Defender 5.8 - Administrator Guide

Chat now with support

Distributing Defender Soft Token for BlackBerry via BlackBerry Enterprise Service Distributing Defender Soft Token for BlackBerry by using a .jad file

Configuring GrIDsure token Enabling the use of Authy Enabling the use of Google Authenticator Configuring SMS token Configuring e-mail token Configuring VIP credentials

Enabling the use of VIP credentials Programming a VIP credential for a user

Configuring YubiKey

Yubico OTP mode OATH-HOTP mode

Defender Token Programming Wizard reference

Securing VPN access

Configuring Defender for remote access Configuration example

Configuring your remote access device

Step 1: Create an AAA server group, add Defender Security Server Step 2: Configure an IPsec connection profile

Configuring Defender

Step 1: Configure an Access Node Step 2: Specify users or groups for the Access Node

Using Defender VPN Integrator

Installing Defender VPN Integrator Configuring Defender VPN Integrator

Defender EAP Agent

Deploying Defender EAP Agent

Step 1: Install Defender EAP Agent Step 2: Configure Network Policy Server Step 3: Configure VPN connection on the client computer

Authenticating via EAP Agent

Securing Web sites

Installing ISAPI Agent Configuring ISAPI Agent Accessing Protected Website

Securing Windows-based computers

Installing Defender Desktop Login by using a wizard Performing an unattended installation of Defender Desktop Login Configuring Defender Desktop Login by using a configuration tool Configuring Defender Desktop Login by using Group Policy Defender Desktop Login Configuration tool reference

Securing PAM-enabled services

Installing Defender PAM Configuring Defender PAM

Step 1: Enable authentication for target service Step 2: Specify Defender Security Servers Step 3: Configure access control for users and services Step 4: Configure Defender objects in Active Directory

Testing Defender PAM configuration Defender PAM logging Auth arguments

Defender Management Portal (Web interface)

Installing the portal Opening the portal Specifying a service account for the portal Configuring the portal

Service Account tab Roles tab Log Receiver Service tab Reports tab

Portal roles Enabling automatic sign-in Configuring self-service for users

General tab Software Tokens tab Hardware Tokens tab E-mail Settings tab PIN Settings tab

Troubleshooting authentication issues

User Details tab Tokens tab Authentication Routes tab Authentications tab

Managing users Managing security tokens Viewing authentication statistics Viewing Defender Security Server warnings and logs Viewing token requests from users Using Defender reports

Generating a report

Audit trail Authentication requests Authentication activity Authentication violations Defender Security Server configuration License information Proxied users RADIUS payloads Tokens Active, inactive, and locked users User details

Report scheduling settings Viewing a generated report Deleting generated reports Viewing a list of scheduled reports Deleting scheduled reports

Managing portal database

Encrypting database Changing password for encrypted database Decrypting database

Defender Security Server log cache Log Receiver Service database

Delegating Defender roles, tasks, and functions

Steps to delegate roles, tasks, and functions Roles Service accounts Advanced control Full control Using control access rights

Automating administrative tasks

Installing Defender Management Shell Uninstalling Defender Management Shell Opening Defender Management Shell Getting help Cmdlets provided by Defender Management Shell

Administrative templates

Installing and configuring administrative templates Temporary Responses setting Active Roles Web Interface - Token Programming setting Mail Configuration setting ADSI Configuration setting

Integration with Active Roles

Installing Defender Integration Pack for Active Roles Commands added to the Active Roles Web Interface

Defender Properties Set Defender Password Program Defender Token

Enabling automatic deletion of tokens Delegating Defender roles or tasks

Integration with Cloud Access Manager Appendices

Appendix A: Enabling diagnostic logging

Administration Console Defender Core Token Operations SDK (DTSDK) Defender Security Server Desktop Login EAP Agent Integration Pack for Active Roles Management Portal Management Portal (reports) Management Shell Service Connection Point Soft Token for Windows Token Import Token Programming VPN Integrator Web Service API

Appendix B: Troubleshooting common authentication issues

Step 1: Gather required information Step 2: Analyze Defender Security Server log Step 3: Gather further diagnostics

Appendix C: Troubleshooting DIGIPASS token issues

Step 1: Determine type of failure Step 2: Verify Defender configuration Step 3: Gather further diagnostics

Appendix D: Defender classes and attributes in Active Directory

Classes defined by Defender

defender-tokenClass defender-danClass defender-dssClass defender-policyClass defender-licenseClass defender-radiusPayloadClass defender-tokenLicenseClass

