Chat now with support
Chat with Support

Defender 6.6 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Push Notifications Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

Expiry tab

This tab allows you to configure expiry settings for Defender passwords and token PINs. These settings only apply if authentication requires a Defender password and/or a token protected with a PIN. On this tab, you can use the following options:

  • Enable Defender Password Expiry  Causes the Defender password to expire after the number of days specified in the Expire after option.
  • Enable PIN Expiry  Causes the token PIN to expire after the number of days specified in the Expire after option.
  • Allow authentication with expired Active Directory password  Enables the user to authenticate via Defender even if the user’s Active Directory password has expired. This option only has effect if the authentication method selected for the user is Active Directory password, Active Directory Password with Token or Token with Active Directory password.
  • Allow expired Active Directory password to be changed  Enables the user to change an expired Active Directory password. This setting can only be used if the method used by the user to communicate with Defender also supports the password change option.

Logon Hours tab

This tab allows you to configure a time slot when authentication via Defender is permitted or denied to the user. Click and drag in the grid to select the time slot in which you want to permit or deny authentication via Defender.

On this tab, you can use the following options:

Logon permitted  Select this option to allow authentication via Defender in the selected time slot. The time slot during which authentication is allowed is marked in blue.

  • Logon denied  Select this option to deny authentication via Defender in the selected time slot. The time slot during which authentication is denied is marked in white.
  • Permit All  Click to permit authentication via Defender at all times.
  • Deny All  Click to deny authentication via Defender at all times.
  • Invert  Click to change the selected time slot from permit to deny or vice versa.

SMS Token tab

This tab allows you to configure settings for sending SMS messages containing one-time passwords to users’ SMS-capable devices. On this tab, you can use the following options:

  • Enable SMS token  Enables the SMS token for the users to whom this Defender Security Policy applies.
  • Send SMS to user as required  Enables Defender to send an SMS message containing new one-time passwords to the user when the user is about to expend the one-time passwords provided in the previous SMS message.
  • Only send SMS when user enters keyword  Causes the Defender Security Server to send an SMS message containing one-time passwords only when the user enters the specified trigger keyword during authentication.
  • Responses per SMS  Allows you to specify the number of one-time passwords you want to include in each SMS message to be sent to the user. You can specify a value from 1 to 10.
  • Keyword  Specify the keyword that will trigger the sending of an SMS message containing one-time passwords to the user. The keyword works as a trigger when it is entered by the user during authentication. If the SMS token has a PIN assigned, you can specify that PIN as the trigger keyword as well.

    You can select the Use AD Password check box to make the user’s Active Directory password act as the keyword that causes the Defender Security Server to send the SMS message.

    If this check box is selected and an account lockout policy is enforced in the domain, then a number of unsuccessful authentication attempts may lock out the user’s Active Directory account. Use this check box with caution.

  • Phone attribute  Select the Active Directory attribute that stores user’s mobile phone number to which you want to send SMS messages containing one-time passwords.
  • Mobile provider URL  Type the URL of the mobile service provider through which you want to send SMS messages containing one-time passwords.
  • [USERID]  Type the user name of the account under which you want to access the mobile service provider’s Web site.
  • [PASSWORD]  Type the password that matches the user name in the [USERID] text box.
  • POST Data  Click this button to enter the information you want to send to the mobile service provider at the URL specified on this tab. The default POST data provided in this option is only applicable to the 2sms mobile service provider. Contact your mobile service provider for more information about the syntax you need to use in this option.
  • Test  Click to test the settings specified on this tab.

E-mail Token tab

This tab allows you to configure settings for sending e-mail messages containing one-time passwords to the users. On this tab, you can use the following options:

  • Enable e-mail token  Enables the e-mail token for the users to whom this Defender Security Policy applies.
  • Send e-mail to user as required  Enables Defender to send an e-mail message containing new one-time passwords to the user when the user is about to expend the one-time passwords provided in the previous e-mail message.
  • Only send e-mail when user enters keyword  Causes the Defender Security Server to send an e-mail message containing one-time passwords only when the user enters the specified trigger keyword during authentication.
  • Responses per e-mail  Specify the number of one-time passwords you want to include in each e-mail message. The one-time passwords must be used sequentially. The penultimate or last one-time password triggers the sending of a new e-mail containing one-time passwords.
  • Keyword  Specify the keyword that will trigger the sending of an e-mail message containing one-time passwords to the user. The keyword works as a trigger when it is entered by the user during authentication. If the e-mail token has a PIN assigned, you can specify that PIN as the trigger keyword as well.

    You can select the Use AD Password check box to make the user’s Active Directory password act as the keyword that causes the Defender Security Server to send the SMS message.

    If this check box is selected and an account lockout policy is enforced in the domain, then a number of unsuccessful authentication attempts may lock out the user’s Active Directory account. Use this check box with caution.

  • E-mail attribute  Select the Active Directory attribute that stores user’s e-mail address to which you want to send e-mail messages containing one-time passwords.
  • Subject  Type the subject line you want to display in the Subject field of the e-mail messages containing one-time passwords.
  • From address  Type the e-mail address you want to appear in the From field of the e-mail messages containing one-time passwords.
  • Send copy to  Type the e-mail address to which you want to send copies of the e-mail messages containing one-time passwords.
  • Mail Content  Click this button to view and edit the text that will be included in the body of each e-mail message containing one-time passwords. The [RESPONSES] variable indicates the position in the text at which the one-time passwords appear. If the [RESPONSES] variable is missing, the one-time passwords appear at the foot of the text.
  • Mail Server  Click this button to specify the SMTP server you want to use for sending e-mail messages containing one-time passwords. In the dialog box that opens, use the following options:
    • Name  Type the name or IP Address of the SMTP server.
    • Port  Type the port number used by the SMTP server. The default port is 25.
    • Authentication  Select the authentication method required by the SMTP server, and then type the user name and password of the access account you want to use.
  • Test  Click to test the settings on this tab by sending a test e-mail message to the address you specify.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating