ZyXEL Communications ZYWALL OTPV2 -, Support Notes

Page 1: ...ZyWALL OTPv2 Support Notes Revision 1 10 December 2010 Written by CSO ...

Page 2: ...8 R2 23 3 OTP Authentication to an OTP protected Network via SSL VPN over ZyWALL USG 42 3 1 ZyWALL USG Configuration 43 3 2 SafeWord Server Configuration 46 3 3 Verify OTP via Login from the Remote PC 50 4 OTP Authentication to an OTP protected Network via IPSec VPN Client over the ZyWALL USG 51 4 1 ZyWALL USG Configuration 52 4 2 SafeWord Server Configurations 55 4 3 ZyWALL IPSec VPN Client Confi...

Page 3: ...ted network Two Factor Authentication Two factor authentication is an optimum security methodology because it requires something you have your ZyWALL OTP Token and something you know your secure password or PIN A two factor system is far more secure than using just a password since many skilled hackers can quite easily access password only protected computers and networks The illustration shows th...

Page 4: ...Database server Administration server Authentication engine Management console integrated in Windows Server AD RADIUS Agents IAS clients SafeWord Core Server The SafeWord Core Server consists of 3 main components Database server MySQL installed by default The SafeWord database serves as the repository for token records independent of the management mode It stores the Token serial numbers and Token...

Page 5: ... is listening on port 5040 by default Authentication engine AAA runs the authentication engine that verifies that the passcode supplied with an access request is correct for the token assigned to a specific user It listens on port 5031 by default Management Console AD The Management console integrated in Microsoft AD is the interface used to directly update the database via the SafeWord Administra...

Page 6: ...sitory and the Authentication service It verifies that the passcode supplied with an access request is correct for the token assigned to a specific user An agent can be installed only if it is supporting base software components exist Otherwise the agent will not appear for selection in the installation components window For example the RADIUS server agent can only be installed when the IAS has al...

Page 7: ...recommended RAM 1 GB min 4 GB recommended Disk space 3 to 5 GB min Software requirements of the system Server OS 32 or 64 bit Windows Server 2003 2008 or Windows Server 2008 R2 Have a working Active Directory environment Have IAS server installed for RADIUS authentication 2 2 Installation on Windows Server 2003 Enterprise Service Pack 1 Step1 Prepare the Active Directory Click on Start Manage Your...

Page 8: ...010 ZyXEL Communications Corporation 8 Select to install the Domain Controller Active Directory Fill in the full DNS name for the new domain Click Next to continue the installation process When the process is done Active Directory will be installed and ready ...

Page 9: ...ons Corporation 9 Step2 Prepare the IAS Server Click Start Control Panel Add or Remove Programs Windows Components Wizard Networking Services Internet Authentication Service to install the component After the installation you can execute it through Start Administrative Tools IAS ...

Page 10: ...p support microsoft com kb 907265 Note Port 5040 must be open between the remote ADUC server and the server running the Admin Service You may customize this port IAS NPS Agent IAS must be functioning and configured for RADIUS authentication policies secret keys firewall ports and user permissions must be set correctly and users must be able to successfully authenticate to IAS before installing thi...

Page 11: ...ZyXEL ZyWALL OTPv2 Support Notes All contents copyright 2010 ZyXEL Communications Corporation 11 ...

Page 12: ...feWord 2008 2 Enter your product serial number located on your product package and or on the Activation Certificate is in the format NSXX XXXX XXXX XXXX then click OK 3 If there is a new version available the software will download it automatically during the installation process 4 Review the License Agreement then click Yes to accept it ...

Page 13: ...control subfolders and files only Server Operators modify SYSTEM full control 6 The Select Components window for the specific version of SafeWord you selected appears In the ZyXEL pack user needs to select the components as below SafeWord Server Management Snap in for Active Directory IAS NPS RADIUS Agent Note Only components that can be installed on your system will display If any of the above co...

