The IIS 6 Module Configuration writes to an .xml file named vmfiltercfg.xml in the installation directory. It is possible to edit this file directly instead of using the IIS 6 Module Configuration. Increment the Revision number by 1 to have your changes take effect.
Note
This option is recommended only for advanced users. The IIS 6 Module Configuration GUI will prevent most common configuration mistakes, but there are no such checks made when edits are made directly to the configuration file.
Incorrect changes to the configuration file may cause the IIS 6 Module to stop working.
Example configuration file
<VASCO>
  <Revision type="unsigned" data="13"/>
  <Enabled type="unsigned" data="1"/>
  <Tracing>
    <Trace-Header type="unsigned" data="31"/>
    <Trace-Mask type="unsigned" data="0x00000000"/>
    <Trace-File type="string" data="C:\Program Files\VASCO\Digipass Pack for OWA Basic Authentication\log\vmiis.trace"/>
  </Tracing>
  <Idle-Timeout type="unsigned" data="5"/>
  <Modify-Auth-Headers type="unsigned" data="0"/>
  <Component-Type type="string" data="Outlook Web Access"/>
  <Error-Page type="string" data=""/>
  <Encoding type="string" data="UTF-8"/>
  <Realm type="string" data=""/>
  <Attribute-Group type="string" data=""/>
  <Use-Attribute-For-User-Name type="unsigned" data="0"/>
  <Use-Attribute-For-Password type="unsigned" data="0"/>
  <AAL3>
    <SEAL>
      <Local-Address type="string" data="10.2.20.90"/>
      <Connection-List>
        <Load-Balancing type="bool" data="false"/>
        <Connection00>
          <Name type="string" data="main_server"/>
          <Address type="string" data="10.2.10.101"/>
          <Port type="unsigned" data="20003"/>
          <Server-Type type="string" data="Primary"/>
          <Nr-Connections type="unsigned" data="10"/>
          <Min-Reconnect-Interval type="unsigned" data="30"/>
          <Max-Reconnect-Interval type="unsigned" data="300"/>
          <Timeout type="unsigned" data="60"/>
The configuration file is UTF8 encoded. Non-UTF8 encoded characters should not be added to the configuration file, or it will not load.
© 2007 VASCO Data Security Inc. 32
3.2.1 Configuration Settings
The table below lists the options, their default values, and a brief explanation of each.
Table 2 – Configuration Options
| Option Name | Default Value | Notes |
|---|---|---|
| Revision | 1 | The current revision of the configuration. This is incremented each time the configuration is changed and allows the IIS 6 Module to automatically reload its configuration parameters. If you have manually changed configuration settings in the file, increment this setting by 1 so that your changes take effect. |
| Enabled | 1 | Whether the IIS 6 Module is enabled or disabled. If disabled, the IIS 6 Module does not block access, but does not intercept authentication requests; they pass through unmodified. |
| Default-Component-Type | Outlook Web Access | Default Component type to specify when connecting to an Authentication Server. |
| Trace/Trace-Header | 31 | The tracing header fields that have been enabled. This is a bitmask constructed by adding the following values: 1 = enable the Date field, 2 = enable the Time field, 4 = enable the Tracing level field, 8 = enable the Thread ID field, 16 = enable the File field, 32 = enable the Line field. E.g. for DATE, TIME, LEVEL: 1 + 2 + 4 = 7. A value of 0 will result in no header being added to the trace output. |
| Trace/Trace-Mask | 0x00000000 | Hexadecimal or decimal values: 0x00000000 (decimal 0) = no tracing; 0x0010000E (decimal 1048590) = configuration and error messages only; 0xFFFFFFFF (decimal 4294967295) = all levels enabled. |
| Trace/Trace-File | <installation directory>\Log\vmiis.trace | The absolute path and filename of the file to which internal state tracing will be written. The file, but not the path, will be created by the filter / extension if it does not exist. If this option is blank, the IIS 6 Module will not output tracing. |
| AAL3/SEAL/Local-Address | 127.0.0.1 | The local IP address to be used when connecting to Authentication Servers. |
| AAL3/SEAL/Connection-List/Load-Balancing | False | Whether load balancing is enabled for connections to Authentication Servers. |
| AAL3/SEAL/Connection-List/Connection<number>/Name | <blank> | Text to display in the Servers list on the Configuration. |
| AAL3/SEAL/Connection-List/Connection<number>/Address | 127.0.0.1 | IP Address of the Authentication Server. |
| AAL3/SEAL/Connection-List/Connection<number>/Port | 20003 | Port to use in connecting to the Authentication Server. |
| AAL3/SEAL/Connection-List/Connection<number>/Server-Type | Primary | Either Primary or Backup Authentication Server. This setting affects load-balancing. |
| AAL3/SEAL/Connection-List/Connection<number>/Nr-Connections | 10 | The maximum number of concurrent connections which the IIS 6 Module may hold open to the Authentication Server. |
| AAL3/SEAL/Connection-List/Connection<number>/Min-Reconnect-Interval | 30 | The minimum amount of time that the IIS 6 Module will leave between attempts to reconnect to a higher-priority server after losing connection to it. |
| AAL3/SEAL/Connection-List/Connection<number>/Max-Reconnect-Interval | 300 | The maximum amount of time that the IIS 6 Module will leave between attempts to reconnect to a higher-priority server after losing connection to it. |
| Idle-Timeout | 5 | Session idle timeout. |
| Modify-Auth-Headers | 0 | A boolean flag that indicates whether the filter should manipulate the raw authentication headers within the request. If modification of the headers is not required, this should be disabled to improve the performance of the filter. 0 = False: the headers will not be modified. 1 = True: the headers will be modified if necessary. NOTE: Enabling this feature requires IIS to be restarted. |
| Error-Page | <blank> | This option allows you to specify an HTML page which will be presented to a User if their login is rejected by the IIS 6 Module. |
| Realm | <blank> | Not used for OWA 2007. |
| Encoding | UTF-8 | The character encoding to use in sending a login request to the web site. This allows the use of international character sets (see 3.2.2 Modify Character Set Used). |
| Attribute-Group | <blank> | The Attribute Group name to use in retrieving credentials from a Digipass User account. |
| Use-Attribute-For-User-Name | 0 | If this option is enabled, the IIS 6 Module will retrieve a User-Name attribute from a Digipass User account. It will replace the User ID entered during login with the attribute value before passing the request to the web site. 0 = Disabled: the User ID will not be replaced with the User attribute. 1 = Enabled: the User ID will be replaced with the User-Name attribute. |
| Use-Attribute-For-Password | 0 | If this option is enabled, the IIS 6 Module will retrieve a Password attribute from a Digipass User account. It will replace the password entered during login with the attribute value before passing the request to the web site. 0 = Disabled: the password will not be replaced with the User attribute. 1 = Enabled: the password will be replaced with the Password User attribute. |
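Because direct edits bypass the GUI's checks, a hand-edited file can be tested against the rules in Table 2 before it is copied into place. The following is an added example, not VASCO code: lint(), its deployed_revision parameter and the SAMPLE document are constructed for illustration. It assumes that Enabled accepts only 0 or 1 and that Min-Reconnect-Interval may not exceed Max-Reconnect-Interval.

```python
import re
import xml.etree.ElementTree as ET
FLAGS = ("Enabled", "Modify-Auth-Headers", "Use-Attribute-For-User-Name",
         "Use-Attribute-For-Password")  # options treated here as 0 or 1

def lint(raw, deployed_revision):
    """Return the problems found in a hand-edited vmfiltercfg.xml, given as bytes."""
    try:
        root = ET.fromstring(raw.decode("utf-8"))  # non-UTF-8 bytes stop the file loading
    except (UnicodeDecodeError, ET.ParseError) as exc:
        return [f"file will not load: {exc}"]
    problems = []

    def num(parent, path):  # unsigned option, decimal or 0x hex; None when malformed
        el = parent.find(path)
        text = el.get("data", "") if el is not None else ""
        if re.fullmatch(r"0[xX][0-9a-fA-F]+|[0-9]+", text):
            return int(text, 16 if text[:2].lower() == "0x" else 10)
        problems.append(f"{path}: {text!r} is missing or not an unsigned value")

    rev = num(root, "Revision")
    if rev is not None and rev != deployed_revision + 1:
        problems.append(f"Revision: is {rev}, expected {deployed_revision + 1}")
    problems += [f"{f}: must be 0 or 1" for f in FLAGS if num(root, f) not in (0, 1, None)]
    header = num(root, "Tracing/Trace-Header")
    if header is not None and header > 63:
        problems.append("Tracing/Trace-Header: sets bits beyond the six defined fields")
    conns = root.findall("AAL3/SEAL/Connection-List/*")
    for conn in [c for c in conns if c.tag.startswith("Connection")]:
        kind = conn.find("Server-Type")
        if kind is None or kind.get("data") not in ("Primary", "Backup"):
            problems.append(f"{conn.tag}/Server-Type: must be Primary or Backup")
        port = num(conn, "Port")
        if port is not None and not 1 <= port <= 65535:
            problems.append(f"{conn.tag}/Port: {port} is not a valid port")
        lo, hi = num(conn, "Min-Reconnect-Interval"), num(conn, "Max-Reconnect-Interval")
        if None not in (lo, hi) and lo > hi:
            problems.append(f"{conn.tag}: Min-Reconnect-Interval exceeds Max-Reconnect-Interval")
    return problems

# Constructed sample, trimmed from the page's example and closed so that it parses.
SAMPLE = b"""<VASCO><Revision type="unsigned" data="13"/><Enabled type="unsigned" data="1"/>
<Tracing><Trace-Header type="unsigned" data="31"/></Tracing>
<Modify-Auth-Headers type="unsigned" data="0"/><Use-Attribute-For-User-Name type="unsigned" data="0"/>
<Use-Attribute-For-Password type="unsigned" data="0"/>
<AAL3><SEAL><Connection-List><Load-Balancing type="bool" data="false"/><Connection00>
<Server-Type type="string" data="Primary"/><Port type="unsigned" data="20003"/>
<Min-Reconnect-Interval type="unsigned" data="30"/><Max-Reconnect-Interval type="unsigned" data="300"/>
</Connection00></Connection-List></SEAL></AAL3></VASCO>"""
if __name__ == "__main__": print(lint(SAMPLE, 12))
```

Pass the Revision value of the file currently in use as deployed_revision; an empty list means none of these checks failed.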
3.2.2 Modify Character Set Used
If you are using non-Western European characters, the IIS 6 Module may need to be configured to use a specific character set when submitting login requests to the web site.
The character set to be used can be modified in the IIS 6 Module configuration file (vmfiltercfg.xml) in the <installation directory>\bin directory. Edit the Encoding setting to the desired character set code – these are listed in the table below.
Caution
The IIS 6 Module can only be configured to use a single character set – it is not able to handle multiple character sets simultaneously.
Table 3 - Character Set Codes
| Language | ISO code | Windows code | Other code(s) |
|---|---|---|---|
| Arabic | ISO-8859-6 | CP1256 | |
| Baltic | ISO-8859-4 or ISO-8859-13 | CP1257 | |
| Central European | ISO-8859-2 | CP1257 | |