Citrix WinView Application Note

Digital Pathways, Inc. Defender Series Hardware Security Solution
Defender 5000

This application note is for informational use only and Citrix makes no representations or warranties with respect to the contents or use of this document or of any third-party products discussed within.

(November 16, 1994)

Citrix Systems
210 University Drive
Suite 700
Coral Springs, FL 33071
Phone (305) 755-0559
FAX (305) 341-6880

Overview:
---------
This application note facilitates the configuration of the Digital Pathways Defender 5000 system with Citrix "WinView for Networks" Application Server Software. The Digital Pathways Defender 5000 system is a hardware security device that protects computer resources from access by unauthorized users. The system comprises:

1. A Digital Pathways Defender 5000 Chassis with the following options:
   A. An FPU (Flexible Processing Unit), which contains communication ports for supervisory use and controls the Defender 5000 Chassis.
   B. One or more FSB/HSB (Flexible Serial Board/High-speed Serial Board) cards, which contain the communication ports. These ports have modems attached, or are directly connected to the clients; through them the Defender 5000 intercepts incoming calls and executes the programmed security measures.

2. Optional Software/Hardware DES (Data Encryption Standard) Token Encryption:
   A. WinSNK/DOSSNK - software-based SecureNet Key.
   B. Hardware SNK - handheld, calculator-size hardware SecureNet Key.

The Defender 5000 is a unique system that recognizes, prevents, and records all unauthorized attempts at entry to a WinView Application Server, while access for valid users remains quick and easy. It is easily upgradable, totally configurable, and has a built-in scripting language, Lingo, which allows further customizations such as user menus for host access. Modems can be assigned different functions, such as callback request, callback, dial-in, and dial-out.
Disclaimer:
-----------
The scenarios described in this document have been tested by Citrix Systems. Other variations of the scenarios described in this document may work; however, they have not specifically been tested by Citrix. In order to recreate the configurations, you should use the specified revision levels of all software products described in this document and stay within the bounds of the features and functions described in this document.

Please note that this application note is a living document and will be modified as new information and versions of the software described herein become available. Make sure you have the latest version of this document before you begin. The latest version is always available in the Citrix Forum on CompuServe.

Requirements:
-------------
1. Citrix WinView for Networks Version 2.21 or higher
2. Digital Pathways Equipment
   A. Defender 5000 Chassis
   B. FPU (Flexible Processing Unit) Defender Chassis CPU
   C. One or more of the following serial cards:
      1. FSB (Flexible Serial Board) for speeds up to 19,200bps
      2. HSB (High-speed Serial Board) for speeds up to 230,400bps

Setup:
------
Install WinView as per the WinView Installation Manual. Connect terminals and remote PCs as per the WinView Administration Manual, without the Defender product, to confirm working configurations.

Note: For asynchronous connectivity (modems or direct connect), it is recommended that the WinView Application Server be equipped with an intelligent multiport board such as a DigiBoard X/em series unit.

Two connectivity scenarios utilizing the Defender equipment are described below. For either scenario, install and configure the Defender 5000 as per the instruction manual. Section 4 covers hardware/software installation. After configuring the Defender, read section 3 of the manual, which explains all security modes available.

1. PC direct-connect to a WinView Application Server through Defender (No Modems).
2. PC connected to a WinView Application Server through Defender via Modems.

PC direct-connect to a WinView Application Server (No Modems)

1. Connect the Defender between the MultiPort board and the direct-connect PC.
   A. Connect a terminal or PC to a console port on the FPU as per Digital Pathways Operations Manual page 4-4.
   B. Initialize FPU memory (full reset) as per Digital Pathways Operations Manual page 4-4.
   C. Select a host-modem port on a Defender FSB/HSB board.
   D. Use a null modem cable between the PC and the modem connector of the selected host-modem port.
   E. Use a modem cable between the WinView Application Server Multiport board and the host connector of the selected host-modem port, as per Digital Pathways Operations Manual section 11.
   F. Login as a supervisor on the console, and configure Defender modems, hosts, users, and security as per section 4 of the Operations Manual.

2. WinView Application Server settings:
   A. From the Workstation Configuration Menu configure a direct connect terminal for the MultiPort Card subsystem (Ex. DigiBoard Term1). Note the following Workstation settings:
      1. Parity - (usually None)
      2. Baud Rate - 9600 - 19,200bps for FSB, 9600 - 115,200bps for HSB
      3. Stop Bits - (usually 1)
      4. Data Bits - (usually 8)
      5. Connection Type - Connect on DCD
      6. Flow Control - check only:
         a. RTS input handshaking
         b. DTR/DSR enable
         c. CTS output handshaking
         All other settings are DISABLED.
      7. F4 to save terminal settings.

3. Remote Link (Citrix Client) Settings
   A. From the Remote Link main menu, select AppServer List and configure a direct connect terminal with the following settings:
      1. Connection Type - ASYNC for a normal serial port (16450 or 16550) or if you are using the Hayes ESP Accelerator serial port card; INT14 if using an INT14 driver on the client side, such as a DigiBoard 2-port intelligent serial card.
      2. Emulation Mode - TTY
      3. Modem Type - Direct Connect
      4. Device Name - COM1-4, depending on the port you are using
      5. Baud Rate - Match the Baud Rate that you selected in step 2A2.
      6. Device Parameters - usually NONE,8,1 - match as per steps 2A1, 2A3, 2A4
      7. Flow Control - RTS/CTS
      8. XON Character - 101
      9. XOFF Character - 103
      10. Press F4 to save the configuration and exit.

4. A. From the Remote Link Main Menu select "Dial/Connect to server", and select the configuration you just created. You should receive a "Connecting" at the top left of the screen. Press return and you should receive a message from Defender, and a request for ID. Use an ID/Password combination that you created in step 1F. After a short delay, and Rlink/WinView ICA negotiation, WinView login should commence.
   B. If this has worked, you can go back and configure other ports for your users as required.

Connect a PC to a WinView Application Server (Modems)

1. Connect the Defender between the MultiPort board and the direct connect PC.
   A. Connect a terminal or PC to a console port on the FPU as per Digital Pathways Operations Manual page 4-4.
   B. Initialize FPU memory (full reset) as per Digital Pathways Operations Manual page 4-4.
   C. Select a host-modem port on a Defender FSB/HSB board.
   D. Use a modem cable between the modem and the modem connector of the selected host-modem port.
   E. Login as a supervisor on the console, and configure Defender modems, hosts, users, and security as per section 4 of the Operations Manual.
   F. Use a modem cable between the WinView Application Server Multiport board and the host connector of the selected host-modem port, as per Digital Pathways Operations Manual section 11.

2. WinView Application Server settings:
   A. From the Workstation Configuration Menu configure a direct connect terminal for the MultiPort Card subsystem (Ex. DigiBoard Term1). Note the following Workstation settings:
      1. Parity - (usually None)
      2. Baud Rate - 9600 - 19,200bps for FSB, 9600 - 115,200bps for HSB
      3. Stop Bits - (usually 1)
      4. Data Bits - (usually 8)
      5. Connection Type - Connect on DCD
      6. Flow Control - check only:
         a. RTS input handshaking
         b. DTR/DSR enable
         c. CTS output handshaking
         All other settings are DISABLED.
      7. F4 to save terminal settings.

3. Remote Link (Citrix Client) Settings
   A. From the Remote Link main menu, select AppServer List and configure a client modem connection with the following settings:
      1. Connection Type - ASYNC for a normal serial port (16450 or 16550) or if you are using the Hayes ESP Accelerator serial port card; INT14 if using an INT14 driver on the client side, such as a DigiBoard 2-port intelligent serial card.
      2. Emulation Mode - TTY
      3. Modem Type - Choose from the menu
      4. Device Name - COM1-4, depending on the port you are using
      5. Baud Rate - Match the Baud Rate that you selected in step 1A2.
      6. Device Parameters - usually NONE,8,1 - match as per steps 1A1, 1A3, 1A4
      7. Flow Control - RTS/CTS
      8. XON Character - 101
      9. XOFF Character - 103
      10. Press F4 to save the configuration.

4. A. From the Remote Link Main Menu select "Dial/Connect to server", and select the configuration you just created. The client modem should dial, negotiate with the host modem, and display a "Connecting" at the top left of the screen. Press return, and you should receive a message from Defender, and a request for ID. Use an ID/Password combination created in step 1E. After a short delay, and Rlink/WinView ICA negotiation, WinView login will begin.
   B. If this has worked, you can go back and configure other ports for your users as required.

Operation:
----------
1. When a connection has been made, whether direct-connect or modems have dialed and established a connection, the user presses return and is prompted for an ID. After the correct ID/Password combination has been presented, Defender authenticates the user. If this is successful, the user is "kicked" to the Host and logs in to the WinView Application Server. At this point the Defender equipment acts as a passthrough and WinView functions normally.
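Both setup procedures above require the Remote Link entry to match the host's Workstation settings (baud rate, parity, data bits, stop bits) and pin the host's flow control to exactly three handshaking options, with the usable baud range bounded by the serial board and the WinView maximum. The following Python script is an added example, not Citrix or Digital Pathways code: it encodes those settings from steps 2A and 3A and the board speeds from the Requirements section, and lists every disagreement between a host port entry and a client entry. The dataclass field names, the message texts and the constructed sample entries are this example's own.

```python
"""Checks that the WinView host port and the Remote Link client entry on either side of a
Defender 5000 host-modem port agree with each other and with the serial board's limits.
Added illustration for this note; the record layout below is an assumption."""
from dataclasses import dataclass
from typing import List, Set

# Stated limits from the application note, in bps.
BOARD_MAX_BPS = {"FSB": 19_200, "HSB": 230_400}
WINVIEW_MAX_BPS = 115_200   # maximum supported speed for a WinView Application Server
MIN_BPS = 9_600             # lower end of the ranges given in step 2A2
VALID_DEVICES = {"COM1", "COM2", "COM3", "COM4"}

# Step 2A6: only these three flow-control settings may be checked on the host port.
REQUIRED_HOST_FLOW: Set[str] = {"RTS input handshaking", "DTR/DSR enable",
                                "CTS output handshaking"}

@dataclass
class HostPort:
    """A WinView Workstation Configuration entry (step 2A)."""
    parity: str             # "None", "Even" or "Odd"
    baud: int
    stop_bits: int
    data_bits: int
    connection_type: str    # expected: "Connect on DCD"
    flow_control: Set[str]  # the flow-control boxes that are checked

@dataclass
class ClientEntry:
    """A Remote Link AppServer List entry (step 3A)."""
    connection_type: str    # "ASYNC" or "INT14"
    emulation: str          # expected: "TTY"
    device_name: str        # "COM1".."COM4"
    baud: int
    device_params: str      # e.g. "NONE,8,1" = parity,data bits,stop bits
    flow_control: str       # expected: "RTS/CTS"

def board_limit(board: str) -> int:
    """Highest usable rate on this board when the host is a WinView server."""
    return min(BOARD_MAX_BPS[board], WINVIEW_MAX_BPS)

def parse_device_params(params: str):
    """Split a Remote Link Device Parameters string such as 'NONE,8,1'."""
    parity, data_bits, stop_bits = (p.strip() for p in params.split(","))
    return parity.upper(), int(data_bits), int(stop_bits)

def check_link(host: HostPort, client: ClientEntry, board: str) -> List[str]:
    """Return a list of mismatches; an empty list means both ends agree with the note."""
    problems = []
    limit = board_limit(board)
    if not MIN_BPS <= host.baud <= limit:
        problems.append(f"host baud {host.baud} is outside {MIN_BPS}-{limit} for the {board}")
    if client.baud != host.baud:
        problems.append(f"client baud {client.baud} does not match host baud {host.baud}")
    parity, data_bits, stop_bits = parse_device_params(client.device_params)
    if parity != host.parity.upper():
        problems.append(f"parity: client {parity}, host {host.parity.upper()}")
    if data_bits != host.data_bits:
        problems.append(f"data bits: client {data_bits}, host {host.data_bits}")
    if stop_bits != host.stop_bits:
        problems.append(f"stop bits: client {stop_bits}, host {host.stop_bits}")
    if host.connection_type != "Connect on DCD":
        problems.append("host connection type must be 'Connect on DCD'")
    if host.flow_control != REQUIRED_HOST_FLOW:
        extra = sorted(host.flow_control - REQUIRED_HOST_FLOW)
        missing = sorted(REQUIRED_HOST_FLOW - host.flow_control)
        problems.append(f"host flow control: extra {extra}, missing {missing}")
    if client.flow_control != "RTS/CTS":
        problems.append("client flow control must be RTS/CTS")
    if client.connection_type not in ("ASYNC", "INT14"):
        problems.append("client connection type must be ASYNC or INT14")
    if client.emulation != "TTY":
        problems.append("client emulation mode must be TTY")
    if client.device_name not in VALID_DEVICES:
        problems.append("client device name must be COM1-COM4")
    return problems

if __name__ == "__main__":
    # Constructed sample: an FSB port at 19,200bps with a matching direct-connect client.
    host = HostPort("None", 19_200, 1, 8, "Connect on DCD", set(REQUIRED_HOST_FLOW))
    client = ClientEntry("ASYNC", "TTY", "COM2", 19_200, "NONE,8,1", "RTS/CTS")
    print(check_link(host, client, "FSB") or "both ends agree")
```

Running it with the sample entries prints "both ends agree"; raising both ends to 57,600bps on an FSB flags the host baud as outside the board's range while the same pair on an HSB passes, which is the distinction Note 3 makes about FSB and HSB speeds.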
Optional Security Enhancements
------------------------------
This section covers the usage of the optional WinSNK/DOSSNK encrypted token software from Digital Pathways, Inc., and usage of the callback feature of the Defender 5000.

1. Soft Tokens

Soft tokens are alphanumeric sequences created by scrambling a number or word using a predefined encryption key. In the Defender 5000 system, the encryption key is entered within each user record, and also when the WinSNK/DOSSNK diskettes are prepared. Soft tokens are a security enhancement and thus provide a stronger method of protection than ID/Password combinations alone. This section covers the setup and usage of soft tokens, the Defender 5000, and the WinView Application Server.

Usage of Digital Pathways, Inc.'s SNK programs is supported only with Rlink (modem dial-in). Direct connect is NOT supported, because the SNK hot-key program monitors the COM port and will only function when it senses a connection.

   A. Connect a PC to a WinView Application Server (Modems)
      1. Setup
         A. Set up the Defender 5000 and WinView Application Server as per the instructions above for Modems. No special changes are needed or required.
         B. Set up the WinSNK diskettes as per the SNK manual for all users who will use SNK. Note the PIN, User ID, Password, and encryption key, as they will be needed in the next step.
         C. Set up the User IDs for which the SNK diskettes were created in step B.
         D. Set up additional Defender 5000 information as per the Digital Pathways Operations Manual. The sections that must be changed are security classes and user records.
         E. Set up the WinSNK software on the client PCs.
      2. Usage
         A. Usage of Rlink with SNKs is almost exactly as it would be without it, except that when a connection is made, the 'hot-key' is pressed, and the SNK program takes over and automates the login to the Defender 5000.

2. Callback system

The Defender 5000's callback system is a second option for enhancing the security of a dial-in system. It allows the configuration of one modem for receiving callback requests and another modem for the actual callback. The number at which the user is called back is preset in that user's User ID record. Callback is supported only under Rlink (modems).

   1. Setup
      A. Set up the Defender 5000 and the WinView Application Server as per the instructions above for Modem usage.
      B. Configure security classes and User IDs to allow callback as per the Digital Pathways Operations Manual section 3. Make sure the User ID has access to the host that the CB program will run on, and that the phone number the user is to be called back at is entered.
      C. Configure a modem port to run the RQ (Callback Request) program. This is done under [S]tatus, [B]ox, [P]rogram, and is covered in section 3 of the Operations Manual.
      D. Configure a modem port to run the CB (Callback) program. This is also covered in section 3 of the Operations Manual. When selecting [M]odem type, edit the record for the modem you chose/created, and blank out the option for [C]onnected, so that the Defender 5000 detects carrier from the signal lines and not from the modem result codes. Enable autobaud by changing option [9] Read Baud From Connect: to 'OFF'.
      E. Callback SNK can be enabled under the security class assigned to the callback users you wish to have SNKs. This is entered under [C]lass, [S]ecurity. This tells the Defender 5000 to give a 4-digit token to the user when it has approved Callback, and to request the same number upon successful modem connection on callback.
      F. Within Rlink, after you have selected the correct modem, modify the initialization string to include 'S0=1' (without the quotes) to tell the modem to answer on the first ring.
   2. Usage
      A. Create an entry for the Callback Request port modem, and dial it.
      B. After connection, and entering the UserID/Password combination, the Defender 5000 will give the token, if enabled, and then hang up and call back through one of the Callback ports.
      C. When the Defender 5000 calls back, the modem should answer automatically. If tokens are not used, pressing return once or twice will connect the user to the WinView Application Server. If tokens are enabled, press return once or twice, and the Defender 5000 will request the token; if it is correct, the user will be passed on to the WinView Application Server.

Notes:
------
1. Callback and Soft Tokens are not supported with a Direct-Connect system.
2. Autologin features of WinView can be used if necessary; however, some Administrators may consider this to "weaken" security measures.
3. At this time the Defender 5000 hardware products support baud rates up to 19,200bps with the FSB and 230,400bps with the HSB, while today's modems, in conjunction with WinView compression and the proper hardware on both the Host and the client, can be configured for baud rates up to 115,200. For use with WinView Application Servers, 115,200 is the maximum supported speed.

   For example, without the Defender 5000, the Host (WinView Application Server) would be equipped with an intelligent multiport card such as a DigiBoard X/em series board, which supports baud rates up to 115,200. Client PCs equipped with the proper serial port card, such as an intelligent serial card (a DigiBoard 2-port) or a large-buffer board like the Hayes ESP Accelerator card, can be configured to support baud rates as high as 115,200. Due to modem hardware compression and WinView's software compression, modems are configured at roughly four times their stated baud rate; for example, 14,400 modems are configured at 57,600 and 28,800 modems are configured at 115,200.

   Note: If using modems, your telephone lines may not be able to support the higher speeds. If you experience random disconnections at the higher speeds, please refer to the Readme in your Remote Link directory or the System readme on the host entitled "Configuring Modems with the Application Server".

Problems:
---------
There are no known problems at this time.
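The Callback system section above describes a sequence with a fixed order: the RQ port authenticates the caller and hands out a 4-digit Callback SNK token, the line is dropped, the CB port dials the number stored in the user record, and the token is demanded on the new connection before the user is passed to the host. The Python model below is an added example written for this note, not Digital Pathways firmware or a Lingo script; it exercises that order so the two properties worth verifying in a deployment are visible in code: the callback number comes only from the supervisor-entered record, and a wrong token on the callback ends in a hang-up. The record layout, method names and the single-use handling of the token are this example's assumptions, and the user records are constructed.

```python
"""Model of the Defender 5000 callback-with-token sequence (RQ port, hang-up, CB port).
Added illustration for this note; not the device's own code.  The one-shot token and
the in-memory record layout are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class UserRecord:
    password: str
    callback_number: str    # preset by the supervisor (setup step 1B); never taken from the caller
    host: str               # host the CB program runs on (setup step 1B)
    callback_snk: bool      # Callback SNK enabled in the user's security class (setup step 1E)

class Defender:
    def __init__(self, users: Dict[str, UserRecord]):
        self.users = users
        self.pending: Dict[str, Optional[str]] = {}   # user -> token awaiting the callback
        self.log: List[Tuple[str, str, str]] = []

    def rq_port(self, user_id: str, password: str) -> Tuple[str, Optional[str]]:
        """RQ (Callback Request) program: check ID/password, issue the token, hang up."""
        rec = self.users.get(user_id)
        if rec is None or rec.password != password:
            self.log.append(("RQ", user_id, "rejected"))
            return "hangup", None
        token = f"{secrets.randbelow(10_000):04d}" if rec.callback_snk else None
        self.pending[user_id] = token
        self.log.append(("RQ", user_id, "approved, hanging up"))
        return "hangup_then_callback", token

    def cb_port_dial(self, user_id: str) -> str:
        """CB (Callback) program: dial the stored number, not anything the caller typed."""
        number = self.users[user_id].callback_number
        self.log.append(("CB", user_id, f"dialing {number}"))
        return number

    def cb_port_connected(self, user_id: str, presented: Optional[str]) -> str:
        """Carrier is up on the callback: demand the token (if enabled), then pass through."""
        if user_id not in self.pending:
            return "hangup"
        expected = self.pending.pop(user_id)       # assumption: the token is one-shot
        if expected is not None and presented != expected:
            self.log.append(("CB", user_id, "token mismatch"))
            return "hangup"
        self.log.append(("CB", user_id, "passed to host"))
        return f"passthrough:{self.users[user_id].host}"

def run_session(defender: Defender, user_id: str, password: str,
                override_token: Optional[str] = None) -> str:
    """Client side of the exchange: dial RQ, authenticate, let the modem auto-answer the
    callback (S0=1), then type the token noted from the RQ call.  override_token lets a
    test present a wrong value to see the mismatch path."""
    action, token = defender.rq_port(user_id, password)
    if action == "hangup":
        return "hangup"
    defender.cb_port_dial(user_id)
    presented = override_token if override_token is not None else token
    return defender.cb_port_connected(user_id, presented)

def sample_users() -> Dict[str, UserRecord]:
    """Constructed records for the demonstration."""
    return {"alice": UserRecord("s3cret", "555-0100", "winview1", callback_snk=True),
            "bob":   UserRecord("hunter2", "555-0101", "winview1", callback_snk=False)}

if __name__ == "__main__":
    d = Defender(sample_users())
    print(run_session(d, "alice", "s3cret"))   # passthrough:winview1
    print(run_session(d, "alice", "wrong"))    # hangup
    for entry in d.log:
        print(entry)
```

The log the model keeps mirrors what an administrator would want from the device's own records when checking the setup: every RQ decision, the number the CB port dialled, and whether the token matched, with no path in which a caller-supplied number is dialled.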