Bomgar Verify Installation Guide

Verify Server Topology

Bomgar Verify Security Server 8.1.501 introduces some exciting new features for the two-factor authentication (2FA) arena, including push notification technology and Near Field Communication (NFC). Push notifications work by sending messages to the notification center or the status bar of a user's smart phone. NFC allows customers to authenticate using their smart phone. These new features are dependent on the architectural topology of the Bomgar Verify Server implementation. This section of the guide has been created to provide some guidelines for selecting the correct topology to deliver all required features for each organization’s Bomgar Verify Security Server solution.

Note: It is important that the architectural topology of the Bomgar Verify Server implementation be decided prior to installation.

Internal Server With No External-Facing Web Portal

Diagram: Internal Server (no external-facing web portal)

Advantages of this topology

In this topology, there are no external-facing portals, which means the portals cannot be accessed from the internet. Server hardening is therefore not required, and the attack surface of these portals is limited to internal users.

Note: Bomgar Verify’s Manage My Token portal requires two-factor authentication.

Disadvantages of this topology

The following token types are not supported:

  • Oneswipe online push
  • Oneswipe offline NFC

In addition, users need to be on the internal local area network (LAN) or VPN to manage changes to their token types in the Manage My Token portal.

Internal Server With Web Resources Published Via a Reverse Proxy, SSL, VPN, etc.

Diagram: Internal Server with web resources published via a Reverse Proxy (SSL VPN, etc.)

The Manage My Token portal, located in the Internet Information Services (IIS) default website as SecEnrol, must be published to the internet via a reverse proxy or load-balancing appliance.

Advantages of this topology

All token types are supported including oneswipe push and NFC. Users are able to manage their tokens externally from any internet location.

Disadvantages of this topology

The Manage My Token portal must be published to the internet. The risk of attack to this portal and the other portals is greater because it is exposed to external users.

Internal Server With Additional Edge Server Deployed in the DMZ

Diagram: Internal Server with additional Edge Server deployed in the DMZ

When installing the Bomgar Verify Edge Server, Custom Install must be selected, and only the Manage My Token portal should be installed.

Advantages of this topology

All token types are supported, including oneswipe push and NFC. Users are able to manage their tokens externally from any internet location.

Disadvantages of this topology

The Manage My Token portal web service must be hardened using Microsoft’s recommended techniques or must be published through a DMZ-located reverse proxy. The risk of attack to this portal and the other portals is greater because it is exposed to external users.

Available Bomgar Verify Portals

All of the following Bomgar Verify portals can be published to the internet:

  • Admin Portal - enables the Bomgar Verify Security Server Admin console. It is not a recommended practice to publish this portal to the internet unless the organization is a cloud provider.
  • Manage My Token Portal - enables the token management portal. This portal may be required for initial enrollment of users and for on-going management of token types.
  • Lost Token Emergency Access Portal - allows end users to request a temporary code to disable their lost device.
    Note: This portal is not protected with two-factor authentication and relies on a PIN and password combination along with answers to predefined secret questions for access. It is recommended that customers do not publish this to the internet and instead rely on a manual helpdesk process or internal LAN connection for access.
  • SecServer Portal - is required for Bomgar Verify if the Windows Logon Agent is being used for logging into remote laptops. This portal is not required if the organization is not using Windows Logon Agent or is only using the agent to protect internal servers and desktops.
  • SecRep - is installed by default on all server instances and is used to automate the replication of the server.ini file between multiple Bomgar Verify servers, when enabled.

Important

Do not publish SecRep to the internet because there is a risk of exposing configuration settings to external users.
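The reverse-proxy topology above and this portal list together describe an allowlist: publish only the Manage My Token portal, and never SecRep or the Admin Portal. The following nginx configuration is an added example of that allowlist; it is not Bomgar's own configuration, and the public hostname, certificate paths, internal server name and the assumption that the portal is served under the /SecEnrol/ path are all placeholders.

```nginx
# Added example (not Bomgar's configuration): reverse proxy in front of an
# internal Bomgar Verify server that publishes only the Manage My Token portal.
# Assumptions: the portal is served under /SecEnrol/ on the IIS default website
# of verify.internal.example (placeholder); every other path, including the
# Admin Portal, Lost Token Emergency Access Portal, SecServer and SecRep, is
# answered with 404 and never forwarded to the internal server.

server {
    listen 443 ssl;
    server_name token.example.com;                               # placeholder public name

    ssl_certificate     /etc/nginx/tls/token.example.com.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/token.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Default deny: anything not explicitly published below is rejected here,
    # so an unlisted portal cannot reach the internal server by accident.
    location / {
        return 404;
    }

    # The only internet-facing portal in this topology. nginx normalises
    # dot-segments before matching, so /SecEnrol/../SecRep/ still hits the
    # default-deny block above rather than this one.
    location /SecEnrol/ {
        proxy_pass         https://verify.internal.example/SecEnrol/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}

# Plain HTTP serves nothing; it only redirects to the TLS listener.
server {
    listen 80;
    server_name token.example.com;
    return 301 https://$host$request_uri;
}
```

After deploying, confirm from an external address that /SecEnrol/ answers and that /SecRep/ and the admin path return 404, so the allowlist matches the "Do not publish SecRep" guidance.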