when adding a resource path (a path to another resource host, or a sub-path to another path). Selected by default.

Table 8-61: General Settings


Label                     Mandatory  Description
Connect via proxy         No         Not selected by default.
Require exact path match  No         Not selected by default.
Automatic access          No         When selected, requests made automatically to this resource do not affect the user session time-outs. Not selected by default.
Use Expression of Will    No         Only available when editing a Web resource. Not selected by default.
Use Time-out              No         Selected by default.
Max Inactivity Time       No         Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default.
Absolute Time-out         No         Time in minutes (0-1440) since the user was last authenticated with the required authentication method, after which re-authentication is required regardless of user activity. Set to 720 by default.

Table 8-62: Advanced Settings


SSO Domains

About SSO Domains


Single Sign-On (SSO) is a session/user authentication process, allowing users to enter their user credentials once to access several resources. Single Sign-On authenticates users, offering instant access to applications, and eliminates further authentication prompts when the user switches applications.
In PortWise 4.7, SSO domains are configured to enable Single Sign-On for resources using the same user credentials.
The SSO domain specifies how SSO will be used for the resources included in the domain. When user credentials are
modified, the changes are automatically applied to all resources in the SSO domain.
The SSO functionality in PortWise 4.7 is based on adaptive learning. When using SSO initially, the user is prompted for
user credentials once for each SSO domain, when first accessing a resource in the SSO domain. The user credentials are
then stored on the PortWise user account in the directory service, indefinitely or until changed. (You can also choose to
cache user credentials, which then are only valid during the session). After authentication, the user can access different
internal applications that are part of a Single Sign-On domain without the need for re-authentication.
PortWise 4.7 supports two methods of using SSO:
• Persistent SSO
Access to several resources without the need to re-authenticate for each resource
• Session-based SSO
Enables one-time-logon: users do not have to re-authenticate for each request

Access Rules
You define how and when Single Sign-On should be used by protecting the SSO domain with access rules. The access
rules specified for the SSO domain apply to the SSO functionality only, not to the resources in the SSO domain. If a user
passes the access rules of a resource in the SSO domain but fails the SSO domain's access rule, the user can still access
the resource; the stored or cached credentials are simply not used, so the user must enter credentials for each resource,
as if SSO had not been applied. Protect the resources themselves with their own access rules; the SSO domain rule only
decides whether the stored credentials are replayed.

Domain Types
In PortWise 4.7, SSO domains are available in two domain types:


• Text (default)
• Cookie

Depending on domain type, different domain attributes can be associated with the SSO domain.

Text
The domain type Text is used to send user credentials as text, with different attributes defining the information needed
for authentication.
Available domain attributes for the domain type Text are:
• User name
• Password
• Domain

Which domain attributes you add to the domain type depends on the authentication method used. The domain attributes normally used for the different authentication methods are described below.
• NTLM
When using the Microsoft authentication method NTLM, all domain attributes for the domain type text (user
name, password, and domain) are added to the domain type.
• Basic
When using the authentication method Basic, the attributes user name and password are added to the domain type. Basic is the most commonly used authentication method for Web environments.
• Form-based
When using form-based logon for an SSO domain, the attributes user name and password are added to the
domain type.
To use form-based logon for an SSO domain, you need to design a Web form for access to each resource in
the SSO domain. This is done when adding or editing a resource: selecting form-based SSO will provide the
logon form and form response configuration.

Cookie
The domain type Cookie is used to send the authentication information in an HTTP Cookie header. When this domain type
is used, the cookie is set on the Access Point before the request is proxied to the backend server.
A common use of cookie SSO is when back-end applications only read the authentication information at the very first
request.
Available attributes are:
• Cookie name
• Cookie value
• Cookie secure
• Cookie domain


Manage SSO Domains


Registered SSO domains are listed on the Manage SSO Domains page in the Manage Resource Access section.
You can add, edit, and delete SSO domains.

SSO Domain Settings


Configuration of an SSO domain includes the settings described below.

Domain Type
For each SSO domain, you select domain type.
Available options are:
• Text (default)
• Cookie

Domain type Text is used for domains of the type NTLM, Basic, and Form-based. Domain type Cookie is used for domains of the type Cookie.

SSO Restrictions
You have the option to choose how SSO credentials should be handled. When Cache on session only is selected, SSO
credentials are cached (kept in memory) and are only valid during the user session.
When the option is not selected (default), the SSO credentials are stored persistently on the user account in the directory
service.

Note
When Domain Type is set to Cookie, this option is not available.

You have the option to enable a user inactivity check on the SSO domain. Specify a period of time (set in number of
days, weeks, or months) during which users are allowed to be inactive, i.e. not access the domain. When the period has
passed, credentials must be re-entered for access to the domain to be granted. This option is not available when Cache
on session only has been selected.
You also have the option to enable an absolute time limit check on the SSO domain. Specify a period of time (set in number
of days, weeks, or months) during which users' SSO credentials are valid. When the period has passed, credentials
must be re-entered for access to the domain to be granted. This setting is independent of user inactivity. This option is
not available when Cache on session only has been selected.

Domain Attributes
The domain attributes you can add to the SSO domain differ depending on SSO domain type. The domain attributes
refer to the user authentication settings, i.e. the settings that characterize the SSO domain.
Domain attribute settings for both SSO domain types are described below.

Domain Type Text


You can use all available attributes, but only add one of each (i.e. you can register a maximum of three domain attributes for a domain of the type Text).


Attribute Name
For each domain attribute, you define the type of attribute you specify.
Available options are:
• User name (default)
• Password
• Domain
• Ticket

Note
Ticket supersedes Password. If an SSO domain is configured with both Password and
Ticket, Password is ignored, because the ticket is used as the password.

Attribute Restriction
Select how the attribute is presented on the HTML page the first time the user accesses the resource and needs to enter
SSO credentials.
Available options are:
• Editable
The attribute is presented as a text field in the logon form
• Hidden
The attribute and its value are hidden in the logon form and not visible to users
• Locked
The attribute and the value are locked in the logon form and cannot be edited by users

Note
The default value for Attribute Restriction is forced to Locked and cannot be altered
when Attribute Name is set to Ticket, because the user must not be able to alter the
ticket string.

Referenced By
You configure whether SSO credentials are entered manually or retrieved automatically. This is specified for both types
of domain attributes.
Available options are:
• User Attribute
The SSO credentials are retrieved from the user object in the directory service.

Example
samAccountName
theCompanyCookie

• User Input (default)
The SSO credentials are entered by the user
• Static
The information entered in Attribute Value is displayed

Example
Portwise.com

Note
The default value for Referenced By is forced to Static and cannot be altered when
Attribute Name is set to Ticket.

Attribute Value
When you have configured the Referenced By setting to User Attribute or Static, you need to define the value for the
domain attribute.

Note
This parameter is ignored when Attribute Name is set to Ticket.

Domain Type Cookie


You can use all available attributes, but only add one of each (i.e. you can register a maximum of four domain attributes
for a domain of the type Cookie).

Attribute Name
For each domain attribute, you define the type of attribute you specify.
Available options are:
• Cookie name (default)
• Cookie value
• Cookie secure
• Cookie domain

Referenced By
You configure whether SSO credentials are entered manually or retrieved automatically. This is specified for both types
of domain attributes. Available options are:
• User Attribute
The SSO credentials are retrieved from the user object in the directory service.

Example
samAccountName
theCompanyCookie

• Static
The information entered in Attribute Value is displayed

Example
Portwise.com

Attribute Value
Finally you define the value for the domain attribute.
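How the Referenced By setting, the Ticket rule and the domain type turn into what the Access Point sends to the backend can be followed in this added Python example; it is not PortWise code. The directory entry, the user input and the ticket string are constructed, the Basic header is built as the Basic scheme defines it (base64 of user:secret), and Cookie secure and Cookie domain are not modelled.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of SSO domain attributes (example only, not PortWise code).


@dataclass
class DomainAttribute:
    name: str            # Text: User name | Password | Domain | Ticket; Cookie: Cookie name | Cookie value | ...
    referenced_by: str   # "User Attribute" | "User Input" | "Static"
    value: str = ""      # directory attribute name (User Attribute) or literal (Static); ignored for User Input


def resolve_attributes(attrs: List[DomainAttribute], user_object: Dict[str, str],
                       user_input: Dict[str, str], ticket: Optional[str] = None) -> Dict[str, str]:
    """Turn each configured attribute into its concrete credential value."""
    out: Dict[str, str] = {}
    for a in attrs:
        if a.name == "Ticket":
            # Referenced By is forced to Static and Attribute Value is ignored for Ticket;
            # the ticket string itself is assumed here to be supplied by the system.
            out[a.name] = ticket or ""
        elif a.referenced_by == "User Attribute":
            out[a.name] = user_object[a.value]          # e.g. samAccountName from the directory
        elif a.referenced_by == "Static":
            out[a.name] = a.value
        elif a.referenced_by == "User Input":
            out[a.name] = user_input[a.name]            # entered once, then stored or cached
        else:
            raise ValueError(f"unknown Referenced By: {a.referenced_by}")
    return out


def basic_authorization(values: Dict[str, str]) -> str:
    """Authorization header for a Text domain used with Basic; Ticket supersedes Password."""
    secret = values.get("Ticket") or values.get("Password", "")
    token = base64.b64encode(f"{values['User name']}:{secret}".encode()).decode()
    return f"Authorization: Basic {token}"


def decode_basic(header: str) -> str:
    """Inverse of basic_authorization, handy when checking what actually went on the wire."""
    return base64.b64decode(header.split(" ", 2)[2]).decode()


def cookie_header(values: Dict[str, str]) -> str:
    """Cookie header for a Cookie domain (Cookie secure and Cookie domain are not modelled)."""
    return f"Cookie: {values['Cookie name']}={values['Cookie value']}"


def sso_examples() -> Dict[str, str]:
    user_object = {"samAccountName": "alice", "theCompanyCookie": "c0ffee"}   # constructed directory entry
    user_input = {"Password": "s3cret"}                                        # entered on the SSO logon form
    text_domain = [DomainAttribute("User name", "User Attribute", "samAccountName"),
                   DomainAttribute("Password", "User Input"),
                   DomainAttribute("Domain", "Static", "Portwise.com")]
    ticket_domain = [DomainAttribute("User name", "User Attribute", "samAccountName"),
                     DomainAttribute("Password", "User Input"),
                     DomainAttribute("Ticket", "Static")]
    cookie_domain = [DomainAttribute("Cookie name", "Static", "SESSION"),
                     DomainAttribute("Cookie value", "User Attribute", "theCompanyCookie")]
    return {
        "basic": basic_authorization(resolve_attributes(text_domain, user_object, user_input)),
        "ticket": basic_authorization(resolve_attributes(ticket_domain, user_object, user_input, ticket="T-123")),
        "cookie": cookie_header(resolve_attributes(cookie_domain, user_object, user_input)),
    }


if __name__ == "__main__":
    for k, v in sso_examples().items():
        print(k, v)
```

The ticket case shows the precedence rule from the note above: the Password attribute is still resolved from user input, but it never reaches the header. Since Basic only base64-encodes the credentials, whatever this header carries is readable to anything between the Access Point and the backend, which is the reason to keep that hop on TLS.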

Access Rules
See Manage Access Rules

Settings

Label                  Mandatory  Description
Display Name           Yes        Unique name used in the system to identify the SSO domain.
Domain Type            No         Available options are Text and Cookie. Set to Text by default; Text is used for domains of the type NTLM, Basic, and Form-based.
Cache on session only  No         Not selected by default.

Table 8-63: General Settings

Label                    Mandatory  Description
Enable inactivity check  No         Not selected by default.
User Inactivity          No         Time (in days, weeks, or months) a user may go without accessing the domain before credentials must be provided again for access to be granted.
Enable time limit check  No         Not selected by default.
Absolute Time Limit      No         Time (in days, weeks, or months) the user's SSO credentials are valid before re-authentication is required, independent of the user's activity on the SSO domain.

Table 8-64: SSO Restrictions

Label                  Mandatory  Description
Attribute Name         No         Available options are User name, Password, Domain, and Ticket. Set to User name by default.
Attribute Restriction  No         Available options are Editable, Hidden, and Locked. Set to Editable by default.
Referenced By          No         Available options are User Attribute, User Input, and Static. Set to User Input by default.
Attribute Value        (Yes)      Mandatory when User Attribute or Static is selected for Referenced By.

Table 8-65: Domain Attribute Text

Label            Mandatory  Description
Attribute Name   No         Available options are Cookie name, Cookie value, Cookie secure, and Cookie domain. Set to Cookie name by default.
Referenced By    No         Available options are User Attribute and Static. Set to Static by default.
Attribute Value  Yes        Domain attribute value.

Table 8-66: Domain Attribute Cookie


Access Rules

About Access Rules


Access rules are the basis of PortWise 4.7 access control. An access rule defines the specific requirements for access
that you apply to a resource or SSO domain.
You can create general (registered) access rules that can be applied to any resource or SSO domain, as well as access
rules that apply to one specific resource or SSO domain only. In addition, you can define a global access rule that is
automatically applied to all resources and SSO domains.
A number of different areas of requirements, or access rule types, are available in PortWise 4.7. Access rules of
different types can be used in combination.
When adding access rules to a resource or SSO domain, the registered access rules you select and the rules you create
for that resource are always combined with AND: all of them must be fulfilled. OR is available only between the access
rules created specifically for the resource or SSO domain.

Access Rule Types


Available access rule types are listed below.

Authentication Method
An access rule of the type Authentication Method allows access to the resource protected by the access rule if the user
is authenticated with the defined authentication methods.
Several authentication methods can be used in combination, using arguments AND and/or OR.

User Group Membership


An access rule of the type User group membership allows access to the resource protected by the access rule if the user
is a member of a defined user group.
Note that the access rule is dependent on user authentication: the user must be authenticated for the Policy Service
to be able to determine whether the user is a member of the allowed user group. As a result, the access rule must be
combined with an access rule of the type Authentication Method if it is to be used pre-authentication (for example in a
global access rule). It can be used on its own for example when applied to resources accessed through the Application
Portal.
Several user groups can be used in combination, using arguments AND and/or OR.


IP Address of Incoming Client


An access rule of the type IP address of incoming client allows access to a resource protected by the access rule if the
incoming client comes from a specified IP address (or range of IP addresses).

Client Devices
An access rule of the type Client Devices allows access to a resource protected by the access rule if the user uses a
specified device, for example Web or WAP.

Date, Day, and/or Time


An access rule of the type Date, day, and/or time allows access to a resource protected by the access rule if the access
occurs during a specified time.

User Storage
An access rule of the type User storage allows access to a resource protected by the access rule if the user is stored in
a specified user storage location.
Note that the access rule is dependent on user authentication: the user must be authenticated for the Policy Service to be
able to determine whether the user is located in the allowed user storage. As a result, the access rule must be combined
with an access rule of the type Authentication method if it is to be used pre-authentication (for example in a global
access rule). It can be used on its own for example when applied to resources accessed through the Application Portal.

Assessment
An access rule of the type Assessment can be plug-in-based or customized. It allows or denies access to a resource
protected by the access rule if the result of a scan of the client computer matches specified client data requirements.

Abolishment
An access rule of the type Abolishment allows access to a resource protected by the access rule if the listener that will
be collecting information about the client is active. When the session ends, abolishment as specified in the abolishment
configuration is performed on the client.

Information
Note that abolishment can be configured to allow the user to decide whether created,
changed, or downloaded files should be deleted or not.

Access Point
An access rule of the type Access Point allows access to a resource protected by the access rule if the request comes
through a specified Access Point.

Identity Provider
An access rule of the type Identity Provider allows access to a resource protected by the access rule

Custom-defined Access Rule


A custom-defined access rule is tailored to meet specific needs. The custom-defined access rules are specified in separate XML files. Custom-defined access rules can only be updated by editing the corresponding XML file.


Managing Access Rules


In PortWise Administrator, you manage access rules in three different ways depending on the purpose of the rules:
• Manage access rules
You add, edit, and delete access rules to be available for all resources on the Manage Access Rules page in
Manage Resource Access.
• Manage global access rule
You add, edit, and delete access rules that should be included in a global access rule, and consequently be
applied to all resources, on the Manage Global Access Rule page in Manage Resource Access.
• Manage access rules for resource or SSO domain
You add, edit, and delete access rules for specific resources in connection with the resource: in the Access
Rules step of the add resource wizard, and on the Access Rules tab when editing the resource.

The different ways of managing access rules are described in the following sections.

Manage Access Rules


You add, edit, and delete access rules to be available for all resources on the Manage Access Rules page in Manage
Resource Access section.
The access rules you create here can be applied to resources, SSO domains or the global access rule. Registered access
rules are also listed and available for selection when adding or editing a resource, an SSO domain or the global access
rule.
When you create an access rule in Manage Access Rules, you specify a display name for the access rule. You then
add one or several access rules to the access rule.
If you create several access rules to be included in the rule, the access rules are by default separated by an OR statement,
i.e. only one of the access rules must be fulfilled for access to be allowed. To define that several access rules must be
fulfilled for access to be allowed, you can select to combine the access rules with an AND statement.
Included rules can be of different access rule types. For details regarding settings for the different access rule types, see
Access Rule Settings below.

Manage Global Access Rule


You add, edit, and delete access rules included in the global access rule on the Manage Global Access Rules page
in Manage Resource Access section.
When configuring the global access rule, you can select one or several registered access rules to include in the global
access rule, create one or several new access rules specifically for the global access rule, or use registered and new
access rules in combination.

Information
Note that if you select registered as well as create new access rules for the global access
rule, they are all required for access to resources and SSO domains to be allowed: they
are combined with an implicit AND statement.


Access rules included in the global access rule can be of different access rule types. For details regarding settings for the
different access rule types, see Access Rule Settings below.
Once access rules have been created for and/or included in the global access rule and the configuration has been
published, these access rules are automatically applied to all resources and SSO domains in the system. All access rules
included in the global access rule are displayed in the access rules step of the add resource or SSO domain wizard,
and on the Access Rules tab when editing a resource or SSO domain.

Selecting Registered Access Rules


Registered access rules are available for selection, but not for editing, when configuring the global access rule.
When you select several registered access rules, they must all be fulfilled in order for access to be allowed: i.e. they are
combined with an implicit AND statement.

Information
Note that if you select several registered access rules, they are used for authorization in
the order they are selected.

Creating New Access Rules


The access rules you create for the global access rule are specific for the global access rule, and cannot be applied to
individual resources or SSO domains.
The access rules you create are by default separated by an OR statement, i.e. only one of the access rules must be
fulfilled for access to be allowed. To define that several access rules must be fulfilled for access to be allowed, you can
select to combine the access rules with an AND statement.

Manage Access Rules for Resource or SSO Domain


Access rules are applied to resources and SSO domains as a part of the authorization configuration, to implement
resource access control. The access rules are managed in the access rules step of the add resource or SSO domain wizard,
and on the Access Rules tab when editing the resource or SSO domain. Applying access rules to resources or SSO
domains is not mandatory.
When applying access rules to a resource or SSO domain you can select one or several registered access rules, create
one or several new access rules specifically for the resource or SSO domain, or use registered and new access rules in
combination.

Information
Note that if you select registered as well as create new access rules for the resource or
SSO domain, they are all required for access to be allowed: i.e. they are combined with
an implicit AND statement.

Access rules applied to the resource or SSO domain can be of different access rule types. For details regarding settings
for the different access rule types, see Access Rule Settings below.


Selecting Registered Access rules


Registered access rules are available for selection, but not for editing, on the resource or SSO domain.
When you select several registered access rules, they must all be fulfilled in order for access to be allowed: i.e. they are
combined with an implicit AND statement.

Information
Note that if you select several registered access rules, they are used for authorization in
the order they are selected.

Creating New Access Rules


The access rules you create for the resource or SSO domain are specific for the individual resource or SSO domain, and
cannot be applied to other resources or SSO domains.
The access rules you create are by default separated by an OR statement, i.e. only one of the access rules must be
fulfilled for access to be allowed. To define that several access rules must be fulfilled for access to be allowed, you can
select to combine the access rules with an AND statement.

Global Access Rule


If a global access rule has been configured in the system, the access rules included in the global access rule are
automatically applied to the resource or SSO domain and displayed for reference. It is not possible to edit or delete the
access rules included in the global access rule on individual resources or SSO domains.

Access Rule Settings

Authentication Method
When creating an access rule of the type Authentication Method, you select one or several authentication methods that
the user must use to access a resource protected by the access rule.
All registered and enabled authentication methods are available for selection.
You can select several authentication methods for the access rule. You then specify if the authentication methods are
to be combined in a logical AND or OR statement. OR is selected by default.
Select OR if the user should be able to choose which of the listed authentication methods to use for authentication.
Select AND if all listed authentication methods are to be used to authenticate the user.
If you select AND, note that the order in which the methods are selected will correspond to the order in which the
authentication methods will be used to authenticate the user.

User Group Membership


When creating an access rule of the type User group membership, you define one or several user groups that the user
must belong to in order to access a resource protected by the access rule.
You start by searching for user group names. The wildcard character * is supported, and can be entered anywhere in
the search string. User groups that match the search are displayed in a list.
You can select several user groups for the access rule. You then specify if the user groups are to be combined in a logical
AND or OR statement. OR is selected by default.


Select OR if the user has to be a member of at least one of the listed user groups. Select AND if the user has to be a
member of all listed user groups.

IP Address
When creating an access rule of the type IP address, you specify an IP address, several IP addresses, or a range of IP
addresses that the incoming client must have to access a resource protected by the access rule.
Several IP addresses are separated by commas. A range of IP addresses is specified with a hyphen between the first and
last address of the range.

Example
192.168.12.12-192.168.12.98

Client Device
When creating an access rule of the type Client device, you specify one or several devices that the user must use to access a resource protected by the access rule.
Devices available for selection are the devices specified on the Manage Device Definitions page in the Manage
System section.
Note that you can also specify restrictions for the individual devices. The device restrictions (with Deny, Warn, and Accept permissions) are managed on the Client Access tab on the Manage Global Access Point Settings page in the Manage System section.

Date, Day, and/or Time


When creating an access rule of the type Date, day, and/or time, you specify during which date period, weekdays, and/or time the user is allowed to access a resource protected by the access rule.
You can select whether to specify date period, weekdays, time period, or a combination.
The date period can be one specific date or a period between two given dates. You specify start date and end date for
the period. Year, month, and date are formatted according to your browser’s language settings (for example, m/d/yy).

Example
12/1/06 – 12/31/06

One or several weekdays can be specified by selecting Monday through Sunday. You specify start time and end time for
the time period (hour and minute formatted according to your browser’s language settings).

Example
12:00 AM – 8:00 PM

User Storage
When creating an access rule of the type User storage, you specify in which user storage the user must be stored to be
allowed to access a resource protected by the access rule. All registered user storages are available for selection.

Assessment
When creating an access rule of the type Assessment, you either specify a plug-in to use or manually specify assessment
requirements. The client computer is assessed through a client scan performed to match the client data with specified
requirements.

Plug-In
When using a plug-in, you select which plug-in to use and configure it according to its requirements. If the plug-in you
would like to use is not available in the drop-down list, you can upload the plug-in.

Custom
When not using a plug-in, you specify one or several information paths and requirements for client data per operating
system. Currently, you can create client data requirements for Windows only. Future versions of PortWise will support
other operating systems. You also select whether an assessment result matching this client data should result in access
to a resource protected by the access rule being allowed or denied.
You specify the requirements for client data by defining values to be matched on the client computer.

Example
Allow access when a process name matches yourantivirussoftware.exe

Client data is collected in a number of information types, i.e. areas of client data. Available information types and corresponding client data that you can specify requirements for are listed below.

Microsoft Windows

Information
Note that when Wildcard match is selected, a leading and a trailing * are applied by default to
the Matching Rule. Only use wildcard characters inside the matching rule:

Example: C:\note*.exe

The table has four columns: Information Type, Client Data, Client Scan Settings, and Matching Rules (example values). It is reproduced here one information type at a time.

Information type: File information
Client data: File attributes, File digest, File name, File time created, File time last written
Client scan settings: Information path of the type File. Can not be automatically created if Wildcard match is used.
Matching rules (example):
File attributes: r (read-only), d (directory), e (encrypted), h (hidden), s (system file), t (temporary)
File name: \SystemRoot\System32\smss.exe
File digest: 08d26906c74805bee8deca4c7be8c7f5
File time created: 01/16/2004 22:38
File time last written: 09/07/2004 15:21
File time last accessed: 03/03/2005 06:04

Information type: Directory information
Client data: Attributes, Directory digest, Directory name
Client scan settings: Information path of the type Directory. Can not be automatically created if Wildcard match is used.
Matching rules (example):
Attributes: r (read-only), d (directory)
Directory digest: 08d26906c74805bee8deca4c7be8c7f5
Directory name: \SystemRoot\System32\

Information type: Registry key information
Client data: Registry name, Registry type, Registry value
Client scan settings: Information path of the type Registry Sub Key. Can not be automatically created if Wildcard match is used.
Matching rules (example):
Registry name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Registry type: value or subkey
Registry value: 87e4d320-ee1a-4321-93eb-34db24ae5ec6

Information type: Registry subkey information
Client data: Registry name, Registry type, Registry value
Client scan settings: Information path of the type Registry Sub Key. Can not be automatically created if Wildcard match is used.
Matching rules (example):
Registry name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Registry type: value or subkey
Registry value: 87e4d320-ee1a-4321-93eb-34db24ae5ec6

Information type: Process information
Client data: Process digest, Process name, Process ID
Client scan settings: Enable collection of process information
Matching rules (example):
Process name: *Mozilla.exe
Process digest: 84885f9b82f4d55c6146ebf6065d75d2
Process ID: 1184

Information type: Windows user information
Client data: Windows logon domain, Windows logon server, Windows alternative domains, Windows user name
Client scan settings: Enable collection of process information
Matching rules (example):
Windows logon domain: PORTWISE
Windows alternative domains: PORTWISE1, PORTWISE 2
Windows user name: userid
Windows logon server: SRV-EXCHANG

Information type: Windows domain information
Client data: Computer name, LAN group, Major version, Minor version, Platform ID
Client scan settings: Enable collection of process information
Matching rules (example):
Computer name: USERDEV
LAN group: PORTWISE
Major version: 3
Minor version: 1
Platform ID: 100

Information type: Network interface information
Client data: Description, Name, Physical address
Client scan settings: Enable collection of process information
Matching rules (example):
Physical address: 00502239056e
Name: N/A
Description: MS TCP Loopback interface

Information type: UDP port information
Client data: Local address, Local port
Client scan settings: Enable collection of process information
Matching rules (example): none given

Information type: TCP port information
Client data: Local address, Local port, Remote address, Remote port, State
Client scan settings: Enable collection of process information
Matching rules (example):
Local address: 127.0.0.1
Local port: 8300
Remote address: 127.0.0.1
Remote port: 3662
State: Established

Table 8-67: Client Data
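As an added example, not taken from the manual, the following Python models how a custom assessment requirement is evaluated against collected client data: Match compares the value exactly, Wildcard match applies the implicit leading and trailing * described in the note above, and Deny access inverts the outcome. The scan records are constructed, and the assumption that all requirements of one rule must match is mine; the manual does not state how several requirements are combined.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed client scan result, keyed by information type (names as in Table 8-67).
# Each information type yields a list of records; each record maps a client data
# field to the value collected on the client.
CONSTRUCTED_SCAN: Dict[str, List[Dict[str, str]]] = {
    "Process information": [
        {"Process name": r"C:\Program Files\AV\yourantivirussoftware.exe", "Process ID": "1184"},
        {"Process name": r"C:\Windows\notepad.exe", "Process ID": "2210"},
    ],
    "Registry key information": [
        {
            "Registry name": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid",
            "Registry type": "value",
            "Registry value": "87e4d320-ee1a-4321-93eb-34db24ae5ec6",
        },
    ],
}


@dataclass(frozen=True)
class Requirement:
    """One row of the Assessment Requirement step (Table 8-76)."""
    info_type: str          # Information Type, e.g. "Process information"
    client_data: str        # Client Data field, e.g. "Process name"
    matching_rule: str      # Matching Rules value
    wildcard: bool = False  # Matching Restriction: False = Match, True = Wildcard match


def rule_matches(req: Requirement, value: str) -> bool:
    """Apply the Matching Restriction to one collected value.

    Match is an exact comparison. Wildcard match wraps the rule in * on both ends,
    as the manual's note states, so "note*.exe" behaves like "*note*.exe*".
    Comparison is case-insensitive because Windows names and paths are.
    """
    if not req.wildcard:
        return value.lower() == req.matching_rule.lower()
    return fnmatch.fnmatchcase(value.lower(), f"*{req.matching_rule}*".lower())


def requirement_satisfied(req: Requirement, scan: Dict[str, List[Dict[str, str]]]) -> bool:
    """A requirement is satisfied when any collected record of its type matches.

    An information type absent from the scan (collection disabled, or the client
    scan failed) satisfies nothing, so an allow rule fails closed.
    """
    return any(rule_matches(req, rec.get(req.client_data, ""))
               for rec in scan.get(req.info_type, []))


def assess(reqs: Sequence[Requirement], scan: Dict[str, List[Dict[str, str]]],
           deny_access: bool = False) -> bool:
    """Return True when the access rule grants access.

    Assumption (not stated in the manual): all requirements of one rule must match.
    With Deny access selected, a matching assessment result denies access instead.
    """
    matched = all(requirement_satisfied(r, scan) for r in reqs)
    return not matched if deny_access else matched


if __name__ == "__main__":
    av_running = Requirement("Process information", "Process name",
                             "yourantivirussoftware.exe", wildcard=True)
    editor_present = Requirement("Process information", "Process name", "note*.exe", wildcard=True)
    print("allow rule (antivirus running):", assess([av_running], CONSTRUCTED_SCAN))
    print("deny rule (editor present):    ", assess([editor_present], CONSTRUCTED_SCAN, deny_access=True))
```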

Linux
Available in a future release

Mac OS X
Available in a future release

Information
Note that the client scan paths you add when creating the assessment access rule are
added to the Client Scan tab on the Manage Assessment page.

A user feedback message is provided by default, regardless of whether you use the plug-in based or the custom version of the
access rule. The feedback message is displayed when the user fails to authenticate using the assessment access rule,
i.e. when the client data does not match the specified requirements. You can edit the feedback message to provide the
desired level of detail.

Abolishment
When creating an access rule of the type Abolishment, you enable abolishment as defined on the Manage Abolishment page in the Manage System section. No settings are made on the access rule itself.
Abolishment is then performed on the client computer when the user session ends. It entails cleaning of client cache and
browser history, as well as deletion of created, edited, or downloaded files of specified file types.

Access Point
When creating an access rule of the type Access Point, you specify one or several Access Points that the resource access
requests must come through for the user to be allowed to access a resource protected by the access rule.
All registered Access Points are available for selection.

Identity provider
When creating an access rule of the type identity provider, you select the applicable identity provider from a list of registered identity providers. You manage identity providers in the Manage Identity Federation section.

Custom-defined
When creating an access rule of the type Custom-defined, you specify one or several custom-defined access rules that
the user must fulfill to be allowed to access a resource protected by the access rule.
All available custom-defined access rules (XML files) are available for selection. You can also upload a new custom-defined access rule.

Manage Global Access Rule
The global access rule is managed on the Manage Global Access Rule page in the Manage Resource Access
section. Once specified, the access rules included in the global access rule are automatically applied to all resources and
SSO domains in the system.
When you specify the global access rule, you can select available access rules and/or create new access rules. The
process of creating access rules to be included in the global access rule is the same as that of creating ordinary access
rules. However, the global access rules you create are only available in the Manage Global Access Rule section, and
cannot be applied to individual resources or SSO domains.
When you add or edit resources or SSO domains, you can see which access rules are automatically applied to the
resource or SSO domain in the Access Rules step of the add resource/SSO domain wizard, and on the Access Rules tab
when editing the resource or SSO domain.

Settings
Label Mandatory Description
Available Authentication Methods No Lists authentication methods enabled in the system.
Selected Authentication Methods Yes Lists authentication methods selected to be included in the access
rule.
Combine with OR No Selected by default.
Combine with AND No Not selected by default.

Table 8-68: Authentication Methods

Label Mandatory Description
User Group Criteria No The wildcard character * is supported, and can be entered anywhere in the search string.
Available User Groups No Lists available user groups according to your configuration, or
filtered after a search.
Selected User Groups Yes Lists user groups selected in the Available User Groups list.
Combine with OR No Selected by default.
Combine with AND No Not selected by default.

Table 8-69: User Group Membership

Label Mandatory Description
IP Address Yes When several IP addresses have been entered, the incoming client
must be within the range to access the resource.

Table 8-70: IP Address of Incoming Client

Label Mandatory Description
Available Devices No Lists available supported devices.
Selected Devices Yes To access the resource, the user must use one of the listed devices.

Table 8-71: Client Device

Label Mandatory Description
Specify date period No Can be combined with one or all of the available options.
Specify days No Can be combined with one or both of the available options.
Specify time period No Can be combined with one or both of the available options.
Date Period No Format is defined according to your browser’s language settings.
Monday-Friday No All weekdays are available for selection, to specify weekday or
weekdays when access to the resource is allowed.

Time Period No Start and end time of the specified Time Period. Format complies
with your browser’s language settings.

Table 8-72: Date, Day, and/or Time

Label Mandatory Description
User Storage No All registered user storage locations are available for selection.

Table 8-73: User Storage

Label Mandatory Description
Plug-in No The first plug-in in the list is selected by default.
Custom No Not selected by default.

Table 8-74: Assessment Type

Label Mandatory Description
Display Name Yes Name used in the system to identify the access rule.
Operating System Yes The operating system the access rule applies to.
Available option is Windows.
Information Type Yes Available options for Windows are:
File information
Directory information
Registry information
Process information
Windows user information
Windows domain information
Network interface information
UDP port information
TCP port information
Set to File information by default.
Deny access No Not selected by default.

Table 8-75: Assessment Criteria

Label Mandatory Description
Client Data Yes Lists available client data according to the information type defined
on the Select Criteria page.
Matching Restriction Yes Available options are: Match and Wildcard match.
Set to Match by default.
Matching Rules Yes Value matching Client Data according to restriction set in
Matching Restriction.
Environment variables can be used.

Table 8-76: Assessment Requirement

Label Mandatory Description
Feedback Message No Feedback message displayed to users when access is denied due to
failed assessment.

Table 8-77: Assessment Feedback

Label Mandatory Description
Upload Plug-in No Name of the plug-in to be uploaded for use with the access rule.

Table 8-78: Assessment Upload Plug-in

Label Mandatory Description
Available Access Points No Lists available registered access points.
Selected Access Points No Lists access points selected in the Available Access Points box.
To access the resource, the request must come through one of the
listed Access Points.

Table 8-79: Access Point

Label Mandatory Description
Identity Provider No Lists registered identity providers.

Table 8-80: Identity Provider

Label Mandatory Description
Available Access Rules No Lists uploaded custom-defined access rules.
Selected Access Rules Yes Lists uploaded custom-defined access rules selected to be included
in the access rule.
Combine with OR No Selected by default.
Combine with AND No Not selected by default.
Custom-defined access rule No Display name of custom-defined access rule to be uploaded.

Table 8-81: Custom-defined

Application Portal
About Application Portal
The Application Portal is the PortWise Web portal that users log on to in order to access corporate applications from
remote locations. In the Application Portal, the applications - registered resources - are displayed as icons with link
texts. In PortWise Administrator, these icons and link texts that form the graphical representation of the resources are
called Application Portal items.
Application Portal items can be created for the following resource types:
• Web resources
• Tunnel sets
• External sites

All Web resources and tunnel sets configured to be displayed in the Application Portal are automatically associated with
an Application Portal item. Application Portal items can also be manually created for Web resources or tunnel sets. Note
that for Web resources, it is possible to configure a shortcut. The shortcut enables users to access the resource directly
in a Web browser, without the need to log on to the Application Portal.
You can also create Application Portal items for external sites, i.e. external URLs not registered as Web resources.

Access Client
Users access the Application Portal through the use of PortWise Access Client. The Access Client is available as a Microsoft Windows executable (loaded over the Application Portal by either an ActiveX component or a Java applet) and
as a pure Java applet.
The Windows version of the Access Client is also available on an installation CD, for installations on client computers
using Windows. When using the installable Access Client, users do not need to use the Application Portal but are able
to access resources directly from their PC. They also have the opportunity to edit preferences in as well as add favorites
(frequently visited applications) to their Access Client.

Manage Application Portal
Registered Application Portal items are listed on the Manage Application Portal page in the Manage Resource
Access section. You can add, edit, and delete Application Portal items.

An Application Portal item can be created in two different ways: automatically or manually. When you configure a
resource to be displayed in the Application Portal, an Application Portal item is automatically created and added to the
Manage Application Portal page. You can also manually create Application Portal items on the Manage Application Portal page. You then associate the items with the corresponding Web resource or tunnel set.
You can also register Application Portal items not associated with a registered resource, for example an external Web
site.

Application Portal Item Settings
When you create an Application Portal item manually, you select which registered Web resource or tunnel set to display
in the Application Portal. For external sites, you specify the external URL instead.

Icon
You select which icon should represent the resource in the Application Portal. You can browse for an icon in an icon
library, or upload an icon of your choice. The icon must be of the type .gif, .jpeg, or .png and must not exceed 10 kB in
size.

Link Text
You enter a link text to be displayed below the icon. The link texts are sorted in alphabetical order in the Application
Portal, providing you with an opportunity to affect how the resources are displayed.

Information
Note that in the Registered Application Portal Items list on the Manage Application
Portal page, the link text is displayed in the Display Name column.

Shortcut
For Web resources, you can define a shortcut allowing users to access the resource without accessing the Application
Portal. The users enter the address to the Access Point and the shortcut in a browser window to access the resource
directly.

Example
http://www.AccessPoint.com/Shortcut

URL Query String
For Web resources, you can also define a URL query string. The string is added to the Web resource address when it
is selected in the Application Portal. Use queries to retrieve data, or to ask for additional operations such as inserting,
updating, or deleting data.

Example
http://www.portwise.com/index.php?id=2&page=1

Protocol
For Web resources, you can also configure what protocol to use between the Access Point and the Web resource back-end server. This setting is only available if both HTTP and HTTPS can be used to access the resource.

Settings
Label Mandatory Description
Web Resource No Selected by default.
Tunnel Set No Type of resource for the Application Portal item.
External Site No Type of resource for the Application Portal item.

Table 8-82: Application Portal Item

Label Mandatory Description
Make resource available in Application No Not selected by default.
Portal
Icon (Yes) Path to the image file that symbolizes the external site in the Application Portal.
Mandatory when Make resource available in Application
Portal is selected.
Link Text (Yes) Link text that represents the external site in the Application Portal.
URL Query No Query string added to the Web resource address when item is
selected in the Application Portal.
Shortcut (Yes) Mandatory when Hide Resource in URL is selected.
Hide Resource in URL No When selected, Shortcut is mandatory.
Not selected by default.
Protocol No This setting is only available if both HTTP and HTTPS can be used
to access the resource, according to the Web resource configuration.
Set to HTTP by default.

Table 8-83: Web Resource

Label Mandatory Description
Make resource available in Application No Not selected by default.
Portal
Icon (Yes) Path to the image file that symbolizes the tunnel set in the Application Portal.
Mandatory when Make resource available in Application
Portal is selected.
Link Text (Yes) Link text that represents the tunnel set in the Application Portal.

Table 8-84: Tunnel Set

Label Mandatory Description
Make resource available in Application No Not selected by default.
Portal
Icon (Yes) Path to the image file that symbolizes the external site in the Application Portal.
Mandatory when Make resource available in Application
Portal is selected.
Link Text (Yes) Link text that represents the external site in the Application Portal.
Shortcut (Yes) Mandatory when Hide Resource in URL is selected.
Hide Resource in URL No When selected, Shortcut is mandatory.
Not selected by default.
External URL No URL to the external site the Application Portal item refers to.

Table 8-85: External Site

Identity Federation

About Identity Federation
Here, you manage all Identity Federation settings, including the internal SAML 2.0 settings, such as selecting the
certificates that enable PortWise 4.7 to act as a Service Provider or an Identity Provider.
A federated environment involves at least three roles:
• Service Provider
Decides what requests to allow
• Identity Provider
Provides the security information
• Subject
The user associated with the Identity Information

SAML 2.0 (Security Assertion Markup Language) is an XML standard for using SSO between online business partners,
that is, between an identity provider and a service provider.
SAML 2.0 relies on assertions and defines three kinds of statements that can be carried within an assertion:
• Authentication statements
Authentication statements are issued by the identity provider. They define who issued the assertion, the
authenticated subject, validity period, plus other authentication related information.
• Attribute statements
• Authorization decision statements
These identify what users are entitled to do (for example permissions to buy a specified item).

Assertions
In PortWise 4.7, only one assertion attribute is exposed per assertion. Attributes are mapped against existing attributes
in user storage and the Directory service.
The key concept of SAML 2.0 assertions is a subject (a principal, someone who can be authenticated, within the context
of a particular security domain) about which something is being asserted.

A trust is set up between the service provider and the identity provider using certificates. The Identity Provider uses
server certificates to sign the SAML 2.0 responses, and the Service Providers use server certificates to validate their
SAML 2.0 responses.
PortWise 4.7 can be configured to act as either a Service Provider or an Identity Provider.

Preconditions
Before starting to configure your Identity Federation settings, make sure you have completed the following tasks:
• Server Certificates used when creating service providers are added using the Add Server Certificate wizard in
the Manage Certificates section
• Hosts used as Service Providers are added using the Add Web Resource Host wizard in the Manage Resource Access section
• CA Certificates used when creating Identity Providers are added using the Add CA Certificate wizard in the
Manage Certificates section

Depending on how you use PortWise 4.7, as identity or service provider, you select appropriate certificates, add Web
resource hosts, and specify exact paths to these Web resources.

Service Provider
Typically there are a number of service providers that use assertions about users in order to control access and provide
customized service, and an asserting party that issues those assertions: the identity provider.
Service providers use this information, depending on their access policies, to grant access to local resources.

Identity Provider
Identity providers assert users’ identities to relying parties, the service providers.

Manage Identity Federation Settings

Global Identity Federation Settings
You specify which server certificate to use for signing and validation of assertions.
To add server certificates, use the Add Server Certificate wizard on the Manage Certificates page.

Service Providers
You specify a registered Web resource host as service provider. You can also specify an exact path to the Web resource.
On the Assertion tab, you can edit the time in minutes to specify the length of the SAML 2.0 session. By default, the
session time is set to 15 minutes.
You specify which subject is being asserted by selecting either User ID or E-mail as the unique identifier.
SAML 2.0 Attributes are mapped against existing user attributes in user storage and the directory service.

Identity Providers
When adding an identity provider, you select a CA certificate and specify an attribute to map against existing user attributes in user storage and the directory service.

Settings
Label Mandatory Description
Enable Service Provider No Selected by default.
Display Name Yes Unique name used in the system to identify the service provider.
Web Resource Host Yes List of available Web resource hosts.
Path No Exact path to the selected Web Resource Host used as service
provider.
CA Certificate Yes List of available CA certificates.

Table 8-86: Service Provider

Label Mandatory Description
SAML Attribute Yes Name of the SAML 2.0 attribute statement.
User Attribute Yes Directory service attribute name for the user that is to be added as
the SAML 2.0 attribute statement value.

Table 8-87: Attribute Statement Settings

Label Mandatory Description
Validity No Length of the SAML 2.0 session.
Set to 15 by default.
Subject No Available options are: User ID and E-mail.
Set to User ID by default.
Add Client IP No Not selected by default.

Table 8-88: Assertion Settings

Label Mandatory Description
Enable Identity Provider No Not selected by default.
Display Name Yes Unique name used in the system to identify the identity provider.
CA Certificate Yes List of available CA certificates.

Table 8-89: Identity Provider

Label Mandatory Description
Attribute Yes Directory service attribute name for a user that contains the SAML
subject attribute value.

Table 8-90: Attribute Mapping

9
Manage System

About Manage System
In the Manage System section, you manage the system properties and global settings for the different services in the
PortWise network: the Access Point, Policy Service, Authentication Service, and Administration Service.
This section also contains the End-Point Integrity feature (Assessment) and the End-Point Protection feature (Abolishment), as
well as identity management, i.e. the configuration of Delegated Management and of the Directory Service used.
You also manage the global Notification Settings here, in effect the SMS and e-mail channels, which are used for Alerts and
for distribution of SMS and e-mail messages.
Device Definition management allows adding, editing, and deleting device definitions, which are used, for example, for access
rules of the type Device and for Device Control in the Access Point.

Abolishment

About Abolishment
The end-point protection solution in PortWise 4.7 consists of the concept Abolishment, which focuses on client cleanup
upon completion of the session.
Web browsers leave traces such as browser history and browser cache after a session has ended. Abolishment simplifies the secure cleanup of a client computer by removing cached content on the client and browser history, as well as
downloaded, created, or edited files.
Abolishment is used as a basis for access control. A resource is protected by an abolishment access rule based on abolishment settings specifying what should be cleaned on the client after the session is completed. When a user attempts
to access the resource, access is allowed only if the abolishment client is running, ensuring that abolishment will be
performed when the session is completed.
When abolishment is performed, cache and Web browser history are deleted according to the abolishment configuration.
As to files downloaded, created, or edited during the session, you can configure whether or not the user should be
notified and able to choose which files to delete.

Information
Note that in the dialog displayed to the end-user, the Abolishment client is called the
End-Point Protection client.

Manage Abolishment
Abolishment settings are managed on the Manage Abolishment page in the Manage System section of PortWise
Administrator.
Abolishment settings are available on three tabs: General Settings, Cache Cleaner, and Advanced.

General Settings
On this tab, you specify which file types should be monitored on the client. You also define whether a user should
receive a notification message regarding downloaded, created, or edited files of these types upon completion of the
session, allowing the user to decide which – if any – files should be deleted. If you select not to notify the user, downloaded, created, or edited files of the specified file types will be deleted automatically when the session is completed.

Monitor Files
Specify which file types should be monitored on the client, and deleted automatically when the session is ended or as
a result of the notification message to the user. The file types are specified per operating system in comma-separated
lists.
The example below displays the file types specified for Windows by default.

Example
doc, docx, xls, xlsx, ppt, pptx, pdf, txt, zip, exe

Notification
When the options Enable delete and Notify user are selected, the PortWise Abolishment dialog will be displayed
when users log off the Application Portal.
The PortWise Abolishment dialog contains a list of downloaded and/or created files, with the option to select which
files to delete. The user may select not to delete any files.
You can customize the notify message displayed in the PortWise Abolishment dialog. The default message Abolishment is requested. Select the files you want to delete is provided.

Note
If the option to notify user is not selected, all downloaded, created, or edited files of
the specified file types will be deleted automatically when the session is completed.

Settings
Label Mandatory Description
Windows (Yes) File types to be deleted when the session is ended.
Enable delete No Selected by default.
Notify user No Selected by default.
Notify message (Yes) Message used in the Abolishment dialog when users can select
which files to delete.
Set to Abolishment is requested. Select the files you want
to delete by default.

Table 9-1: General Settings

Cache Cleaner
On this tab, you specify per operating system what the cache cleaning should include.
Available options are:

• Microsoft Windows
Internet Explorer history and typed URLs
Internet Explorer cache entries
• Linux
Available in a future release
• Macintosh
Available in a future release

When you select to clean cache entries, you specify a URL filter to define which cache entries to delete. The URL filter is
matched to the cache entries. The wildcard character * is supported. When used alone, all cache entries are deleted.
The URL filter is mapped to cache entries in the Windows folder Temporary Internet Files, in the Internet Address
column. The cache cleaner removes all cached session information in this column from the start of the session until it
is ended.

Examples
* removes all cache entries
https* removes all cache entries downloaded from a secure server
http://www.thesecurecompany.com/* removes all entries from that particular server

URL Filter is set to * by default.

Settings
Label Mandatory Description
Enable clean of Internet Explorer history No Not selected by default.
and typed URLs
Enable clean of Internet Explorer cache No Not selected by default.
entries
URL Filter (Yes) Set to * by default.

Table 9-2: Cache Cleaner Windows Settings

Advanced
On this tab, you manage advanced abolishment settings.

Display Resources in Application Portal
Select this option to display resources protected by an abolishment access rule in the Application Portal prior to the
client scan. When selected, resources are displayed even though the user may not have access to them.
When not selected, only resources that the user is allowed access to are displayed.

Abolishment Client Loader
You specify which type of loader to use for the abolishment client.
The options are:
• ActiveX - Java Applet
• ActiveX
• Java Applet

When the ActiveX - Java Applet option is selected, the loader uses ActiveX when available. If not, it uses the Java
Applet.

Settings
Label Mandatory Description
Display resources in Application Portal No Resources protected by an Abolishment access rule are displayed in
the Application Portal, regardless of whether the listener collecting information about the client is active or not.
Selected by default.
Abolishment Client Loader Yes Set to ActiveX - Java Applet by default.

Table 9-3: Advanced Settings

Access Points

About Access Points
Access Points handle access between users connecting from external networks and the applications on the internal
network, usually from the Internet to an intranet, both for corporate and commercial use.
The Access Point functionality can be divided into Web access, WAP access, and access via the Access Client. The Web
and WAP access supports a secure connection to information that is presented in HTML and WML formats in standard
Web and WAP browsers. By using the Access Client, secure access is enabled from more advanced TCP/IP clients such
as Telnet. See the sections Manage Tunnel Resources and Manage Tunnel Sets for more information.

Figure 9-1: PortWise Network

Web and WAP Access


Users can connect to the Access Point through any standard browser supporting SSL 3.0. WAP device users can connect
to the Access Point via the WAP gateway and then receive WML pages.

Internet Channels
Access Points can operate in any network that supports TCP/IP with ports open for both HTTP and SSL. OpenSSL algo-
rithms are supported, with no limitation of key lengths.

Authentication
The Access Point supports a number of authentication methods used to identify users and verify their identity.
Authentication methods range from static passwords to one-time passwords generated by PortWise Mobile ID or by
third-party products.

Access Control
Advanced access control is implemented in the Access Point. Access control can be based on group membership, for
example, and is performed on both incoming and outbound traffic.
The Access Point provides access control in conjunction with a firewall and the access control in internal systems. The
firewall access control is performed when users interact with the system. The access control is performed on the same
level of security as the firewall, i.e. on both IP level and port level.

Access control capabilities can be expanded by using the Policy Service, which adds advanced authorization rules to
the solution.

Encryption
Encryption is supported from the client and when connecting to internal systems. The Access Point supports OpenSSL
algorithms, with no limitations of key lengths.

Digital Signatures
Access Points provide for validation of digital signatures when integrated with a Public Key Infrastructure (PKI) solu-
tion.

Session Handling
The session to the client is handled by the use of cookies. The Access Point communicates with internal systems using
normal HTTP or SSL session. Cookies generated from internal systems are never passed on from the Access Point to
the client.
Session handling is important for security reasons, as the normal Web client is a silent client. Using advanced security
solutions, a security context will also exist apart from the cookie or variable.

The Access Client


The Access Client allows for tunneling of raw TCP and UDP data from and to an internal server. The traffic is encrypted
with the same strength as used in the Web browser.
The Access Client is available in two versions. One is a native Windows application that can be installed as a desktop
application, or downloaded from the PortWise Application Portal using either an ActiveX component (Internet Explorer
only) or a Java Applet. The other is a pure Java version, used for Mac and Linux.
When using the ActiveX component to download the Access Client, the user is required to have administrator rights
on the client. In PortWise versions prior to PortWise 4.0.1, this resulted in failure to load tunnel sets if user rights were
insufficient. As of PortWise 4.0.1, however, the native Windows Access Client will try to load a fallback tunnel set if a
dynamic tunnel fails to load due to insufficient user rights.

Manage Access Points


A first Access Point was added to the system during the Setup System wizard. This Access Point resource host and its
corresponding paths are added as a Web resource in the Manage Resources section. Consequently, you can protect
specific parts of the Access Point with access rules as well as configure authorization settings and set encryption levels.
The authorization setting and encryption level set for that Access Point is valid for all Access Points. Authorization for
other Access Points can be controlled through path and device definitions.
Registered Access Points are listed on the Manage Access Points page in the PortWise Administrator. You can add,
edit, and delete Access Points. A number of settings can be specified globally, to apply to all Access Points. Examples
are settings for client access, performance, trusted gateways, and cipher suites.
If you have an external load balancing product installed, you can manage load balancing between Access Points.

Access Point Settings


Configuration of an Access Point includes the settings described below.

Internal Host
The internal host of the Access Point is the IP address used in the internal communication between the Access Point
and the Policy Service. To verify the identity of a connecting Access Point, the Policy Service uses this address together
with the Access Point service ID.
It is not recommended to use the IP address 0.0.0.0. To listen on all local IP addresses, use the Listen on all interfaces
option instead. When selected, the service listens on all local IP addresses and not only on the specified one.

Sandbox Port
The sandbox port is an additional port for redirecting requests from the Application Portal port. Defining a redirect port
can be useful when running within a sandbox on a Linux machine.

Additional Listeners
It is possible to add one or several additional listeners to an Access Point, for Web traffic or load balancing purposes.
Additional listeners are additional ports or IP addresses the Access Point listens to. The configuration will not be distrib-
uted to other proxies in a load balanced environment.
It is possible to specify separate SSL certificates for each additional listener. When HTTPS listeners are set up, you need
to specify a server certificate.

Settings
Label | Mandatory | Description
Service ID | No | Identification number automatically assigned to the Access Point when it is created.
Display Name | Yes | Unique name used in the system to identify the Access Point.
Internal Host | Yes | IP address used in the internal communication between the Access Point and the Policy Service.
Application Portal Host | Yes | IP address or DNS name to which all incoming external traffic to the Application Portal is bound.
Application Portal Port | Yes | HTTPS port for incoming traffic to the Application Portal. Set to 443 by default.
Sandbox Port | No | Additional port for redirecting requests from the Application Portal Port. Set to 443 by default.
Server Certificate | Yes | List of server certificates that the Access Point uses in the external communication.
Listen on all interfaces | No | Specifies which interfaces the service listens on. Not selected by default.
Support crypto cards | No | Not selected by default.
Distribute key files automatically | No | Selected by default.

Table 9-4: General Settings

Label | Mandatory | Description
Host | Yes | IP address or DNS name of the additional listener.
Port | Yes | Port for incoming HTTP or HTTPS traffic. Set to 80 by default.
Sandbox Port | No | Additional port for redirecting requests from the Application Portal Port.
Server Certificate | (Yes) | List of server certificates that the Access Point uses in the external communication. Mandatory if HTTPS is used.
Type | No | Available options are: Web and Load Balance. Set to Web by default.
Listen on all interfaces | No | Not selected by default.

Table 9-5: Additional Listener

Manage Global Access Point Settings

Advanced Settings
Internal Cookies
You can define which client data is sent as cookies in internal requests. Client data includes user ID, client IP,
session ID, and session ID cookie.
This is an example of what the internal cookies can look like in the HTTP request:

Example
Cookie: WA_T=45; WA_UID=test; WA_WASID=0c351d862cea55cc; WA_AM=PortWise Password; WA_CLIP=192.168.139.1; WA_SEPO=443; WA_SSL=256; WA_INTERNAL_ID=3.0.259121969733801860.14762743034494641120710727875
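As an added example (not part of the manual or of PortWise), the following parses the internal cookie header shown above on the internal server side; the mapping of cookie names to the client data of Table 9-6 is inferred from the sample values and is an assumption.

```python
# Added example: parsing the WA_* cookies the Access Point sends to internal servers.
# The sample header is the one from the manual, re-joined onto one line.
SAMPLE_COOKIE_HEADER = (
    "Cookie: WA_T=45; WA_UID=test; WA_WASID=0c351d862cea55cc; "
    "WA_AM=PortWise Password; WA_CLIP=192.168.139.1; WA_SEPO=443; WA_SSL=256; "
    "WA_INTERNAL_ID=3.0.259121969733801860.14762743034494641120710727875"
)


def parse_internal_cookies(header_line, prefix="WA_"):
    """Return the Access Point's WA_* cookies as a dict; other cookies are ignored.

    Values are not URL-decoded: the sample shows a space sent literally (WA_AM).
    """
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "cookie":
        raise ValueError("not a Cookie header line")
    cookies = {}
    for item in value.split(";"):
        key, eq, val = item.strip().partition("=")
        key = key.strip()
        if eq and key.startswith(prefix):
            cookies[key] = val.strip()
    return cookies


def client_context(cookies):
    """Pick out the client data an internal application typically consumes.

    Cookie-name-to-setting mapping (assumed from the sample values): WA_UID user ID,
    WA_CLIP client IP, WA_WASID session ID, WA_AM last used authentication method,
    WA_SEPO server port, WA_SSL SSL strength in bits. These values are only
    meaningful on the internal channel from the Access Point; an application must
    not accept them from arbitrary clients.
    """
    def as_int(key):
        try:
            return int(cookies[key])
        except (KeyError, ValueError):
            return None

    return {
        "user_id": cookies.get("WA_UID"),
        "client_ip": cookies.get("WA_CLIP"),
        "session_id": cookies.get("WA_WASID"),
        "auth_method": cookies.get("WA_AM"),
        "server_port": as_int("WA_SEPO"),
        "ssl_strength_bits": as_int("WA_SSL"),
    }
```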

Session Control
You can configure client session control using the WAAK (Web access authentication key) option. Plain HTTP only is not
as secure as WAAK. It is also possible to set the strength of the secure authentication cookie.
The Web access session ID (WASID) is a random hexadecimal value generated by the Access Point.
When the Bind session to client IP option is selected, the client session is allowed to move from one computer to another
only if the client does not change its source IP during the session.
Use the Duplicate user name logon reverse action to ensure that two users cannot log on with the same user name until
the first session is logged out or timed out.
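The following is an added example, not product code, that models the Session Control options above: WASID generation of the configured bit length, binding a session to the client IP, and the duplicate logon handling. The idle timeout and the behaviour when duplicate logons are disallowed without the reverse action (the newer logon replaces the older session) are assumptions.

```python
import secrets
import time


class SessionStore:
    """Minimal model of the Session Control options (added example, not product code).

    wasid_bits: size of the random WASID (manual default: 64 bits).
    bind_to_client_ip: reject a session presented from a different source IP.
    allow_duplicate_logon / duplicate_reverse_action: see logon(); the reverse
    action is assumed to matter only when duplicate logons are not allowed.
    max_inactivity: seconds after which an idle session counts as timed out (assumed).
    """

    def __init__(self, wasid_bits=64, bind_to_client_ip=False,
                 allow_duplicate_logon=True, duplicate_reverse_action=False,
                 max_inactivity=1800, clock=time.time):
        if wasid_bits <= 0 or wasid_bits % 8:
            raise ValueError("WASID size must be a positive multiple of 8 bits")
        self.wasid_bits = wasid_bits
        self.bind_to_client_ip = bind_to_client_ip
        self.allow_duplicate_logon = allow_duplicate_logon
        self.duplicate_reverse_action = duplicate_reverse_action
        self.max_inactivity = max_inactivity
        self.clock = clock  # injectable so tests can control time
        self.sessions = {}  # WASID -> {"user", "ip", "last_seen"}

    def new_wasid(self):
        """Random hexadecimal session ID of wasid_bits from the OS CSPRNG."""
        return secrets.token_hex(self.wasid_bits // 8)

    def _active_sessions(self, user):
        now = self.clock()
        return [w for w, s in self.sessions.items()
                if s["user"] == user and now - s["last_seen"] <= self.max_inactivity]

    def logon(self, user, client_ip):
        """Create a session and return its WASID, or None if the logon is refused."""
        existing = self._active_sessions(user)
        if existing and not self.allow_duplicate_logon:
            if self.duplicate_reverse_action:
                # Refuse until the first session is logged out or has timed out.
                return None
            # Assumed behaviour without the reverse action: the new logon
            # replaces the earlier session(s) of the same user name.
            for wasid in existing:
                del self.sessions[wasid]
        wasid = self.new_wasid()
        self.sessions[wasid] = {"user": user, "ip": client_ip, "last_seen": self.clock()}
        return wasid

    def validate(self, wasid, client_ip):
        """Return the user name of a live session, or None; refreshes the idle timer."""
        session = self.sessions.get(wasid)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.max_inactivity:
            del self.sessions[wasid]
            return None
        if self.bind_to_client_ip and session["ip"] != client_ip:
            return None  # the session may not move to another source IP
        session["last_seen"] = now
        return session["user"]

    def logout(self, wasid):
        self.sessions.pop(wasid, None)
```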

Cookie Persistence
You have the option to select whether all session cookies are transformed to persistent cookies. Note that this only
applies to resources protected by Abolishment and to Internet Explorer users.

When selected, two parts of the system are affected:


• The Abolishment client will make sure all persistent cookies are removed from the client when performing the
abolishment.
• The Access Point will transform the session cookies to persistent cookies in runtime as soon as the user client
is successfully authenticated using Abolish.

Cache Control
It is possible to select whether to use Cache-Control: no store to disallow browser cache on HTTP/1.1 clients. When
selected, the header Cache-Control: no store is used, and Internet Explorer users are able to view Word documents, Excel
files, PowerPoint files and PDF files and still not cache data. When not selected, the header Pragma:no_cache is used.

Internal Host Address

Control internal host access by requiring that every internal host contacting the Access Point over SSL has a valid
certificate.

Client Access
Settings for communication between clients and Access Points include whether error messages should be displayed to
the user in SSL v2 communication, if server headers should be hidden, and an option to select which authentication
method should be used when a user accesses /wa/auth without the parameter authmech specified.
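As an added example (not the product's code), this is the response-header policy an Access Point applies towards the client according to the sections above: internal Set-Cookie headers are never passed on, the Server header is hidden, and the cache header is chosen by the Cache Control option, using the standard HTTP spellings no-store and no-cache. The upstream response and the replacement of upstream cache directives are assumptions.

```python
# Added example (not product code): response header policy on the client side of
# the Access Point, applied to a constructed upstream response.
SAMPLE_UPSTREAM_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "Apache/2.2.3 (CentOS)"),          # constructed value
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),  # the internal system's own cookie
    ("Cache-Control", "max-age=3600"),
    ("Content-Length", "512"),
]


def harden_response_headers(upstream_headers, use_no_store=True, hide_server=True):
    """Rewrite an internal server's response headers before they reach the client.

    - Set-Cookie from the internal system is dropped: the Access Point keeps its
      own session with the client and never passes internal cookies on.
    - Server is dropped when the Hide server header option is selected.
    - The upstream cache policy is replaced by the gateway's own (assumed to
      replace rather than merge): the HTTP/1.1 token is "no-store" (the manual's
      UI label spells it "no store"); with the option off, the HTTP/1.0-era
      "Pragma: no-cache" is sent instead.
    """
    hardened = []
    for name, value in upstream_headers:
        lname = name.lower()
        if lname == "set-cookie":
            continue
        if hide_server and lname == "server":
            continue
        if lname in ("cache-control", "pragma", "expires"):
            continue
        hardened.append((name, value))
    if use_no_store:
        hardened.append(("Cache-Control", "no-store"))
    else:
        hardened.append(("Pragma", "no-cache"))
    return hardened


def header_value(headers, name):
    """First value of header `name` (case-insensitive), or None."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None
```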

Bad URIs
Lists URIs to be handled as forbidden requests. The purpose of the URIs is to detect when a user makes an attempt to
access a URL that would normally be protected with access rules. It is strongly recommended to keep the default URIs.

Example
*\*          A URI cannot contain a backslash
*%5c*        A URI cannot contain the URL encoding of a backslash
*%2f*        A URI cannot contain the URL encoding of a slash
*/../*       A URI cannot contain “/../”
*/%2e%2e/*   A URI cannot contain “/../” where both dots are URL encoded
*/.%2e/*     A URI cannot contain “/../” where the second dot is URL encoded
*/%2e./*     A URI cannot contain “/../” where the first dot is URL encoded
*/./*        A URI cannot contain “/./”
*/%2e/*      A URI cannot contain “/./” where the dot is URL encoded
*//*         A URI cannot contain a double slash
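An added example (not part of the manual or of PortWise) that implements the `*` wildcard matching used both by the Cache Cleaner URL Filter earlier in this chapter and by the Bad URIs list, and runs the default list over constructed request URIs; case-insensitive matching of the patterns is an assumption.

```python
import re

# Default Bad URIs from the manual, each with the reason it is forbidden.
DEFAULT_BAD_URIS = [
    (r"*\*", "backslash"),
    ("*%5c*", "URL-encoded backslash"),
    ("*%2f*", "URL-encoded slash"),
    ("*/../*", "/../"),
    ("*/%2e%2e/*", "/../ with both dots URL-encoded"),
    ("*/.%2e/*", "/../ with the second dot URL-encoded"),
    ("*/%2e./*", "/../ with the first dot URL-encoded"),
    ("*/./*", "/./"),
    ("*/%2e/*", "/./ with the dot URL-encoded"),
    ("*//*", "double slash"),
]


def wildcard_to_regex(pattern):
    """Compile a '*'-wildcard pattern; '*' matches any run of characters.

    Matching is case-insensitive (an assumption) so that %2F and %2f are treated
    alike, as percent-encoding itself is case-insensitive.
    """
    pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile(".*".join(pieces), re.IGNORECASE | re.DOTALL)


def wildcard_match(pattern, text):
    return wildcard_to_regex(pattern).fullmatch(text) is not None


def check_bad_uri(uri, bad_uris=DEFAULT_BAD_URIS):
    """Return the reason the raw request URI is forbidden, or None if it is clean.

    The check runs on the URI as received, before any decoding, which is why the
    default list enumerates the percent-encoded variants explicitly.
    """
    for pattern, reason in bad_uris:
        if wildcard_match(pattern, uri):
            return reason
    return None


def cache_entries_to_clean(url_filter, cached_urls):
    """Apply the Cache Cleaner URL Filter ('*' by default) to a list of cached URLs."""
    return [url for url in cached_urls if wildcard_match(url_filter, url)]
```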

Cipher Suites
When an SSL connection is initialized, the client and server determine a common cipher value to be used for key ex-
change and encryption. Various cipher values offer different types of encryption algorithms and levels of security.
You can select which protocols for cipher suites to support, as well as define which types of cipher suites to support.

Available protocols are TLS v1.0, SSL v3.0, and SSL v2.0.

Client Access
Client Access Settings/WAP Client Settings
Define Web versus WAP default pages displayed when accessing the /root, as well as welcome pages displayed after
successful logon.

Information
You can specify default and welcome pages for specific devices using device control.

Device Control
Specify stricter control over, for example, client browsers connecting to the Access Point using device access restrictions.
You can warn users of a certain browser, or deny others access. To exercise device control, you register device
settings and device access restrictions. When registering device settings, you specify which type of session handling the
Access Point will use for a specific device. This can be useful for devices that, for example, cannot handle cookies.
Available options are URL session, WAP agent, and/or Basic authentication.
Use device access restrictions to map devices to the permissions Deny, Warn or Accept. Device access restrictions are
evaluated in the order they are listed. On the first match the restriction takes effect, regardless of whether it is a Deny,
Warn or Accept restriction.

Performance
Performance Settings
Enhance the performance of your Access Points by configuring Access Point performance settings. Performance settings
include the possibility to set time-outs for idle connections. You can also limit the number of TCP connections that the
operating system is able to queue, and allow the Access Point to cache SSL sessions for communication with internal
servers.

Data Compression Settings

Use data compression to represent dynamic and static Web files as accurately as possible using the fewest number of
bits. Dynamic files are Web files located on the Access Point that contain user variables.
You can also list which file types to compress, for example html/txt, or use the wildcard character * to compress all file
types.

Trusted Gateways
Register trusted IP addresses, for example WAP gateways or HTTP proxies, as trusted gateways.
Trusted in this context means that even though a client connecting to the Access Point may not have a secure connection,
incoming traffic from the specified IP address and the specified port is automatically assumed to have a specified level
of security (128 bit encryption).
Users are not redirected to HTTPS when coming from a trusted gateway.

About Load Balancing


Load balancing entails distribution of client sessions between two or more Access Points to handle situations with a
large number of requests.
Access Points can be load balanced with an external load-balancing product to gain redundancy and handle heavy
loads. Load balancing enables Access Points to share sessions among each other, so that requests may be processed
correctly no matter which server receives the request.
Load balancing in the Access Point provides for the following benefits:
• Compatibility with third-party load balancing products
• Session sharing
• Fail-over functionality
• Session mirroring
• Central administration

The load-balancing product needs to support “SSL session resistance”. When not supported, unnecessary traffic be-
tween the Access Points is created, and the SSL handshakes are heavier. Access Points use a specific TCP port for the
interchange of session data. The default port is set to 16972.
The Access Point uses a specific TCP port for the interchange of session data. The default port is set to 1697. The traffic
can be either in plain data or SSL. SSL is recommended unless the network is totally private.
Optionally the servers may have two or three network cards each:
• Network card 1: Client communication
• Network card 2: Proxy session interchange communication
• Network card 3: Intranet communication

To achieve full redundancy, set up the servers in pairs, where each Access Point shares the session with another Access
Point.

Manage Load Balancing


You can enable multi-host sessions for Access Point load balancing. When enabled, Access Points can communicate
sessions and enable central configuration.
You specify a sticky cookie to be used by the load balancing machine to identify which Access Point to load balance
the client to.
It is also possible to configure the number of communication worker threads dealing with the message queue for session
communication between the proxies.

Mirrored Access Points


Two Access Points can be configured to mirror each other’s sessions. Upon each change in a session, the change is
synchronized with the mirror server to make redundancy possible.
In order to register a pair of mirrored Access Points, the Access Points must be configured with additional listeners of
the type load balancing. The pair of mirrored Access Points are configured by specifying primary and secondary servers
versus listeners.

Settings
Label | Mandatory | Description
User ID | No | Not selected by default.
Client IP | No | Not selected by default.
Server Port | No | Not selected by default.
SSL Strength | No | Not selected by default.
Last used authentication method | No | Not selected by default.
Max inactivity time in seconds | No | Not selected by default.
Session ID cookie | No | Not selected by default.
System Session ID | No | Not selected by default.

Table 9-6: Internal Cookies

Label | Mandatory | Description
Web access authentication key (WAAK) is secure | No | Selected by default.
Strength of WAAK | Yes | Strength in bits of the secure authentication cookie. Set to 128 by default.
Random Value of WASID | Yes | Number of bits in the random value. Set to 64 by default.
Bind session to client IP | No | Not selected by default.
Allow duplicate user name logon | No | Selected by default.
Duplicate user name logon reverse action | No | Not selected by default.
Show shutdown message | No | Not selected by default.

Table 9-7: Session Control

Label | Mandatory | Description
Enable secure use of persistent cookies | No | Not selected by default.

Table 9-7: Cookie Persistence

Label | Mandatory | Description
Use “Cache-Control: no store” to disallow browser cache on HTTP/1.1 clients | No | Method for HTTP/1.1 clients to disallow browser cache. Selected by default.

Table 9-8: Cache Control

Label | Mandatory | Description
Validate server certificate | No | Not selected by default.

Table 9-9: Internal Host Access

Label | Mandatory | Description
Show error on SSL v2.0 access | No | Not selected by default.
Hide server header | No | Selected by default.
Default authentication method | No | Authentication method used when a user accesses /wa/auth without the parameter authmech specified. Not selected by default.

Table 9-10: Client Access

Label | Mandatory | Description
Bad URIs | No | Important: It is recommended that you keep the listed URIs.

Table 9-11: Bad URI

Label | Mandatory | Description
TLS v1.0 | No | Selected by default.
SSL v3.0 | No | Selected by default.
SSL v2.0 | No | Selected by default.

Table 9-12: Supported Cipher Suites Protocols

Label | Mandatory | Description
Cipher Suites Supported | No | Supported by default:
    TLS_RSA_WITH_AES_256_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_AES_128_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
Cipher Suites Not Supported | No | Not supported by default:
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
    TLS_DHE_RSA_WITH_DES_CBC_SHA
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    TLS_RSA_EXPORT_WITH_RC4_40_MD5

Table 9-13: TLS v1.0 and SSL v3.0 Cipher Suites

Label | Mandatory | Description
Cipher Suites Supported | No | Supported by default:
    SSL_CK_DES_192_EDE3_CBC_WITH_MD5
    SSL_CK_RC2_128_CBC_WITH_MD5
    SSL_CK_RC4_128_WITH_MD5
Cipher Suites Not Supported | No | Not supported by default:
    SSL_CK_RC4_64_WITH_MD5
    SSL_CK_DES_64_CBC_WITH_MD5
    SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    SSL_CK_RC4_128_EXPORT40_WITH_MD5

Table 9-14: SSL v2.0 Cipher Suites

Label | Mandatory | Description
Default Page | Yes | Path to the main page for the Application Portal where applicable authentication methods are listed. Set to /wa/auth by default.
Welcome Page | Yes | Path to the Application Portal or page configured as start page after a successful logon. Set to /wa/_welcome.html by default.

Table 9-15: Client Access

Label | Mandatory | Description
Device | No | Set to Any device by default.
Device does not support cookies | No | Not selected by default.
Device cannot authenticate using HTML or WML forms | No | Not selected by default.
File Extension | No | When no additional file extension is entered, only HTML is used.
Default Page | No | Main page for the device.
Welcome Page | No | Welcome page after a successful logon.
GUI Constant | No | Name of a constant that can be used in the HTML or WML pages.
GUI Constant Value | No | Value of the GUI constant.

Table 9-16: Device Settings

Label | Mandatory | Description
Device | No | WAP phone
Device does not support cookies | No | Selected
File Extension | No | .wml
Default Page | No | /wa/auth
Welcome Page | | /wa/_welcome.wml

Table 9-17: Pre-configured WAP Settings

Label | Mandatory | Description
Device | No | PDA
File Extension | No | .pda.html
Default Page | No | /wa/auth
Welcome Page | | /wa/_welcome.pda.html

Table 9-18: Pre-configured PDA Settings

Label | Mandatory | Description
Max Working Threads | Yes | Number of threads handling requests. Set to 200 by default.
Connection time-out | Yes | Time, in seconds, a connection can be idle before it is closed. Set to 60 by default.
UDP Tunnel time-out | Yes | Time, in seconds, a UDP tunnel connection can be idle before it is closed. Set to 120 by default.
Garbage Collection Interval | Yes | Time, in minutes, between garbage collection of session objects. Set to 1 by default.
Size of Socket Listening Backlog | Yes | Number of TCP connections that the operating system is able to queue. Set to 25 by default.
Max Tunnel Connections | Yes | Maximum number of concurrent TCP tunnel connections towards the internal servers. Set to 1500 by default.
Cache Internal SSL Sessions | No | Selected by default.
No Delay on Tunnel Connections | No | Selected by default.

Table 9-19: Performance Settings

Label | Mandatory | Description
Compress Static Web Files | (Yes) | Selected by default.
Compress Dynamic Web Files | No | Not selected by default.
File Types to Compress | (Yes) | Mandatory when Compress Static Web Files or Compress Dynamic Web Files is selected.

Table 9-20: Data Compression Settings

Label | Mandatory | Description
IP Address | Yes | Trusted IP address of the gateway.
Port | Yes | Set to 80 by default.

Table 9-21: Trusted Gateways

Administration Service

About Administration Service


You manage all administration and configuration of PortWise on the Administration Service. It distributes your user ac-
count settings to the user storages and configuration changes to the PortWise network: the Access Point, Policy Service,
and Authentication Service. The PortWise Administration Service is the hub of the PortWise network, and the PortWise
Administrator its interface.

Information
Only one Administration Service can be configured per PortWise network.

Figure 9-2: PortWise Network

Configuration
The main configuration file (RemoteConfiguration.xml) is stored on the Administration Service. Local configuration files
stored on the different PortWise services are only used initially to contact the Administration Service. The current con-
figuration is pushed to the different services in runtime through the publish functionality in the PortWise Administrator.
The services do not need to be restarted to retrieve the configuration.
A history of the ten latest configurations is saved. A previous configuration can be retrieved by using the restore func-
tionality in the PortWise Administration Service.

Manage Administration Service


Configuration of the Administration Service includes specifying the internal communication, that is the communication
between the Administration Service and the PortWise network, as well as specifying the external communication, that
is the communication between clients and the Administration Service. The server certificate that the Administration
Service uses in HTTPS communication is also specified.

Administration Service Settings


When initially setting up PortWise through Setup System, the PortWise Administrator by default listens to host 127.0.0.1
and port 8300 for communication within the PortWise network. If PortWise services are installed on different machines,
or if external IP addresses are used for other reasons, the default settings for Internal Host, Administrator HTTP Host,
and Administrator HTTPS Host should be changed.

Settings
Label | Mandatory | Description
Internal Host | Yes | IP address or DNS name of the host for internal traffic in the PortWise network.
Internal Communication Port | Yes | Set to 8300 by default.

Table 9-22: Internal Communication Settings

Label | Mandatory | Description
Administrator HTTP Host | Yes | IP address or DNS name of the host for HTTP traffic. Set to 127.0.0.1 by default.
Administrator HTTP Port | Yes | Port for the HTTP Host. Set to 8080 by default.
Administrator HTTPS Host | Yes | IP address or DNS name of the host for HTTPS traffic. Set to 127.0.0.1 by default.
Administrator HTTPS Port | Yes | Port for the HTTPS Host. Set to 8443 by default.
Server Certificate | Yes | Server certificate the Administration Service uses in HTTPS communication.

Table 9-23: External Communication Settings

Assessment

About Assessment
The end-point integrity solution in PortWise consists of the Assessment concept, which focuses on access control based
on client restrictions.
Assessment is used to define how a client must be constituted, and to allow or deny access to resources accordingly.
A resource or SSO domain is protected by an assessment access rule, detailing client scan paths per operating system.
Client scan paths define the information that will be scanned during the client scan.
When a user attempts to access the resource, a client scan is performed and a subsequent assessment of the client
constitutes the basis of the access decision.

Information
Note that in the dialog displayed to the end-user, the client scan is called the End-Point
Integrity scan.

An alternative to registering client scan paths is to use the plug-ins available for specific client scans.
PortWise supports assessment on Microsoft Windows. Future releases will support additional operating systems.
Client data paths can be specified for the following areas:
• File information
• Registry information
• Process information
• Windows user information
• Windows domain information
• Network interface information
• UDP port information
• TCP port information

Manage Assessment
You manage assessment settings on the Manage Assessment page in the Manage System section.
Manage Assessment consists of three tabs:
• General Settings
• Advanced Settings
• Plug-ins

General Settings
On this tab, you configure the client scan settings which include settings for a real time scan as well as the client scan
path. Note that you need to add an assessment access rule in order for these settings to take effect. Access rules are
managed on the Manage Access Rules page in the Manage Resource Access section.

Real Time Scan


The client scan is performed the first time a resource protected by an assessment access rule is requested. To allow the
client scan to continue to assess the client computer during the session, you can enable a real time scan. When the real
time scan is enabled, the client will be scanned at the specified interval (default is set to 120 seconds) after the initial
scan.

Information
The real time scan is a global setting: when enabled, it applies to all resources protected
by an assessment access rule.

Client Scan Paths


There are several plug-ins available for use in assessment access rules, defining the client data required. When not using
a plug-in, you specify one or several client scan paths.
Client scan paths are used to specify paths to information types to collect during client scans. You define the information
paths per operating system. For Windows, you can define file, directory, registry key, or registry subkey paths.

Information
The client scan paths you add when creating assessment access rules are added to the
list on this tab.

You can select several check boxes to scan for different information, even if only part of the information is used as a
basis for assessment in accordance with specified access rules.

Information
If you create client scan paths (that require collection of information) when creating an
assessment access rule, the corresponding check boxes are selected automatically on this
page.

Available information types and corresponding client data that you can specify requirements for are displayed in the
table below.

Windows
Information type | Client Data | Client Scan Settings
File information | File attributes, File name, File digest, File time created, File time last written | Information path of the type File
Directory information | Directory name, Attributes | Information path of the type Directory
Registry key information | Registry name, Registry type, Registry value | Information path of the type Registry Key
Registry subkey information | Registry name, Registry type, Registry value | Information path of the type Registry Subkey
Process information | Process digest, Process name, Process ID | Enable collection of process information
Windows user information | Windows logon domain, Windows alternative domains, Windows user name, Windows logon server | Enable collection of Windows information
Windows domain information | Computer name, LAN group, Major version, Minor version, Platform ID | Enable collection of Windows information
Network interface information | Network interface address, TCP local address, TCP remote address, TCP status | Enable collection of network information
TCP port information | Local address, Local port, Remote address, Remote port, State | Enable collection of network information
UDP port information | Local address, Local port | Enable collection of network information

Table 9-24: Windows Information Types

Linux
Available in a future release
Mac OS X
Available in a future release
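An added example (not the PortWise client scan) showing how the File information client data of Table 9-24 can be collected and compared against an assessment rule's requirements; the digest algorithm, the rule format and the scanned sample file are assumptions constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

# Constructed sample content standing in for, say, a security product's signature file.
SAMPLE_CONTENT = b"signature database version 2009.03\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_CONTENT).hexdigest()


def write_constructed_sample():
    """Write the sample file to a temporary location and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sig")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_CONTENT)
    return path


def collect_file_information(path, digest_algorithm="sha256"):
    """Collect the client data listed for the File information type in Table 9-24.

    Returns None when the file does not exist. The digest algorithm is an
    assumption; the manual does not say which one the client scan uses.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    digest = hashlib.new(digest_algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    # Windows exposes the real file attribute bits; elsewhere fall back to mode bits.
    attributes = getattr(st, "st_file_attributes", None)
    if attributes is None:
        attributes = stat.filemode(st.st_mode)
    created = getattr(st, "st_birthtime", st.st_ctime)

    def to_iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "file_name": os.path.basename(path),
        "file_attributes": attributes,
        "file_digest": digest.hexdigest(),
        "file_time_created": to_iso(created),
        "file_time_last_written": to_iso(st.st_mtime),
    }


def assess_file(path, requirements):
    """Evaluate an assessment rule's requirements against the collected client data.

    requirements maps a client-data field (see Table 9-24) to its required value.
    Returns (allowed, list_of_failure_messages); a missing file always fails.
    """
    info = collect_file_information(path)
    if info is None:
        return False, ["required file is missing: " + os.path.basename(path)]
    failures = [
        "%s: expected %r, got %r" % (field, expected, info.get(field))
        for field, expected in requirements.items()
        if info.get(field) != expected
    ]
    return (not failures), failures
```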

Settings
Label | Mandatory | Description
Enable real time scan | No | Not selected by default.
Interval | (Yes) | Mandatory if Enable real time scan is selected. Set to 120 by default.

Table 9-25: Real Time Scan

Label | Mandatory | Description
Operating System | Yes | Available option is: Windows.
Information Type | Yes | Available options for Windows are: File, Directory, Registry Key, Registry Subkey. Set to File by default.
Information Path | Yes | Address of the selected information type.

Table 9-26: Client Scan Path

Label | Mandatory | Description
Enable collection of network information | No | Not selected by default.
Enable collection of process information | No | Not selected by default.
Enable collection of Windows information | No | Not selected by default.

Table 9-27: Windows

Advanced Settings
On this tab, you manage advanced assessment settings.

Display Resources in Application Portal


Select this option to display resources protected by assessment access rules in the Application Portal before the client
scan has been performed. Resources are then displayed even though the user may not have access to them.
When the option is not selected, only resources that the user is allowed access to are displayed. This is applicable when
an assessment access rule is included in the global access rule, resulting in the client scan being performed before the
user enters the Application Portal.

Assessment Client Loader


You specify which type of loader to use for the assessment client.
The options are:
• ActiveX - Java Applet
• ActiveX
• Java Applet

When the ActiveX - Java Applet option is selected, the loader uses ActiveX when available. If not, it uses the Java
Applet.

Settings
Label Mandatory Description
Display resources in Application Portal No Resources protected by an Assessment access rule are displayed in the Application Portal before the client scan has been performed. Selected by default.
Assessment Client Loader Yes Set to ActiveX - Java Applet by default.

Table 9-28: Advanced Settings

Plug-ins
On this tab, you add or delete plug-ins to be used in assessment access rules, as a basis for the client scan. The plug-ins
displayed here are located in the following folder: <PortWise installation folder>/files/policy-service/ep/plugins.
File names, version numbers, and descriptions of the plug-ins are displayed.
You can add a plug-in to this list by uploading it to the correct folder location. Use the Browse button to locate the
plug-in. The plug-in is uploaded when you click Save.

Settings
Label Mandatory Description
Plug-in No The name of the plug-in to upload.

Table 9-29: Upload Plug-in


Authentication Methods

About Authentication Methods


Authentication methods are used as requirements in access rules for authentication. An access rule can combine several
authentication methods and other requirements.
Different authentication methods provide various levels of security. The rule of thumb is: the more complex an authentication method, the more certain the identification of the individual.
When adding authentication methods, you are allowed to specify settings using extended properties. These include,
for example, Save credentials for SSO domain, Allow user not listed in any User Storage, or Lock user ID for session and
many more depending on which authentication method you choose.
The following authentication methods are supported in PortWise 4.7:
• PortWise authentication: Web, Challenge, Synchronized, OATH, Mobile Text, and Password
• RADIUS authentication: SecurID, SafeWord, and General RADIUS
• User Certificate
• LDAP authentication
• Active Directory authentication
• IBM authentication: Tivoli and RACF
• Novell eDirectory authentication
• Basic authentication
• NTLM authentication
• Extended User Bind authentication
• E-ID authentication
• E-ID Signer authentication
• Form-based authentication
• Windows integrated login
• Custom-defined authentication method

You can configure a total of 15 authentication methods.


PortWise Authentication Methods


The PortWise authentication methods are Password, Web, Synchronized, OATH, Challenge, and Mobile Text. They are
all based on the RADIUS protocol.
All PortWise authentication methods can be used on your laptop or desktop computer.
When using the Synchronized or Challenge methods, users install client applications on the device being used. When
using the Web authentication method, the installed client is either an ActiveX component or a Java applet.
Which authentication method to choose depends on your users’ needs. Consider the importance of mobility, device
flexibility, and level of security. Refer to each authentication method for more detailed information.
The authentication methods provide different levels of security, depending on their complexity.
Authentication Method (Device Type): RADIUS Client Activity -> RADIUS Server Activity

PortWise Mobile Text (PC, PDA, Cell Phone)
  User ID + Password -> Challenge: One-Time Password (OTP) by SMS
  User ID + OTP -> Accept or Reject

PortWise Password (PC)
  User ID + Password -> Accept or Reject

PortWise Challenge (PC, PDA, Cell Phone)
  User ID -> Challenge
  User ID + OTP (OTP: Seed+PIN+Challenge) -> Accept or Reject

PortWise Synchronized (PC, PDA, Cell Phone)
  User ID + OTP (OTP synchronized between client and server) -> Accept or Reject

PortWise OATH (PC, PDA, Cell Phone)
  User ID + OTP (OTP synchronized between client and server) -> Accept, Reject or resynchronize

PortWise Web (PC)
  User ID -> RADIUS package: Configuration, Encryption Key, Challenge
  Password (RADIUS package) -> Accept or Reject

Table 9-30: PortWise Authentication RADIUS Activity
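
The following Python program is an added illustration of the PortWise Challenge exchange in Table 9-30 and is not PortWise code. It plays both the RADIUS client and the RADIUS server: the first Access-Request carries only the user ID and is answered with a challenge, the second carries the OTP and is answered with Accept or Reject. The manual states only that the OTP is built from Seed+PIN+Challenge; the HMAC-SHA256 derivation, the 8-digit length, the packet field names and the demo user are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

OTP_DIGITS = 8  # assumed length of the one-time password


def derive_otp(seed: bytes, pin: str, challenge: str) -> str:
    """Client (Mobile ID) side: compute the response from seed, PIN and challenge.

    Assumed construction: HMAC-SHA256 keyed with the seed over PIN||challenge,
    truncated to OTP_DIGITS decimal digits. The manual only states that the
    OTP is derived from Seed+PIN+Challenge.
    """
    mac = hmac.new(seed, (pin + challenge).encode("utf-8"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class ChallengeServer:
    """RADIUS-server side of the exchange: issues challenges, verifies responses."""

    def __init__(self, users):
        self._users = users      # user_id -> (seed, pin); constructed records
        self._pending = {}       # user_id -> outstanding challenge (single use)

    def access_request(self, user_id, otp=None):
        """Handle one Access-Request; returns (reply_code, attributes)."""
        if otp is None:
            # Step 1: only the user ID is presented. A challenge is issued whether
            # or not the user is known, so this reply does not reveal valid IDs.
            challenge = secrets.token_hex(4).upper()
            self._pending[user_id] = challenge
            return ("Access-Challenge", {"Reply-Message": "Challenge " + challenge})
        # Step 2: user ID + OTP. The challenge is consumed, so a replayed OTP fails.
        challenge = self._pending.pop(user_id, None)
        record = self._users.get(user_id)
        if challenge is None or record is None:
            return ("Access-Reject", {})
        seed, pin = record
        expected = derive_otp(seed, pin, challenge)
        if hmac.compare_digest(expected.encode(), otp.encode()):
            return ("Access-Accept", {})
        return ("Access-Reject", {})


def run_exchange(server, user_id, seed, pin):
    """Play the client side; returns the list of (request, reply) steps."""
    transcript = []
    code, attrs = server.access_request(user_id)
    transcript.append((("Access-Request", user_id), (code, attrs)))
    if code != "Access-Challenge":
        return transcript
    challenge = attrs["Reply-Message"].split()[-1]
    otp = derive_otp(seed, pin, challenge)   # the user types the PIN into the client
    code, attrs = server.access_request(user_id, otp)
    transcript.append((("Access-Request", user_id, otp), (code, attrs)))
    return transcript


# Constructed demo data: one enrolled user with a fixed seed and PIN.
DEMO_SEED = bytes(range(1, 17))
DEMO_USERS = {"alice": (DEMO_SEED, "2468")}


def demo():
    """Run the four cases: correct PIN, wrong PIN, unknown user, replayed OTP."""
    server = ChallengeServer(DEMO_USERS)
    ok = run_exchange(server, "alice", DEMO_SEED, "2468")[-1][1][0]
    bad_pin = run_exchange(server, "alice", DEMO_SEED, "0000")[-1][1][0]
    unknown = run_exchange(server, "mallory", DEMO_SEED, "2468")[-1][1][0]
    steps = run_exchange(server, "alice", DEMO_SEED, "2468")
    used_otp = steps[-1][0][2]
    replay = server.access_request("alice", used_otp)[0]
    return ok, bad_pin, unknown, replay


if __name__ == "__main__":
    print(demo())
```

Two design points in the example are worth noting. The challenge is issued whether or not the user ID is known, so the first reply cannot be used to tell registered user IDs from unknown ones (the concern raised under the extended property PortWise account required before authentication), and each challenge is removed when the response arrives, so an OTP that has already been used is rejected if presented again.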

About PortWise Mobile Text


The PortWise Mobile Text authentication method is based on a combination of a PIN and a one-time password (OTP) distributed via an SMS channel.
When using Mobile Text authentication, users enter the PIN code on the Web logon page while an OTP is generated and
distributed to the user’s cell phone.
The PortWise Mobile Text authentication method can be used on a mobile device such as a handheld PC or a cell phone,
as well as on an ordinary desktop PC or Macintosh computer.
Mobile Text supports the following distribution channels:


Protocol: SMTP, CIMD, SMPP
Native SMS Distributors: Telia HTTPS, Netsize, Verisign HTTPS
Server Instances: Kannel

Table 9-31: Mobile Text Distribution Channels

You can configure several channels. Configure more than one SMS channel to be used in case the primary fails.
All authentication and notification messages are sent via mobile text to the cell phone number or e-mail address registered to that specific user account. This is done on the User Account PortWise Authentication Settings page.
When Allow Two-step Authentication is selected, the authentication is distributed over two sessions: the first one to make the server send the OTP to the mobile phone, and the second one to log on with the OTP.
The authentication method Mobile Text relies on the RADIUS protocol.

About PortWise Web


When using the authentication method PortWise Web, users enter their user ID and a Java applet or ActiveX component
is launched, prompting the users to enter a password or PIN. The password or PIN is then hashed and encrypted before
it is returned to the server.

Information
PortWise Web cannot be used for tunnel resource access when using the installable Access Client stand-alone.

When a new PortWise user account is registered and the PortWise Web authentication method is enabled, the password or PIN is created and distributed to the user.

Note
The PortWise Web authentication method can only be used with the Access Point.

PortWise Web can be used for authentication on your laptop or desktop computer.

The Web authentication method relies on the RADIUS protocol.

About PortWise Challenge


The PortWise authentication method Challenge can be used for authentication in a Web browser, WAP client, or with
a PDA. Users enter their user ID, and are prompted (challenged) to provide private information (the response) to be
allowed access.
The challenge-response technique is most often used with a hardware token that generates the response. In PortWise Challenge, however, the Mobile ID software client generates the response. Users enter their PIN in the Mobile ID Challenge client and the OTP is created instantaneously.
Mobile ID clients can be installed and stored on a mobile device such as a handheld PC or a cell phone, as well as on
your laptop or desktop computer.
The PortWise Challenge authentication method relies on the RADIUS protocol.


About PortWise Password


The authentication method PortWise Password is based on static password authentication. A static password is created
and maintained for authenticating remote access with a RADIUS client.
The PortWise Password authentication method relies on the RADIUS protocol.

About PortWise Synchronized


The authentication method PortWise Synchronized can be used for authentication in a Web browser, WAP client, or with
a PDA. Users enter their user ID and are prompted to enter a one-time password (OTP) to be allowed access.
In PortWise Synchronized, a software client (Mobile ID) is integrated, generating the OTP. Users enter their PIN in the
Mobile ID client and the OTP is created instantaneously.
The Mobile ID client can be installed and stored on a mobile device, such as a handheld PC or a cell phone, as well as
on your laptop or desktop computer.
The authentication method PortWise Synchronized relies on the RADIUS protocol.

About PortWise OATH


The authentication method PortWise OATH can be used for authentication in a Web browser, WAP client, or with a PDA.
Users enter their user ID and are prompted to enter a one-time password (OTP) to be allowed access.
In PortWise OATH, a hardware token is required to generate the OTP. How the OTP is generated is vendor-dependent; see the documentation from your OATH token vendor for that information.
The authentication method PortWise OATH relies on the RADIUS protocol.
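
As an added illustration of the Accept, Reject or resynchronize outcome listed for PortWise OATH in Table 9-30, the following Python code implements event-based OATH HOTP (RFC 4226) verification with a look-ahead window. It is not PortWise code and does not describe any particular vendor's token; the window size of 5, the token and verifier classes and the demo scenario are assumptions for the example. The secret is the RFC 4226 test-vector key, so the first OTPs are the values published there.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class HardwareToken:
    """Event-based OATH token (assumed model): every button press yields the next OTP."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def press(self):
        otp = hotp(self.secret, self.counter)
        self.counter += 1
        return otp


class OathVerifier:
    """Server-side HOTP validation with a look-ahead window.

    Outcomes mirror Table 9-30: Accept (counters in step), Resynchronize (the
    token is ahead but inside the window) or Reject.
    """

    def __init__(self, secret, counter=0, look_ahead=5):
        self.secret = secret
        self.counter = counter          # next counter value the server expects
        self.look_ahead = look_ahead    # assumed window size

    def verify(self, otp):
        for step in range(self.look_ahead + 1):
            candidate = hotp(self.secret, self.counter + step)
            if hmac.compare_digest(candidate.encode(), otp.encode()):
                # Move past the accepted counter so the same OTP cannot be replayed.
                self.counter += step + 1
                return "Accept" if step == 0 else "Resynchronize"
        # No candidate matched: the counter is left untouched.
        return "Reject"


def demo():
    """Walk through in-step, drifted, replayed and out-of-window OTPs."""
    secret = b"12345678901234567890"    # RFC 4226 test secret, used as demo data
    token = HardwareToken(secret)
    server = OathVerifier(secret)
    in_sync = server.verify(token.press())       # counter 0 on both sides -> Accept
    for _ in range(3):
        token.press()                            # presses without logging in
    drifted = server.verify(token.press())       # token at 4, server at 1 -> Resynchronize
    replayed = server.verify(hotp(secret, 4))    # same OTP presented again -> Reject
    for _ in range(10):
        token.press()
    too_far = server.verify(token.press())       # token at 15, window ends at 10 -> Reject
    return in_sync, drifted, replayed, too_far


if __name__ == "__main__":
    print(demo())
```

After a Resynchronize outcome the server counter is advanced to just past the accepted value, which is what keeps a drifted token usable without letting an already-used OTP be accepted twice; a token that has drifted beyond the window stays rejected until it is re-enrolled or resynchronized by an administrator.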

Additional Authentication Methods


These are the supported additional authentication methods:
• SafeWord
This authentication method supports Secure Computing SafeWord hardware tokens, which generate an OTP.
• SecurID
This authentication method supports RSA SecurID tokens that generate an OTP.
• LDAP
This authentication method performs a normal LDAP bind.
• Active Directory
The Active Directory authentication method is an LDAP bind authentication method with the option of letting the user change password. This functionality is only supported with Microsoft Active Directory (AD) servers. The directory service must be configured for SSL communication, since this functionality is only allowed over SSL.
• IBM Tivoli and IBM RACF
The IBM authentication methods are LDAP bind authentication methods with the option of letting the user change password.
• Novell eDirectory
The Novell eDirectory authentication method is an LDAP bind authentication method with the option of letting the user change password.


• User Certificate
The User Certificate authentication method leverages user/certificate attribute mapping. If and only if there
is an exact, unique match between the configured certificate attribute and the user attribute, the user is
authenticated.
• NTLM
The NTLM authentication method is an authentication protocol used in various Microsoft network protocol
implementations.
• Basic
This authentication method performs a basic authentication according to RFC 2617, “HTTP Authentication:
Basic and Digest Access Authentication”.
• General RADIUS
The general RADIUS authentication method is an authentication protocol that can be used with any RADIUS-
compliant authentication server.
• Extended User Bind
The Extended User Bind authentication method adds an extended form of user data retrieval, parsing, and matching between the user-presented certificate and the LDAP user object.
• Form Based Authentication
• Windows Integrated Login
Windows Integrated Login authentication enables Windows domain credentials to be reused. For example,
users do not have to log on to the Application Portal when it is protected by Windows Integrated Login
authentication. User credentials are retrieved from the client, and not entered by the user.
• E-ID
A consortium of Scandinavian banks has agreed on a standard service for electronic authorization and signing
over the Internet.
• E-ID Signer
Using E-ID, the client can authorize an order or a document by signing.
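
An added example (not PortWise code) of the User Certificate rule above: a certificate attribute is mapped onto a user attribute, and only an exact, unique match authenticates. The directory entries, the attribute names and the subject string format are constructed for this illustration.

```python
import re

# Constructed user directory entries (not from the PortWise manual).
USER_DIRECTORY = [
    {"uid": "alice", "mail": "alice@example.com", "employeeNumber": "1001"},
    {"uid": "bob", "mail": "bob@example.com", "employeeNumber": "1002"},
    {"uid": "bob.old", "mail": "bob@example.com", "employeeNumber": "1003"},  # stale duplicate
]


def parse_subject_dn(subject_dn):
    """Split a 'CN=...,O=...' subject string into an {attribute: value} dict.

    Handles backslash-escaped commas inside values; multi-valued RDNs joined
    with '+' are not handled, which is enough for this illustration.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", subject_dn):
        key, _, value = rdn.strip().partition("=")
        attrs[key.strip()] = value.replace("\\,", ",")
    return attrs


def map_certificate_to_user(cert_value, user_attr, directory):
    """Return (user_id, reason). Only an exact and unique match authenticates."""
    # Exact comparison: no case folding, no prefix or substring matching.
    matches = [entry for entry in directory if entry.get(user_attr) == cert_value]
    if len(matches) == 1:
        return matches[0]["uid"], "authenticated"
    if not matches:
        return None, "no match"
    # Two or more directory entries carry the value: the mapping is ambiguous,
    # so the user is refused rather than guessing which account was meant.
    return None, "ambiguous"


def authenticate_certificate(subject_dn, cert_attr, user_attr, directory):
    """Full check: pull cert_attr out of the subject and map it onto user_attr."""
    cert_value = parse_subject_dn(subject_dn).get(cert_attr)
    if not cert_value:
        return None, "certificate attribute missing"
    return map_certificate_to_user(cert_value, user_attr, directory)


if __name__ == "__main__":
    print(authenticate_certificate("CN=Alice,emailAddress=alice@example.com",
                                   "emailAddress", "mail", USER_DIRECTORY))
```

The duplicate mail value on the two bob entries shows why the uniqueness half of the rule matters: a directory that is not kept clean turns a valid certificate into an ambiguous identity, and the safe outcome is to refuse rather than to pick one of the candidates. Note that the CA check listed in Table 9-47 happens before this mapping; the example assumes the certificate has already been validated.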

Manage Authentication Methods


You add authentication methods using the Add Authentication Method wizard. Each step of the wizard is represented
by a tab when editing a specific authentication method.
The steps and tabs are:
• General settings
• RADIUS replies
• Extended properties

Note
The settings for all available authentication methods are listed in the Settings section
below.


General Settings
All authentication methods have a display name and the option to enable the authentication method. All authentication
methods are enabled by default. For the PortWise authentication methods, the display name is used as display name in
the Select Authentication Method dialog when logging on to the Application Portal.
Some authentication methods (listed below) have a template specification, which defines the physical appearance of the
authentication method logon dialog. The specified Template Name is sent to the Policy Service enabled application
which has a corresponding template file on the local server.
All PortWise Mobile ID authentication methods, and most of the supported additional authentication methods (listed
below), need one or several authentication method servers.
The authentication method server settings include:
• Host and port
• Different search methods to locate users in the directory service structure for authentication

Settings
Label Mandatory Description
Enable authentication method No Selected by default.
Display Name Yes Unique name used in the system to identify the authentication method.

Table 9-32: Common General Settings

Label Mandatory Description
Template Name No Template presented to the user.
Template Specification Yes Set of values used by the template.

Table 9-33: Active Directory Authentication

Label Mandatory Description
Template Name No Template presented to the user.
Template Specification Yes Set of values used by the template.

Table 9-34: Basic Authentication

Label Mandatory Description
Template Name No Template presented to the user.

Table 9-35: Challenge Authentication

Label Mandatory Description
Template Name No Template presented to the user.
Template Specification Yes Set of values used by the template.
Class Name Yes Executable authentication method implementation.
Certificate Authority No CA used to validate the identity of the individual holding the user certificate.

Table 9-36: Custom-defined Authentication

Label Mandatory Description
Template Name No Template presented to the user.
Template Specification Yes Set of values used by the template.

Table 9-37: Form-Based Authentication

Label Mandatory Description
Template Name No Template presented to the user.
Template Specification Yes Set of values used by the template.

Table 9-38: General RADIUS Authentication

Label Mandatory Description
Template Name No Template presented to the user.
Template Specification Yes Set of values used by the template.

Table 9-39: LDAP Authentication

Label Mandatory Description
Template Name Yes Template presented to the user.
Allow Two-Step Authentication No Not selected by default.

Table 9-40: Mobile Text Authentication

Label Mandatory Description
Template Name Yes Template presented to the user.
Template Specification Yes Set of values used by the template.

Table 9-41: NTLM Authentication

Label Mandatory Description
Template Name Yes Template presented to the user.

Table 9-42: Password Authentication


Label Mandatory Description
Template Name Yes Template presented to the user.
Template Specification Yes Set of values used by the template.

Table 9-43: SafeWord Authentication

Label Mandatory Description
Template Name Yes Template presented to the user.
Template Specification Yes Set of values used by the template.

Table 9-44: SecurID Authentication

Label Mandatory Description
Template Name Yes Template presented to the user.
Template Specification Yes Set of values used by the template.

Table 9-45: Synchronized Authentication

Label Mandatory Description
Template Name Yes Template presented to the user.
Template Specification Yes Set of values used by the template.

Table 9-46: OATH Authentication

Label Mandatory Description
Certificate Authority Yes CA used to validate the identity of the individual holding the user certificate.

Table 9-47: User Certificate Authentication

Label Mandatory Description
Template Name Yes Template presented to the user.

Table 9-48: Web Authentication

Label Mandatory Description
Template Name Yes Template presented to the user.

Table 9-49: Windows Integrated Login Authentication

Label Mandatory Description
Template Name No Template presented to the user.

Table 9-50: IBM Tivoli Authentication

Label Mandatory Description
Template Name No Template presented to the user.

Table 9-51: IBM RACF Authentication

Label Mandatory Description
Template Name No Template presented to the user.

Table 9-52: Novell eDirectory Authentication


Authentication Method Server


You need to register at least one Authentication method server for authentication methods using RADIUS.
You specify host, port, and time-out interval in milliseconds. You also need to specify a shared secret, used when authenticating users with this authentication method.

Settings

Note
Only the PortWise authentication methods and the additional methods Active Directory, E-ID, E-ID Signer, Custom-defined, Extended User Bind, Form Based, General RADIUS, NTLM, SafeWord, and Windows Integrated Login require a registered authentication method server.

Label Mandatory Description
Host Yes IP address or the DNS name of the authentication method server.

Table 9-53: Common Authentication Method Server Settings

Label Mandatory Description
Port Yes Port for the authentication method server. Set to 636 by default.
Account Yes Distinguished Name or Principal Name of the administrator for the Active Directory server.
Time-out Yes Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
Password Yes Password used when binding to the Active Directory server.
Root DN Yes Root DN in Active Directory where the system searches for the user.

Table 9-54: Active Directory Authentication

Label Mandatory Description
Port Yes Port for the authentication method server. Set to 8899 by default.
Path Yes Underlying path on host. Path must start with a /. Set to / by default.
Time-out Yes Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
Service Identifier Yes Parameter that is identical to the service identifier configured in the Nexus MultiID core server.
Service Connection Time-out No Maximum time for a server connection to be established. Set to 1000 by default.
Server Unavailable Interval No Number of connection retries for servers which are not responding.

Table 9-55: E-ID Authentication

Label Mandatory Description
Port Yes Port for the authentication method server. Set to 8899 by default.
Time-out Yes Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
Path Yes Underlying path on host. Path must start with a /. Set to / by default.
Service Identifier Yes Parameter that is identical to the service identifier configured in the Nexus MultiID core server.
Service Connection Time-out No Maximum time for a server connection to be established. Set to 1000 by default.
Server Unavailable Interval No Number of connection retries for servers which are not responding.

Table 9-56: E-ID Signer

Label Mandatory Description
Port Yes Port for the authentication method server. Set to 8899 by default.
Time-out Yes Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
Path Yes Path to the logon page that is accessed by the authentication method server during the authentication process. Path must start with a /.
Use SSL No Protocol to use in the communication.
Server Certificate No Server certificate used to validate the certificates presented by other servers.

Table 9-57: Basic Authentication


Label Mandatory Description
Enable authentication method No Selected by default.
Display Name Yes Lists Display Names of registered Authentication Services.
Port Yes Port for the authentication method server.
Time-out Yes Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces No Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Table 9-58: Challenge Authentication

Label Mandatory Description
Port Yes Port for the authentication method server.
Listen to all interfaces No Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Table 9-59: Custom-defined Authentication

Label Mandatory Description
Port Yes Port for the authentication method server. Set to 389 by default.
User Root DN Yes Defines the directory service root, where to start to search for users.
Attribute Name Yes Name for user objects in the directory service, usually object class.
Attribute Value Yes Object class for user objects in the directory service.
Search Scope Yes Search scope used when searching for objects in the directory service. Available options are: Sub-tree, Object Level, One Level. Set to Sub-tree by default.
User DN Yes User DN used when performing the search.
User Password Yes User password used when performing the search.

Table 9-60: Extended User Bind Authentication

Label Mandatory Description
Port Yes Port for the authentication method server.
Time-out Yes Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
Use SSL No Protocol used in the communication.
Server Certificate No Server certificate used to validate the certificates presented by other servers.

Table 9-61: Form-based Authentication

Label Mandatory Description
Enable authentication method No Selected by default.
Display Name Yes Lists Display Names of registered Authentication Services.
Port Yes Port for the authentication method server.
Time-out Yes Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces No Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Table 9-62: General RADIUS Authentication

Label Mandatory Description
Enable authentication method No Selected by default.
Display Name Yes Lists Display Names of registered Authentication Services.
Port Yes Port for the authentication method server.
Time-out Yes Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces No Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Table 9-63: Mobile Text Authentication

Label Mandatory Description
Port Yes Port for the authentication method server.
Time-out Yes Time the client waits for an authentication method server reply before trying to connect to the next authentication server in the list. Set to 5000 by default.
Path Yes Path to the logon page that is accessed by the authentication method server during the authentication process.
Domain Yes Domain the authentication method server belongs to.
Use SSL No Protocol used in the communication.
Server Certificate No Server certificate used to validate the certificates presented by other servers.

Table 9-64: NTLM Authentication

Label Mandatory Description
Enable authentication method No Selected by default.
Display Name Yes Lists Display Names of registered Authentication Services.
Port Yes Port for the authentication method server.
Time-out Yes Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces No Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Table 9-65: Password Authentication

Label Mandatory Description
Port Yes Port for the authentication method server.
Time-out Yes Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Shared Secret Yes Secret shared between the RADIUS client and the RADIUS server.
Listen to all interfaces No Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Table 9-66: SafeWord Authentication

Label Mandatory Description
Enable authentication method No Selected by default.
Display Name Yes Lists Display Names of registered Authentication Services.
Port Yes Port for the authentication method server.
Time-out Yes Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces No Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Table 9-67: Synchronized Authentication

Label Mandatory Description
Port Yes Port for the authentication method server. Set to 636 by default.
Enable authentication method No Selected by default.
Display Name Yes Lists Display Names of registered Authentication Services.
Port Yes Port for the authentication method server.
Time-out Yes Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces No Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Table 9-68: OATH Authentication

Label Mandatory Description
Enable authentication method No Selected by default.
Display Name Yes Lists Display Names of registered Authentication Services.
Port Yes Port for the authentication method server.
Time-out Yes Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces No Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Table 9-69: Web Authentication

Label Mandatory Description
Port Yes Port for the authentication method server. Set to 636 by default.
Account Yes Distinguished Name or Principal Name of the administrator for the directory server.
Time-out Yes Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
Password Yes Password used when binding to the directory server.
Users Root DN Yes Root DN in IBM Tivoli where the system will search for users.
Password Policy DN Yes Password Policy DN specifies the location of the IBM Tivoli Password Policy object.

Table 9-70: IBM Tivoli Authentication

Label Mandatory Description
Port Yes Port for the authentication method server. Set to 636 by default.
Account Yes Distinguished Name or Principal Name of the administrator for the directory server.
Time-out Yes Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
Password Yes Password used when binding to the directory server.
Users Root DN Yes Root DN in IBM RACF where the system will search for users.
Expiration message (reg-exp) Yes Regular expression matching the error message IBM RACF returns at logon when the password has expired. Specify the error code here if it differs from the default.

Table 9-71: IBM RACF Authentication

Label Mandatory Description
Port Yes Port for the authentication method server. Set to 636 by default.
Account Yes Distinguished Name or Principal Name of the administrator for the directory server.
Time-out Yes Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
Password Yes Password used when binding to the directory server.
Users Root DN Yes Root DN in Novell eDirectory where the system will search for users.

Table 9-72: Novell eDirectory Authentication

Label Mandatory Description
Port Yes Port for the authentication method server.
Time-out Yes Time in milliseconds the client waits for an authentication method server reply before trying to connect to the next authentication server in the list. Set to 5000 by default.
Path Yes Path to the logon page that is accessed by the authentication method server during the authentication process.
Use SSL No Protocol used in the communication.
Server Certificate No Server certificate used to validate the certificates presented by other servers.

Table 9-73: Windows Integrated Login Authentication

RADIUS Replies
All authentication methods using RADIUS have a number of pre-configured RADIUS replies associated. These replies
can be edited, and it is also possible to add new ones.
Each RADIUS reply consists of a name and a so-called matching string, which is the actual reply presented to users.
When the name and string match, the authentication method responds using the appropriate template specification,
set in Template Name on the General Settings page.

Example
Name: WebCurrentPwd
Matching String: Enter current password. Challenge %. Configuration %
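
The following Python code is an added illustration, not PortWise code, of how a matching string such as the one in the Example above can be applied to the text of a RADIUS challenge and used to pick a template. It assumes that % stands for the variable part of the server text (the manual does not define the wildcard) and uses constructed reply names and template names.

```python
import re

# Constructed RADIUS replies, modelled on the WebCurrentPwd example in the manual.
# '%' is treated as a wildcard for the variable part of the server text (assumption).
RADIUS_REPLIES = [
    ("WebCurrentPwd", "Enter current password. Challenge %. Configuration %"),
    ("WebNewPwd", "Enter new password"),
]

# Constructed mapping from reply name to the template that renders it.
TEMPLATES = {
    "WebCurrentPwd": "web-current-password",
    "WebNewPwd": "web-new-password",
}


def compile_matching_string(matching_string):
    """Turn a matching string into a regex; every % becomes a capture group.

    The literal parts are escaped, so '.' and other regex characters in the
    configured string match themselves only.
    """
    literal_parts = [re.escape(part) for part in matching_string.split("%")]
    return re.compile("(.*?)".join(literal_parts), re.DOTALL)


def match_reply(reply_message, replies=RADIUS_REPLIES):
    """Find the first configured reply whose matching string fits the whole server text.

    Returns (reply_name, captured_values); (None, []) when nothing matches.
    fullmatch() is used so a matching string cannot match a mere prefix.
    """
    for name, matching_string in replies:
        found = compile_matching_string(matching_string).fullmatch(reply_message)
        if found:
            return name, list(found.groups())
    return None, []


def choose_template(reply_message, replies=RADIUS_REPLIES, templates=TEMPLATES):
    """Select the template for a RADIUS challenge text, or (None, []) if unrecognised.

    An unrecognised challenge is not rendered verbatim: the raw text comes
    from the RADIUS server and is treated as untrusted input.
    """
    name, values = match_reply(reply_message, replies)
    if name is None:
        return None, []
    return templates[name], values


if __name__ == "__main__":
    print(choose_template("Enter current password. Challenge A1B2C3. Configuration 42"))
```

The captured values (the challenge and configuration strings in the example) are what a template specification would substitute into the logon dialog; everything else in the server text has to match the configured string exactly.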

Settings

Note
Only PortWise Mobile ID authentication methods and General RADIUS, SafeWord, and
SecurID support RADIUS replies.

Label Mandatory Description
Name Yes Name of the RADIUS reply.
RADIUS Reply Matching String Yes Textual string used by the authentication method to match the RADIUS server challenge text.

Table 9-74: Common RADIUS Replies Settings

Label Mandatory Description
Template Specification Yes Set of values used by the template.

Table 9-75: General RADIUS Authentication

Label Mandatory Description
Template Specification Yes Set of values used by the template.

Table 9-76: SafeWord Authentication


Label Mandatory Description
Template Specification Yes Set of values used by the template.

Table 9-77: SecurID Authentication

Extended Properties
Authentication methods may also have a number of extended properties, allowing you to further customize how authentication should be handled.
Some extended properties are used uniquely for specific authentication methods; others are global Policy Service settings that do not affect the authentication method behavior. To facilitate administration, however, they are managed on each applicable authentication method.
The global Policy Service settings used as extended properties are:

User attribute
When specified, only users associated with the specified user ID attribute are allowed authentication.
Applicable when the authentication method uses a different attribute name than the default attribute name for authentication.

Example
mail (As opposed to default attribute names cn or samAccountName.)

User name may not change during session


This extended property is added to the authentication method by default.
When set to true, only the user ID associated with a user account is allowed authentication.
Before authentication, the Policy Service searches the directory service for the user ID using specified search rules. If the user ID has a PortWise account (or a PortWise account can be created), and the user ID exactly matches the PortWise account, the user is allowed for authentication.
If the user ID cannot be found, or if the user ID used for authentication does not match the PortWise account, the user
is not allowed for authentication.
Applicable when you want to restrict the use of different user IDs, to eliminate the possibility for several different users
to authenticate during one session.
Set to true by default.

Allow user not listed in any User Storage
When set to true, users can be authenticated without a PortWise user account. All access rules of the type user group membership are ignored.

Information
Note the following when using this extended property with the authentication method E-ID:

When set to true, and the E-ID certificate attribute and E-ID user attribute are not specified, the user ID is set to the Subject DN from the certificate.

When set to true, and the E-ID certificate attribute is specified as for example “cn”, the user ID is set to the certificate’s cn.

Set to false by default.

PortWise account required before authentication
When set to true, only user IDs associated with a user account are allowed for authentication.
Before authentication, the Policy Service searches the directory service for the user ID using the specified search rules. If the user ID has a PortWise account (or a PortWise account can be created), the user is allowed for authentication.
If the user ID cannot be found in the directory service, the user is not allowed for authentication.

Important
It is not recommended to add this extended property to authentication methods where only the user ID is used in the initial authentication step. This can be considered a security threat, since the differing responses make it possible to tell which user IDs are known to the system and which are not (user enumeration).

Set to true by default.

Save credentials for SSO domain
When specified, the Policy Service performs an SSO credential update after successful authentication, using the credentials provided by the user.

Lock User ID to Session
When set to true, the user ID is locked for this session to ensure that the user ID is not used for several requests simultaneously. This will result in a two-step challenge, performed for user ID and password respectively.
All extended properties for each authentication method are listed below.

Settings
Extended Property | Used In | Comment
User attribute | All | This is a global Policy Service setting.
User attribute | User Certificate | User storage attribute that is mapped to the certificate attribute.
User name may not change during session | All | This is a global Policy Service setting, added to the authentication method by default. Set to true by default.
Allow user not listed in any User Storage | All | This is a global Policy Service setting. Set to false by default.
PortWise account required before authentication | All | This is a global Policy Service setting. Set to false by default.
Save credentials for SSO Domain | Active Directory, Basic, Custom-defined, Form-based, LDAP, NTLM, Password | This is a global Policy Service setting.
Lock User ID to Session | General RADIUS, SafeWord, SecurID | This is a global Policy Service setting. Set to true by default.
Warning before password expires | Active Directory, General RADIUS | This extended property is added to the Active Directory authentication method by default. Set to 7 by default.
Locale | Active Directory, General RADIUS | This extended property is added to the authentication method by default. Set to US (American English) by default. Mandatory.
E-ID user attribute | E-ID | LDAP user attribute used to map the user to a user in the directory service. Mandatory when E-ID certificate attribute mapping is specified for mapping.
Enable IBM CBT | E-ID | The IBM CBT client. This extended property is added to the E-ID authentication methods by default. Set to false by default.
Enable Nexus Personal | E-ID | The Nexus Personal client. This extended property is added to the E-ID authentication methods by default. Set to false by default.
Enable Netmaker NetID | E-ID | The Netmaker NetID client. This extended property is added to the E-ID authentication methods by default. Set to false by default.
Enable Nexus Personal XML DigSig | E-ID | The Nexus Personal client which authenticates using a plugin generating XML DigSig signatures. This extended property is added to the E-ID authentication methods by default. Set to false by default.
Nexus Personal CA Names | E-ID | Specify a list of CA Certificate Display Names of the issuers of the user certificates used for the Nexus Personal client. Wildcards can be used. If not specified, a list of all certificates available for the user is presented at logon.
Netmaker NetID CA Names | E-ID | Specify a list of CA Certificate Display Names of the issuers of the user certificates used for the Netmaker NetID client. Wildcards can be used. If not specified, a list of all certificates available for the user is presented at logon.
E-ID certificate attribute mapping | E-ID | LDAP certificate attribute used to map the user to the correct certificate. Mandatory when E-ID user attribute is specified for mapping.
OSIF Provider ID IBM-CBT | E-ID | The Provider ID to use when communicating with OSIF when validating signatures created using IBM CBT.
OSIF Provider ID Nexus Personal | E-ID | The Provider ID to use when communicating with OSIF when validating signatures created using client SSL with Nexus Personal.
OSIF Provider ID Netmaker NetID | E-ID | The Provider ID to use when communicating with OSIF when validating signatures created using client SSL with Netmaker NetID.
OSIF Provider ID Nexus Personal XML DigSig | E-ID | The Provider ID to use when communicating with OSIF when validating signatures created using Nexus Personal’s authentication plugin creating XML DigSig signatures.
OSIF Service Communication protocol | E-ID | Whether HTTP or HTTP over SSL (HTTPS) is to be used; HTTPS is the default. Example: “http://”
OSIF Policy parameter | E-ID | The policy to set in each message sent to the OSIF server.
Service Host Alternative FQDN | E-ID | Used in verification requests sent to OSIF. The variable is named “host” in the OSIF specification.
Keys for additional extended properties | Custom-defined | Additional extended properties.
User bind attribute | Extended User Bind | (UBA) Actual value of the user attribute to be bound to.
UBAX | Extended User Bind | Integer (0-4) that contains the user attributes used in the pattern below.
UBA pattern | Extended User Bind | One or several UBAX, concatenated by the sign ‘+’ and any character within quotation marks.
Certificate bind attribute | Extended User Bind | (CBA) Actual certificate attribute to be bound to.
CBAX | Extended User Bind | Integer (0-4) that contains the user attributes used in the pattern below.
CBA pattern | Extended User Bind | One or several CBAX, concatenated by the sign ‘+’ and any character within quotation marks.
Method | Form-based | Set to POST by default. Mandatory.
Form action | Form-based | Path that defines the URL to GET or POST data to. Mandatory.
Form data | Form-based | Definition of the data sent to the server. The variables [$username], [$password] and [$domain] can be used for dynamic replacement with the internal user name, password and NTLM domain. Mandatory.
Verification URL | Form-based | Path that defines the URL to which the response from the form action is sent to verify whether the logon has succeeded. Must be an absolute URL. If no path is entered, the response of the POST or GET is evaluated.
Form response | Form-based | Text string included in the response, used to decide if the authentication is successful or unsuccessful. Mandatory.
Form response interpretation | Form-based | When set to Success, the authentication is treated as successful if the text specified in Form Response is included in the response. When set to another value, the authentication is treated as not successful if the text specified in Form Response is included in the response.
Additional headers | Form-based | Defines additional headers that are added to the internal request and sent to the resource. Several additional headers can be added, each containing a name and a value.
Certificate attribute mapping | User Certificate | Certificate attribute to map to the user attribute in user storage. Note that you need to enter both a certificate attribute and a user attribute for a successful mapping.
OCSP AIA | User Certificate | If this extended property is enabled, an OCSP request is performed to verify the revocation status of the client certificate. The OCSP Provider URL is retrieved from the Authority Information Access (AIA) extension in the client certificate. Set to false by default.
OCSP Responder URL | User Certificate | Specifies the OCSP Responder URL. Set this extended property when client certificates do not have the AIA extension. If this extended property is specified, an OCSP request is performed to verify the revocation status of the client certificate. This setting overrides the “OCSP AIA” extended property. For example: http://ocsp.example.net:80
OCSP Certificate Name | User Certificate | Specifies the OCSP certificate to use when performing OCSP requests. If the OCSP server requires another certificate than the CA certificate associated with this method, set the value to that CA certificate’s display name.
Enable certificate logging | User Certificate | If this extended property is enabled, the system logs to a dedicated certificate log file. The name of the method is used as the filename, and each log line consists of the following elements, separated by spaces: Date (yyyy-mm-dd), Time (hh:mm:ss), Level (INFO or WARNING), Certificate method name, Issuer-DN, Subject-DN, Not before date (yyyy-mm-dd), Not after date (yyyy-mm-dd). Set to false by default.
Certificate log folder | User Certificate | Specifies in which folder to place the certificate log file. Set to logs by default.
Certificate log rotation max files | User Certificate | Specifies the maximum number of rotated certificate log files. Set to 3 by default.
Certificate log rotation max size (kB) | User Certificate | Specifies the maximum size of each certificate log file. Set to 1000 by default.
Certificate logging on successful authentication only | User Certificate | If this extended property is disabled, the system also logs when certificate authentication fails. Set to true by default.
ActiveSync DeviceID Locking | Active Directory, Password, General RADIUS, Form-based, Challenge | Enable this extended property when using ActiveSync. When enabled, the system locks the device ID to the LDAP user. The device ID is registered automatically when performing the first synch. To register a new phone or PDA, simply remove the user’s custom-defined attribute “DeviceID” and re-synch. Set to false by default.
Force create user | All | If this extended property is enabled, the PortWise account is created on successful login. When disabled, the PortWise account is only created and linked if the user is found in any User Storage. Set to false by default.
Create user on failed logon | All | If this extended property is enabled, the PortWise account is created on failed logon. It is recommended to enable this when the back-end authentication service is unable to lock the user after a number of invalid authentication attempts. Set to false by default.
Reveal RADIUS reject reason | Password, Web, Synchronized, Mobile Text, Challenge, OATH | If this extended property is enabled, the reject reason is displayed to the client. Set to false by default.
RADIUS character encoding | Password, Web, Synchronized, Mobile Text, Challenge, OATH | Specifies the character encoding used when formatting all RADIUS attribute values. Set to UTF-8 by default.
Use Admin for password change | IBM RACF | If this extended property is enabled, the password change is performed using the administrator’s credentials from the mechanism server. Set to false by default.

Table 9-78: Extended Properties


Authentication Services

About Authentication Services


The Authentication Service handles authentication of users accessing resources. The Authentication Service supports the PortWise RADIUS authentication methods: Mobile Text, Web, Challenge, Password, OATH, and Synchronized.
You configure the Authentication Service to handle access requests through the available authentication methods using the RADIUS protocol. Depending on which authentication methods you use, the Authentication Service is set up to respond to the access requests accordingly: by accepting, rejecting, or challenging the request.
The Authentication Service may also proxy authentication requests to an authentication server using third-party authentication methods, for example RSA SecurID or Secure Computing SafeWord. In this scenario, you configure a RADIUS back-end server as an authentication server.
You can use one or several Authentication Services and RADIUS back-end servers simultaneously.

Figure 9-3: PortWise Network


Manage Authentication Services


Registered Authentication Services are listed on the Manage Authentication Services page. You can add, edit, and
delete Authentication Services. A number of settings can be specified globally, to apply to all Authentication Services.
The global settings include RADIUS authentication and password/PIN settings.

Authentication Service Settings


Internal Communication
Authentication Service settings include internal host, which defines the IP address or DNS name of the Authentication Service, and internal port, both used for communication in the PortWise network.
For internal host, avoid using the IP address 0.0.0.0 to listen on all local IP addresses. Instead, use the Listen on all interfaces option, which specifies what interfaces the service listens to. When selected, the service listens on all specified IP addresses. When not selected, the service only listens on the IP address specified as internal host.

Key Files
You can define that key files should be distributed automatically. Using this option, key files are automatically distributed from the Administration Service to the Authentication Service after the Authentication Service has been installed. Not selecting this option keeps the system more secure, but the administrator will be required to copy key files manually.

Server Certificate
The Server Certificate defines the certificate used when the Authentication Service performs TLS handshaking (for example when authenticating with the PEAP-MSCHAPv2 protocol). If the PEAP-MSCHAPv2 authentication protocol is used, you need to assign a server certificate. If not, PEAP-MSCHAPv2 authentication will fail.
All available server certificates are available for selection. Server certificates are managed in the Manage Certificates section of PortWise Administrator.

Additional Listeners
You can register additional listeners for the Authentication Service, i.e. additional IP addresses or DNS names that the
Authentication Service listens to. The listeners you add are added to the list of hosts available in the RADIUS accounting
section.

RADIUS Accounting
When RADIUS accounting is enabled, the system responds to RADIUS accounting packets sent from RADIUS clients. The
system logs the incoming RADIUS packet and replies with an accounting response packet. Accounting packets can also
contain information about when a user logs in and out of a system.
You select host (internal host or registered additional listener) and specify port for the system that sends the accounting
response message.
You can also select if the system should be listening on all interfaces or not regarding RADIUS accounting traffic.


Settings
Label | Mandatory | Description
Service ID | No | Identification number automatically assigned to the Authentication Service when it is created.
Display Name | Yes | Unique name used in the system to identify the Authentication Service.
Internal Host | Yes | IP address or DNS name of the Authentication Service, used for communication in the PortWise network.
Internal Communication Port | No | Port used for internal communication in the PortWise network. Set to 8302 by default.
Listen on all interfaces | No | Specifies what interfaces the service listens to. Not selected by default.
Distribute key files automatically | No | Defines whether or not key files should be automatically distributed from the Administration Service to the Authentication Service after the Authentication Service has been installed. Selected by default.

Table 9-79: General Settings

Label | Mandatory | Description
Server Certificate | No | Lists all registered server certificates.

Table 9-80: Server Certificate Settings

Label | Mandatory | Description
Enable RADIUS accounting | No | Not selected by default.
Host | (Yes) | IP address or DNS name of the system that sends the accounting response message. Mandatory when Enable RADIUS accounting is selected.
Port | (Yes) | Port for the system that sends the accounting response message. Mandatory when Enable RADIUS accounting is selected.
Listen on all interfaces | No | Not selected by default.

Table 9-81: RADIUS Accounting Settings

Label | Mandatory | Description
Listener | Yes | IP address or DNS name of the additional listener.

Table 9-82: Additional Listener Settings


Manage Global Authentication Service Settings

RADIUS Authentication
A number of settings are available for RADIUS authentication.

Drop unknown sessions
When selected, an access request by an unknown RADIUS session is dropped. If not, the server sends the reply Access Denied.

Drop unknown users
When selected, an access request by an unknown user is dropped and the Authentication Service ignores the request without reply.
When not selected, the Authentication Service accepts the request, but the authentication will fail, resulting in an access reject message. This setting can be useful for chained authentication.

Proxy unknown users
When selected, unknown users are authenticated using another RADIUS server. The Authentication Service tries to proxy the request to the configured RADIUS back-end server. If the request is not serviced, the Authentication Service handles the request according to Drop unknown users.
This setting takes precedence over Drop unknown users if both are selected.

Reveal reject reason
When selected, the reason why a request has been rejected is revealed to the RADIUS client.

Session Time-out
You define the number of seconds that the state attribute is valid. The RADIUS session times out after this time limit. Set to 180 seconds by default. The server discards a RADIUS session after this time span (if not used, then the time is reset).

RADIUS Encoding
When the system receives a RADIUS packet, it normally transforms the data to strings according to the UTF-8 standard. Some RADIUS clients do not support the UTF-8 standard; if this is the case, another encoding needs to be specified.
Set to UTF-8 by default.

Settings
Label | Mandatory | Description
Drop unknown sessions | No | Not selected by default.
Drop unknown users | No | Not selected by default.
Proxy unknown users | No | Not selected by default.
Reveal reject reason | No | Not selected by default.
Session time-out | Yes | Number of seconds (1-999) the state attribute is valid. Set to 180 by default.
RADIUS encoding | No | Set to UTF-8 by default.

Table 9-83: RADIUS Authentication Settings

Password/PIN
On this tab, you define global password and PIN restrictions for PortWise authentication methods.

PortWise Mobile Text
Available global password settings for PortWise Mobile Text are listed below. Default values are displayed in parenthesis.
Available global password settings:
• Minimum (6) and maximum (16) number of characters
• Minimum number of letters (2) and numbers (2)
• Allow sequentially-repeated characters (true)
• Disallowed characters (empty)
Note: disallowing the usage of any character will reduce the password complexity level, impairing general security.
• Password validity period in days (90)
When set to 0, the password does not expire.
• Password history size in number of saved passwords not eligible for reuse (5)
The user cannot reuse any of the passwords saved in the password history when changing password.
• OTP length in number of characters (6)
• Alphabet base for OTP (23456789abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ)
Tip: exclude characters and numbers that can easily be confused, such as 0/o/O and 1/i/I/l/L.
• Notification message (Your OTP is {0}. Enter it to login with Mobile Text)
• Allow two-step authentication (off)
When selected, authentication is split in two sessions: one to make the server send the OTP to the mobile phone, and one to login with the OTP.
PortWise Web
Available global password settings for PortWise Web are listed below. Default values are displayed in parenthesis.
Available global password settings:
• Minimum (6) and maximum (16) number of characters
• Minimum number of letters (2) and numbers (2)
• Allow sequentially-repeated characters (true)
• Disallowed characters (empty)
Note: disallowing the usage of any character will reduce the password complexity level, impairing general security.
• Password validity period in days (90)
When set to 0, the password does not expire.
• Password history size in number of saved passwords not eligible for reuse (5)
The user cannot reuse any of the passwords saved in the password history when changing password.
• Keyboard appearance: fixed, shift, or random (random)
• Allow use of desktop keyboard for numbers (off)

PortWise Challenge
Available global PIN settings for PortWise Challenge are listed below. Default values are displayed in parenthesis.
Available global PIN settings:
• PIN validity period in days (90)
When set to 0, the PIN does not expire.
• PIN history size in number of PINs (5)
The user cannot reuse any of the PINs saved in the PIN history when changing PIN.
• Support value signing (off)

PortWise Password
Available global password settings for PortWise Password are listed below. Default values are displayed in parenthesis.
Available global password settings:
• Minimum (6) and maximum (16) number of characters
• Minimum number of letters (2) and numbers (2)
• Allow sequentially-repeated characters (true)
• Disallowed characters (empty)
Note: disallowing the usage of any character will reduce the password complexity level, impairing general security.
• Password validity period in days (90)
When set to 0, the password does not expire.
• Password history size in number of saved passwords not eligible for reuse (5)
The user cannot reuse any of the passwords saved in the password history when changing password.

PortWise Synchronized
Available global PIN settings for PortWise Synchronized are listed below. Default values are displayed in parenthesis.
Available global PIN settings:
• PIN validity period in days (90)
When set to 0, the PIN does not expire.
• PIN history size in number of PINs (5)
The user cannot reuse any of the PINs saved in the PIN history when changing PIN.
• Number of logon attempts allowed before the user is prompted for a new OTP (3)
• Number of logon attempts allowed before the user is denied access (10)

PortWise OATH
Available global PIN settings for PortWise OATH are listed below.
Available global PIN settings:
• Offset before prompt: minimum (0), maximum (99), default (3)
Set to 0 to disable.
• Look-ahead window size: minimum (0), maximum (1000), default (50)
Set to 0 to disable.

Settings
Label | Mandatory | Description
Minimum | Yes | Minimum number of characters (1-64) for the PortWise Web password. Set to 6 by default.
Maximum | Yes | Maximum number of characters (1-64) for the PortWise Web password. Set to 16 by default.
Minimum | No | Minimum amount of numbers (0-64) the PortWise Web password must contain. Set to 2 by default.
Minimum | No | Minimum amount of letters (0-64) the Web client password must contain. Set to 2 by default.
Allow sequentially-repeated characters | No | Allow characters in the password to be sequentially-repeated. Set to True by default.
Disallowed characters | No | Characters that are not allowed to be used as members in the password. Note: disallowing the usage of any character will reduce the password complexity level, impairing general security. Empty by default.
Password expires in | No | Number of days (0-999) the PortWise Web password lasts before it must be changed. Set to 90 by default.
Password history size | No | Number of saved passwords (0-19) used by a specific user account for the authentication method Web. Set to 5 by default.
Keyboard Appearance | No | Password generator keyboard appearance. Available options are: Fixed, Shift, Random. Set to Random by default.
Allow use of desktop keyboard for numbers | No | Not selected by default.

Table 9-84: PortWise Web Authentication Settings

Label | Mandatory | Description
PIN expires in | No | Number of days (0-999) before the Challenge PIN must be changed. Set to 90 by default.
PIN history size | No | Number of saved PINs (0-19) used by a specific user account for the authentication method Challenge. Set to 5 by default.
Support value signing | No | Not selected by default.

Table 9-85: PortWise Challenge Authentication Settings

Label | Mandatory | Description
PIN expires in | No | Number of days (0-999) before the Challenge PIN must be changed. Set to 90 by default.
PIN history size | No | Number of saved PINs (0-19) used by a specific user account for the authentication method Challenge. Set to 5 by default.
Offset before prompt | No | Number of tries allowed (0-99) before the user is prompted to generate the next one-time password (OTP). Set to 3 by default.
Offset before access denied | No | Number of tries allowed (0-99) before the user is denied access to the requested resource. Set to 10 by default.

Table 9-86: PortWise Synchronized Authentication Settings

Label | Mandatory | Description
Offset before prompt | Yes | The number of unused HOTPs that will trigger the resynchronization procedure. Range: 0-99, 3 is the default value. Set to 0 to disable.
Look-ahead window size | Yes | Maximum number of ‘next’ HOTP server values to check against the received client HOTP. When the maximum number of authorized attempts is reached, the server will lock out the account. Range: 0-1000, 50 is the default value. Set to 0 to disable.

Table 9-87: PortWise OATH Authentication Settings
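How the two OATH settings above (the PortWise OATH list and Table 9-87) interact during HOTP validation, shown by an added example that is not PortWise code: a server-side verifier that scans the look-ahead window, demands a resynchronization confirmation once the number of skipped HOTPs reaches the offset, and locks the account after repeated failures. The lockout threshold `max_failures`, the result strings, and the RFC 4226 test-vector seed are assumptions of this example, not settings from the manual.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed demo seed: the RFC 4226 test-vector key (ASCII "12345678901234567890").
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class OathAccount:
    seed: bytes
    counter: int = 0                # next counter value the server expects
    offset_before_prompt: int = 3   # page default (0-99); 0 disables the resync prompt
    look_ahead: int = 50            # page default (0-1000); 0 disables look-ahead
    max_failures: int = 10          # assumption: the page gives no numeric lockout threshold
    failures: int = 0
    locked: bool = False
    resync_counter: Optional[int] = None  # set while a resync confirmation is pending


def _matches(seed: bytes, counter: int, otp: str) -> bool:
    # Constant-time comparison so the verifier does not leak how many digits matched.
    return hmac.compare_digest(hotp(seed, counter).encode(), otp.encode())


def _fail(acct: OathAccount) -> str:
    acct.failures += 1
    if acct.failures >= acct.max_failures:
        acct.locked = True
        return "locked"
    return "fail"


def verify(acct: OathAccount, otp: str) -> str:
    """Validate one HOTP; returns 'ok', 'resync' (prompt for the next OTP), 'fail' or 'locked'."""
    if acct.locked:
        return "locked"
    if acct.resync_counter is not None:
        # Resynchronization step: only the exact next HOTP confirms the new counter.
        if _matches(acct.seed, acct.resync_counter, otp):
            acct.counter = acct.resync_counter + 1
            acct.resync_counter = None
            acct.failures = 0
            return "ok"
        return _fail(acct)
    # Scan the look-ahead window: the expected counter plus up to look_ahead 'next' values.
    for skipped in range(acct.look_ahead + 1):
        candidate = acct.counter + skipped
        if _matches(acct.seed, candidate, otp):
            acct.counter = candidate + 1    # this and every earlier counter are now unusable
            acct.failures = 0
            if acct.offset_before_prompt and skipped >= acct.offset_before_prompt:
                # Too many unused HOTPs were skipped: require the next one as confirmation.
                acct.resync_counter = acct.counter
                return "resync"
            return "ok"
    return _fail(acct)
```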

Label | Mandatory | Description
Minimum | Yes | Minimum number of characters (1-64) for the PortWise Web password. Set to 6 by default.
Maximum | Yes | Maximum number of characters (1-64) for the PortWise Web password. Set to 16 by default.
Minimum | No | Minimum amount of numbers (0-64) the PortWise Web password must contain. Set to 2 by default.
Minimum | No | Minimum amount of letters (0-64) the Web client password must contain. Set to 2 by default.
Allow sequentially-repeated characters | No | Allow characters in the password to be sequentially-repeated. Set to True by default.
Disallowed characters | No | Characters that are not allowed to be used as members in the password. Note: disallowing the usage of any character will reduce the password complexity level, impairing general security. Empty by default.
Password expires in | No | Number of days (0-999) the PortWise Web password lasts before it must be changed. Set to 90 by default.
Password history size | No | Number of saved passwords (0-19) used by a specific user account for the authentication method Web. Set to 5 by default.
OTP Length | Yes | Number of characters (4-32) of the generated OTP. Set to 6 by default.
Generate OTP from | No | Alphabet used to generate the OTP.
Notification Message | No | Body of the OTP message.
Allow two-step authentication | No | Not selected by default.

Table 9-88: PortWise Mobile Text Authentication Settings


Label | Mandatory | Description
Minimum | Yes | Minimum number of characters (1-64) for the PortWise Web password. Set to 6 by default.
Maximum | Yes | Maximum number of characters (1-64) for the PortWise Web password. Set to 16 by default.
Minimum | No | Minimum amount of numbers (0-64) the PortWise Web password must contain. Set to 2 by default.
Minimum | No | Minimum amount of letters (0-64) the Web client password must contain. Set to 2 by default.
Allow sequentially-repeated characters | No | Allow characters in the password to be sequentially-repeated. Set to True by default.
Disallowed characters | No | Characters that are not allowed to be used as members in the password. Note: disallowing the usage of any character will reduce the password complexity level, impairing general security. Empty by default.
Password expires in | No | Number of days (0-999) the PortWise Web password lasts before it must be changed. Set to 90 by default.
Password history size | No | Number of saved passwords (0-19) used by a specific user account for the authentication method Web. Set to 5 by default.

Table 9-89: PortWise Password Authentication Settings
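The global password rules listed above for Mobile Text, Web and Password (Tables 9-84, 9-88 and 9-89), applied by an added example that is not PortWise code: a policy checker preloaded with the manual's default values, a password history of the configured size that stores only salted hashes, and an OTP generator over the Mobile Text alphabet. The class and function names are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Tuple

# Alphabet from the Mobile Text "Alphabet base for OTP" setting (0/o/O and 1/i/I/l/L left out).
MOBILE_TEXT_ALPHABET = "23456789abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ"


@dataclass
class PasswordPolicy:
    """Field defaults are the manual's defaults for Mobile Text, Web and Password."""
    min_length: int = 6
    max_length: int = 16
    min_letters: int = 2
    min_digits: int = 2
    allow_sequential_repeats: bool = True
    disallowed_chars: str = ""
    history_size: int = 5


class PasswordHistory:
    """Keeps salted PBKDF2 hashes of the last `size` passwords; plaintext is never stored."""

    def __init__(self, size: int):
        self.size = size
        self._entries: List[Tuple[bytes, bytes]] = []  # (salt, hash), oldest first

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def contains(self, password: str) -> bool:
        return any(secrets.compare_digest(self._digest(password, salt), h)
                   for salt, h in self._entries)

    def remember(self, password: str) -> None:
        if self.size <= 0:          # history size 0 means no reuse restriction
            return
        salt = secrets.token_bytes(16)
        self._entries.append((salt, self._digest(password, salt)))
        del self._entries[:-self.size]   # keep only the newest `size` entries


def check_password(policy: PasswordPolicy, candidate: str, history: PasswordHistory) -> List[str]:
    """Return the rules the candidate violates; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"fewer than {policy.min_length} characters")
    if len(candidate) > policy.max_length:
        problems.append(f"more than {policy.max_length} characters")
    if sum(c.isalpha() for c in candidate) < policy.min_letters:
        problems.append(f"fewer than {policy.min_letters} letters")
    if sum(c.isdigit() for c in candidate) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} numbers")
    if not policy.allow_sequential_repeats and any(a == b for a, b in zip(candidate, candidate[1:])):
        problems.append("sequentially-repeated characters")
    bad = sorted(set(candidate) & set(policy.disallowed_chars))
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    if policy.history_size > 0 and history.contains(candidate):
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    return problems


def generate_otp(length: int = 6, alphabet: str = MOBILE_TEXT_ALPHABET) -> str:
    """Mobile Text style OTP drawn with a CSPRNG from the configured alphabet (default length 6)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))
```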

E-mail Messages
On this tab, you define the e-mail messages sent to users to notify them of new or changed passwords, PINs, or seeds.

Information
There is no limitation as to the allowed number of characters for e-mail messages.

General settings include e-mail recipients, as well as message subject line, header, and footer.
In addition, you can specify different password/PIN/seed messages per authentication method.

E-mail Addresses
In addition to sending e-mail notifications to the users whose accounts have changed due to new or changed passwords, PINs, or seeds, you have the option to specify additional recipients.
Enter e-mail addresses for one or several recipients (use a semicolon to separate several addresses) who will receive e-mail notifications of such events.

E-mail Messages
Specify the message subject line, header and footer.
Default values are listed below:
• Subject line
“Your Authentication Service account has changed”
• Header
“{0} your account {1} has changed“
(The variable {0} is replaced with the user’s name, {1} with the user ID.)
• Footer
“Changed by {2}, PortWise Administrator”
(The variable {2} is replaced with the name of the administrator.)

New Password Entered/New PIN Entered
You can specify, per PortWise authentication method, the message used to notify users (and any additional recipients) of new passwords or PINs to use when authenticating. The message is available for all PortWise authentication methods.
The default text is, according to the respective authentication method:
“Your new PIN/password for Mobile Text/Web/Challenge/Synchronized/Password Authentication is {0}.”
The {0} variable will be replaced with the generated password or PIN.

Use Directory Password


For PortWise Mobile Text and PortWise Password, you can specify the message used to notify users (and any additional
recipients) to use the password specified in the directory service when authenticating.
The default text is:
“Your password has changed”.
If the directory service passwords are used instead of the password generated by PortWise, it is strongly recommended
that you change the default text provided here to texts that describe which password should be used.

Use Mapped Password/Use Mapped PIN

You can specify, per authentication method, the message used to notify users (and any additional recipients) to use their mapped password or PIN when authenticating. The message is available for all PortWise authentication methods.
The default text is, according to respective authentication method:
“Your password/PIN for Mobile Text/Web/Challenge/Synchronized/Password Authentication has changed”.
If directory service passwords or mapped passwords are used, it is strongly recommended that you change the default texts to ones that describe which password should be used.

Seed
For PortWise Synchronized and PortWise Challenge, you can specify the message used to notify users (and any additional recipients) of new seeds to use in the Mobile ID clients Synchronized and Challenge.
The default text is, according to respective authentication method:
“Your new seed for Challenge/Synchronized Authentication is {0}.”
The {0} variable is replaced with the generated seed.
The seed is the shared secret from which the Mobile ID client derives its one-time passwords, so anyone who can read this message (including any additional recipients) can set up a client that produces the same one-time passwords. Treat the notification channel accordingly and avoid sending seeds to shared mailboxes.
It is possible to distribute the mode Challenge or Synchronized together with the seed, resulting in a pre-configured Mobile ID Challenge or Synchronized client with the seed injected.
To achieve this, use the variables mode=c for Challenge and mode=s for Synchronized.
In the example below, the seed notification includes instructions for Mobile ID client download, a seed, and a variable which is used to pre-configure the client with PortWise Challenge.

Example
Download your Mobile ID client from http://<distribution service host>:<distribution service port>/?seed={0}&mode=c

This renders a Mobile ID client with a pre-configured seed when using a supported mobile phone. Other devices receive the seed displayed on screen. With this approach the seed also travels in the URL query string, where it is visible to anything that logs the request, such as proxies or the distribution service's own access log; if the distribution service is reachable over HTTPS, use that address so the seed at least does not cross the network in clear text.

Settings
Label Mandatory Description
E-mail Addresses to Notify Yes Additional e-mail addresses (separated by a ; character) the notification message is sent to.

Table 9-86: Additional E-mail Address

Label Mandatory Description
Subject No Message subject line. Set to Your Authentication Service Account has changed by default.
Header No Message header. Set to {0} your account ({1}) has changed by default.
Footer No Message footer. Set to Changed by {2}, Authentication Service Administrator by default.

Table 9-87: E-mail Messages Settings

Label Mandatory Description
New Password Entered No Message for new Mobile Text passwords. Set to Your new password for Mobile Text Authentication is {0} by default.
Use Directory Password No Message sent when the user uses the directory password for logon with Mobile Text. Set to Your password for Mobile Text Authentication has changed by default.
Use Mapped Password No Message sent when the mapped password is used for logon with Mobile Text. Set to Your password for Mobile Text Authentication has changed by default.

Table 9-88: PortWise Mobile Text Authentication Settings

Label Mandatory Description
New Password Entered No Message for new Web passwords. Set to Your new password for Web Authentication is {0} by default.
Use Mapped Password No Message sent when the mapped password is used for logon with Web authentication. Set to Your password for Web Authentication has changed by default.

Table 9-89: PortWise Web Authentication Settings

Label Mandatory Description
New PIN Entered No Message for new Challenge PINs. Set to Your new PIN for Challenge Authentication is {0} by default.
Use Mapped PIN No Message sent when the mapped PIN is used for logon with Challenge. Set to Your PIN for Challenge Authentication has changed by default.
Seed No Message for new Challenge seeds. Set to Your new seed for Challenge Authentication is {0} by default.

Table 9-90: PortWise Challenge Authentication Settings

Label Mandatory Description
New PIN Entered No Message for new Synchronized PINs. Set to Your new PIN for Synchronized Authentication is {0} by default.
Use Mapped PIN No Message sent when the mapped PIN is used for logon with Synchronized. Set to Your PIN for Synchronized Authentication has changed by default.
Seed No Message for new Synchronized seeds. Set to Your new seed for Synchronized Authentication is {0} by default.

Table 9-91: PortWise Synchronized Authentication Settings

Label Mandatory Description
Offset before prompt Yes Number of unused HOTP values (the gap between the last accepted counter and the counter of the received OTP) that triggers the resynchronization procedure, in which the user is prompted for a further OTP before the gap is accepted. Range: 0-99, 3 is the default value. Set to 0 to disable.
Look-ahead window size Yes Maximum number of 'next' HOTP server values checked against the received client HOTP. When the maximum number of authorized attempts is reached, the server locks out the account. Range: 0-1000, 50 is the default value. Set to 0 to disable.

Table 9-92: PortWise OATH Authentication Settings

A large look-ahead window makes a valid OTP easier to guess: with 6-digit HOTP values and a window of s counters, a single random guess is accepted with probability of about s/1,000,000, and only the lockout bounds the number of guesses. Keep the window as small as token usage allows and leave lockout enabled.
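The two OATH settings are easiest to understand by running them. The following is an added example for readers of this manual, not PortWise code: it implements RFC 4226 HOTP and a server-side verifier that models the look-ahead window and the resynchronization offset. The comparison used for the offset (a gap of at least "Offset before prompt" unused values prompts for a second OTP), the lockout threshold max_failed_attempts, and an initial counter of 0 are assumptions, since the manual does not state them. The secret and OTP values used are the published RFC 4226 test vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); the OTPs used
# in the usage below are the RFC's published vectors for counters 0..9.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def guess_probability(look_ahead: int, digits: int = 6) -> float:
    """Chance that one random guess is accepted: the window holds look_ahead valid codes."""
    return min(1.0, max(1, look_ahead) / 10 ** digits)


class HotpAccount:
    """Server-side verification state for one token (a model of the settings, not PortWise code)."""

    def __init__(self, secret: bytes, look_ahead: int = 50, offset_before_prompt: int = 3,
                 max_failed_attempts: int = 5):
        self.secret = secret
        self.next_counter = 0            # counter of the next OTP the server expects (assumed start)
        self.look_ahead = look_ahead     # 0 disables look-ahead: only next_counter is tried
        self.offset_before_prompt = offset_before_prompt   # 0 disables resynchronization
        self.max_failed_attempts = max_failed_attempts     # lockout threshold (assumed value)
        self.failed_attempts = 0
        self.locked = False

    def verify(self, otp: str, next_otp: Optional[str] = None) -> str:
        """Returns 'ok', 'invalid', 'resync_required' or 'locked'."""
        if self.locked:
            return "locked"
        window = max(1, self.look_ahead)
        for candidate in range(self.next_counter, self.next_counter + window):
            if not hmac.compare_digest(hotp(self.secret, candidate), otp):
                continue
            unused = candidate - self.next_counter   # OTPs generated but never presented
            if self.offset_before_prompt and unused >= self.offset_before_prompt:
                # Resynchronization (RFC 4226 section 7.4): the user must also present the
                # OTP that follows, and both must be consecutive, before the gap is accepted.
                if next_otp is None:
                    return "resync_required"
                if not hmac.compare_digest(hotp(self.secret, candidate + 1), next_otp):
                    return self._fail()
                candidate += 1
            self.next_counter = candidate + 1      # replay of an accepted OTP is now impossible
            self.failed_attempts = 0
            return "ok"
        return self._fail()

    def _fail(self) -> str:
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_failed_attempts:
            self.locked = True
            return "locked"
        return "invalid"


if __name__ == "__main__":
    acct = HotpAccount(RFC4226_SECRET, look_ahead=10, offset_before_prompt=3, max_failed_attempts=3)
    print(acct.verify("755224"))                            # counter 0 -> ok
    print(acct.verify("755224"))                            # replay -> invalid
    print(acct.verify("520489"))                            # counter 9, six unused -> resync_required
    print(acct.verify("520489", hotp(RFC4226_SECRET, 10)))  # consecutive pair -> ok
    print(guess_probability(50), guess_probability(1000))   # window 50 vs window 1000
```

The verifier never accepts a counter at or below the last accepted one, which is what makes a captured OTP useless after use; the window only extends forward. Comparing guess_probability(50) with guess_probability(1000) shows why the upper end of the allowed range should be avoided.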

Label Mandatory Description
New Password Entered No Message for new passwords. Set to Your new password for Password Authentication is {0} by default.
Use Directory Password No Message sent when the user uses the directory password for logon with Password authentication. Set to Your password for Password Authentication has changed by default.
Use Mapped Password No Message sent when the mapped password is used for logon with Password authentication. Set to Your password for Password Authentication has changed by default.

Table 9-93: PortWise Password Authentication Settings

SMS/Screen Messages
On this tab, you define the SMS and screen messages, sent and displayed respectively, that notify users of new or changed passwords, PINs, or seeds.
General settings include the header and footer of the SMS/Screen message.
In addition, you can specify different password/PIN/seed messages per authentication method.

New Password Entered/New PIN Entered


You can specify, per PortWise authentication method, the message used to notify users (and any additional recipients) of
new passwords or PINs to use when authenticating. The message is available for all PortWise authentication methods.
The default text is, according to respective authentication method:
Mobile Text/Web/Challenge/Synchronized/Password PIN/password: {0}.
The {0} variable will be replaced with generated password or PIN.

Use Directory Password

For PortWise Mobile Text and PortWise Password, you can specify the message used to notify users (and any additional recipients) that the password stored in the directory service is to be used when authenticating.
The default text is: Your password for Mobile Text/Password Authentication has changed
If users are to use their directory service passwords instead of the password generated by PortWise, it is strongly recommended that you change the default text to one that describes which password should be used.

Use Mapped Password/Use Mapped PIN

You can specify, per authentication method, the message used to notify users (and any additional recipients) to use their mapped password or PIN when authenticating. The message is available for all PortWise authentication methods.
The default text is: Your password/PIN for Mobile Text/Web/Challenge/Synchronized/Password Authentication has changed
If users are to use their directory service passwords or mapped passwords, it is strongly recommended that you change the default texts to ones that describe which password should be used.

Seed
For PortWise Synchronized and PortWise Challenge, you can specify the message used to notify users (and any additional recipients) of new seeds to use in the Mobile ID clients Synchronized and Challenge.
The default text is, according to respective authentication method:
Challenge/Synchronized seed: {0}
The {0} variable is replaced with the generated seed. The seed is the client's shared secret: an SMS containing it can be read by anyone with access to the handset or to the operator's message store, and a screen message by anyone who can see the screen, so choose the channel with that in mind.
It is possible to distribute the mode Challenge or Synchronized together with the seed, resulting in a pre-configured Mobile ID Challenge or Synchronized client with the seed injected.
To achieve this, use the variables mode=c for Challenge and mode=s for Synchronized.
In the example below, the seed notification includes instructions for Mobile ID client download, a seed, and a variable which is used to pre-configure the client with PortWise Challenge.

Example
Download your Mobile ID client from http://<distribution service host>:<distribution service port>/?seed={0}&mode=c

This renders a Mobile ID client with a pre-configured seed when using a supported mobile phone. Other devices receive the seed displayed on screen.

Settings
Label Mandatory Description
Header No Start of the message. Set to Account Changed by default.
Footer No End of the message.

Table 9-93: SMS/Screen Messages Settings

Label Mandatory Description
New Password Entered No Message for new Mobile Text passwords. Set to Mobile Text password: {0} by default.
Use Directory Password No Message sent when the user uses the directory password for logon with Mobile Text. Set to Your password for Mobile Text Authentication has changed by default.
Use Mapped Password No Message sent when the mapped password is used for logon with Mobile Text. Set to Your password for Mobile Text Authentication has changed by default.

Table 9-94: PortWise Mobile Text Authentication Settings

Label Mandatory Description
New Password Entered No Message for new Web passwords. Set to Web password: {0} by default.
Use Mapped Password No Message sent when the mapped password is used for logon with Web authentication. Set to Your password for Web Authentication has changed by default.

Table 9-95: PortWise Web Authentication Settings

Label Mandatory Description
New PIN Entered No Message for new Challenge PINs. Set to Challenge PIN: {0} by default.
Use Mapped PIN No Message sent when the mapped PIN is used for logon with Challenge. Set to Your PIN for Challenge Authentication has changed by default.
Seed No Message for new Challenge seeds. Set to Challenge seed: {0} by default.

Table 9-96: PortWise Challenge Authentication Settings

Label Mandatory Description
New PIN Entered No Message for new Synchronized PINs. Set to Synchronized PIN: {0} by default.
Use Mapped PIN No Message sent when the mapped PIN is used for logon with Synchronized. Set to Your PIN for Synchronized Authentication has changed by default.
Seed No Message for new Synchronized seeds. Set to Synchronized seed: {0} by default.

Table 9-97: PortWise Synchronized Authentication Settings

Label Mandatory Description
New Password Entered No Message for new passwords for Password authentication. Set to Password Authentication password: {0} by default.
Use Directory Password No Message sent when the user uses the directory password for logon with Password authentication. Set to Your password for Password Authentication has changed by default.
Use Mapped Password No Message sent when the mapped password is used for logon with Password authentication. Set to Your password for Password Authentication has changed by default.

Table 9-98: PortWise Password Authentication Settings


Certificates

About Certificates
A Certificate Authority (CA) issues the client certificates used in authentication. To authenticate a user by certificate, the certificate of the issuing CA is needed, since the user certificate is validated against it.
A client certificate issued by a CA may be stolen or otherwise subject to unintended use. To cancel an already issued client certificate, the certificate validation routine checks it against a list of cancelled (revoked) client certificates. This list is called a Certificate Revocation List (CRL). The CRL is published through a CRL Distribution Point (CDP). Supported CDP protocols are HTTP and LDAP.
Starting at the root CA, every subordinate CA depends on a chain of trust between the issuers up to the root. If a CA is compromised, that CA and all of its subordinate CAs are invalid. To state whether a subordinate CA is still valid, the issuing CA produces an Authority Revocation List (ARL) listing the subordinate CAs that are no longer to be trusted.
If you want to use PKI, you have to configure each CA you wish to use. You can then use the configured CA when you add authentication methods of the type User Certificate.
Each CA requires its own authentication method. This makes it possible to have several CAs configured and enabled and then decide which CAs are valid for a specific resource, which is useful since the trustworthiness of different CAs can vary.
There are two prerequisites for managing Certificate Authorities:
• An X.509 v3 certificate must be stored in some persistent form on the application host.
• A CA Root in your user storage, in order to create CA objects.

Registered Server Certificates

Server certificates are used when establishing communication with users. It is possible to specify a server certificate for each additional listener of the Access Point, which enables you to have specific certificates for each IP address or port.

Registered Client Certificate

When SSL is selected for a resource, the client certificate is used when communicating with the resources.
Only one client certificate can be specified.


Manage Certificates
In PortWise, you manage three types of certificates:
• Certificate authorities
• Server certificates
• Client certificates
All settings are described in their respective section below.

Certificate Authority Settings

You register certificate authorities (CAs) to be used for validation of certificates.
You specify a display name for the CA and connect a CA certificate to it. You then select whether to use a certificate revocation list (CRL) or to perform no revocation checks at all. When use of CRL is selected, an additional step of the Add Certificate Authority wizard is displayed.
With CRLs, you need to specify at least one CRL distribution point (CDP), the location from which the CRL covering the certificates issued by the CA is retrieved. Performing no revocation check means a stolen or compromised certificate remains usable until it expires, so select that option only for CAs whose certificates are never revoked.
CRL settings include:

Address
This can either be an LDAP URL (RFC 2255):

Example
ldap://192.168.96.52/CN=win2k%20root%20CA,CN=test-win2k-ad,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2k-ad,DC=thesecurecompany,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint

Or an HTTP URL:

Example
http://www.posten.se:80/ldap/crl.cer

Fetch time adjustment

Adjustment in seconds, allowed interval is -86,400 to 86,400, applied to the time at which revocation information is retrieved, relative to the scheduled fetch time (the CRL's Next Update time, or the custom update time when that is selected). A positive value delays the fetch, which is useful when there is latency before a newly issued CRL becomes available at the CDP, as can happen when replicated directories are involved.
This option is set to 0 by default.

Update time
When this option is selected, a custom update time is enabled and the defined update time stored in the system is used.
When not selected, the attribute Next Update Time from the CRL is used.
This setting is not selected by default.

Retry interval
Interval in seconds, allowed interval is 0-31536000, between attempts to retrieve the CRL if it cannot be obtained.
This option is set to 300 by default.
You also specify an Invalid Action for the CA, which determines how users authenticating with a user certificate are handled if a required CRL cannot be obtained.
Available Invalid Action options are:
• Denied
Authentication is denied for all users authenticated by user certificate until a CRL is obtained (fail closed).
• Allowed
Certificate revocation control is performed using the previously retrieved CRL, and the system logs that an invalid CRL is used (fail open). Certificates revoked after that CRL was issued are still accepted until a fresh CRL can be retrieved, so monitor the log for this condition and keep Denied unless availability of the CDP matters more than timely revocation.
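The interaction between the update time, fetch time adjustment, retry interval and Invalid Action settings is shown below in an added example that models them; it is illustration code written for this manual, not PortWise's implementation. The allowed ranges are the ones stated above; the sign convention (a positive adjustment delays the fetch), the serial numbers and the timeline are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Set


class CrlPolicy:
    """Fetch scheduling and fail-open/fail-closed behaviour for one CDP (a model, not PortWise code)."""

    def __init__(self, fetch_time_adjustment: int = 0, custom_update_interval: Optional[int] = None,
                 retry_interval: int = 300, invalid_action: str = "Denied"):
        if not -86_400 <= fetch_time_adjustment <= 86_400:
            raise ValueError("fetch time adjustment must be within -86400..86400 seconds")
        if custom_update_interval is not None and not 0 <= custom_update_interval <= 31_536_000:
            raise ValueError("update interval must be within 0..31536000 seconds")
        if not 0 <= retry_interval <= 31_536_000:
            raise ValueError("retry interval must be within 0..31536000 seconds")
        if invalid_action not in ("Denied", "Allowed"):
            raise ValueError("invalid action must be Denied or Allowed")
        self.fetch_time_adjustment = fetch_time_adjustment
        self.custom_update_interval = custom_update_interval   # None: use the CRL's Next Update
        self.retry_interval = retry_interval
        self.invalid_action = invalid_action

    def next_fetch(self, fetched_at: datetime, crl_next_update: datetime) -> datetime:
        """Scheduled fetch time: the CRL's Next Update, or a fixed interval when Update Time is
        selected, shifted by the fetch time adjustment (positive = later, an assumed convention)."""
        if self.custom_update_interval is not None:
            base = fetched_at + timedelta(seconds=self.custom_update_interval)
        else:
            base = crl_next_update
        return base + timedelta(seconds=self.fetch_time_adjustment)

    def retry_at(self, failed_at: datetime) -> datetime:
        return failed_at + timedelta(seconds=self.retry_interval)


class CrlState:
    """What the validator knows: the last good CRL and whether the latest fetch succeeded."""

    def __init__(self):
        self.revoked: Optional[Set[int]] = None   # serial numbers from the last good CRL
        self.fetch_ok = False

    def update(self, revoked_serials: Optional[Set[int]]) -> None:
        """Pass None when the fetch failed; the cached CRL is kept."""
        if revoked_serials is None:
            self.fetch_ok = False
        else:
            self.revoked = set(revoked_serials)
            self.fetch_ok = True


def revocation_decision(serial: int, state: CrlState, policy: CrlPolicy) -> str:
    """Returns 'allow', 'deny' or 'allow-stale'. 'allow-stale' is an acceptance made with an
    outdated CRL under Invalid Action = Allowed, the case PortWise logs."""
    if state.fetch_ok:
        return "deny" if serial in state.revoked else "allow"
    if policy.invalid_action == "Denied" or state.revoked is None:
        return "deny"            # fail closed: no usable CRL, no certificate logons
    if serial in state.revoked:
        return "deny"
    return "allow-stale"         # fail open: revocations newer than the cached CRL are missed


def seconds_until(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds()


# Constructed timeline: CRL fetched at T0 with Next Update six hours later.
T0 = datetime(2009, 1, 1, 12, 0, tzinfo=timezone.utc)
NEXT_UPDATE = T0 + timedelta(hours=6)


def scenario() -> dict:
    """Serial 1001 is revoked in the fetched CRL; the CA later revokes 1002 but the next fetch fails."""
    open_policy = CrlPolicy(invalid_action="Allowed")
    closed_policy = CrlPolicy()                               # Denied is the default
    state = CrlState()
    state.update({1001})
    before = (revocation_decision(1001, state, open_policy), revocation_decision(1002, state, open_policy))
    state.update(None)                                        # CDP unreachable; 1002 now revoked at the CA
    after_open = (revocation_decision(1001, state, open_policy), revocation_decision(1002, state, open_policy))
    after_closed = (revocation_decision(1001, state, closed_policy), revocation_decision(1002, state, closed_policy))
    return {"before": before, "after_open": after_open, "after_closed": after_closed}
```

Running scenario() shows the trade-off in one line each: with Allowed, serial 1002 is still accepted after its revocation because the cached CRL predates it; with Denied, every certificate logon fails until the CDP answers again.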

Server Certificate Settings

You register PEM formatted server certificates to be used when establishing communication with end users.

NOTE
PEM is the default format for OpenSSL. It stores the DER-encoded data Base64-encoded and surrounded by ASCII header and footer lines (-----BEGIN ...----- and -----END ...-----), which makes it suitable for text mode transfers between systems. DER is the binary encoding of the same ASN.1 structures and has no headers; both formats can hold private keys, public keys, and certificates, and a PEM file is simply a text-wrapped DER file. DER is the default format for most browsers when exporting certificates.

You can specify server certificates for specific IP addresses and ports, which is useful when managing additional listeners.
You specify a display name for the server certificate and connect a certificate to it. Use the View Certificate Details link for certificate details.
You need to save a private key for the certificate. The key needs to be a PKCS#8 key in either DER or PEM format. A PEM key whose header reads BEGIN RSA PRIVATE KEY is in the older PKCS#1 format and must be converted to PKCS#8 first.
You can also specify a password to be used if the key is encrypted.
A CA certificate is required to complete the entire certificate chain. A specific CA certificate for the server certificate can be selected if the browser does not have the root or intermediate CA used to verify the server certificate.


Client Certificate Settings

You register PEM formatted client certificates to be used in resource communication using SSL.

Information
You can only specify one client certificate per PortWise installation.

You specify a display name for the client certificate and connect a certificate to it. Use the View Certificate Details link for certificate details.
You need to save a private key for the certificate. The key needs to be a PKCS#8 key in either DER or PEM format, the same requirement as for server certificate keys.
You can also specify a password to be used if the key is encrypted.
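Both the server certificate and the client certificate settings above require a PKCS#8 private key in PEM or DER form, and a key exported from another system is often in PKCS#1 (BEGIN RSA PRIVATE KEY) or SEC1 (BEGIN EC PRIVATE KEY) form instead. The following added example, written for this manual rather than taken from PortWise, tells the formats apart by reading the PEM label and the first two DER elements of the outer SEQUENCE, which is the structural difference between PrivateKeyInfo, EncryptedPrivateKeyInfo, RSAPrivateKey and ECPrivateKey. The sample keys at the bottom are constructed DER skeletons with dummy contents, not real keys; the classifier only looks at structure, so they exercise it fully.

```python
import base64
import re

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def _read_tlv(buf: bytes, pos: int = 0):
    """Minimal DER reader: returns (tag, content, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_der_key(der: bytes) -> str:
    """Names the private-key structure from the first two elements of the outer SEQUENCE."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        return "not-der-sequence"
    t1, v1, p = _read_tlv(body)
    t2, _, _ = _read_tlv(body, p)
    if t1 == 0x02 and v1 == b"\x00" and t2 == 0x30:
        return "pkcs8"                    # PrivateKeyInfo: version 0, AlgorithmIdentifier, OCTET STRING
    if t1 == 0x30 and t2 == 0x04:
        return "pkcs8-encrypted"          # EncryptedPrivateKeyInfo: AlgorithmIdentifier, OCTET STRING
    if t1 == 0x02 and t2 == 0x02:
        return "pkcs1-rsa"                # RSAPrivateKey: version, modulus, ... (BEGIN RSA PRIVATE KEY)
    if t1 == 0x02 and t2 == 0x04:
        return "sec1-ec"                  # ECPrivateKey: version 1, OCTET STRING (BEGIN EC PRIVATE KEY)
    return "unknown"


def pem_to_der(text: str):
    """Returns (label, DER bytes) for the first PEM block in text."""
    m = _PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    # Legacy encrypted PEM carries 'Proc-Type:'/'DEK-Info:' lines before the Base64 body; skip them.
    body = "".join(line.strip() for line in m.group(2).splitlines() if ":" not in line)
    return m.group(1), base64.b64decode(body, validate=True)


def classify_key(data) -> str:
    """Accepts PEM text (str or bytes) or raw DER bytes, as the key field does."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        return classify_der_key(data)
    if isinstance(data, bytes):
        data = data.decode("ascii")
    label, der = pem_to_der(data)
    structure = classify_der_key(der)
    if label == "PRIVATE KEY" and structure == "pkcs8":
        return "pkcs8"
    if label == "ENCRYPTED PRIVATE KEY" and structure == "pkcs8-encrypted":
        return "pkcs8-encrypted"
    return structure                      # label and structure disagree, or a legacy format


def accepted_as_pkcs8(data) -> bool:
    return classify_key(data) in ("pkcs8", "pkcs8-encrypted")


# --- constructed sample data (not real keys): DER skeletons with dummy key material ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content


def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


RSA_OID = bytes.fromhex("06092A864886F70D010101")                   # OID 1.2.840.113549.1.1.1 (rsaEncryption)
PKCS1_DUMMY = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00\xC0" + b"\x11" * 64) + _tlv(0x02, b"\x01\x00\x01"))
PKCS8_DUMMY = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, RSA_OID + b"\x05\x00") + _tlv(0x04, PKCS1_DUMMY))
ENCRYPTED_DUMMY = _tlv(0x30, _tlv(0x30, RSA_OID + b"\x05\x00") + _tlv(0x04, b"\x00" * 16))
```

A key that classifies as pkcs1-rsa or sec1-ec is converted with OpenSSL before upload, for example openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem (add -nocrypt only if the key is to be stored unencrypted; otherwise omit it and enter the passphrase in the Password field).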

Settings

Label Mandatory Description
Enable Certificate Authority No Not selected by default.

Table 9-99: Certificate Authority Settings

Label Mandatory Description
CRL Invalid Action No Set to Denied by default.

Table 9-100: Certificate Revocation Control

Label Mandatory Description
Address Yes Address of the CDP, entered in URL format.
Fetch Time Adjustment No Adjustment in seconds (-86,400 to 86,400) applied to the time at which revocation information is retrieved, relative to the scheduled fetch time. Set to 0 by default.
Update Time No Not selected by default.
Define interval for CRL retrieving (Yes) Interval in seconds (0-31536000) between CRL retrievals. Mandatory when Update Time is selected. Set to 3600 by default.
Retry Interval No Interval in seconds (0-31536000) between CRL retrieval attempts if the CRL cannot be obtained. Set to 300 by default.

Table 9-95: CRL Distribution Point Settings

Information
You should use OCSP for certificate revocation control when possible. If you specify both CRL and OCSP, the CRL check is performed first and, if the certificate is not found in the CRL, an OCSP request is performed as a secondary control.

Label Mandatory Description
Display Name Yes Unique name used in the system to identify the server certificate.
Certificate information Yes PEM formatted certificate.
Key Yes Private key for the certificate.
Password No Password to use if the key is encrypted.
CA Certificate No One or several CA certificates used to complete the entire certificate chain.

Table 9-101: Server Certificate Settings

Label Mandatory Description
Display Name Yes Unique name used in the system to identify the client certificate.
Certificate Yes PEM formatted certificate.
Key No Private key for the certificate.
Password No Password used when the key is encrypted.

Table 9-102: Client Certificate Settings


Device Definitions

About Device Definitions

In PortWise, devices are used in numerous settings, for example in access rules or in the global Access Point setting Device Control, which controls access for specific devices.
Devices are defined using device definitions, which define how the HTTP headers of a request are interpreted to identify a specific device. Access Points detect a device based on the HTTP headers it sends.
When creating access rules of the type Client Device, device definitions are used to protect a resource.
Device definitions are also used for Client Firewalls when creating incoming firewall rules (managed in the Manage Resource Access section).
Since HTTP headers are supplied by the client, a device definition identifies what a client claims to be, and anyone who controls the request can send whatever headers a definition expects. Use device definitions to adapt behaviour to the expected client, not as the only control protecting a resource.

Manage Device Definitions

You define a device by entering name=value pairs, where the name refers to an HTTP header and the value to the value of that header. The wildcard character * can be used and matches any sequence of characters.
One or several definitions can be entered, one per row.
When several rows are listed, the logical operation AND is applied between them automatically.
If you want to use the logical operator OR between definitions, enter a pipe symbol ‘|’ as a divider within a row.
When a row starts with an exclamation mark, ‘!’, the logical operator NOT applies to the entire row, that is, to the whole OR expression on that row.

Example
User-Agent=*MSIE*
!User-Agent=*opera* | User-Agent=*safari*
User-Agent=*netscape* | User-Agent=*mozilla*
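The AND/OR/NOT semantics of the definition syntax are shown below in an added example that evaluates the manual's own example definition against a few constructed requests; this is illustration code for this manual, not the Access Point's matcher. Case-insensitive value matching and the treatment of an absent header as a non-match are assumptions, since the manual does not state them.

```python
import re
from typing import Dict, List, Tuple

Row = Tuple[bool, List[Tuple[str, "re.Pattern[str]"]]]


def _wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Only * is a wildcard (any run of characters); everything else matches literally."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(regex, re.IGNORECASE)   # case-insensitive matching is an assumption


def parse_definition(text: str) -> List[Row]:
    """One row per line; '!' negates the whole row; '|' separates OR alternatives within a row."""
    rows: List[Row] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        negate = line.startswith("!")           # NOT applies to the entire row
        if negate:
            line = line[1:].lstrip()
        alternatives = []
        for alt in line.split("|"):             # OR within a row
            name, sep, value = alt.strip().partition("=")
            if not sep or not name.strip():
                raise ValueError("expected header=value, got: %r" % alt)
            alternatives.append((name.strip().lower(), _wildcard_to_regex(value.strip())))
        rows.append((negate, alternatives))
    return rows


def matches(rows: List[Row], headers: Dict[str, str]) -> bool:
    """AND over rows; a row is true when any alternative matches; '!' inverts the row.
    A header that is absent from the request never matches (assumed)."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for negate, alternatives in rows:
        hit = any(name in lowered and rx.fullmatch(lowered[name]) is not None
                  for name, rx in alternatives)
        if hit == negate:
            return False
    return True


# The definition from the manual's example, plus constructed sample requests.
EXAMPLE_DEFINITION = """
User-Agent=*MSIE*
!User-Agent=*opera* | User-Agent=*safari*
User-Agent=*netscape* | User-Agent=*mozilla*
"""

SAMPLE_REQUESTS = {
    "ie7":      {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"},
    "opera":    {"User-Agent": "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.00"},
    "opera-ie": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"},
    "no-agent": {"Host": "portal.example.com"},
}


def classify_requests(definition: str = EXAMPLE_DEFINITION, requests=SAMPLE_REQUESTS) -> Dict[str, bool]:
    rows = parse_definition(definition)
    return {name: matches(rows, hdrs) for name, hdrs in requests.items()}


if __name__ == "__main__":
    for name, result in classify_requests().items():
        print("%-9s %s" % (name, "matches" if result else "does not match"))
```

The "opera-ie" request is the case the negated row exists for: its User-Agent contains MSIE, so row 1 matches, but the Opera identification on the same line makes the NOT row fail and the whole definition false. It is also a reminder that the client chooses this header; a request with the "ie7" header copied verbatim matches regardless of what sent it.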


Settings
Label Mandatory Description
Display Name Yes Name used in the system to identify the device definition.
Definition Yes Conditions the device's HTTP headers must fulfil for the device to be identified.

Table 9-103: General Settings


Delegated Management

About Delegated Management

PortWise supports delegated management, enabling you to create different administrative roles with different privileges and responsibilities.
Each role can be assigned to one or several users stored in the registered user storage location.

Information
The roles Help Desk and Super Administrator are predefined roles, and they cannot be deleted.
Roles are used as alert receivers in the Monitor System section, Manage Alerts page.

Selected roles receive notification messages about selected alert events. If you plan to use a new role for alerts, you need to ensure that the selected users have registered e-mail addresses and/or cell phone numbers.
A role is assigned to administrators on the Administrators tab of the role.

Manage Delegated Management


Delegated management is managed through roles.
You can add any number of roles and assign them one or several of the pre-configured privileges available. All privileges
can be combined.
No privileges are selected by default.
Available privileges include:
• Help desk administration
Entitles the role to add, edit, and delete all settings saved for a user account
• User account management
Entitles the role access to all functionality available in the Manage Accounts and Storages section
• Resource management
Entitles the role to add, edit, and delete resources, both resource hosts and resource paths and to manage
Application Portal items
• Resource path management
Entitles the role to add, edit, and delete resource paths for selected resource hosts
• View logs
Entitles the role to view logs using the Log Viewer for all servers in the PortWise network
• Publish
Entitles the role to publish the updated configuration


Role Settings
Role settings are displayed in tabs representing the privileges selected. Each privilege has a separate set of settings available. The Add Role wizard is adjusted accordingly.
The privileges View logs and Publish have no settings of their own; they simply grant use of the View logs and Publish functionality respectively.
General settings and Administrators are common settings for all roles, and are described below:

Help Desk
Settings available for the predefined role Help Desk include:
• General Settings
This tab includes display name and description of the role as well as the option to add available privileges to
the role.
• User accounts
This tab includes the option to select user groups containing specific user accounts which the role will be
allowed to manage.
• Administrators
This tab includes the option to assign the role to existing administrators in user storage. You search for admin-
istrators by entering a user ID, the wildcard character * is allowed for a complete search.

Super Administrator
Settings available for the predefined role Super Administrator also include:
• General Settings
This tab includes display name and description of the role as well as the option to add available privileges to
the role.
• Administrators
This tab includes the option to assign the role to existing administrators in user storage. You search for admin-
istrators by entering a user ID, the wildcard character * is allowed for a complete search.

User Account Management

Settings available for roles with the User account management privilege include:
• General Settings
This tab includes display name and description of the role as well as the option to add available privileges to
the role.
• User accounts
This tab includes the option to select user groups containing specific user accounts which the role will be
allowed to manage.
• Administrators
This tab includes the option to assign the role to existing administrators in user storage. You search for admin-
istrators by entering a user ID, the wildcard character * is allowed for a complete search.


Resources
• General Settings
This tab includes display name and description of the role as well as the option to add available privileges to
the role.
• Resources
This tab includes the option to select registered resources which the role will be allowed to manage.
• Administrators
This tab includes the option to assign the role to existing administrators in user storage. You search for admin-
istrators by entering a user ID, the wildcard character * is allowed for a complete search.

Settings
Label Mandatory Description
Display Name Yes Unique name used in the system to identify the role.
Description No Can be used to give a more detailed description about the role.

Table 9-104: General Settings

Label Mandatory Description
Help desk administration No This privilege entitles the role to add, edit, and delete all settings saved for a user account. Not selected by default.
User account management No This privilege entitles the role access to all functionality available in the Manage Accounts and Storages section. Not selected by default.
Resource management No This privilege entitles the role to add, edit, and delete resources, both resource hosts and resource paths. Not selected by default.
Resource path management No This privilege entitles the role to add, edit, and delete resource paths for selected resource hosts. Not selected by default.
View logs No This privilege entitles the role to view logs using the Log Viewer for all servers in the PortWise network. Not selected by default.
Publish No This privilege entitles the role to publish the updated configuration. Not selected by default.

Table 9-105: Privileges

Label Mandatory Description
Select User Group Yes Select a user group among the registered groups to define the set of user accounts the role is entitled to manage.

Table 9-106: User Accounts

Label Mandatory Description
User ID Yes The wildcard character * is supported, representing any number of characters (including none). Select one or several users in the Search Result list.

Table 9-107: Administrators


Directory Services

About Directory Services

PortWise supports a number of directory services.
Available options are:
• Microsoft Active Directory
• OpenLDAP
• Sun Java System Directory Server
• Novell eDirectory
• Other or Customized configuration of listed directory services

Information
It is possible to choose not to use a directory service with PortWise, but this entails great limitations to PortWise functionality, since it eliminates the features associated with user storage and user accounts.

PortWise uses the directory service to store user accounts and the credentials used for authentication and authorization.
A directory service supporting LDAP, for storing user information for example, is recommended when using PortWise.
A directory service was initially configured in the Setup System wizard.
Please refer to the chapter Manage Accounts and Storage for further information on how PortWise uses the directory service.

Manage Directory Services

On the Manage Directory Service page, you set up the global settings for the directory service.
These settings include host and port, directory service administrator credentials, location DN, and time-out and retry options.
You also configure how the communication between the directory service and PortWise should work. When SSL is selected, the CA certificate that issued the directory server's certificate is required, so that PortWise can verify the server it connects to.
Please refer to your directory service manufacturer’s user manuals for details on managing your directory service.

General Settings
You need to specify the IP address or DNS name of the primary host, and you also have the option to set up a secondary host. A listening port is also required; usually this is 389 for LDAP and 636 for LDAP over SSL.
Directory service administrator credentials are also specified, for example a DN, ID, or similar, for an account with read and write permissions on the directory service from the specified location. This enables PortWise to read and store user information in the directory service. Since this account can modify every entry under the Location DN, give it no more rights than that subtree requires and do not reuse a domain administrator account for it.
To specify the Location DN, you can use the Show Tree functionality. This allows you to browse your directory service structure to the exact applicable location.
Furthermore, you specify the number of seconds, allowed range 1-300, that the Authentication Service waits for a connection before the Secondary Host is connected. This is set to 15 seconds by default.
The number of allowed retries for the Primary Host is set to 0 by default. When set to 0, each failed connection attempt to the Primary Host results in the Secondary Host being connected, provided a secondary host has been configured.
It is possible to change the type of directory service without re-installing or re-configuring PortWise.

Communication Settings
You set up the communication between the directory service and PortWise using the host and port specified in the General Settings section. To secure this communication, you have the option to use SSL with an associated CA certificate. When SSL is used, the CA certificate is required. Without SSL, the directory traffic, including the administrator account's bind credentials, is not protected on the network.
This is not configured by default.

Advanced Settings

Information
Advanced settings are only available if you have selected Other or Customized configuration of listed directory services.

You have the option to specify the Object Class used to store user accounts. Object classes control which attributes are required and allowed in an entry.

Example
organizationalUnit

Three attributes of the object class are specified:

Naming
The relative name (RDN attribute) of the object class. It holds the object ID that is automatically generated by the system.

Storing
The common object class attribute name used to store the attributes of the storage objects.

Example
searchGuide (for Active Directory)

It specifies the attribute name used for storing all property data. It is recommended that the LDAP attribute size is at least 5 kB or larger.

Unique name
The common object class attribute name used to store the unique name (or a unique ID) of the storage object.


Example
l (for locality)

Settings
Label Mandatory Description
Primary Host Yes IP address or DNS name of the primary directory service.
Secondary Host No IP address or DNS name of the secondary directory service.
Port Yes Listening port for the directory service.
Account Yes DN, ID or similar (depending on type of directory service) of an administrative account with read and write permissions on the directory service.
Password Yes Password for Account.
Location DN Yes Location where PortWise users are stored.
Time-out Yes Number of seconds (1-300) the Authentication Service waits for a connection before the Secondary Host is connected. Set to 15 by default.
Retries Yes Number of retries for the Primary Host. Set to 0 by default.
Enable change of directory service type No Not selected by default. It is strongly recommended that you do not change directory type if you have active accounts registered.
Directory Service Type Yes Available options are: Microsoft Active Directory, OpenLDAP, Sun Java System Directory Server, Novell eDirectory, Other or Customized configuration of listed directory services.

Table 9-108: General Settings

Label | Mandatory | Description
Use SSL | No | Protocol used for communication with user storage. Not selected by default.
CA Certificate | No | Available when Use SSL is selected.

Table 9-109: Communication Settings

Advanced Settings
Label | Mandatory | Description
Object Class | No | Name of the object class used to store PortWise users.
Naming Attribute | No | Relative name of the object class.
Storing Attribute | No | Common object class attribute name used to store the attributes of the storage objects.
Unique Name Attribute | No | Common object class attribute name used to store the unique name (or a unique ID) of the storage object.

Table 9-110: Advanced Settings


Notification Settings

About Notification Settings


Notification settings are the required SMS and e-mail configuration for PortWise to be able to distribute messages and
information.
The notification settings are the communication channels used for alert, OTP, password and PIN distribution, and seed
notifications. You configure channels for SMS and e-mail.

Manage Notification Settings

E-mail Channel Settings


You need to specify an e-mail channel in three cases:
• When the setting Notification is set to E-mail or E-mail and Screen on the user account
• As a global user account setting
• When E-mail has been selected as Notification Channel for alerts in Manage Alerts

A host and a port for the e-mail server are required, with default set to localhost and 25 respectively.
You also specify a sender’s e-mail address.

Example
admin@portwise.com

Settings
Label | Mandatory | Description
Enable e-mail channel | No | Not selected by default.
Host | Yes | IP address or DNS name of the server that sends PIN, password and seed to the receiver if Notification is set to E-mail for the user. Set to localhost by default.
Port | Yes | Port for the server. Set to 25 by default.
Sender's E-mail Address | Yes | Sender's e-mail address for the PIN/password message.

Table 9-111: E-mail Channel Settings

SMS Channel Settings


You need to specify an SMS channel in three cases:
• When the setting Notification is set to SMS or SMS and Screen on the user account
• As a global user account setting
• When SMS has been selected as Notification Channel for alerts in Manage Alerts

You can configure as many SMS channels as you need.

Each channel is handled by a plug-in (configured on the SMS plug-ins tab). The plug-ins delivered by default are:
• HTTP
• Netsize
• SMTP
• CIMD
• SMPP

Each of these plug-ins has different settings, depending on the requirements of the specific protocol.
It is also possible to write new plug-ins for integration with other gateway protocols.

Label | Mandatory | Description
URL | Yes | The URL of the HTTP Service.
Account | Yes | The service account used to log in to the HTTP Service.
Password | Yes | The password of the service account used to log in to the HTTP Service.
Use Basic Authentication | | Whether Basic Authentication should be used for this HTTP Service.
POST Data | No | The POST data that should be present in the HTTP POST.
Follow Redirects | No | Whether redirects should be considered in the response parsing.
Use HTTP 1.1 | No | Whether HTTP version 1.1 shall be used for the request. Selected by default.
User Agent | No | Specify a User Agent if the HTTP Service requires a particular User Agent.
Additional Headers | No | Specify additional headers if the HTTP Service requires particular headers to be present in the request.
Timeout | Yes | Time in milliseconds to wait for a response from the HTTP Server. Set to 10000 by default.
Connection Timeout | Yes | Time in milliseconds to wait for a connection to the HTTP Server. Set to 10000 by default.
Mobile Number Format tab
Remove | No | Characters that should be removed from the mobile number, e.g. +().
Replace prefix | No | If the prefix of the mobile number is incorrect for the service, it can be replaced with a new prefix, e.g. replace 00 with +. In this case, enter 00 as Replace prefix and + as New prefix.
New prefix | No | The new prefix that replaces the one matched by Replace prefix.
Response Parsing tab
Success Response Codes | | The HTTP response codes that indicate success. 200, 201, 202 selected by default.
Failure Response Codes | | The HTTP response codes that indicate failure. 400, 401, 402 selected by default.
Success Response Body | | Contents in the HTTP response body that indicate success.
Failure Response Body | | Contents in the HTTP response body that indicate failure.

Table 9-112: HTTP channel settings

Label | Mandatory | Description
Host Address | Yes | The IP address or DNS name of the Netsize Server.
Port | Yes | The port of the Netsize Server. Set to 2775 by default.
Client | Yes | The client account that should be used for the Netsize Service.
Account | Yes | The service account used to log in to the Netsize Service.
Password | Yes | The password of the service account used to log in to the Netsize Service.
Timeout | Yes | Time in milliseconds to wait for a response from the Netsize Server. Set to 15000 by default.
Message Class | | The Message Class for this message. Valid entries are: Default, Immediate Display (Flash), Store on Mobile Phone, Store on SIM, Store on Terminal Equipment. Please contact your Netsize vendor for further information about these settings.
Mobile Number Format tab
Remove | No | Characters that should be removed from the mobile number, e.g. +().
Replace prefix | No | If the prefix of the mobile number is incorrect for the service, it can be replaced with a new prefix, e.g. replace 00 with +. In this case, enter 00 as Replace prefix and + as New prefix.
New prefix | No | The new prefix that replaces the one matched by Replace prefix.

Table 9-113: Netsize channel settings

Label | Mandatory | Description
Host Address | Yes | The IP address or DNS name of the CIMD Server.
Port | Yes | The port of the CIMD Server. Set to 3000 by default.
Account | Yes | The service account used to log in to the CIMD Service.
Password | Yes | The password of the service account used to log in to the CIMD Service.
Timeout | Yes | Time in milliseconds to wait for a response from the CIMD Server. Set to 15000 by default.
Mobile Number Format tab
Remove | No | Characters that should be removed from the mobile number, e.g. +().
Replace prefix | No | If the prefix of the mobile number is incorrect for the service, it can be replaced with a new prefix, e.g. replace 00 with +. In this case, enter 00 as Replace prefix and + as New prefix.
New prefix | No | The new prefix that replaces the one matched by Replace prefix.

Table 9-114: CIMD channel settings

Label | Mandatory | Description
Host Address | Yes | The IP address or DNS name of the SMTP Server. Set to localhost by default.
Port | Yes | The port of the SMTP Server. Set to 25 by default.
Account | Yes | The service account used to log in to the SMTP Service.
Password | Yes | The password of the service account used to log in to the SMTP Service.
Start TLS | | Select this if TLS (Transport Layer Security) should be used.
Timeout | Yes | Time in milliseconds to wait for a response from the SMTP Server. Set to 10000 by default.
Close Socket | | Select this if the socket should be closed after communication.
Debug mode | | Select this if debug mode should be enabled.
Mobile Number Format tab
Remove | No | Characters that should be removed from the mobile number, e.g. +().
Replace prefix | No | If the prefix of the mobile number is incorrect for the service, it can be replaced with a new prefix, e.g. replace 00 with +. In this case, enter 00 as Replace prefix and + as New prefix.
New prefix | No | The new prefix that replaces the one matched by Replace prefix.
Message tab
To | No | The e-mail address that should be used.
To Personal | No | The friendly name placed in the To field.
From | No | The e-mail address used as the sender address.
From Personal | No | The friendly name placed in the From field.
Subject | No | The content of the Subject field.
Message Body | No | The content of the Message Body.

Table 9-115: SMTP channel settings

Label | Mandatory | Description
Host Address | Yes | The IP address or DNS name of the SMPP Server.
Port | Yes | The port of the SMPP Server. Set to 2775 by default.
Timeout | Yes | Time in milliseconds to wait for a response from the SMPP Server. Set to 15000 by default.
Keep Alive | No | Select this to keep the connection alive.
System ID | Yes | The service account used to log in to the SMPP Service.
Password | Yes | The password of the service account used to log in to the SMPP Service.
System Type | | Defines the System Type. Please see the SMPP Server documentation for more information.
Interface Version | Yes | The interface version. Set to 52 by default.
Address TON | | Please see the SMPP Server documentation for more information.
Address NPI | | Please see the SMPP Server documentation for more information.
Address Range | | Please see the SMPP Server documentation for more information.
Mobile Number Format tab
Remove | No | Characters that should be removed from the mobile number, e.g. +().
Replace prefix | No | If the prefix of the mobile number is incorrect for the service, it can be replaced with a new prefix, e.g. replace 00 with +. In this case, enter 00 as Replace prefix and + as New prefix.
New prefix | No | The new prefix that replaces the one matched by Replace prefix.
Submission Parameters tab
Please see the SMPP Server documentation for information on the settings on this tab.

Table 9-116: SMPP channel settings

Variables
The following variables can be used in all texts; they are replaced with the corresponding content from the user account. A variable is written in brackets and preceded by a dollar sign, e.g. [$user-mobile].

Variable Name | Description
message | The notification message that should be sent.
user-id | The ID of the user.
user-display-name | The display name of the user.
user-mobile | The mobile number of the user (processed).
user-mobile-raw | The mobile number of the user (unprocessed).
user-mail-address | The mail address of the user.
administrator-id | The ID of the administrator.
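As an added illustration (not code from the PortWise product), the following Python reproduces the two steps an SMS channel applies to a notification: the Mobile Number Format processing (Remove, Replace prefix, New prefix) that distinguishes [$user-mobile] from [$user-mobile-raw], and the [$variable] substitution described in the Variables table. The channel configuration, user account and message template are constructed samples, and the final sanity check on the normalised number is an addition here, not something the manual describes.

```python
import re

# Constructed sample of a channel's "Mobile Number Format" tab. Illustrative only.
CHANNEL_FORMAT = {
    "remove": "()- ",        # characters stripped from the mobile number
    "replace_prefix": "00",  # international prefix the gateway does not accept
    "new_prefix": "+",       # prefix that replaces it
}

# Constructed sample user account; the keys follow the manual's Variables table.
USER_ACCOUNT = {
    "user-id": "jsmith",
    "user-display-name": "John Smith",
    "user-mobile": "00-46-70-123 45 67",
    "user-mail-address": "jsmith@example.com",
}

# Constructed message template using the [$name] variable syntax.
BODY_TEMPLATE = "Hello [$user-display-name], your one-time password is [$message]."

VARIABLE_RE = re.compile(r"\[\$([a-z-]+)\]")


def format_mobile_number(raw: str, fmt: dict) -> str:
    """Apply the Mobile Number Format settings in the order the tab lists them:
    first remove unwanted characters, then replace the leading prefix."""
    number = raw
    for ch in fmt.get("remove", ""):
        number = number.replace(ch, "")
    old, new = fmt.get("replace_prefix", ""), fmt.get("new_prefix", "")
    if old and number.startswith(old):
        number = new + number[len(old):]
    # Added check (not from the manual): refuse to hand a malformed recipient
    # to the gateway instead of sending an OTP to an unpredictable destination.
    if not re.fullmatch(r"\+?[0-9]{6,15}", number):
        raise ValueError(f"mobile number {raw!r} normalised to invalid {number!r}")
    return number


def expand_variables(template: str, values: dict) -> str:
    """Replace every [$name] with its value. Unknown names are left in place so
    a typo in the template shows up in the result instead of vanishing."""
    return VARIABLE_RE.sub(lambda m: str(values.get(m.group(1), m.group(0))), template)


def build_sms(channel_fmt: dict, user: dict, message: str,
              administrator_id: str, template: str) -> dict:
    """Resolve the manual's variables for one user and render the SMS."""
    processed = format_mobile_number(user["user-mobile"], channel_fmt)
    values = {
        "message": message,
        "user-id": user["user-id"],
        "user-display-name": user["user-display-name"],
        "user-mobile": processed,                # after Mobile Number Format processing
        "user-mobile-raw": user["user-mobile"],  # as stored on the account
        "user-mail-address": user["user-mail-address"],
        "administrator-id": administrator_id,
    }
    return {"to": processed, "text": expand_variables(template, values)}


if __name__ == "__main__":
    print(build_sms(CHANNEL_FORMAT, USER_ACCOUNT, "482913", "admin", BODY_TEMPLATE))
```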


Policy Services

About Policy Services


The Policy Service makes access decisions, authenticates, audits, and validates certificates as well as digital signatures.
Clients communicating with Policy Service interact via different access channels such as the Web or WAP.

Figure 9-4: PortWise Network

The Policy Service makes the access decisions depending on access policies. These policies rely on who wants to have access, which resource or service the user is requesting, which communication channel the request comes through, and which authentication method is needed. In PortWise, these policies are called Access Rules.
Access rules protect resources by allowing or denying access, and by specifying the requirements for a particular user,
resource, or communication channel. Additionally, business related conditions can be customized for different services.
For example, only customers who are allowed credit are able to use the ordering function.
The Policy Service provides complete control over authentication, and supports several authentication methods, such as
static and dynamic passwords, PKI, and challenge-response.
A number of systems for authentication can be integrated, and products not managed directly by the Policy Service can
be integrated using the Extension Programming Interface (XPI).
The Policy Service can connect to multiple authentication systems and CAs. By using caching technology, the solution
can scale to serve a large amount of users while sustaining high performance.
In a traditional solution, the user is first authenticated and then the user information is connected followed by the log
information. The Policy Service works with the requested service or communication channel as a starting point. Thus,
the resource and channel constitute the requirements for access, regarding authentication method and its associated
roles for that particular resource or service.

Manage Policy Services


You add, edit, and delete Policy Services on the Manage Policy Services page in Manage System.

General Settings
Policy Service configuration includes display name as well as the following general settings.

Service ID
When a Policy Service is added to the system, a service ID is automatically generated. The service ID is displayed for the
Policy Service in the Registered Policy Services list on the Manage Policy Service page, as well as when editing the
Policy Service.
The service ID must be entered when the service is installed.

Internal Host
IP address or DNS name of the Policy Service, used for communication in the PortWise network. Avoid using the IP address 0.0.0.0 to listen on all local IP addresses. Instead, select the Listen on all interfaces check box.

Internal Port
Incoming port for the Policy Service. Set to 8301 by default.

Listen to All Interfaces

Specifies which interfaces the service listens on. When selected, the service listens on all local IP addresses. When not selected, the service only listens on the specified IP address. Not selected by default.

Distribute Key Files Automatically

Defines whether key files are automatically distributed from the Administration Service to the Policy Service after the Policy Service has been installed. Deselecting this option keeps the system more secure, but the administrator is then required to copy the key files manually. Selected by default.


XPI: Web Services


XPI (Extension Programming Interface) is the generic term for all PortWise public APIs. Currently PortWise offers four
different APIs:
• XPI: Web Services
A set of web services for authentication, authorization, user account and single sign-on value management.
• XPI: Authentication Methods
A framework for the development of custom authentication method plug-ins.
• XPI: End-Point Integrity
A framework for the development of custom End-Point Integrity plug-ins.
• XPI: Access Clients
A framework that enables third-party applications to use the PortWise Access Client functionality.

Please refer to the PortWise Extension Programming Interface (XPI) documentation available on the PortWise dashboard.
The XPI: Web Services settings include specifying host and incoming port. If XPI: Web Services is enabled, you define
which server certificate to use.

Settings
Label | Mandatory | Description
Service ID | No | Identification number automatically assigned to the Policy Service when it is created.
Display Name | Yes | Unique name used in the system to identify the Policy Service.
Internal Host | Yes | IP address or DNS name of the Policy Service, used for communication in the PortWise network.
Internal Port | Yes | Incoming port for the Policy Service. Set to 8301 by default.
Listen to all interfaces | No | Specifies what interfaces the service listens to. Not selected by default.
Distribute key files automatically | No | Selected by default.

Table 9-117: General Settings

Label | Mandatory | Description
Enable XPI: Web Services | No | Not selected by default.
Host | Yes | IP address or DNS name of XPI: Web Services. Set to 127.0.0.1 by default.
Port | (Yes) | Defines the incoming port for XPI: Web Services. Set to 443 by default.
Server Certificate | (Yes) | Lists registered server certificates. Mandatory when Enable XPI: Web Services is selected.

Table 9-113: XPI Settings

Manage Global Policy Service Settings

Communication Settings
The global settings for Policy Services include:
• Interval for checks for timed-out sessions
• Life-time in cache for a user
• Heartbeat interval for status checks
• Limit for the number of missing heartbeats before the Policy Service re-connects to the network, if the server has not answered the status request. Missing Heartbeat Limit and Heartbeat Interval together give a default time of 2 minutes (12x10 seconds).
• Option for the Policy Service to send a cache specification to the Access Point, so that the Access Point can cache authorization decisions

Information
These settings apply to the entire PortWise network.

Settings
Label | Mandatory | Description
Time-out Check Interval | Yes | Interval in seconds (0-3600) at which checks for timed-out sessions are performed. Set to 1 by default.
User Life Time in Cache | Yes | Number of seconds (0-31536000) a user is cached before being reloaded from storage (regardless of user activity). Set to 900 by default.
Heartbeat Interval | Yes | Interval in seconds (1-30) at which status checks are performed. Set to 10 by default.
Missing Heartbeat Limit | Yes | Number of missing heartbeats allowed (1-100) before the Policy Service re-connects to the network, if the server has not answered the status request. Set to 12 by default.
Send cache specification | No | Selected by default.

Table 9-114: Global Policy Service Settings


RADIUS Configuration

About RADIUS Configuration


The RADIUS protocol is supported by the PortWise authentication methods.
Mobile ID authentication refers to the Authentication Service and the PortWise authentication methods Web, Mobile Text, Challenge, Synchronized, and Password.
A RADIUS client is the client connecting to a RADIUS server for authentication. Usually, the RADIUS server is the Authentication Service, but it can proxy the access request to another authentication server, depending on which authentication method is being used. The PortWise authentication methods support the RADIUS protocol. A RADIUS client can be the Policy Service, a firewall, or the RADIUS plug-in for the Policy Service.
The Policy Service is a RADIUS client with pre-configured settings. You can configure other RADIUS clients to connect to the Authentication Service for authentication.
If the Authentication Service is used with the Policy Service as a RADIUS client, you need to configure PortWise authentication methods in the Policy Service.
User groups are sent as a RADIUS attribute. Based on access rules of the type user group membership, the RADIUS client performs the access control.

RADIUS Back-end Servers


RADIUS back-end servers refer to authentication servers handling third-party authentication methods.
The Authentication Service can proxy access requests to one or several back-end servers.
A back-end server can be an RSA SecurID Server, for example.

Manage RADIUS Configuration


You can view, add, edit, and delete RADIUS clients that connect to the Authentication Service for authentication, as well
as to RADIUS back-end servers. Use the Manage RADIUS Back-End Servers page to add, edit, or delete back-end
servers used when the Authentication Services proxy authentication requests from unidentified users to other RADIUS
servers.


RADIUS Client Settings


The General Settings for the RADIUS client include IP address and a shared secret between the RADIUS client and the
Authentication Service.
You can also specify three different attributes:
• Accept
These attributes are sent to the RADIUS client as a response together with the Accept. Accept Attributes must
be specified in key-value pairs connected with an equal sign =.
Integer values can be entered either in decimal form (8192) or in hexadecimal form (0x2000).
• Challenge
These attributes are sent to the RADIUS client as a response together with Challenge. Challenge attributes
must be specified in key-value pairs connected with an equal sign =.
Integer values can be entered either in decimal form (8192) or in hexadecimal form (0x2000).
• Reject
These attributes are sent to the RADIUS client as a response together with Reject. Reject Attributes must be
specified in key-value pairs connected with an equal sign =.

Example
User-Name=John Smith
NAS-IP-Address=127.0.0.3
NAS-Port=8192
Integer values can be entered either in decimal form (8192) or in hexadecimal form (0x2000).
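An added example (not PortWise code) of validating an Accept, Challenge or Reject attribute block before it is saved, following the format the page gives: one Key=Value pair per line, with integer values in decimal (8192) or hexadecimal (0x2000). The attribute type table is an assumption built from the three attributes in the example above plus a few standard RFC 2865 attributes; the checks for unknown names, duplicate keys, the 32-bit integer range and the 253-octet string limit are the validation a practitioner would want before the values reach the RADIUS client.

```python
import ipaddress

# Assumed type table: the manual's example attributes plus a few standard
# RFC 2865 attributes an administrator might configure in a reply.
ATTRIBUTE_TYPES = {
    "User-Name": "string",
    "Reply-Message": "string",
    "Filter-Id": "string",
    "NAS-IP-Address": "ipaddr",
    "Framed-IP-Address": "ipaddr",
    "NAS-Port": "integer",
    "Session-Timeout": "integer",
    "Idle-Timeout": "integer",
}

MAX_STRING_OCTETS = 253  # maximum length of a RADIUS attribute value (RFC 2865)


def parse_integer(text: str) -> int:
    """Accept the decimal (8192) or hexadecimal (0x2000) forms the manual allows
    and enforce the 32-bit range of a RADIUS integer attribute."""
    text = text.strip()
    value = int(text[2:], 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"integer attribute value {text} is outside 0..2^32-1")
    return value


def parse_reply_attributes(block: str) -> dict:
    """Parse one Accept/Challenge/Reject attribute block (Key=Value per line)
    into a dictionary of validated, typed values."""
    attrs = {}
    for lineno, line in enumerate(block.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected Key=Value, got {line!r}")
        key, raw = (part.strip() for part in line.split("=", 1))
        kind = ATTRIBUTE_TYPES.get(key)
        if kind is None:
            raise ValueError(f"line {lineno}: unknown attribute {key!r}")
        if key in attrs:
            raise ValueError(f"line {lineno}: attribute {key!r} given twice")
        if kind == "integer":
            attrs[key] = parse_integer(raw)
        elif kind == "ipaddr":
            # Rejects anything that is not a well-formed IPv4 address.
            attrs[key] = str(ipaddress.IPv4Address(raw))
        else:
            if len(raw.encode("utf-8")) > MAX_STRING_OCTETS:
                raise ValueError(f"line {lineno}: {key} exceeds {MAX_STRING_OCTETS} octets")
            attrs[key] = raw
    return attrs


# The manual's own example block, with NAS-Port written in the hexadecimal form.
EXAMPLE_ACCEPT_ATTRIBUTES = """\
User-Name=John Smith
NAS-IP-Address=127.0.0.3
NAS-Port=0x2000
"""

if __name__ == "__main__":
    print(parse_reply_attributes(EXAMPLE_ACCEPT_ATTRIBUTES))
```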

Settings
Label | Mandatory | Description
Client IP | Yes | IP address of the RADIUS client.
Shared Secret | Yes | Shared secret between the RADIUS client and the Authentication Service.
Verify Shared Secret | Yes | Verification of Shared Secret.

Table 9-115: General Settings

Label | Mandatory | Description
Accept Attributes | No | Attributes sent to the RADIUS client as a response together with Accept.
Challenge Attributes | No | Attributes sent to the RADIUS client as a response together with Challenge.
Reject Attributes | No | Attributes sent to the RADIUS client as a response together with Reject.

Table 9-116: Attributes

Manage RADIUS Back-End Servers


RADIUS back-end servers refer to authentication servers handling third-party authentication methods. The Authentication Service can proxy access requests to one or several back-end servers. A back-end server can be an RSA SecurID Server, for example.

Information
Remember to select the Proxy unknown users check box on the Manage RADIUS
Authentication Settings page.

The RADIUS back-end server general settings include host (IP address or DNS name), port, and a display name for the back-end server.
You are required to specify the time in milliseconds (1000-99000) the Authentication Service waits for a back-end server reply before trying to connect to the next back-end server in the list.
You also need to specify a shared secret between the RADIUS back-end server and the Authentication Service.

Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the back-end server.
Host | Yes | IP address or DNS name of the back-end server.
Port | Yes | Port for the back-end server. Set to 1812 by default.
Time-out | Yes | Time in milliseconds (1000-99000) the Authentication Service waits for a back-end server reply before trying to connect to the next back-end server in the list. Set to 5000 by default.
Shared Secret | Yes | Secret shared between the Authentication Service and the back-end server.
Verify Shared Secret | Yes | Verification of Shared Secret.

Table 9-117: General Settings


MANAGE OATH CONFIGURATION


About OATH Configuration
On this page you manage various OATH (Open Authentication) configurations. These include import of tokens from file,
backup and restore of OATH database, configuration of scheduled backups, and configuration of the OATH database
connectivity.

Import
In this section you can import the file containing the seed and counter data for the hardware tokens that will be
used by your users. The first import alternative should be used when you receive tokens from a new provider. Use
the second alternative to add new tokens to an existing provider.

When importing new token data, the import parameters should have been handed to you by the token provider. These include the delimiter separating the attributes (fields) and the positions of token ID, seed, and counter in the file. If the seed and counter are base64 encoded, the corresponding check box must be selected. When importing to an existing provider, the new tokens must have token IDs that do not conflict with those already in the database. If you enter a provider name that already exists in the database, the tokens are appended to that provider's list.

An example of a row in a token file. Note that we choose to ignore the data at position 1 below.
Example
00000100:8:3132333435363738393031323334353637383930:0

Delimiter: ':'
TokenId Position: 0
Seed Position: 2
Counter Position: 3


OATH IMPORT Settings

Label | Mandatory | Description
Provider Name | Yes | Descriptive and unique name of the OATH token provider.
OTP Length (digits) | (Yes) | Length of the generated OTP, as required by the provider. Allowed values are between 6 and 8.
Delimiter | Yes | Symbol(s) separating fields in the token file.
TokenId Position | Yes | The field position of TokenId within the token file, the first column being 0.
Seed Position | Yes | The field position of Seed within the token file, the first column being 0.
Counter Position | Yes | The field position of Counter within the token file, the first column being 0.
Token File | Yes | File containing OATH tokens, one token per row, with fields separated by the Delimiter symbol(s).
Base64 Encoded | Yes | Selected when seed and counter are base64 encoded.

Table 9-118: OATH Import Settings
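An added worked example (not PortWise's own import code) that reads the example token row above with the positions from the import settings, then computes and verifies RFC 4226 HOTP values from the recovered seed and counter. The hex seed in the manual's row is the RFC 4226 test secret "12345678901234567890", so the generated codes can be checked against the RFC's test vectors. The second token row, the big-endian reading of a base64-encoded counter, the duplicate-ID rejection and the look-ahead verification are assumptions of this example.

```python
import base64
import hashlib
import hmac

# Constructed token file: the manual's example row plus one more constructed
# token. Delimiter ':', TokenId position 0, Seed position 2, Counter position 3;
# position 1 is ignored, as in the manual. Seeds are hex-encoded.
SAMPLE_TOKEN_FILE = """\
00000100:8:3132333435363738393031323334353637383930:0
00000101:8:3132333435363738393031323334353637383930:5
"""


def parse_token_file(text, delimiter, token_pos, seed_pos, counter_pos,
                     base64_encoded=False):
    """Read one token per row, selecting fields by position as the import page
    does. Returns {token_id: [seed_bytes, counter]}. Duplicate token IDs are
    rejected because the manual warns they must not conflict."""
    tokens = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(delimiter)
        try:
            token_id = fields[token_pos]
            seed_field = fields[seed_pos]
            counter_field = fields[counter_pos]
        except IndexError:
            raise ValueError(f"line {lineno}: fewer fields than the configured positions")
        if base64_encoded:
            # Assumption: a base64-encoded counter is a big-endian unsigned integer.
            seed = base64.b64decode(seed_field, validate=True)
            counter = int.from_bytes(base64.b64decode(counter_field, validate=True), "big")
        else:
            seed = bytes.fromhex(seed_field)
            counter = int(counter_field)
        if token_id in tokens:
            raise ValueError(f"line {lineno}: duplicate token ID {token_id}")
        tokens[token_id] = [seed, counter]
    return tokens


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, then the last `digits` decimal digits (OTP Length is 6-8)."""
    if not 6 <= digits <= 8:
        raise ValueError("OTP Length must be between 6 and 8")
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(tokens: dict, token_id: str, otp: str, window: int = 10,
                digits: int = 6) -> bool:
    """Check an OTP against the stored counter within a look-ahead window.
    On success the counter moves past the used value, so the same OTP cannot
    be replayed; this update is why the OATH database changes at every login."""
    seed, counter = tokens[token_id]
    for candidate in range(counter, counter + window):
        if hmac.compare_digest(hotp(seed, candidate, digits), otp):
            tokens[token_id][1] = candidate + 1
            return True
    return False


if __name__ == "__main__":
    db = parse_token_file(SAMPLE_TOKEN_FILE, ":", 0, 2, 3)
    seed, counter = db["00000100"]
    print(hotp(seed, counter))  # 755224, the RFC 4226 test vector for counter 0
```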

Confirm
Before importing, a brief preview page of what will be imported is shown. The first part of the page shows the entered data: Provider Name, OTP Length, Delimiter, and whether seed and counter are base64 encoded. The second part shows a row from the file and how token ID, seed, and counter are read from its columns, giving you a chance to stop the import if the positions entered were incorrect.

Import and Result


During import the progress is shown. Leaving this page during import is strongly discouraged since it will prevent
the import from completing and could negatively impact performance of Administrator and Authentication
Services. When the import has completed, a summary of the import is displayed with number of processed tokens,
successful and failed. For more detailed information on the import result see the log files for Administrator and
Authentication Services.

Backup OATH Database


The OATH database is automatically scheduled for backup, but you may also do an on-demand backup. The manual backup is mainly intended for use when migrating from an internal database to an external one. Since the OATH database changes very frequently (every time a user successfully logs in), the freshness of a manual backup cannot be guaranteed.


OATH BACKUP Settings

Label | Mandatory | Description
Backup reason | Yes | A comment on the reason for this backup. This comment is displayed next to the backup file name on the restore page, e.g. "migrating to another DB".

Table 9-119: OATH Backup Settings

Configure OATH Backup Scheduling


To help keep a regular backup of the OATH database PortWise Administrator can be configured to do scheduled
backups, which is enabled by default. Disabling this feature is not recommended since hardware tokens will be
useless in the case of database failure. However, you can disable this feature if an external database is used and
the backups are handled by that DBMS.

Note that backups are resource-consuming. Therefore, it is recommended to run them at the time of day with the least load on the system. When deciding how frequently to run backups, you may use this formula as a guideline: divide the "look-ahead window size" setting by the average number of user log-ons per day.

To avoid flooding the system with backup files, rollover is used. Depending on the backup interval, the number of
useful backups can vary. Finally, to guarantee backups in the event of a system failure, remember to include the
backup directory ({PortWise Administrator}/plugins/root/download/oath/backup/scheduled) in the system backups.

OATH BACKUP SCHEDULING Settings

Label | Mandatory | Description
Enabled | Yes | Enable or disable scheduled backups.
Time of day | Yes | Backups start at this time. 24-hour format, hh:mm.
Interval in days | Yes | How often the backups should be done.
Backups to keep | Yes | The number of backups to keep. Set to 0 to disable rollover, i.e. keep all backups.

Table 9-120: OATH Backup Scheduling Settings

Restore OATH Database


You can restore the database from three different sources:
• from a list of scheduled backups
• from the latest manual backup file
• from an arbitrary manual backup file stored externally


When clicking ‘Continue’ you will be prompted with a confirmation page.

OATH Database Connection


There are scenarios in which the built-in database used by default in PortWise can be insufficient, e.g. when the storage requirements surpass the capabilities of the built-in database, or when more than one Authentication Service is used for load balancing or high availability.
It is possible to change which database PortWise uses for storing its OATH-related data.
After changes to the database connectivity settings have been published, the Authentication Service must be restarted, because the Authentication Service only reads its database settings on startup.

Settings

Label | Mandatory | Description
Dialect | Yes | The Hibernate database dialect.
URL | Yes | The URL to the database.
Driver | Yes | The driver used for the database, e.g. a JDBC driver.
User | Yes | Database user used for logging in to the database.
Password | No | The password associated with the User parameter above. The password can be an empty string.
Confirm Password | (Yes) | Confirmation of the password. This must exactly match the text entered in the Password field. (Required if the Password field is used.)

Table 9-121: OATH Database Connectivity Settings


10
Glossary

A
Access Rules
Define specific requirements for access to resources and SSO domains. The access rules can be used in combination for
more detailed access control. Example: (access rule A AND access rule B) AND (Access rule C OR access rule D).
ASCII
American Standard Code for Information Interchange. Standard 8 bit code used in data communications. Many files
interchanged from one software program to another and from IBM to Mac formats go through translation into ASCII.
ASN.1
Abbreviation for Abstract Syntax Notation One, a standard notation describing data structures for representing, encoding, transmitting, and decoding data. ASN.1 provides a set of formal rules for describing the structure of objects that are independent of machine-specific encoding techniques.
Authentication
The process of verifying the identity of an individual connecting to a system. Identities are verified through different
authentication methods. See also: Authentication Method, Access Rules
Authentication Method
A procedure used to perform authentication. Different authentication methods provide different levels of proof when
identifying a user connecting to a system: from verifying basic static passwords to handling complex combinations of
challenges, encryption keys, and passwords. See also: Authentication
Authentication Server
A server used in application access control. For access to specific network resources, the server may itself store user permissions and company policies or provide access to directories that contain the information. Examples of authentication servers are PortWise 4.7 Authentication Service, SecurID and SafeWord. See also: Authentication
Authorization
The process of granting or denying access to a system resource. See also: Authentication Method, Access Rules


B
BankID
BankID is a service that offers secure electronic identification and signature on the Internet, which is now legally binding
in the EU. The service has been developed by a number of large banks for use by members of the public, authorities,
companies, and other organizations.
Base64
A method of encoding binary data sent as an attachment through email. Base64 encoding divides three bytes of data
into four bytes of ASCII text, making the resulting file size approximately 33% larger.
Base DN
Identifies the root node in the LDAP data store under which the user data is stored.

C
CA
Abbreviation for Certificate Authority, a trusted third-party organization or company that issues digital certificates. The
role of the CA is to validate the identity of the individual holding the certificate and to sign the certificate so that it
cannot be forged.
CA Certificate
Abbreviation for Certificate Authority Certificate, a certificate that identifies a certification authority. CA certificates
are used to decide whether to trust certificates issued by the CA, for example when a Web browser validates a server
certificate.
Cipher
A cryptographic algorithm used to encrypt and decrypt files and messages.
Client Certificate
An attachment to an electronic message used for security purposes. Client certificates are associated with user accounts to authenticate users and give access to protected resources.
CDP
Abbreviation for Control Distribution Point.
Client Device
The software of a client that communicates with the server. The client device may include the operating system, plug-ins, specific configurations and the proxies/gateways that the client communicates through. Examples of client devices are: Netscape 7, Windows, Macintosh, Internet Explorer and WAP-phone. A client device may be a combination of entities. For example, this combination may be present for a single device: Windows, Internet Explorer and Internet Explorer 6.
CRC
Abbreviation for Certificate Revocation Control. A control performed by the system to make sure that the user certificate
is not revoked.
CRL
Abbreviation for Certificate Revocation List. A document maintained and published by a certification authority that lists
certificates that have been revoked.


CVC
Abbreviation for Certificate Authority Validity Control, a control performed by the system on the user certificate to verify
that a trusted CA has issued the User Certificate.

D
Delegated Management
A feature used to delegate administration of user accounts and resources to multiple administrators with different privileges and responsibilities.
DER
Abbreviation for Distinguished Encoding Rules, used to encode ASN.1 objects for a consistent encoding using a binary
format. Microsoft Internet Explorer understands certificates downloaded in this format. See also: ASN.1
Device
See Client Device
Digital Certificate
Digital certificates are used to identify people and resources over networks such as the Internet. Digital certificates enable secure communication between two parties. A trusted third-party organization or company, the Certificate Authority, issues certificates. The certificate contains the public key and the name of its owner. The user certificate also carries the digital signature of a Certification Authority to verify its integrity. See also: CA
Directory Service
A directory of names, profile information and machine addresses of every user and resource on the network. It is used
to manage user accounts and network permissions. When sent a user name, it returns the attributes of that individual,
which may include a telephone number as well as an e-mail address. Directory services use highly specialized databases
that are typically hierarchical in design and provide fast lookups.
Directory Service User Group
A user group containing all users belonging to a certain user group defined in an existing directory service.
Display Name
Defines the unique name used in the system to identify an object.
Distribution Channel
The media channel through which information is sent. For example, MobileID can send information via SMS or SMTP.
DMZ
Abbreviation for Demilitarized Zone, a middle ground between an organization’s trusted internal network and an untrusted, external network such as the Internet. It is recommended that the Access Point is placed in the DMZ.
DN
Abbreviation for Distinguished Name, used as the primary key for entries in directory services. For example, the DN of the location where users reside in the directory service could be cn=users,dc=mycompany,dc=com.
DNS
Abbreviation for Domain Name System, a name resolution system that allows users to locate computers on a Unix network or the Internet (TCP/IP network) by domain name. The DNS server maintains a database of domain names (host names) and their corresponding IP addresses. For example, if www.mycompany.com was presented to a DNS server, the IP address 204.0.8.51 would be returned.

E
Encryption
Any procedure used in cryptography to convert plaintext into ciphertext in order to prevent anyone except the intended
recipient from reading that data.

F
Firewall
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. The firewall is normally installed at the point where network connections enter a site, in the zone normally called the DMZ.
FTP
Abbreviation for File Transfer Protocol, a protocol used to transmit files between computers on the Internet. See also:
TCP

H
Host
A computer, for example a server, that acts as a source of information or signals. It is connected to a TCP/IP network,
including the Internet. A host has a specific local or host number that, together with the network number, forms its
unique IP address.
HTTP
Abbreviation for HyperText Transfer Protocol, a protocol used to transmit files over the World Wide Web.
HTTPS
Abbreviation for HTTP with SSL encryption for security. See also: HTTP, SSL

L
LDAP
Acronym for Lightweight Directory Access Protocol, a client-server protocol for accessing and managing directory information.
Log Levels
Indicate the severity of a message stored in a log: fatal, warning, info, or debug.


M
MIME
Abbreviation for Multipurpose Internet Mail Extensions. A protocol for Internet e-mail that enables the transmission of
non-text data such as graphics, audio, video and other binary types of files.

N
NTLM
Abbreviation for NT LAN Manager, a protocol used for authentication.

O
OATH
OATH (Open AuTHentication) is an authentication method that uses OTPs for authentication. The OTPs are generated from a seed and a counter.
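As an added example that is not part of the PortWise manual, the following Python implements the OATH HOTP algorithm (RFC 4226), which derives a one-time password from a shared seed and a moving counter, together with a server-side check that rejects already-used codes. The seed is the RFC 4226 test vector; the look-ahead window size is an assumption.

```python
"""Added example (not from the PortWise manual): OATH HOTP (RFC 4226)
generation from a seed and a counter, plus a replay-rejecting verifier."""
import hmac
import hashlib
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Compute the OATH HOTP value for a seed and counter (RFC 4226)."""
    # The counter is an 8-byte big-endian integer; HMAC-SHA1 is keyed by the seed.
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last byte select a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state: the seed and the next counter value expected.

    A look-ahead window (assumed size) tolerates a client that generated codes
    without submitting them. Codes at or below the last accepted counter are
    rejected, so a captured OTP cannot be replayed."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed = seed
        self.counter = 0          # next counter value expected from the client
        self.look_ahead = look_ahead

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.counter = c + 1  # resynchronise; older codes are now invalid
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 test seed (ASCII "12345678901234567890"); counter 0 gives 755224.
    seed = b"12345678901234567890"
    print([hotp(seed, c) for c in range(3)])
```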
OpenSSL
An open source implementation of the SSL and TLS protocols. See also: SSL, TLS
OU
Abbreviation for Organizational Unit, a standard naming attribute used in LDAP. See also: LDAP

P
PEM
Acronym for Privacy Enhanced Mail, a standard for secure e-mail on the Internet. It supports encryption, digital signatures and digital certificates as well as both private and public key methods.
PIN
Acronym for Personal Identification Number. A private code used for identification of an individual.
PKI
Abbreviation for Public Key Infrastructure, a framework for creating a secure method for exchanging information based
on public key cryptography.
Port
A port is usually an interface through which data are sent and received.
Proxy
A server that is placed between a client application, such as a Web browser, and a real server. It intercepts all requests
to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.


R
RADIUS
Acronym for Remote Authentication Dial-In User Service, the de facto standard protocol for authentication servers.
RADIUS uses a challenge/response method for authentication.
Resource
A corporate application users can access from a remote location. Available resource types in PortWise 4.7 are Web
resources, tunnel resources, file share resources and customized resources.
Resource Host
Defines the computer where the resource is deployed. A resource host is identified through its unique IP address. A Web
resource host or customized resource host can have one or several paths connected to it.
Resource Path
Defines the route to a specific part of the web resource host or customized resource host, for example http://www.resourcehost.com/path/, where the resource path defines a subset of the resource host. Resource paths are defined when user access should be restricted to that specific subset only.

S
SAML
Acronym for Security Assertion Markup Language, an XML standard for exchanging authentication and authorization
data between an identity provider and a service provider. PortWise 4.7 supports SAML 2.0.
Seed
An initial value used to generate pseudorandom numbers. Used when authenticating with PortWise Challenge for
example.
Server Certificate
Server certificates ensure that communication between clients and application servers is secure and private. The clients
use the server certificate to authenticate the identity of the server and to encrypt information for the server, using SSL.
Shared Secret
A shared secret is used, for example, between the Authentication Service and a RADIUS client to mask passwords used
in authentication. The shared secret is set manually by the Administrator.
SMS
Abbreviation for Short Message Service, a service for sending messages of up to 160 characters (224 characters if using
a 5-bit mode) to cell phones that use Global System for Mobile (GSM) communication.
SMPP
Abbreviation for Short Message Peer-to-Peer protocol. SMPP is a telecommunications industry protocol for exchanging
SMS messages between SMS peer entities such as short message service centres.
SSL
Acronym for Secure Sockets Layer, a commonly used protocol for managing the security of a message transmission on
the internet. SSL uses the public- and private-key encryption system, which includes the use of a digital certificate.


SSO
Abbreviation for Single Sign-On, the ability for users to log on once to a network and be able to access all authorized
resources. A single sign-on program accepts the user’s name and password and automatically logs on to all appropriate
servers.
SSO Domain
A collection of resources that share the same logon credentials. A user can have logon credentials for several SSO
domains.

T
TCP
Abbreviation for Transport Control Protocol, a transport layer protocol that moves data between applications as multiple packets. See also: FTP
TLS
Abbreviation for Transport Layer Security, a protocol intended to secure and authenticate communications across public networks by using data encryption. See also: SSL
Tunneling
A technology that enables a network to send its data via another network’s connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. Tunnels are often used to transmit non-IP protocols across IP networks.

U
UDP
Abbreviation for User Datagram Protocol, a transport layer protocol for the Internet. It is a datagram protocol which
adds a level of reliability and multiplexing to IP datagrams. It is defined in RFC 768.
URI
Abbreviation for Uniform Resource Identifier, a formatted string that serves as an identifier for a resource, typically on
the Internet. URIs are used in HTML to identify the anchors of hyperlinks. URIs in common practice include URLs. See
also: URL
URL
Abbreviation for Uniform Resource Locator, a unique, identifying address of any particular page on the Web. See also:
URI
User Certificate
See Client Certificate
User Group
A collection of users which share the same properties regarding access rights. There are three types of user groups: User
Location Group, User Property Group and Directory Service User Group.
User Location Group
A user group which contains all users located under a specific node in the directory tree.


User Property Group
A user group which contains all users with a specific user attribute.
User Storage
A directory service containing information about users, user groups, and user certificates.

W
WAP
Acronym for Wireless Application Protocol. A set of communication protocol standards to enable access to online services from a cell phone.

X
X.509
A specification for digital certificates published by the ITU-T (International Telecommunications Union - Telecommunication). It specifies information and attributes required for the identification of a person or system.


Colophon
The PortWise Manual is a collaborative effort from many talented people, bringing together their collective
knowledge and expertise to bring you the PortWise Manual.
PortWise is always interested in feedback from our users. Please direct comments or questions to the PortWise
Documentation Team at documentation@portwise.com. Please include PortWise Manual in the subject line
in your e-mail.


For additional information about PortWise, its products, or to
find the location of an office near you, please visit our web site
at www.portwise.com or e-mail us at info@portwise.com.

P/N: 700-180500-100
