Bomgar Verify Admin Guide

Verify Server Topology

Bomgar Verify Security Server 8.1 introduces new two-factor authentication (2FA) features, including push notification technology and Near Field Communication (NFC). Push notifications work by delivering an authentication prompt to the notification center or status bar of a user's smartphone. NFC allows a user to authenticate contactlessly with their smartphone. Whether these features can be used depends on the architectural topology of the Bomgar Verify Server implementation. This section of the guide provides guidelines for selecting the topology that delivers all required features of each organization's Bomgar Verify Security Server solution.

Note: This decision must be made before the product is installed, because the topology determines which portals are installed and where they are published.

Internal Server (No External-facing Web Portal)


Advantages of this topology

No external Internet-facing portals. No Internet-facing hardening of the servers is therefore required, and exposure of these portals is limited to users who already have access to the internal network.

Note: Bomgar Verify’s Manage My Token portal requires two-factor authentication.

Disadvantages of this topology

The following token types are not supported:

  • Oneswipe online push
  • Oneswipe offline NFC

In addition, users must be on the internal local area network (LAN), or connected over VPN, to make changes to their token types on the Manage My Token portal.

Internal Server with web resources published via a Reverse Proxy (SSL VPN etc.)


The Manage My Token portal, located in the IIS default website as the SecEnrol application, must be published to the Internet via a reverse proxy or load balancer appliance.

Advantages of this topology

All token types are supported including oneswipe push and NFC. Users are able to manage their tokens externally from any Internet location.

Disadvantages of this topology

The Manage My Token portal must be published to the Internet, so this portal, and any others published alongside it, is exposed to attack from external users.

Internal Server with additional Edge Server deployed in the DMZ


When installing the Bomgar Verify Edge Server, select the custom install option and install only the Manage My Token portal.

Advantages of this topology

All token types are supported including oneswipe push and NFC. Users are able to manage their tokens externally from any Internet location.

Disadvantages of this topology

The Manage My Token portal web service must be hardened using Microsoft's recommended techniques, although it could also be published through a reverse proxy located in the DMZ. This portal, and any others published alongside it, is exposed to attack from external users.
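As an added example (not from the Bomgar Verify guide or product), the following PowerShell applies the IIS "IP Address and Domain Restrictions" feature on an Edge Server so that only the Manage My Token portal (SecEnrol) stays open to the reverse proxy and the Internet, while SecRep is limited to its replication peer and any other application left behind by the custom install is limited to the internal LAN. The site name 'Default Web Site', the replication peer 10.10.1.5 and the internal range 10.10.0.0/16 are hypothetical values to be replaced with your own.

```powershell
# Added example (not from the Bomgar Verify guide): harden an Edge Server in the DMZ
# so that only the Manage My Token portal (SecEnrol) is open to the reverse proxy
# and the Internet. Hypothetical values: the portals live under 'Default Web Site',
# 10.10.1.5 is the internal Verify server that SecRep replicates with, and
# 10.10.0.0/16 is the internal LAN.
Import-Module WebAdministration

$Site        = 'Default Web Site'
$Config      = 'MACHINE/WEBROOT/APPHOST'              # applicationHost.config
$Filter      = 'system.webServer/security/ipSecurity'
$InternalLan = @{ ipAddress = '10.10.0.0'; subnetMask = '255.255.0.0' }
$ReplPeer    = @{ ipAddress = '10.10.1.5'; subnetMask = '255.255.255.255' }

# The "IP and Domain Restrictions" role service must be present for ipSecurity to apply.
Install-WindowsFeature Web-IP-Security | Out-Null

function Set-AppAllowList {
    param([string]$App, [hashtable[]]$Allow)
    $loc = "$Site/$App"
    # Deny every source that is not explicitly listed ...
    Set-WebConfigurationProperty -PSPath $Config -Location $loc -Filter $Filter `
        -Name 'allowUnlisted' -Value $false
    # ... then add the permitted sources as allow entries.
    foreach ($a in $Allow) {
        Add-WebConfigurationProperty -PSPath $Config -Location $loc -Filter $Filter `
            -Name '.' -Value @{ ipAddress = $a.ipAddress; subnetMask = $a.subnetMask; allowed = $true }
    }
}

# SecRep is installed on every server instance and must never face the Internet:
# allow only the replication peer.
Set-AppAllowList -App 'SecRep' -Allow @($ReplPeer)

# Any other application that the custom install left in place is internal-only.
Get-WebApplication -Site $Site |
    Where-Object { $_.Path -notin '/SecEnrol', '/SecRep' } |
    ForEach-Object { Set-AppAllowList -App $_.Path.TrimStart('/') -Allow @($InternalLan) }

# Show which applications still accept unlisted sources; only /SecEnrol should.
Get-WebApplication -Site $Site | ForEach-Object {
    $app  = $_.Path.TrimStart('/')
    $open = (Get-WebConfigurationProperty -PSPath $Config -Location "$Site/$app" `
        -Filter $Filter -Name 'allowUnlisted').Value
    [pscustomobject]@{ Application = $_.Path; AllowsUnlisted = $open }
}
```

Run the script in an elevated PowerShell session on the Edge Server. The restrictions are written as location tags in applicationHost.config, so they apply even if the individual web.config files are later replaced by an upgrade; the final table should list only /SecEnrol with AllowsUnlisted set to True. If the reverse proxy terminates TLS and forwards from its own DMZ address, the proxy's address is the source IIS sees, so the SecEnrol entry needs no allow list but every other application must not list the proxy.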

Available Bomgar Verify Portals

The Bomgar Verify portals that can be published to the Internet are:

  • Admin Portal - Provides the Bomgar Verify Security Server Admin console. Publishing this to the Internet is not recommended unless you are a cloud provider.
  • Manage My Token Portal - May be required for initial enrolment and for ongoing management of token types, such as migrating to a new phone. See the topology details above.
  • Lost Token Emergency Access Portal - Allows end users to request a temporary code while disabling their lost device via this self-service portal. Note: This portal is not protected with 2FA and relies on a combination of PIN/password and answers to predefined secret questions. Typically customers do not publish this to the Internet and instead rely on a manual helpdesk process or on the user being connected to the internal LAN.
  • SecurPassword - Part of the SecurPassword product and only required if this function is being used. Allows end users to reset their Microsoft AD (or other LDAP) password and requires 2FA for access.
  • SecurMail Sender Portal - Part of the SecurMail product and only required if this function is being used. Allows a sender to create secure 2FA emails to recipients. Installing this portal also adds an additional IIS web service called SecUpload2, which is used to upload SecurMail file attachments. Both are optional and only need to be published to the Internet if your senders need to create emails externally.
  • SecurMail Recipient Portal - Part of the SecurMail product and only required if this function is being used. This portal must be published to the Internet or recipients will not be able to retrieve their secure messages. This portal uses 2FA.
  • SecServer Portal - Required for SecurAccess if you wish to use the Windows Logon Agent externally on the Internet, for instance when logging in on a remote laptop. It is not required if you are not using the Windows Logon Agent, or only use the agent to protect internal servers and desktops. It is also required for SecurMail if a recipient connects from a Bomgar Verify Outlook Agent or a SecurMail phone app across the Internet.
  • SecRep - Installed by default on all server instances. Used to automate replication of the server.ini file between multiple Bomgar Verify servers, if this function is enabled.

Important

Do not publish SecRep to the Internet, as this will risk exposing configuration settings to external threats.
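The publication decisions above are easy to get wrong at the reverse proxy or load balancer, so they should be verified from outside. The following PowerShell is an added example (not from the Bomgar Verify guide or product) that probes the public hostname for each of the IIS application names the guide mentions and compares what answers against the intended exposure. The public name verify.example.com is hypothetical; the expected-exposure table reflects a deployment where only the Manage My Token portal is published, and the Admin Portal is not probed because the guide does not give its path.

```powershell
# Added example (not from the Bomgar Verify guide): run from a machine OUTSIDE the
# corporate network to confirm which portals the reverse proxy or Edge Server actually
# exposes. Hypothetical public name: verify.example.com. The application names are the
# IIS directory names the guide mentions; the Admin Portal path is not given in the
# guide, so it is not probed here.
$PublicHost = 'verify.example.com'

# Expected exposure for a deployment that publishes only Manage My Token.
$Policy = @(
    @{ Path = '/SecEnrol';   Public = $true  }   # Manage My Token: must be reachable
    @{ Path = '/SecRep';     Public = $false }   # server.ini replication: never publish
    @{ Path = '/SecUpload2'; Public = $false }   # SecurMail uploads: only if senders are external
    @{ Path = '/SecServer';  Public = $false }   # only if Logon Agent / SecurMail clients are external
)

function Test-PortalExposure {
    param([string]$Path)
    $url = "https://$PublicHost$Path/"
    try {
        $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
        return [int]$r.StatusCode
    } catch {
        # 401/403 (auth challenge, IP restriction) still prove the app is published;
        # a 404 from the proxy, or no response at all, means it is not.
        $resp = $_.Exception.Response
        if ($resp) { return [int]$resp.StatusCode }
        return 0
    }
}

$report = foreach ($p in $Policy) {
    $status    = Test-PortalExposure -Path $p.Path
    $published = ($status -ne 0) -and ($status -ne 404)
    $verdict   = if ($published -eq $p.Public) { 'OK' } else { 'MISMATCH' }
    [pscustomobject]@{
        Path      = $p.Path
        Status    = $status
        Published = $published
        Expected  = $p.Public
        Verdict   = $verdict
    }
}
$report | Format-Table -AutoSize

# Fail loudly if anything that should stay internal answered from the Internet.
if ($report | Where-Object { $_.Published -and -not $_.Expected }) { exit 1 }
```

Treat any non-404 answer, including a 401 or 403, as "published": it shows the proxy forwarded the request to IIS, and an IP restriction on the Edge Server is a second line of defence rather than a substitute for not publishing the path at all. If your deployment also publishes SecurMail, SecurPassword or the SecServer portal, change the corresponding Public values rather than removing the rows, so the check still reports on every application the guide lists.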