Getting started
Features and benefits
What you can do with Defender
Managing Defender objects in Active Directory
Authenticating VPN users
Authenticating Web site users
Authenticating users of Windows-based computers
Deploying Defender
Step 1: Install required Defender components
Step 2: Configure Defender Security Server
Step 3: Create and configure objects in Active Directory
Step 4: Program and assign security tokens to users
Defender Setup Wizard reference
Defender Security Server Configuration tool reference
Communication ports
Licensing
Managing user objects
Configuring security tokens
Managing tokens for a user
Resetting passphrase for a user
Managing Defender Security Policy for a user
Managing RADIUS payload for a user
Managing security token objects
Importing hardware token objects
Assigning a hardware token object to a user
Modifying token object properties
Import Wizard reference
Managing Defender Security Policies
Creating a Defender Security Policy object
Modifying Defender Security Policy object properties
Managing Access Nodes
Managing Defender Security Servers
Creating a RADIUS payload object
General tab
Account tab
Expiry tab
Logon Hours tab
SMS Token tab
E-mail Token tab
GrIDsure Token tab
Default Defender Security Policy
Configuring Defender Soft Token
Securing VPN access
Distributing Defender Soft Token for BlackBerry via BlackBerry Enterprise Service
Distributing Defender Soft Token for BlackBerry by using a .jad file
Configuring GrIDsure token
Enabling the use of Authy
Enabling the use of Google Authenticator
Configuring SMS token
Configuring e-mail token
Configuring VIP credentials
Configuring YubiKey
Defender Token Programming Wizard reference
Configuring Defender for remote access
Configuration example
Securing Web sites
Securing Windows-based computers
Configuring your remote access device
Using Defender VPN Integrator
Defender EAP Agent
Step 1: Create an AAA server group, add Defender Security Server
Step 2: Configure an IPsec connection profile
Configuring Defender
Installing Defender Desktop Login by using a wizard
Performing an unattended installation of Defender Desktop Login
Configuring Defender Desktop Login by using a configuration tool
Configuring Defender Desktop Login by using Group Policy
Defender Desktop Login Configuration tool reference
Securing PAM-enabled services
Installing Defender PAM
Configuring Defender PAM
Defender Management Portal (Web interface)
Step 1: Enable authentication for target service
Step 2: Specify Defender Security Servers
Step 3: Configure access control for users and services
Step 4: Configure Defender objects in Active Directory
Testing Defender PAM configuration
Defender PAM logging
Auth arguments
Installing the portal
Opening the portal
Specifying a service account for the portal
Configuring the portal
Portal roles
Enabling automatic sign-in
Configuring self-service for users
Troubleshooting authentication issues
Managing users
Managing security tokens
Viewing authentication statistics
Viewing Defender Security Server warnings and logs
Viewing token requests from users
Using Defender reports
Delegating Defender roles, tasks, and functions
Generating a report
Managing portal database
Defender Security Server log cache
Log Receiver Service database
Audit trail
Authentication requests
Authentication activity
Authentication violations
Defender Security Server configuration
License information
Proxied users
RADIUS payloads
Tokens
Active, inactive, and locked users
User details
Report scheduling settings
Viewing a generated report
Deleting generated reports
Viewing a list of scheduled reports
Deleting scheduled reports
Steps to delegate roles, tasks, and functions
Roles
Service accounts
Advanced control
Full control
Using control access rights
Automating administrative tasks
Installing Defender Management Shell
Uninstalling Defender Management Shell
Opening Defender Management Shell
Getting help
Cmdlets provided by Defender Management Shell
Administrative templates
Installing and configuring administrative templates
Temporary Responses setting
Active Roles Web Interface - Token Programming setting
Mail Configuration setting
ADSI Configuration setting
Integration with Active Roles
Installing Defender Integration Pack for Active Roles
Commands added to the Active Roles Web Interface
Enabling automatic deletion of tokens
Delegating Defender roles or tasks
Integration with Cloud Access Manager
Appendices
Appendix A: Enabling diagnostic logging
Administration Console
Defender Core Token Operations SDK (DTSDK)
Defender Security Server
Desktop Login
EAP Agent
Integration Pack for Active Roles
Management Portal
Management Portal (reports)
Management Shell
Service Connection Point
Soft Token for Windows
Token Import
Token Programming
VPN Integrator
Web Service API
Appendix B: Troubleshooting common authentication issues
Step 1: Gather required information
Step 2: Analyze Defender Security Server log
Step 3: Gather further diagnostics
Appendix C: Troubleshooting DIGIPASS token issues
Step 1: Determine type of failure
Step 2: Verify Defender configuration
Step 3: Gather further diagnostics
Appendix D: Defender classes and attributes in Active Directory
Classes defined by Defender
Appendix E: Defender Event Log messages
defender-tokenClass
defender-danClass
defender-dssClass
defender-policyClass
defender-licenseClass
defender-radiusPayloadClass
defender-tokenLicenseClass
Classes extended by Defender
Attributes defined by Defender
defender-tokenType
defender-tokenData
defender-userTokenData
defender-tokenUsersDNs
defender-tokenDate
defender-dssDNs
defender-dssMembers
defender-danKey
defender-id
defender-violationCount
defender-resetCount
defender-lastLogon
defender-objectActive
defender-prompts
defender-authMethods
defender-lockoutThreshold
defender-lockoutDuration
defender-lockoutTime
defender-policy
defender-policyMembers
defender-danType
defender-userIdType
defender-accessCategories
defender-subnetMask
defender-danMembers
defender-danDNs
defender-dssVersion
defender-radiusPayloadDn
defender-radiusPayloadMembers
defender-radiusPayloadData
defender-radiusPayloadGroups
defender-radiusPayloadGroupsDN
defender-radiusPayloadInherit
defender-policyAutoUnlock
defender-policyMobileUsers
defender-policyMaximumPasswordAge
defender-policyMaximumPINAge
defender-policyPasswordChangeFlags
defender-policyPasswordFilter
defender-policyGINAOptions
defender-policyLoginTimes
Defender VPN Integrator messages
Defender Report Scheduler messages
Defender Administration Console messages
Defender Security Server messages
Appendix F: Defender Client SDK
Installing Defender Client SDK
Application Programming Interfaces (APIs)
Appendix G: Defender Web Service API
IAuthenticator, IAuthenticator2, and IAuthenticator3 interfaces
IAuthenticator2 and IAuthenticator3 interfaces
IAuthenticator3 interface
IAuthInfo interface
Defender Security Server messages
API methods
AddSoftwareTokenToUser method
AddTokenToUser method
GetTokensForUser method
RemoveAllTokensFromUser method
RemoveDefenderPassword method
RemovePinFromUserToken method
RemoveTemporaryResponse method
RemoveTokenFromUser method
ResetDefenderToken method
ResetDefenderViolationCount method
SetDefenderPassword method
SetPinOnUserToken method
SetTemporaryResponse method
TestDefenderToken method
API types
Integration with Active Roles
Active Roles offers a practical approach to automated user provisioning and administration, for maximum security and efficiency. Active Roles provides total control of user provisioning and administration for Active Directory. For more information about Active Roles, please go to quest.com/products/activeroles-server.
Installing Defender Integration Pack for Active Roles
Before installing the Defender Integration Pack for Active Roles, make sure the target system meets the system requirements listed in the Defender Release Notes.
|
1 |
On the target computer, run the ActiveRolesIntegrationPack.exe file supplied in the Defender installation package. |
|
• |
Active Roles Web Interface Extension Install this feature to be able to perform Defender-related tasks from the Active Roles Web Interface. The computer on which you plan to install this feature must have the Active Roles Web Interface installed. For more information about the commands this feature adds to the Active Roles Web Interface, see Commands added to the Active Roles Web Interface. |
|
• |
Active Roles Console Extension Install this feature to be able to perform Defender-related tasks from the Active Roles console (MMC Interface). After installing this feature, you can use the Active Roles console to manage Defender-related objects and perform Defender-related tasks. The steps you should perform in the Active Roles console to manage Defender objects are identical to those you perform in Microsoft’s Active Directory Users and Computers tool. For more information, see Managing Defender objects in Active Directory. |
To install the Defender Integration Pack for Active Roles Administration Service, run the ActiveRolesAdminServiceIntegrationPack.exe file supplied in the Defender installation package, and then complete the wizard.
Commands added to the Active Roles Web Interface
The Defender Integration Pack for Active Roles adds the Defender category to the Active Roles Web Interface:
Click the Defender category to access the commands added by the Defender Integration Pack for Active Roles to the Active Roles Web Interface.
|
• |
Defender Properties Allows you to administer tokens and view and manage the Defender properties for the selected user. |
|
• |
Set Defender Password Allows you to set a Defender password for the selected user. |
|
• |
Program Defender Token Allows you to program a security token for the selected user. |
Defender Properties
The Defender Properties command allows you to administer tokens, and view and manage the Defender properties for the selected user. Clicking this command opens the following page:
On this page, you can use the User tokens list to view and administer security tokens for the user, view the serial number of each security token assigned to the user, and if the tokens have a PIN configured.
Below the User tokens list, you can use the following elements:
|
• |
Add Click this button to search for existing token objects in Active Directory and assign them to the user if necessary. |
|
• |
Defender ID Allows you to view or change the Defender ID of the user. |
|
• |
Violation count Displays the number of unsuccessful authentication attempts for the user. To reset violation count for the user, click the Reset Violation Count button, and then click Save. |
|
• |
Reset count Displays how many times the violation count has been reset so far. |
|
• |
Last authentication Displays the time and date of user’s last successful authentication. |
In the Type column of the User tokens list, you can click a security token name to administer the token. On the page that opens, you can use the following buttons:
|
Click to set a new PIN for the token. On the page that opens, use the New PIN and Confirm PIN text boxes to type the new PIN. If you want the user to change the new PIN on first use, select the Expire PIN check box. When finished, click the Set PIN button. | |||||||||
| |||||||||
|
Click to open a page that allows you to test the token response for the selected token: In the Response text box, enter a token response, and then click Verify. | |||||||||