Classes extended by Defender

Group User

Attributes defined by Defender

defender-tokenType defender-tokenData defender-userTokenData defender-tokenUsersDNs defender-tokenDate defender-dssDNs defender-dssMembers defender-danKey defender-id defender-violationCount defender-resetCount defender-lastLogon defender-objectActive defender-prompts defender-authMethods defender-lockoutThreshold defender-lockoutDuration defender-lockoutTime defender-policy defender-policyMembers defender-danType defender-userIdType defender-accessCategories defender-subnetMask defender-danMembers defender-danDNs defender-dssVersion defender-radiusPayloadDn defender-radiusPayloadMembers defender-radiusPayloadData defender-radiusPayloadGroups defender-radiusPayloadGroupsDN defender-radiusPayloadInherit defender-policyAutoUnlock defender-policyMobileUsers defender-policyMaximumPasswordAge defender-policyMaximumPINAge defender-policyPasswordChangeFlags defender-policyPasswordFilter defender-policyGINAOptions defender-policyLoginTimes

Appendix E: Defender Event Log messages

Defender VPN Integrator messages Defender Report Scheduler messages Defender Administration Console messages Defender Security Server messages

Appendix F: Defender Client SDK

Installing Defender Client SDK Application Programming Interfaces (APIs)

IAuthenticator, IAuthenticator2, and IAuthenticator3 interfaces IAuthenticator2 and IAuthenticator3 interfaces IAuthenticator3 interface IAuthInfo interface

Defender Security Server messages

Appendix G: Defender Web Service API

API methods

AddSoftwareTokenToUser method AddTokenToUser method GetTokensForUser method RemoveAllTokensFromUser method RemoveDefenderPassword method RemovePinFromUserToken method RemoveTemporaryResponse method RemoveTokenFromUser method ResetDefenderToken method ResetDefenderViolationCount method SetDefenderPassword method SetPinOnUserToken method SetTemporaryResponse method TestDefenderToken method

API types

AssignedSoftwareToken type AssignedToken type ProgrammableSoftwareTokenType type TokenList type UserTokenDetail type DefenderResult type UserViolationCount type TemporaryResponse type

Service Connection Point

To troubleshoot issues that may occur with the Log Receiver component of the Management Portal, you need to enable diagnostic logging for the Service Connection Point component.

To enable diagnostic logging for the Service Connection Point component

•

the Management Portal is installed or on the corresponding Defender Security Server computers, use Registry Editor to create the following value in the HKLM\SOFTWARE\PassGo Technologies\Defender registry key:

Value type: REG_DWORD

Value name: SCP Diagnostics

Value data: 1

The path to the log file is %ProgramData%\Dell\Defender\Diagnostics\scp.txt.

To disable diagnostic logging for the Service Connection Point component, delete the SCP Diagnostics value from the Defender registry key, or set the value data to 0.

Soft Token for Windows

To enable diagnostic logging for Soft Token for Windows on a 32-bit (x86) system

•

On a 32-bit computer where Soft Token for Windows is installed, use Registry Editor to create the following value in the HKLM\SOFTWARE\PassGo Technologies\PassGo Desktop Token registry key:

Value type: REG_DWORD

Value name: Diagnostics

Value data: 1

To enable diagnostic logging for Soft Token for Windows on a 64-bit (x64) system

•

On a 64-bit computer where Soft Token for Windows is installed, use Registry Editor to create the following value in the HKLM\SOFTWARE\Wow6432Node\PassGo Technologies\PassGo Desktop Token registry key:

Value type: REG_DWORD

Value name: Diagnostics

Value data: 1

The path to the log file is %ProgramData%\Dell\Defender\Diagnostics\Defender Desktop Token.txt.

To disable diagnostic logging for Soft Token for Windows, delete the Diagnostics value from the PassGo Desktop Token registry key, or set the value data to 0.

Token Import

Diagnostic logging for the token import operations is turned on by default. The path to the log file is %ProgramData%\Dell\Defender\Diagnostics\Token Import\Token Import.txt on the computer where Defender Administration Console is installed.

Token Programming

Diagnostic logging for the token programming operations is turned on by default. The path to the log file is %ProgramData%\Dell\Defender\Diagnostics\Token Programming\Token Programming.txt.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Defender 5.8 - Administrator Guide

Service Connection Point

Soft Token for Windows

Token Import

Token Programming