ZyXEL Communications ZyWALL OTPv2 Support Notes
Table of Contents
1 Introduction
2 Server Installation
Pre-Requisites
Installation on Windows Server 2003 Enterprise Service Pack 1
Installation on Windows Server 2008 R2
3 OTP Authentication to an OTP-Protected Network via SSL VPN over ZyWALL USG
ZyWALL USG Configuration
SafeWord Server Configuration
Verify OTP via Login from the Remote PC
4 OTP Authentication to an OTP-Protected Network via IPSec VPN Client over the ZyWALL USG
ZyWALL USG Configuration
SafeWord Server Configurations
ZyWALL IPSec VPN Client Configuration
Verify OTP via Login from the VPN Client
5 OTP Troubleshooting
ZyWALL OTPv2
Support Notes
Revision 1.10
December, 2010
Written by CSO
Summary of Contents for ZyXEL Communications ZyWALL OTPv2
Page 1
ZyWALL OTPv2 Support Notes Revision 1.10 December, 2010 Written by CSO...
Page 2: Table Of Contents
4.1 ZyWALL USG Configuration ..... 52
4.2 SafeWord Server Configurations ..... 55
4.3 ZyWALL IPSec VPN Client Configuration ..... 59
4.4 Verify OTP via Login from the VPN Client ..... 61
5. OTP Troubleshooting ..... 63
All contents copyright © 2010 ZyXEL Communications Corporation.
Page 3: Introduction
The illustration shows the concept of Two-Factor authentication: User PIN and Token code. User PIN is what you know and Token code is what you have.
Page 4
It stores the Token serial numbers and Token seed used to generate OTP. The database server listens on port 5010 by default and only the Administration service and Authentication engines can query it directly.
Page 5
SafeWord Administration Service. You can use this to import Tokens (add Token serial numbers to the SafeWord database) or back up and restore Token data. It also lets you view and manage all imported Tokens.
Page 6
An agent can be installed only if its supporting (base) software components exist. Otherwise the agent will not appear for selection in the installation components window. For example, the RADIUS server agent can only be installed when the IAS has already been set up.
Page 7: Server Installation
2.2 Installation on Windows Server 2003 Enterprise Service Pack 1 Step1. Prepare the Active Directory Click on Start > Manage Your Server to open the installation wizard. Click “Add or remove a role” to configure it.
Page 8
Select to install the Domain Controller (Active Directory). Fill in the full DNS name for the new domain. Click Next to continue the installation process. When the process is done, Active Directory will be installed and ready.
Page 9
Click Start > Control Panel > Add or Remove Programs > Windows Components Wizard > Networking Services > Internet Authentication Service to install the component. After the installation, you can execute it through Start > Administrative Tools > IAS.
Page 10
Below is a flow chart-type snapshot of the installation process and the step-by-step installation. Users can check for more detailed information in chapter 2 “Installing and Activating SafeWord 2008” of SafeWord 2008 Administration Guide on the SafeNet website.
Page 12
Certificate is in the format NSXX-XXXX-XXXX-XXXX), then click OK. 3 If there is a new version available, the software will download it automatically during the installation process. 4 Review the License Agreement, then click Yes to accept it.
Page 13
7 Make your selections, and then click Next. 8 Make any needed changes in the Select Program Folder window, then click Next. 9 Review the information in the Start Copying Files window, then click Next.
Page 14
12 When the Host Address window appears, enter the Fully Qualified Domain Name to which this machine belongs, and then click Next. If you do not know the domain, click Query to obtain it from your DNS Server.
Page 15
“Finishing the installation”. 15 During installation, windows will appear and disappear, and the installation will take several minutes to complete. The InstallShield Wizard Complete window appears when the installation is finished.
Page 16
17 Users can verify the server status to make sure the installation is correct. Click Start > Aladdin > SafeWord > Configuration > Server Configuration to enable the Utility. 18 Status of all the server components should be “Active” for a successful installation.
Page 17
(to verify) an Administrator password. This Administrator password is not your Windows Administrator password. If you have (or plan to have) multiple management consoles, you must use the same Administrator password for all installations.
Page 18
7 The SafeWord Activation window appears showing the license activation and token import progress. Upon completion, the activation file key.html is downloaded to <Install_Dir>\Aladdin\SafeWord\ImportData. This is the key to activate your software and your token
Page 19
11 and continue. If you want to download the activation package for your customers to use, please create the RCR.txt file first and follow the steps below. The process for creating RCR.txt file is
Page 20
10 Right click on each link and select the Save Target As option. Save the files onto the SafeWord Server and unzip them. 11 Rename the license file to key.html. (For example, change the name from NSxx-xxxx-xxxx-xxxx.html to key.html)
Page 21
14 To verify the activation, browse to <Install_Dir>\SERVERS\AdminServer\activation. A successfully processed license file will be renamed to key.activated.html. 15 After successful activation, the support expiration date will display a value of the valid expiration date.
Page 22
18 When the process is done, you will see the corresponding tokens are already in the Tokens folder. The SafeWord activation is complete. For more information, users can click the “SafeWord Activation” link to perform on-line activation. Please refer to the following manual: http://www.aladdin.com/pdf/safeword/Safeword-Products-Activation.pdf
Page 23: Installation On Windows Server 2008 R2
Step1. Prepare the Active Directory Click Start > Administrative Tools > Server Manager to open the installation wizard. Click Roles > Add Roles to configure Server components. Select to install the Active Directory Domain Server.
Page 24
After the installation is ready, click the hyperlink to run the Active Directory Domain Service installation wizard. The wizard page will appear for the installation. Select to create a new domain if installing on a new AD server.
Page 25
Fill in the full DNS name for the new domain. Select “Windows Server 2008 R2” as the functional level. The “DNS server” option is not mandatory for SafeWord server installation.
Page 26
Click Next to continue the installation process. After the process is done, the Active Directory will be installed and ready. You have to restart the computer for Active Directory Domain Services to take effect.
Page 27
Click Start > Administrative Tools > Server Manager to open the installation wizard. Click Roles > Add Roles to configure Server components. Select the Network Policy and Access Services and go into the detailed settings.
Page 28
Select to install the Network Policy Server. After the installation is complete, the results will be displayed on the page. You can execute it through Start > Administrative Tools > Network Policy Server.
Page 29
Below is a flow chart-type snapshot of the installation process and the step-by-step installation. Users can check for more detailed information in chapter 2 “Installing and Activating SafeWord 2008” of SafeWord 2008 Administration Guide on the SafeNet website.
Page 31
Certificate is in the format NSXX-XXXX-XXXX-XXXX), then click OK. 3 If there is a new version available, the software will download it automatically during the installation process. 4 Review the License Agreement, then click Yes to accept it.
Page 32
9 Review the information in the Start Copying Files window, then click Next. 10 Select preferred user management. Here, leave the default setting “I will manage users in Active Directory”, then click Next.
Page 33
SafeWord Server is to be installed, then click Next. 14 During installation, windows will appear and disappear, and installation will take several minutes to complete. The InstallShield Wizard Complete window appears when the installation is finished.
Page 34
15 After the software installation is complete, go to Service to start the SafeWord User Center service. 16 Users can verify the server status to make sure the installation is correct. Click Start > Aladdin > SafeWord > Configuration > Server Configuration to enable the Utility.
Page 35
, before you can complete and submit an activation form. After activating, your information will be verified, and the activation key and token records will be downloaded automatically for ADUC, and manually if you are not using ADUC.
Page 36
Windows Administrator password. If you have (or plan to have) multiple management consoles, you must use the same Administrator password for all installations. 2 Click OK when done. 3 Right-click on the SafeWord folder and select Activate Product.
Page 37
9 The Activations Complete window displays with important download and installation information. To manually save the files from this window, right click on each file name, and then select the Save Target As option.
Page 38
5 Click the Continue button. The SafeWord Activation page appears. 6 Click the Browse button and retrieve the RCR.txt file you saved earlier in this process. The file name displays in the Support Data File field
Page 39
13 Restart the SafeWord Administration Server and Authentication Engine by browsing to Start > Programs > Administrative Tools > Services, right click on SafeWord Administration Server and select Restart (repeat for the Authentication Engine).
Page 40
15 After successful activation, the support expiration date will display a value of the valid expiration date. 16 Import the token by clicking the Import Tokens button.
Page 41
18 When the process is done, you will see the corresponding tokens are already in the Tokens folder. The SafeWord activation is complete. For more information, users can click the “SafeWord Activation” link to perform on-line activation. Please refer to the following manual: http://www.aladdin.com/pdf/safeword/Safeword-Products-Activation.pdf
Page 42: OTP Authentication to an OTP-Protected Network via SSL VPN over ZyWALL USG
Note: ZyWALL OTP is a stand-alone product, which is not included in the ZyWALL USG package. Network Topology: In this example, we will have one token and we will create user “OTP” who will log into ZyWALL USG with OTP.
Page 43: ZyWALL USG Configuration
Enter the authentication port of the RADIUS server, like Microsoft IAS; the default value is 1812. Enter the Shared secret of the RADIUS server in the Key field. Select the Group Membership Attribute; the default value is 11.
