Chat now with support

Live-Hilfe anfordern
Registrierung abschließen

Anmelden

Preisinformationen anfragen

Vertrieb kontaktieren

Defender 6.1 - Administration Guide

Inhaltsnavigation

Getting started

Features and benefits What you can do with Defender

Authenticating VPN users Authenticating Web site users Authenticating users of Windows-based computers

Deploying Defender

Step 1: Install required Defender components Step 2: Configure Defender Security Server Step 3: Create and configure objects in Active Directory

Defender Security Policy Defender Security Server Access Node

Step 4: Program and assign security tokens to users Defender Setup Wizard reference Defender Security Server Configuration tool reference

Communication ports Upgrading Defender

Upgrading Defender Security Server and Administration Console Upgrading Defender Management Portal Upgrading Management Shell

User interface for managing licenses Adding a license Removing a license

Managing Defender objects in Active Directory

Managing user objects

Managing tokens for a user

Tokens list buttons Authentication Details area elements

Resetting passphrase for a user Managing Defender Security Policy for a user Managing RADIUS payload for a user

Managing security token objects

Importing hardware token objects Assigning a hardware token object to a user Modifying token object properties

General tab Details tab Assigned Users

Import Wizard reference

Managing Defender Security Policies

Creating a Defender Security Policy object

New Object - Defender Policy Wizard reference

Defender Rollout Mode

Automatically Switching to Token Authentication Manually switching to token authentication

Modifying Defender Security Policy object properties

General tab Account tab Expiry tab Logon Hours tab SMS Token tab E-mail Token tab GrIDsure Token tab

Default Defender Security Policy

Managing Access Nodes

Creating an Access Node

New Object - Defender Access Node Wizard reference

Modifying Access Node properties

General tab Servers tab Members tab Policy tab RADIUS Payload tab

Managing Defender Security Servers

Creating a Defender Security Server object Modify Defender Security Server object properties

General tab Security Server tab Prompts tab Policy tab RADIUS Payload tab

Creating a RADIUS payload object

RADIUS payload attributes

Configuring security tokens

Configuring Defender Soft Token Configuring GrIDsure token Enabling the use of Authy Enabling the use of Google Authenticator Configuring SMS token Configuring e-mail token Configuring VIP credentials

Enabling the use of VIP credentials Programming a VIP credential for a user

Configuring YubiKey

Yubico OTP mode OATH-HOTP mode

Defender Token Programming Wizard reference

Securing VPN access

Configuring Defender for remote access Configuration example

Configuring your remote access device

Step 1: Create an AAA server group, add Defender Security Server Step 2: Configure an IPsec connection profile

Configuring Defender

Step 1: Configure an Access Node Step 2: Specify users or groups for the Access Node

Using Defender VPN Integrator

Installing Defender VPN Integrator Configuring Defender VPN Integrator

Defender EAP Agent

Deploying Defender EAP Agent

Step 1: Install Defender EAP Agent Step 2: Configure Network Policy Server Step 3: Configure VPN connection on the client computer

Authenticating via EAP Agent

Securing Web sites

Installing ISAPI Agent Configuring ISAPI Agent Accessing Protected Website

Securing Windows-based computers

Installing Defender Desktop Login by using a wizard Performing an unattended installation of Defender Desktop Login Configuring Defender Desktop Login by using a configuration tool Configuring Defender Desktop Login by using Group Policy Defender Desktop Login Configuration tool reference

Defender Management Portal (Web interface)

Installing the portal Opening the portal Specifying a service account for the portal Configuring the portal

Service Account tab Roles tab Log Receiver Service tab Reports tab

Portal roles Enabling automatic sign-in Configuring self-service for users

General tab Software Tokens tab Hardware Tokens tab E-mail Settings tab PIN Settings tab

Troubleshooting authentication issues

User Details tab Tokens tab Authentication Routes tab Authentications tab

Managing users Managing security tokens Viewing authentication statistics Viewing Defender Security Server warnings and logs Viewing token requests from users Using Defender reports

Generating a report

Audit trail Authentication requests Authentication activity Authentication violations Defender Security Server configuration License information Proxied users RADIUS payloads Tokens Active, inactive, and locked users User details

Report scheduling settings Viewing a generated report Deleting generated reports Viewing a list of scheduled reports Deleting scheduled reports

