
RSA SecurID Ready Implementation Guide

Last Modified: June 21, 2006

Partner Information
Product Information
Partner Name: Ericom Software Ltd.
Web Site: www.ericom.com
Product Name: PowerTerm WebConnect
Version & Platform: Version 5.5
Product Description: PowerTerm WebConnect Enterprise is a unique Server Based Computing solution that provides comprehensive and secure local and remote access to enterprise applications running on Windows Terminal Server and Legacy systems. As a multipurpose application, PowerTerm WebConnect enables corporations to simplify and optimize their IT infrastructure with a single connectivity solution, lowering TCO. In addition to Windows and Legacy application access, PowerTerm WebConnect provides enhanced security, centralized management tools, remote desktop support and more.
Product Category: Remote Access

Solution Summary
Partner Integration Overview
Authentication Methods Supported: Native RSA SecurID Authentication
List Library Version Used: 5.3.1.95
RSA Authentication Manager Name Locking *: Yes
RSA Authentication Manager Replica Support *: Yes
Secondary RADIUS Server Support: No
Location of Node Secret on Agent: Registry
RSA Authentication Agent Host Type: Net OS
RSA SecurID User Specification: Designated Users
RSA SecurID Protection of Administrative Users: Yes
RSA Software Token and RSA SecurID 800 Automation: No
Use of Cached Domain Credentials: No

1. Client connects to the PowerTerm WebConnect server, transmitting the user's ID and PIN. Client communication is encrypted using SSL.
2. PowerTerm WebConnect server transmits the User ID and PIN to the RSA Authentication Manager for authentication.
3. RSA Authentication Manager authenticates the user.
4. PowerTerm WebConnect connects the client to the target system:
   a. Legacy host, or
   b. Terminal server.

Product Requirements
Partner Product Requirements:
CPU Memory PowerTerm WebConnect 250 KB memory for each active session

Operating System
Platform                          Required Patches
Windows 2000/2003 or 2003 x64
Linux for x86
Linux for POWER

Agent Host Configuration


To facilitate communication between the PowerTerm WebConnect and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the PowerTerm WebConnect within its database and contains information about communication and encryption. To create the Agent Host record, you will need the following information.
- Host name of PowerTerm WebConnect Server
- IP Addresses of PowerTerm WebConnect Server

When adding the Agent Host Record, you should configure the PowerTerm WebConnect as Net OS. This setting is used by the RSA Authentication Manager to determine how communication with the PowerTerm WebConnect will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.

Partner Authentication Agent Configuration


Before You Begin
This section provides instructions for integrating the partner's product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Documenting the Solution


1. Copy the sdconf.rec to windows/system32
2. Install PowerTerm WebConnect Server 5.5
3. Create a new user in PowerTerm WebConnect.
   a. Launch the PowerTerm WebConnect Administration Tool.
   b. Select Action | New | User - the Add User dialog appears.
   c. Fill in the user properties:
      i. Type the user name in the User Name field.
      ii. Click on the Password button; the Set Password dialog appears. Press OK.
      iii. Check the Allow Concurrent Machine option.
      iv. Select the Unlimited option in the Access Limit Mode field.
4. Configure PowerTerm WebConnect to authenticate to RSA Authentication Manager.
   a. Launch the PowerTerm WebConnect Administration Tool.
   b. Open PtServer.ini - Select Files | Configurations | Main.
   c. In the [ConnectionPoint=Internet] section set the option RSA_SecurId_Required=True. This setting specifies that all client sessions on the PowerTerm WebConnect default port (port 4000) will be authenticated with RSA SecurID.
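
The check below is an added example, not part of the original guide or Ericom's own code: it reads the text of a PtServer.ini and reports, for each [ConnectionPoint=...] section, whether RSA_SecurId_Required is set to True, so a missing, commented-out or False entry is caught after step 4. It assumes ordinary INI syntax with ';' or '#' comment lines; the sample text, including the Example, Intranet and Partners sections, is constructed for illustration.

```python
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
KEY = "rsa_securid_required"  # option name from the guide, compared case-insensitively

# Constructed sample: only [ConnectionPoint=Internet] and RSA_SecurId_Required
# come from the guide; the other sections are hypothetical.
SAMPLE = """\
[Example]
RSA_SecurId_Required=True
[ConnectionPoint=Internet]
RSA_SecurId_Required = True
[ConnectionPoint=Intranet]
;RSA_SecurId_Required=True
[ConnectionPoint=Partners]
RSA_SecurId_Required=False
"""

def audit_connection_points(ini_text):
    """Map each [ConnectionPoint=...] section to required / not-required /
    missing / conflict, based on its RSA_SecurId_Required entries."""
    seen = {}       # section name -> values found for KEY
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Assumption: ';' and '#' start comment lines, as in common INI dialects.
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            if section.lower().startswith("connectionpoint="):
                seen.setdefault(section, [])
            continue
        key, sep, val = line.partition("=")
        if sep and section in seen and key.strip().lower() == KEY:
            seen[section].append(val.strip().lower())
    report = {}
    for name, vals in seen.items():
        if not vals:
            report[name] = "missing"        # option absent or commented out
        elif len(set(vals)) > 1:
            report[name] = "conflict"       # set twice with different values
        else:
            report[name] = "required" if vals[0] == "true" else "not-required"
    return report

if __name__ == "__main__":
    for name, status in audit_connection_points(SAMPLE).items():
        print(f"{name}: {status}")
```

Any section reported as anything other than "required" accepts sessions without SecurID authentication under the assumptions above and should be reviewed.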

The Login Screen

How does it work?

A. New user
   a. The user types the user name in the User Name field and the token code in the Password field.
   b. The user gets a dialog box, depending on the settings on the server.

      The user is required to create a PIN:

      If no PIN was entered:

      The user is allowed to create a PIN:

      The system generated a PIN, or the user is allowed to create a PIN and pressed the OK button:

      If an invalid PIN was entered:

B. Existing user
   a. The user gets the Login dialog and types the user name in the User Name field (usually already appears) and the PASSCODE (PIN + token code) in the Password field.

C. PIN that has expired - The user gets a dialog box, depending on the settings on the server, as described for a new user.

D. Token code has been changed
   a. The user types the user name in the User Name field and the PASSCODE (PIN + token code) in the Password field.
   b. The user gets a dialog.
   c. The user gets the Login dialog again with the user name in the User Name field, and now types the PASSCODE (PIN + next token code) in the Password field.

Certification Checklist
Date Tested: June 21, 2006

Certification Environment
Product Name                  Version Information   Operating System
RSA Authentication Manager    6.1                   Windows 2003 Server
PowerTerm WebConnect          5.5                   Windows 2003 Server

RSA Native Protocol


New PIN Mode
- Force Authentication After New PIN
- System Generated PIN
- User Defined (4-8 Alphanumeric)
- User Defined (5-7 Numeric)
- User Selectable
- Deny 4 and 8 Digit PIN
- Deny Alphanumeric PIN
PASSCODE
- 16 Digit PASSCODE
- 4 Digit Password
Next Tokencode Mode
- Next Tokencode Mode
Load Balancing / Reliability Testing
- Failover (3-10 Replicas)
- Name Locking Enabled
- No RSA Authentication Manager

RADIUS Protocol
- Force Authentication After New PIN
- System Generated PIN
- User Defined (4-8 Alphanumeric)
- User Defined (5-7 Numeric)
- User Selectable
- Deny 4 and 8 Digit PIN
- Deny Alphanumeric PIN
- 16 Digit PASSCODE
- 4 Digit Password
- Next Tokencode Mode
- Failover
- Name Locking Enabled
- No RSA Authentication Manager
N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Additional Functionality
RSA Software Token Automation System Generated PIN User Defined (8 Digit Numeric) User Selectable Next Tokencode Mode RSA SD800 Token Automation System Generated PIN User Defined (8 Digit Numeric) User Selectable Next Tokencode Mode Domain Credential Functionality Determine Cached Credential State Set Domain Credential Retrieve Domain Credential
MPR/PAR

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

System Generated PIN User Defined (8 Digit Numeric) User Selectable Next Tokencode Mode System Generated PIN User Defined (8 Digit Numeric) User Selectable Next Tokencode Mode Determine Cached Credential State Set Domain Credential Retrieve Domain Credential
= Pass

N/A N/A N/A N/A N/A N/A N/A N/A

= Fail N/A = Non-Available Function

Appendix
The following steps were taken to change the password prompt from password to PASSCODE:
1. Locate and open the Agent_X.html file in a text editor. (By default, it is located in the following location: C:\Program Files\Ericom Software\WebConnnect 5.5\web\windows).
2. Following the example below, add the /LDT_PASS=PASSCODE switch:

   ...
   </TABLE>
   <OBJECT ID=Downloader WIDTH=0 HEIGHT=0 STYLE="DISPLAY:none"
           CODEBASE="ptdownloader.cab#Version=5,5,0,6005"
           CLASSID="CLSID:7EC816D4-6FC3-4C58-A7DA-A770EE461602" VIEWASTEXT>
   <PARAM NAME="Src" VALUE="ptagent.cab">
   <PARAM NAME="Parameters" VALUE="<WebServer> /SHORTCUT=BOTH /AUTOLOGIN=YES /LDT_PASS=PASSCODE">
   ...

3. Reload the web page.
4. The login prompt now displays PASSCODE instead of Password.
