Installation Guide Celestix HOTPin Appliance
Celestix HOTPin Installation Guide Document Number: HPN0030-946-003 Part Number: (CCD) 1005-00000015 Updated: June 28, 2013 Celestix HOTPin 2FA system software version 3.7 © 2013 Celestix Networks, Inc. All rights reserved. The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious.
Contents
Introduction (page 1)
Installation Guide Usage Notes (page 1)
Verify Package Contents (page 4)
Appliance Hardware Features
Introduction Celestix Networks delivers an exceptional combination of perimeter security features, scalability, and simplicity in cost-efficient appliances. Ready-to-deploy appliances offer decreased complexity and easier management that reduce the risk and cost of security solutions.
NPS RADIUS client configurations can now be transferred to and from HOTPin server for backup or batch configuration. QR code authentication offers simplicity and security because scanning a code is easier and reduces exposure when using public, untrusted computers to access resources. The API SDK allows organizations to customize authentication communication. HOTPin Agent provides API extensions to allow authentication from any website login page.
For example, to access appliance static routes, hover over the Network option on the main menu bar, scroll to and hover over Routing, then scroll to and click Static Routes. The navigation path will be delineated as Network|Routing|Static Routes. While network interface connections are commonly referred to as NICs, ports and adapters, the document uses network adapters as a simplified reference. When discussing your HOTPin appliance, the document generally refers to the appliance.
Verify Package Contents The following identifies standard package items that may be included with your appliance. See the list below it for the items included with each appliance series.
Appliance Hardware Features Appliance Configurations Your appliance is a member of a versatile series of security products. The following table will help you to identify your configuration information.
Appliance Naming Conventions Your appliance name indicates the main components included in its hardware/software configuration. For example, if you purchased a WSA 4200, the appliance configuration would include an X4 appliance with the Forefront Unified Access Gateway application. Please Note: Celestix appliances are available in various configurations. Find the model number on the front panel display.
HOTPin System Overview The HOTPin system provides secure two-factor authentication through a passcode.
This section provides a brief overview to help system administrators become familiar with the HOTPin system. It reviews authentication methods and summarizes the configuration for a standard deployment. It also provides information about how HOTPin works with Active Directory and notes for client software platforms that have special considerations. User Authentication HOTPin requires a user name and passcode for login.
Token Devices A token device, also referred to as a hard token device or hard token, generates token codes using an external key that must be imported to HOTPin. Once the key has been imported, it can then be assigned to a user account. The key on the server must be in sync with the device to produce valid token codes for login. Key fobs are a common token device. Token Providers Token providers send the token codes used in passcodes to users from the server.
Illustration 2 – General Setup Overview End users can complete steps 4-5 without administrator assistance if the HOTPin User Website is enabled for self-provisioning. Version Information The HOTPin application version is noted in the title on the main help page; see Help|Contents|HOTPin.
Import
Token key download through client software
Single sign-on
User management includes the AD Synchronization and HOTPin User Website features, in addition to the ability to manually import accounts from AD. Token key download is the client software Import from Network feature that enables users to get token keys through the LAN. HOTPin can also be combined with AD to allow single sign-on to your network.
accounts to HOTPin (if not syncing with AD or enabling the HOTPin User Website to allow self-provisioning); instructions are in the HOTPin User Accounts section.
Install the Appliance The guide provides a system administrator with concise instructions for a base deployment. The document covers common installation requirements and is not intended to be comprehensive. Every network environment is different, and some installations may require additional configuration. Installation instructions first cover assumptions the guide takes into account for a common deployment to help administrators plan for the skills and resources they may need.
Network Settings The following general conditions apply to the instructions contained in this guide. Again, your network settings may differ and could require some adjustment to the general information presented herein. Your LAN is configured for DHCP. You will use DHCP initially to assign an IP address to the LAN0 network adapter. You can find the assigned IP address on the front panel display. Instructions generally refer to Active Directory (AD) as an example domain controller.
Network Information Worksheet (example)
Property: Computer Name. Network Information (example): (blank). Explanation: The appliance must be assigned a computer name. The computer name must be 15 alphanumeric characters or less. This information is needed in Quick Setup : Server Name.
Property: Administrator Password. Network Information (example): Celest1x (default). Explanation: The administrator password is the password used to log on to the appliance.
1. Select a secure location where only authorized personnel can access the appliance. 2. Mount the appliance on your rack: a. Use all the provided screws to attach mounting hardware to the front right and left of the appliance. b. Attach the appliance to the front supports of your equipment rack using a screw (not provided) for each of the holes on each of the brackets. For example: Caution: Do not place the appliance on the floor. Keep it in an upright position.
Please Note: Your appliance hardware may look somewhat different from the example. Most deployments will, however, connect to the network in a similar fashion. Network Interface LED indicators: Each of the network adapters contains a pair of lights to help identify connection speed and usage. See below for details (listed by model number): 1500/3200/4200/5200 Right light – displays connection speed (unlit 10 Mbps, green 100 Mbps, orange 1000 Mbps).
Front Panel Controls Overview The front panel contains an LED display and jog dial. These controls allow you to view system information and to directly manage some configuration settings on the appliance. You will use these controls to complete your appliance configuration. Front Panel Display The front panel display operates in two modes: Idle mode – the default mode; status screens cycle through display.
To connect your appliance to a power source: 1. Connect the power cable from your power source (typically a UPS) to the power inlet on the rear panel. The power cable is included in the appliance packaging. 2. The display will show the System Off message.
Power On/Off Your Appliance Power on and boot the appliance by pressing the Jog Dial. It is possible to power off your appliance by pressing the Jog Dial for 5 seconds.
Configure the HOTPin System This section provides instructions for the appliance setup and configuration that is required for all deployments. The first topic walks you through general network configuration for the appliance. The second topic guides you through both required and optional HOTPin application configuration.
Configure Initial Access The appliance can be deployed in a network that does not use DHCP, but it is generally easier to start setup with a DHCP-assigned IP address for your internal network (LAN0) adapter. If you need to assign IP addresses to any adapters manually, you will use the Jog Dial/front panel as explained in the next section, Configure IP Address without DHCP. Configure IP Address without DHCP Skip this section if your network uses DHCP.
If you need to configure other adapters, you can repeat the instructions above as necessary, or you can follow the steps in the Quick Setup Steps : Interfaces section. Access the Web User Interface You are now ready to configure your appliance using the web UI. If the LAN IP address was assigned through DHCP, use the Jog Dial on the appliance front panel to scroll to LAN and note the assigned IP address.
The main HOTPin screen is accessed when you click HOTPin in the menu bar: Illustration 5 - HOTPin Main Screen
Quick Setup Steps The following sections provide instructions for basic appliance configuration. They are presented in the order in which you should complete them. You can access Quick Setup through the Start menu in the web UI. Interfaces The Interfaces function provides access to appliance network adapter configuration.
Status – indicates Up for adapters with connected cables; indicates Down for either an unused adapter or a connection issue. General Properties Select a connector to enable the General Properties button. Use this function to assign DHCP or static address configurations. A static address includes these settings:
• Internet Protocol (IP) address
• Subnet mask
• Gateway address
You can also specify automatic or preferred DNS server settings on this screen.
Time zone: select a city that represents your time zone from the drop-down menu. Automatically adjust clock for daylight savings: select to instruct the server to change the time according to daylight saving/standard time. Administrator Password Your appliance ships with a default administrator password. You should change the password when you set up your appliance, as the default password is public knowledge.
To add or change server or domain settings: Important: You will need to reboot the server to complete these steps. 1. Navigate to Network|Server Name. 2. Enter information for the following fields: • Server Name – specify a name for your appliance. • DNS suffix – optional; this field sets the primary DNS suffix. Specify the DNS suffix to create a fully qualified server name.
3. Enter a User name and Password in the text fields provided. 4. Click OK. 5. You will be prompted to reboot your appliance to complete the above changes:
• Click OK to proceed with restarting your appliance.
• Click Cancel to skip restarting your appliance. (You will need to restart the appliance later to complete the membership changes to Network|Server Membership.)
The web UI will refresh and open to the Quick Setup screen after the appliance has finished the configuration change.
5. Enter a send address in the From field. 6. Enter your network’s SMTP gateway name or IP address in the With field. 7. To test the email delivery, click Test Settings. Note: The alert email function will indicate whether a test email was sent. If the test email is not received after the alert email feature indicates that one was sent, the error is most likely due to SMTP server settings.
Configure AD Synchronization – if you want to streamline user management by linking the HOTPin user database to designated Active Directory OUs and/or groups. Import External Token Keys – if you provide users with devices like hard tokens. Configure Token Providers – if you will allow users to authenticate without client software or hard token devices; necessary if you want to use email or compatible services like SMS to deliver token codes.
To upload and configure your HOTPin license: 1. Save the license file (license.xml) to your appliance. Caution: Do not change the name of the file; files of a different name will cause an error during upload. 2. Navigate to HOTPin|License. 3. Under Upload new license, click the Browse button to navigate to the license file. 4. Click OK to install the license. 5. A message displays when the license import has successfully completed. 6. Click Cancel to return to the main HOTPin screen. 7.
General Tab The general system settings provide configuration options for user-related functionality. Authentication Note: For both Authentication items, a lower value offers higher security, a higher value offers more flexibility. Maximum Authentication Failures – determines the number of login failures before a user is locked out of the system (each successful authentication resets the authentication failure counter).
OTP messages the next time they need to authenticate. The send-ahead code will be valid for the duration of the Sent code TTL. Client Software Require key passphrase – sets the system default requirement option (includes the HOTPin User Website). When checked, the Require key passphrase setting will force users to create a passphrase in the client software application when the token key is imported.
Enable event log trimming – select to delete Event Log items that do not fall within the specified save period. Note: Trimmed events are removed from the HOTPin Server database, but are not deleted from the Windows event log. Save the last – specify the period for which event log items will be saved. Archive trimmed events – select to save log items as text files before they are deleted from the Event Log; archived events are saved in Log Files (HOTPin|Log Files|Help|Current Page).
Enable the User Website The HOTPin User Website is an appliance-hosted site on the local area network that can allow authenticated users to provision HOTPin accounts, client software, token keys, and instructions. You can enable or disable user self-provisioning on the User Website screen.
Administrator Tasks for User Account Setup
Columns: User Site w/ All Features Enabled | User Site Disabled
With the user site enabled: Provide user site URL.
With the user site disabled: Create account; Assign token generation method; Provide User Login Information Sheet; then, per token generation method (Client Software / Hard Token Device / Token Provider): Provide client software; Import external keys; Provide instruction document; Provide instruction document; Provide token devices; Provide key configuration; Provide User Login Info. Sheet; Login instructions; Provide User Login Info.
Website Access Once enabled, default access to the site is: https://(appliance host name|IP):8098/hotpin/
Examples:
https://acme.com:8098/HOTPin/
https://192.168.20.1:8098/HOTPin/
The site is not enabled by default; it must be turned on by administrators. Import from Network Feature The client software Import from Network feature lets users securely import token key configuration from a LAN connection to the user site.
to manage their HOTPin accounts. The AD Settings tab provides the configuration that allows HOTPin to connect to Active Directory. To enable the user provisioning website: 1. Navigate to HOTPin|User Website. 2. Select Enable user website to allow access to the HOTPin User Website. 3. Click OK to return to the main HOTPin screen when you are done. Please Note: To disable the site, deselect the Enable user website checkbox. If you disable the user site, the AD Settings tab configuration will be erased.
User Account – where users view/edit user account information. Token Key – where users generate a token key configuration to use in client software. Client Software – where users download client software installation files and instructions. Documentation – where users access general HOTPin documents. See Configure Website Settings for information. AD Settings – configure HOTPin access to AD.
Allow users to login with HOTPin OTP – enable login with a HOTPin token code (OTP). Allow QR code authentication – enable QR codes that client software can use for login. Response host address – optional setting to specify the user website's IP address. The QR login feature will use whatever address is entered into the browser when the QR code is created; this field will override the browser URL and is used in deployments where client software would not be able to resolve the address otherwise.
Import key configuration over the network – required for the client software Import from Network function. This feature is not visible on the user website; it requires valid AD credentials and a network connection. Download key configuration (key, QR code, string) – required to allow users to get key configuration; users select an option compatible with their client device.
Note: Validation occurs when you click the OK button after configuring settings. Primary server IP address/host – enter AD server information. Secondary server IP address/host – optional; enter information for an additional AD server. Authenticate against – select the authentication service type. Group membership – optional; this feature can be used to restrict end user access to self-provisioning functionality. If you enter a group name, only members of that group will be able to use HOTPin.
the platform (for example, the iOS client must be downloaded from Apple’s App Store). The user provisioning website must be enabled to support end users with iOS client software versions prior to 3.0 as they can only import token key configuration through the network. A user account must be enabled to allow users to log in to the user site. Configure AD Synchronization Synchronization allows administrators to link the HOTPin user database to Active Directory (AD) user account information.
Illustration 10 - AD Synchronization Screen The following topics provide an overview to explain automatic user account management through synchronization, and instructions for the wizard. Synchronization Overview The overview first covers the exclusion list, a synchronization process component that informs how you will deploy syncing.
the exclusion list; otherwise they will be deleted after the next sync interval. Sync Process Functionality To set up synchronization you will need to understand how HOTPin links to AD, and how administrative actions result in changes to the HOTPin database. Active Directory/HOTPin Synchronization Links The following table explains the relationship between AD and HOTPin accounts. It illustrates the required information that AD properties must contain to populate HOTPin fields.
If an account in AD is added: the sync update action in HOTPin will be: Account added.
If an account in AD is deleted: *Account deleted.
If an account in HOTPin is added and noted in the exclusion list: No sync action, account remains.
If an account in HOTPin is added and not noted in the exclusion list: *Account deleted.
(row label not recoverable from the source): No sync action, account still deleted.
If a HOTPin account noted in the exclusion list is deleted: No sync action, account still deleted (and still in the exclusion list).
If an AD-linked account noted in the exclusion list is deleted: Account is added AD
4. Click Next. 5. On the Sync Settings screen, complete the following to add/update user accounts: Note: At least one OU or group must be selected. a. Select OU – click to access the list of Organizational Units:
• Select checkboxes to add.
• Click OK.
b. Select Groups – click to access a list of AD groups: Note: The wizard hides built-in groups by default; select Show Builtin Groups to display those options.
• Select checkboxes to add.
• Click OK.
c.
6. Click Next. 7. On the Exclude Users screen, you will designate AD accounts that should not be added/changed in HOTPin, and/or HOTPin accounts that are not based on AD accounts. Complete the following: a. Exclude these usernames from Sync – select to enable the exclude function. b. Exclude AD Users – click to access the list of AD users:
• Select checkboxes for accounts to exclude.
• Click OK.
HOTPin User Website Compatibility If you deploy both the AD Synchronization and HOTPin User Website features, you should limit end user editing functionality to avoid issues where the sync process overwrites information they might enter.
2. Select Manual Sync. 3. Click Next. 4. Click Finish. 5. Synchronization results are displayed. See Synchronization Result Details below for information. 6. Click Close to return to the HOTPin screen. Synchronization Result Details User Name – lists HOTPin user name. Full Name – displays descriptive name; usually first and last. Sync Status – displays sync outcome.
Illustration 12 - Token Keys Screen The token keys list provides the following summary information: Key ID – differentiates the key the device uses. Assigned To – lists the key’s designated user account. Manufacturer – identifies the hard token maker. Model – identifies the token device. Serial Number – unique identifier for the token device. Start Date – if included, displays the date the device is valid from.
Please Note: The import function uses an OATH-compliant Portable Symmetric Key Container (PSKC) file that contains information to populate the token keys list. To import external keys: 1. If necessary, navigate to HOTPin|Token Keys. 2. Click Import. 3. Complete the following: a. Browse – click to navigate to and select the PSKC file. b. PSKC file key – if required, enter the key used to encrypt the file. c.
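The following is an added example, not part of the guide or of the HOTPin software: it parses a PSKC (RFC 6030) key container of the kind the import step above consumes, pulls out the fields the token keys list shows (manufacturer, model, serial number, start date, key ID), and then computes HOTP codes (RFC 4226) from the imported secret to show why the server-side counter must stay in sync with the device. The sample container and device details are constructed; the secret is the RFC 4226 test key, and only unencrypted PlainValue secrets are handled (a container protected with a PSKC file key is out of scope here).

```python
"""Parse an OATH PSKC (RFC 6030) container and compute/verify HOTP codes.

Added example, not Celestix code. Only <PlainValue> secrets are handled;
encrypted containers (the "PSKC file key" case) are not covered.
"""
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}

# Constructed sample container. The secret is the RFC 4226 test key
# "12345678901234567890" (base64 below); device details are fictitious.
SAMPLE_PSKC = """<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>ExampleTokens</Manufacturer>
      <SerialNo>987654321</SerialNo>
      <Model>KF-1</Model>
      <StartDate>2013-06-01T00:00:00Z</StartDate>
    </DeviceInfo>
    <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <Issuer>Example Corp</Issuer>
      <AlgorithmParameters>
        <ResponseFormat Length="6" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_pskc(xml_text):
    """Return one dict per <KeyPackage> with the fields the token keys list shows."""
    root = ET.fromstring(xml_text)
    keys = []
    for pkg in root.findall("pskc:KeyPackage", NS):
        key = pkg.find("pskc:Key", NS)
        if key is None:
            continue
        secret_b64 = _text(key, "pskc:Data/pskc:Secret/pskc:PlainValue")
        if secret_b64 is None:
            raise ValueError("encrypted secrets are not supported by this example")
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", NS)
        keys.append({
            "key_id": key.get("Id"),
            "algorithm": key.get("Algorithm"),
            "manufacturer": _text(pkg, "pskc:DeviceInfo/pskc:Manufacturer"),
            "model": _text(pkg, "pskc:DeviceInfo/pskc:Model"),
            "serial": _text(pkg, "pskc:DeviceInfo/pskc:SerialNo"),
            "start_date": _text(pkg, "pskc:DeviceInfo/pskc:StartDate"),
            "secret": base64.b64decode(secret_b64),
            "counter": int(_text(key, "pskc:Data/pskc:Counter/pskc:PlainValue") or 0),
            "digits": int(fmt.get("Length", "6")) if fmt is not None else 6,
        })
    return keys


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(key, candidate, look_ahead=10):
    """Server-side check: accept a code within the look-ahead window and
    return the new counter (one past the match), or None on no match.
    Codes behind the stored counter are never accepted, which is what
    prevents replay of an already-used token code."""
    for c in range(key["counter"], key["counter"] + look_ahead):
        if hmac.compare_digest(hotp(key["secret"], c, key["digits"]), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    imported = parse_pskc(SAMPLE_PSKC)[0]
    print(imported["manufacturer"], imported["model"], imported["serial"])
    print("first code:", hotp(imported["secret"], imported["counter"]))
```

Because each accepted code advances the stored counter, a user who presses the fob several times without logging in drifts ahead of the server; the look-ahead window is what lets such a device resynchronise, and the window size is the trade-off between tolerance and guessability.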
To access token provider properties: 1. Navigate to HOTPin|Providers. 2. Select a provider from the list. 3. Click Properties. Properties will vary among the different providers. See the individual provider’s section for details about configuration. Provider Security Considerations This section discusses some issues that system administrators should review when considering the use of token providers in a HOTPin system deployment.
Test Provider Feature Each of the providers described in subsequent sections has a test feature that allows you to check the configuration you enter. It sends a code using the information you enter in the test tool, which allows you to check provider configuration without requiring valid HOTPin user data. Please Note: While either phone or email information is required, other fields are optional. To test provider application settings: 1. Expand the debugging tool by clicking Test Provider. 2.
static information to adapt customizable fields as necessary. Replaceable tags are defined in braces { } and available options are noted in each of the provider sections. Configure the Email OTP Token Provider The Email OTP Token Provider sends the next valid token code to a standard email address or an email-to-SMS address (text message). To access email provider properties: 1. Navigate to HOTPin|Providers. 2. Select the Email OTP Provider from the list. 3.
Subject – identifies the message; HOTPin OTP is the default static text. Message – message content; usually contains at least the {code} tag, which will be replaced with the current token code when HOTPin sends the message to the user. Replaceable Tags for the To, Subject, and Message fields: {user_name} – the user's login name. {user_full_name} – the user's full name. {email} – the user's email address. {phone} – the user's phone number. {code} – the next token code.
The following subsections explain the items on the Provider Properties page. Illustration 15 provides a reference. Illustration 15 - HTTP OTP Provider Properties Settings and Customizable Fields: In the Website URL field, enter the information required by your service provider along with replaceable tags for the HOTPin information you want to include in the sent code message. Website URL – the URL property defines the host and query string where the next token code will be sent.
HTTP samples:
http://sms.server.com/service.aspx?ph={phone}&text={code}
http://sms.server.com/service.aspx?ph={phone}&text=Token%20code%20{code}
http://10.1.1.1:2000/service.aspx?ph={phone}&text={code}
Secure sample passing a service login user name and password with token information: https://sms.server.com/service.
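As an added example (not code from the guide or from HOTPin), the function below renders a Website URL template like the samples above, substituting the replaceable tags the guide lists ({user_name}, {user_full_name}, {email}, {phone}, {code}) and percent-encoding each value before it lands in the query string. The sample template and values are constructed; the encoding is the point, because the phone, email and name values come from the user database or AD, and an unencoded '&' or '#' in one of them would change the query the SMS gateway receives.

```python
"""Render an HTTP OTP provider Website URL template with replaceable tags.

Added example, not Celestix code. Tag names are the ones the guide lists;
the template and values below are constructed.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

TAG_NAMES = ("user_name", "user_full_name", "email", "phone", "code")
TAG_RE = re.compile(r"\{([a-z_]+)\}")


def render_provider_url(template, values):
    """Replace each {tag} with the percent-encoded value.

    Literal text in the template (for example Token%20code%20) is kept as
    the administrator typed it; only substituted values are encoded.
    An unknown tag is an error rather than being left in the URL."""
    def substitute(match):
        name = match.group(1)
        if name not in TAG_NAMES:
            raise ValueError("unknown replaceable tag {%s}" % name)
        return quote(str(values.get(name, "")), safe="")
    return TAG_RE.sub(substitute, template)


def query_params(url):
    """Decode the rendered URL's query string, i.e. what the gateway sees."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


# Constructed sample: the guide's first HTTP sample template, with a phone
# value containing characters ('+' and spaces) that must be encoded.
SAMPLE_TEMPLATE = "http://sms.server.com/service.aspx?ph={phone}&text={code}"
SAMPLE_VALUES = {"phone": "+1 222 555 1111", "code": "755224"}


def demo():
    url = render_provider_url(SAMPLE_TEMPLATE, SAMPLE_VALUES)
    return url, query_params(url)


if __name__ == "__main__":
    rendered, params = demo()
    print(rendered)
    print(params)
```

The token code, and any gateway login passed the way the secure sample does, travel in the query string, so the https form keeps them off the wire in clear and the gateway's request logs deserve the same access restrictions as the HOTPin logs.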
To access SMS provider properties: 1. Navigate to HOTPin|Providers. 2. Select the SMS OTP Provider from the list. 3. Click Properties to open the provider configuration screen. 4. Click OK to save the settings you entered. The following subsections explain the items on the Provider Properties page. Illustration 16 provides a reference.
and 30000 (30 seconds). Depending on the modem speed, this value may need to be adjusted to prevent timeout errors. Data bits – indicate the standard length of data bits per byte. RTS enabled – designate whether the Request to Send (RTS) signal is enabled during serial communication. AT Commands To send an SMS Message to the modem, configure the proper AT commands; each command must be on a separate line.
See the previous section Test Provider Feature for information about using the tool to check the configuration you entered. If you do not receive the test OTP, try the following troubleshooting steps: Confirm your provider configuration. Check the user information you entered. For more information about token provider settings, see Configure System Settings : Token Provider.
HOTPin User Accounts The HOTPin user information database is accessed through the Users section in the appliance web user interface. Each user has associated information such as login name, email address and token key. There are multiple ways to add user accounts, which include:
A. Synchronizing with AD
B. Users self-provisioning through the HOTPin User Website
C. Importing from AD or a text file through the web UI
D.
Manage User Accounts From the Users screen, accounts can be added manually or imported from a text file or Active Directory (AD). The following topics cover user property settings, adding/editing users individually, and both import methods. Then, instructions to add external keys to HOTPin accounts that will use hard tokens are covered. Please Note: In AD domains, HOTPin user names should be the same as the AD authentication property. See Active Directory for more information.
Token Override – Yes indicates the user account can log in without a token code. Token Provider – displays the token method assigned to the user account. Note: Your organization may have had additional customized options created.
(none) – indicates that users will either run client software on a user device (for example: mobile phone, PC) or use an external key (like a key fob hard token). Note: An external key can only be assigned by an administrator.
Creating a new key removes the user’s PIN; when PINs are required, users will need to reset them. Download Key – download or copy a user’s token key to a local computer as either a file, a QR code, or a string. See the Download Key topic for more information. Note: Key import methods vary by client device. See the device-specific instructions for available import methods. Filter – enter criteria to selectively view the list. Click to open and close filter options.
To add new users: 1. Navigate to HOTPin|Users. 2. Click New. 3. The New User screen opens. 4. Enter user information. See New User Property Settings below for information. 5. Click the OK button to finish adding a user and return to the Users screen. Important: You will not be able to add more users than are allowed by your user license. New User Property Settings User name – the user name should be between 4 and 128 characters and cannot include spaces.
phone, PC) unless an external key is then assigned.
o OTP Email Provider – uses email or email-to-SMS to send the token code to the user.
o OTP HTTP Provider – generally used to send the code to an SMS server that will then send it to a user's mobile device.
o OTP SMS Provider – sends the code through an SMS modem connected to your appliance that will then send it to a user's mobile device.
Your organization may have had additional options created.
To edit user properties: 1. Navigate to HOTPin|Users. 2. Select one or more users from the list. 3. Click Properties. 4. Select the tab you want to edit. 5. Click OK to save changes and return to the HOTPin screen. Important: If AD Synchronization is enabled, user email and phone data may be designated for syncing; if so, HOTPin accounts must be noted in the exclusion list to maintain changes entered through the web UI.
Email – edit the user's standard email or email-to-SMS address. The email address field is optional but may be needed by custom token providers. Note: The email-to-SMS messaging function requires a mobile provider service that supports it. Phone – edit the user's mobile phone number. This field is optional but may be needed by custom token providers. Account is enabled – select to enable user account, deselect to disable user account. Note: Disabled accounts count towards the user license limit.
Internal HOTPin key for client software or token provider. External Key for imported keys (as used in hard token devices). Key ID – displays the token’s unique ID relative to the user. The key ID is useful when validating that a user has the current token key installed in their client software token application. Key timestamp (UTC) – displays the token generation detail. Token provider – edit the assigned token method by selecting an option in the drop list.
For each of the options below, you will need to select the edit control checkboxes for the feature settings you want to change; that will enable the property to be selected and/or edited. General Tab Illustration 21 provides a reference for the General tab settings described below. Illustration 21 - Edit Group of Users General Tab View or edit the following properties for selected users: Account is enabled – check to activate accounts; uncheck to disable accounts.
Illustration 22 - Edit Group of User Token Tab View or edit the following properties for selected users: Note: If an account that has been assigned an external key is included in the selection, you will not be able to enable editing. Token provider – edit the assigned token method by selecting an option from the drop list. New PIN mode – select to require users to create new PINs at the next login.
2. Click Import. 3. On the Import Users screen, click Next. The import wizard takes you through the steps to add users to HOTPin. Those steps include: Welcome – the Welcome screen displays the number of available user licenses. The menu at the left of the screen indicates your progress in the wizard. Import Source – select either:
• Active Directory
• Text file
The AD option requires credentials to import from the server.
Please Note: You will not be able to add more users than are allowed by your user license. In AD domains, HOTPin user names should be the same as the AD authentication property. See Active Directory for more information. As noted above, the subsequent sections provide details for completing user import.
Drill Down – displays a complete list of Active Directory information that can be expanded; select check boxes to include user(s) in the import. Use as a user name if found – choose an option that will designate an AD property as the HOTPin user name.
The following examples show the minimum and maximum information to be included in the users file.
Minimum information examples:
[Users]
jsmith,John Smith
mjane,Mary Jane
Please Note: In the above example, all the users will be added with the default software token and will be active.
Maximum information examples:
[Users]
jsmith,John Smith,Remote access user jsmith.,jsmith@acme.com,1.222.555.1111,,1
mjane,Mary Jane,Remote access user mjane,2225553333@txt.att.com,1.222.555.
7. Click OK. 8. Click OK to confirm assignment. 9. Click OK to save changes and return to the HOTPin screen. Client Software Client software token applications, also referred to as client software, are programs that run on different user devices and are used to generate token codes. End users can download their own software if the HOTPin User Website is enabled. If not, you will need to download the software and provide it to your users.
The install file will download to the local machine. After downloading and installing the client software on the user device, a token key must be loaded into the client software to generate token codes for network login.

Download User Token Key
Client software needs to be configured with user information that is referred to as token key configuration. The configuration contains a key, data, and settings that are specific to the individual user account.
Key Configuration Formats
The token key configuration comes in three formats: a file, a QR code, or a data string. The file option can be used with any device that can import a DAT file. The QR code requires that the device be present and have a camera through which it can scan the code. The string option is intended for devices with cut-and-paste functionality, but the string can also be entered manually.
Settings page, but administrators can override the default on the Download Key screen.

QR Code Download property configuration options include:
Passphrase – to maintain a secure process, you will need to create a passphrase to encrypt the configuration. The passphrase will then be used during import to the client application. The configuration will not be usable without the passphrase. The passphrase is case sensitive, should be between 6 and 16 characters, and cannot contain spaces.
See the Key Configuration Transfer topic below for information about providing the string to end users.

Key Configuration Transfer
After downloading a key configuration, adding it to client software depends on the device capabilities.
Create a System Image
Once you have set up your appliance and configured the HOTPin application, creating a snapshot will provide an option to help remediate issues that may result from future system updates or changes. You have two options to access the system image functionality:
• The web UI System Imaging feature (Maintenance|System Imaging).
• The front panel display Last Good Version (LGV) feature (access through the Jog Dial).
Illustration 25 - System Imaging Screen

To create a system image:
1. Navigate to Maintenance|System Imaging.
2. Click New.
3. Select the image type:
• Online System Image – the appliance will continue to operate normally while the system image is run, which creates a larger file but doesn’t interrupt the services provided by the appliance.
LGV
The LGV instructions below require direct access to the Celestix appliance.

To create an LGV:

Notes: You will need to shut down your appliance and then start it again to access the system recovery process. It may help to read through all of the instructions before starting the procedure.

1. Shut down the appliance.
2. The front panel display shows the System Off message after shutdown has completed.
Update Software
The Software Update Service allows administrators to keep appliance software current through hotfixes, service packs, and upgrades. Software updates include the following applications:
• Windows Server
• Celestix Comet
• Celestix HOTPin
After you have configured your appliance and created an image snapshot, use the Software Update Service to ensure you have the latest application patches for all your appliance software.
Appendices
Use the links to jump to a topic:
HOTPin Glossary
Web User Interface Content Overview
Additional Features
API Extensions
Safety Precautions
Product Reclamation and Recycling
Network Information Worksheet Form
HOTPin Glossary
Note: Links in bold type navigate out of the Glossary.

Active Directory group
Groups can be designated in the AD Synchronization feature to automatically add, edit, or delete HOTPin user accounts.

Active Directory organizational unit
OUs can be designated in the AD Synchronization feature to automatically add, edit, or delete HOTPin user accounts.

AD Synchronization
Manage HOTPin user accounts automatically by linking the user database to AD. Also referred to as syncing.
custom token provider
See token provider.

default software token
The client software token application is the default software token in the HOTPin system.

exclusion list
The exclusion list is an AD Synchronization feature that severs the link between the HOTPin user database and AD for individually specified accounts.

event log
The HOTPin event log records HOTPin system management and user authentication events.
HOTPin
HOTPin is a system that provides two-factor authentication services for Celestix appliances. HOTPin normally uses a PIN and token code to create a passcode. You can also configure HOTPin for one-factor authentication using just the token code for authentication. The system includes a server application, client software token applications (client software) and token provider options.
Next Code
The name of the screen button in client software applications that users click to generate a token code.

NPS
NPS, or Network Policy Server, is how Microsoft implements RADIUS. The NPS RADIUS feature allows you to configure RADIUS clients. It also provides access to the Windows NPS management application.

NPS RADIUS
See NPS.

one-time password
One-time passwords (OTPs) combine with PINs to create passcodes when PINs are required. When PINs are not required, OTPs serve as the user passcode.
portal page
The web page a user will access to enter network system/HOTPin credentials. Also referred to as the login page.

primary server
The primary server is part of the HOTPin High Availability feature. The primary server provides authentication services under normal operating conditions. It is queried by a backup server for data so that the backup server can provide authentication services if the primary is unavailable.

provider
See token provider.
Settings
The HOTPin server application web user interface page where administrators can access Authentication, Token Provider, and Client Software settings.

shared secret
RADIUS components (clients, proxies, and servers) use a password to verify and encrypt the communication they share.

software token
A software application that runs as a client on PCs or mobile devices to generate token codes for use in both single and two-factor authentication; also referred to as client software.
token key
The HOTPin component that contains a user’s encryption configuration information. Client software must have a token key to generate valid token codes. Users must have a distinct key for each HOTPin system they access.

token key configuration
When a key is used in a token it includes some user data and other information like a counter and passphrase requirements. The additional information composes the token key configuration.
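The glossary entries for HOTPin, one-time password, Next Code and token key configuration describe a counter-based token code that is combined with a PIN into a passcode. The following is an added example, not Celestix code and not the guide's description of HOTPin internals: it assumes the token code is an RFC 4226 HOTP value and that the passcode is the PIN followed by the token code, neither of which the guide states. The key is the RFC 4226 test-vector secret, the 6-digit length and the look-ahead window are assumptions, and the client token dictionary stands in for a loaded token key configuration. It shows both the two-factor and the one-factor mode from the HOTPin entry, and why a previously accepted code is not accepted again.

```python
"""Counter-based token code + PIN passcode, with server-side validation.

Added example (not Celestix code). Assumes RFC 4226 HOTP token codes and a
passcode laid out as PIN followed by token code; the guide states neither.
"""
import hashlib
import hmac
import struct

DIGITS = 6       # assumption: 6-digit token codes
LOOK_AHEAD = 10  # assumption: how far the server counter may lag the client


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def next_code(token):
    """Client side (the Next Code button): emit a code and advance the counter."""
    code = hotp(token["key"], token["counter"])
    token["counter"] += 1
    return code


def verify_passcode(passcode, key, server_counter, pin=None, window=LOOK_AHEAD):
    """Server side. Returns the new server counter on success, None on failure.

    pin=None is the one-factor mode (the passcode is just the token code).
    Only counters at or after the server's current value are tried, so a code
    that was already accepted is never accepted a second time; compare_digest
    keeps both the PIN and the code comparison constant-time.
    """
    if pin is not None:
        if len(passcode) < len(pin) or not hmac.compare_digest(
                passcode[:len(pin)].encode(), pin.encode()):
            return None
        code = passcode[len(pin):]
    else:
        code = passcode
    if len(code) != DIGITS or not code.isdigit():
        return None
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(key, c).encode(), code.encode()):
            return c + 1  # resync past any codes the user generated but never submitted
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"        # RFC 4226 test-vector secret, not a real key
    token = {"key": key, "counter": 0}  # stands in for a loaded token key configuration
    server_counter = 0
    passcode = "1234" + next_code(token)  # two-factor: PIN + token code (constructed PIN)
    server_counter = verify_passcode(passcode, key, server_counter, pin="1234")
    print("accepted, server counter now", server_counter)
    print("same passcode accepted again?",
          verify_passcode(passcode, key, server_counter, pin="1234") is not None)
```

The look-ahead window is what lets a user press Next Code a few times without submitting and still log in; the server then jumps its counter forward to the matched value plus one, which is why the counter in the token key configuration matters on both sides.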
Web User Interface Content Overview
The web UI menu structure is outlined below. Use it to quickly find the feature you need.

The HOTPin User Website structure is outlined below.
Additional Features
For information about configuring the following features, see the HOTPin online help.
High Availability – deploys a primary and backup server for redundancy.
NPS RADIUS – allows HOTPin to use Microsoft’s Network Policy Server to provide RADIUS authentication services.
Agent Software – configure the HOTPin appliance for a UAG environment.
API Extensions
The following features have sample code libraries in the HOTPin SDK.
Agent 1.1 – extends agent functionality to allow authentication to any website login page.
Authentication API for .NET/Java – creates an authentication communication channel for ASP .NET and Java-based websites and applications.
QR Code Authentication for .Net/Java – allows authentication through a web page using client software.
Contact your sales representative for more information: sales@celestix.
Safety Precautions
• Do not overload the AC supply branch circuit that provides power to the server.
• Do not disable the power cord grounding plug. The grounding plug is an important safety feature.
• Plug the power cord into a grounded electrical outlet that is easily accessible at all times.
• Unplug the power cord from the inlet on the appliance rear panel to disconnect power to the server.
• Do not place anything on the power cords or cables.
Product Reclamation and Recycling
Celestix Networks is committed to environmentally responsible behavior. As part of this commitment, we work to comply with environmental standards such as the European Union’s Waste Electrical and Electronic Equipment (WEEE) Directive and the Restriction of Hazardous Substances (RoHS) Directive.
Network Information Worksheet Form

Property | Network Information
Computer Name:
Administrator Password: [Celest1x] (default – change during setup)
Workgroup or Domain name:
Network Adapters (LAN0)
  IP Address:
  Subnet Mask:
  Default Gateway:
  Primary/Secondary DNS Server:
Static Routes
  Network Address:
  Gateway Address:
Network Adapters (LAN1)
  IP Address:
  Subnet Mask:
  Default Gateway:
  Primary/Secondary DNS Servers:
  Primary/Secondary WINS Servers:
Network Adapters (LAN2 +)