Managing portal database

Encrypting database Changing password for encrypted database Decrypting database

Defender Security Server log cache Log Receiver Service database

Securing PAM-enabled services

Installing Defender PAM Configuring Defender PAM

Step 1: Enable authentication for target service Step 2: Specify Defender Security Servers Step 3: Configure access control for users and services Step 4: Configure Defender objects in Active Directory

Testing Defender PAM configuration Defender PAM logging Auth arguments

Delegating Defender roles, tasks, and functions

Steps to delegate roles, tasks, and functions Roles Service accounts Advanced control Full control Using control access rights

Automating administrative tasks

Installing Defender Management Shell Uninstalling Defender Management Shell Opening Defender Management Shell Getting help Cmdlets provided by Defender Management Shell

Administrative templates

Installing administrative templates Configuring administrative templates Temporary Responses setting Active Roles Web Interface - Token Programming setting Mail Configuration setting ADSI Configuration setting Updating Administrative templates from .adm to .admx

Domain Controller Client computer

Integration with Active Roles

Installing Defender Integration Pack for Active Roles Commands added to the Active Roles Web Interface

Defender Properties Set Defender Password Program Defender Token

Enabling additional features via Group Policy Enabling automatic deletion of tokens Delegating Defender roles or tasks Upgrading Defender Integration Pack for Active Roles Uninstalling Defender Integration Pack for Active Roles Push Notifications

Appendix A: Enabling diagnostic logging

Administration Console Defender Core Token Operations SDK (DTSDK) Defender Security Server Desktop Login EAP Agent Integration Pack for Active Roles Management Portal Management Portal (reports) Management Shell Service Connection Point Soft Token for Windows Token Import Token Programming VPN Integrator Web Service API Product information tool

Appendix B: Troubleshooting common authentication issues

Step 1: Gather required information Step 2: Analyze Defender Security Server log Step 3: Gather further diagnostics

Appendix C: Troubleshooting DIGIPASS token issues

Step 1: Determine type of failure Step 2: Verify Defender configuration Step 3: Gather further diagnostics

Appendix D: Defender classes and attributes in Active Directory

Classes defined by Defender

defender-tokenClass defender-danClass defender-dssClass defender-policyClass defender-licenseClass defender-radiusPayloadClass defender-tokenLicenseClass

Classes extended by Defender

Attributes defined by Defender

defender-tokenType defender-tokenData defender-userTokenData defender-tokenUsersDNs defender-tokenDate defender-dssDNs defender-dssMembers defender-danKey defender-id defender-violationCount defender-resetCount defender-lastLogon defender-objectActive defender-prompts defender-authMethods defender-lockoutThreshold defender-lockoutDuration defender-lockoutTime defender-policy defender-policyMembers defender-danType defender-userIdType defender-subnetMask defender-accessCategories defender-danMembers defender-danDNs defender-dssVersion defender-radiusPayloadDn defender-radiusPayloadMembers defender-radiusPayloadData defender-radiusPayloadGroups defender-radiusPayloadGroupsDN defender-radiusPayloadInherit defender-policyAutoUnlock defender-policyMobileUsers defender-policyMaximumPasswordAge defender-policyMaximumPINAge defender-policyPasswordChangeFlags defender-policyPasswordFilter defender-policyGINAOptions defender-policyLoginTimes defender-notificationId

Appendix E: Defender Event Log messages

Defender VPN Integrator messages Defender Report Scheduler messages Defender Administration Console messages

Appendix F: Defender Client SDK

Installing Defender Client SDK Application Programming Interfaces (APIs)

IAuthenticator, IAuthenticator2, and IAuthenticator3 interfaces

Authenticate method challengeMessage property sessionID property timeout property

IAuthenticator2 and IAuthenticator3 interfaces

challengeMessageId property challengeMessageData property

IAuthenticator3 interface

AddPayload method GetGridData method GetAuthenticationImage method SetGridResetPIPAttribute method payload property grIDsureMessage property grIDsureGridType property

IAuthInfo interface

userIdType property isUserDefenderAuthenticated property

Defender Security Server messages

Appendix G: Defender Web Service API

AddSoftwareTokenToUser method AddTokenToUser method GetTokensForUser method RemoveAllTokensFromUser method RemoveDefenderPassword method RemovePinFromUserToken method RemoveTemporaryResponse method RemoveTokenFromUser method ResetDefenderToken method ResetDefenderViolationCount method SetDefenderPassword method SetPinOnUserToken method SetTemporaryResponse method TestDefenderToken method

