« February 2010 | Main | April 2010 »

March 2010

March 26, 2010

Deploying AuthAnvil SoftTokens to Blackberry devices with BES Enterprise Express

It is an exciting time for Blackberry users. Recently Research In Motion released the Blackberry BES Server Enterprise Express, allowing small and midsized businesses to take advantage of these powerful smartphones on a Small Business Server. So now you can natively use Windows Mobile, iPhone and Blackberry devices to fully connect to your Exchange infrastructure on SBS.

Totally cool.

Of course, it also means that these devices can benefit from using an AuthAnvil SoftToken. Now when logging into Remote Web Workplace protected with AuthAnvil, your users can use these devices to generate the next one time password (OTP) to log in. That's right. No more need to care a hardware token when their Blackberry device can generate those same OTPs as the keyfob tokens. And you can use these devices to protect server and workstation logon, as well as VPN.

One problem though. A bug currently exists in the way a BES server handles digital certificates in the secure HTTP streams. It seems that RIM is aware of this problem and has issued KB article 20477 informing users they need to upgrade their BES server 4.1.7. Of course, at this point there isn't a fix for the Express edition, leaving SBS users on their own.

However, there is a workaround. Customers deploying AuthAnvil SoftTokens via BES Enterprise Express will need to ensure their users complete the following:

  1. On the BlackBerry smartphone, select Options>Security Options>Advanced Security Options>TLS and change the TLS Default from Proxy to Handheld.  This will allow the BlackBerry smartphone to parse the certificate directly, which does not have the problem with the Subject Alternative Name.
  2. Not all certificates require or use the Subject Alternative Name.  If you have control over the HTTPS site, you could import a new certificate without that field.

By doing this, you will be able to properly activate your SoftToken through the BES server. Once you securely receive your key, the AuthAnvil SoftToken will never need to communicate through BES again.

Many thanks to Sean Tindall from BulletProof InfoTech for helping us to properly evaluate, test and fix this issue on SBS 2008.

Posted at 03:36 PM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

March 19, 2010

Protecting access to Connectwise 2010 with AuthAnvil

Your Professional Services Automation (PSA) tool is one of your most vital pieces of your company if you are a Managed Service Provider (MSP). It is the heart of your business, where most of your most critical and sensitive information is stored.

With the latest release of ConnectWise 2010, you can now safeguard the access to that information with AuthAnvil. Yep. That's right. You can use the same AuthAnvil strong authentication credential to log into ConnectWise as you do with your desktop and server logins.

Setting it up is not really that hard:

Step 1 – Set up the AuthAnvil Setup Table

  1. Log into ConnectWise.
  2. Expand the Setup tab.
  3. Open Setup Tables.
  4. Enter “AuthAnvil” into the Table field and click search. This will return the AuthAnvil Setup Table.
     
  5. Open the AuthAnvil Setup Table.
  6. Select either http or https. NOTE: HTTP is an insecure protocol and is not recommended for a production environment.
  7. Enter your AuthAnvil server name or IP address. NOTE: In ConnectWise, unlike regular AuthAnvil Agents, you do not have to append /AuthAnvilSAS/SAS.asmx to the end of the URL. NOTE 2: If you are using an HTTPS connection, the server name must match the FQDN on the SSL certificate assigned to the server.
  8. Enter your AuthAnvil Site ID into the SiteID field.
  9. Click Save.
  10. Click the Test Connection button and verify successful connection.

    clip_image002

Step 2 – Assign members to use AuthAnvil for Two-Factor Authentication

  1. Log into ConnectWise.
  2. Expand the Setup tab.
  3. Open Members.
  4. Browse to a member that you would like to have use AuthAnvil authentication for ConnectWise login. 
  5. Make sure the member ID in ConnectWise matches the AuthAnvil username.
  6. Scroll to the bottom of the member screen and select AuthAnvil from the Service drop down.

    image
  7. Click Save.
  8. Repeat steps 3 – 7 for every member who needs to use AuthAnvil authentication.

Step 3 – Log into ConnectWise using an AuthAnvil-protected user

  1. Log into ConnectWise using the regular method. After you enter your username and password, you will be presented with the following screen:


  2. Enter your AuthAnvil PIN in the PIN field.
  3. Enter the next one-time password generated by your token in the Token field.
  4. Click Login.

That's it! Now you can selectively decide who needs strong authentication enforcement, and who does not. Sensitive accounts with critical information can now require an identity assurance check, using the very infrastructure you already have deployed to manage and safeguard remote access to client networks and systems.

Many thanks to the folks at ConnectWise for integrating AuthAnvil support right into their product. It is an excellent value add that really helps to safeguard the very information that is the HEART of an MSP business. Information assurance, along with identity assurance, is a critical component of any MSP, and we are pleased to see such integration with our partners.

Posted at 04:23 PM in In the Trenches, Tips & Tricks | | Comments (0) | TrackBack (0)

| |

Visit Our Company Website
Subscribe to this blog's feed

Categories

Archives

More...

Become a Fan

Connect With Us