Expiry tab
This tab allows you to configure expiry settings for Defender passwords and token PINs. These settings only apply if authentication requires a Defender password and/or a token protected with a PIN. On this tab, you can use the following options:
- Enable Defender Password Expiry Causes the Defender password to expire after the number of days specified in the Expire after option.
- Enable PIN Expiry Causes the token PIN to expire after the number of days specified in the Expire after option.
- Allow authentication with expired Active Directory password Enables the user to authenticate via Defender even if the user’s Active Directory password has expired. This option only has effect if the authentication method selected for the user is Active Directory password, Active Directory Password with Token or Token with Active Directory password.
- Allow expired Active Directory password to be changed Enables the user to change an expired Active Directory password. This setting can only be used if the method used by the user to communicate with Defender also supports the password change option.
Logon Hours tab
This tab allows you to configure a time slot when authentication via Defender is permitted or denied to the user. Click and drag in the grid to select the time slot in which you want to permit or deny authentication via Defender.
On this tab, you can use the following options:
- Logon permitted Select this option to allow authentication via Defender in the selected time slot. The time slot during which authentication is allowed is marked in blue.
- Logon denied Select this option to deny authentication via Defender in the selected time slot. The time slot during which authentication is denied is marked in white.
- Permit All Click to permit authentication via Defender at all times.
- Deny All Click to deny authentication via Defender at all times.
- Invert Click to change the selected time slot from permit to deny or vice versa.
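The grid operations above map onto a small day-by-hour bitmap. The following is an added example (not Defender's own code) that models the Logon Hours grid and the Permit All, Deny All and Invert buttons, then evaluates whether a given weekday/hour slot permits authentication; the class, method and policy names are assumptions chosen for the illustration.

```python
from datetime import datetime

DAYS, HOURS = 7, 24  # one cell per weekday/hour slot, as on the tab


class LogonHoursGrid:
    """Constructed model of the Logon Hours grid: True = permitted (blue),
    False = denied (white). Weekday indexes follow datetime: Monday = 0."""

    def __init__(self):
        # A fresh policy permits authentication in every slot.
        self.cells = [[True] * HOURS for _ in range(DAYS)]

    @staticmethod
    def _select(day_from, day_to, hour_from, hour_to):
        # Mimics click-and-drag: an inclusive rectangle of slots.
        return [(d, h) for d in range(day_from, day_to + 1)
                for h in range(hour_from, hour_to + 1)]

    def logon_permitted(self, *selection):
        for d, h in self._select(*selection):
            self.cells[d][h] = True

    def logon_denied(self, *selection):
        for d, h in self._select(*selection):
            self.cells[d][h] = False

    def permit_all(self):
        self.cells = [[True] * HOURS for _ in range(DAYS)]

    def deny_all(self):
        self.cells = [[False] * HOURS for _ in range(DAYS)]

    def invert(self, *selection):
        for d, h in self._select(*selection):
            self.cells[d][h] = not self.cells[d][h]

    def is_permitted_slot(self, weekday: int, hour: int) -> bool:
        return self.cells[weekday][hour]

    def is_permitted(self, when: datetime) -> bool:
        return self.is_permitted_slot(when.weekday(), when.hour)


def business_hours_policy() -> LogonHoursGrid:
    """Hypothetical policy: Deny All, then permit Monday-Friday 08:00-17:59."""
    grid = LogonHoursGrid()
    grid.deny_all()
    grid.logon_permitted(0, 4, 8, 17)
    return grid
```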
SMS Token tab
This tab allows you to configure settings for sending SMS messages containing one-time passwords to users’ SMS-capable devices. On this tab, you can use the following options:
- Enable SMS token Enables the SMS token for the users to whom this Defender Security Policy applies.
- Send SMS to user as required Enables Defender to send an SMS message containing new one-time passwords to the user when the user is about to expend the one-time passwords provided in the previous SMS message.
- Only send SMS when user enters keyword Causes the Defender Security Server to send an SMS message containing one-time passwords only when the user enters the specified trigger keyword during authentication.
- Responses per SMS Allows you to specify the number of one-time passwords you want to include in each SMS message to be sent to the user. You can specify a value from 1 to 10.
- Keyword Specify the keyword that will trigger the sending of an SMS message containing one-time passwords to the user. The keyword works as a trigger when it is entered by the user during authentication. If the SMS token has a PIN assigned, you can specify that PIN as the trigger keyword as well.
You can select the Use AD Password check box to make the user’s Active Directory password act as the keyword that causes the Defender Security Server to send the SMS message.
If this check box is selected and an account lockout policy is enforced in the domain, then a number of unsuccessful authentication attempts may lock out the user’s Active Directory account. Use this check box with caution.
- Phone attribute Select the Active Directory attribute that stores the user’s mobile phone number to which you want to send SMS messages containing one-time passwords.
- Mobile provider URL Type the URL of the mobile service provider through which you want to send SMS messages containing one-time passwords.
- [USERID] Type the user name of the account under which you want to access the mobile service provider’s Web site.
- [PASSWORD] Type the password that matches the user name in the [USERID] text box.
- POST Data Click this button to enter the information you want to send to the mobile service provider at the URL specified on this tab. The default POST data provided in this option is only applicable to the 2sms mobile service provider. Contact your mobile service provider for more information about the syntax you need to use in this option.
- Test Click to test the settings specified on this tab.
E-mail Token tab
This tab allows you to configure settings for sending e-mail messages containing one-time passwords to the users. On this tab, you can use the following options:
- Enable e-mail token Enables the e-mail token for the users to whom this Defender Security Policy applies.
- Send e-mail to user as required Enables Defender to send an e-mail message containing new one-time passwords to the user when the user is about to expend the one-time passwords provided in the previous e-mail message.
- Only send e-mail when user enters keyword Causes the Defender Security Server to send an e-mail message containing one-time passwords only when the user enters the specified trigger keyword during authentication.
- Responses per e-mail Specify the number of one-time passwords you want to include in each e-mail message. The one-time passwords must be used sequentially. The penultimate or last one-time password triggers the sending of a new e-mail containing one-time passwords.
- Keyword Specify the keyword that will trigger the sending of an e-mail message containing one-time passwords to the user. The keyword works as a trigger when it is entered by the user during authentication. If the e-mail token has a PIN assigned, you can specify that PIN as the trigger keyword as well.
You can select the Use AD Password check box to make the user’s Active Directory password act as the keyword that causes the Defender Security Server to send the e-mail message.
If this check box is selected and an account lockout policy is enforced in the domain, then a number of unsuccessful authentication attempts may lock out the user’s Active Directory account. Use this check box with caution.
- E-mail attribute Select the Active Directory attribute that stores the user’s e-mail address to which you want to send e-mail messages containing one-time passwords.
- Subject Type the subject line you want to display in the Subject field of the e-mail messages containing one-time passwords.
- From address Type the e-mail address you want to appear in the From field of the e-mail messages containing one-time passwords.
- Send copy to Type the e-mail address to which you want to send copies of the e-mail messages containing one-time passwords.
- Mail Content Click this button to view and edit the text that will be included in the body of each e-mail message containing one-time passwords. The [RESPONSES] variable indicates the position in the text at which the one-time passwords appear. If the [RESPONSES] variable is missing, the one-time passwords appear at the foot of the text.
- Mail Server Click this button to specify the SMTP server you want to use for sending e-mail messages containing one-time passwords. In the dialog box that opens, use the following options:
- Name Type the name or IP Address of the SMTP server.
- Port Type the port number used by the SMTP server. The default port is 25.
- Authentication Select the authentication method required by the SMTP server, and then type the user name and password of the access account you want to use.
- Test Click to test the settings on this tab by sending a test e-mail message to the address you specify.
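The Responses per e-mail and Mail Content options above describe two behaviours: the one-time passwords in a message must be used in order, and using the penultimate or last one triggers a fresh message, whose body places the passwords at the [RESPONSES] variable or, if it is missing, at the foot of the text. The following is an added example (not Defender's own code) that models exactly that; the class and function names, the six-digit password format and the sample template are assumptions for the illustration.

```python
import secrets


def render_mail_content(template: str, responses: list[str]) -> str:
    """Insert the one-time passwords at [RESPONSES], or at the foot if absent."""
    block = "\n".join(responses)
    if "[RESPONSES]" in template:
        return template.replace("[RESPONSES]", block)
    return template.rstrip("\n") + "\n" + block


class EmailTokenSession:
    """Constructed model of 'Send e-mail to user as required'.

    pending holds unused one-time passwords in the order they must be used;
    sent_messages records every rendered e-mail body."""

    def __init__(self, responses_per_email: int, template: str):
        self.n = responses_per_email
        self.template = template
        self.pending: list[str] = []
        self.sent_messages: list[str] = []
        self._send_new_batch()

    def _send_new_batch(self) -> None:
        # Six-digit numeric passwords are an assumption of this model.
        batch = [f"{secrets.randbelow(10**6):06d}" for _ in range(self.n)]
        self.pending.extend(batch)
        self.sent_messages.append(render_mail_content(self.template, batch))

    def authenticate(self, otp: str) -> tuple[bool, bool]:
        """Return (accepted, new_email_sent). Only the next password in
        sequence is valid; a password used out of order is rejected."""
        if not self.pending or otp != self.pending[0]:
            return False, False
        self.pending.pop(0)
        # Penultimate or last password consumed: at most one is left.
        if len(self.pending) <= 1:
            self._send_new_batch()
            return True, True
        return True, False
```

The remaining old password stays usable after the new batch arrives, so a user who has just consumed the penultimate one is not locked out while the next e-mail is in transit.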