Page 14: ...sonalizing your SafeWord installation by defining a unique Encryption Key and Signing Key on the Database Security pane Each key must be16 characters in length and must remain the same for the life of the installation Click Next when all needed changes have been made Tip A small exclamation point displayed next to a Port field indicates that port is already in use by another process and you must s...

Page 15: ...ver is to be installed then click Next 14 If you selected the IAS Agent for installation on Server 2003 you will be prompted to restart the IAS service by clicking Yes If installing on Server 2008 the Restart window will not appear and you may skip to Finishing the installation 15 During installation windows will appear and disappear and the installation will take several minutes to complete The I...

Page 16: ...llation is complete go to Services to Start the SafeWord User Center service 17 User can verify the server status to make sure the installation is correct Click Start Aladdin SafeWord Configuration Server Configuration to enable the Utility 18 Status of all the server components should be Active for a successful installation ...

Page 17: ...xxx xxxx Registering on the portal There are two methods of activating SafeWord 2008 using ADUC or directly from Aladdin s Website if not using ADUC In either case you must sign in and register on the Aladdin portal at https portal aladdin com before you can complete and submit an activation form After activating your information will be verified and the activation key and token records will be do...

Page 18: ...d the Token Group ID s if you are importing token records for the product you are activating E g Activation Software Serial Number example NSXX XXXX XXXX XXXX Token Group ID example TKXX XXXX XXXX XXXX 6 Complete the activation form then click Submit 7 The SafeWord Activation window appears showing the license activation and token import progress Upon completion the activation file key html is dow...

Page 19: ...the SafeWord database by opening ADUC and then expanding the SafeWord Node The Tokens sub folder will display with the imported tokens 12If the key activated html file exists the activation is complete If the file does not exist please refer to the manual activation process Activating manually via Website If you don t use ADUC to activate SafeWord server you might need to activate it manually For ...

Page 20: ...rs 4 Enter your product SafeWord Software Serial Number in the SafeWord SoftWare Serial Number field For example NSXX XXXX XXXX XXXX 5 Click the Continue button The SafeWord Activation page appears 6 Click the Browse button and retrieve the RCR txt file you saved earlier in this process The file name displays in the Support Data File field 7 Enter the product Token Group ID in the Token Group ID f...

Page 21: ...e activation to fail 13Restart the SafeWord Administration Server and Authentication Engine by browsing to Start Programs Administrative Tools Services right click on SafeWord Administration Server and select Restart repeat for the Authentication Engine 14To verify the activation browse to Install_Dir SERVERS AdminServer activation A successfully processed license file will be renamed to key activ...

Page 22: ... dat file which was in the downloaded zip file 18When the process is done you will see the corresponding tokens are already in the Tokens folder The SafeWord activation is complete For more information users can click the SafeWord Activation link to perform on line activation Please refer to the following manual http www aladdin com pdf safeword Safeword Products Activation pdf ...

Page 23: ...ns Corporation 23 2 3 Installation on Windows Server 2008 R2 Step1 Prepare the Active Directory Click Start Administrator Tools Server Manager to open the installation wizard Click Roles Add Roles to configure Server components Select to install the Active Directory Domain Server ...

Page 24: ...lready contains NET framework version greater than 2 0 thus you don t need to install it again After the installation is ready click the hyper link to run the Active Directory Domain Service installation wizard The wizard page will appear for the installation Select to create a new domain if installing on a new AD server ...

Page 25: ...All contents copyright 2010 ZyXEL Communications Corporation 25 Fill in the full DNS name for the new domain Select Windows Server 2008 R2 as the functional level The DNS server option is not mandatory for SafeWord server installation ...

Page 26: ... 26 Fill in the password for the Administrator account strong password is a requirement Click Next to continue the installation process After the process is done the Active Directory will be installed and ready You have to restart the computer for Active Directory Domain Services to take effect ...

Page 27: ...EL Communications Corporation 27 Step2 Prepare the NPS Server Click Start Administrator Tools Server Manager to open the installation wizard Click Roles Add Roles to configure Server components Select the Network Policy and Access Services and go into detail setting ...

Page 28: ...ts copyright 2010 ZyXEL Communications Corporation 28 Select to install the Network Policy Server After the installation is complete the results will be displayed on the page You can execute it on Start Administrative Tools Network Policy Server ...

Page 29: ...ed Note Port 5040 must be open between the remote ADUC server and the server running the Admin Service You may customize this port NPS Agent NPS must be functioning and configured for RADIUS authentication policies secret keys firewall ports and user permissions must be set correctly and users must be able to successfully authenticate to NPS before installing this Agent Port 1812 must be open in a...

Page 30: ...ZyXEL ZyWALL OTPv2 Support Notes All contents copyright 2010 ZyXEL Communications Corporation 30 ...

Page 31: ...feWord 2008 2 Enter your product serial number located on your product package and or on the Activation Certificate is in the format NSXX XXXX XXXX XXXX then click OK 3 If there is a new version available the software will download it automatically during the installation process 4 Review the License Agreement then click Yes to accept it ...

Page 32: ... modify SYSTEM full control 6 The Select Components window for the specific version of SafeWord you selected appears In ZyXEL pack user needs to select the components as below SafeWord Server Management Snap in for Active Directory IAS NPS RADIUS Agent Note Only components that can be installed on your system will display If above component cannot display please check the prerequisites 7 Make your...

Page 33: ... A small exclamation point displayed next to a Port field indicates that port is already in use by another process and you must select a different port 12 When the Host Address window appears enter the Fully Qualified Domain Name to which this machine belongs and then click Next If you do not know the domain click Query to obtain it from your DNS Server 13 If your SafeWord Server is not being inst...

Page 34: ... Corporation 34 15 After the software installation is complete go to Service to Start the SafeWord User Center service 16 User can verify the server status to make sure the installation is correct Click Start Aladdin SafeWord Configuration Server Configuration to enable the Utility ...

Page 35: ...numeric code in the form of this example NSxx xxxx xxxx xxxx You will need the serial number to obtain your product activation key Token Group ID Your Token Group ID is a 16 digit alphanumeric code in the form of this example TKxx xxxx xxxx xxxx Registering on the portal There are two methods of activating SafeWord 2008 using ADUC or directly from Aladdin s Website if not using ADUC In either case...

Page 36: ...ick on the SafeWord folder you will be prompted to enter and re enter to verify an Administrator password This Administrator password is not your Windows Administrator password If you have or plan to have multiple management consoles you must use the same Administrator password for all installations 2 Click OK when done 3 Right click on the SafeWord folder and select Activate Product ...

Page 37: ...ow appears showing the license activation and token import progress Upon completion the activation file key html is downloaded to Install_Dir Aladdin SafeWord ImportData This is the key to activate your software and your token data records You should back up these files in case you need to reactivate the product or re import token records later The Administration Server and Authentication Engine s...

Page 38: ...mport dat 1 If you are simply obtaining the latest activation package key html file import dat please jump to 11 and continue it If you want to download the activation package for your customers to use please create the RCR txt file first and follow below steps for it The process for creating RCR txt file is described below A On the SafeWord installation server select Start Programs Aladdin SafeWo...

Page 39: ...ect the Save Target As option Save the files on to the SafeWord Server and unzip them 11 Rename the license file to key html For example change the name from NSxx xxxx xxxx xxxx html to key html 12 Save the key html file to the following directory Install_Dir SafeWord SERVERS AdminServer activation Important Ensure the file name is key html Using any variation key htm or key html html for instance...

Page 40: ...erify the activation browse to Install_Dir SERVERS AdminServer activation The successfully processed license file is renamed key activated html 15 After successfully activate the support expiration date will display a value of the valid expiration date 16 Import the token by click the Import Tokens button ...

Page 41: ...ownloaded zip file 18 When the process is done you will see the corresponding tokens are already in the Tokens folder The SafeWord activation is complete For more information users can click the SafeWord Activation link to perform on line activation Please refer to the following manual http www aladdin com pdf safeword Safeword Products Activation pdf ...

Page 42: ...efer to the SafeWord installation guide in Chapter 2 For more details please check the SafeNet website for the installation documentation 2 Create the user accounts on the ZyWALL USG and in the SafeWord server 3 Import each token s database file into the server 4 Assign the users to the OTP tokens on the SafeWord server 5 Configure the SafeWord installation as a RADIUS server in the ZyWALL USG Obj...

Page 43: ...pe ext user on the User configuration page 3 Click the OK button to finish the configuration on this page Step2 Configure the AAA Server 1 Go to CONFIGURATION Object AAA Server and then navigate to the RADIUS page 2 Configure the SafeWord server as Enter the IP address of the SafeWord server in the server address Enter the authentication port to RADIUS server like Microsoft IAS the default value i...

Page 44: ...ick the Edit button to modify the default authentication method 2 In the edit page click Add to add the group radius into method list Step4 Create the SSL Application s according to your needs 1 Go to CONFIGURATION Object SSL Application and click the Add button to create an SSL VPN application object 2 For example create a web application to remotely access the FTP server via SSL VPN ...

Page 45: ...URATION VPN SSL VPN and click the Add button to create an SSL VPN access policy 2 Configure the access policy as Enter the policy name and description Select the User Group object to apply this policy to Select the application object this policy applies to Select the address object to be used if needed Click the OK button to finish the configuration ...

Page 46: ...p1 Create a RADIUS client 1 Take Microsoft IAS as an example 2 Right click the RADIUS Client folder and click New RADIUS Client to add a new setting Step2 Create a RADIUS client 1 Enter the name for the rule 2 The Client address is the ZyWALL USG s interface IP address used to accesses the IAS 3 Click the Next button for the next step ...

Page 47: ...Notes All contents copyright 2010 ZyXEL Communications Corporation 47 4 Enter the Shared secret the Key in ZyWALL USG AAA Server setting 5 Click the Finish button to finish the configuration 6 The new OTP client has been created ...

Page 48: ...ers 2 Click the Users folder to list all users and groups in RADIUS server 3 Right click the OTP user and then click Properties Go to the SafeWord tab 4 Enter the serial number of the assigned token If needed enter the PIN code for it This one is used as the Password when logging into the ZyWALL USG 5 After the configuration you can click the Tokens link and check the token status ...

Page 49: ...ss Step5 Change the sequence of entering OTP and PIN for authentication By Safenet default setting the password entry sequence is OTP PIN You should change this sequence to match ZyWALL USG s behavior PIN OTP Here is the instruction for this 1 Go to C Program files Aladdin SafeWord Servers Shared folder and open the file SCCservers ini use Notepad for editing 2 Search for the string Set this to on...

Page 50: ...om the Remote PC Step1 Login into the device 1 Enter the user name password PIN code which configured in chapter 3 2 step 3 and the One Time Password generated by the token 2 Click the SSL VPN button to submit login information 3 Once the OTP works correctly you will see the SSL application that configured to the user to use ...

Page 51: ...he SafeWord installation guide in Chapter 2 For more details please check the SafeNet website for the installation documentation 2 Create the user accounts on the ZyWALL USG and in the SafeWord server 3 Import each token s database file into the server 4 Assign the users to the OTP tokens on the SafeWord server 5 Configure the SafeWord as a RADIUS server in the ZyWALL USG Object AAA Server screens...

Page 52: ... ext user on the User configuration page 3 Click the OK button to finish the configuration on this page Step2 Configure the AAA Server 1 Go to CONFIGURATION Object AAA Server and then navigate to the RADIUS page 2 Configure the SafeWord server as Enter the IP address of the SafeWord server in the server address Enter the authentication port of the RADIUS server like Microsoft IAS the default value...

