
SMS PASSCODE ®

8 SYSTEM REQUIREMENTS

In this section, the system requirements are listed for each SMS PASSCODE® software component (cf. section 6).

Please note:

All SMS PASSCODE® components require the Microsoft .NET 3.5 SP1 Framework, except the Password Reset Web Site component, which requires the Microsoft .NET 4.5 Framework.

The SMS PASSCODE® Secure Device Provisioning component requires both the Microsoft .NET 3.5 SP1 and .NET 4.5 Framework.

Component Requirement

Database Service

Supported operating systems:

o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64)
o Windows Server 2012 R2 (x64)

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

If you are planning to enable the Active Directory Integration feature, it is recommended to install this component on a domain member server or a domain controller.

Web Administration Interface

Supported operating systems:

o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64)
o Windows Server 2012 R2 (x64)

IIS 6.0, 7.0, 7.5, 8.0 or 8.5 required

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

It is recommended to install this component on the same server as the Database Service component. However, it is possible to install this component on a separate server (cf. section 8.4, page 40).

Transmitter Service

Supported operating systems:

o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64)
o Windows Server 2012 R2 (x64)

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

An unused serial port [6] (COM port) for each GSM modem.

An active SIM card for each GSM modem in use.

[6] If the server does not have a free serial port, you may use a serial port server instead. When using this solution, you map a virtual serial port on the computer to a serial port on a device, which is connected to the network. SMS PASSCODE® has been tested with serial port servers (“Terminal Servers”) from Moxa (http://www.moxa.com/Zones/Serial_to_Ethernet). It is recommended to use secure serial port servers, which encrypt the network communication (e.g. Moxa Nport 6000 series). It is also advantageous to use

Load Balancing Service

Supported operating systems:

o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64)
o Windows Server 2012 R2 (x64)

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

Self Service Web Site

Supported operating systems:

o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64)
o Windows Server 2012 R2 (x64)

IIS 6.0, 7.0, 7.5, 8.0 or 8.5 required

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

Must be installed on a domain member server or a domain controller.

It is recommended to install this component on the same server as the Database Service component. However, it is possible to install this component on a separate server (cf. section 8.4, page 40).

Citrix Web Interface Protection

Supported operating systems:

o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

You must install Citrix Web Interface on the server and publish at least one Web Interface before installing this component.

The following Citrix Web Interface versions are supported on Windows Server 2003 (x86/x64):

o Citrix Web Interface 4.6
o Citrix Web Interface 5.3.0, 5.4.0 and 5.4.2
o Citrix Access Essentials 2.0

The following Citrix Web Interface versions are supported on Windows Server 2008 (x86/x64) and Windows Server 2008 R2 (x64):

o Citrix Web Interface 5.3.0, 5.4.0 and 5.4.2

AD and NDS authentication is supported.


RADIUS Protection

Supported operating systems:

o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64)
o Windows Server 2012 R2 (x64)

Please note: Only Windows Server editions that include the Internet Authentication Service (IAS) or Network Policy Service (NPS) are supported. This means that Windows Server 2003 Web Edition, Windows Server 2008 Web Edition, Windows Server 2012 Hyper-V Edition and Windows Server 2012 Storage Edition cannot be used.

Windows Server 2003: Internet Authentication Service (IAS) must be installed before installing this component.

Windows Server 2008 (R2) and Windows Server 2012 (R2): Network Policy Service (NPS) must be installed before installing this component.

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

Supported RADIUS clients: All RADIUS clients that support the PAP or MS-CHAP v2 authentication protocol. The best user experience is achieved using RADIUS clients that support PAP with Challenge Response. Among others, the following RADIUS clients support Challenge Response:

o Cisco VPN Concentrator 3000
  - min. Cisco VPN client 4.8 (PC)
  - min. Cisco VPN client 4.9 (MAC)
o Check Point FW-1/VPN-1 NG/FP3
  - Check Point VPN-1 SecuRemote Connection Client
o Citrix Access Gateway 4.x [8]
  - Standard Edition (min. ver. 4.5)
  - Enterprise Edition
o Citrix Access Gateway 5.0
o Microsoft Intelligent Application / Unified Access Gateway (IAG/UAG)
o WatchGuard Firebox
  - WatchGuard Windows VPN Client

Please contact your SMS PASSCODE® reseller or [email protected] for further information regarding supported RADIUS clients.

[7] Please note that versions 5.0.00.x - 5.0.01.x had problems with the RADIUS challenge/response implementation. You must upgrade to a newer version of the Cisco VPN client 5.x.

[8] Please note that Citrix Access Gateway 4.x Advanced Edition does NOT support Challenge Response.

Cloud Application Protection

Supported operating systems:

o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64) [9]

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

Microsoft AD FS 2.0 must be installed before installing this component [10].

ISA/TMG Web Site Protection

Supported scenarios:

o Windows Server 2003 x86 with Microsoft ISA Server 2006 SP1 installed.

o Windows Server 2008 x64 with Microsoft TMG 2010 installed.

o Windows Server 2008 R2 x64 with Microsoft TMG 2010 installed.

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

IIS Web Site Protection

Supported operating systems:

o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64)
o Windows Server 2012 R2 (x64)

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

IIS 6.0, 7.0, 7.5, 8.0 or 8.5 required

Windows Logon Protection

Supported operating systems:

o Windows XP (x86/x64) [11]
o Windows Server 2003 (x86/x64)
o Windows Vista (x86/x64) [11]
o Windows 7 (x86/x64) [11]
o Windows 8 (x86/x64) [11]
o Windows 8.1 (x86/x64) [11]
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64)
o Windows Server 2012 R2 (x64)

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

Terminal Service / Remote Desktop is supported

Secure Device Provisioning (for ActiveSync devices)

Supported on Windows Servers with the Exchange Client Access Server (CAS) role installed beforehand.

The following versions of Microsoft Exchange Server are supported:

o Exchange Server 2010
o Exchange Server 2013

Password Reset Web Site

Supported operating systems:

o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64)
o Windows Server 2012 R2 (x64)

Pre-requisite: Microsoft .NET Framework 4.5 installed beforehand

IIS 7.0, 7.5, 8.0 or 8.5 required

A certificate is required to protect communication with the Password Reset Web Site using SSL/TLS.

Password Reset Backend Service

Supported operating systems:

o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
o Windows Server 2012 (x64)
o Windows Server 2012 R2 (x64)

Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

It is recommended to install a certificate on relevant domain controller(s) to encrypt the communication between the Password Reset Backend Service and the domain controller(s) using SSL/TLS.

8.1 Requirements for Location and Behavior Aware Authentication

Location and behavior aware authentication [12] is the overall term for making use of Passcode Policies, Authentication Policies and User IP Histories to achieve a more advanced and secure authentication experience. The pre-requisite for this to work is that the SMS PASSCODE® system must be able to collect the correct end-user IP address from which an authentication attempt originates.

[9] Windows Server 2012 R2 is NOT supported yet.

[10] On Windows Server 2012, please note that AD FS 2.0 is not supported on Hyper-V, Storage or MultiPoint Editions.

[11] It is not recommended to install Windows Logon Protection on laptops, because SMS PASSCODE® logon is only possible when the laptop is able to connect to an SMS PASSCODE® Transmitter Service. Since this connection is typically established via the network, the laptop may lose its connection to the Transmitter Service when it is undocked – and thereby prohibit user authentication.

[12] Please read section 14.1 (page 105) for more details about location and behavior aware authentication.

The table below lists the pre-requisites for this with respect to the different types of authentication clients supported by SMS PASSCODE®:

Authentication Client / Pre-requisite for collection of end-user IP addresses

Citrix Web Interface Protection

The pre-requisites for all web-based authentication clients are the same. These clients basically run on an Internet Information Server (IIS) that reports the end-user IP address of the web client to the SMS PASSCODE® system.

A problem might be that the IIS in question is located behind a reverse proxy (e.g. Citrix Secure Gateway, Citrix Access Gateway or ISA/TMG) or another type of network device (e.g. a network load balancer) that hides the real end-user IP address from the IIS. If this is the case, you have two options for regaining access to the real end-user IP address:

o Re-configure the network device to report the real end-user IP address to the IIS.

o Configure the network device to report the real end-user IP address as an HTTP header value. SMS PASSCODE® can then be configured to retrieve end-user IP addresses from this specific HTTP header (cf. section 20.2, page 392).

RADIUS Protection

End-user IP addresses are collected from the Calling Station ID attribute of the RADIUS packets received from the RADIUS client, i.e. end-user IP addresses are collected successfully only when the RADIUS client supports reporting of end-user IP addresses.

ISA/TMG Web Site Protection

In a typical setup, ISA/TMG Servers will receive real end-user IP addresses without any problems.

However, a problem might be that an ISA/TMG Server is located behind a network device (e.g. a network load balancer) that hides the real end-user IP address from the ISA/TMG. If this is the case, you must re-configure the network device to report the real end-user IP address to the ISA/TMG.

Windows Logon Protection

When accessing the SMS PASSCODE® protected machine using RDP, the correct end-user IP address of the RDP client is collected.

However, please note that when an RD Gateway is involved, the RD Gateway will act as the RDP client, i.e. the IP address of the RD Gateway will then be reported.

If you still would like to get the correct end-user IP address in this case, consider providing external access only through an RD Web site protected by SMS PASSCODE® multi-factor authentication. Collection of end-user IP addresses can then be enabled on the RD Web Site instead.

Important: Collection of end-user IP addresses is disabled by default

By default, collection of end-user IP addresses is disabled for all authentication clients installed.

You must use the SMS PASSCODE® Configuration Tool to enable collection of end-user IP addresses – and this must be done explicitly for every authentication client where this is wanted. Please read section 20.2 (page 392) for more details.

WARNING: Enabling collection of end-user IP addresses should only be done by network experts with a deep understanding of whether the IP addresses are collected correctly and in a trustworthy manner.
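The second option for web-based clients above (reading the end-user IP from an HTTP header) is exactly where the warning applies: any client can send its own copy of that header, so the value is only trustworthy when the request really came through the reverse proxy that sets it. The following is an added example of that check, not SMS PASSCODE code; the header name X-Forwarded-For, the proxy subnet 10.0.0.0/24 and the sample requests are constructed assumptions.

```python
import ipaddress

# Assumed: the reverse proxies (gateway, load balancer, ...) that are allowed
# to set the header live in this subnet. Constructed sample value.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
# Assumed header name; the product lets you choose which header it reads.
IP_HEADER = "x-forwarded-for"


def _is_trusted_proxy(addr, trusted):
    return any(addr in net for net in trusted)


def end_user_ip(peer_ip, headers, trusted=TRUSTED_PROXIES, header=IP_HEADER):
    """Return the end-user IP (as a string) for one request.

    peer_ip is the TCP peer the web server actually saw; headers is the
    request's header map. The header is ignored unless the peer is a trusted
    proxy. Within the header, hops are walked right to left (nearest proxy
    first): the first address that is not a trusted proxy is the end user,
    and anything further left was supplied by the client and is discarded.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted_proxy(peer, trusted):
        # Direct connection or unknown device: the header could be forged.
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get(header, "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed hop: do not guess, fall back to the proxy's address.
            return str(peer)
        if not _is_trusted_proxy(addr, trusted):
            return str(addr)
    # Header missing or containing only proxies: report the proxy itself.
    return str(peer)


# Constructed sample requests: (peer address, header map).
SAMPLES = [
    ("203.0.113.5", {"X-Forwarded-For": "198.51.100.7"}),        # direct, forged
    ("10.0.0.2", {"X-Forwarded-For": "198.51.100.7"}),           # via proxy
    ("10.0.0.2", {"X-Forwarded-For": "1.2.3.4, 198.51.100.7"}),  # client prefix
    ("10.0.0.2", {"X-Forwarded-For": "198.51.100.7, 10.0.0.3"}), # two proxies
    ("10.0.0.2", {}),                                            # header absent
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", end_user_ip(peer, hdrs))
```

Whatever device sets the header, the same rule applies: the server must strip or ignore the client-supplied copy, otherwise the User IP History and location-aware policies are fed attacker-chosen addresses.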

8.2 Terminal Service / Remote Desktop Service Protection

Access to Terminal Services or Remote Desktop Services can be protected by SMS PASSCODE® authentication in several ways.

o Windows Server 2003: When using Terminal Services on Windows Server 2003, please install the SMS PASSCODE® Windows Logon Protection component on each Terminal Service host requiring SMS PASSCODE® protection.

o Windows Server 2008 (R2): When using Terminal Services / Remote Desktop Services on Windows Server 2008 (R2), you have two options to implement SMS PASSCODE® authentication:

1. Protecting a TS / RD Web Access site directly on the IIS:

Install the SMS PASSCODE® IIS Web Site Protection component on the server hosting the TS / RD Web Access site. It is mandatory that the TS / RD Web Access site and the TS / RD Gateway site are installed on the same IIS. If the RD Web Access site is hosted on a Windows Server 2008 R2, then form-based authentication and single sign-on (SSO) are supported [13].

2. Protecting Windows Logon on all TS / RD session host servers:

Install the SMS PASSCODE® Windows Logon Protection component directly on each Terminal Service / Remote Desktop Service session host requiring SMS PASSCODE® protection.

o Windows Server 2012 (R2): When using Remote Desktop Services on Windows Server 2012, please install the SMS PASSCODE® Windows Logon Protection component on each RD Session Host server requiring SMS PASSCODE® protection.

Please refer to sections 11.2.3 and 11.2.4 for details about setting up TS / RDS Protection.

8.3 SharePoint Portal Server Protection

SMS PASSCODE® supports protection of Microsoft SharePoint Portal Server (version 2003 and newer). Please refer to section 11.2.6 (page 71) for more details regarding SharePoint Portal server protection.

[13] If you experience any of the problems during single sign-on described in the MS support article http://support.microsoft.com/kb/977507, then please contact [email protected] to get assistance.

8.4 Installing Web Sites on a Non-DB Server in the same Domain

As mentioned in the system requirements table in section 7, it is recommended to install the SMS PASSCODE® Web Administration Interface and SMS PASSCODE® Self Service Web Site (if installed) on the same server as the SMS PASSCODE® Database service. However, it is possible to install any of the web sites on a separate server. This section describes how to install any of the web sites on a separate server that is a member of the same domain as the DB server [14].

The steps to install one of the web sites on a separate server in the same domain are described below. Please note that you need to create a dedicated domain user that is used for the connection between the site(s) and the DB service.

1. Create a new domain user that is dedicated for being used for remote access to the DB service.

2. Log on to the server where the SMS PASSCODE® Database component is installed.

Locate the folder containing the DB files. The default location is:

C:\Program Files\SMS PASSCODE\Database

Assign read and write permissions to this folder for the user created in step 1.

3. Restart the SMS PASSCODE® Database service. Now the dedicated user will have read and write access to the SMS PASSCODE® database from any other server.

4. Install the SMS PASSCODE® web site (Web Administration Interface or Self Service Site) on a separate server (cf. section 13.2, page 76). This server is called the web site server below.

5. On the web site server, locate the secret.dat file in the SMS PASSCODE® installation folder. The default location is:

C:\Program Files\SMS PASSCODE\secret.dat

Assign read permissions to this file for the user created in step 1.

6. On the web site server, open the IIS manager and go to the Application Pools section:

a. In case of the SMS PASSCODE® Web Administration Interface: Select the Application Pool SMS PASSCODE AppPool, and then click the Advanced Settings… link in the Actions pane.

b. In case of the SMS PASSCODE® Self Service Web Site: Select the Application Pool SMS PASSCODE Self Service AppPool, and then click the Advanced Settings… link in the Actions pane.