AssignedSoftwareToken type AssignedToken type ProgrammableSoftwareTokenType type TokenList type UserTokenDetail type DefenderResult type UserViolationCount type TemporaryResponse type

Defender Token Programming Wizard reference

Table 57:
Defender Token Programming Wizard reference
Wizard step	Your action
Select Token Type	You can select one of the following options: Software token Allows you to program and assign a software token, such as Defender Soft Token, e-mail token, GrIDsure token, or SMS token. Hardware token Allows you to program and assign a hardware token, such as DIGIPASS or YubiKey. This option does not support hardware VIP credentials. Symantec VIP credential Allows you to program and assign a software or hardware VIP credential. This option becomes available after you enable the use of VIP credentials. For details, see Enabling the use of VIP credentials.
Select Software Token	Click to select the software token you want to program and assign to the user.
Activation Settings	Select the Expire token activation code after check box if you want to set a validity time period (in days) for the code with which the user must activate the software token. Then, specify the number of days during which you want the token activation code to remain valid. The token activation code is generated when you complete this wizard. Leave the Expire token activation code after text box cleared if you do not want to limit the validity time period of the token activation code.
Activation and Passphrase Settings	In this step, you can select the following check boxes: Expire token activation code after Select this check box if you want to set a validity time period (in days) for the code with which the user must activate the software token. Then, specify the number of days during which you want the token activation code to remain valid. The token activation code is generated when you complete this wizard. Alert user about failed passphrase attempts Select this check box to notify the user when the user has entered an incorrect passphrase when unlocking the token. Optionally, you can select the Lock token passphrase after check box to lock the passphrase after the user has expended the specified number of attempts to unlock the token. Token requires a passphrase Select this check box to enforce the user to configure a passphrase for using with the token. When this check box is cleared, no passphrase is required. If you select this check box, you can optionally select the Passphrase must be strong check box, which requires the user to configure a passphrase that is at least six characters long, includes uppercase and lowercase characters, and numbers or special characters.
Mode, Encryption, and Response	Use the options in this step to specify an operation mode (synchronous or challenge-response), encryption method, and response length for the software token.
Select Password Algorithm	Select the one-time password algorithm you want Google Authenticator to use. You can select one of the following algorithms: Time based (TOTP) One-time password remains valid for a particular amount of time. Then, Google Authenticator automatically generates a new one-time password. Counter based (HOTP) One-time password remains valid until the user manually generates a new one-time password in Google Authenticator. Note that the algorithm you select in this wizard is only used if the user activates Google Authenticator with a QR code. If the user activates Google Authenticator by manually typing the activation code, the one-time password algorithm specified by the user in Google Authenticator during activation takes precedence over the option you select in this wizard.
Select Token Location	Specify the Active Directory container in which you want to store the token object. If you change the default location, ensure that the Defender Security Server service account and the Defender administrator account have sufficient permissions for the new location you specify.
Activation Code Distribution	Specify options for saving the token activation code. In this step, you can use the following options: One file for all users Saves token activation codes for all users to a single file. Individual file for each user Saves token activation code for each user to an individual file. File Location Specify path to the folder in which you want to create files containing token activation codes. File Name Specify name for the file in which you want to store token activation codes. If a file with such name does not exist, it will be created. Append activation codes to existing file If you select this option and the file with the specified name already exists in the specified location, the wizard appends the activation codes to the file without overwriting its contents. If you leave this check box cleared, the existing file’s contents will be overwritten with the new token activation codes.
Action for Existing GrIDsure Tokens	This step shows up if the selected users already have a GrIDsure token assigned. Each user can only have one GrIDsure token assigned. Select one of the following options: Overwrite existing tokens Creates new GrIDsure token objects which overwrite the existing GrIDsure token objects assigned to the users. As a result, the users will have to configure their GrIDsure Personal Identification Pattern (PIP) the next time they access a protected resource. Keep using existing tokens Does not create new GrIDsure token objects for the users who already have GrIDsure tokens assigned.
VIP Credential Activation	Enter the credential ID shown on the VIP credential you want to assign to the user. Make sure you register that credential ID with Symantec.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen

© ALL RIGHTS RESERVED. Feedback Nutzungsbedingungen Datenschutz Cookie Preference Center