Citrix WinView Application Note
Communication Devices Inc. (CDI) SafeGuard Security Solution
(UniGuard, QuadGuard, MultiGuard and MegaGuard)

This application note is for informational use only and Citrix makes no representations or warranties with respect to the contents or use of this document or of any third-party products discussed within.

(December 5, 1994)

Citrix Systems
210 University Drive
Suite 700
Coral Springs, FL 33071
Phone (305) 755-0559
FAX (305) 341-6880

Overview:
---------
This application note describes the configuration of the CDI SafeGuard Security solution with Citrix "WinView for Networks" Application Server Software.

The CDI SafeGuard Security product line is a hardware/software security device that protects computer resources from access by unauthorized users by using the DES (Data Encryption Standard) to encrypt user passwords uniquely for each session. The CDI SafeGuard product line provides Caller Authentication, Access Control and Modem Management for dial access systems.

The system is comprised of several components:

1. CDI SafeGuard hardware module (UniGuard, QuadGuard, MultiGuard or MegaGuard) - a highly secure communications controller that connects between the "WinView for Networks" server and the modem bank. This hardware provides a "Firewall" of protection.

2. WinGuard - a Windows based software utility used by a remote caller. The software operates in conjunction with CDI's Tokens to communicate with a CDI SafeGuard family product.

3. DosGuard - a DOS based software utility used by a remote caller. The software is RLINK compatible and operates in conjunction with CDI's Tokens to communicate with a CDI SafeGuard family product.

4. TokenMaster - a software utility which programs the DES Tokens and SofTokens and loads user information, along with the encryption keys, into the database of the SafeGuard device.

Together the CDI SafeGuard product line and programmable hardware and software tokens form a system that recognizes, encrypts, prevents, and records all unauthorized attempts at entry to a WinView Application Server, while access for valid users remains quick and easy. The system is easy to install, upgrade and network to multiple locations.

Disclaimer:
-----------
The scenarios described in this document have been tested by Citrix Systems. Other variations to the scenarios described in this document may work; however, they have not specifically been tested by Citrix. In order to recreate the configurations, you should use the specified revision levels of all software products described in this document and stay within the bounds of the features and functions described in this document.

Please note that this application note is a living document and will be modified as new information and versions of the software described herein become available. Make sure you have the latest version of this document before you begin. The latest version is always available in the Citrix Forum on CompuServe.

Requirements:
-------------
1. Citrix WinView for Networks Version 2.21 or higher

2. CDI SafeGuard Product family
   A. One or more of the following SafeGuard family products:
      1. UniGuard - 1 pair of ports
      2. QuadGuard - 4 pairs of ports
      3. MultiGuard - 1 to 16 pairs of ports per rack
      4. MegaGuard - 1 to 48 pairs of ports per rack
   B. WinGuard, DosGuard, hardware tokens and software tokens are optional, as per your business requirements.
   C. TokenMaster software utility, which programs the DES Tokens and SofTokens and loads user information, along with the encryption keys, into the database of the SafeGuard device.

Setup:
------
Install WinView as per the WinView Installation Manual. Connect terminals and remote PCs as per the WinView Administration Manual, without the CDI product, to assure working configurations.

Note: For asynchronous connectivity, modems or direct connect, it is recommended that the WinView Application Server be equipped with an intelligent multiport board such as a DigiBoard X/em series unit.

There are 5 connectivity scenarios described utilizing the CDI SafeGuard product line and tokens:

1. PC connected to a WinView Application Server via Modems. (Secure Call Thru)
2. PC connected to a WinView Application Server via Modems. (Pager Token)
3. PC connected to a WinView Application Server via Modems. (SofToken - DosGuard/WinGuard)
4. PC connected to a WinView Application Server via Modems. (HardToken - DosGuard/WinGuard)
5. PC connected directly to a WinView Application Server. (No Modems)

Connect a PC to a WinView Application Server (No Modems)

1. Connect the CDI SafeGuard box between the MultiPort board and the direct connect PC. Use a null modem cable between the PC and the Modem connector of the CDI box. Use a straight cable between the WinView Application Server Multiport board and the Host connector of the CDI box (see the CDI Secure Access Rack User Manual, section 2A). The SafeGuard passes RTS, CTS, and DSR straight through the unit with no manipulation. LEDs on the front panel of each card indicate DTR, DCD, TX, and RX from the host and modem ports.

2. WinView Application Server settings:
   A. From the Workstation Configuration Menu, configure the connection for terminal or modem type, depending on your scenario, for the MultiPort Card subsystem (e.g. DigiBoard Term1). Note the following Workstation settings:
      1. Parity - (usually None)
      2. Baud Rate - select one: 9600 - 115.2k
      3. Stop Bits - (usually 1)
      4. Data Bits - (usually 8)
      5. Connection Type - Connect on DCD
      6. Flow Control - check only:
         a. RTS input handshaking
         b. DTR/DSR enable
         c. CTS output handshaking
         All other settings are DISABLED.
      7. Press F4 to save the terminal settings.

3. Remote Link (Citrix Client) settings:
   A. From the Remote Link main menu, select AppServer List and configure a direct connect terminal with the following settings:
      1. Connection Type - ASYNC for a normal serial port (16450 or 16550) or if you are using the Hayes ESP Accelerator serial port card; INT14 if using an INT14 driver on the client side, such as a DigiBoard 2-port intelligent serial card.
      2. Emulation Mode - ICA if using a DES Token, TTY for all others.
      3. Modem Type - Direct Connect
      4. Device Name - COM1-4, depending on the port you are using
      5. Baud Rate - match the Baud Rate that you selected in the WinView Application Server settings (step 2A2).
      6. Device Parameters - usually NONE,8,1; match the Parity, Stop Bits and Data Bits set in steps 2A1, 2A3 and 2A4.
      7. Flow Control - NONE
      8. XON Character - 101
      9. XOFF Character - 103
      10. Press F4 to save the configuration and exit.

4. Set up the SafeGuard unit as per the manual by connecting a terminal or PC to the PC port of the unit. This includes:
   A. Set the current Date and Time, for accuracy in the audit trail information.
   B. Set the port up with the same baud rate as the WinView Application Server. A mismatched baud rate will cause unsuccessful logons to the SafeGuard unit and/or the WinView Application Server. DO NOT use the autobaud setting on the CDI box if you are using Tokens. It is also not recommended to use autobaud with the WinView Application Server in the Secure Call Thru mode. Make sure security is enabled for each port in this menu.
   C. Load the database with all the users' attributes through the User menu.

Connect a PC to a WinView Application Server (Modems)

1. Connect the CDI SafeGuard box between the MultiPort board and the modem. Use a straight cable between the modem and the Modem connector of the CDI box. Use a straight cable between the WinView Application Server Multiport board and the Host connector of the CDI box (see the CDI Secure Access Rack User Manual, section 2A). The SafeGuard passes RTS, CTS, and DSR straight through the unit with no manipulation. LEDs on the front panel of each card indicate DTR, DCD, TX, and RX from the host and modem ports.

2. WinView Application Server settings:
   A. From the Workstation Configuration Menu, configure the connection for terminal or modem type, depending on your scenario, for the MultiPort Card subsystem (e.g. DigiBoard Term1). Note the following Workstation settings:
      1. Parity - (usually None)
      2. Baud Rate - select one: 9600 - 115.2k
      3. Stop Bits - (usually 1)
      4. Data Bits - (usually 8)
      5. Connection Type - Connect on DCD
      6. Flow Control - check only:
         a. RTS input handshaking
         b. DTR/DSR enable
         c. CTS output handshaking
         All other settings are DISABLED.
      7. Press F4 to save the terminal settings.

3. Remote Link (Citrix Client) settings:
   A. From the Remote Link main menu, select AppServer List and configure a terminal with the following settings:
      1. Connection Type - ASYNC for a normal serial port (16450 or 16550) or if you are using the Hayes ESP Accelerator serial port card; INT14 if using an INT14 driver on the client side, such as a DigiBoard 2-port intelligent serial card.
      2. Emulation Mode - ICA if using a DES Token, TTY for all others.
      3. Modem Type - select the type of modem being used
      4. Device Name - COM1-4, depending on the port you are using
      5. Baud Rate - match the Baud Rate that you selected in the WinView Application Server settings (step 2A2).
      6. Device Parameters - usually NONE,8,1; match the Parity, Stop Bits and Data Bits set in steps 2A1, 2A3 and 2A4.
      7. Flow Control - NONE
      8. XON Character - 101
      9. XOFF Character - 103
      10. Press F4 to save the configuration and exit.

4. Set up the SafeGuard unit as per the manual by connecting a terminal or PC to the PC port of the unit. This includes:
   A. Set the current Date and Time, for accuracy in the audit trail information.
   B. Set the port up with the same baud rate as the WinView Application Server. A mismatched baud rate will cause unsuccessful logons to the SafeGuard unit and/or the WinView Application Server. DO NOT use the autobaud setting on the CDI box if you are using Tokens. It is also not recommended to use autobaud with the WinView Application Server in the Secure Call Thru mode. Make sure security is enabled for each port in this menu.
   C. Load the database with all the users' attributes through the User menu.

Operation: (using DES Token)
----------
1. Invoke the DosGuard software. Enter your ID and Password, which have previously been loaded into the SafeGuard unit. Enter the PIN number that has been assigned to your token. Select the proper COM port, and INT14 if applicable. Your authentication criteria will now be held in a TSR until you uninstall the TSR or DOS is disrupted.

2. Place the SofToken diskette in one of the drives, or plug the HardToken connector into one of the parallel ports of the PC.

3. From the Remote Link Main Menu select "Dial/Connect to server", and select the configuration you just created. Once a connection has been established, DosGuard will automatically log you onto the SafeGuard unit transparently. This is done using DES encryption along with a unique session key. DosGuard will display ACCESS GRANTED for a successful attempt. If you receive ACCESS DENIED, check your ID and PASSWORD for proper case (upper/lower) and their content. If you receive ACCESS DENIED immediately upon connection, you have typed the wrong PIN number into DosGuard. Unload DosGuard by typing DOSGUARD /U at the DOS prompt and reinvoke DosGuard with the correct parameters.

4. After the connection has been established and SafeGuard has authenticated the user between the WinView Application Server and the Client, the SafeGuard equipment acts as a passthrough and WinView functions normally.

Operation: (using Pager as a Token)
----------
1. RLINK must be in TTY mode and you should have your pager handy.

2. From the Remote Link Main Menu select "Dial/Connect to server", and select the configuration you just created. Once a connection has been established you will be prompted to enter your ID. Enter your ID followed by a carriage return. The system will respond with "Sending challenge to pager". In about 40 seconds your pager should indicate that it has received a page. This page will be an 8 digit number. Enter that number. The system should respond with "HOST CONNECTED", and RLINK should detect ICA and automatically convert to ICA.

3. After the connection has been established and SafeGuard has authenticated the user between the WinView Application Server and the Client, the SafeGuard equipment acts as a passthrough and WinView functions normally.

Operation: (using Secure Call Thru)
----------
1. RLINK must be in TTY mode.

2. From the Remote Link Main Menu select "Dial/Connect to server", and select the configuration you just created. Once a connection has been established you will be prompted to enter your ID. Enter your ID followed by a carriage return. The system will respond with "Enter Your Password>". Enter your password followed by a carriage return. The system should respond with "HOST CONNECTED", and RLINK should detect ICA and automatically convert to ICA.

3. After the connection has been established and SafeGuard has authenticated the user between the WinView Application Server and the Client, the SafeGuard equipment acts as a passthrough and WinView functions normally.

Notes:
------
1. DosGuard is the ONLY secure access software to allow the user to authenticate in native ICA mode transparently. This is very useful for quicker logons, along with no dropped logons due to failure to detect ICA from TTY.

2. Autologin features of WinView can be used if necessary; however, some Administrators may consider this to "weaken" security measures.

3. The CDI SafeGuard will support the V.34 standard for 115.2K baud. Note: If using modems, your telephone lines may not be able to support the higher speeds. If you experience random disconnections at the higher speeds, please refer to the Readme in your Remote Link directory or the system Readme on the host entitled "Configuring Modems with the Application Server".

Problems:
---------
There are no known problems at this time.

Vendor support:
---------------
CDI provides a technical support hotline from 8:00 AM till 5:00 PM EST, Monday through Friday, at 800-359-8561.
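The DES token logon described under "Operation: (using DES Token)", modelled as an added example in Go (not CDI's or Citrix's code, and not CDI's documented wire protocol, which this note does not describe): the gate issues a fresh challenge for each session, the token returns the challenge encrypted under the user's DES key, and the gate verifies the response and records ACCESS GRANTED or ACCESS DENIED as the audit trail would. The Gate type, TokenResponse, the audit line format and the sample key are assumptions.

```go
// Added example (not CDI or Citrix code) modelling the DES challenge/response
// logon the note describes; CDI's real protocol is not in the note, names are assumed.
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

type Gate struct { // models the SafeGuard unit between the modem and host ports
	Keys  map[string][]byte // user ID -> 8-byte DES key, as TokenMaster loads it
	Audit []string          // audit trail, one line per logon attempt
}

// Challenge is fresh per session, so a captured response cannot be replayed.
func (g *Gate) Challenge() []byte {
	c := make([]byte, des.BlockSize)
	rand.Read(c) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return c
}

// TokenResponse is the token side: one DES block encryption of the challenge.
func TokenResponse(key, challenge []byte) []byte {
	blk, err := des.NewCipher(key) // rejects any key that is not 8 bytes
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	blk.Encrypt(out, challenge)
	return out
}

// Verify recomputes the expected response for the claimed ID, compares in constant time, logs the outcome.
func (g *Gate) Verify(id string, challenge, response []byte) bool {
	if key, ok := g.Keys[id]; ok &&
		subtle.ConstantTimeCompare(TokenResponse(key, challenge), response) == 1 {
		g.Audit = append(g.Audit, "ACCESS GRANTED "+id)
		return true
	}
	g.Audit = append(g.Audit, "ACCESS DENIED "+id)
	return false
}

func main() {
	g := &Gate{Keys: map[string][]byte{"alice": []byte("8bytekey")}} // constructed key
	c := g.Challenge()
	fmt.Println(g.Verify("alice", c, TokenResponse(g.Keys["alice"], c)), g.Audit)
}
```

Single DES with its 56-bit key was the standard in 1994; a current design would use a modern block cipher or an HMAC for the response, but the challenge/response shape and the per-session freshness are the same.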