Page 53: ...CONFIGURATION Object Auth Method and click the Edit button to modify the default authentication method 2 In the edit page click Add to add the group radius into the method list Step4 Configure the IPSec VPN Gateway policy 1 Go to CONFIGURATION VPN IPSec VPN and then navigate to the VPN Gateway page 2 Enter the values for VPN phase 1 configuration ...

Page 54: ...munications Corporation 54 3 Enable the Extended Authentication and choose Server Mode method Step5 Configure the IPSec VPN Connection policy 1 Go to CONFIGURATION VPN IPSec VPN and then navigate to the VPN Connection page 2 Enter the values for VPN phase 2 configuration ...

Page 55: ...tep1 Create a RADIUS client 1 Take Microsoft IAS as an example 2 Right click the RADIUS Client folder and click New RADIUS Client to add a new setting Step2 Create a RADIUS client 1 Enter the name for the rule 2 The Client address is the ZyWALL USG s interface IP address which accesses to IAS 3 Click the Next button for the next step ...

Page 56: ...Notes All contents copyright 2010 ZyXEL Communications Corporation 56 4 Enter the Shared secret the Key on ZyWALL USG AAA Server setting 5 Click the Finish button to finish the configuration 6 The new OTP client has been created ...

Page 57: ...puters 2 Click the Users folder to list all users and groups in the RADIUS server 3 Right click the OTP user and then click Properties Go to SafeWord tab 4 Enter the serial number of the assigned token If needed enter the PIN code for it this one is used as the Password when logging into the ZyWALL USG 5 After the configuration you can click the Tokens link and check the token status ...

Page 58: ...tep5 Change the sequence of entering OTP and PIN for authentication By Safenet default setting the password entry sequence is OTP PIN You should change this sequence to match ZyWALL USG s behavior PIN OTP Here is the instruction for this 1 Go to C Program files Aladdin SafeWord Servers Shared folder and open the file SCCservers ini use Notepad for editing 2 Search for the string Set this to on to ...

Page 59: ...ight 2010 ZyXEL Communications Corporation 59 4 3 ZyWALL IPSec VPN Client Configurations Step1 Configure the IPSec VPN Phase1 policy 1 Enter the values for VPN phase 1 configuration 2 Click the Advanced Setting button and click the X Auth Popup feature ...

Page 60: ... Communications Corporation 60 Step2 Configure the IPSec VPN Phase2 policy 1 Enter the values for VPN phase 2 configuration 2 Click the Save Apply button to finish the configuration and save it 3 You can trigger the IPSec VPN tunnel by clicking the Open Tunnel button ...

Page 61: ...de because it is a dynamic tunnel 2 When doing the Phase 1 authentication the authentication window will pop up for the X Auth login 3 Enter the user name into the Login field and PIN code password in the Password field Step2 Establish the IPSec VPN tunnel 1 There is only a 10 second window to enter the authentication information into X Auth window If you use more time to finish it the tunnel will...

Page 62: ...e VPN tunnel is established successfully you will see the following message exchange on your VPN Console Step3 Check the VPN tunnel status You can see the VPN connection status is Connected on CONFIGURATION VPN IPSec VPN VPN Connection page Also can check the IPSec VPN SA on MONITOR VPN Monitor IPSec page ...

Page 63: ...rifying signature Class not registered Please run existing Auto Updater which will fail Go to Program Files Aladdin SafeWord Patches launch setup_aua exe manually patches AUA to newest version 4 Authentication If authentication fails Verify proper entry of token password Check has token been imported Verify match between token serial number and serial number of token assigned in user record Verify...

Page 64: ...unications Corporation 64 6 Server status How to determine if a port is active For Windows use the netstat an command then search the output manually for active ports Server s not responding Use the configuration utility to check the server status as below Restart server s ...