ZyWALL OTPv2

Support Notes

Revision 2.10

December, 2011

Written by CSO

Page 2: ZyWALL OTPv2 - download.from.zyxel.rudownload.from.zyxel.ru/91cd5567-8056-4839-a1ba... · components and SafeWord server to assigning the token to users, including the application

ZyXEL – ZyWALL OTPv2 Support Notes

All contents copyright © 2011 ZyXEL Communications Corporation.

2

Table of Contents

1. Introduction .......... 4

2. Server Installation .......... 8

2.1 Pre-requisites .......... 8

2.2 Installation on Windows Server 2003 Enterprise Service Pack 1 .......... 8

2.3 Installation on Windows Server 2008 R2 .......... 24

2.4 Activate the SafeWord Server and Import the physical tokens .......... 37

2.5 Import the software tokens to your server .......... 43

3. OTP Authentication to an OTP-protected Network via SSL VPN over ZyWALL USG .......... 45

3.1.1 ZyWALL USG Configuration for External User .......... 46

3.1.2 ZyWALL USG Configuration for External Group User .......... 50

3.2.1 SafeWord Server Configuration for External User .......... 54

3.2.2 SafeWord Server Configuration for External Group User .......... 59

3.3.1 Verify OTP Ext-user via Login from the Remote .......... 66

3.3.2 Verify OTP Ext-group-user via Login from the Remote PC .......... 67

4. OTP Authentication to an OTP-protected Network via IPSec VPN Client over the ZyWALL USG .......... 68

4.1.1 ZyWALL USG Configuration for External User .......... 69

4.1.2 ZyWALL USG Configuration for External Group User .......... 72

4.2.1 SafeWord Server Configurations for External User .......... 76

4.2.2 SafeWord Server Configurations for External Group User .......... 81

4.3 ZyWALL IPSec VPN Client Configuration .......... 88

4.4 Verify OTP via Login from the VPN Client .......... 90

5. Mobile OTP Authentication to an OTP-protected Network .......... 92

5.1 Create the Safeware Token on your Windows computer .......... 92

5.2 Create the Safeware Token on your iPhone, iPad or Mac OS .......... 97

5.3 Create the Safeware Token on your Android OS .......... 103

6. Advanced Scenario .......... 109

6.1 A Lab of the「Guest for OTP」.......... 109

6.2.1 Transfer license to new server (SafeWord license backup) .......... 116

6.2.2 Transfer license to new server (AD backup) .......... 119

7. OTP Troubleshooting .......... 121


1. Introduction

This support note is a step-by-step guide which covers OTP deployment from installation of the AD components and SafeWord server to assigning the token to users, including the application with the SSL VPN and IPsec VPN functions on ZyWALL USG. If you simply wish to enable user login to the SSL VPN via OTP code, you can skip to chapter 3 and follow the step-by-step guide to accomplish this.

One-Time Password (OTP) Authentication

One-Time Password (OTP) is an optimum security technology that enables a server to authenticate users based on a password that is unique every time they try to access a protected network.

Two-Factor Authentication

Two-factor authentication is an optimum security methodology, because it requires something a user has (a ZyWALL OTP Token) and something a user knows (a secure password or PIN). A two-factor system is far more secure than using just a password, since many skilled hackers can quite easily access password-only protected computers and networks. The illustration shows the concept of two-factor authentication.

User PIN and Token code

User PIN is what a user knows and Token code is what a user has.
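The check a server performs on "PIN plus token code", as an added Python example (not code from the support note, ZyXEL or SafeNet). The note does not describe the SafeWord token algorithm, so the example assumes RFC 4226 HOTP as the token code generator, assumes the submitted passcode is the PIN followed by the 6-digit token code, and uses a constructed serial number, seed and PIN. It shows the two factors being checked separately, the look-ahead window that tolerates codes the user generated but never submitted, and the counter update that makes each code usable exactly once.

```python
"""Two-factor passcode check: PIN (what the user knows) plus a one-time token
code (what the user has). Added example; the support note does not describe
the SafeWord token algorithm, so RFC 4226 HOTP stands in for it, and the
seed, serial number and PIN below are constructed values."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TokenRecord:
    """What the server keeps per token: serial number and seed (the SafeWord
    database stores these), the user's PIN, and the last counter accepted so
    that a code, once used, is never accepted again."""

    def __init__(self, serial: str, seed: bytes, pin: str, look_ahead: int = 10):
        self.serial = serial
        self.seed = seed
        self.pin = pin
        self.look_ahead = look_ahead   # tolerates codes generated but never submitted
        self.last_counter = -1


def verify_passcode(record: TokenRecord, passcode: str) -> bool:
    """Assumes the submitted passcode is PIN followed by the 6-digit token code."""
    pin, code = passcode[:-6], passcode[-6:]
    # Factor 1: something the user knows. Constant-time compare so timing does
    # not reveal how many leading PIN characters matched.
    if not hmac.compare_digest(pin.encode(), record.pin.encode()):
        return False
    # Factor 2: something the user has. Accept the code only if it matches one
    # of the next look_ahead counter values, then move the counter past it so
    # the same code (and any older one) is rejected from now on.
    start = record.last_counter + 1
    for counter in range(start, start + record.look_ahead):
        if hmac.compare_digest(hotp(record.seed, counter), code):
            record.last_counter = counter
            return True
    return False


if __name__ == "__main__":
    # Constructed token record; the seed is the RFC 4226 test-vector secret.
    token = TokenRecord("TK00-CONSTRUCTED", b"12345678901234567890", "1234")
    print(verify_passcode(token, "1234755224"))   # first use of counter 0 -> True
    print(verify_passcode(token, "1234755224"))   # replay of the same code -> False
```

The seed used in the demo is the RFC 4226 test-vector secret, so the codes it produces (755224, 287082, 359152, ...) can be cross-checked against the RFC's own table.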


ZyWALL OTP Product Components

ZyWALL OTP, which includes the ZyWALL OTP Token and SafeWord 2008, provides secure verification of identity to remote Virtual Private Network (VPN) and Local Area Network (LAN) users.

SafeWord 2008 installation includes:

- SafeWord Core Server
  - Database server
  - Administration server
  - Authentication engine
- Management console (integrated in Windows Server AD)
- RADIUS Agents (IAS clients)

SafeWord Core Server

The SafeWord Core Server consists of 3 main components:

- Database server (MySQL) – installed by default. The SafeWord database serves as the repository for token records independent of the management mode. It stores the Token serial numbers and Token seeds used to generate OTP. The database server listens on port 5010 by default and only the Administration service and Authentication engines can query it directly.


- Administration server – runs administration services and performs tasks initiated by administrators or users. It updates the SafeWord database and synchronizes SafeWord database data in configurations with the MMC console and User Center. It also performs replication of changes between peers. It listens on port 5040 by default.

- Authentication engine (AAA) – runs the authentication engine that verifies that the passcode supplied with an access request is correct for the token assigned to the specific user. It listens on port 5031 by default.

Management Console (AD)

The Management console integrated in Microsoft AD is the interface used to directly update the database via the SafeWord Administration Service. You can use this to import Tokens (add Token serial numbers to the SafeWord database) or back up and restore Token data. It also lets you view and manage all imported Tokens.


RADIUS Agent

The OTP RADIUS agent contains a configuration file specifying where the SafeWord server holds the user repository and the Authentication service. It verifies that the passcode supplied with an access request is correct for the token assigned to the specific user.

An agent can be installed only if its supporting (base) software components exist. Otherwise the agent will not appear for selection in the installation components window. For example, the RADIUS server agent can only be installed when IAS has already been set up.
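How the passcode travels from the RADIUS client (the ZyWALL USG) to the RADIUS agent on IAS and how the answer comes back, as an added Python example (not ZyXEL, SafeNet or Microsoft IAS code). The note establishes the pieces: RADIUS clients reach IAS on port 1812, both sides must share a secret key, and the agent then verifies the passcode against the user's token. The example implements the RFC 2865 Access-Request / Access-Accept / Access-Reject packets for that leg, with the User-Password attribute hidden under MD5(secret + Request Authenticator) and the reply signed with the same secret. The shared secret, user name and passcode are constructed values, and the token check is a table lookup standing in for the SafeWord Authentication Engine. It also shows what a mismatched secret looks like from each side: the server recovers garbage and rejects, and the client cannot verify the reply.

```python
"""RADIUS leg of an OTP login: the NAS (ZyWALL USG) sends an Access-Request to
the IAS/NPS RADIUS agent on UDP port 1812 and gets Access-Accept or
Access-Reject back. Added example, not ZyXEL, SafeNet or Microsoft code; the
shared secret, user name and passcode are constructed, and the token check is
a table lookup standing in for the SafeWord Authentication Engine."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types
SHARED_SECRET = b"constructed-shared-secret"   # must match on the USG and on IAS/NPS
VALID_PASSCODES = {"alice": "1234755224"}      # constructed stand-in for the token engine


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: str, passcode: str, secret: bytes,
                         authenticator=None) -> bytes:
    """NAS side. The passcode (PIN + token code) travels as User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, username.encode()) + \
        attr(USER_PASSWORD, hide_password(passcode.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def handle_access_request(packet: bytes, secret: bytes, check_passcode) -> bytes:
    """Agent side: recover the passcode, ask the token check, sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs[USER_NAME].decode()
    passcode = reveal_password(attrs[USER_PASSWORD], secret, request_auth).decode(errors="replace")
    reply_code = ACCESS_ACCEPT if check_passcode(user, passcode) else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)   # no reply attributes here
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: only a server holding the same secret can produce this authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def lookup_check(user: str, passcode: str) -> bool:
    return VALID_PASSCODES.get(user) == passcode


def demo(nas_secret=SHARED_SECRET, server_secret=SHARED_SECRET, passcode="1234755224") -> dict:
    """One exchange; returns the reply code and whether the NAS could verify it."""
    request = build_access_request(7, "alice", passcode, nas_secret)
    response = handle_access_request(request, server_secret, lookup_check)
    return {"code": response[0], "authentic": verify_response(response, request, nas_secret)}


if __name__ == "__main__":
    print("matching secrets, right passcode:", demo())
    print("matching secrets, wrong passcode:", demo(passcode="1234000000"))
    print("secret mismatch:", demo(server_secret=b"typo-on-one-side"))
```

The secret-mismatch case is the one to recognise in the field: the agent logs a rejection for a user whose token code was correct, and the USG sees a reply it cannot authenticate. Both symptoms point at the shared secret, not at the token.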


2. Server Installation

2.1 Pre-requisites

Before starting to install the SafeWord server, verify the following:

- Hardware requirements of the system
  CPU – Pentium IV or AMD @ 1.8 GHz (min), 2 GHz (recommended)
  RAM – 1 GB (min), 4 GB (recommended)
  Disk space – 3 to 5 GB (min)
- Software requirements of the system
  Server OS – 32 or 64-bit Windows Server 2003/2008 or Windows Server 2008 R2
  A working Active Directory environment
  IAS server installed for RADIUS authentication

2.2 Installation on Windows Server 2003 Enterprise Service Pack 1

Step 1. Prepare the Active Directory

- Click on Start > Manage Your Server to open the installation wizard. Click “Add or remove a role” to configure it.


- Select to install the Domain Controller (Active Directory).
- Fill in the full DNS name for the new domain.
- Click Next to continue the installation process. When the process is done, Active Directory will be installed and ready.


Step 2. Prepare the IAS Server

- Click Start > Control Panel > Add or Remove Programs > Windows Components Wizard > Networking Services > Internet Authentication Service to install the component.
- After the installation, you can execute it through Start > Administrative Tools > IAS.


Step 3. Check pre-requisites before installation

Network prerequisites:

- 32 or 64-bit Windows Server 2003 with Service Pack 1.
  Note: Windows 2008 Core is not supported. Windows 2003/2008 Small Business Server is not supported.
- Active Directory populated with users.
  Note: A Domain Controller is required for use with Active Directory.
- Internet access (to receive important product updates not included on your installation CD).

Component prerequisites:

- Active Directory Users and Computers Management Console
  .NET Framework 2.0 or greater installed
  This component is only available when the installation machine is part of a domain.
  MMC 3.0 or greater installed (for Server 2003, you can download it from http://support.microsoft.com/kb/907265)
  Note: Port 5040 must be open between the remote ADUC server and the server running the Admin Service. You may customize this port.
- IAS/NPS Agent
  IAS must be functioning and configured for RADIUS authentication (policies, secret keys, firewall ports, and user permissions must be set correctly, and users must be able to successfully authenticate to IAS) before installing this Agent.
  Port 1812 must be open in any firewalls between the RADIUS clients and the IAS Server.

Step 4. Install SafeWord 2008 server

In this section, we will walk through the system installation process. For the up-to-date user manuals, please check SafeNet’s website. The link is: http://www.aladdin.com/safeword/docs/2008.aspx

Below is a flow chart-type snapshot of the installation process and the step-by-step installation. You can check chapter 2, “Installing and Activating SafeWord 2008”, of the SafeWord 2008 Administration Guide on the SafeNet website for more detailed information.


1) Insert the CD and select to Install SafeWord 2008.

2) Enter your product serial number (located on your product package and/or on the Activation Certificate; it is in the format NSXX-XXXX-XXXX-XXXX), then click OK.

3) If there is a new version available, the software will download it automatically during the installation process.

4) Review the License Agreement, then click Yes to accept it.


5) When the Choose Destination Location window appears, accept the default installation location (or browse to select another), then click Next. If you choose to install in a location different from the default location, you must ensure that the following permissions are set:

■ Administrators – full control
■ Authentication users – read and execute
■ CREATOR OWNER – full control (subfolders and files only)
■ Server Operators – modify
■ SYSTEM – full control

6) The Select Components window for the specific version of SafeWord you selected will appear. In the ZyXEL pack, you need to select the following components:

■ SafeWord Server
■ Management Snap-in for Active Directory
■ IAS-NPS (RADIUS) Agent

Note: Only components that can be installed on your system will be displayed. If any of the above components does not appear, please check the pre-requisites.

7) Make your selections, and then click Next.

8) Make any needed changes in the Select Program Folder window, then click Next.

9) Review the information in the Start Copying Files window, then click Next.


10) Select the preferred user management. Here leave the default setting “I will manage users in Active Directory”, then click Next.

11) The Server Components window will appear with the default ports through which SafeWord components will communicate. Accept the default port settings or specify your own port settings. You will also be personalizing your SafeWord installation by defining a unique Encryption Key and Signing Key on the Database Security pane. Each key must be 16 characters in length, and must remain the same for the life of the installation. Click Next when all needed changes have been made.

Tip: A small exclamation point displayed next to a Port field indicates that the port is already in use by another process, and you must select a different port.

12) When the Host Address window appears, enter the Fully Qualified Domain Name to which this machine belongs, and then click Next. If you do not know the domain, click Query to obtain it from your DNS Server.


13) If your SafeWord Server is not being installed on a Domain Controller, you will be prompted to provide the administrator’s credentials for the machine on which the SafeWord Server is to be installed, then click Next.

14) If you selected the IAS Agent for installation on Server 2003, you will be prompted to restart the IAS service by clicking Yes. If installing on Server 2008, the Restart window will not appear, and you may skip to “Finishing the installation”.

15) During installation, windows will appear and disappear, and the installation will take several minutes to complete. The InstallShield Wizard Complete window will appear when the installation is finished.


16) After the software installation is complete, go to Services to start the SafeWord User Center service.

17) You can verify the server status to make sure the installation is correct. Click Start > Aladdin > SafeWord > Configuration > Server Configuration to enable the Utility.

18) The status of all the server components should be “Active” for a successful installation.


Step 5. Activate SafeWord 2008 server

The Activation Certificate that came with your software contains the SafeWord 2008 Serial number and Token Group ID that allow you to download the activation key and token data records, and are in the following formats:

■ SafeWord Software Serial Number—The serial number is a 16-digit alphanumeric code in the form of this example: NSxx-xxxx-xxxx-xxxx. You will need the serial number to obtain your product activation key.

■ Token Group ID—Your Token Group ID is a 16-digit alphanumeric code in the form of this example: TKxx-xxxx-xxxx-xxxx.

Registering on the portal:

There are two methods of activating SafeWord 2008: using ADUC, or directly from Aladdin’s Website if not using ADUC. In either case, you must sign in and register on the Aladdin portal at https://portal.aladdin.com, before you can complete and submit an activation form. After activating, your information will be verified, and the activation key and token records will be downloaded automatically for ADUC, and manually if you are not using ADUC.

Activation using ADUC:

1) In ADUC, click on the SafeWord folder. The first time you right-click on the SafeWord folder, you will be prompted to enter and re-enter (to verify) an Administrator password. This Administrator password is not your Windows Administrator password. If you have (or plan to have) multiple management consoles, you must use the same Administrator password for all installations.


2) Click OK when done.

3) Right-click on the SafeWord folder and select Activate Product.

4) Log into the portal using the credentials received in your mail when you registered.

5) Enter the Software Serial Number and the Token Group ID(s) (if you are importing token records) for the product you are activating. E.g.: Activation Software Serial Number example: NSXX-XXXX-XXXX-XXXX, Token Group ID example: TKXX-XXXX-XXXX-XXXX.

6) Complete the activation form, then click Submit.

7) The SafeWord Activation window will appear showing the license activation and token import progress. Upon completion, the activation file key.html will be downloaded to <Install_Dir>\Aladdin\SafeWord\ImportData. This is the key to activate your software and your token data records. You should back up these files in case you need to reactivate the product or re-import token records later. The Administration Server and Authentication Engine services will restart.

8) When the activation and authentication process is complete, click OK.

9) The Activations Complete window will display important download and installation information. To manually save the files from this window, right-click on each file name, and then select the Save Target As option.

10) You should verify that the key.activated.html file is located on the SafeWord server by browsing to <Install_Dir>\SERVERS\AdminServer\activation.

11) If you are also importing token records, ensure that the token(s) were successfully imported into the SafeWord database by opening ADUC and then expanding the SafeWord Node. The Tokens sub-folder will display the imported tokens.

12) If the key.activated.html file exists, the activation is complete. If the file does not exist, please refer to the manual activation process.

Activating manually via Website:

If you don’t use ADUC to activate the SafeWord server, you might need to activate it manually. For off-line activation, two files are provided to the customer upon purchase of tokens:

■ Server license - a software activation file (key.html) that includes an activation key. This key should be entered in place of the software serial ID.

■ An import file containing the serial numbers of the tokens bought by the customer (import*.dat).

1) If you are simply obtaining the latest activation package (key.html file + import*.dat), please skip to step 11 and continue. If you want to download the activation package for your customers to use, please create the RCR.txt file first by following the steps described below.


a. On the SafeWord installation server, select Start > Programs > Aladdin > SafeWord > Active Directory Users and Computers.
b. Right-click the SafeWord folder in the left directory tree and select Support.
c. Click the Save button to automatically save the RCR.txt file to a temporary directory.

2) Log into the Portal (http://partner.safenet-inc.com) using the user name and password you received during registration.

Note: You may be required to create a login at your first visit to the activation site.

3) Click the SafeWord Activation link on the left pane of the window. The SafeWord Activations page will appear.

4) Enter your SafeWord Software Serial Number in the SafeWord Software Serial Number field. For example: NSXX-XXXX-XXXX-XXXX.

5) Click the Continue button. The SafeWord Activation page will appear.

6) Click the Browse button and retrieve the RCR.txt file you saved earlier in this process. The file name will be displayed in the Support Data File field.

7) Enter the product Token Group ID in the Token Group ID field.

8) Scroll down to the bottom of the page and click Submit.

9) You can now download the files that contain the key to activate your software and your token data records. You should back up these files in case you need to reactivate the product or re-import token records later.

10) Right-click on each link and select the Save Target As option. Save the files on to the SafeWord Server and unzip them.

11) Rename the license file to key.html. (For example, change the name from NSxx-xxxx-xxxx-xxxx.html to key.html.)

12) Save the key.html file to the following directory: <Install_Dir>\SafeWord\SERVERS\AdminServer\activation.

Important: Ensure the file name is key.html. Using any variation (key.htm or key.html.html, for instance) will cause the activation to fail.

13) Restart the SafeWord Administration Server and Authentication Engine by browsing to Start > Programs > Administrative Tools > Services, right-click on SafeWord Administration Server and select Restart (repeat for the Authentication Engine).

14) To verify the activation, browse to <Install_Dir>\SERVERS\AdminServer\activation. A successfully processed license file will be renamed to key.activated.html.

15) After successful activation, the support expiration date will display a value of the valid expiration date.

16) Import the token by clicking the Import Tokens button.


17) Select the importAlpine.dat file which was in the downloaded zip file.

18) When the process is done, you will see the corresponding tokens have been added into the Tokens folder.

The SafeWord activation is complete.

For more information, you can click the “SafeWord Activation” link to perform on-line activation. Please refer to the following manual: http://www.aladdin.com/pdf/safeword/Safeword-Products-Activation.pdf


2.3 Installation on Windows Server 2008 R2

Step 1. Prepare the Active Directory

1) Click Start > Administrative Tools > Server Manager to open the installation wizard.

2) Click Roles > Add Roles to configure Server components.

3) Select to install the Active Directory Domain Server.

4) Windows Server 2008 R2 already contains a .NET Framework version greater than 2.0, so you don’t need to install it again.


5) After the installation is ready, click the hyperlink to run the Active Directory Domain Service installation wizard.

6) The wizard page will appear for the installation.

7) Select to create a new domain if installing on a new AD server.

8) Fill in the full DNS name for the new domain.


9) Select “Windows Server 2008 R2” as the functional level.

10) The “DNS server” option is not mandatory for SafeWord server installation.

11) Fill in the password for the Administrator account; a strong password is required.


12) Click Next to continue the installation process. After the process is done, the Active Directory will be installed and ready.

13) You have to restart the computer for Active Directory Domain Services to take effect.

Step 2. Prepare the NPS Server


1) Click Start > Administrative Tools > Server Manager to open the installation wizard.

2) Click Roles > Add Roles to configure Server components.

3) Select the Network Policy and Access Services and go into the detailed settings.

4) Select to install the Network Policy Server.


5) After the installation is complete, the results will be displayed on the page.

6) You can execute it from Start > Administrative Tools > Network Policy Server.

Step 3. Check pre-requisites before installing


1) Network pre-requisites:

■ 32 or 64-bit Windows Server 2008 or Windows Server 2008 R2.
  Note: Windows 2008 Core is not supported. Windows 2003/2008 Small Business Server is not supported.
■ Active Directory populated with users.
  Note: A Domain Controller is required for use with Active Directory.
■ Internet access (to receive important product updates not on your installation CD).

2) Component pre-requisites:

Active Directory Users and Computers Management Console
■ .NET Framework 2.0 or greater installed
■ This component is only available when the installation machine is part of a domain.
■ MMC 3.0 or greater installed
  Note: Port 5040 must be open between the remote ADUC server and the server running the Admin Service. You may customize this port.

3) NPS Agent

■ NPS must be functioning and configured for RADIUS authentication (policies, secret keys, firewall ports, and user permissions must be set correctly, and users must be able to successfully authenticate to NPS) before installing this Agent.
■ Port 1812 must be open in any firewalls between the RADIUS clients and the NPS Server.

Step 4. Install SafeWord 2008 server

In this section, we will walk through the system installation process. For the up-to-date user manuals, you can check SafeNet’s website. The link is: http://www.aladdin.com/safeword/docs/2008.aspx

Below is a flow chart-type snapshot of the installation process and the step-by-step installation. You can check chapter 2, “Installing and Activating SafeWord 2008”, of the SafeWord 2008 Administration Guide on the SafeNet website for more detailed information.


1) Insert the CD and select to Install SafeWord 2008.

2) Enter your product serial number (located on your product package and/or on the Activation Certificate; it is in the format NSXX-XXXX-XXXX-XXXX), then click OK.

3) If there is a new version available, the software will download it automatically during the installation process.

4) Review the License Agreement, then click Yes to accept it.


5) When the Choose Destination Location window appears, accept the default installation location (or browse to select another), then click Next. If you choose to install in a location different from the default location, you must ensure that the following permissions are set:

■ Administrators – full control

■ Authenticated Users – read and execute

■ CREATOR OWNER – full control (subfolders and files only)

■ Server Operators – modify

■ SYSTEM – full control

6) The Select Components window for the specific version of SafeWord you selected appears.

In the ZyXEL pack, you need to select the components as below:

■ SafeWord Server

■ Management Snap-in for Active Directory

■ IAS-NPS (RADIUS) Agent

Note: Only components that can be installed on your system will be displayed. If any of the above components is not displayed, please check the prerequisites.

7) Make your selections, then click Next.

8) Make any needed changes in the Select Program Folder window, then click Next.

9) Review the information in the Start Copying Files window, then click Next.

10) Select preferred user management. Here, leave the default setting “I will manage users in Active Directory”, then click Next.


11) The Server Components window will appear with the default ports over which SafeWord components will communicate. Accept the default port settings or specify your own port settings. You will also be personalizing your SafeWord installation by defining a unique Encryption Key and Signing Key on the Database Security pane. Each key must be 16 characters in length, and must remain the same for the life of the installation. Click Next when all needed changes have been made.

Tip: A small exclamation point displayed next to a Port field indicates that the port is already in use by another process, and you must select a different port.

12) When the Host Address window appears, enter the Fully Qualified Domain Name to which this machine belongs, and then click Next. If you do not know the domain, click Query to obtain it from your DNS Server.

13) If your SafeWord Server is not being installed on a Domain Controller, you will be prompted to provide the administrator’s credentials for the machine on which the SafeWord Server is to be installed. Enter them, then click Next.

14) During installation, windows will appear and disappear, and installation will take several minutes to complete. The Install Shield Wizard Complete window appears when the installation is finished.


15) After the software installation is complete, go to Start > Administrative Tools > Services and start the SafeWord User Center service.

16) You can verify the server status to make sure the installation is correct. Click Start > Aladdin > SafeWord > Configuration > Server Configuration to open the utility.


17) Status of all the server components should be “Active” for a successful installation.


2.4 Activate the SafeWord server and Import the physical tokens

The Activation Certificate that came with your software contains the SafeWord 2008 Serial number and Token Group ID that allow you to download the activation key and token data records, and are in the following formats:

1) SafeWord Software Serial Number—The serial number is a 16-digit alphanumeric code in the form of this example: NSxx-xxxx-xxxx-xxxx. You will need the serial number to obtain your product activation key.

2) Token Group ID—Your Token Group ID is a 16-digit alphanumeric code in the form of this example: TKxx-xxxx-xxxx-xxxx.

Registering on the portal:

There are two methods of activating SafeWord 2008: using ADUC, or directly from Aladdin’s Website if not using ADUC. In either case, you must sign in and register on the Aladdin portal at https://portal.aladdin.com before you can complete and submit an activation form. After activating, your information will be verified, and the activation key and token records will be downloaded automatically for ADUC, and manually if you are not using ADUC.

Activation using ADUC:

1) In ADUC, click on the SafeWord folder. The first time you right-click on the SafeWord folder, you will be prompted to enter and re-enter (to verify) an Administrator password. This Administrator password is not your Windows Administrator password. If you have (or plan to have) multiple management consoles, you must use the same Administrator password for all installations.


2) Click OK when done.

3) Right-click on the SafeWord folder and select Activate Product.

4) Log into the portal using the credentials received in your mail when you registered.

5) Enter the Software Serial Number and the Token Group ID(s) (if you are importing token records) for the product you are activating. E.g.: Activation Software Serial Number example: NSXX-XXXX-XXXX-XXXX, Token Group ID example: TKXX-XXXX-XXXX-XXXX.

6) Complete the activation form, then click Submit.

7) The SafeWord Activation window will appear showing the license activation and token import progress. Upon completion, the activation file key.html will be downloaded to <Install_Dir>\Aladdin\SafeWord\ImportData. This is the key to activate your software and your token data records. You should back up these files in case you need to reactivate the product or re-import token records later. The Administration Server and Authentication Engine services will restart.

8) When the activation and authentication process is complete, click OK.

9) The Activations Complete window will display important download and installation information. To manually save the files from this window, right-click on each file name, and then select the Save Target As option.

10) You should verify that the key.activated.html file is located on the SafeWord server by browsing to <Install_Dir>\SERVERS\AdminServer\activation.

11) If you are also importing token records, ensure that the token(s) were successfully imported into the SafeWord database by opening ADUC and then expanding the SafeWord Node. The Tokens sub-folder will display with the imported tokens.

12) If the key.activated.html file exists, the activation is complete. If the file does not exist, please refer to the manual activation process.

Activating manually via Website:

If you don’t use ADUC to activate the SafeWord server, you might need to activate it manually. For off-line activation, two files are provided to the customer upon purchase of tokens:

■ Server license - a software activation file (key.html) that includes an activation key. This key should be entered in place of the software serial ID.

■ An import file containing the serial numbers of the tokens bought by the customer (Import*.dat).

1) If you are simply obtaining the latest activation package (key.html file + import*.dat), please skip to step 11 and continue. If you want to download the activation package for your customers to use, please create the RCR.txt file first by following the steps described below.

a. On the SafeWord installation server, select Start > Programs > Aladdin > SafeWord > Active Directory Users and Computers.

b. Right-click the SafeWord folder in the left directory tree and select Support.

c. Click the Save button to automatically save the RCR.txt file to a temporary directory.

2) Log into the Portal (http://partner.safenet-inc.com) using the user name and password you received during registration.

Note: You may be required to create a login at your first visit to the activation site.

3) Click the SafeWord Activation link on the left pane of the window. The SafeWord Activations page appears.

4) Enter your product SafeWord Software Serial Number in the SafeWord Software Serial Number field. For example: NSXX-XXXX-XXXX-XXXX.

5) Click the Continue button. The SafeWord Activation page appears.

6) Click the Browse button and retrieve the RCR.txt file you saved earlier in this process. The file name displays in the Support Data File field.

7) Enter the product Token Group ID in the Token Group ID field.

8) Scroll down to the bottom of the page and click Submit.

9) You can now download the files that contain the key to activate your software and your token data records. You should back up these files in case you need to reactivate the product or re-import token records later.

10) Right-click on each link and select the Save Target As option. Save the files onto the SafeWord Server and unzip them.

11) Rename the license file to key.html. (For example, change the name from NSxx-xxxx-xxxx-xxxx.html to key.html.)


12) Save the key.html file to the following directory: <Install_Dir>\SafeWord\SERVERS\AdminServer\activation.

Important: Ensure the file name is key.html. Using any variation (key.htm or key.html.html, for instance) will cause the activation to fail.

13) Restart the SafeWord Administration Server and Authentication Engine by browsing to Start > Programs > Administrative Tools > Services, right-click on SafeWord Administration Server and select Restart (repeat for the Authentication Engine).

14) To verify the activation, browse to <Install_Dir>\SERVERS\AdminServer\activation. A successfully processed license file will be renamed to key.activated.html.

15) After a successful activation, the support expiration date will display a value of the valid expiration date.

16) Import the tokens by clicking the Import Tokens button.


17) Select the importAlpine.dat file which was in the downloaded zip file.

18) When the process is done, you will see the corresponding tokens are already in the Tokens folder.

The SafeWord activation is complete.

For more information, you can click the “SafeWord Activation” link to perform on-line activation. Please refer to the following manual: http://www.aladdin.com/pdf/safeword/Safeword-Products-Activation.pdf


2.5 Importing software tokens into your server

If your license is for the mobile soft token, you have to activate the token license by e-mail.

You have to provide the information below to SafeWord’s support.

a) SafeWord 2008 Software Serial number

b) MobilePass serial number(S/N)

c) Units

d) Seed

e) Authorization code(A.C)

And send the E-mail to the support:

[email protected]

After you send that information to SafeWord’s support, they will reply with your “Activation code”.

Step 1. Start > All Programs > Aladdin > SafeWord > Active Directory Users and Computers

Click SafeWord in the left folder tree and then click MobilePASS.

Select the Software Token, and click the Configure Licensing button.

Step 2. Enter the information of the Software Token license

a. Serial Number(S/N)

b. Units

c. Seed

d. Authorization Code(A.C)

e. Activation Code (the support team will respond with the activation code after you send your information about the license)

Enter all the above information, then press the Generate and Import button. The system will automatically import the software token into your server.


After you import the software token, you can check it in the Tokens folder.


3. OTP Authentication to an OTP-protected Network via SSL VPN over ZyWALL USG

In the following example, we will employ Two Factor Authentication (ZyXEL OTP pack) to enhance password security of the SSL VPN application provided by ZyWALL USG.

In order to use this application, you are required to configure your ZyWALL USG and SafeWord according to the following steps:

1) Install the SafeWord server software on a computer.

(Note: Please refer to the SafeWord installation guide in Chapter 2. For more details, please check the SafeNet website for the installation documentation.)

2) Create the user accounts on the ZyWALL USG and in the SafeWord server.

3) Import the tokens’ import file (Import*.dat) into the SafeWord server.

4) Assign the users to the OTP tokens (on the SafeWord server).

5) Configure the SafeWord installation as a RADIUS server in the ZyWALL USG Object > AAA Server screens.

6) Distribute the OTP tokens to the (local or remote) users who will remotely log into the ZyWALL USG.

Note: ZyWALL OTP is a stand-alone product, which is not included in the ZyWALL USG package.

Network Topology

In this example, we will have one token and we will create user “OTP” who will log into ZyWALL USG with OTP.


3.1.1 ZyWALL USG Configurations for Ext-user

Step 1. Create a user account on ZyWALL USG.

1) Go to CONFIGURATION > Object > User/Group and click the “Add” button to create a new user account.

2) Enter the user’s name and description and select the user type “ext-user” on the User configuration page.

3) Click the OK button to finish the configuration on this page.

Step 2. Configure the AAA Server.

1) Go to CONFIGURATION > Object > AAA Server and then navigate to the RADIUS page.

2) Configure the SafeWord server as follows:

Enter the IP address of the SafeWord server in the Server Address field.

Enter the authentication port of the RADIUS server (such as Microsoft IAS); the default value is 1812.

Enter the RADIUS server’s shared secret in the Key field.

Select the Group Membership Attribute; the default value is 11.


Step 3. Configure the Authentication Method.

1) Go to CONFIGURATION > Object > Auth. Method and click the “Edit” button to modify the default authentication method.

2) In the edit page, click “Add” to add “group radius” to the method list.

Step 4. Create the SSL Application(s) according to your needs.

1) Go to CONFIGURATION > Object > SSL Application and click the “Add” button to create an SSL VPN application object.

2) For example, create a web application to remotely access the FTP server via SSL VPN.


Step 5. Create the SSL VPN access policy.

1) Go to CONFIGURATION > VPN > SSL VPN and click the “Add” button to create an SSL VPN access policy.

2) Configure the access policy as:

Enter the policy name and description.

Select the User/Group object to apply this policy to.

Select the application object this policy applies to.

Select the address object to be used if needed.

Click the “OK” button to finish the configuration.


3.1.2 ZyWALL USG Configurations for Ext-group-user

Configuring the User on ZyWALL USG

Step 1. Create a user group account on ZyWALL USG.

1) Go to CONFIGURATION > Object > User/Group and click the “Add” button to create a new user group account.

2) Enter the user group’s name and description and select the user type “ext-group-user” on the User configuration page, then enter the Group Identifier (the Group Identifier must be the same as the attribute value configured on the RADIUS server).

3) Click the OK button to finish the configuration on this page.

Step 2. Configure the AAA Server.

1) Go to CONFIGURATION > Object > AAA Server and then navigate to the RADIUS page.


2) Configure the SafeWord server as follows:

Enter the IP address of the SafeWord server in the Server Address field.

Enter the authentication port of the RADIUS server (such as Microsoft IAS); the default value is 1812.

Enter the RADIUS server’s shared secret in the Key field.

Set the Group Membership Attribute to Class(25).

Step 3. Configure the Authentication Method.

1) Go to CONFIGURATION > Object > Auth. Method and click the “Edit” button to modify the default authentication method.

2) In the edit page, click “Add” to add “group radius” to the method list.

Step 4. Create the SSL Application(s) according to your needs.

1) Go to CONFIGURATION > Object > SSL Application and click the “Add” button to create an SSL VPN application object.

2) For example, create a web application to remotely access the sslotp server via SSL VPN.


Step 5. Create the SSL VPN access policy.

1) Go to CONFIGURATION > VPN > SSL VPN and click the “Add” button to create an SSL VPN access policy.

2) Configure the access policy as below:

a. Enter the policy name and description.

b. Select the User/Group object to apply this policy to.

c. Select the application object this policy applies to.

d. Select the address object to be used if needed.

e. Click the “OK” button to finish the configuration.


3.2.1 SafeWord Server Configurations for Ext-user

Step 1. Create a RADIUS client.

1) Take Microsoft IAS as an example.

2) Right click the RADIUS Client folder and click New > RADIUS Client to add a new setting.

Step 2. Configure the new RADIUS client.

1) Enter the name for the rule.

2) The Client address is the ZyWALL USG’s interface IP address used to access the IAS.

3) Click the “Next” button for the next step.


4) Enter the Shared secret (the “Key” in the ZyWALL USG AAA Server setting).

5) Click the “Finish” button to finish the configuration.

6) The new OTP client has been created.

Step 3. Assign the token to a User.

1) Open the ADUC (Active Directory Users and Computers).

2) Click the “Users” folder to list all users and groups in the RADIUS server.

3) Right click the OTP user, and then click “Properties”. Go to the “SafeWord” tab.

4) Enter the serial number of the assigned token. If needed, enter the PIN code for it. (This PIN is used as the Password when logging into the ZyWALL USG. If no PIN code is set, only the OTP code is entered at login.)


5) After the configuration, you can click the “Tokens” link and check the token status.

Step 4. Enable Remote Access.

1) To allow the user to log in via SSL VPN, you have to enable the Remote Access Permission for this user.

2) Right-click the OTP user, and then click “Properties”. Go to the “Dial-in” tab and choose “Allow access”.


Step 5. Change the sequence of entering OTP and PIN for authentication.

By SafeNet default setting, the password entry sequence is OTP + PIN. You should change this sequence to match ZyWALL USG’s behavior (PIN + OTP). Here are the instructions for this step.

1) Go to the C:\Program files\Aladdin\SafeWord\Servers\Shared\ folder and open the file SCCservers.ini (use Notepad for editing).

2) Search for the string: “# Set this to ‘on’ to force SoftPin to precede the password”

3) At the line “Pin_Before_Password=off”, change the value to ‘on’.

4) Reboot the SafeWord server and check that the SafeWord services have started.


3.2.2 SafeWord Server Configuration for Ext-group-user

Step 1. Create a Group

1) Open the ADUC (Active Directory Users and Computers).

2) Click the “Users” folder to list all users and groups on the RADIUS server.

3) Right click the Users folder and click New > Group to add a new setting.

4) Right click the otpusers group and click Properties > Members to add new users to this group.


Step 2. Assign the token to a User.

1) Right click the aman user, and then click “Properties”. Go to the “SafeWord” tab.

2) Enter the serial number of the assigned token. If needed, enter the PIN code for it. (This one is used as the Password when logging into the ZyWALL USG.)

3) After the configuration, you can click the “Tokens” link and check the token status.


Step 3. Enable Remote Access.

1) To allow the user to log in via SSL VPN, you have to enable the Remote Access Permission for this user.

2) Right-click the OTP user, and then click “Properties”. Go to the “Dial-in” tab and choose “Allow access”.

3) Change the sequence of entering OTP and PIN for authentication.

By SafeNet default setting, the password entry sequence is OTP + PIN. You should change this sequence to match ZyWALL USG’s behavior (PIN + OTP). Here are the instructions for this step.

a. Go to the C:\Program files\Aladdin\SafeWord\Servers\Shared\ folder and open the file SCCservers.ini (use Notepad for editing).

b. Search for the string: “# Set this to ‘on’ to force SoftPin to precede the password”

c. At the line “Pin_Before_Password=off”, change the value to ‘on’.

d. Reload the SafeWord server.

4) Reboot the SafeWord server and check that the SafeWord services have started.

Step 4. Create a RADIUS client.

1) Take Microsoft IAS as an example.

2) Right click the RADIUS Client folder and click New > RADIUS Client to add a new setting.

3) Enter the name for the rule.

4) The Client address is the ZyWALL USG’s interface IP address used to access the IAS.

5) Enter the Shared secret (the “Key” in the ZyWALL USG AAA Server setting).

6) Click the “OK” button to finish the configuration.


Step 6. Set the connection request policy on RADIUS Server.

1) Select the connection request policy and double-click “Use Windows authentication for all users” to edit the attribute’s value.


2) Select the “Settings” page and click the Standard option to add the attribute value.

3) Click the Add button, select the Class option and type the attribute value. (The value must match the Group Identifier entered when adding the user group on the USG.)
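The RADIUS exchange that these settings configure, as an added worked example that is not part of the original support note or of SafeWord/ZyWALL code: it covers the AAA Server settings in 3.1.1 and 3.1.2 Step 2 (port 1812, the Key, Group Membership Attribute Class(25)), the shared secret entered on the RADIUS client in 3.2.1/3.2.2, and the Class value above. It builds an Access-Request as the USG would send it (User-Password hidden with the shared secret per RFC 2865), the Access-Accept the server returns carrying a Class attribute, and the USG-side checks: the Response Authenticator proves the reply came from a holder of the shared secret, and the Class value must equal the configured Group Identifier. The shared secret, the Group Identifier value "otpusers", the user name and the PIN/OTP digits are constructed; no packets are sent.

```python
"""Constructed RADIUS exchange between a ZyWALL USG (RADIUS client) and the
SafeWord/IAS server (RADIUS server): RFC 2865 framing only, no network I/O."""
import hashlib
import hmac
import struct

# RFC 2865 codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CLASS = 1, 2, 25

# Constructed values: the real shared secret and Group Identifier come from your setup.
SHARED_SECRET = b"constructed-shared-secret"
GROUP_IDENTIFIER = b"otpusers"


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (a password may not end in NUL bytes)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, request_auth: bytes) -> bytes:
    """What the USG sends to UDP port 1812: User-Name plus hidden User-Password."""
    attrs = _attr(USER_NAME, username.encode()) + \
        _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        class_value: bytes) -> bytes:
    """Server reply carrying the Class(25) attribute set in the connection request
    policy. Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)."""
    attrs = _attr(CLASS, class_value)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(body: bytes) -> list:
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes):
    """Return (code, attributes) only if the Response Authenticator checks out,
    i.e. the reply was produced by a server that knows the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    try:
        return packet[0], parse_attributes(attrs)
    except ValueError:
        return None


def group_login_allowed(packet: bytes, request_auth: bytes, secret: bytes,
                        group_identifier: bytes) -> bool:
    """USG-side decision for an ext-group-user: a verified Access-Accept whose
    Class(25) value equals the configured Group Identifier."""
    parsed = verify_response(packet, request_auth, secret)
    if parsed is None or parsed[0] != ACCESS_ACCEPT:
        return False
    return any(hmac.compare_digest(v, group_identifier)
               for t, v in parsed[1] if t == CLASS)
```

Two things worth noticing when troubleshooting this setup: a wrong Key on either side does not produce an error message, it simply makes the hidden User-Password decode to garbage and makes every reply fail the Response Authenticator check; and a Class value that differs from the Group Identifier by even one character turns a successful OTP check into a rejected login on the USG.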


Step 7. Require Authentication Group Policy

1) Start > Programs > Secure Computing > SafeWord > Configuration > IAS Agent Configuration.

2) Click the “Groups…” button.

3) Enable the otpusers group and click “OK” to finish the configuration on this page.


3.3.1 Verify OTP Ext-user via Login from the Remote PC

Step 1. Log into the device.

1) Enter the user name, password (PIN code), and the One-Time Password generated by the token.

2) Click the “SSL VPN” button to submit login information.

3) Once the OTP works correctly, you will see the SSL application that has been configured for the user to use.


3.3.2 Verify OTP Ext-group-user via Login from a Remote PC

Step 1. Log into the device.

1) Enter the user name, password (PIN code), and the One-Time Password generated by the token.

2) Click the “SSL VPN” button to submit the login information.

3) Once the OTP works correctly, you will see the SSL application that has been configured for the user to use.


4. OTP Authentication to an OTP-protected Network via IPsec VPN Client over the ZyWALL USG

In the following example, we will employ Two-factor Authentication (ZyXEL OTP pack) to enhance password security by using the SSL VPN application provided by ZyWALL USG.

In order to use this application, you are required to configure your ZyWALL USG and SafeWord according to the following steps:

1. Install the SafeWord server software on a computer. (Note: Please refer to the SafeWord installation guide in Chapter 2. For more details, please check the SafeNet website for the installation documentation.)

2. Create the user accounts on the ZyWALL USG and in the SafeWord server.

3. Import the token import file (Import*.dat) into the SafeWord server.

4. Assign the users to the OTP tokens (on the SafeWord server).

5. Configure SafeWord as a RADIUS server in the ZyWALL USG Object > AAA Server screens.

6. Distribute the OTP tokens to the (local or remote) users who will remotely log into the ZyWALL USG.

Note: ZyWALL OTP is a stand-alone product, which is not included in the ZyWALL USG package.

Network Topology

In this example, we will have one token and we will create the user “OTP”, who will authenticate to establish the IPsec VPN tunnel to the ZyWALL USG.


4.1.1 ZyWALL USG Configurations for Ext-user

Step 1. Create a user account on the ZyWALL USG.

1) Go to CONFIGURATION > Object > User/Group and click the “Add” button to create a new user account.

2) Enter the user's name and description and select the user type “ext-user” on the User configuration page.

3) Click the OK button to finish the configuration on this page.

Step 2. Configure the AAA Server.

1) Go to CONFIGURATION > Object > AAA Server and then navigate to the RADIUS page.

2) Configure the SafeWord server as follows:

Enter the IP address of the SafeWord server in the Server Address field.

Enter the authentication port of the RADIUS server (such as Microsoft IAS); the default value is 1812.

Enter the shared secret of the RADIUS server in the Key field.

Select the Group Membership Attribute; the default value is 11.


Step 3. Configure the Authentication Method.

1) Go to CONFIGURATION > Object > Auth. Method and click the “Edit” button to modify the default authentication method.

2) In the edit page, click “Add” to add “group radius” to the method list.

Step 4. Configure the IPsec VPN Gateway policy.

1) Go to CONFIGURATION > VPN > IPsec VPN and then navigate to the VPN Gateway page.

2) Enter the values for the VPN phase-1 configuration.


3) Enable Extended Authentication and choose the “Server Mode” method.

Step 5. Configure the IPsec VPN Connection policy.

1) Go to CONFIGURATION > VPN > IPsec VPN and then navigate to the VPN Connection page.

2) Enter the values for the VPN phase-2 configuration.


4.1.2 ZyWALL USG Configurations for Ext-group-user

Step 1. Create a user group account on the ZyWALL USG.

1) Go to CONFIGURATION > Object > User/Group and click the “Add” button to create a new user group account.

2) Enter the user group name and description, select the user type “ext-group-user” on the User configuration page, and enter the Group Identifier (the Group Identifier must be the same as the attribute value in the RADIUS setting).

3) Click the OK button to finish the configuration on this page.

Step 2. Configure the AAA Server.

1) Go to CONFIGURATION > Object > AAA Server and then navigate to the RADIUS page.

Configure the SafeWord server as follows:

Enter the IP address of the SafeWord server in the Server Address field.

Enter the authentication port of the RADIUS server (such as Microsoft IAS); the default value is 1812.

Enter the shared secret of the RADIUS server in the Key field.

Set the Group Membership Attribute to Class(25).


Step 3. Configure the Authentication Method.

1) Go to CONFIGURATION > Object > Auth. Method and click the “Edit” button to modify the default authentication method.

2) In the edit page, click “Add” to add “group radius” to the method list.

Step 4. Configure the VPN on the ZyWALL.

1) Go to CONFIGURATION > VPN > VPN Gateway and click the “Add” button to create a new VPN Gateway.

2) Enter the Pre-Shared Key.


3) Select the type of encryption and authentication in the “Proposal” section.

4) Go to CONFIGURATION > VPN > VPN Connection and click the “Add” button to create a new VPN Connection tunnel.


5) Select the type of encryption and authentication in the “Proposal” section.


4.2.1 SafeWord Server Configuration for Ext-user

Step 1. Create a RADIUS client.

1) Take Microsoft IAS as an example.

2) Right-click the RADIUS Client folder and click New > RADIUS Client to add a new setting.

Step 2. Create a RADIUS client.

1) Enter the name for the rule.

2) The client address is the ZyWALL USG interface IP address from which the USG reaches IAS.

3) Click the “Next” button for the next step.


4) Enter the shared secret (the “Key” in the ZyWALL USG AAA Server setting).

5) Click the “Finish” button to finish the configuration.

6) The new OTP client has been created.

Step 3. Assign the token to a user.

1) Open the ADUC console (Active Directory Users and Computers).

2) Click the “Users” folder to list all users and groups on the RADIUS server.

3) Right-click the OTP user, and then click “Properties”. Go to the “SafeWord” tab.

4) Enter the serial number of the assigned token. If needed, enter the PIN code for it (this PIN is used as the Password when logging into the ZyWALL USG).


5) After the configuration, you can click the “Tokens” link and check the token status.

Step 4. Enable Remote Access.

1) To allow the user to log in via SSL VPN, you have to enable the Remote Access Permission for this user.

2) Right-click the OTP user, and then click “Properties”. Go to the “Dial-in” tab and choose “Allow access”.


Step 5. Change the sequence of entering OTP and PIN for authentication.

By the SafeNet default setting, the password entry sequence is OTP + PIN. You should change this sequence to match the ZyWALL USG's behavior (PIN + OTP). Here are the instructions for this step.

1) Go to the C:\Program files\Aladdin\SafeWord\Servers\Shared\ folder and open the file SCCservers.ini (use Notepad for editing).

2) Search for the string “# Set this to 'on' to force SoftPin to precede the password”.

3) At the line “Pin_Before_Password=off”, change the value to ‘on’.


4) Reload the SafeWord server and check that the SafeWord services have been activated.


4.2.2 SafeWord Server Configuration for Ext-group-user

Step 1. Create a group.

1) Open the ADUC console (Active Directory Users and Computers).

2) Right-click the Users folder and click New > Group to add a new group.

3) Right-click the otpusers group and click Properties > Members to add users to this group.


Step 2. Assign the token to a user.

1) Open the ADUC console (Active Directory Users and Computers).

2) Click the “Users” folder to list all users and groups on the RADIUS server.

3) Right-click the OTP user, and then click “Properties”. Go to the “SafeWord” tab.

4) Enter the serial number of the assigned token. If needed, enter the PIN code for it. (This PIN is used as the Password when logging into the ZyWALL USG.)

5) After the configuration, you can click the “Tokens” link and check the token status.

Step 3. Enable Remote Access.

1) To allow the user to log in via SSL VPN, you have to enable the Remote Access Permission for this user.

2) Right-click the OTP user, and then click “Properties”. Go to the “Dial-in” tab and choose “Allow access”.


Step 4. Change the sequence of entering OTP and PIN for authentication.

By the SafeNet default setting, the password entry sequence is OTP + PIN. You should change this sequence to match the ZyWALL USG's behavior (PIN + OTP). Here are the instructions for this step.

1) Go to the C:\Program files\Aladdin\SafeWord\Servers\Shared\ folder and open the file SCCservers.ini (use Notepad for editing).

2) Search for the string “# Set this to 'on' to force SoftPin to precede the password”.

3) At the line “Pin_Before_Password=off”, change the value to ‘on’.


4) Reload the SafeWord server and check that the SafeWord services have been activated.

Step 5. Create a RADIUS client.

1) Take Microsoft IAS as an example.

2) Right-click the RADIUS Client folder and click New > RADIUS Client to add a new setting.

3) Enter the name for the rule.

4) The client address is the ZyWALL USG interface IP address from which the USG reaches IAS.

5) Enter the shared secret (the “Key” in the ZyWALL USG AAA Server setting).


6) Click the “OK” button to finish the configuration.

Step 6. Set the connection request policy on the RADIUS server.

1) Select the connection request policy and double-click Use Windows authentication for all users to edit the attribute's value.


2) Select the “Settings” page and click the Standard option to add the attribute value.

3) Click the Add button, select the Class option and type the attribute value. (The value must match the Group Identifier set when adding the user group on the USG.)
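The check that ties the two sides together, the Class(25) value configured in the IAS connection request policy above and the Group Identifier with Class(25) as Group Membership Attribute on the USG, as an added example in Python (not ZyXEL, SafeWord or Microsoft code). It builds the RADIUS Access-Accept a server would return, verifies its Response Authenticator under the shared secret (the Key field) and then compares the Class attribute with the Group Identifier; the secret, Request Authenticator and group name are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_CLASS = 25   # "Class(25)", the Group Membership Attribute selected on the USG


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs (1-byte type, 1-byte length incl. header)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode RADIUS attribute TLVs, rejecting truncated or zero-length entries."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, bytes(data[pos + 2:pos + length])))
        pos += length
    return attrs


def response_authenticator(code, ident, length, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_access_accept(ident, request_auth, secret, class_value):
    """Build the Access-Accept IAS would send: it carries the Class attribute from the
    connection request policy and is bound to the request with the shared secret."""
    attrs_bytes = encode_attrs([(ATTR_CLASS, class_value)])
    length = 20 + len(attrs_bytes)
    auth = response_authenticator(ACCESS_ACCEPT, ident, length, request_auth, attrs_bytes, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + auth + attrs_bytes


def check_accept(packet, request_auth, secret, group_identifier):
    """Validate a RADIUS reply the way the USG's ext-group-user lookup needs it.

    1. The Response Authenticator must verify under the shared secret (the Key field),
       so a reply from a host that does not know the secret is discarded.
    2. The reply must be an Access-Accept.
    3. A Class(25) attribute must equal the Group Identifier configured on the USG,
       otherwise the user is not mapped to the ext-group-user object.
    Returns (accepted, reason).
    """
    if len(packet) < 20:
        return False, "packet shorter than the RADIUS header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length field does not match packet size"
    attrs_bytes = packet[20:length]
    expected = response_authenticator(code, ident, length, request_auth, attrs_bytes, secret)
    # Constant-time compare: the authenticator is the only thing binding the reply to the secret.
    if not hmac.compare_digest(packet[4:20], expected):
        return False, "Response Authenticator mismatch (wrong shared secret or tampered reply)"
    if code != ACCESS_ACCEPT:
        return False, "access rejected by the RADIUS server"
    classes = [value for attr_type, value in decode_attrs(attrs_bytes) if attr_type == ATTR_CLASS]
    if group_identifier.encode() not in classes:
        return False, "no Class attribute matches the Group Identifier %r" % group_identifier
    return True, "ok"


def demo():
    """Constructed values: a shared secret, a fixed Request Authenticator, and the group name
    'otpusers' used in this document as both the Class value and the Group Identifier."""
    secret = b"example-shared-secret"     # constructed; the Key field on the USG
    request_auth = bytes(range(16))       # constructed; normally 16 random bytes per request
    reply = build_access_accept(7, request_auth, secret, b"otpusers")
    tampered = reply[:22] + b"adminusr"   # same length, Class value altered after signing
    return (
        check_accept(reply, request_auth, secret, "otpusers")[0],           # True: genuine, group matches
        check_accept(reply, request_auth, secret, "staff")[0],              # False: Group Identifier differs
        check_accept(reply, request_auth, b"wrong-secret", "otpusers")[0],  # False: secret mismatch
        check_accept(tampered, request_auth, secret, "adminusr")[0],        # False: authenticator fails
    )


if __name__ == "__main__":
    print(demo())
```

The last two cases are the ones worth keeping in mind when a login mysteriously fails: a mistyped Key on either side or a Class value that differs from the Group Identifier by a single character both end in the same Access-Reject experience on the USG.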


Step 7. Require Authentication Group Policy.

1) Go to Start > Programs > Secure Computing > SafeWord > Configuration > IAS Agent Configuration.

2) Click the “Groups…” button.

3) Enable the otpusers group and click “OK”.


4.3 ZyWALL IPsec VPN Client Configuration

Step 1. Configure the IPsec VPN Phase 1 policy.

1) Enter the values for the VPN phase-1 configuration.

2) Click the “Advanced Settings” button and enable the X-Auth Popup feature.

Step 2. Configure the IPsec VPN Phase 2 policy.

1) Enter the values for the VPN phase-2 configuration.


2) Click the “Save & Apply” button to finish the configuration and save it.

3) You can trigger the IPsec VPN tunnel by clicking the “Open Tunnel” button.


4.4 Verify OTP via Login from the VPN Client

Step 1. Trigger the IPsec VPN tunnel.

1) Click the “Open Tunnel” button on the IPsec VPN client. (The VPN tunnel must be triggered from the client side because it is a dynamic tunnel.)

2) During Phase-1 authentication, the authentication window pops up for the X-Auth login.

3) Enter the user name in the “Login” field and PIN code + OTP in the “Password” field.

Step 2. Establish the IPsec VPN tunnel.

1) There is only a 10-second window to enter the authentication information into the X-Auth window. If you take longer, the tunnel will fail to establish. You can see the message flow on the VPN Console as in the picture below.

2) If the VPN tunnel is established successfully, you will see the following message exchange on your VPN Console.


Step 3. Check the VPN tunnel status.

You can see that the VPN connection status is Connected on the CONFIGURATION > VPN > IPsec VPN > VPN Connection page. You can also check the IPsec VPN SA on the MONITOR > VPN Monitor > IPsec page.


5. Mobile OTP Authentication to an OTP-protected Network

5.1 Create the Software Token on your Windows computer

Step 1. Download SafeNet MobilePASS from the link below to your computer.

http://www.safenet-inc.com/support-downloads/mobilepass-download-page/

1) After downloading the file, open the application and click the Activate Now button.

2) After clicking the Activate Now button, the soft token activation string will appear.


3) Open Active Directory Users and Computers and select a user that is to use OTP authentication.

4) Right-click the user name and select Properties.

5) Select the SafeWord tab.


Step 2. Create the software token for this user.

1) Press the Wizard button to create the software token.

2) Enter the Activation Code from SafeNet MobilePASS.

3) After the configuration, you can click the “Tokens” link and check the token status.


4) Enter the PIN code for this user and configure it in SafeNet MobilePASS.

5) After entering the PIN code, you will be asked to re-enter the PIN code for verification.


(The server PIN code and the mobile PIN code are of different types; the mobile PIN code makes the mobile token more secure.)

6) After completing the step shown below, you can test that MobilePASS is working against your SafeWord server.

When you confirm this step, the mobile token on your mobile device will be ready for use.

If you want to get a one-time password, you have to enter the mobile PIN code that you configured first.


This is a safety precaution in case your mobile device is stolen.

5.2 Create the Software Token on your iPhone, iPad or Mac OS

Step 1. Download SafeNet MobilePASS from iTunes (search for the keyword “safenet”).

You can find the application when you search for “Safe MobilePass” in iTunes.

1) After downloading the file, open the application and click the Activate Now button.


2) After clicking the Activate Now button, a soft token activation code will appear.

3) Open Active Directory Users and Computers and select a user that is to use OTP authentication.

4) Right-click the user name and select Properties.

5) Select the SafeWord tab.


Step 2. Create the Software token for this user.

1) Press the Wizard button to create the software token.


2) Enter the Activation Code from SafeNet MobilePASS.

3) After the configuration, you can click the “Tokens” link and check the token status.


4) Enter the PIN code for this user and configure it in SafeNet MobilePASS.

5) After entering the PIN code, you will be asked to re-enter the PIN code for verification.


(The server PIN code and the mobile PIN code are of different types; the mobile PIN code makes the mobile token more secure.)

6) After finishing the step shown below, you can test that MobilePASS is working against your SafeWord server.

When you confirm the last step, the mobile token on your mobile device will be ready for use.

If you want to get a one-time password, you have to enter the mobile PIN code that you configured first.

This is a safety precaution in case your mobile device is stolen.


5.3 Create a Software Token on your Android OS

Step 1. Download SafeNet MobilePASS from Android Market (search for the keyword “safenet”).

1) After downloading the file, open the application and click the Activate Now button.


2) After clicking the Activate Now button, the soft token activation code will appear.

3) Open Active Directory Users and Computers and select a user that is to use OTP authentication.

4) Right-click the user name and select Properties.

5) Select the SafeWord tab.


Step 2. Create the software token for this user.

1) Press the Wizard button to create the software token.

2) Enter the Activation Code from SafeNet MobilePASS.


3) After the configuration, you can click the “Tokens” link and check the token status.


4) Enter the PIN code for this user and configure it in SafeNet MobilePASS.

5) After entering the PIN code, you will be asked to re-enter the PIN code for verification.

(The server PIN code and the mobile PIN code are of different types; the mobile PIN code makes the mobile token more secure.)


6) After finishing the step shown below, you can test that MobilePASS is working against your SafeWord server.

When you confirm the last step, the mobile token on your mobile device will be ready for use.

If you want to get a one-time password, you have to enter the mobile PIN code that you configured first.

This is a safety precaution in case your mobile device is stolen.


6 Advanced scenario

6.1 A Lab of the “Guest for OTP” scenario

We always have guests coming to visit our company. We want to use OTP to let guests use the Internet while preventing them from using the same password to access the Internet on their next visit.

Step 1. Add the guest accounts to your AD.

1) Add the guest accounts in ADUC.

Step 2. Assign the token to the users.

1) Right-click on the guest > Properties > SafeWord.

2) Enter the serial number of the assigned token and enter the PIN code for it.


3) Enable remote access.

Right-click on the guest > Properties > Dial-in.

Select the Allow access option under Network Access Permission.

4) Add all of the guest accounts to a group.


Step 3. Set up the RADIUS server.

1) Create a RADIUS client.

Right-click the RADIUS Client folder and click New > RADIUS Client to add a new setting.

2) Set the connection request policy on the RADIUS server.

Select the connection request policy and double-click Use Windows authentication for all users to edit the attribute value.


3) Select the “Settings” page and click the Standard option to add the attribute value.

4) Click the Add button, select the Class option and type the attribute value. (The value must match the Group Identifier set when adding the user group on the USG.)


5) Require authentication group policy.

Go to Start > Programs > Secure Computing > Configuration > IAS Agent Configuration.

Click “Groups…”, enable the guest group, and then click “OK”.


Step 4. Set the user policy on the USG.

1) Add a user/group object for the guests (the Group Identifier must match the attribute value in the RADIUS setting).

2) Configure the AAA Server.

CONFIGURATION > Object > AAA Server > RADIUS

Enter the RADIUS server's IP address and authentication key.

Set the Group Membership Attribute to Class(25).

3) Configure the Auth. Method.

CONFIGURATION > Object > Auth. Method

Select group radius as the first authentication method.


Step 5. Set up the SSL VPN and assign the OTP users.

1) Add the user object to the SSL VPN policy to allow the guests to access the Internet.

2) A guest cannot log in again without a new one-time password.

6.2.1 Transfer of license to a new server (SafeWord license backup)

Backing up the registration information is very important. It simplifies transferring the tokens from a crashed server to a new server.

1) Open ADUC > right-click SafeWord > Activate product

2) Enter your registration information (the e-mail address and the password).

3) Enter the token group ID.

4) After you submit your serial number and the token group ID, the registration information will be installed into your server.

5) After completion, right-click the web link and choose “Open in new window” to save the file.

6) Save the file.

You can install a new server using these files.

6.2.2 Import the token license into a new server

After you back up your license, you can follow the steps below to finish importing the token license into your new server.

1) First, you have to install the SafeWord 2008 Server on your new server.

When the installation is complete, you can find the SafeWord options in Active Directory Users and Computers (ADUC), but there will be no physical token numbers in the Tokens folder.

2) You now have to import the tokens into SafeWord.

Start > Programs > Aladdin > SafeWord > Active Directory Users and Computers > SafeWord > Tokens

Click the “Import tokens” button and select the “import*.dat” file.

3) After the process is done, you will see the corresponding tokens in the Tokens folder.

All of the users and tokens will be automatically synchronized.

7. OTP Troubleshooting

This chapter lists the guidelines for troubleshooting during different stages:

(1) Installation: If the installation fails, please check:

Does the target system meet all prerequisites/requirements?

Check the install.log file, which can be found in:

(32-bit OS) Program Files\Aladdin\SafeWord\Installs

(64-bit OS) Program Files(x86)\Aladdin\SafeWord\Installs

(2) Activation:

If manual activation fails, please confirm that only the file named key.html is being used.

Try restarting the Administrator server, the Authentication engine and ADUC.

If the server still doesn’t work, please contact ZyXEL support with the activation key and the error message.

(3) Token import failure: If all/some imported records are rejected:

Check whether the authenticators have already been imported (in the Event Viewer in ADUC, filter by event type).

(4) Server update: If the auto updater fails with the error message “Error verifying signature: Class not registered”:

Run the existing Auto Updater (which will fail).

Then go to Program Files\Aladdin\SafeWord\Patches and launch setup_aua.exe (this manually patches AUA to the newest version).

(5) Authentication:

If authentication fails:

Verify that the token password was entered correctly.

Check that the token has been imported.

Verify that the token serial number matches the serial number of the token assigned in the user record.

Verify that the user entered their user name correctly at login.

Confirm that the IP address of the SafeWord server is correctly entered in the Authentication Settings field of the Administration window.

If authentication is successful, but access is denied:

Check user access privileges.

Check user status (account expired / locked, etc.).

Is user role correct?

Does user’s role point to the correct ACL?

Does ACL entry restrict access to the requested resource?

(6) Server status:

How to determine if a port is active?

For Windows, use the “netstat -an” command, then search the output manually for active ports.

Server(s) not responding:

Use the configuration utility to check the server status, as shown below.

Restart the server(s).

(7) Re-sync the token:

How to re-sync the token?

After assigning the token to a user, you can enter the token-generated password in the Passcode field and then press the Test button. If the result is “Failed”, you must re-synchronize your token.

1) Select the Re-sync button, and enter the passcode in the first passcode field.

2) Re-generate the passcode immediately and enter the new passcode in the second passcode field.

3) Then click the Re-sync button; the token and the Authentication Server will be synchronized.
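The reason the re-sync dialog asks for two passcodes generated back to back is that the server searches a bounded look-ahead window of token counters for a consecutive pair before it moves its stored counter. The block below is an added illustration of that search, not SafeWord code: the support notes do not state the token algorithm, so RFC 4226 HOTP is assumed as a stand-in for an event-based token, and the seed and counters are constructed values.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """Event-based OTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def resync(secret, server_counter, first_code, second_code, window=100):
    """Re-synchronize a token that has drifted ahead of the server.
    The two codes must come from consecutive token presses; requiring the
    pair (rather than a single code) inside a bounded window keeps a replayed
    or guessed value from moving the server counter. Returns the counter the
    server should store next, or None if no consecutive match is found."""
    for c in range(server_counter, server_counter + window):
        if hotp(secret, c) == first_code and hotp(secret, c + 1) == second_code:
            return c + 2
    return None

# Constructed demo (not a SafeWord token seed): the server last saw counter 0,
# but the token has been pressed 37 times since it was assigned.
TOKEN_SEED = b"constructed-token-seed-12345"
SERVER_COUNTER = 0
TOKEN_COUNTER = 37

def demo():
    first = hotp(TOKEN_SEED, TOKEN_COUNTER)       # value typed in the first passcode field
    second = hotp(TOKEN_SEED, TOKEN_COUNTER + 1)  # regenerated immediately, second field
    return resync(TOKEN_SEED, SERVER_COUNTER, first, second)

if __name__ == "__main__":
    print(demo())  # 39: the server now expects the token's 40th press next
```

A token that has drifted past the window (here 100 presses) cannot be re-synced this way and needs a larger window or a fresh assignment.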
