ZyXEL Communications ZyWALL OTPv2 Support Notes


ZyWALL OTPv2
Support Notes
Revision 1.10
December, 2010
Written by CSO

Summary of Contents for ZyXEL Communications ZyWALL OTPv2

  • Page 2: Table Of Contents

    4.1 ZyWALL USG Configuration ......................... 52
    4.2 SafeWord Server Configurations ...................... 55
    4.3 ZyWALL IPSec VPN Client Configuration .................... 59
    4.4 Verify OTP via Login from the VPN Client ................... 61
    5. OTP Troubleshooting ............................ 63
    All contents copyright © 2010 ZyXEL Communications Corporation.
  • Page 3: Introduction

    The illustration shows the concept of two-factor authentication: User PIN and Token code. The User PIN is what you know and the Token code is what you have.
  • Page 4 It stores the Token serial numbers and the Token seed used to generate OTP. The database server listens on port 5010 by default, and only the Administration service and the Authentication engines can query it directly.
  • Page 5 SafeWord Administration Service. You can use this to import Tokens (add Token serial numbers to the SafeWord database) or back up and restore Token data. It also lets you view and manage all imported Tokens. Backups of this data contain the Token seeds and must be protected like key material.
  • Page 6 An agent can be installed only if its supporting (base) software components exist. Otherwise the agent will not appear for selection in the installation components window. For example, the RADIUS server agent can only be installed when IAS has already been set up.
  • Page 7: Server Installation

    2.2 Installation on Windows Server 2003 Enterprise Service Pack 1. Step 1. Prepare the Active Directory. Click Start > Manage Your Server to open the installation wizard. Click "Add or remove a role" to configure it.
  • Page 8 Select to install the Domain Controller (Active Directory). Fill in the full DNS name for the new domain. Click Next to continue the installation process. When the process is done, Active Directory will be installed and ready.
  • Page 9 Click Start > Control Panel > Add or Remove Programs > Windows Components Wizard > Networking Services > Internet Authentication Service to install the component. After the installation, you can run it from Start > Administrative Tools > IAS.
  • Page 10 Below is a flow-chart snapshot of the installation process and the step-by-step installation. Users can find more detailed information in chapter 2, "Installing and Activating SafeWord 2008", of the SafeWord 2008 Administration Guide on the SafeNet website.
  • Page 12 Certificate is in the format NSXX-XXXX-XXXX-XXXX), then click OK. 3 If there is a new version available, the software will download it automatically during the installation process. 4 Review the License Agreement, then click Yes to accept it.
  • Page 13 7 Make your selections, and then click Next. 8 Make any needed changes in the Select Program Folder window, then click Next. 9 Review the information in the Start Copying Files window, then click Next.
  • Page 14 12 When the Host Address window appears, enter the Fully Qualified Domain Name to which this machine belongs, and then click Next. If you do not know the domain, click Query to obtain it from your DNS server.
  • Page 15 "Finishing the installation". 15 During installation, windows will appear and disappear, and the installation will take several minutes to complete. The InstallShield Wizard Complete window appears when the installation is finished.
  • Page 16 17 The user can verify the server status to make sure the installation is correct. Click Start > Aladdin > SafeWord > Configuration > Server Configuration to open the utility. 18 The status of all the server components should be "Active" for a successful installation.
  • Page 17 (to verify) an Administrator password. This Administrator password is not your Windows Administrator password. If you have (or plan to have) multiple management consoles, you must use the same Administrator password for all installations.
  • Page 18 7 The SafeWord Activation window appears showing the license activation and token import progress. Upon completion, the activation file key.html is downloaded to <Install_Dir>\Aladdin\SafeWord\ImportData. This is the key to activate your software and your token
  • Page 19 11 and continue. If you want to download the activation package for your customers to use, please create the RCR.txt file first and follow the steps below. The process for creating the RCR.txt file is
  • Page 20 10 Right-click on each link and select the Save Target As option. Save the files on to the SafeWord Server and unzip them. 11 Rename the license file to key.html. (For example, change the name from NSxx-xxxx-xxxx-xxxx.html to key.html.)
  • Page 21 14 To verify the activation, browse to <Install_Dir>\SERVERS\AdminServer\activation. A successfully processed license file will be renamed to key.activated.html. 15 After successful activation, the support expiration date will display the valid expiration date.
  • Page 22 18 When the process is done, you will see that the corresponding tokens are already in the Tokens folder. The SafeWord activation is complete. For more information, users can click the "SafeWord Activation" link to perform on-line activation. Please refer to the following manual: http://www.aladdin.com/pdf/safeword/Safeword-Products-Activation.pdf
  • Page 23: Installation On Windows Server 2008 R2

    Step 1. Prepare the Active Directory. Click Start > Administrative Tools > Server Manager to open the installation wizard. Click Roles > Add Roles to configure server components. Select to install Active Directory Domain Services.
  • Page 24 After the installation is ready, click the hyperlink to run the Active Directory Domain Services Installation Wizard. The wizard page will appear for the installation. Select to create a new domain if installing on a new AD server.
  • Page 25 Fill in the full DNS name for the new domain. Select "Windows Server 2008 R2" as the functional level. The "DNS server" option is not mandatory for the SafeWord server installation.
  • Page 26 Click Next to continue the installation process. After the process is done, Active Directory will be installed and ready. You have to restart the computer for Active Directory Domain Services to take effect.
  • Page 27 Click Start > Administrative Tools > Server Manager to open the installation wizard. Click Roles > Add Roles to configure server components. Select Network Policy and Access Services and continue to the detailed settings.
  • Page 28 Select to install the Network Policy Server. After the installation is complete, the results will be displayed on the page. You can run it from Start > Administrative Tools > Network Policy Server.
  • Page 29 Below is a flow-chart snapshot of the installation process and the step-by-step installation. Users can find more detailed information in chapter 2, "Installing and Activating SafeWord 2008", of the SafeWord 2008 Administration Guide on the SafeNet website.
  • Page 31 Certificate is in the format NSXX-XXXX-XXXX-XXXX), then click OK. 3 If there is a new version available, the software will download it automatically during the installation process. 4 Review the License Agreement, then click Yes to accept it.
  • Page 32 9 Review the information in the Start Copying Files window, then click Next. 10 Select the preferred user management. Here, leave the default setting "I will manage users in Active Directory", then click Next.
  • Page 33 SafeWord Server is to be installed, then click Next. 14 During installation, windows will appear and disappear, and the installation will take several minutes to complete. The InstallShield Wizard Complete window appears when the installation is finished.
  • Page 34 15 After the software installation is complete, go to Services to start the SafeWord User Center service. 16 The user can verify the server status to make sure the installation is correct. Click Start > Aladdin > SafeWord > Configuration > Server Configuration to open the utility.
  • Page 35 , before you can complete and submit an activation form. After activating, your information will be verified, and the activation key and token records will be downloaded automatically for ADUC, and manually if you are not using ADUC.
  • Page 36 Windows Administrator password. If you have (or plan to have) multiple management consoles, you must use the same Administrator password for all installations. 2 Click OK when done. 3 Right-click on the SafeWord folder and select Activate Product.
  • Page 37 9 The Activations Complete window displays important download and installation information. To save the files from this window manually, right-click on each file name and then select the Save Target As option.
  • Page 38 5 Click the Continue button. The SafeWord Activation page appears. 6 Click the Browse button and retrieve the RCR.txt file you saved earlier in this process. The file name displays in the Support Data File field
  • Page 39 13 Restart the SafeWord Administration Server and Authentication Engine by browsing to Start > Programs > Administrative Tools > Services, right-clicking on SafeWord Administration Server and selecting Restart (repeat for the Authentication Engine).
  • Page 40 15 After successful activation, the support expiration date will display the valid expiration date. 16 Import the tokens by clicking the Import Tokens button.
  • Page 41 18 When the process is done, you will see that the corresponding tokens are already in the Tokens folder. The SafeWord activation is complete. For more information, users can click the "SafeWord Activation" link to perform on-line activation. Please refer to the following manual: http://www.aladdin.com/pdf/safeword/Safeword-Products-Activation.pdf
  • Page 42: OTP Authentication to an OTP-Protected Network via SSL VPN over ZyWALL USG

    Note: ZyWALL OTP is a stand-alone product, which is not included in the ZyWALL USG package. Network Topology: In this example, we will have one token and we will create the user "OTP", who will log into the ZyWALL USG with OTP.
  • Page 43: ZyWALL USG Configuration

    - Enter the authentication port of the RADIUS server (for example, Microsoft IAS); the default value is 1812.
    - Enter the shared secret for the RADIUS server in the Key field. It must match the secret entered for this USG in the SafeWord RADIUS client entry.
    - Select the Group Membership Attribute; the default value is 11 (Filter-Id).
  • Page 44 1) Go to CONFIGURATION > Object > SSL Application and click the "Add" button to create an SSL VPN application object. 2) For example, create a web application to remotely access the FTP server via SSL VPN.
  • Page 45
    - Select the User/Group object to apply this policy to.
    - Select the application object this policy applies to.
    - Select the address object to be used, if needed.
    - Click the "OK" button to finish the configuration.
  • Page 46: SafeWord Server Configuration

    1) Enter the name for the rule. 2) The Client address is the ZyWALL USG's interface IP address used to access the IAS. 3) Click the "Next" button for the next step.
  • Page 47 4) Enter the Shared secret; this is the "Key" in the ZyWALL USG AAA Server setting. 5) Click the "Finish" button to finish the configuration. 6) The new OTP client has been created.
  • Page 48 4) Enter the serial number of the assigned token. If needed, enter the PIN code for it. (The PIN forms the first part of the Password when logging into the ZyWALL USG; see the Pin_Before_Password setting on Page 49.) 5) After the configuration, you can click the "Tokens" link and check the token status.
  • Page 49 # Set this to 'on' to force SoftPin to precede the password. 2) Search for the string "Pin_Before_Password=off". 3) Change the value of Pin_Before_Password to 'on'. 4) Reload the SafeWord server. With this setting, the user enters the PIN immediately followed by the token code in the Password field.
  • Page 50: Verify OTP via Login from the Remote PC

    Password generated by the token. 2) Click the "SSL VPN" button to submit the login information. 3) Once the OTP works correctly, you will see the SSL application configured for the user.
  • Page 51: OTP Authentication to an OTP-Protected Network via IPSec VPN Client over the ZyWALL USG

    Note: ZyWALL OTP is a stand-alone product, which is not included in the ZyWALL USG package. Network Topology: In this example, we will have one token and we will create the user "OTP", who will authenticate (X-Auth) to establish the IPSec VPN tunnel to the ZyWALL USG.
  • Page 52: ZyWALL USG Configuration

    - Enter the authentication port of the RADIUS server (for example, Microsoft IAS); the default value is 1812.
    - Enter the shared secret for the RADIUS server in the Key field.
    - Select the Group Membership Attribute; the default value is 11 (Filter-Id).
  • Page 53 Step 4. Configure the IPSec VPN Gateway policy. 1) Go to CONFIGURATION > VPN > IPSec VPN and then navigate to the VPN Gateway page. 2) Enter the values for the VPN phase-1 configuration, including Extended Authentication (X-Auth) with the authentication method that uses the RADIUS server, so that the client is prompted for the OTP user's credentials.
  • Page 54 Step 5. Configure the IPSec VPN Connection policy. 1) Go to CONFIGURATION > VPN > IPSec VPN and then navigate to the VPN Connection page. 2) Enter the values for the VPN phase-2 configuration.
  • Page 55: SafeWord Server Configurations

    Step 2. Create a RADIUS client. 1) Enter the name for the rule. 2) The Client address is the ZyWALL USG's interface IP address that accesses the IAS. 3) Click the "Next" button for the next step.
  • Page 56 4) Enter the Shared secret; this is the "Key" on the ZyWALL USG AAA Server setting. 5) Click the "Finish" button to finish the configuration. 6) The new OTP client has been created.
  • Page 57 4) Enter the serial number of the assigned token. If needed, enter the PIN code for it (the PIN forms the first part of the Password when logging into the ZyWALL USG; see the Pin_Before_Password setting on Page 58). 5) After the configuration, you can click the "Tokens" link and check the token status.
  • Page 58 # Set this to 'on' to force SoftPin to precede the password. 2) Search for the string "Pin_Before_Password=off". 3) Change the value of Pin_Before_Password to 'on'. 4) Reload the SafeWord server. With this setting, the user enters the PIN immediately followed by the token code in the Password field.
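    The following is an added example, not code from ZyXEL or SafeWord, showing what the configuration on Pages 43 and 52 (RADIUS authentication port 1812, shared secret, Group Membership Attribute 11) and on Pages 46 to 49 and 55 to 58 (the SafeWord RADIUS client entry and Pin_Before_Password) produces on the wire. The ZyWALL USG acts as the RADIUS client (NAS): it hides the typed password with the shared secret and the Request Authenticator, sends User-Name and User-Password, and must check the Response Authenticator before it trusts an Access-Accept and reads the group from Filter-Id. The `safeword_radius_agent` function is a stand-in for the SafeWord RADIUS agent, and the shared secret, PIN, token code and group string are assumed values constructed for the example.

```python
# Added example (not ZyXEL or SafeWord code): a minimal RADIUS PAP exchange as the
# ZyWALL USG (the NAS) and the SafeWord RADIUS agent (the server) perform it over
# UDP 1812. Standard library only; secret, PIN, token code and group are assumed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_FILTER_ID = 11  # the USG's default "Group Membership Attribute" (Filter-Id)

def otp_password(pin, token_code, pin_before_password=True):
    """The single password the user types at the VPN login. With
    Pin_Before_Password=on SafeWord expects PIN then token code; with it off,
    token code then PIN. The USG forwards whatever was typed, unchanged."""
    return pin + token_code if pin_before_password else token_code + pin

def pap_xor(data, secret, authenticator, reveal=False):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if reveal else block
    return out

def hide_password(password, secret, authenticator):
    return pap_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator)

def reveal_password(ciphertext, secret, authenticator):
    return pap_xor(ciphertext, secret, authenticator, reveal=True).rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, username, password, secret, authenticator=None):
    """NAS side. The Request Authenticator must be fresh random bytes per request:
    reusing it reuses the keystream that hides the password."""
    ra = authenticator or os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def build_response(code, request, secret, attrs):
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """NAS side: trust an Access-Accept only if its authenticator checks out against
    this request's Request Authenticator, identifier and the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def safeword_radius_agent(request, secret, users):
    """Stand-in for the SafeWord RADIUS agent with Pin_Before_Password=on: reveal the
    password, compare it with PIN+token code and answer Accept with the user's
    group in Filter-Id (attribute 11), otherwise Reject."""
    code, _, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return build_response(ACCESS_REJECT, request, secret, [])
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    typed = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    rec = users.get(user)
    if rec and hmac.compare_digest(typed, otp_password(rec["pin"], rec["token_code"]).encode()):
        return build_response(ACCESS_ACCEPT, request, secret, [(ATTR_FILTER_ID, rec["group"].encode())])
    return build_response(ACCESS_REJECT, request, secret, [])

if __name__ == "__main__":
    secret = b"zywall-usg-shared-secret"  # the "Key" on the USG AAA Server page (assumed value)
    users = {"OTP": {"pin": "1234", "token_code": "837291", "group": "otp-users"}}  # constructed
    req = build_access_request(7, "OTP", otp_password("1234", "837291"), secret)
    resp = safeword_radius_agent(req, secret, users)
    print("code", resp[0], "authentic", verify_response(resp, req, secret))
```

    Two points the exchange makes visible: the password is only hidden by an MD5 keystream derived from the shared secret, so the Key on the USG should be long and random and the path between the USG interface and the SafeWord server kept on a trusted segment; and a reply is only as good as its Response Authenticator, so an Accept with a forged or altered Filter-Id fails verification and must not grant group membership. Typing the token code before the PIN while Pin_Before_Password=on is rejected, which is the first thing to check when a token that imports cleanly still fails to log in.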
  • Page 59: ZyWALL IPSec VPN Client Configuration

    4.3 ZyWALL IPSec VPN Client Configurations. Step 1. Configure the IPSec VPN Phase 1 policy. 1) Enter the values for the VPN phase-1 configuration. 2) Click the "Advanced Setting" button and enable the X-Auth Popup feature.
  • Page 60 1) Enter the values for the VPN phase-2 configuration. 2) Click the "Save & Apply" button to finish the configuration and save it. 3) You can trigger the IPSec VPN tunnel by clicking the "Open Tunnel" button.
  • Page 61: Verify OTP via Login from the VPN Client

    1) There is only a 10-second window to enter the authentication information into the X-Auth window. If you take longer, the tunnel will fail to establish, so have the PIN and a fresh token code ready before opening the tunnel. You can see the message on the VPN Console as in the picture below.
  • Page 62 You can see that the VPN connection status is Connected on the CONFIGURATION > VPN > IPSec VPN > VPN Connection page. You can also check the IPSec VPN SA on the MONITOR > VPN Monitor > IPSec page.
  • Page 63: OTP Troubleshooting

    Does an ACL entry restrict access to the requested resource? (5) Token import fails: if all or some import records are rejected, check whether the authenticators had been previously imported (in the Event Viewer in ADUC, filter by event type).
  • Page 64 For Windows, use the "netstat -an" command, then search the output manually for listening ports (for example, port 5010 for the SafeWord database server, see Page 4). Server(s) not responding: use the configuration utility to check the server status as below, then restart the server(s).
