Citrix WinView Application Note

Security Dynamics Access Control Module (ACM) Hardware Security Solution
ACM/1600, ACM/400, ACM/100

This application note is for informational use only and Citrix makes no representations or warranties with respect to the contents or use of this document or of any third-party products discussed within.

(April 4, 1995)

Citrix Systems
210 University Drive, Suite 700
Coral Springs, FL 33071
Phone (305) 755-0559
FAX (305) 341-6880

Overview:
---------
This application note describes how to configure the Security Dynamics Access Control system with Citrix "WinView for Networks" Application Server software.

The Security Dynamics Access Control system is a hardware security device that protects computer resources from access by unauthorized users. The system comprises two major elements:

1. The Access Control Module (hardware): the ACM/1600 (16 port), ACM/400 (4 port) or ACM/100 (1 port), a communications controller that sits in the serial path and connects or disconnects the input/output lines to the protected host computer.

2. The SecurID card(s): credit-card-sized microprocessor units that calculate and display codes which change unpredictably at a specified interval, typically every 60 seconds.

Together the SecurID card and the ACM form a system that recognizes, prevents, and records unauthorized attempts to reach a WinView Application Server, while access for valid users remains quick and easy. Because the ACM sits in front of the server's serial port, the server port is not connected to the caller until the ACM has authenticated that caller.

Disclaimer:
-----------
The scenarios described in this document have been tested by Citrix Systems. Other variations of the scenarios described in this document may work; however, they have not specifically been tested by Citrix. To recreate the configurations, use the specified revision levels of all software products described in this document and stay within the bounds of the features and functions described here.
Please note that this application note is a living document and will be modified as new information and versions of the software described herein become available. Make sure you have the latest version of this document before you begin. The latest version is always available in the Citrix Forum on Compuserve.

PLEASE FOLLOW THE SETUP INFORMATION INCLUDED IN THIS APPLICATION NOTE WHEN CONFIGURING THE WINVIEW APPLICATION SERVER WITH THE SECURITY DYNAMICS ACM SYSTEM.

Requirements:
-------------
1. Citrix WinView for Networks Version 2.21 or higher.

2. Security Dynamics equipment:
   A. One of the following ACMs:
      1. ACM/1600 hardware running software version 4.12A or later.
      2. ACM/400 hardware running software version 1.12A or later.
      3. ACM/100 hardware running software version 1.12A or later.
   B. Credit-card-sized SecurID cards.
      NOTE: One of them must be an Administrator level card; it is needed to configure the ACM.

Setup:
------
Install WinView as per the WinView Installation Manual. Connect terminals and remote PCs as per the WinView Administration Manual, without the SecurID product, to confirm that the configurations work before the ACM is inserted in the path. That way any later failure can be attributed to the ACM settings or cabling rather than to WinView.

Note: For asynchronous connectivity, whether modems or direct connect, it is recommended that the WinView Application Server be equipped with an intelligent multiport board such as a DigiBoard X/em series unit.

Two connectivity scenarios using the SecurID equipment are described:

1. PC direct-connected to a WinView Application Server (no modems).
2. PC connected to a WinView Application Server via modems.

Scenario 1: PC direct-connected to a WinView Application Server (no modems)
---------------------------------------------------------------------------
1. Connect the ACM between the multiport board and the direct-connect PC, as per the Security Dynamics ACM Instruction Manual pages I-3, I-4 and I-5. Use a modem (straight-through) cable between the WinView Application Server multiport board and the DCE connector of the ACM. Use a null modem cable between the PC and the DTE connector of the ACM, since both ends of that link are DTE devices. This is the cable assignment summarized in the Troubleshooting Tips at the end of this note.

2. WinView Application Server settings:
   A. From the Workstation Configuration Menu, configure a direct-connect terminal for the multiport card subsystem (e.g. DigiBoard Term1). Note the following workstation settings:
      1. Parity: usually None.
      2. Baud rate, select one: 38.4k, 19.2k or 9600.
      3. Stop bits: usually 1.
      4. Data bits: usually 8.
      5. Connection type: Connect on DCD.
      6. Flow control, check only:
         a. RTS input handshaking
         b. DTR/DSR enable
         c. CTS output handshaking
         All other settings are DISABLED.
      7. Press F4 to save the terminal settings.

3. Remote Link (Citrix client) settings:
   A. From the Remote Link main menu, select AppServer List and configure a direct-connect entry with the following settings:
      1. Connection type: ASYNC for a normal serial port (16450 or 16550) or for the Hayes ESP Accelerator serial port card; INT14 if using an INT14 driver on the client side, such as a DigiBoard 2-port intelligent serial card.
      2. Emulation mode: TTY.
      3. Modem type: Direct Connect.
      4. Device name: COM1 to COM4, depending on the port you are using.
      5. Baud rate: match the baud rate selected in step 2A2.
      6. Device parameters: usually NONE,8,1; match steps 2A1, 2A3 and 2A4.
      7. Flow control: RTS/CTS.
      8. XON character: 101.
      9. XOFF character: 103.
      10. Press F4 to save the configuration and exit.

4. From the Remote Link main menu select "Dial/Connect to server" and select the configuration you just created. You should see "Connecting" at the top left of the screen. Press Return and you should see "Enter PASSCODE:" at the bottom left of the screen. This prompt comes from the ACM, not from WinView; the host port is not reached until the ACM accepts the passcode. If you are logging in for the first time, follow the instructions in the ACM Instruction Manual for obtaining a PIN and logging in, starting at page User-5.
   NOTE: Use an Administrator level SecurID card so you have the authorization needed to configure the ACM.

5. After you have obtained a PIN and logged in to the ACM with administrator privileges, the ACM Main ADMINISTRATION Menu should be displayed on your screen.
   A. Select 12, Channel Status, and configure your channel as follows:
      1. Baud rate: match the selections in steps 2 and 3. Note: Auto can be used for 19.2k or 9600; 38.4k must be stated explicitly, because the ACM autobauds only between 300 and 19,200.
      2. Data and parity bits: match the selections in steps 2 and 3.
      3. Protocol: (d-d) DCD at modem and DCD at host.
      4. Host Command Mode: N.
      5. Dialout: N.
      6. Select option 1 to return to the Main Administration Menu.
   B. Select option 2, "Proceed to Host". You should now see the WinView Application Server prompt "YOUR_HOSTNAME!Login" at the top left of the screen. If you have configured a username on the WinView Application Server, you should be able to log in and access the server at this time.
   C. Once this works, go back and configure the other ports for your users as required.

Scenario 2: PC connected to a WinView Application Server via modems
-------------------------------------------------------------------
1. Connect the ACM between the multiport board and the host modem of the WinView Application Server, as per the Security Dynamics ACM Instruction Manual pages I-3, I-4 and I-5. Use a modem cable between the WinView Application Server multiport board and the DCE connector of the ACM. Use a modem cable between the host modem and the DTE connector of the ACM.

2. WinView Application Server settings:
   A. From the Workstation Configuration Menu, configure a direct-connect terminal for the multiport card subsystem (e.g. DigiBoard Term1) with exactly the settings given in scenario 1, step 2A (parity, baud rate, stop bits, data bits, Connect on DCD, and only RTS input / DTR/DSR / CTS output flow control enabled). The host port still faces the ACM, not the modem, so it remains a direct-connect device. Press F4 to save.

3. Remote Link (Citrix client) settings:
   A. From the Remote Link main menu, select AppServer List and configure a client modem connection with the following settings:
      1. Connection type: ASYNC for a normal serial port (16450 or 16550) or for the Hayes ESP Accelerator serial port card; INT14 if using an INT14 driver on the client side, such as a DigiBoard 2-port intelligent serial card.
      2. Emulation mode: TTY.
      3. Modem type: choose your modem from the menu.
      4. Device name: COM1 to COM4, depending on the port you are using.
      5. Baud rate: match the baud rate selected in step 2A2.
      6. Device parameters: usually NONE,8,1; match steps 2A1, 2A3 and 2A4.
      7. Flow control: RTS/CTS.
      8. XON character: 101.
      9. XOFF character: 103.
      10. Press F4 to save the configuration.

4. From the Remote Link main menu select "Dial/Connect to server" and select the configuration you just created. The client modem should dial, negotiate with the host modem and display "Connecting" at the top left of the screen. Press Return and you should see "Enter PASSCODE:" at the bottom left of the screen. If you are logging in for the first time, follow the instructions in the ACM Instruction Manual for obtaining a PIN and logging in, starting at page User-5.
   NOTE: Use an Administrator level SecurID card so you have the authorization needed to configure the ACM.

5. After you have obtained a PIN and logged in to the ACM with administrator privileges, the ACM Main ADMINISTRATION Menu should be displayed on your screen.
   A. Select 12, Channel Status, and configure the channel exactly as in scenario 1, step 5A: baud rate matching steps 2 and 3 (Auto for 19.2k or 9600, 38.4k stated explicitly), data and parity bits matching steps 2 and 3, protocol (d-d), Host Command Mode N, Dialout N; then select option 1 to return to the Main Administration Menu.
   B. Select option 2, "Proceed to Host". You should now see the WinView Application Server prompt "YOUR_HOSTNAME!Login" at the top left of the screen. If you have configured a username on the WinView Application Server, you should be able to log in and access the server.
   C. Once this works, go back and configure the other ports for your users as required.

Operation:
----------
1. When a connection has been made, whether direct connect or via modems (modems have dialed and established a connection), the user presses Return and is prompted for a PASSCODE. The passcode is the user's PIN followed by the code currently displayed on the SecurID card, so it is something the user knows combined with something the user has, and it is only valid for the current code interval. If SecurID authenticates the user, the user is allowed to "Proceed to Host" and log in to the WinView Application Server. From that point on the SecurID equipment acts as a passthrough and WinView functions normally.

Notes:
------
1. The autologin features of WinView can be used if necessary; however, some administrators may consider this to weaken security, because it removes the server's own username/password check and leaves the SecurID passcode as the only credential on the path.

2. If possible, reserve one port and configure it for administrator use only. This makes ACM configuration changes for users easier, and keeps the administrator card from being needed on user channels.

3. At this time the Security Dynamics ACM hardware products support baud rates only up to 38,400, while today's modems, in conjunction with WinView compression and the proper hardware on both the host and the client, can be configured for baud rates up to 115,200.
   NOTE: Although 38,400 baud is available, the ACM will only autobaud (automatically detect the connection baud rate) from 300 to 19,200 baud. If using 38,400 baud, care must be taken to configure all connections (workstation entry, Remote Link entry and ACM channel) explicitly at 38,400 baud.
   For example, without Security Dynamics, the host (WinView Application Server) would be equipped with an intelligent multiport card such as a DigiBoard X/em series board, which supports baud rates up to 115,200. Client PCs equipped with the proper serial port card, such as an intelligent serial card (a DigiBoard 2-port) or a large-buffer board like the Hayes ESP Accelerator card, can be configured to support baud rates as high as 115,200. Because of modem hardware compression and WinView's software compression, the serial port speed is normally set to roughly four times the modem's stated speed: for example, 14,400 modems are configured at 57,600 and 28,800 modems at 115,200. With the ACM in the path, the serial speed on that channel is capped at 38,400 regardless of the modem.
   Note: If using modems, your telephone lines may not be able to support the higher speeds. If you experience random disconnections at the higher speeds, refer to the Readme in your Remote Link directory or the system readme on the host entitled "Configuring Modems with the Application Server".

4. Make note of the proper cables that must be used for host-to-ACM, ACM-to-workstation and ACM-to-modem. The proper cable must be used for the configurations to function correctly.

Troubleshooting Tips:
---------------------
1. Verify that the proper cables are being used: host-to-ACM (modem cable), ACM-to-workstation for direct connect (null modem cable), and ACM-to-modem (modem cable). The proper cable must be used for the configurations to function correctly. Also be aware that certain ACMs require adapters on the ACM for the host and modem connections (call Security Dynamics technical support).

2. When creating workstation terminal devices on the Application Server, verify that they were created as "Direct Connect" devices and not modem devices. If the device shows a modem name, then it is not a direct connect. The host port is driven by the ACM raising DCD after a successful passcode, which is why the entry must be a direct-connect device set to Connect on DCD; a modem-type entry would try to talk to a modem that is not on that port.
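The settings above must agree across three places that are configured on three different screens (the WinView workstation entry, the Remote Link entry on the client, and the ACM channel), and the cable and speed rules in the Notes and Troubleshooting Tips are easy to violate silently. The following script is an added example, not Citrix or Security Dynamics code: it encodes those rules from this note as a consistency check, so that a planned port configuration can be reviewed before anyone is sent to the wiring closet. The class and field names, the cable labels and the two sample configurations are constructed for illustration.

```python
"""Consistency check for a WinView / Security Dynamics ACM serial path.

Added example, not Citrix or Security Dynamics code. Rules encoded from the
application note: workstation, Remote Link and ACM channel must agree on
speed and framing; the ACM caps at 38,400 and autobauds only 300-19,200;
the ACM channel must be d-d / Host Command Mode N / Dialout N; the host
port is a DCD-driven direct-connect device; host-to-ACM uses a modem cable,
the ACM DTE connector takes a null modem cable to a PC or a modem cable to
a modem. All names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

ACM_MAX_BAUD = 38400
ACM_AUTOBAUD_RANGE = (300, 19200)
REQUIRED_WS_FLOW = frozenset({"RTS input", "DTR/DSR", "CTS output"})


@dataclass(frozen=True)
class SerialParams:
    baud: int
    data_bits: int = 8
    parity: str = "N"
    stop_bits: int = 1


@dataclass
class WinViewWorkstation:          # Workstation Configuration entry on the server
    serial: SerialParams
    connect_on_dcd: bool = True
    modem_name: Optional[str] = None         # None == created as Direct Connect
    flow_control: frozenset = REQUIRED_WS_FLOW


@dataclass
class RemoteLinkClient:            # AppServer List entry in Remote Link
    serial: SerialParams
    flow_control: str = "RTS/CTS"
    modem_type: str = "Direct Connect"


@dataclass
class AcmChannel:                  # ACM option 12, Channel Status
    baud: Optional[int]                      # None == Auto
    data_bits: int = 8
    parity: str = "N"
    protocol: str = "d-d"
    host_command_mode: str = "N"
    dialout: str = "N"


@dataclass
class Cabling:
    scenario: str           # "direct" (PC on the ACM) or "modem"
    host_to_acm: str        # host multiport board -> ACM DCE connector
    acm_to_far_end: str     # ACM DTE connector -> PC, or -> host modem


def check_path(ws, client, acm, cabling) -> List[str]:
    """Return findings for one channel; an empty list means it is consistent."""
    f: List[str] = []
    # Speed and framing must be identical at all three configuration points.
    if ws.serial != client.serial:
        f.append(f"workstation {ws.serial} and client {client.serial} differ")
    if (acm.data_bits, acm.parity) != (ws.serial.data_bits, ws.serial.parity):
        f.append("ACM data/parity bits do not match the workstation entry")
    # ACM speed rules: hard cap at 38,400; Auto only detects 300-19,200.
    baud, (lo, hi) = ws.serial.baud, ACM_AUTOBAUD_RANGE
    if baud > ACM_MAX_BAUD:
        f.append(f"{baud} baud exceeds the ACM maximum of {ACM_MAX_BAUD}")
    elif acm.baud is None and not lo <= baud <= hi:
        f.append(f"ACM autobaud covers only {lo}-{hi}; set {baud} explicitly")
    elif acm.baud is not None and acm.baud != baud:
        f.append(f"ACM channel fixed at {acm.baud} but path runs at {baud}")
    # The host port faces the ACM, so it is a DCD-driven direct-connect device.
    if ws.modem_name is not None:
        f.append("workstation device was created as a modem device, not Direct Connect")
    if not ws.connect_on_dcd:
        f.append("workstation connection type must be Connect on DCD")
    if ws.flow_control != REQUIRED_WS_FLOW:
        f.append("workstation flow control must be exactly RTS input, DTR/DSR, CTS output")
    if client.flow_control != "RTS/CTS":
        f.append("client flow control must be RTS/CTS")
    # The ACM channel hands the session straight through after authentication.
    if acm.protocol != "d-d":
        f.append("ACM protocol must be d-d (DCD at modem and DCD at host)")
    if acm.host_command_mode != "N" or acm.dialout != "N":
        f.append("ACM Host Command Mode and Dialout must both be N")
    # Cables: modem cable on the host side; DTE connector depends on scenario.
    if cabling.host_to_acm != "modem":
        f.append("host-to-ACM link needs a modem (straight-through) cable")
    want_far = {"direct": "null modem", "modem": "modem"}.get(cabling.scenario)
    if want_far is None:
        f.append(f"unknown scenario {cabling.scenario!r}")
    elif cabling.acm_to_far_end != want_far:
        f.append(f"{cabling.scenario} scenario: ACM-to-far-end link needs a {want_far} cable")
    if cabling.scenario == "direct" and client.modem_type != "Direct Connect":
        f.append("direct scenario: Remote Link modem type must be Direct Connect")
    return f


# Constructed samples: a correct 19,200 direct-connect channel (Auto is fine
# there) and a 38,400 channel left on Auto with the PC-side cable wrong.
GOOD_DIRECT = dict(ws=WinViewWorkstation(SerialParams(19200)),
                   client=RemoteLinkClient(SerialParams(19200)),
                   acm=AcmChannel(baud=None),
                   cabling=Cabling("direct", "modem", "null modem"))
BAD_DIRECT = dict(ws=WinViewWorkstation(SerialParams(38400)),
                  client=RemoteLinkClient(SerialParams(38400)),
                  acm=AcmChannel(baud=None),
                  cabling=Cabling("direct", "modem", "modem"))

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_DIRECT), ("bad", BAD_DIRECT)):
        print(name, check_path(**cfg) or "OK")
```

Run it before touching hardware: the second sample reports that the ACM must be set to 38,400 explicitly and that the ACM-to-PC link needs a null modem cable, which are exactly the two mistakes the Notes and Troubleshooting Tips single out. A 57,600 entry is rejected outright, since no setting on the ACM can carry it.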