User Management Settings
To start the adminGUI locally:
Start/Programs/Bomgar/Local Security Server Administration.
Or click the desktop shortcut.
To start the GUI remotely, open a Microsoft web browser and enter the following:
By default the page will always open at the Local Users page.
This menu allows you to search and administer your LDAP (Directory Server) based users. You can enable users for two factor authentication; manage PINs, mobile numbers and email addresses; resend passcodes; and set static passcodes.
In the left side window, select the domain you wish to interrogate (only required if you have multiple domains configured). If you leave the fields blank, all of your LDAP users will be displayed.
To restrict this list, enter one or more characters in First Name, Last Name or Login ID.
For example, if you want to manage the user QA, enter “Q” in the Login ID field and press Search.
A list of all users with a Login ID starting with "Q" will be displayed.
Select the user you want to manage and you will see the following screen options:
Unmanaged / Disabled / Enabled / In Case of Emergency
The first option sets the user’s relationship with Bomgar Verify. Unmanaged means that the Bomgar Verify server has no data for this user, and the user is not consuming a license. Disabled means there is data for this user, and the user is consuming a license, but cannot authenticate. Enabled means there is data for this user, the user is consuming a license and can authenticate. In Case of Emergency (ICE) is only displayed if you are licensed for ICE users. Selecting ICE means that the user will consume an ICE license and will be able to authenticate if Emergency access mode is set.
Permanent or Temporary User
When enabling a user, the account can be set up as a permanent account or a temporary account.
If set to a temporary user, start and end dates with specific hours can be set. At the end of this time the user is automatically unmanaged.
When a user is enabled and Self Helpdesk or SecurPassword is active, the user is sent an enrolment message. Enable the "Enrol Secret questions" checkbox if you wish users to be able to use the Self Helpdesk or SecurPassword secret questions. (See 4 Config)
Select either None, Helpdesk, Config or Full administration rights for this user. This controls what remote management capabilities the user has. Full allows access to all areas. Config allows a user to change Config and Radius settings and access the Log Viewer, but not to see or change users. Helpdesk allows access to the Users and Log Viewer sections only (the users they can see and change will be restricted by their domain and Helpdesk group, if configured).
The PIN component can either be the existing Domain password or a traditional static numeric PIN that the user will use when authenticating. This traditional PIN can be up to 8 digits. (See 4 Config)
If this user already has a mobile phone number defined in LDAP, this field will be populated. If not, you MUST enter one if you want to send passcodes via SMS.
This option is displayed if passcodes are allowed via email. (See 4 Config)
Send Simple SMS
This option allows a RAW (simple) SMS to be sent; this caters for some countries or carriers that do not support the PDU mode of SMS.
This field displays the number of failed logins since the last good authentication. The limit can be set to between 3 and 10 bad authentications before the user is disabled. Once disabled, no more passcodes are sent. You can reset this count back to 0 by checking Reset.
One Time Code
If this mode is selected, passcodes can only be used once. This mode is the most secure, as any attempt to re-use a passcode will fail. Further options include the ability to have 3 passcodes in each SMS message, or the ability to use "real time" delivery of the SMS message.
Day Code mode automates the process of changing passwords every xxx days. Day codes are reusable passcodes that are automatically changed every (x) days (configurable, see Chapter 4.0). At a pre-defined day and time (configurable, see Chapter 4.0) the next required passcode is sent to this user’s mobile phone. A valid passcode is the current or the previously sent code.
Select this option if your security requirements only need passwords to change every xx days.
Note: Day codes can be set up so that they are not sent over a weekend. Also, new Day codes will only be sent if the old one has been used (configurable, see Chapter 4.0). PIN and Day codes can be used to automatically update users' Microsoft Active Directory passwords (configurable, see Chapter 4.0).
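The Day code rules above (rotation at a pre-defined time, weekend skipping, a new code only after the old one is used, and acceptance of the current or previous code) modelled in Python. This is an added example, not Bomgar Verify code; the rotation period, send hour and 6-digit code format are assumptions.

```python
from datetime import datetime, timedelta
import secrets

# Added example, not Bomgar Verify code: a model of the Day Code rules.
# Assumed parameters: rotation every period_days at send_hour, 6-digit codes.

class DayCodeUser:
    def __init__(self, period_days=7, send_hour=8, skip_weekends=True, now=None):
        self.period = timedelta(days=period_days)
        self.send_hour = send_hour
        self.skip_weekends = skip_weekends
        self.current = None        # code the user should be using now
        self.previous = None       # previously sent code, still accepted
        self.current_used = False
        self.sent = []             # constructed "SMS log": (time, code)
        self.next_send = self._schedule(now or datetime.now())

    def _schedule(self, when):
        """Pre-defined send time, pushed off the weekend if configured."""
        when = when.replace(hour=self.send_hour, minute=0, second=0, microsecond=0)
        while self.skip_weekends and when.weekday() >= 5:   # 5 = Sat, 6 = Sun
            when += timedelta(days=1)
        return when

    def tick(self, now):
        """Scheduler hook: send the next Day code if due. Returns True if sent."""
        if now < self.next_send:
            return False
        if self.current is not None and not self.current_used:
            return False           # a new code is only sent once the old one is used
        self.previous, self.current = self.current, f"{secrets.randbelow(10 ** 6):06d}"
        self.current_used = False
        self.sent.append((now, self.current))
        self.next_send = self._schedule(now + self.period)
        return True

    def verify(self, code):
        """A valid passcode is the current or the previously sent code."""
        if code and code == self.current:
            self.current_used = True
            return True
        return bool(code) and code == self.previous
```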
This mode supports the use of a "Soft Token", which is available for mainstream smartphones such as Apple’s iPhone, Blackberry, Android and Windows 7 phone; Windows 7, 1.1 and 10 desktop will also be supported. Please see the Apple App Store, OVI, Blackberry Shop or Bomgar Verify web site for more details.
When a user is deployed, they can select to use a soft token; the phone then scans a QR code on the enrolment page to configure the "seed" record and activate the user for "Soft token" mode.
The GUI User tab will then show whether the soft token has Push enabled, for example Push=IOS.
No additional user overhead is required. The “Soft Token” can also be re-synched by entering two consecutive passcodes. Please see section 6.1 for more information.
For users who wish to use a Voice token, select this option. When the user logs on with UserID and PIN (password) they will receive a real time voice call and then follow the instructions in the voice message. At the same time their logon screen will present an OTP. This feature requires a version 7 IIS agent or RADIUS with challenge-response support.
Tmp Static Code
Passcodes of up to 14 characters can be entered. The user can use this agreed static passcode multiple times for up to the number of days entered. After this time has passed, the user is automatically switched back to One Time Codes and sent their next required passcode. This mode is intended for users who have lost their mobile phone or will be out of range of a mobile signal for a number of days.
This is a reusable static passcode; it must be 6 characters long. It should only be used for testing.
Press this button to update this user with any entered or amended settings.
Press this button to resend a passcode and update any changes to this user.
Note: Users being enabled will automatically be sent a passcode. When using default of “Pre Load for SMS delivery
Press this button to cause a manual refresh of the displayed user information.
Deploying Users via Admin GUI
Launch the Bomgar Verify admin GUI via the desktop shortcut or program link.
Click Search to find any user within the domain, then select your user by clicking the appropriate link.
Enable the user, assign a mobile number (if required) and select One Time passcode; click “update” when complete.
The system will return an OK message and the user will receive a passcode (default Pre Load). If the user is set to receive a real time passcode, no code will be sent at this point.
Test logon with either a Radius based connection or the IIS web Agent.
Scripting With Microsoft PowerShell V3
Note: AdminAPI.dll is a 32bit assembly, so you MUST start the 32bit version of PowerShell V3.
Start PowerShell V3: Start – Accessories – Windows PowerShell – Windows PowerShell (x86)
Enter the following commands in PowerShell V3 to load the adminAPI (assumes Bomgar Verify is installed in the default location on a 64bit OS):
Example: list all methods and properties of AdminDll.dll
$admin | Get-Member
Example: list the existing user (DN of CN=aaa1,CN=Users,DC=dev,DC=com)
Example: change an existing user (DN of CN=aaa1,CN=Users,DC=dev,DC=com) mobile number to 123456
Example: list the existing user with a UserID of aaa1 (Note: requires version 7.1.504 or higher)
Example: change an existing user (DN of CN=aaa1,CN=Users,DC=dev,DC=com) Admin to FULL
$admin.Admin = ([securenvoy.admin+eAdmin]::FULL)
Example: change an existing UserID aaa1 to Disabled (Note: requires version 7.1.504 or higher, as getdn is used)
$admin.Enabled = ([securenvoy.admin+eEnabled]::DISABLED)
Note: Bomgar Verify PowerShell sample scripts can be found in “C:\Program Files (x86)\Bomgar\Security Server\SDK\admin\power shell samples”
Soft Token Support
Bomgar Verify now provides soft tokens for your phone that generate one time passcodes (OTP) for two factor authentication, which can be checked by your company's Bomgar Verify server. End-users have total flexibility, with zero admin or overhead costs, providing a mobile security solution to suit the user.
Multiple soft tokens can be enrolled and used within the same app for multiple Bomgar Verify servers, eliminating the need to carry multiple hardware tokens or install multiple soft token apps. The latest Bomgar Verify server v6 allows users far greater choice of security: either tokenless SMS two factor authentication or now this soft token.
Users can simply log on to your company's Bomgar Verify server enrolment portal and switch themselves to use the soft token. They then simply scan the presented QR code to transfer their unique seed record to the app. Bomgar Verify Soft Tokens provide an innovative and simple solution for end users requiring a flexible method of two factor tokenless authentication without fuss or administration overhead.
Support for Google Authenticator
Bomgar Verify soft tokens for your phone or desktop can be used to generate one time passcodes (OTP) for two factor authentication that can be checked by your company's Bomgar Verify server or Google’s cloud login.
Please note that the "Google" soft token offers decreased security, as it has no copy protection at enrolment. Bomgar Verify recommends that the Bomgar Verify soft token be used where possible.
More flexibility for the User
The latest Bomgar Verify server V6 allows users far greater choice of security: either tokenless SMS two factor authentication or a soft token downloaded as an app such as this. Available free of charge to current customers from either Bomgar Verify or Google Authenticator, soft tokens are suitable for most types of mobile devices, i.e. iPhones, iPads, Blackberrys, Android phones, Mac and Windows operating systems including Vista and Windows 7.
A simple process
For the organisation there is nothing they need to do. It is all down to the personal preference of the end-user whether they want their two factor authentication passcode sent via SMS or via their app.
The user simply:
1. Logs into their company's Bomgar Verify server’s enrolment page (/secenrol); cleverly, they can authenticate themselves with their current user name and passcode.
2. A barcode appears on the screen, which the user scans with the camera button on their phone.
3. Within seconds the user is authenticated and can start using their phone as a soft token.
4. In the case of the P.C. Soft Token, the user only has to authenticate with the built-in interface in the client. The SEED is automatically deployed with no user intervention. (Please see the P.C. Soft Token manual for more information.)
[Figures: Mobile Phone "Soft Token"; P.C. "Soft Token"]
To provide support for a “Soft Token”, the selected user can be deployed via SMS or email; at the enrolment stage, the user can then opt to use a “Soft Token”.
If the user is set to only use a “Soft Token”, an email address must be used to provide the enrolment details.
The “Soft Token” can also be re-synched by entering two consecutive passcodes.
Soft Token Security
The Bomgar Verify Soft token is OATH TOTP compliant, but with additional security enhancements to the OATH specification. These are:
Secure Copy protection locks the Seed record used for generating passcodes to the phone. The Bomgar Verify security server generates the first part of the seed; the second part of the seed is generated from a “Fingerprint” on the phone when the Soft Token application is run for enrolment and each time it is run to generate a passcode.
Protection of the Seed records. The Seed records are dynamically generated by the server/phone and are stored with a FIPS 140 approved encryption algorithm; this encrypted data is generated and stored at the customer premises. Bomgar Verify does not store or keep any sensitive customer seed records.
Stored data. All stored authentication data is generated and encrypted with AES 256-bit encryption and is kept within the customer's LDAP server. Bomgar Verify supports all LDAP v2 and v3 compliant directory servers, including:
Microsoft Active Directory, Microsoft AD LDS, Novell eDirectory, Sun/Oracle One Directory Server, IBM and Linux OpenLDAP.
The Bomgar Verify Security Server deletes the used passcode and any previous passcodes from the system, thereby preventing replay of any used or any previous unused passcodes. This process is known as “Watermarking”.
Automatic Time Re-sync
When a user travels overseas, their phone will typically sync to the new country's time once they arrive at the destination. The OATH compliant algorithm then derives passcodes based upon this new time, which could be many hours forward or backward. Bomgar Verify has a unique approach to handling users in this situation, allowing complete unhindered worldwide travel for the user.
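The two server-side rules described in the Soft Token Security and Automatic Time Re-sync sections, shown on top of plain OATH TOTP in Python. This is an added example, not Bomgar Verify code: the watermark rejects any passcode whose time step is at or below the last accepted one, and re-sync uses the two consecutive passcodes mentioned earlier to relocate a phone clock that has moved hours and to store the learned offset. The 30-second step, 6 digits, drift window and 24-hour re-sync window are assumptions.

```python
import hmac, hashlib, struct

# Added example, not Bomgar Verify code: OATH TOTP (RFC 6238) verification with
# "watermarking" (used and earlier steps are never accepted again) and a two-code
# re-sync that learns the phone's clock offset instead of locking the user out.
STEP = 30      # assumed TOTP time step in seconds
DIGITS = 6     # assumed passcode length

def hotp(seed: bytes, counter: int) -> str:
    """HOTP (RFC 4226) dynamic truncation; TOTP is HOTP over the time step."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 10 ** DIGITS:0{DIGITS}d}"

class SoftTokenRecord:
    """Per-user state the server keeps: seed, watermark and learned clock offset."""
    def __init__(self, seed: bytes, drift_steps: int = 2, resync_hours: int = 24):
        self.seed = seed
        self.watermark = -1          # highest time step already consumed
        self.offset = 0              # phone clock minus server clock, in steps
        self.drift_steps = drift_steps
        self.resync_steps = resync_hours * 3600 // STEP

    def _consume(self, step: int, code: str) -> bool:
        if step <= self.watermark:   # watermark: a used or earlier step is dead
            return False
        if not hmac.compare_digest(hotp(self.seed, step), code):
            return False
        self.watermark = step
        return True

    def verify(self, code: str, now: int) -> bool:
        """Normal login: match within a few steps of the learned offset."""
        base = now // STEP + self.offset
        return any(self._consume(base + d, code)
                   for d in range(-self.drift_steps, self.drift_steps + 1))

    def resync(self, code: str, next_code: str, now: int) -> bool:
        """Two consecutive passcodes relocate the phone clock inside a wide window."""
        base = now // STEP + self.offset
        for s in range(base - self.resync_steps, base + self.resync_steps + 1):
            if (s > self.watermark
                    and hmac.compare_digest(hotp(self.seed, s), code)
                    and hmac.compare_digest(hotp(self.seed, s + 1), next_code)):
                self.offset += s - base      # remember the new clock position
                self.watermark = s + 1       # both codes are now consumed
                return True
        return False
```

Requiring two consecutive codes for re-sync keeps the wide search window from turning into a 1-in-10^6-per-step guessing opportunity for a single code.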
One Swipe can be integrated into any existing HTML forms based logon page.
On the first login web form, do the following:
Step 1 Add oneswipe.js and oneswipe.swf
Copy oneswipe.js and oneswipe.swf from the Bomgar Verify server’s install directory\ADMIN\js to the root location on your Website.
Browse to /oneswipe.js to confirm its URL location.
Copy oneswipe.png from the Bomgar Verify server’s install directory\ADMIN\images\buttons to the root location on your Website.
Step 2 Add One-Swipe Smart Button Object
Locate the area where you want the One-Swipe button / QR code scan panel to go and copy and paste the following:
<img src="/oneswipe.png" onclick="se_oneswipe_username='USER';se_oneswipe_pin='PASSWORD';se_oneswipe_passcode='PASSCODE';se_oneswipe_submit='SEND'; (typeof se_oneswipe_click == 'function')?se_oneswipe_click():alert('OneSwipe script not found, please verify the location of oneswipe.js.');"/>
<div id='se_oneswipe_status'></div>
<canvas id='se_oneswipe_canvas' style='display:none'></canvas>
<div id='outdiv' style='display:none; width: 300px;'></div>
Step 3 Change the placeholder values to the ids of your input boxes
USER, PASSWORD and PASSCODE should be changed to the IDs of your input boxes (or deleted, i.e. set to '' two single quotes, if not used), and SEND to the id of the send/login button (add id= to your <input> tags if it’s not present).
Note: you can change width: 300px in the last line to suit your required QR code scan video width.
For example: USER=userid, PASSWORD=password, PASSCODE=passcode, SEND=send
If you have passcode entry on a separate login form, do the following:
Step 1 Add One-Swipe Script
Locate the closing body tag </body> in the passcode entry form page and add the following just before it:
Step 2 Change the placeholder values to the ids of your input boxes
PASSCODE should be changed to the ID of your passcode input box, and SEND to the id of the send/login button (add id= to your <input> tags if it’s not present).
If it’s possible to change the application page presented after login, do the following:
Locate the main <body> tag and add the following after it: