立即与支持人员聊天
与支持团队交流

Defender 6.5.1 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Push Notifications Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

Software Tokens tab

In the User verification settings area, from the Deliver verification code to users via list, you can select a method for verifying the identity of users who request software tokens on the Defender Self-Service Portal.

Enabling user verification provides additional protection against unauthorized token requests and unsanctioned access to sensitive applications. With user verification enabled, in order to receive the requested software token, the users must verify their identity by entering a verification code provided by Defender. You can configure Defender to provide verification code to the users via an automated phone call, in an SMS message, or in an e-mail message.

The following diagram illustrates how user identity verification via e-mail works:

 

 

When a user requests a software token on the Defender Self-Service Portal, Defender sends an e-mail message to the user containing a verification code and link. To send the e-mail message, Defender uses the e-mail address specified for the user in the mail attribute in Active Directory.

To verify their identity and receive the requested software token, the user must either click the verification link in the e-mail message or enter verification code on the Defender Self-Service Portal.

The verification link and code provided in an e-mail message increase the security because they

  • Are hard to guess.
  • Expire after a certain configurable period of time.
  • Can only be used once.

You can select one of the following verification methods:

  • E-mail  When this method is selected, after requesting a software token, the user receives an e-mail message containing a verification link (URL) and code. To verify their identity and receive the token, the user must either click the link in the message or manually enter the provided verification code on the Defender Self-Service Portal.

    The E-mail message subject text box allows you to view and modify the default subject of the e-mail messages containing the verification link and code.

    The Verification code remains valid for (minutes) text box allows you to view and change the default period during which the verification link and code remain valid.

  • Automated phone call or SMS (TeleSign)  When this method is selected, after requesting a software token, the user receives a verification code via an automated phone call or SMS message. To verify their identity and receive the token, the user must manually enter the provided verification code on the Defender Self-Service Portal.

    With this method, Defender uses the TeleSign service. If you select this method, make sure you have a valid account in TeleSign and type your TeleSign customer ID and the REST API Key in the corresponding text boxes. For further details about TeleSign, please go to www.telesign.com.

    From the Use selected verification method list, select how the user will receive the verification code. You can select to provide the verification code via an automated phone call, SMS message, or let the user choose one of these delivery methods.

    To make an automated phone call or send SMS, Defender can use telephone numbers specified for the user in the following Active Directory attributes: telephoneNumber, homePhone, mobile, pager, and ipPhone. The user will be prompted to select one of these telephone numbers on the Defender Self-Service Portal.

  • Disable user verification  When this method is selected, users do not have to verify their identity in order to receive the software token requested on the Defender Self-Service Portal.

In the Token activation information delivery area, configure e-mail settings to send activation information for software tokens requested via the Defender Self-Service Portal.

  • You can use the following elements:
  • Users can specify delivery e-mail address  When this check box is selected, the users who request software tokens via self-service are prompted to specify a preferred e-mail address at which they want to receive the token activation information. When this check box is cleared, the users receive the token activation information at the e-mail address specified for them in Active Directory.
  • E-mail message subject  Allows you to view and edit the subject of e-mail messages containing activation information.

Hardware Tokens tab

In the Default hardware token list, select a hardware token that will be automatically selected for the users when they go to the universal token registration URL shown on the General tab.

E-mail Settings tab

Use the E-mail Settings tab to configure settings for sending e-mail messages to the Defender Self-Service Portal users.

In the SMTP server settings area, use the following options:

  • SMTP server  Type the name or IP address of the SMTP server you want to use for sending e-mail messages to the Defender Self-Service Portal users.
  • Port  Type the port number at which you want to connect to the SMTP server.
  • SMTP server requires authentication  Select this check box if the SMTP server requires authentication. Then, type the user name and password of the account with which you want to authenticate on the SMTP server.

In the Sender details area, use the following options:

  • From  Type the e-mail address you want to appear in the From field of the e-mail messages sent by the Defender Self-Service Portal.
  • Select how to address the user in e-mail messages  Select by which name you want to address the user in e-mail messages sent by the Defender Self-Service Portal.

PIN Settings tab

Use the PIN Settings tab to configure PIN settings for the tokens requested or registered via the Defender Self-Service Portal.

On this tab, you can use the following elements:

  • Require PIN for hardware tokens  Select this check box if you want all hardware tokens to require a PIN. When this check box is cleared, the hardware tokens do not require a PIN.
  • Require PIN for software tokens  Select this check box if you want all software tokens to require a PIN. When this check box is cleared, the software tokens do not require a PIN.
  • Minimum PIN length  Specify the minimum number of digits each PIN must contain.
  • Maximum PIN length  Specify the maximum number of digits each PIN can contain.

When you require users to enter a PIN set for a selected token, users should enter the PIN followed by the token response to access a resource protected by Defender. For example, if the PIN is 1234 and the response is 5678, users should enter 12345678 when prompted for authentication.

When users need to reset the PIN, they should enter the old and new PINs in the following format: <old PIN><new PIN><new PIN>. For example, if the old PIN is 1234 and the new PIN is 5678, users should enter the following: 123456785678.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级