Download the latest RWWGuard Setup from Scorpion Software Corp’s website athttp://www.scorpionsoft.com/downloads.
- Double click on the EXE file to begin the installation.
- The setup program will prompt you for standard path information like where to install the files, and analyze your IIS configuration to make the proper Virtual Directory for the management console. It will then backup the original Remote Web Workplace files, and install all the new appropriate files.
- After installation, the setup program will launch the locally defined web browser to the RWWGuard Manager console, typically installed to:https://servername/RWWGuardManager/
- You can log in to the RWWGuard Manager with normal administrator domain credentials.
On installation RWWGuard is initially disabled. RWWGuard must be configured to communicate to a strong authentication server before it can start offering two-factor authentication to remote users.
When you first log into the RWWGuard Manager, you will be presented with the dashboard, which will have no useful stats. Once RWWGuard has been in use for a while, the dashboard stats will begin to offer insight to the state of your password login metrics in your organization.
To configure RWWGuard, log into the RWWGuard Manager and select the Settings tab.
Note: After making changes to the settings for RWWGuard you MUST press the“Save Settings” button before it will be applied. Leaving the page will abandon all changed settings not yet saved.
Selecting the Authentication Mode
When you select “RADIUS” for “Authentication Mode”, RWWGuard will communicate to a RADIUS server with the configured shared secret. If you select “Two Factor Auth”, RWWGuard will communicate via SOAP/XML web services directly with an Two Factor Auth Strong Authentication System.
Configuring RADIUS settings
RWWGuard can be configured to communicate with a RADIUS server to validate an OTP Passcode. In the “RADIUS Settings” you need to configure the IP address where the RADIUS server lies, and the Shared Secret that will be used to communicate securely.
Note: You may need to configure the firewall on SBS2003 to allow for RADIUS to be spoken to/from the server. The RADIUS protocol uses UDP port 1812.
Note: The Shared Secret must match IDENTICALLY between the RADIUS server and RWWGuard.
Configuring Two Factor Auth settings
RWWGuard can communicate via web services directly with an Two Factor Auth server to validate an OTP Passcode. In the “Two Factor Auth Settings” you need to configure the URL andAdmin URL to where the Two Factor Auth SAS service lies.
Example: https://localhost/Two Factor AuthSAS/SAS.asmx
If you wish to use a different Two Factor Auth server to authentication the user when logging in as the named account “Administrator”, you can point the Admin URL to the destination Two Factor Auth server. This is useful for external IT staff and MSPs who manage multiple networks and want to control their techs access from a central Two Factor Auth system.
Note: You may need to configure the firewall on SBS2003 to allow for HTTPS to be spoken to/from the server. For safety and security of the user PIN and OTP, it is NOT recommended to use the clear text HTTP protocol.
Note: The SBS Server where RWWGuard resides MUST trust the remote digital certificate if connecting to an external Two Factor Auth server. The easiest way to test this is to go to the URL of the remote Two Factor Auth server from the SBS server with a browser. If a prompt for the certificate is shown, make sure you add it to the Trusted Root Certificate Authorities store.
Note: You may need to configure the Directory Security IP address restrictions in IIS to allow external access to the Two Factor Auth Web Service. You will also need to configure the IP address of the SBS box where RWWGuard resides within Two Factor Auth to get authorization to authenticate remotely. If using Two Factor Auth on the same machine as RWWGuard, you can use localhost, which is pre-configured.
When you select “Yes” for “Enable RWWGuard”, a new “OTP Passcode” field is present on the RWW logon page.
Force two-factor authentication
When you select “Yes” for “Force OTP Auth”, all users logging in from Remote Web Workplace will be required to enter in an OTP Passcode unless their name is in the exception list. If you select “No”, then no users are required to enter in an OTP Passcode unless their name is in the exception list.
When you select “Yes” for “Allow Impersonation”, you give the option to your users to employ a different username when completing the OTP auth by clicking “Show Advanced”. If you want to FORCE that the user matches the same username for both Active Directory and OTP auth, select “No”.
Note: If you select “No”, you need to dedicate a token for each account.
Note: Two Factor Auth users do not need to use this feature. You can configure Grouped User to accomplish this same goal.
RWWGuard is licensed on a yearly subscription model. You can see when your copy of RWWGuard expires here. If you need to activate a new license key to update the expiration, you can select the “Activate new license” link to do so.
The exception list is designed to OVERRIDE the default behaviour of RWWGuard for certain users. If “Force OTP Auth” is enabled, then anyone in the exception list is not required to provide an OTP Passcode. If “Force OTP Auth” is NOT enabled, then anyone in the exception list IS required to do so.
When RWW-Guard is installed but not enabled, it will continue to provide detailed audit logging in the RWW-Guard Event Log. It looks and acts EXACTLY like the traditional Remote Web Workplace logon page, with the one caveat that RWW-Guard does not currently support the “Change Password” functionality if an Active Directory password expires.
When RWW-Guard is enabled, a new OTP Passcode field is added to the logon form.If a user is required to provide an OTP Passcode, the username is sent along with the OTP Passcode to the configured RADIUS or Two Factor Auth source. On success, the active directory credentials are then verifies, and finally logon to Remote Web Workplace occurs.
Using alternate strong authentication credentials
There may be times where the username you wish to send to the RADIUS server does not match your Active Directory username. You can do this by clicking the “Show Advanced” link beside the OTP Passcode field and filling out the “User name” field.
An example where this could be useful is by using user “Bob’s” two-factor authentication credentials to logon to the “Administrator” account. In this way, you know that it was “Bob” that logged in to the Administrator account over the Internet, and not “Alice”.
Note: If you disable Impersonation, this feature is NOT available. See section above on “Allowing Impersonation”.
Reviewing Audit Logs
Viewing the Authentication Logs
RWWGuard provides detailed audit logs for all users who use Remote Web Workplace. Included in this are the following fields:
- Active Directory Username
- Strong Auth Account
- Logon Time
- IP Address
Note: The Strong Auth Account will match the Active Directory Username unless the alternate username field was used in the RWWGuard Advanced logon form.
Viewing Failed Logons in the SBS Daily Report
RWWGuard stores its authentication logs in a custom Event Log catalogue. Because of this, during the generation of the daily “Server Performance Report” any failed logon attempts will be shown in the report.
Congratulations! There is always so much to see in a new product, and you have just successfully completed an installation and review of the key features of Scorpion Software’s RWWGuard product.
While this Installation Guide can only cover the highlights of RWWGuard in action, we have been able to see several key points:
- RWWGuard is easy to set up and install. As a built in web application on SBS2003, it blends easily with your existing management process.
- RWWGuard protects your small business and enhances its remote access security with the addition of two-factor authentication directly into Remote Web Workplace.
- RWWGuard puts daily, comprehensible failed logon reports in the hands of the administrators who need them through the daily SBS report.
- RWWGuard not only highlights logon failures, it allows the administrator to go from high-level detection to detailed analysis of current password policies.
Appendix A – Testing RWWGuard without a Strong Authentication Server
If you don’t currently have a strong authentication server available you can still test RWWGuard on your server. If you set the IP Address in the “RADIUS Settings” to 0.0.0.0, the password stored in the “Shared Secret” field will be used as the valid OTP Passcode. All other features within RWWGuard will continue to work the same way.
Note: This should be done for TESTING purposes only.