Configuration

Start the Bomgar Verify Admin GUI and select the “Config” menu.

The Config page has fourteen sections that can be configured:

These allow parameter changes to be made to the Bomgar Verify Security Server. All of these settings can be applied on a per Domain basis, except "Logging", which is a global setting for the whole Security Server.

Admin GUI Config Menu

License Upgrade

The current license can be upgraded easily by copying and pasting the new license string into the “upgrade license” window within the Config page. Confirm the replacement by clicking “update”. The user count is rechecked daily, but a recount can be forced by selecting “Force Recount Now”.

Thereafter "Enable Per Domain License Quota" can be enabled; this allows a quota to be applied per domain. The LDAP domain is selected from the drop-down menu, and once selected a quota of licensed users can be applied to that domain.

Tokenless Types

There are two Enable checkboxes for the Token types, and each of these can be assigned on a per domain basis. The first dictates which Token types are available for the relevant domain. The second enables the user to switch between different Token types via the "Manage My Token" page (https://machine.domain.com/secenrol).

Passcodes can be delivered via SMS.

Passcodes can be delivered via email; email setup is done via the Advanced Config wizard. The user is then set up for "Passcodes via Email" under the "User" tab of the admin GUI. Bomgar Verify does not believe that the user should be given the option to select email, as SMTP is not an encrypted protocol and may not be using TLS; Bomgar Verify believes that administrators should be in control of whether email is used for passcode delivery. An example: Blackberry systems encrypt email delivery to the end device.

The default is to “pre-load” the SMS delivery: the passcode is sent when a user is first enabled and refreshed at the time of logon.

The system can be enabled so that either a single or three One Time Passcodes are sent within each SMS message. This caters for users who are in an area that has weak or erratic mobile phone signal.

Bomgar Verify has the ability to send the passcode in “real time”. Once enabled, the system delivers a “real time” passcode when the user requests it. The passcode then has a certain amount of time to live before expiry (configured in minutes, 1-99). To enable this function, tick the checkbox and set the prompt that the user should see (default = Enter your 6 digit passcode). Real time SMS delivery can be enabled on a per-user basis, or set globally for new users by enabling the “New User have real time by default” checkbox.

The Day Code mode automates the process of changing passcodes every set number of days, this can be in the range of 1-99 days. Day codes are reusable passcodes that are automatically changed every xx days (Global Default User Days) at a pre-defined day and time (Day Code Send Time). Global Default User Days is used on all new users as the default and can be changed for each user. Additional logic can be applied where a new Day code is only sent if the previous one has been authenticated.

To enable the use of Soft Tokens on the Bomgar Verify server, check the “Enable” box; this must be completed on all Bomgar Verify servers that are to be used for “Soft Token” support. This allows a Soft Token to be used on a mobile phone. To support PC or Mac based Soft Tokens, enable the “Allow Laptops” checkbox. The soft token refresh rate can be set to 60 seconds if preferred, but the default is 30.

SE Administrators can allow users to use Oneswipe Online (push) and Oneswipe Offline (QR Code / NFC Offline Logon) per domain. Access to soft tokens can be protected by either biometric Touch ID or the phone's security access PIN code. You can only use Protect App with Touch ID or PIN if you have not enabled push, as push requires your PIN to be entered at login to initiate a push request.

Voice Call brings the ability for a real time interactive voice call for users who cannot receive an SMS.

NOTES: Day Code usage

Note: All servers in all domains must have the same Day Code Send Time set (allowing for any time zone differences) such that they all run at the same time.

The next required passcode will be sent to this user’s mobile phone at 16:00 by default (Day Code Send Time). If "Only Send New Day Code If Used" is selected then the next required Day Code is only sent if the current or previous day codes have been used.

Note: A valid passcode is the current or the previously sent code; this eliminates any SMS delays or intermittent signal loss within a 24 hour period.

TMP and Static Code

This setting controls what happens to a user once their temporary static code status has been exhausted; the global setting reverts them either to a One Time Passcode or to a Day Code.

When testing, it is beneficial to be able to allow a "Static code", as the SMS or Voice gateways may not yet be ready or available. This feature allows end-to-end testing prior to the gateways going live.

All of these settings can be assigned upon a per domain basis.

PIN Management

PIN Management sets up the Security Server either to use each enabled user's Microsoft Windows password as their PIN, or to have Bomgar Verify manage the PIN separately.

If set to Bomgar Verify, the PIN can be 4-8 characters, numeric or alphanumeric. The PIN can be set by the administrator or by the user during the enrolment process.

All of these settings can be assigned upon a per domain basis.

Mobile Number Settings

The system can be set up to validate the mobile number that is entered into the system. The first check ensures the mobile number is of a certain length (length 5-18); in addition, any entered number that is not recognised can be automatically prefixed with a set number. Digits can be removed between specified characters, as can the specified characters themselves; leading digits can be removed or replaced, and country codes manipulated as required.
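As an added example, not part of the product documentation, the validation pipeline described above written in Python with a constructed rule set; the rule names are hypothetical, since the page does not give the Admin GUI field names, and the UK-style prefixes are sample values.

```python
import re

# Constructed rule set standing in for the per-domain Mobile Number Settings.
# The keys are hypothetical (the page does not name the Admin GUI fields) and
# the UK-style prefixes are sample values.
DEFAULT_RULES = {
    "min_len": 5,                       # page: accepted length is 5-18
    "max_len": 18,
    "remove_between": [("(", ")")],     # drop anything between these characters, e.g. "(0)"
    "remove_chars": " -.",              # drop these separator characters
    "replace_leading": {"00": "+", "0": "+44"},  # leading digits to replace or remove
    "default_country_code": "+44",      # prepended when no country code is recognised
}


def normalize_mobile(raw: str, rules: dict = DEFAULT_RULES):
    """Run one entered mobile number through the validation pipeline.

    Returns the normalised number ("+" followed by digits), or None when
    the number should be rejected.
    """
    num = raw.strip()
    # 1. Remove everything between each configured pair of characters.
    for open_c, close_c in rules["remove_between"]:
        pattern = re.escape(open_c) + "[^" + re.escape(close_c) + "]*" + re.escape(close_c)
        num = re.sub(pattern, "", num)
    # 2. Remove the configured separator characters.
    num = "".join(ch for ch in num if ch not in rules["remove_chars"])
    # 3. Length check on the digits actually typed, before any prefix is added.
    digits = re.sub(r"\D", "", num)
    if not rules["min_len"] <= len(digits) <= rules["max_len"]:
        return None
    # 4. Replace (or remove, with an empty replacement) leading digits; the
    #    longest matching configured prefix wins.
    for prefix in sorted(rules["replace_leading"], key=len, reverse=True):
        if num.startswith(prefix):
            num = rules["replace_leading"][prefix] + num[len(prefix):]
            break
    # 5. A number still lacking a country code gets the domain default.
    if not num.startswith("+"):
        num = rules["default_country_code"] + num
    # Anything that is not "+" followed by digits (e.g. stray letters) is rejected.
    return num if re.fullmatch(r"\+\d+", num) else None
```

Note that the remove_between rule is applied before the length check, so a domain whose users type area codes in parentheses needs a different pair configured than one whose users type "(0)".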

All of these settings can be assigned upon a per domain basis.

Integrated Desktop

Direct Password Control

Integrated Desktop is achieved by generating a new Day Code (or Week Code) for enabled users and sending it to the user's registered mobile phone. This is used in combination with the user's secret PIN. The PIN can be alphanumeric in order to satisfy any Windows security policy that requires a number of upper and lower case characters. The Day Code is written in real time to Active Directory at the time of generation.

Sophos SafeGuard Support allows Bomgar Verify to provide 2FA for Sophos SafeGuard. To enable it, tick the “sync to Sophos SafeGuard” box, enter the Sophos Security Officer credentials, and click “update” when complete. For more details on the Sophos SafeGuard integration, see the following integration guide: http://www.securenvoy.com/integrationguides/sophossafeguardsecuraccess.pdf

All of these settings can be assigned upon a per domain basis.

Understanding Direct Password Control

Password Automation changes the Domain password and sends the new one via SMS to all enabled users. This is the dynamic component of the Domain login; a separate static PIN, managed by Bomgar Verify, is required to make up and complete the Domain authentication. Setting the correct number of upper and lower case characters, as well as numerics, allows the passcode to meet the Domain Security policy requirements. Password Automation is enabled on a per-user basis.

Note: Bomgar Verify recommends that Integrated Desktop mode uses LDAP over SSL (LDAPS, port 636) to fully meet all of the above stated requirements of a password reset.

To meet a domain password policy, it is recommended that the PIN is a combination of both upper and lower case. Example PIN = Se12, Passcode =234765, Domain password = Se12234765

Integrated Desktop Management is only supported when using a Day Code; One Time Passcodes are not supported.

To enable the integrated desktop mode of Bomgar Verify, we first need to understand the password reset process.

LDAP Password Modification

The first technique that is always attempted is an LDAP-based password modification. The core of this technique involves modifying the unicodePwd attribute directly. SetPassword does one modification with the “Replace” modification type specified, and “ChangePassword” does two modifications with a Delete and an Add specified, in that order. Active Directory enforces a restriction that any modification to the unicodePwd attribute must be made over an encrypted channel with a cipher strength of 128 bits. Otherwise, the server will reject the attempted modification. This helps ensure that the plaintext password is not intercepted on the network.

Therefore, with this in mind, there are only two ways to accomplish an encrypted tunnel for password modification:

Active Directory supports two mechanisms for channel encryption: SSL and Kerberos. However, only SSL supports the minimum 128-bit cipher strength on all Active Directory platforms. Kerberos-based encryption has been strengthened to meet this requirement on Windows Server 2003 and above. Because the function attempts to work with either version of Active Directory, it always selects only SSL for the channel encryption technique. This is unfortunate, because Kerberos-based encryption works out of the box with Active Directory, but SSL requires additional configuration steps including the acquisition of proper SSL certificates for each participating domain controller.
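Added example, not the product's own code: in Python, the two unicodePwd modification shapes from the passage above, the encrypted-channel rule the server enforces, and how the Integrated Desktop password is composed from PIN and Day Code as in the Se12 example earlier. The modification tuples follow the layout used by the ldap3 library's Connection.modify(); the server URIs and passwords are constructed sample values and no directory is contacted.

```python
"""Build the unicodePwd modifications used by SetPassword and ChangePassword.

Active Directory keeps the password in the unicodePwd attribute. The value
on the wire is the password wrapped in double quotes and encoded as UTF-16LE,
and the server rejects the write unless the channel is encrypted.
"""
import re
from urllib.parse import urlparse

MODIFY_ADD = "MODIFY_ADD"          # constants spelled as in the ldap3 library
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects "<password>" (quotes included) as UTF-16LE with no byte-order mark."""
    return f'"{password}"'.encode("utf-16-le")


def set_password_changes(new_password: str) -> dict:
    """SetPassword: a single Replace of unicodePwd (an administrative reset)."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


def change_password_changes(old_password: str, new_password: str) -> dict:
    """ChangePassword: Delete the old value, then Add the new one, in one modify."""
    return {"unicodePwd": [
        (MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
        (MODIFY_ADD, [encode_unicode_pwd(new_password)]),
    ]}


def channel_permits_password_modify(server_uri: str, start_tls: bool = False,
                                    sasl_sealed: bool = False) -> bool:
    """Client-side mirror of the AD rule: LDAPS (636), StartTLS, or a sealed
    Kerberos/SASL layer (Windows Server 2003 and above) is required."""
    scheme = urlparse(server_uri).scheme
    if scheme == "ldaps":
        return True
    return scheme == "ldap" and (start_tls or sasl_sealed)


def compose_domain_password(pin: str, day_code: str) -> str:
    """Integrated Desktop: domain password = user's PIN followed by the current Day Code."""
    return pin + day_code


def meets_complexity(password: str) -> bool:
    """Upper case, lower case and a digit present, as the PIN guidance above requires."""
    return all(re.search(p, password) for p in (r"[A-Z]", r"[a-z]", r"\d"))
```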

Account Lockout Settings

This can be set between 3-10 concurrent bad authentications since the last good authentication, before the user is disabled. Once disabled, no more passcodes are sent and the user is denied access. If using SMS, the user is sent an alert SMS explaining that their account is now locked.

User accounts can be automatically disabled if there is no authentication activity for (xx) number of days (configurable, default is 90).

User accounts that do not complete an enrolment request within a configurable period are disabled (default is 30 days).

All of these settings can be assigned upon a per domain basis.

GUI Settings

The administration interface is configurable, so that only certain elements are displayed. Use the checkboxes to configure the Admin interface.

These are as follows:

  • GUI Style: the White Background checkbox switches between the light and dark interface
  • Display private mobile: shows or hides the Private Mobile checkbox in the admin GUI
  • Radius attribute settings: configure and control RADIUS settings
  • Offline laptops settings: enable or disable offline passcodes for Integrated Desktop Logon

All of these settings can be assigned upon a per domain basis.

Emergency Helpdesk

The Self Helpdesk allows users to assign themselves a temporary code, or to change their mobile number, in the event that they have no phone signal or no access to their mobile phone. This section controls whether the helpdesk is enabled, whether the user can set their own mobile number, the maximum number of days a temporary code can be assigned for, and how often the helpdesk can be used within a period of time.

All of these settings can be assigned upon a per domain basis.

To use the Self Helpdesk, a user must first enrol and provide answers to two security questions. The enrolment request is sent automatically when a user is first enabled. (This will only occur if the “Allow Helpdesk To Be Used” checkbox has been enabled).

The security questions are read from a template file to allow for customisation. The file path is Security Server\Data\ENROLMENTTEMPLATE\questions.txt within the Bomgar Verify installation directory, e.g. for 32-bit installations:

C:\Program Files\Bomgar\Security server\Data\ENROLMENTTEMPLATE\questions.txt

and for 64-bit installations:

C:\Program Files (x86)\Bomgar\Security server\Data\ENROLMENTTEMPLATE\questions.txt

Note: Enable the helpdesk by ticking the checkbox and then set the parameters of what the user is allowed to do, for example change their own mobile number. When a user is deployed they are sent a URL link to "Enroll". This can be sent either via email or SMS.

SecurPassword

Migration (Unmanaged User Proxy Authentication)

The Migration feature allows users to be migrated to a Bomgar Verify solution from an existing password-only or token solution. Once configured, users can be migrated in stages as required, allowing a smoother transition.

All of these settings can be assigned upon a per domain basis.

Migrations from Password-Only

Users that have not been enabled within Bomgar Verify will need to be members of a group named “sepasswordonly”. This group must be configured within the directory server prior to deployment. These users will then be allowed to authenticate using only their username and password. Once migrated to Bomgar Verify, they can be removed from this group and have a full 2FA experience.

Migration from Third-party Two Factor Token Server

RADIUS authentication is configured to use the Bomgar Verify server. If the user is not enabled within Bomgar Verify, the Bomgar Verify server will act as a proxy, and forward the RADIUS request to the configured third party token server.

Up to two configured third party token servers are supported. IP address, port, shared secret, and timeout information is required. Once configured, the test button will initiate an interactive logon.

Automatic Group Deployment

The Bomgar Verify Security Server is able to provision users. This can be done with the Deployment Wizard (recommended for first-time user deployments), as it allows an extremely granular approach to how users are deployed, or with the Automatic Group Deployment within the admin GUI, which caters for ongoing deployments of users.

The Deployment Wizard is a tool that allows enterprises to carry out an initial deployment to a high number of users easily. It is customisable so that passcodes can be sent to users via SMS or email in one seamless mechanism. The tool can be used in one of two ways: via a graphical user interface for manual deployments, or in command line mode for scripts or batch jobs. It is a separate Bomgar Verify tool, accessed from "Start" - "Programs" - "Bomgar" - "Deployment Wizard".

The Automatic Group Deployment is an embedded feature that allows simple ongoing provisioning of users. A dedicated group of users (only one group per domain is supported) is monitored, and any user added to this group is automatically deployed with the options set in the GUI. If a user is removed from the group, they are automatically unmanaged.

Bomgar Verify has the ability to automatically provision users with its Automatic Group Deployment option. All of these settings can be assigned upon a per domain basis.

The following options are able to be set:

Enable Automatic Deployment

Enables or disables the automatic deployment option, an additional setting allows a time in minutes to be set. This is how often the Automatic Deployment should check for users being added or removed from a group.

Deployment Type

ICE (In Case of Emergency) for emergency users, business continuity, disaster recovery.

Send Passcodes to Mobile / Email

Example: a user stays in the mode in which they were deployed. If deployed with a passcode to mobile, they will always receive a passcode via SMS, as long as the mobile attribute is populated. If it is not, the system will check and then deploy the user by email, and the user then follows the enrolment instructions in the email to update their own mobile number in Bomgar Verify. If a user is deployed via email, they will always stay in that mode.

Note: Mobile or email attribute must be populated.

One Time Code / Real time

Select users to have a One time passcode in "Pre-Load" mode or use "Real time delivery".

Soft Token

Users are deployed with an enrolment message to setup their soft token.

Day Code

Users are deployed with a Day Code. The code refresh interval in (n) days can be set; this is a global setting for all deployed users.

Note: If a group is declared in the Automatic Group Deployment option, the user will be enabled and provisioned, or unmanaged, depending on whether they are a member of the declared group. If "Allow any group" is selected, all users in the domain will be provisioned. Caution: this can cause a high number of users to be provisioned.

Logging

Bomgar Verify has three supported options for logging information. They are –

  • Bomgar Verify log file. This resides locally upon the machine
  • Microsoft Event Log. Bomgar Verify writes log information to the Application Log.
  • Syslog server. Enter the details of your Syslog server.

In Case of Emergency

ICE (In Case Of Emergency) allows the ability to turn on strong, two-factor authentication, for all users in the event of an emergency. The user’s existing Microsoft password is the first factor, and a passcode sent to the user’s mobile phone is the second. There is no need for the user to enrol and remember an additional PIN, and no need for extra tokens or smart cards.

The ICE message content can be directly edited in the admin GUI.

Thereafter a "return to work" message can be configured; this is sent when ICE is turned off once the emergency is over.

All of these settings can be assigned upon a per domain basis.