Page 44
1) Go to CONFIGURATION > Object > SSL Application and click the “Add” button to create an SSL VPN application object. 2) For example, create a web application to remotely access the FTP server via SSL VPN.
Page 45
Select the User/Group object to apply this policy to. Select the application object this policy applies to. Select the address object to be used if needed. Click the “OK” button to finish the configuration.
Page 46: SafeWord Server Configuration
1) Enter the name for the rule. 2) The Client address is the ZyWALL USG’s interface IP address used to access the IAS. 3) Click the “Next” button for the next step.
Page 47
4) Enter the Shared secret; this is the “Key” in the ZyWALL USG AAA Server setting. 5) Click the “Finish” button to finish the configuration. 6) The new OTP client has been created.
Page 48
4) Enter the serial number of the assigned token. If needed, enter the PIN code for it. (This one is used as the Password when logging into the ZyWALL USG.) 5) After the configuration, you can click the “Tokens” link and check the token status.
Page 49
2) Search for the string: “# Set this to 'on' to force SoftPin to precede the password” 3) At the command “Pin_Before_Password=off”, change the value to ‘on’. 4) Reload the SafeWord server.
Page 50: Verify OTP via Login from the Remote PC
Password generated by the token. 2) Click the “SSL VPN” button to submit login information. 3) Once the OTP works correctly, you will see the SSL application that is configured for the user to use.
Page 51: OTP Authentication to an OTP-Protected Network via IPSec VPN Client over the ZyWALL USG
Note: ZyWALL OTP is a stand-alone product, which is not included in the ZyWALL USG package. Network Topology: In this example, we will have one token and we will create user “OTP” who will be the authenticator to establish the IPSec VPN tunnel to ZyWALL USG.
Page 52: ZyWALL USG Configuration
Enter the authentication port of the RADIUS server, like Microsoft IAS; the default value is 1812. Enter the Shared secret of the RADIUS server in the Key field. Select the Group Membership Attribute; the default value is 11.
Page 53
Step4. Configure the IPSec VPN Gateway policy. 1) Go to CONFIGURATION > VPN > IPSec VPN and then navigate to the VPN Gateway page. 2) Enter the values for VPN phase-1 configuration.
Page 54
Step5. Configure the IPSec VPN Connection policy. 1) Go to CONFIGURATION > VPN > IPSec VPN and then navigate to the VPN Connection page. 2) Enter the values for VPN phase-2 configuration.
Page 55: SafeWord Server Configurations
Step2. Create a RADIUS client. 1) Enter the name for the rule. 2) The Client address is the ZyWALL USG’s interface IP address which accesses the IAS. 3) Click the “Next” button for the next step.
Page 56
4) Enter the Shared secret; this is the “Key” in the ZyWALL USG AAA Server setting. 5) Click the “Finish” button to finish the configuration. 6) The new OTP client has been created.
Page 57
4) Enter the serial number of the assigned token. If needed, enter the PIN code for it (this one is used as the Password when logging into the ZyWALL USG). 5) After the configuration, you can click the “Tokens” link and check the token status.
Page 58
2) Search for the string: “# Set this to 'on' to force SoftPin to precede the password” 3) At the command “Pin_Before_Password=off”, change the value to ‘on’. 4) Reload the SafeWord server.
Page 59: ZyWALL IPSec VPN Client Configuration
4.3 ZyWALL IPSec VPN Client Configurations Step1. Configure the IPSec VPN Phase1 policy. 1) Enter the values for VPN phase-1 configuration. 2) Click the “Advanced Setting” button and click the X-Auth Popup feature.
Page 60
1) Enter the values for VPN phase-2 configuration. 2) Click the “Save & Apply” button to finish the configuration and save it. 3) You can trigger the IPSec VPN tunnel by clicking the “Open Tunnel” button.
Page 61: Verify OTP via Login from the VPN Client
1) There is only a 10 second window to enter the authentication information into the X-Auth window. If you take longer than that, the tunnel will fail to establish. You can see the message on the VPN Console as in the picture below.
Page 62
You can see that the VPN connection status is Connected on the CONFIGURATION > VPN > IPSec VPN > VPN Connection page. You can also check the IPSec VPN SA on the MONITOR > VPN Monitor > IPSec page.
Page 63: OTP Troubleshooting
Does the ACL entry restrict access to the requested resource? (5) Token import fails: If all/some import records are rejected: Check to see if the authenticators had been previously imported (the Event Viewer in ADUC, check by event type)
Page 64
For Windows, use the “netstat -an” command, then search the output manually for active ports. Server(s) not responding: Use the configuration utility to check the server status as below. Restart server(s).