G/On Installation Guide & Admin Manual
Contents
Users tab (G/On Admin)
The user pane shows, for the loaded user: Account, Account is (status), Expires, Last login, Failed attempts, Current status, Groups, Extended information, User info, Adopted EDCs and a User menu preview. Zone filtering can be applied to the preview (Use zone filtering on menu / Limit user menu preview to the selected zones). Nothing is shown until a user has been loaded.

Administrator access requires the additional password that was configured during the G/On Builder installation and configuration process. Press F3, or choose Administrator mode from the File menu, to enter administrator mode in G/On Admin.

Defining Administrator Levels in G/On Admin
Access to the different tabs of G/On Admin's advanced functionality corresponds directly to group levels as they are defined in AD. Two additional groups can be added to AD, and the relevant technical personnel can be assigned to any AD group whose name ends with:
- Helpdesklevel1 (GHotline1): basic user menu management
- Helpdesklevel2 (GHotline2): advanced user menu management
For example, membership of a group called GiritechGHotline2 gives the user GHotline2 rights.
Giritech A/S 2008
Note: If you did not enter a username and password in G/On Builder, a built-in default username and password apply. Replace them with your own credentials before the server is reachable by users; a shared, documented default is the first thing an attacker will try.
Contents (excerpt)
Completing and Activating the G/On Server 33
Moving G/On to another Server 34
Installing Multiple G/On Servers 35
Upgrading G/On 37
Introduction 37
Installing the Upgrade 38
G/On Builder Changes during Upgrade 39
Upgrading your Clients to the Latest Version 40
Migrating to MS SQL Databases 41
Important Changes to Zone Rules for USB Keys 42
Zone Configuration with the G/On AccessRules Manager 43
Zones 44
Setting up Zones 45
How to Manage Zones 46
Defining Your Own Zones 46
Examples of Zones
6. Right-click the Update CD menu item, select Properties, check Force to Root, then Save.
7. Notify users via email to select the menu item that updates their RW partition.

If you do not want to automate the entire procedure, you can instead inform the users manually (for example via email) to run G/Update themselves. The steps to configure the Update Templates for the CD and the RW partition are basically the same, but you do not need to create an Update Zone or use the menu parameters hide, autolaunch and nodialogue.

Desktop Clients: the user should be directed to launch G/Update from the directory where the Desktop client was installed, usually C:\Program Files\GOn Desktop.
G/On USB Key users should be instructed to open My Computer, select the G/On update CD partition and right-click the G/On icon. If updates are available they will be asked to Run G/Update.
If the user runs G/Update from the command prompt, be aware that any window open onto the USB key's CD or RW partition will cause G/Update to stop and issue an error message (the original shows a screenshot of a directory listing of the key). In that case direct the user to close all open applications that point to the USB device and then run G/Update again.
MS SQL database
1. In the Database Settings of the User Directory tab, enter the server in the format Servername\Instance (the screenshot shows servername\SQLEXPRESS) and the Database name. For more information consult Chapter 2, Configuration of Database section. Use the same settings here as you defined when installing the MS SQL database.
2. Update the Username and Password fields with the username and password you defined when installing your MS SQL database. The screenshot uses sa; for production use a dedicated SQL login with rights only on the G/On database, or NT Authentication, rather than the sa account.
3. Press Update Database.
Note: MS SQL NT Authentication uses the credentials of the EMCADS process (the account the G/On service runs as) to validate against the MS SQL server, and NOT the Username and Password in the Database Settings fields. That service account therefore needs a login on the SQL server.

MySQL database
The last option is MySQL, chosen by selecting MySQL in the Database type field. Note that we only recommend MySQL if it is already installed and requested by the customer. Support for MySQL is limited to version 4.0.21; attempting to use other versions may cause errors. If you do not already have a copy of this version of MySQL, contact support@giritech.com.
1. If you use MySQL, enter the IP address of the MySQL server.
2. Enter the Username and Password as defined on your MySQL server.
Example ini file with a G/On access group per domain:

    [AD]
    Emcads group = G/On access group

    [Domain 1]
    DNS name = mydomain.com
    Emcads group = Domain admins

    [Domain 2]
    DNS name = myotherdomain.com

Synchronize all domains together
Instead of maintaining a group for G/On access in each domain, it could be more efficient to maintain one universal group containing users from all of the domains. To synchronize data in this setup your ini file could look like this:

    [AD]
    Emcads group = G/On access group
    Domain local only = False

This configuration assumes that the user account used for running AdSync is logged into the domain containing the G/On access group. Setting Domain local only to False ensures that entries from other domains are imported as well. If the domain containing the Emcads group is a different domain from the one the user account is logged into, simply add the domain in question in a Domain section:

    [AD]
    Emcads group = G/On access group
    Domain local only = False

    [Domain 1]
    DNS name = mydomain.com

Note that Domain local only can also be specified in a [Domain xxx] section to override the value specified in the [AD] section. This is in fact the case for all options in the [AD] section.

Database setup
If the database connection information in G/On Builder is valid for AdSync (i.e. the database is SQL Server), you do not need to specify anything regarding the database in the ini file.
Users can be added to G/On via:
- Synchronization with the Active Directory
- Locally adding users

Synchronization with Active Directory
If you choose to synchronize with Active Directory, create a G/On specific group (default name Emcads) and assign the users that will be using G/On to that group. Using the AD synchronization tools (USync or AdSync) your users are automatically imported from Active Directory. When syncing users from AD only the Full Name value is synchronized; all other values must be added manually on the User Information tab. By default all AD-synchronized users are active; for more information on activating users see the section Activating/Enabling Users later in this chapter.
Warning: Changes made in G/On Admin to AD-defined groups and users will be overwritten the next time you synchronize with AD. Management of groups, their associated menus and zones is explained in Chapter 6.

Locally Adding Users
You can also create users directly in G/On. To add a user:
1. Go to G/On Admin > Users tab > Add User.
2. In the User Edit window enter the credentials of the user (User id / login name, Full name, New password and Repeat new password, contact details, and optionally an Alternative authentication domain).
3. Activate the account by checking Account active; optionally check Account expires and set an expiry date. Last login and Failed attempts on the same form are informational.
Manually Adopting EDCs 94
Distributing & Deploying Clients 95
Best Practice Distribution Methods 95
Distribution Methods Step by Step 96
Deploying Clients with G/Update 98
Deploying G/On USB Clients 99
Deploying Desktop Client 99
Instructing Users to Deploy Keys 100
Upgrading Clients 102
How G/Update works on Upgrade 102
Automating update of the Clients and the Applications after upgrade 103
Automatically Update Clients CD Partition 104
Creating an Update Menu Item 107
> Click Save. Your template is now updated. You may now proceed to Step 4 to fill in the template.
Note: For more information on other Default Parameters such as BROWSER or PORT, consult the Default Parameters table later in this chapter. You can specify values directly in the Application String; however, by making them parameters you have the option of targeting the same string at more than one server and more than one company.

Step 4: Apply the settings to make your applications work in your environment
Once you have verified that the contents of your application template are correct, proceed to the Menu actions tab to fill in the template.
> Go to G/On Admin > Menu Actions tab.
To get an Application String to work you must apply your company's configuration to the template by creating a menu action. A Menu Action is the connector between the Application String and the menu that a user sees: it targets an application string at a specific server or application before the string is added to a user group's menu. In the example the template exposes the parameters WEB_SERVER, TRAY_HINT, APPLICATION_NAME and PATH.
> Click the Create new Action button.
> Select the application template you want to fill in.
In this example those parameters are the ones you are prompted to fill in.
make sure the needed number of servers was acquired for your license. If you intend to simply make copies of your primary installation, make sure this installation is completely configured according to this G/On Admin Guide and running as expected.
4. Document the G/On License Configuration of the primary installation, either by taking screenshots of each G/On Builder page or by writing down the settings. Copy the private and public key pair with a tool like Notepad and save the text file on a share that can be reached from the other server PCs that will run G/On. The private key is the server's identity, so restrict that share to the installing administrators and delete the file once the other servers are configured.

Now you are ready to install and run the second server:
1. Copy the server root directory (default C:\Program Files\Emcads) on the primary server PC, with all files and subdirectories, to the second server.
2. On the second server, delete the file license in the server root directory.
3. Start G/On Builder and redo the G/On License Configuration. Paste in the private and public key pair from Notepad and make sure the rest of G/On Builder is configured exactly as on the primary server. Do a Renew License followed by a Save & Activate.
4. Install the G/On Service via the Emcads Service pull-down menu in G/On Builder.
5. Start the service.
If you need to run more than 2 servers, repeat these 5 steps for each additional server you need to install.

Chapter 5: Upgrading G/On
Upgrading your G/On installation is a simple procedure.
server to enable installation without a USB server token in the server. The rest of the installation follows the standard G/On installation guidelines as outlined in the remainder of this document.

Section checklist. Did you:
- verify that your server meets the software and hardware requirements?
- review your bandwidth?
- place the G/On server in the recommended location in your environment?
- configure your firewall?
- open port 80 outbound on the firewall, needed to activate and upgrade your G/On installation?
- arrange the necessary hardware, IP addresses or PAT for failover?
- configure your user directory with trust to the appropriate domains?
- check that your corporate PCs meet the client software and hardware requirements?
- establish all the external DNS settings?
- prepare your MS SQL database, or decide to use the native EDMS?
- read the stipulations for use of virtual servers?

Chapter 3: Installing G/On
Chapter 3 is a walkthrough of an initial installation of G/On. If you are upgrading from a previous version of G/On, there is a complete walkthrough and reference guide for upgrading in Chapter 5. Now that you have completed the environmental preparations outlined in Chapter 2, let's get started installing G/On. This chapter covers the initial installation of G/On using G/On Builder.

Unpacking your G/On Product
When you receive the G/On product it consists
Client Source Network example settings: the EDC settings used in this example (EDC Manufacturer, EDC Firmware, EDC Host, Operating System, OS Major and Minor Version, EDC Media Class, Device Volume Serial Number, Volume Label) can be copied as standard. The Host Machine Domain field should be edited to reflect your company's domain, using the Not Equal To operator preceding the domain name; the format should look like GIRITECH.COM, i.e. domainname.com.
In this scenario, if the user connects with the USB key on a non-Giritech domain machine, the Outside zone rule is in effect: the Inside rule's Host Machine Domain match fails, while the Outside rule (G/On USB key and domain Not Equal To the company domain) matches, directing the user to the Outside zone.

Important Changes to Zone Rules for USB Keys when upgrading from pre-3.3 G/On
As of version 3.3 and onwards you need to review zone rules that apply to USB keys: the standard EDC format has changed. For users upgrading from previous versions of G/On there is a rule update that will convert your EDC Media Class value from CDROM to the new USBG value (the screenshot shows rule 2, Outside zone, with the updated EDC values).
Import/export
You could also use the import/export options described above. Either approach can be used; it depends very much on the local setup which of these options you should use. From a performance perspective, the tests we have made do not show any performance issues with remote AD or database connections; this is however strongly dependent on network performance.

Troubleshooting AdSync
Below are some problems that may occur and suggestions for solving them.

dbi operation error: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified in LOGIN
Cause: The ODBC connection could not be found.
Solution: Check that the name specified in the configuration file under ODBC source is a valid ODBC connection.

dbi internal error: Elevate Software DBISAM: Invalid SQL data type in input binding
Cause: Missing or wrong database encoding string in the configuration file.
Solution: Add the Encoding option value in the configuration file; ISO-8859-1 is the standard Latin encoding.

dbi internal error: Elevate Software DBISAM: DBISAM Engine Error 10498 Insufficient rights to the table COL User, Password (16) required in EXEC
Cause: The database is encrypted.
Solution: Uncheck the Encrypt data checkbox in the User Directory tab in G/On Builder. Note that this turns off encryption of the EDMS database, so weigh it against the need for AdSync before applying it on a production server.

dbi program error: [Microsoft][SQL Native Client][SQL Server] Invalid object name EDL user in EXEC
Cause: The default
Migrating to MS SQL Databases
1. Once you have upgraded to G/On 3.4 you can migrate to the new database version:
   a. Back up your G/On installation.
   b. Install and upgrade from the prior version of G/On to G/On 3.4.
   c. Update your existing database.
   d. Verify that you have prepared the MS SQL environment according to the guidelines provided in Chapter 2 of this manual.
2. Once you have upgraded to G/On 3.4, take a full database backup from G/On Admin > File > Backup and Restore. Do not overwrite your old backup.
3. Go to the User Directory tab in G/On Builder.
4. Change the Database type to MS SQL and change the settings for Server hostname, Username and Password (the screenshot shows servername\SQLEXPRESS; NT Authentication and External MS SQL Server are the other options shown). More information on these settings can be found in the chapters on Configuration Requirements and in the Installation and configuration section of this manual.
5. Press Update Database.
6. Restore the backup you created in step 2 from G/On Admin > File > Backup and Restore into the new MS SQL database.
This happens automatically when you update your database as part of step 4 in G/On Builder Changes during Upgrade (page 39). For security purposes you should review all your zone rules for USB keys and change the values for EDC Manufacturer to HAGIWARA and EDC Media Class to USBG (the screenshot also shows EDC Class USBUSBSTOR and EDC Interface 0). Unless you are using a specific EDC Serial Number, the other fields such as EDC Firmware, Class and Interface should be left blank.
Note that Volume Label under Device will change on USB keys depending on whether you are accessing the ReadWrite or ReadOnly partition. This field should therefore not be used in standard zone definitions for USB keys.

Defining an Upgrade Zone
To define an upgrade zone you need to fill out the Client Version field.

Once you have defined all your zones, you will need to assign the Default Menu available to users in each defined zone (Groups tab: Group title, Group type and Group details).
Validation settings
The Validation settings on the User Directory tab of G/On Builder determine the general rules for how your G/On installation validates the various aspects of a connection. Many of these settings are optional, but guidelines for best practice and recommendations are given in the sections below. Review each setting carefully.

Max login attempts
This setting determines the number of failed login attempts before the user account is locked. Once a user has been locked out, only the G/On Administrator can unlock and re-activate the user's account. For more information on re-activating users, consult the section for the Users tab in the G/On Admin chapter.
- Select the number of failed login attempts you will allow before locking a user.

Enable the rule set validation engine
Other than allowing or disallowing clients based on whether the EDC is adopted or not, G/On lets you set up validation rules. These connection rules are based on access zones, which are defined in the AccessRules Manager. The same pane also shows Encrypt data (only affects EDMS) and Cache ruleset (improves performance on
employed, you may be required to adopt or manage the Desktop clients after the user attempts to connect but before G/Update can complete the deployment.
Note: To run G/Update, the G/On Desktop Client EDC must either already be adopted on the G/On server or the Auto Adopt feature must be turned on. Consult Chapter 8 on Adoption for more information.
Please be aware that the described default installation only installs the basic G/On clients delivered with G/On on the desktop. If you need to include any special client-side software, you will need to direct the user, or force the user via a menu item, to run a G/On Update with the parameters getall and updaterw; refer to the section on G/Update for details on additional parameters.

Distributing Identity Files
If the Desktop client is installed as part of a corporate image without the IDENTITY file, then in order to fully deploy the G/On Desktop client you will have to distribute or post the IDENTITY file on a network share. Instruct the user to copy the IDENTITY file to C:\Program Files\GOn Desktop and launch G/On. If you have chosen the Manual Adoption method, the user will have to contact the system administrator to be adopted; the administrator can review the user's PC information and ask the user questions about the PC before granting access.

1. Insert your new G/On USB key into a PC running any of the supported operating systems. Give the PC time to recognize the key.
expires (with a Reset button). Locally created users must be manually enabled by checking the Account active check box. The form also carries Address, Full name, Home phone, Mobile phone, Title and Zip code.

Enabling Locked Out Users
In G/On Builder you defined the number of failed attempts each user is allowed before being locked out of the system. If a user is locked out, the account is de-activated. To reactivate the account:
1. Go to G/On Admin > Users tab > Edit User.
2. Check Account Active.
3. Evaluate whether you want to reset the number of failed login attempts.
4. Save changes.

To Delete a User
1. Go to G/On Admin > Users tab > Delete User.
Note: Only locally created users are permanently deleted with this function. If you delete a user that has been defined by your Active Directory, the user will be added again the next time you synchronize, unless you remove the G/On association from the user in Active Directory.

Online Users
The Online Users dialog lists Username, Online status and Last change, with Select All and Select None buttons. To disconnect a user:
1. Go to G/On Admin > File > Online Users.
2. Highlight the user you want to disconnect.
3. Click Kick Selected.
Alternatively you can disconnect a user directly from the Users tab with the Kick User button.
Note: Kicking only ends the current session. Permanent removal of the adopted EDC is the only way to deny a user further access with that device.
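The lockout behaviour described above, as an added example for this guide (not Giritech code): a per-user count of failed logins, the Max login attempts threshold from G/On Builder, de-activation when the threshold is reached, and administrator re-activation with or without resetting the counter. The threshold value, the user name and the assumption that a successful login clears the counter are illustrative.

```python
"""Account lockout and re-activation as the manual describes it.

Added example, not Giritech code.  Assumptions: max_login_attempts=3 for the
demo, and a successful login clears the failed-attempt counter."""
from dataclasses import dataclass


@dataclass
class Account:
    login: str
    active: bool = True       # the "Account active" check box in G/On Admin
    failed_attempts: int = 0  # the "Failed attempts" value on the Users tab


class LockoutPolicy:
    def __init__(self, max_login_attempts: int) -> None:
        if max_login_attempts < 1:
            raise ValueError("Max login attempts must be at least 1")
        self.max_login_attempts = max_login_attempts

    def attempt(self, account: Account, password_ok: bool) -> bool:
        """Apply one login attempt and return whether it is accepted."""
        if not account.active:
            return False  # locked out or disabled: rejected even with a good password
        if password_ok:
            account.failed_attempts = 0  # assumption: a good login clears the counter
            return True
        account.failed_attempts += 1
        if account.failed_attempts >= self.max_login_attempts:
            account.active = False  # locked out; only an administrator can re-activate
        return False

    @staticmethod
    def reactivate(account: Account, reset_counter: bool) -> None:
        """Administrator action: Edit User > check Account Active, optionally reset."""
        account.active = True
        if reset_counter:
            account.failed_attempts = 0


def lockout_demo(reset_counter: bool) -> dict:
    """Lock an account with three bad passwords, re-activate it, and report
    whether a good login is accepted and whether one more bad password
    locks it again.  Shows what step 3 of the procedure decides."""
    policy = LockoutPolicy(max_login_attempts=3)

    acct = Account("jdoe")
    for _ in range(3):
        policy.attempt(acct, password_ok=False)
    locked = not acct.active
    policy.reactivate(acct, reset_counter=reset_counter)
    good_login_accepted = policy.attempt(acct, password_ok=True)

    acct2 = Account("jdoe")  # fresh copy: one more bad password after re-activation
    for _ in range(3):
        policy.attempt(acct2, password_ok=False)
    policy.reactivate(acct2, reset_counter=reset_counter)
    policy.attempt(acct2, password_ok=False)

    return {
        "locked_after_three_failures": locked,
        "good_login_accepted_after_reactivate": good_login_accepted,
        "relocked_by_one_more_failure": not acct2.active,
    }


if __name__ == "__main__":
    print("reset counter:", lockout_demo(reset_counter=True))
    print("keep counter: ", lockout_demo(reset_counter=False))
```

If the administrator re-activates the account but leaves the counter at its maximum, the user has no remaining attempts: the very next mistyped password locks the account again. Reset the counter when re-activating unless a single-strike account is what you intend.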
files to your database. When an XML file is chosen for restoring, the fields in the restore view give information about that particular file: Backup Info (Database version, Backup date) and a list of Tables with row counts, such as adopted_edc_history, adopted_idc, adopted_idc_ruleset, tbl_applications, tbl_application_types and tbl_directory_structure.
5. Click OK to restore the file, after an overwrite warning.

Chapter: Application Connectivity
Examples for creating connectivity to the most common application types are covered in Chapter 6. This chapter is meant to give companies a foundation for understanding the basic structure of application connectivity and to enable them to configure other applications. To implement a connection to an application using G/On you need to understand how the application communicates over a network. We recommend that all administrators of this functionality contact Giritech for details on a coming training course in Advanced Application Connectivity.
With client/server applications working over TCP/IP, the client application typically connects to the server application by connecting to the server's IP address or name on one or more ports.
- G/On addresses all client/server applications that connect to a fixed IP number or DNS name on fixed ports.
- G/On supports TCP and UDP connections.
is not found in Active Directory. Possible values: True, False. Default value is True.
Force update: A last-changed timestamp is saved along with each Active Directory object in the database and is used to check whether an object needs to be updated. This option overrides that check and updates all data. It can be useful if someone accidentally changes data for an AD user in G/On Admin.

[Domain xxx]
DNS name: The DNS domain name, e.g. mydomain.com. This option is mandatory.
Netbios name: Can be specified to override the auto-detected NetBIOS name. Should only be specified if users are having trouble logging in with the auto-detected name.
All options from the [AD] section can also be specified here and will override the settings for this domain only. This could for example be used to specify domain-specific Emcads group names.

Database settings (overriding the ones read from G/On Builder)
Host: The name of the database host computer.
Database: The name of the database to connect to on the host.
Username: Database user name.
Password: Password for the user.
NT Authentication: Whether to use NT Authentication or not.

Other settings
ODBC source: The name of an ODBC data source pointing to the Emcads database. This setting overrides the other connection settings.
Encoding: The encoding of the database.
Transaction size: Can be set if saving to the database
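The override rule stated here and in the Synchronize all domains together section (every [AD] option may be repeated in a [Domain xxx] section and then applies to that domain only; DNS name is mandatory per domain), as an added example for this guide that is not part of AdSync. The ini text, domain names and group names are constructed for illustration; the option names are the ones documented above.

```python
"""Resolve the effective AdSync options per domain from its ini file.

Added example, not AdSync code.  Section and option names follow the manual;
the sample ini below is constructed.  Assumption: Domain local only defaults
to True when not set."""
import configparser
from typing import Dict

# Options documented for the [AD] section, all of which a domain section may override.
AD_OPTIONS = ("emcads group", "domain local only", "force update")

# Constructed sample: global settings plus two domains with partial overrides.
SAMPLE_INI = """
[AD]
Emcads group = G/On access group
Domain local only = False
Force update = False

[Domain corp]
DNS name = mydomain.com
Emcads group = Domain admins

[Domain partner]
DNS name = myotherdomain.com
Domain local only = True
Netbios name = PARTNER
"""


def load_adsync_ini(text: str) -> configparser.ConfigParser:
    # interpolation=None so a '%' in a group name is not treated as a variable.
    # The default optionxform lower-cases keys, which makes "Emcads group" and
    # "emcads group" the same option.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("AD"):
        raise ValueError("AdSync ini needs an [AD] section")
    return cp


def effective_options(cp: configparser.ConfigParser) -> Dict[str, Dict[str, str]]:
    """Map each 'Domain ...' section to the options AdSync would use for it:
    [AD] values first, then the section's own values on top."""
    defaults = {k: cp.get("AD", k) for k in AD_OPTIONS if cp.has_option("AD", k)}
    result: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        if not section.lower().startswith("domain"):
            continue
        if not cp.has_option(section, "dns name"):
            raise ValueError(f"[{section}]: 'DNS name' is mandatory")
        merged = dict(defaults)
        merged.update(dict(cp.items(section)))
        result[section] = merged
    return result


def imports_foreign_members(options: Dict[str, str]) -> bool:
    """True when Emcads-group members living in other domains are imported,
    i.e. Domain local only is False for this domain."""
    value = options.get("domain local only", "True")  # assumed default
    return value.strip().lower() in ("false", "no", "0", "off")


if __name__ == "__main__":
    for section, opts in effective_options(load_adsync_ini(SAMPLE_INI)).items():
        print(section, opts, "foreign members:", imports_foreign_members(opts))
```

Run this against your own ini before a first synchronisation: a domain section that silently inherits Domain local only = False from [AD] will pull in members from every trusted domain, which is easy to miss when the line is only written once at the top of the file.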
left tree will show its properties. A slow double-click on an item (including the root item) lets you rename it; highlighting it and pressing F2 is another way. If you configure more than one menu item to autolaunch, they are executed top-down in the menu tree (left pane). You can delete a menu item by right-clicking on it and choosing Delete.

Menu item properties
Right-clicking on a menu item lets you change its properties. The basic properties are:
1. Autolaunch: If set, the client will load this menu item upon menu load, i.e. right after login.
2. Hidden: Do not display the item to the user. Use it in conjunction with Autolaunch for things like gateways, or if you just want to temporarily disable an item.
3. Can substitute client on low privileges: Normally the Terminal Services client is carried by the user on the G/On USB key. This can give problems on low-privilege workstations, e.g. where the user is only logged on as a guest. This property lets the client use a TS client installed locally on the workstation instead.
4. Force to menu root (shown in the properties dialog alongside Action and Caption).
The G/On menu already has Exit, Show log and About built into the root menu of every user that logs in.
member of the GIRITECH domain. When the user is on a computer from the giritech.com domain, it will be assigned to the Inside zone.
Because we created 2 rules, one for the Desktop client and a second for USB clients, all users on giritech.com domain laptops receive the same menus. Clients with USB keys can also connect from non-Giritech domain computers, but they would be placed into an Outside zone and receive a different menu, as they will not match the Giritech domain (see the example on the Outside zone).

Defining a Trusted Zone
In certain circumstances you may trust the user but not necessarily manage the computer they are connecting from; for example an employee on their home computer, or a trusted vendor from another company. In these cases you would want to create a trusted zone that allows more access than an Outside zone but is more restricted than a corporate managed computer.
Example settings for a Trusted Zone: Rule Number 0, Action on match Trusted zone, Rule Comment "Niels Larsen laptop", and Assign an EDC so that the rule applies to that specific device only. The other rule fields (EDC Serial Number, Client Version, Client Source Network, EDC Manufacturer, Client CRC, Source Netmask bits, EDC Firmware, Operating System, Host Machine Name, EDC Class, OS Major Version, Host Machine Domain, EDC Interface, OS Minor Version, Host Primary MAC Address) are left blank.
of the following:
- One black USB key. This is referred to as the server token and is needed for the G/On server installation, configuration and execution. It must always be present in the G/On server unless the tokenless feature has been enabled; consult your order acknowledgement to verify. The black server key is included with all G/On packages.
- Red USB keys with G/On print. These are the client keys. Note: one of the red keys is specially marked and contains the file EDCSERIALS.DAT. Set this aside now, as you will need to copy this file to the G/On server after you have completed the server installation and before you deploy user keys.
- A CD-ROM containing the G/On product software, electronic documentation and the Desktop client.

Installing the Software
1. Insert the server token in a vacant USB port on the server. When tokenless is enabled, go directly to step 2, have your license number available and follow the on-screen license validation steps.
Note: In Windows Explorer the USB key mounts two drives and assigns drive letters. If the assigned drive letters conflict with existing drive letters (local or network-mapped drives), you can assign other drive letters to the USB partitions by running diskmgmt.msc, right-clicking on the partition in question and choosing Change Drive Letter and Paths.
2. Insert the G/On product CD. If auto-run is enabled on the Windows server
replace the SERVER_NAME and other fields with the information specific to your company, then Save as new.
In the Editing menu action dialog (Title, Application, Parameters; the Application list shows templates such as Outlook Web Access, Intranet single port and Navision single port) delete the existing text from the Raw template and update the information with your company-specific details. The Outlook Web Access example fills in WEB_SERVER (your server), TRAY_HINT (OWA), APPLICATION_NAME (Outlook Web Access), PATH (exchange), LockToProcess (True) and ShowProgress (False). Note: the server name should be the REAL name or IP address of the application server.

To enable an application there are a number of variables you will be required to define. The table below defines the most common Application String parameters you need to know to fully configure your applications in the Application string editor. Columns: Field Name, Description, When to Apply, Can be used with String Types.
- Application exe: Same as Application to Launch. Apply when you want to run an application. String type 9.
- Application Names to Kill on Exit: the applications you want to have shut down when
- Further rows: Application Parameters, Application Title, Application to Launch, Autologin, Communication Type (Com Type), Destination Port, Domain, FullScreen.
server.exe install. This installs the proxy bypass server as a service. The proxy bypass server reads its default setup from the ToH server.ini configuration file; the defaults are the Emcads server on port 3945 and the HTTP proxy bypass server on port 8080, both on the same IP address (see Chapter 13).
2. Start the proxy bypass server from the Windows Services control panel (Start > Control Panel > Administrative Tools > Services; look for Giritech ToH). The proxy bypass server can also be stopped and restarted via this interface. To remove the bypass service, enter C:\Program Files\Emcads\ToH server.exe remove in the Start > Run panel.
3. Open G/On Builder, go to the Clients tab and enable HTTP Proxy bypass. Enter the IP address or DNS name and the port of the server on which the proxy bypass server is running, typically the same server as the G/On server as described under item 1 above, e.g. gon.server.name:8080.
4. Press Save & Activate and answer Yes to the following two questions. A restart of the Emcads service is not required.
5. Distribute the resulting Identity file to all users, as always when making changes to the Clients tab.
6. Restart G/On on the client side.
Users are now able to bypass a local HTTP proxy using the default proxy bypass setup. The G/On client will continue to try to contact the G/On server using the normal IP names and ports and only falls back to the proxy bypass server when that fails. Remember that port 8080 on the G/On server is now a second externally reachable path to the service; include it in your firewall rules and monitoring.
25. servers with many users.
[Screenshot: User Directory tab options: Allow access as default ruleset action instead of deny; Replace @ with dot in logins; Check AD for password expiry, with 7 days in advance to warn user about expiring password; EDC and rule administration access with Admin Login and Admin Password; status bar Ready / Service Stopped.]
If you turn this function off, zone validation is also turned off and you will be unable to define zones or access rules for your G/On installation. Check the box to Enable the Ruleset Validation Engine.
Cache Ruleset: checking this option will improve performance on servers with many users and rules. Check this option if your installation contains multiple rules.
Allow access as default ruleset action instead of deny: this option is enabled by default. If the default action is left as deny, you will have to make a rule for each and every EDC that should be allowed to connect. Check the option to allow access unless you wish to create individual rules in the Access Rules Manager for each EDC you deploy.
Replace @ with dot in logins: this option allows a UPN suffix in logins and should be selected only by companies that use the @ in the login name. If your users use the @ symbol in their username you should select this option; otherwise leave this blank.
Check AD for password expiration: this option will verify with your Microsoft AD t
26. take a copy of the Public and Private Key Pair and store them in a safe location using Notepad or a similar text tool. As the license is linked to the physical server PC and not to the G/On USB Server Token, the file called "license" must be deleted from the server directory (default C:\Program Files\Emcads) on the new server PC after copying the folder to the new server PC. Start G/On Builder and use it to reconfigure the G/On License to the same License Configuration as on the previous server PC. Reuse the same Public and Private Key Pair from the old server. Once you have configured G/On Builder, do a Renew License. You will have to enter your G/On USB Server Token Number (your License Number), which is printed on your G/On package and on the G/On shipping documents. Save & Activate the license and start the G/On Service via the Emcads Service pull-down menu in G/On Builder.
To run multiple G/On servers simultaneously using the same license, in order to support failover, standby or different backup policies, the following process must be followed carefully. To enable multiple simultaneous servers you need to have the following ready before you begin:
1. Your G/On License must be configured for Tokenless. As this is optional, make sure the Tokenless feature was acquired for your license. Your G/On License must be configured for at least the number of servers you intend to run, as a G/On License comes by default with one server
27. the application parameters, as seen in the example, will direct the Navision client to connect to a server that listens on 127.0.0.2:2407.
[Screenshot: Application String Editor / Application creation wizard. Select application type: Terminal Services, Citrix, GUpdate, Change password, Application Connectivity. Select Application Connectivity application: Launch Application Connectivity Navision, Outlook or Browser. Application types and numbers: Terminal Service Legacy (4), Desktop Legacy (5), Application Connector Single Port (8), Application Connector Gateway (10), Application Launcher (9). String parts for the Navision example (TClient Singleport): Server name/IP SERVER_NAME (mustedit, noblank); Destination port 2407; Listen port (client) 2407; Com type tcp; Tray hint NAVISION; Application title NAVISION; Application names to kill on exit (separate with ,); Application to launch C:\Program Files\Microsoft Business Solutions\Navi...; Application parameters Servername=127.0.0.2, Company=Company_nam...; Lock to process and Show progress each with the options As option, Force to True, Force to False.]
Default Application String Parameters: the table below contains a list of Defa
28. the five tabs of the G/On Server Configuration tool, select the Save and Activate button in the bottom right corner.
7. Respond Yes to the dialogue boxes ("Do you want to save your configuration?" and "Do you want to copy your Identity File to the folder for the ISO partition?"). Note: every time you save your configuration you will be met by a confirmation window like the one above. If you choose Yes, the identity file will be copied to the Clients directory as well as to the G/On Desktop directory. The configuration settings you have made are now in force. The last thing you need to do is start the server.
8. Go to EMCADS Service and select START. Check the bottom of the G/On Builder window for "Service Running".
After upgrading your G/On server you will need to update your users' clients. This process is controlled by the G/Update tool. You have two primary choices when upgrading your clients:
1. Send an email and request that they run G/Update from their client. For more information on manually updating clients see Chapter 10.
2. Automate your client update with Zone Rules. For more information on automating your client update see Chapter 5.
When migrating from the native EDMS to the MS SQL database we recommend that you follow these steps in order:
1. Follow the upgrade instructions to upgrade your system normally
29. to connect can be used with either G/On USB Keys or G/On Desktop Clients. In this scenario the user will try to use the key to connect, but they will receive a message that their attempt has been denied and logged. Once this has occurred you should ask:
1. The users to contact the G/On Administrator and let them know they have tried to connect.
2. The Administrator can use the Access Rules Manager by right-clicking anywhere on the EDC Rules Admin window and selecting Adopt EDC, or use the G/On Admin tool by selecting File > Adopt Unknown EDC.
3. The Administrator can then choose to just adopt the EDC, or they can further decide to adopt and assign (or lock) it to the user.
Auto-Adopting Clients: if you have selected either of the auto-adopt features in G/On Builder > Advanced Server Settings, then anyone with your identity file will be automatically connected to your system.
[Screenshot: Advanced Server Settings. Listen Port (Note: this field does not have to be configured but overrides the port defined during installation if it is); Conn multiplier; EDC Auto adoption: EDCs must be adopted to access system, Auto adopt unknown USB Keys, Auto adopt unknown Desktop Clients (Note: Auto adopt only ... the setting is ignored).]
Note: we do not recommend that you use the Auto adoption feature with [...] USB Keys. We also advise using extreme caution when applying it to desktop clients. To manage Auto Adopted Clients the Administrator should ro
30. updated. The last step before recording the data onto the ISO partition is to offer a safety backup of all the data on the removable partition. This is done because any data in the read/write partition will in most cases be deleted as the G/On USB Key is re-partitioned to accommodate the new ISO image. Typically the user will answer Yes to this question.
The easiest choice for users is to automate the update procedure. You can choose to automate the update procedure by:
1. Creating an update zone.
2. Creating a G/Update Application String (Simple Template).
3. Creating 2 G/Update Menu Action Items from the Simple G/Update Template: a. one for forced update of the CD partition; b. one for manual update of the RW partition.
4. Creating 2 Update Menu Items: a. one for the update of the CD partition, with properties set to hidden & auto-launch; b. one for manual update of the RW partition that is on the user's menu.
5. Assigning the Menu Item to the User Group(s).
6. Assigning the User Group to the Zone.
Note: automation will only update the Read Only (CD) partition of the USB Key. To update the Read/Write partition you will have to ask the users to manually select the Update RW Menu Action described below.
Upgrade Warning: it is important to instruct users to update the RW partition of their G/On client after you have upgraded from a version older than 3.3. This is to capture the changes to the new RDP 6.0 that is included from rel
31. user future access to the G/On system. If you don't remove the user's EDC from the adopted EDC list before disconnecting them from the system, the user can still re-connect.
One of the key elements protecting your system from unauthorized access via G/On is User Adoption. While Zones and Group Rules/Menus can determine what is seen, the adoption process ensures that only the users you know and have authorized can attempt to access your G/On installation. Now that you have completed your G/On Admin configuration it is time to decide which method to use to adopt your users. In this section you will learn about adoption, the elements of identification with the EMCADS Data Carrier (EDC), and the importance of your G/On Identity file. You will be using 3 primary interfaces in G/On Admin and the Access Rules Manager to:
- Import EDCs
- Adopt Users and Clients
- Manage Adopted Users and EDCs
Users can be adopted in three ways: 1. Adopt from File; 2. Adopt by Request; 3. Auto Adoption.
Note: one of the RED keys is specially marked and contains the file EDCSERIALS.DAT. This will be copied to the G/On Server after you have completed the server installation, before you deploy user keys. In the adoption process you are adopting the EMCADS Data Carrier (EDC) serial number. The EDC serial number is contained within the G/On Client Identity Facility (CIF). The EDC serial number is either the unique serial numbe
32. version upgrades. Older versions of G/On (3.3.1 and older) will continue to communicate with the license server on port 3945/tcp. The only exception is version 3.3.1, which will fall back to port 80/tcp in case port 3945/tcp fails.
G/On currently supports a Stateless failover method. In terms of hardware you will need to install a second G/On server. You need to request a second black server key from your Partner/Giritech. Note that if the tokenless option has been enabled you will not need to have the token active on the server.
Database Choice: when implementing stateless failover please use the MS SQL Database option. This database will be less resource intensive to administrate, as you can use one database for both G/On servers and you only have to maintain one database backup routine.
In order to configure your environment for Failover please go to page 35 and follow the directions on setting up multiple G/On servers. Furthermore you have the following options available:
Failover using 2 External IP Addresses: 1. Request 2 unique External IP Addresses. 2. When configuring your initial G/On Server, enter
FAILOVER CONFIGURATION CHECKLIST
- Install the second G/On Server
- Check that the signed key pairs are identical (copy & paste)
- Check that your IP addresses are correctly input into Builder
- Verify that the listening port is correct in the Advanced settings of G/O
33. your main application closes. (The Application.exe row applies when you want to run an application without setting up a port, for example notepad.exe.) When to apply: when your main application launches secondary applications you want closed with the main application; for example, Citrix often launches secondary applications. String types: 8 and 10.
Application Parameters: The parameters you want to launch your application with. When to apply: if launching notepad, this could be Readme.txt. String types: 8, 9 & 10.
Application Title: This is the name you want to have your application identified by. When to apply: typically the common name, such as Outlook, Navision etc. String types: 8 & 10.
Application to Launch: Same as Application.exe, for example notepad.exe. When to apply: when you want to run an application. String types: 8 & 10.
Autologin: Turns on Single Sign On (SSO). When to apply: can be used with Citrix and Terminal Services. String types: 4 and 5.
Communication Type (Com Type): Specify if the application uses UDP or TCP. When to apply: consult your Application Guide to determine what type of communication is used. String types: 8 & 10.
Destination Port: This is the port that the Application Server listens on and the G/On server connects to. When to apply: when your application server is listening on a port. String type: 8.
Domain: Authentication Domain; used to define what Authentication Domain should be used for Single Sign On. String types: 4 & 5.
FullScreen: Forces the client to open as a full screen. When to apply: can be used with Terminal Services and Citrix. String types: 4 and 5.
The table continues with the fields Listen Port, Lock to Process, Map Drives, Map Printer, Ports to Forward, Path, Remote Application, Server Name/IP Address, Tray Hint and Window Resolutio
34. zone and be denied access.
Setting up Zones
[Screenshot: Windows Start menu with the Giritech program group: G AccessRules Manager, G/On Admin, G/On Builder, Samples, Documentation; and the Admin Login dialog with Username and Password.]
1. Start the G/On AccessRules Manager (CXrulesAdmin.exe).
2. Log on with the same username and password that you defined in G/On Builder. Note: to use the validation rule zones and features in the AccessRules Manager you must have checked the Enable Ruleset Validation Engine feature on the G/On Builder User Directory tab. After you enter your password you will be presented with the CX EDC Admin window.
3. Right-click on the CX EDC Admin window and select one of the following options.
[Screenshot: CX EDC Admin window. Columns: Rule, Action on match, EDC SerialNumber, EDC Manufacturer, EDC Firmware, EDC Class, EDC Interface, EDC Media class, Volume Serial, Volume Label, Source Network, Host MAC, Client Version. Rows: 1 Update zone (Client Version <3.3.2); 2 Outside zone (USB, Fixed); 3 Inside zone (Fixed); 4 Unknown zone; 5 Deny; each with Source Network 000.000.000.000/32 and Host MAC 00:00:00:00:00:00.]
35. [Continuation of the CX EDC Admin screenshot: rule 5 Deny with Source Network 000.000.000.000/32 and Host MAC 00:00:00:00:00:00. Context menu: Add Rule, Add Rule Below, Edit Rule, Remove Rule, Manage zones, Move Rule up, Move Rule down, Adopt EDC, Show EDC List, Show EDC Access, About.]
The available options are:
- Manage Zones
- Add a Zone Rule
- Edit, Move or Remove Rules
- Adopt EDCs
- Show Adopted EDCs
- View EDC Access
There are some standard rules included in the basic G/On installation, but you should use this if you want to add a new Zone or edit an existing Zone name. Follow the directions in "Defining your own zones" to fill out the Add/Edit Rule window.
1. To create a Rule, right-click in the CX EDC Admin window and select Add Rule.
2. Consult the examples below to complete your Zone configuration.
3. When finished, click Create Rule.
[Screenshot: Add/Edit Rule window. Rule Details: Rule Number, Action on match (New Rule), Rule Comment. EDC: Serial Number, Manufacturer, Firmware, Class, Interface, Media Class, Volume Serial Number, Volume Label. Client: Client Version, Client Source Network (000.000.000.000), Client CRC, Source Netmask bits (32). Host: Operating System, OS Major Version, OS Minor Version, Host Machine Name, Host Machine Domain, Host Primary MAC Addr (00:00:00:00:00:00), Host Class Device. Buttons: Create Rule, Cancel.]
Note: all the fields in the Add/Edit Rule window are designed to be exact matches, with the exception of the f
36. 0 must be open for acquiring the license.
G/On Builder Changes during Upgrade
Changes to G/On Builder can seriously affect your entire installation. We recommend that you follow the guidelines carefully.
1. Backup and Copy: if you skipped the section on Getting Started at the beginning of this chapter, we recommend that you copy your Signing Keypair at this time.
2. Go to the Server Tab.
3. Activate your License.
4. Next go to the User Directory tab and press the Update Database button to update your existing database. DO NOT CHANGE YOUR DATABASE TYPE AT THIS TIME. If you wish to change the type of database you are using, please consult the section on Migrating to MS SQL database at the end of this chapter.
[Screenshot: G/On Builder, Server tab, with menus File, Settings, Emcads Service, Help. Signing Keypair: Private Signing Key, Public Signing Key, Generate. Logfile location: Logfile folder %INSTALLDIR%, Locate folder. License: Max EDCs n/a, Activate License, Concurrent users n/a, Expires n/a. Turned on features: MultiIP, MultiPort, AutoAdopt, ExtDB, MultiDom, Tokenless. Status: Service Stopped.]
5. Select OK in the pop-up windows to confirm that the test of the database connection completed successfully.
6. Once you have filled in
37. Add Group, Clone Group, Delete Group.
User administration for all G/On users is centralized on the User Tab within G/On Admin. Adding users has dependencies on whether or not syncing with AD is enabled. It is possible to have both AD-synchronized users and manually added users within G/On, but special settings must be observed. Once users have been added there are several routine management features included in the tool to:
- Add, Edit and Delete Users
- Search for Users
- Check and/or Change Users' Menus and Group Associations
- Disconnect Users
- View Online Users
[Screenshot: G/On Admin Users tab. Menus File, View, Help; tabs Applications, Menu actions, Menus, Groups, Users. Search by Login name or User id; buttons Edit user, Add user, Delete user, Kick user. User information: Alternative auth domain, Account, Account is, Expires, Last login, Active groups (Never), Failed attempts (0), User menu preview, Current status (Offline), Use zone filtering on menu, Limit user menu preview to the following zones, Extended information.]
Getting Started: in G/On you administrate users from the G/On Admin > Users Tab. Adding Users
38. Available hard disk space: 40 MB.
Client Software: your G/On Clients can use one of the following (only 32-bit versions).
G/On USB:
- Microsoft Windows Vista and Vista SP1
- Microsoft Windows XP SP2 (incl. Hotfix KB884020)
- Microsoft Windows XP SP3
- Limited support for Windows 2000 Professional SP4; please contact Giritech support for details
G/On Desktop:
- Microsoft Windows Vista and Vista SP1
- Microsoft Windows XP SP2 (incl. Hotfix KB884020)
- Microsoft Windows XP SP3
- Limited support for Windows 2000 Professional SP4; please contact Giritech support for details
Using External DNS Names: to enable external remote access you may want to define a DNS record, for example gon.company.com, that you can map to the firewall's external IP address assigned to the G/On Server. We recommend that you use host names instead of IP addresses. In the long run this puts fewer requirements on you to reconfigure and redeploy your users' clients if you change the external IP address of the G/On Server.
When to use Split DNS: some third-party products may require Split DNS service, like Citrix PN, Microsoft Outlook and Microsoft CRM. For more information on when and how to use split DNS, consult the Giritech Services Portal (GSP).
If you have an anti-virus application on your server, we recommend you exempt the temp directory from background scanning. The reason for this is that the EDMS (EMCADS Data Management Syste
39. SCHTASKS /Run, SCHTASKS /End, SCHTASKS /Query, SCHTASKS /Change.
AdSync is the advanced Active Directory synchronization tool designed to support larger G/On installations with complex AD configurations. By default AdSync only supports MS SQL based G/On installations. Note: if you want to use the built-in EDMS database or MySQL you need to manually set up an ODBC connection to the G/On database and enter the name of this and other information in a separate configuration file. Note that this also means that AdSync does not work on encrypted databases. Therefore, in order to use AdSync, make sure that the Encrypt data checkbox in the User Directory tab in G/On Builder is not checked.
Setup AdSync: this section describes how to configure AdSync.
Configuration file: a configuration file containing the configuration details should be created and put in the same folder as the AdSync program. By default the configuration file is assumed to have the name AdSync.ini. If you wish to use another name you should use the inifile option, specifying the file name (e.g. AdSync.exe with the inifile option and myfile.txt). A configuration file based on the data entered in G/On Builder can be created by using the dumpinifile option (e.g. AdSync.exe with the dumpinifile option and myfile.ini). Note however that database information is not dumped. In the following we will describe how to set up the configuration manually. First some typical scenarios are described. Af
40. Click Install to start the installation.
[Screenshot: Setup, Destination Folder C:\Program Files\Emcads, Browse; Space required 89.2MB; Space available 2.666.]
5. Press the INSTALL G/On Server button.
6. Make sure the black Server Token is inserted in a USB port and click OK, or, in the case of a tokenless installation, follow the on-screen licensing directions.
[Screenshot: G/On v3.4.0 Setup: "You are now about to install G/On".]
7. At this time you should verify that the Server Token you received with your installation package is inserted in the USB interface on the server you are installing.
[Dialogs: "No configuration found, do you want to create a new configuration profile?" and "The signing certificate appears to be invalid, do you want to generate a new certificate now?"]
The G/On Server is now installed. You may now proceed to the Builder Tool to configure your G/On Server settings and activate your license.
G/On Builder
G/On Builder is the tool you will be using to:
- Configure your Server
- Activate your License
- Create your Database
- Configure your G/On security
[Screenshot: G/On Builder Settings, with menus File, Settings, Emcads Service, Help, and the Signing Keypair section with the Private Signing Key.]
The primary interface consists of 4 drop-down menus and 5 tabs.
41. [Screenshot: Add/Edit Rule window filled in. EDC: Serial Number, Manufacturer HAGIWARA, Firmware, Class, Interface, Media Class CDROM Device, Volume Serial Number, Volume Label. Client: Client Version, Client Source Network 000.000.000.000, Client CRC, Source Netmask bits. Host: Operating System, OS Major Version, OS Minor Version, Host Class, Host Machine Name, Host Machine Domain DOMAIN.COM, Host Primary MAC Addr 00:00:00:00:00:00. Buttons: Cancel, Create Rule.] you would like to make available to users on XP without administrative rights.
G/On allows you to control what level of client access should be allowed based on your level of trust for the client and its location. Zone Rules reflect this level of trust versus the access each user receives. In this section you will learn how to define zones and create rules for what users can access, based on your level of trust for the user, his location and the computer being used. When a client connects to a G/On server, information about the PC's hardware, software and the connection itself is collected and sent to the server. Matches on certain details of this information can be used to flag the connection with a name. This name is a Zone. Menus can be associated with users and groups with the condition that the connection belongs to a certain Zone. This way it is possible to conditionally associate applications to users based on geography, doma
42. [Screenshot: Windows Explorer view of the Emcads folder. Folders: 3rdParty, Clients, GOnDesktop, RWData, Samples, temp. Files: adSync.exe, CXRulesAdmin.exe, Emcads.log, eprofile, GonAdmin.exe, GonBuilder.exe, identity, library.zip, license, pythoncom25.dll, pywintypes25.dll, ToH server.exe, ToH server.ini, UninstallEmcads.exe, usagestats.dat, USync.exe, USync.log.]
The G/On USB Key has been initialized before shipping from Giritech. The G/On USB Key contains G/Update, which is necessary for deploying the key with the proper software from the central G/On Server. Note: to run G/Update, the G/On Client EDC must either be already adopted on the G/On Server or the Auto Adopt feature must be turned on. Consult Chapter 8 on Adoption for more information.
- Copy your Identity file from C:\Program Files\Emcads\Clients to the USB Key.
- Distribute the keys to the users.
- Instruct the users to insert the key and follow the instructions.
Depending on which adoption process you have employed, you may be required to adopt or manage the USB Keys after the user attempts to connect but before G/Update can complete the deployment of t
43. Explorer on the client PC. If left like this it will invoke Internet Explorer whether it is the default browser or not.
Path to the logged-in user's My Pictures directory.
Path to the logged-in user's My Documents directory.
The user's password as typed in the G/On login window.
USER_x: where x is the name of a user account key. To user objects you can add values to keys like Mobile_Phone, Title or company. The values of these keys can be passed to the application you are configuring. Refer to Users later in this chapter. Example: User_Full_Name.
USER_auth_Domain: when syncing users from multiple domains in AD, this parameter holds the name of the domain the user is in.
WINSYSDIR: path to the Windows system directory, typically C:\Windows\System32.
Registry_Key (or Registry_Key with any value): gets its value from the Windows Registry key value of its name. If trailed with a backslash it takes the default value. Examples: HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command gives the value of the key "command" in HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open; HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command\ gives the default value in HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command. Useful, for example, for launching a registered Windows application on any language version of Windows.
MYMUSIC
Any parameter name that h
44. GIRITECH A/S
G/On Installation Guide & Admin Manual
Giritech A/S 2007. Herstedøstervej 27-29, C2, 2620 Albertslund, Denmark. Phone +45 70 277 262.
Legal Notice: Giritech reserves the right to change the information contained in this document without prior notice. Giritech, EMCADS and G/On are trademarks and registered trademarks of Giritech A/S. Giritech A/S is a privately held company registered in Denmark. Giritech's core intellectual property currently includes the patented systems and methods known as EMCADS. Other product names and brands used herein are the sole property of their owners. Unauthorized copying, editing and distribution of this document is prohibited. Giritech A/S 2008.
Contents
INTRODUCTION
Introduction 5
Who is this Guide For 5
How the Manual is Organized 5
Support 5
Understanding G/On 6
[two entries unreadable] 6, 7
Overview of G/On Configuration & Deployment 8
Configuration & Requirements for Your Environment 9
G/On Server Requirements
45. N ADDR 127.0.0.5:3946, PROXY ADDR 1.2.3.4:3128, HTTP ADDR 5.6.7.8:8080. Note: for testing, the ToH client can be started manually in a DOS window on the client machine. In production settings the ToH client will be launched by Eclient.
3. The bypass server (ToH server.exe) must be running on an accessible server, configured to: a. listen for HTTP requests with the following command line parameters: http host 5.6.7.8, http port 8080 (default is 0.0.0.0:8080); b. forward connections to the EMCADS server with the following command line parameters: target host 9.10.11.12, target port 3945 (default is 127.0.0.1:3945). That can be configured with the following ToH server.ini: [server] HTTP ADDR 5.6.7.8:8080, TARGET ADDR 9.10.11.12:3945.
Note: for testing, the bypass server can be started manually in a DOS window on the server machine. In production settings it should be launched and running as a service on the bypass server.
Note: logging and logging levels (higher means more information) can be enabled on both server and client side by enabling the LOG FILENAME and LOG LEVEL parameters in the .ini files. A comment character in front of an item means that the item has been disabled (commented out) in the .ini file.
The G/On HTTP Proxy bypass tool has been designed to work with HTTP 1.0 and 1.1 and to comply with RFC 1945, 2068 and 2616. The tool has been tested with:
- Squid (http://www.squid-cache.org)
46. On, you need to understand how the application communicates over the network. Typically a client connects to a server using specific ports and protocols. To find out how an application communicates, refer to the application documentation, the proxy or firewall configuration, netstat.exe, or a network communication program like CommView (http://www.tamos.com/products/commview), which can be used to analyze the communication between the client and the server.
Application Guidance: some applications do not natively run on fixed ports (EMAP, Ephemeral Port Mapping) but can be modified to do so. Some client applications consist of only one executable file; an example is GGW.exe. To start an application from a G/On menu, the full path to the local executable needs to be included in the application string, i.e. C:\Program Files\Microsoft Office\Office11\Outlook.exe. Understanding what ports the application uses to communicate with its server will make connecting with the G/On Client a straightforward process. Note: the firewall section of the GGW Administrator's guide provides the information on the port the GGW uses to communicate over the network.
Applications Running Multiple Executables: other client applications are suites of executables with accompanying DLL and OCX files, and it may be difficult to identify the executable that actually makes the outgoing connection from the client PC. You can set up a G/On gateway that
47. The following is only relevant when upgrading from a pre-3.3 G/On installation. As of version 3.3 and onwards (hence also for version 3.4) you need to review all Zone Rules that apply to USB Keys. Version 3.3 and onwards includes new features for the G/On Client Carrier (the EDC). The new EDC recognition will require you to take action to create a new zone rule.
Background: we have prepared G/On for a new G/On USB architecture that will allow us to support much larger USB keys. As part of this process, G/On 3.3 and onwards detects an increased level of detail from the G/On Keys.
Benefit: the new USB detection routine now reports more details in the EDC Media Class field and hence helps increase the overall security of the solution.
When upgrading from pre-3.3.1, existing zone rules will be converted to comply with the new USB reporting as follows: if the EDC Manufacturer is HAGIWARA, then EDC Media Class will be changed to USBG.
In this example (see figure) we have an Inside Rule for USB Keys. It states that our Hagiwara Keys registering USBG, logging in from our domain PCs (DOMAIN.COM, for example GIRITECH.COM), will be assigned to the Inside Zone.
[Screenshot: Add/Edit Rule window. Rule Details: Rule Number 43, Rule Comment, Action on match "Inside USB zone". EDC: Serial Number, Manufacturer, Firmware, Class, Int
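The zone mechanism described on this page (connection details matched against a numbered rule table, exact matches on most fields, a rule such as Client Version <3.3.2 for the Update zone, the Hagiwara/USBG/DOMAIN.COM Inside rule, and deny as the default ruleset action) as an added Python model. This is illustrative code, not Giritech's rule engine; first-match ordering, the wildcard values and the version-bound syntax are assumptions, and the rules and connection facts are constructed.

```python
"""Ordered zone-rule evaluation, modelled on the CX EDC Admin rule table.

Added illustration, not Giritech's engine. Assumptions that the page does
not state: rules are tried in rule-number order and the first match wins;
every field is an exact match except Source Network (CIDR match against the
client address using Source Netmask bits) and Client Version (which accepts a
bound such as '<3.3.2', as in the page's Update zone rule); an empty field,
000.000.000.000 or 00:00:00:00:00:00 is a wildcard; a connection that no rule
matches receives the ruleset's default action (deny unless 'Allow access as
default ruleset action instead of deny' is enabled).
"""
from dataclasses import dataclass, field
import ipaddress
import re

WILDCARDS = {"", None, "000.000.000.000", "0.0.0.0", "00:00:00:00:00:00"}


@dataclass
class Rule:
    number: int
    action: str                         # zone name, or "Deny"
    match: dict = field(default_factory=dict)
    comment: str = ""


def version_tuple(text):
    """'3.3.2' -> (3, 3, 2); tolerates a 'v' prefix or stray spaces."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def client_version_matches(pattern, client_version):
    """Pattern is an exact version or a bound such as '<3.3.2' or '>=3.4'."""
    m = re.fullmatch(r"\s*(<=|>=|<|>|=)?\s*([\d.]+)\s*", pattern)
    if not m or not client_version:
        return False
    op = m.group(1) or "="
    want, have = version_tuple(m.group(2)), version_tuple(client_version)
    return {"<": have < want, "<=": have <= want, "=": have == want,
            ">": have > want, ">=": have >= want}[op]


def source_network_matches(network, netmask_bits, client_ip):
    """CIDR prefix match; a malformed address on either side never matches."""
    try:
        net = ipaddress.ip_network(f"{network}/{int(netmask_bits)}", strict=False)
        return ipaddress.ip_address(client_ip) in net
    except ValueError:
        return False


def rule_matches(rule, conn):
    """True when every non-wildcard field of the rule matches the connection facts."""
    for key, pattern in rule.match.items():
        if key == "Source Netmask bits" or pattern in WILDCARDS:
            continue
        value = conn.get(key, "")
        if key == "Client Version":
            ok = client_version_matches(pattern, value)
        elif key == "Source Network":
            bits = rule.match.get("Source Netmask bits", 32)
            ok = source_network_matches(pattern, bits, value)
        else:
            ok = value == pattern       # exact match, as the Add/Edit Rule window requires
        if not ok:
            return False
    return True


def evaluate(rules, conn, allow_by_default=False):
    """Return (action, rule number) of the first matching rule, else the default action."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, conn):
            return rule.action, rule.number
    return ("Allow" if allow_by_default else "Deny"), None


# Constructed ruleset following the rows visible in the CX EDC Admin window and
# the Inside USB zone example rule; all field values are illustrative.
RULES = [
    Rule(1, "Update zone", {"Client Version": "<3.3.2"}, "clients older than 3.3.2"),
    Rule(2, "Inside USB zone", {"EDC Manufacturer": "HAGIWARA", "EDC Media Class": "USBG",
                                "Host Machine Domain": "DOMAIN.COM"}),
    Rule(3, "Inside zone", {"EDC Class": "Fixed", "Source Network": "10.0.0.0",
                            "Source Netmask bits": 8}),
    Rule(4, "Outside zone", {"EDC Class": "USB", "Host Primary MAC Addr": "00:00:00:00:00:00"}),
]

# Constructed connection facts of the kind the client reports when it connects.
OLD_KEY = {"Client Version": "3.2.0", "EDC Class": "USB", "Source Network": "192.0.2.10"}
DOMAIN_KEY = {"Client Version": "3.4.0", "EDC Class": "USB", "EDC Manufacturer": "HAGIWARA",
              "EDC Media Class": "USBG", "Host Machine Domain": "DOMAIN.COM"}
LAN_DESKTOP = {"Client Version": "3.4.0", "EDC Class": "Fixed", "Source Network": "10.20.30.40"}
HOME_DESKTOP = {"Client Version": "3.4.0", "EDC Class": "Fixed", "Source Network": "192.0.2.10"}

if __name__ == "__main__":
    for name, conn in [("old key", OLD_KEY), ("domain key", DOMAIN_KEY),
                       ("LAN desktop", LAN_DESKTOP), ("home desktop", HOME_DESKTOP)]:
        print(f"{name:12} -> {evaluate(RULES, conn)}")
    # The home desktop matches no rule, so only the default action lets it in.
    print("home desktop, allow-by-default ->", evaluate(RULES, HOME_DESKTOP, True))
```

The last case is the point of the page's warning about the default action: a client that no rule describes is rejected only while the ruleset default stays at deny.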
48. Step 2: Use the Application Creator on the Applications Tab to create the application strings.
Step 3: Edit the Application String Template.
Step 4: Apply the settings to make your applications work in your environment.
The basic overview of Steps 2 through 4 is included in the section below; more specific examples are included in the Application Connectivity Walk-Through section later in this chapter.
Step 2: Using the Application Creator. To define your Application Strings, use the Application Creator to create your Application String Template.
1. Log onto G/On Admin as an Administrator.
2. Go to the G/On Admin > Applications Tab.
3. Click the Application Creator button in the lower right corner of the window. Select the type of application you want to create, then Next or Done. Go to Step 3 to view the Application Template you have created.
[Screenshot: G/On Admin, Applications tab, with menus File, View, Help and tabs Applications, Menu actions, Menus, Groups, Users. Application list (name / application string): AC Intranet (Single Port Application), AC Navision (Single Port Application), AC Navision 1 (Single Port Application), AC Outlook (Multi Port Application), AC Outlook 1 (Multi Port Application), Change password (Change Password), Change password 1 (Change Password), Citrix Application, Citrix Desktop Legacy ICA, Citrix Desktop Legacy ICA 1, Citrix Gateway, Citrix PN (Application Launcher), GUpdate Helpful (Application Launcher), GUpdate Power (Application Launcher), GUpdate Simple App...]
al authentication, ensuring the server and client are configured for each other. The client responds to the challenge with the Client Identity Facility (CIF). If the client is unable to present the correct response, the TCP connection is terminated immediately. This is also the response to a connection attempt from anything that isn't a proper client, i.e. telnet to port 3945/tcp on the G/On server.

Advanced Server Settings

Network, Listen Port: In the Advanced Server Settings the listen port for EDCs is 3945. Note: This field does not have to be configured, but if it is, it overrides the port defined during installation.

EDC Auto adoption: The checkbox "EDCs must be adopted to access system" must be selected in order to utilize the adoption features in G/On. Note: The Auto adopt settings only apply when this checkbox is selected; otherwise the setting is ignored.

If you selected the Auto Adopt unknown feature for either USB keys or Desktop clients, you do not have to manually adopt or import EDCs from the file. The Auto Adopt feature means that any EDCs that have your company's identity file will be able to access your system. They will automatically match into the zones you have defined and no further action is necessary. If you chose the Auto Adopt feature you can still choos

[Figure: Advanced Server Settings dialog. Network: Listen Port 3945. EDC Auto adoption: EDCs must be adopted to access system; Auto adopt unknown USB Keys; Auto adopt unknown Desktop Clients]
G Update switches (continued):

- all: Use to deploy or re-deploy a user with the minimum of user intervention. This option will download all files currently in the root of the Clients folder (same as getall) and ignore the current content (same as ignorecrc/noimport), record the image and run one more time to update the removable drive partition on the G/On USB key (same as updaterw). NOTE: It is NOT possible for the user to abort the application before both the ISO and the removable drive partition are updated. The only emergency last-resort options are to either kill the G Update process in Windows Task Manager or physically remove the G/On USB key before G Update starts recording to the read-only partition.
- noimport, updaterw, updateonly: see the compatibility notes below.
- nodialog: This switch will suppress status dialogs except error messages.
- launchgon: This switch will launch the G/On client when G Update exits.
- yestoall: This switch will cause G Update to automatically respond Yes to all following popup windows.

Compatibility notes: Can be used with all the other switches except nukethekey. Not compatible with other switches. Only available for USB key. nukethekey is not available on G/On Desktop clients. Can be used with all other switches. Can be used with all other switches except nukethekey.

Chapter: Backup and Restore

Backup is a key feature of any software installation. For G/On there are two groups of critical settings that you should ba
ange password. Cancel.

3. You can choose from any of the string types; we have illustrated the G Update Simple in this exercise.

[Figure: Application creation wizard, Select G Update string type: G Update Simple, G Update Power, G Update Helpful; Done, Cancel]

4. Go to the Menu Actions tab and select > Create New Action.
5. Select the GUpdate Simple template.
6. Name the title of the menu action "Update G On CD Partition".
7. Fill in the parameters getall yestoall nodialog autoclose launchgon and press Save.

[Figure: Editing menu action. Title: Update G On CD Partition. Application: GUpdate Simple (Application Launcher). Parameters: getall yestoall nodialog autoclose launchgon. Save, Save as new, Reset, Cancel]

8. Go to the G/On Admin > Menus tab > select Add Menu > enter the name "G On Update CD Menu" and assign the "Update G On CD Partition" menu action to this by double-clicking on it.

9. Right-click the "Update G On CD Menu" and select Properties. Check the Autolaunch, Hidden and Force to menu root buttons > Save.

[Figure: Menu item properties. Action: GUpdate Simple. Caption: GUpdate Simple. Autola...]
apter on AD Sync, page 29. For synchronization with the AD, the G/On server must be a full member of the domain. If you plan to import users from AD and/or authenticate users against AD, the server needs to be a member of the AD domain the users are in.

Note: If you choose to use Microsoft Active Directory you must have the rights to:
1. Assign internal DNS names to IP addresses.
2. Create global security groups and assign user group memberships in the AD.

G/On currently has two client versions to choose from:
- G/On USB
- G/On Desktop

G/On does not technically limit which clients you choose to deploy. You should receive your G/On USB keys in the package together with your software. The desktop clients can be found in the EMCADS\GOnDesktop folder on the G/On server once you have completed your initial installation and configuration.

Client Firewall Requirements
- G/On requires that port 3945/tcp (or other ports as configured in G/On Builder, see later) is open for outbound traffic on all clients.
- Optional: an HTTP proxy traversal tool is available for special configurations where clients need to traverse HTTP proxies from within an internal network to get access to the Internet. More details in Chapter 13.

Client Hardware Requirements
G/On USB:
- USB port version 1.1 or higher.
- Minimum two virtual drive mappings available before any network drive mapping, e.g. drives E: and F:.
G/On Desktop:
as been given no value by the menu action or from the user login, G/On will attempt to get a value from the environment on the client PC. Hence, if an environment value exists on the client PC it can be utilized directly from an application string. Examples: WINDIR, HOMEPATH, APPDATA, TEMP, PROGRAMFILES, COMMONFILES. If the parameter name does not exist as an environment variable it is empty (ignored) when launching the application.

- Path to the logged-in user's My Music directory.
- MYDOCUMENTS: Path to the logged-in user's My Documents directory.
- EDCSERIAL: Returns the unique serial number of the EDC, i.e. either the hard-coded serial number on the USB key or the serial number of the host PC's hard drive. Note that on G/On installations running on VMware machines the EDCSERIAL variable returns the VMware UUID number.

Creating Menus

The basic component of a menu is the Menu Action, so it's important to build a series of application strings and a series of Menu Actions before you can build a menu.

[Figure: G/On Admin, Menus tab. Menu name; Add menu; Menu tree; Menu Actions (double-click or drag and drop to tree); Submenu; actions such as Change Password, Citrix Desktop, Citrix Gateway, Citrix PN]

To create a Menu:
1. Go to
ator Owners, W2K3R2 Schema Admins. Cancel.

Note: To ensure that special groups and personal groups are NOT overwritten, they must have unique names that do not exist in the AD. For example, you have a vendor or supplier that you would like to provide ERP services to. You would create a personal user group for this user in G/On Admin that is, for example, called VendorName. This user is not in the AD, so when the EDMS is synchronized the user will remain intact.

A special note on AD vs. local users and group association: AD users that are added to locally created groups are not affected when re-synchronized with the AD. So even though the AD controls the groups and members from your domain, an AD user can be uniquely added to a locally created group without fear of this association being deleted when running one of the AD synchronization tools. The reverse is however not true: if you add a locally created user to an AD-defined group, the local user's association will be removed the next time you run one of the AD synchronization tools.

Checking that a user gets the right menu

In the lower right corner of the user page you can see a preview of how the user's menu will look when logging in. To select a user:
1. Go to the Users tab > Search User.
2. Select the user from the list in the Search Result window and double-click.
3. The selected user's details will now appear in the Users tab.
... 47
Important Changes to Zone Rules for USB Keys when upgrading from pre-3.3 ... 49
Assigning Zones to Groups ... 50
Manage EDCs ... 51
Getting Started as an Administrator ... 54
Defining Administrator Levels in G/On Admin ... 54
Administrator Access Overview ... 55
Synchronize Active Directory
Overview of G/On Application Connectivity ... 68
Advanced Application Connectivity: What is a String ... 68
Four Step Method for Defining and Configuring Applications ... 69
Defining Application Strings and Menu Actions ... 70
Application Connectivity Settings Overview
... 9
Bandwidth Considerations ... 10
Where to Place your G/On Server ... 10
Firewall Configuration ... 11
Failover Configuration & Setups ... 11
Directory Synchronization ... 12
Client Requirements ... 13
DNS Settings ... 14
Anti-Virus Settings (Server Side) ... 14
Database Setup ... 14
Using Virtual Servers ... 15
G/On Installation & Server Configuration ... 16
G/On Server Settings and License Activation ... 21
Advanced Server Settings ... 23
User Directory and Database Configuration ... 24
Validation Settings ... 26
Client Update Folder Settings
[Table residue: remaining cells of the Application Connectivity Settings Overview, e.g. "When your application wants to contact the server", "Use to enable your users to identify the application", "Use to control the size of the Terminal Server and Citrix windows", "Displays a progress window during operation", and the application types each setting applies to (Type 8; Types 8 & 10; Types 4 & 5; Type 10; Types 4, 5, 8, 9, 10)]

Application Connectivity for Native Clients

In this example we will create a template for Navision, edit it and create a Menu Action to connect to my Navision application server.

5. All application strings are defined on the G/On Admin > Applications tab. Click > Application Creator. Highlight Application Connectivity > Next.
6. Highlight the application you want to create > Done. Go to G/On Admin > Applications tab > highlight the string you just created (in this example Navision) > double-click.
7. Review the settings and check that all information NOT contained within the parameter markers is correct.
- See the Application Connectivity Settings Overview table for a complete explanation of the usage of each parameter. If you wish to review the parameters, click the button at the edge of the field to open the Parameter Viewer.

In this example we verify that the Destination and Listening Port are correct and that the Tray Hint, Application Title and Path to the Application to Launch are correct. In G/On therefore
chronization uses the G/On tools USync or AdSync. Both tools get their primary settings from the AD Sync tab in G/On Builder but also need configuration files to operate correctly.

Warning: USync and AdSync are not compatible and should therefore never be used on the same installation. The following describes how to transition from a USync installation to an AdSync installation. It is important to remain with AdSync after the transition.

USync is the default tool, designed for smaller installations running on the internal EDMS. It is also USync that will be invoked when running Active Directory synchronization from within G/On Admin under the File menu > Sync AD (or Ctrl+S).

AdSync is a new tool released with version 3.4 that is designed to support larger installations running on MS SQL databases and with complex AD setups and many users. This tool has to be operated from the command prompt interface using configuration files, as described below.

Note: If you are not an experienced Windows and AD user, then use the default USync tool. AdSync requires a deeper understanding of running from the command prompt under Windows and a deeper understanding of advanced AD configurations to function correctly.

The end result from running either of the tools is however almost the same:
- All users from a chosen AD security group are imported.
- All security groups of which these users are members are imported along with the membership inf
ckup and store in a safe location. Every company has its own policies for how often it should back up data and on safe storage. In order to ensure that your G/On installation remains secure and safe from server failure, upgrade error or other potential disasters, we recommend that you back up your system before and after any installation and after making any major changes to your applications or user groups.

There are two primary items to back up in your G/On installation:
- Copy your Signing Keypair.
- Back up your Database.

The Signing Keypair is the private and public keys (i.e. passwords) that the G/On server uses to identify its clients and vice versa. Copy both the Private and the Public Signing Keypair and store them in a secure location.

[Figure: G/On Builder, Server tab, Signing Keypair section with Private signing key, Public signing key and Generate button]

Warning, Generating Signing Keypairs: Never use the Generate button on a running system unless you plan to redeploy new USB keys and Desktop clients to all users. Generating a Signing Keypair should only be done on NEW INSTALLATIONS, as all deployed keys will cease to work since they no longer share a secret with the server (the identity file is wrong). To redeploy you need to distribute a n
d zone. To complete this process you should:
- In the Client Version field, enter the version number you want to upgrade all clients to. You can choose to denote it as, for example:
  - All clients less than the version number: <3.3.0.915
  - To downgrade you could use: >3.3.0.915
  - Or anything that is not equal to this version: 3.3.0.915
- Now proceed to the section on Application Strings, Configuring G Update, in Chapter 6.

[Figure: G/On Admin, Groups tab, showing the DEMO domain groups (Domain Computers, Domain Controllers, Domain Guests, Domain Users, EMCADS, Enterprise Admins, Exchange Domain Servers, Group Policy Creator Owners, Local Admin, Lotus Notes users and others), the Default menu list with "Only show the default menu in these zones", and the Members list]
[Figure residue: Add/Edit Rule fields Serial Number, EDC Media Class, Host Class, Device, Volume Serial Number, Volume Label; describe the rule in the Rule Comment field; Cancel]

We can also assign this EDC to the user by assigning an owner or locking the EDC, as defined on page 51, Manage EDCs.

Defining a User or Vendor Zone

It is also possible to create a zone rule for specific users. These rules allow the administrator to provide a unique menu or zone for an individual user or vendor. They are very similar to Trusted Zones; however, to ease administration you should create a different zone name.

Example settings: If you have an external vendor that books meetings for you or does your monthly bookkeeping, you would want to:
- Add a zone with the name of the vendor or user.
- Create a new rule that enables this zone.
- Add the EDC Serial Number from this user.
- If you want to further restrict the location from where they access, you can choose to enter the Host Machine Domain field.
- If the vendor is using a USB key, you may want to use the standard EDC settings used in the previous example.

Defining an Outside Zone

Outside zones should be assigned to computers that are not issued or maintained by you, or otherwise where you cannot be guaranteed control.

[Figure: Add/Edit Rule. Rule Details: Rule Number, Action on match: Outside zone, Rule Comment: USB Key. EDC Serial Number, Client Version ...]
e to the AD.

Assigning Groups to Zones

Once you have defined your groups you will need to assign the default zone available to each group in each defined zone. To complete this process you should:
1. Select the Groups tab in G/On Admin.
2. Select the user group.
3. Verify the available menu items are correct.
4. Highlight the zone or zones where this group should receive these menus.
5. Repeat this process for every zone and group that you have defined.

In this example all Enterprise Administrators that are logging on from a client that matches the Inside zone will receive the menu item Applications.

[Figure: G/On Admin, Groups tab. Display filter: Display all, Personal User Groups, Multi User Groups; group list from the W2K3R2 domain (Enterprise Admins, DnsUpdateProxy, Domain Admins, Domain Computers, Domain Controllers, Domain Guests, Domain Users, EMCADS Update, Exchange groups, G_ON Admins, Group Policy Creator Owners, Schema Admins); Group details; Default menu: Applications; "Only show the default menu in these zones"; Add and remove members]
e above. Generate. The Activate license button.

Logfile location: Logfile folder %INSTALLDIR% (Locate folder).

The feature set can be any combination of the below features:
- MULTISERV: Support for multiple server IP addresses for server failover.
- MULTIIP and MULTIPORT: Multi-port connectivity for increased outgoing connectivity.
- AUTOADOPT: Auto adoption of clients.
- MSSQL: Support for MS SQL.
- MULTIDOM: Support for multiple AD domains.
- TOKENLESS: Support for installations without USB server key, e.g. virtual servers.

[Figure: G/On Builder, Server tab. Public Signing Key; License: Concurrent users n/a, Max EDCs n/a, Expires n/a; Service: Stopped; Signing Keypair section]

Signing Keypair

A Signing Keypair is the private and public keys (i.e. passwords) that the G/On server uses to identify its clients and vice versa.

Warning, Generating Signing Keypairs: Never use the Generate button on a running system unless you plan to redeploy new USB keys and Desktop clients to all users. Generating a Signing Keypair should only be done on NEW INSTALLATIONS, as all deployed keys will cease to work since they no longer share a secret with the server (the identity file is wrong). To redeploy you need to distribute the new identity file.

1. If this is the first time you install G/On, click Generate in the Signing Keypair section.
2. Copy the S
[Figure: Application String Editor. Name: SC Intranet. Type: Terminal Service Legacy. Destination ip: %WEB_SERVER mustedit noblank%; Destination port; Listen port (client); Com type: 20 <> 20 tcp; Tray hint: %TRAY_HINT mustedit%; Application title: %APPLICATION_NAME mustedit%; Application names to kill on exit (separate with ;); Application to launch: %BROWSER%; Application parameters: http://127.0.0.2:%PORT noedit%/%PATH mustedit%; Lock to process and Show progress: As option / Force to True / Force to False; Save, Cancel]

The %BROWSER% parameter is a default parameter that creates a full path to the PC's default web browser, e.g. Firefox or Mozilla. BUT if your corporate policy is to only allow the use of Internet Explorer, you may want to change this value to read %IE noedit%.

To change this parameter from %BROWSER% to Internet Explorer you would:
> Click the sign at the right edge of the field that contains the parameter you wish to edit. This will open the Parameter Editor.

[Figure: Parameter editor. %IE noedit%. Parameter name: IE. Constraints: No Constraints, Must Edit, No blank, No Edit, Force Select Values. OK, Cancel]

> Type in the new parameter name, in this case IE.
> Verify that No Edit is checked > OK.
> Verify that the new setting in the template reads %IE noedit% and
e to manage the EDCs by assigning or locking them.

Warning: Auto adopt features should be used with caution, because improper use of Auto adopt circumvents security best practices: this feature enables anyone that receives your identity file to connect to your company. Adoption of EDCs is one of the security best practices that can be aligned with your security policy. If you need guidance on how to align adoption with your security policy, please contact support@giritech.com.

When you receive your G/On product, one of the red keys has been specially marked. It contains the file EDCSERIALS.DAT. To import your EDCs and adopt them from the file:
1. Go to G/On Admin.
2. Select File > Adopt EDC from file.
3. Browse to the EDCSERIALS.DAT file > OK.
4. You can now proceed to the section on Assigning/Locking EDCs, or proceed directly to Client Deployment.

[Figure: G/On Admin File menu: Administrator mode (F3), Maintain Zones (Ctrl+O), Adopt unknown EDCs (Ctrl+E), Adopt EDC from file (Ctrl+F), Sync AD (Ctrl+S), Backup/Restore (Ctrl+B), Online users, Alternative auth domain, Exit (Alt+F4). Adopt EDC dialog: Date, Show all, Client type: All / USB Key / Desktop, Refresh, Host Domain, Detail info]

Manually Adopting EDCs

You can manually adopt EDCs from either:
- the Access Rules Manager, by right-clicking anywhere
ease 3.3 and onwards, RDP, GRDP or the 3.4 GTSC clients may not launch if the RW partition is not updated.

Automatically Update Clients' CD Partition

1. In the Access Rules Manager you can create a new zone for updates. Note that you will have to stipulate which client version you are upgrading to. In this example we are going to force an upgrade of the CD partition on any client less than 3.3.

[Figure: Add/Edit Rule. Rule Details: Rule Number: New Rule, Rule Comment: G Update, Action on match: Update zone. EDC: EDC Serial Number, EDC Manufacturer, EDC Firmware, EDC Class, EDC Interface, EDC Media Class, Device, Volume Serial Number, Volume Label. Client: Client Version <3.3, Client CRC, Client Source Network 000.000.000.000, Source Netmask bits. EDC Host: Operating System, OS Major Version, OS Minor Version, Host Class, Host Machine Name, Host Machine Domain, Host Primary MAC Addr 00:00:00:00:00:00. Cancel]

2. Next you need to create an application string to update the clients and the applications. In G/On Admin go to the Applications tab and choose the Application Creator button. Next choose the GUpdate button from the Application Creation Wizard.

[Figure: Application creation wizard, Select application type: Terminal Services, Citrix, Application Connectivity, Ch...]
ecided which client distribution method to use, it is time to deploy the clients. In this section we introduce you to the basic concepts of our update and deployment tool, G Update.

Client Deployment
- Choose which client distribution method meets your security guidelines.
- Align the EDC adoption process with your client distribution best practice.
- Verify your installation is configured to use the update and deployment tool.

Note: One of the RED keys is specially marked, containing the file EDCSERIALS.DAT. This will be copied to the G/On server after you have completed the server installation and before you deploy user keys.

There are two things you have to distribute to G/On users:
- Identity file
- USB key and/or the Desktop client

How the identity file is distributed depends on the level of security enforced by your security policy.

USB Key and Identity File

For maximum security, administrators should copy the identity file directly from the G/On server to the G/On USB key before hand-to-hand distribution of the G/On USB key to the user. Another approach would be to place the identity file on the intranet and allow the user to copy the file from the intranet to the read/write partition of the G/On USB key. The most secure option in this scenario would require the user to deploy the G/On USB key while connected to the intranet. The approach for external users will differ if it is not po
ectly when the fallback has been enabled in G/On Builder.

The bypass client can connect through an HTTP proxy on 1.2.3.4:3128 (the exact IP address is to be read from the standard Windows proxy settings) to the bypass server on 5.6.7.8:8080. This is typically the same IP address as the G/On server, but it can be configured differently if the bypass server runs on a different physical server from the G/On server. The bypass server then connects to the EMCADS server on 9.10.11.12:3945 (insert the IP address and port of the G/On server). When running the bypass server and the G/On server on the same physical server, the addresses 5.6.7.8 and 9.10.11.12 will be identical.

Configuration involves the following steps:
1. G/On connects to a local loopback port; the default setting is 127.0.0.5:3946.
2. The bypass client (toh client exe) must be running on the client machine, configured to:
  a. Listen on the loopback port, with the command line parameters listen host 127.0.0.5 and listen port 3946 (default is 127.0.0.5:3945).
  b. Connect through the HTTP proxy, with the command line parameters proxy host 1.2.3.4 and proxy port 3128 (default is 127.0.0.1:3128).
  c. Tell the HTTP proxy to connect to the server, with the command line parameters http host 5.6.7.8 and http port 8080 (default is 127.0.0.1:8080).

That can be configured with the following ToH client settings: client LISTE
... 74
Creating Menus ... 80
Creating Local Groups ... 83
Assigning Groups to Zones ... 84
User Administration ... 85
Assigning/Changing a User's Group Association ... 87
Selecting/Searching Users ... 88
Activating/Enabling Users ... 89
Enabling Locked Out Users ... 89
Viewing Online Users ... 90
Disconnecting Users ... 90
What is being Adopted ... 91
Why Adoption is Important ... 92
G/On Builder Settings for Adoption
embers from your domain, an AD user can be uniquely added to a locally created group without fear of this association being deleted when running the AD synchronization tool. The reverse is however not true: if you add a locally created user to an AD-defined group, the local user's association will be removed the next time you run the AD synchronization tool.

Assigning Menus

The most important thing to do is to find the relevant user groups and assign default menus. This is done by:
1. Selecting a group from the group list on the left.
2. Selecting a menu in the Default menu list by clicking on it.
3. Click on the menu name again to deselect it.

You can only select one menu per group. Use the filter option to limit your view to either users (personal user groups) or multi-user groups. The default is to show only multi-user groups, as these are the most used.

Creating New Groups

To create a new group, right-click in the group list and use either the Add group or the Clone group option. Add group will create a new, empty group. Clone group will make a copy of the currently selected group, including membership. To change the name of a group, change the title in the Group Detail frame.

Warning: Changing a group title means the group won't sync correctly when synchronized with the AD.

Note: Remember that group membership will be updated the next time USync or AdSync is run, and EDMS group memberships will not synchroniz
[Figure: Add/Edit Rule, example settings for Inside zones using Desktop clients. Client Version, Client CRC, Client Source Network 000.000.000.000, Source Netmask bits 32, Host Machine Domain GIRITECH.COM, EDC Media Class Fixed, Host Class, Device, Volume Serial Number, Volume Label; Cancel]

Example settings for Inside zones using Desktop clients:
- Host Machine Domain should be edited to reflect your company's domain (GIRITECH.COM in the example).
- EDC Media Class should be Fixed.

[Figure: Add/Edit Rule, example settings for Inside zones using USB clients. Rule Number: New Rule, Action on match: Inside USB zone. EDC Manufacturer HAGIWARA, EDC Media Class USBG, Host Machine Domain GIRITECH.COM, Source Netmask bits 32, Host Primary MAC Addr 00:00:00:00:00:00]

Example settings for Inside zones using USB clients:
- Host Machine Domain should be edited to reflect your company's domain (GIRITECH.COM in the example).
- EDC Media Class: USBG.
- EDC Manufacturer: HAGIWARA.

Note that the EDC settings can be used as standard, as they refer to G/On's unique USB keys. In the examples above this rule assumes that the computer is a
[Figure residue, continued: EDC Interface, EDC Media Class USBG, Device, Volume Serial Number, Volume Label; Client Version, Client CRC; Operating System, OS Major Version 0, OS Minor Version 0, Host Class; Client Source Network 000.000.000.000, Source Netmask bits; Host Machine Name, Host Machine Domain DOMAIN.COM, Host Primary MAC Addr 00:00:00:00:00:00; Cancel, Update Rule]

This new detection is available for USB keys when logging in from Windows XP as an Administrative user, or from Windows Vista as a Standard or Administrative user.

Note: Special settings are required for users on Windows XP logging on as a non-administrative (low user privileges) user. The new detailed detection levels are only available for XP Administrative and Vista Standard/Administrative users. In order to enable your users to access G/On from XP clients where they do not have administrative rights, you will have to create a second zone rule that includes CDROM in the EDC Media Class.

In this example (see figure) we have created a second Inside rule for USB keys. It states that our Hagiwara keys registering CDROM, logging in from our domain PCs (DOMAIN.COM, for example GIRITECH.COM), will be assigned to the Inside zone. This action should be repeated for all zone rules that

[Figure: Add/Edit Rule. Rule Details: Rule Number: New Rule, Rule Comment: XP Low Admin Rights Users on USB Keys, Action on match: ...]
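The rule conversion from the upgrade section above and the second CDROM rule can be checked against sample EDC reports with the following added example; it is not Giritech code. It assumes ordered rules where the lowest rule number wins, blank rule fields that match anything, and a <, > or <> prefix on the Client Version field meaning a version comparison (covering the Update-zone rule from the G Update chapter as well); rule numbers, the zone names and every sample report are constructed.

```python
"""Zone-rule matching for EDC reports, modelled on the Add/Edit Rule dialog.

Added example (not Giritech code). Assumptions: rules are evaluated in
rule-number order and the first full match wins; a blank rule field matches
anything; a Client Version value prefixed with <, > or <> is compared as a
dotted version number. All rules and reports below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EdcReport = Dict[str, str]


def _version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted client version such as 3.3.0.915; None if it is not one."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def field_matches(required: str, actual: str) -> bool:
    """Match one rule field against one reported value (blank rule field = any)."""
    if not required:
        return True
    for op in ("<>", "<", ">"):              # "<>" must be tested before "<"
        if required.startswith(op):
            have, want = _version(actual), _version(required[len(op):])
            if have is None or want is None:
                return False                  # a non-version value never matches
            if op == "<>":
                return have != want
            return have < want if op == "<" else have > want
    return required.upper() == actual.upper()


@dataclass
class ZoneRule:
    number: int
    comment: str
    action: str                      # zone assigned on match
    conditions: Dict[str, str]       # dialog field -> required value

    def matches(self, report: EdcReport) -> bool:
        return all(field_matches(v, report.get(f, "")) for f, v in self.conditions.items())


def convert_pre33_rules(rules: List[ZoneRule]) -> List[ZoneRule]:
    """Upgrade conversion from the manual: HAGIWARA rules get EDC Media Class USBG."""
    converted = []
    for rule in rules:
        conds = dict(rule.conditions)
        if conds.get("EDC Manufacturer", "").upper() == "HAGIWARA":
            conds["EDC Media Class"] = "USBG"
        converted.append(ZoneRule(rule.number, rule.comment, rule.action, conds))
    return converted


def evaluate_zone(rules: List[ZoneRule], report: EdcReport,
                  default_zone: str = "Outside zone") -> Tuple[str, Optional[int]]:
    """First rule (by rule number) whose conditions all hold decides the zone."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(report):
            return rule.action, rule.number
    return default_zone, None


# Constructed pre-3.3 rule set: the Inside rule from the manual's figure
PRE33_RULES = [
    ZoneRule(43, "Inside USB zone", "Inside zone",
             {"EDC Manufacturer": "HAGIWARA", "Host Machine Domain": "DOMAIN.COM"}),
]
# Constructed Update-zone rule for every client older than 3.3.0.915
UPDATE_RULE = ZoneRule(10, "G Update", "Update zone", {"Client Version": "<3.3.0.915"})
# Constructed second Inside rule for XP users without administrative rights
XP_LOW_PRIV_RULE = ZoneRule(44, "XP Low Admin Rights Users on USB Keys", "Inside zone",
                            {"EDC Manufacturer": "HAGIWARA", "EDC Media Class": "CDROM",
                             "Host Machine Domain": "DOMAIN.COM"})

# Constructed EDC reports as 3.3+ detection would hand them to the rule engine
VISTA_ADMIN = {"EDC Manufacturer": "HAGIWARA", "EDC Media Class": "USBG",
               "Host Machine Domain": "DOMAIN.COM", "Client Version": "3.4.0.100"}
XP_LOW_PRIV = {**VISTA_ADMIN, "EDC Media Class": "CDROM"}
OLD_CLIENT = {**VISTA_ADMIN, "Client Version": "3.2.0.900"}
FOREIGN_PC = {**VISTA_ADMIN, "Host Machine Domain": "HOTEL-LOBBY.LOCAL"}


def upgrade_scenario() -> Dict[str, str]:
    """Zones assigned with the converted rules, before and after adding rule 44."""
    rules = convert_pre33_rules(PRE33_RULES)
    result = {name: evaluate_zone(rules, rep)[0] for name, rep in
              (("vista_admin", VISTA_ADMIN), ("xp_low_priv", XP_LOW_PRIV),
               ("foreign_pc", FOREIGN_PC))}
    result["xp_low_priv_after_fix"] = evaluate_zone(rules + [XP_LOW_PRIV_RULE], XP_LOW_PRIV)[0]
    result["old_client"] = evaluate_zone(rules + [UPDATE_RULE], OLD_CLIENT)[0]
    return result


if __name__ == "__main__":
    for name, zone in upgrade_scenario().items():
        print(f"{name:24} -> {zone}")
```

The XP low-privilege key lands in the Outside zone until rule 44 exists, which is the lock-out the upgrade note warns about; the Update-zone rule wins for the old client because its rule number sorts first.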
73. ervers
- System Administrators with a fundamental understanding of Microsoft Active Directory
The G/On Installation Guide and Admin Manual is to be used in the implementation, upgrade and routine administration of your G/On installation:
- Network, Firewall and Database Pre-configuration (Chapter 2)
- System Configuration, Zone Setup and Application Connectivity (Chapters 3-6)
- Routine Administration, User Synchronization and Client Deployment (Chapters 7-11)
Note: this manual covers all versions of G/On, Enterprise and Business. Functionality that is only included in G/On Enterprise is marked with an Enterprise mark. All screenshots in this manual are either Windows Server 2003 or Vista, but the contents of the screens are exactly the same.
- Every effort has been made to ensure the accuracy of the contents of this manual. Any corrections will be posted to the latest online G/On Installation Guide and Admin Manual at the Giritech Services Portal (GSP) at the following address: http://support.giritech.com
- If you require additional support or further assistance, please contact support@giritech.com
Understanding G/On
G/On gives IT professionals the ability to securely extend internal applications to users, partners, vendors, external contractors and others in a way that is easy to administrate. User and group information can be synchronized with domains in Microsoft AD, allowing for easy configuration of menu
74. ew identity file. Please keep copies of the keys in a safe and secured place, as they are an integral part of the mutual authentication process.
G/On Backup/Restore
G/On Admin lets you perform database backups to xml files and later restore them. Fill in a path and name for the file you want to back up to and check the relevant settings.
- Everything: includes literally everything in your database, with the option to exclude the EDC access log.
- Applications, Actions and Menus: This option covers the information in the database which produces the data in the first three tabs in G/On Admin. This gives you the option to save your setup with no users. Note that menu association to groups/users will be lost if you later restore this kind of backup.
- Selected tables: This option enables you to back up only certain tables of your own choice from the database.
- Comment: In the comment field you can type information about the backup at your own convenience.
[Screenshot: Database Backup/Restore dialog, Backup tab: Backup file (backup.xml); What to backup: Everything (Exclude EDC Access Log), Applications, Actions and Menus, Selected tables; Comment.]
NOTE: xml files from a backup operation are not encrypted, whether you are using an encrypted database or not.
G/On Restore
[Screenshot: Database Backup/Restore dialog, Restore tab, with the Backup file field.]
The restore tab is where you restore xml backup
75. he AD User Group: Use the name of the User Group that contains your G/On users. If this group is not created in the AD, please specify a global security group that will be using the EMCADS server.
The Clients Tab contains all the settings that will define the address where clients connect and the behavior of the client to the end user.
EMCADS Connection: Here you will enter the DNS name or IP address(es) of the G/On Server, as well as the specific port(s) that the client should connect to. We recommend 3945, the port assigned by IANA to Giritech traffic. Reference: http://www.iana.org/assignments/port-numbers
Multiple addresses and ports configuration: The G/On client can be configured to connect to alternative addresses or ports, increasing connectivity from clients that
[Screenshot: G/On Builder, Clients tab. Emcads Connection: Emcads Server DNS name or IP address(es) (example entries gon.company.com, failover.company.com); Port(s) the client connects to (3945, 80, 449). Login dialog: Display login dialog randomly on screen (centers if disabled); Prevent TAB navigation; Make Cancel default button; Allow user to use On-Screen Keyboard (OSK) login; Automatically invoke OSK. Client Options: Close client connection when the screen saver activates; Client logging; Save client log to EDC; Fallback to ToH.]
76. he key.
Important: When the key is in the process of deployment, users should NOT remove the G/On USB Key from the computer during the update, as this could permanently damage the device. Users should also monitor their power: if the host machine loses power during this critical phase of the update process, then the G/On USB Key will very likely be permanently damaged beyond recovery. Finally, during the ISO recording process (the burning of data onto the USB key's read-only partition), the G/Update software will NOT respond to user input; it will switch to stay on top of other applications and will not redraw. After the recording is completed, all files copied off the removable partition will be copied back. The user can click the Show Log link in the lower right corner of the G/Update user interface to see a more detailed log of the progress.
2. Copy the Installer and Identity files from C:\Program Files\Emcads\GOnDesktop.
TIP: If you are placing the G/On Desktop Client on a corporate image, you can omit the identity file. When later authorizing a user to remotely access your system, you can provide them with the identity file and proceed with your normal adoption process.
3. Distribute the Desktop Client identity file to the Users.
4. Instruct the Users to double-click on the G/On Desktop Installer to initialize the installation and connection process.
5. Depending on which Adoption process you have
77. ields mentioned in the list below, where relational operators are allowed. In these fields you can use the notations for Less than (<), Greater than (>) or No Match/Not Equal.
Zone rule fields allowing relational operators:
- EDC Serial number
- EDC Manufacturer
- EDC Firmware
- EDC Class
- EDC Interface
- EDC Media Class
- Device Volume Label
- Device Volume Serial Number
- Client CRC
- Machine Name
- Host Class
- Client Version (not string comparison)
- Domain Name
Example: if the device is USB and the domain is giritech.com then it is trusted, but if the device is USB and the domain is not equal to giritech.com then it is not trusted.
Examples of Zones
In this section we have illustrated the most common zone definitions you will need to configure in your G/On installation. Each example highlights the fields that must be populated in order to make the zones operational. Some zones are by default included in the Action on Match drop-down field. If you need to create a new zone, refer to the section above, Adding and Managing Zones, for instructions on how to define a new Action on Match item.
Defining an Inside Zone
Inside Zones can be assigned to computers that are issued and maintained by your company.
[Screenshot: Add/Edit Rule dialog (Rule Details: Rule Number, Action on match, Rule Comment; EDC Client: EDC Serial Number).]
78. ient Log is stored in clear text and may reveal sensitive information about your company.
HTTP Proxy Bypass
The last box in the Client Options field is HTTP Proxy bypass, with server name/IP and port address. This box enables the HTTP proxy traversal functionality introduced with G/On version 3.4. Please note that this is a fallback option when enabled and will therefore not override other G/On Builder connectivity settings.
Warning: Please ensure that at least one direct connection via standard ports (as described previously) to the Emcads server exists. The HTTP Proxy Bypass should never be the only option, as that will impair users' ability to remotely update their clients, because G/Update does not run through the HTTP Proxy Bypass tool.
- Check HTTP Proxy bypass if you need the G/On clients to support proxy traversal by tunneling G/On TCP traffic as HTTP traffic through HTTP proxies. This setting tells the G/On client to communicate via the HTTP proxy bypass server instead of directly to Emcads in case connections cannot be made on the standard addresses and ports.
- The server/port field refers to the address of the proxy bypass server and is the target IP address the local HTTP Proxy should connect to.
To enable the default fallback setup of HTTP Proxy bypass:
1. On the G/On server, run toh server exe install from the emcads directory with no parameters (use Start > Run > C:\Program Files\Emcads\ToH
79. igning Keypair to a file and store it in a secure location.
Advanced Server Settings
Now proceed to the advanced server settings by clicking on Settings > Advanced Server Settings to call up the dialog box.
[Screenshot: G/On Builder, Advanced Server Settings dialog: Signing Keypair (Private Signing Key, Public Signing Key, Generate); Network: Listen Port; EDC Auto-adoption: EDCs must be adopted to access system, Auto adopt unknown USB Keys.]
This is where you set the default G/On Server Listening Port. By default it is set to 3945, which is the port assigned by IANA to Giritech traffic. For more information on the IANA port assignment go to http://www.iana.org/assignments/port-numbers
1. Configure the Listen Port: Enter the relevant port if the firewall PATs to a different port than the port the G/On server listens on, e.g. if clients connect to port 3945 but the firewall PATs the external port 443 to it, enter 443. If left blank, the server will simply listen on 3945.
Note: This field does not have to be configured, but it overrides the port defined during installation if it is.
Warning (EDC Auto-adoption): EDCs must be adopted to access the system. Note: Auto adopt only
80. iguration file is exported to an XML file named <dns name>.xml (e.g. mydomain.com.xml). The resulting file(s) can be imported using the import option. Example: AdSync.exe export
- help: Show list of available options and exit.
- import: Import data from a file exported with the export option. Example: AdSync.exe import myfile.xml
- usync: Convert data imported with USync to a format recognisable by AdSync.
- version: Print product version and exit.
Other options:
- delete_unmatched: Setting this option will override any Delete unmatched entries settings in the configuration file.
- force: With the usync option set: During upgrade of data imported with USync, AdSync may encounter users for which it cannot find a match in Active Directory. Normally this will cause AdSync to halt, but setting this option will result in the removal of the unmatched user(s) and the upgrade will continue. Without the usync option: AdSync will not run if it detects that the database contains data synchronized with USync. This option forces AdSync to run even if this is the case. Using this option is not recommended unless you are an expert user. AdSync and USync are NOT compatible: if you have imported data with one of the tools, then synchronizing with the other will not work correctly, i.e. some data may be deleted and groups and users may appear more than once in the G/On admin module. Example: AdSync.exe force
- inifile: Run AdSync with
81. in or software versions, just to name a few. Here are the basic steps necessary to create and define zones:
- Add Zones
- Create Rules
- Assign Zones to Groups
- Assign Identity Files (EDC) to Users
The primary interface consists of the EDC Admin Window in the Access Rules Manager program and several sub-menus to view/access and manage Identity Files and to assign/lock Identity Files to users. Most of these menus are available when you right-click inside the Access Rules Manager main window.
There are many different ways to configure zones. Here are some definitions of the most common types, along with the typical levels of application access. It's important to note that these are just examples and that you should adjust access to align with your company's internal security policies.
[Screenshot: Add/Edit Rule dialog with Action on match set to Inside zone (Rule Details, EDC Client, Client, Source Netmask bits 32, Operating System).]
- Inside or Inside USB: The Inside Zone should be used for company-managed PCs. Clients falling into this zone will typically get access to the most comprehensive application menu and the ability to use their native clients.
- Trusted: The Trusted zone is for access from clients that you trust but where you don't necessarily manage their computer. Typically these are defined to be user-specific
82. indows server you should be prompted to run and install G/On. If auto-run is disabled, you can start the installation by starting InstallGOn.exe from the root of the CD.
3. Read the license information and accept it by clicking on I Agree; the server installation starts.
[Screenshot: G/On 3.4.0 Setup, License Agreement: "Please review the license agreement before installing G/On v3.4.0. If you accept all terms of the agreement click I Agree." (End User License Agreement for Giritech A/S software; Nullsoft Install System v2.22.)]
Giritech A/S 2008 17
4. Choose where to install the server product. Default is C:\Program Files\Emcads, but you can install the product anywhere on a local hard disk.
[Screenshot: G/On v3.4.0 Setup, Installation Folder: "Setup will install G/On v3.4.0 in the following folder. To install in a different folder, click Browse and select another folder."]
83. ions work in your environment.
Step 1: Identify your Application Types
These are the Application String types in G/On:
- Type 4 Terminal Services Connector (9 parameters): Using this version, Terminal Services can be launched with single sign-on. Note: If you don't desire single sign-on, use a Type 8 with mstsc.exe.
- Type 5 Legacy Citrix Connector (9 parameters): Using this version, the ICA Desktop can be launched with single sign-on.
- Type 7 Change Password (no parameters): Can be used to enable users to remotely change their password.
- Type 8 Single Port Application Connector (11 parameters): Used to launch applications that only require a single port to connect to the server. Some examples are Microsoft Navision, Web Browser etc.
- Type 9 Application Launcher (2 parameters): Launches local applications with corresponding parameters. Can be used after launching a gateway.
- Type 10 Multi Port Application Connector (9 parameters): Used to launch applications that require two or more ports to connect to the server. Some examples are Outlook, Citrix PN.
- Type 1 Show log: Predefined standard item.
- Type 2 About: Predefined standard item.
- Type 3 Exit: Predefined standard item.
- Type 6: Reserved for future use.
Once you have completed Step One and identified the types of applications you would like to connect, you are ready to move on to Steps 2-4.
84. [Screenshot: G/On Admin, Groups tab, showing group members (demo.giritech.com accounts) and the Add and remove members, Add Group, Clone Group and Delete Group controls.]
Go to G/On Admin, press F3 and log onto G/On Admin as an Administrator. Select the Groups Tab in G/On Admin. Select the User Group. Select which Menu Item should be available. Highlight the zone or zones where it should appear. Repeat this process for every Zone that you have defined. In this example, all Enterprise Administrators that are logging on from a client that matches the Inside Zone will receive the menu item Applications. More information on defining applications, menus and applying zones to groups or users is covered in Chapter 6.
Manage EDCs
To manage an EDC, right-click anywhere in the Access Rules Manager window and select Show EDC List. Then right-click any EDC listed in the EDC List window and select the appropriate action from the drop-down list. Here you have the options to:
- Assign EDCs to users: Officially assigns responsibility of the EDC to the user.
- Lock Owner: If you lock the owner, then the user can only use this EDC and no other EDC.
[Screenshot: EDC List window with Filter.]
85. is will produce the help screen.
- deploy: The deploy switch is not case sensitive with the name of the ISO image file, nor does it require the .iso extension on the name of the image. This feature DOES NOT import current files from the read-only partition of the G/On USB Key. Can be used with these switches: deploy is not compatible with other switches and should be used alone.
- getall: This switch changes the default mode of operation so G/Update updates all current files and downloads all files that are not present on the USB key. Compatible with: updaterw, ignorecrc, updateonly.
- updaterw: Toggles G/Update to update the removable partition on the G/On USB Key with the contents of the RWData folder under the EMCADS installation folder. Note: please always launch with getall to ensure proper updating of the RW partition. Compatible with: getall, updateonly, ignorecrc, noimport.
- updateonly: Instructs G/Update to limit updating to either a folder and its subfolders or a single file. For example, invoking G/Update with the parameters GUpdate.exe updaterw updateonly wfica\appsrv.ini will update the appsrv.ini file in the wfica folder. However, invoking G/Update with the parameters GUpdate.exe updaterw updateonly wfica will update the entire wfica folder. Compatible with: getall, updaterw, ignorecrc, noimport.
- noimport: ligno
86. it more difficult to script a G/On login, increasing client login security:
- Display Login Dialog Randomly
- Prevent Tab Navigation in the Login Dialog
- Make Cancel the default button instead of Enter
The next two boxes allow you to offer or even force the use of the OSK (On-Screen Keyboard), which is an effective way to cheat keylogger software.
- Select which of the 5 Log In Dialog Features you wish the clients to exhibit.
Client Options
The bottom check box controls client logging and provides an option to disconnect the client from the server if the screensaver on the client PC activates. This will reduce the risk of abuse if the user forgets his key in a logged-in machine.
- Choose if you want the clients to disconnect when the Screensaver activates.
Warning: All settings on the Clients tab are stored in the identity file on the client. Changes to this tab will therefore not take effect until the client has been updated with the newly updated identity file. This is usually done with GUpdate.
- If you need connection logging enabled on the clients, check the Client logging box. This will not save the log but only enable logging. Please note that if Client logging is disabled, there will be no Show log entry on the menus of any client.
- Decide if you want the log to be stored on the EDC by checking the Save client log to EDC box.
Security Warning: Information in the Cl
87. l application sessions run on individual connections, preventing data leaks between sessions. As an added security precaution, two separate AES keypairs are used: one for upstream traffic and one for downstream traffic. Any tampering with a connection will cause the application session to be disconnected by the G/On Server, but will not influence other application sessions. The client opens ports on the client PC's local loopback interface (127.0.0.2) and forwards communication (TCP or UDP) to and from this port through the G/On Server. A technique called LockToProcess prevents any other application from using the session to access the intranet. Only the proper application will be allowed to connect through the loopback interface.
Chapter
From beginning to end there are 6 major categories you will need to complete to get up and running with your G/On Solution:
- Preparation and Network Setup: Bandwidth Review, Firewall Settings, User Directory Setup, Failover Setup, DNS Settings, Database Preparation
- Installation or Upgrade: Installation of the G/On Server, Creating the Database, Configure User Login Security Features, Configure the Client Connections, Create your Company Specific Identity File, Activation of G/On
- User Setup: User Synchronization & Database Population, Administrator Setup & Configuration
- User Access Locations: Security Zone Setup
- Applicatio
88. lback to HTTP proxy bypass if no connection can be established. Note that G/On reads the default proxy settings from Windows; refer to Internet Explorer > Tools > Internet Options > Connections > LAN Settings > Proxy Server, where the IP address/name and port used can be found.
Note: Following these guidelines will enable the default setup of the HTTP proxy bypass tool. If more advanced settings are required, please consult Chapter 13, e.g. for configurations where the proxy setup cannot be found via Windows as described above (hidden proxy).
Note: Remember to restart the HTTP Proxy Bypass server every time a stop and/or restart of the Emcads server has been performed. The HTTP Proxy Bypass Server can be restarted via Start > Control Panel > Administrative Tools > Services: find Giritech ToH and press Restart.
1. Once you have filled in the five tabs of the G/On Server Configuration tool, select the Save and Activate button in the bottom right corner of any G/On server tab.
2. Respond to the dialogue boxes.
[Screenshot: Confirm dialog: "Do you want to save your configuration?"]
Note: Every time you save your configuration you will be met by a confirmation box like the one below. If you choose Yes, the identity file will be copied to the Clients directory as well as to the GOnDesktop directory.
[Screenshot: Confirm dialog: "Do you want to copy your Identity File to the Folder for the ISO pa"]
89. led login attempts (Reset)
Note: Manually added users are not automatically activated. You have to check the box Account Active before the user can log in.
Using both AD and Local Users
There are many reasons to employ a mixed user policy in G/On. In many companies you have external vendors, temporary employees or partners that you don't want added to your corporate network or AD. G/On enables you to locally create users and define restricted access without having to add them to your domain or your AD.
Assigning/Changing a User's Group Association
Instead of using the group page to add and remove users to a group, you can add and remove a user from several groups on the user page by using the Change Groups button. This will show a dialog box containing all multi-user groups and an option to add or remove check marks to indicate membership.
[Screenshot: "Select groups for user" dialog ("Select the groups you want this user to be a member of"), listing the W2K3R2 domain groups such as Domain Admins, Domain Users, EMCADS, Enterprise Admins, the Exchange administrator groups and G_ON Admins.]
90. [Screenshot: G/On Admin, Users tab: Login name, Alternative auth domain, Account, Expires, Last login, Failed attempts, Current status, Groups, User menu preview (Use zone filtering on menu; Limit user menu preview to the following zones: Unknown, Inside, Outside); Edit user, Add user, Delete user, Kick user.]
User Administration Tab, Administrator Level: All Admin Users
- View user account information
- View access zone information
- View user menu profile
- View adopted EDCs (Electronic Data Carrier, like a USB device or host PC)
- No edit or delete functions are available at this level.
Group & Menu Tabs, Administrator Level: Helpdesk level 1
Users at this level inherit the User tab but have access to the Group and Menu tabs. At this level staff can:
- Add & remove members from groups
- Disconnect Users
- View Online Users
- Adopt unknown EDCs (EMCADS Data Carrier (EDC): USB device or host PC)
- Create Groups
- Reset user logon after lockout
- Assign a default menu to each group
- Lock default menus to zones
- Assign defined actions to menus
Menu Actions Tab, Administrator Level: Helpdesk level 2
- Edit, create and delete already created menu actions
Applications Tab, Administrator Level: Default Administrator mode
Professionals in this category are typically senior-level operations staff that are tasked with the strategic dep
91. [Screenshot: G/On Admin, Applications tab, listing applications (Application Launcher GUpdate, Application Launcher Navision, Single Port Application Outlook, Multi Port Application Terminal Server Desktop, Legacy RDP, ICA Legacy, Terminal Service Legacy) with Create new application, Edit Application, Delete application and the Application creator.]
Step 3: Edit Application String Template
In Step 2 the Application Creator creates a template for your application string. To open and edit the template that you created in Step 2, go to:
1. G/On Admin > Application Tab
2. Highlight the name of the template you created with the Application Creator.
3. Select Edit.
This will open the Application String Editor, which is your template. In the template you will see that there are several values that have been entered into your template. Most of the values in the template are generic and are designed to guide you on what values should be entered when you fill out Step 4. But some values are default parameters, as in this example: the Application to Launch is given as BROWSER.
[Screenshot: Application creator showing the type list (ICA Desktop Legacy 5, Application Connector Single Port 8, Application Connector Gateway 10, Application Launcher 9) and the string parts of a Single Port (type 8) TClient template.]
92. loyment & maintenance of the corporate infrastructure, or Giritech Certified Partners. The Applications tab in G/On Admin is where application connectivity occurs. Staff at this level can:
- Utilize the Application creation wizard (Application string creator)
- Define Zones
- Sync AD
- Adopt EDC from file (USB specific)
- Perform backup/restore operations on the database
Administrator mode
Switch to administrator mode by pressing F3 or select Administrator mode from the File menu. You will be prompted for the G/On administrator username and password. Note: If you did not set a password in G/On Builder, the default is Admin / Password (capital P).
Maintain Zones: Here you can add or remove names of Zones. To define Zones, go to the AccessRules Manager.
Adopt Unknown EDCs: This takes you to a window that shows connection attempts from unknown EDCs. The list is sorted chronologically. Right-click on a list item to adopt an EDC.
Adopt EDC from file: Provides you with the option of adopting all the delivered keys by importing the file EDCSERIALS.DAT, which is on a specially marked G/On USB key.
Sync AD: Invokes USync.exe or AdSync.exe from the EMCADS server directory (see next section). This imports changes in AD users and groups to the EDMS, based on the parameters set up in G/On Builder.
Backup/Restore: See Chapter 11.
Online Users: See Chapter 7.
Active Directory syn
93. m needs exclusive access to its own temporary files, which are created in the temp directory. In case of false positives, where an installed AntiVirus solution falsely identifies G/On as malware, please contact Giritech Support for help to contact the vendor and resolve the issue.
G/On includes support for two types of databases:
- EDMS: Giritech's native EMCADS Data Management System
- MS SQL Server 2005 (Express, Standard & Enterprise)
- MS SQL Server 2008 (preliminary, CTP version)
G/On EDMS: If you choose to use the native EDMS, no pre-configuration is necessary.
MS SQL Server 2005 and 2008: For users of MS SQL you need to follow a specific series of actions to prepare your MS SQL environment for G/On. For detailed information on how to install with the appropriate settings, please refer to the document SQL 2005 Configuration located on the GSP.
Note: At the time of release of G/On version 3.4, only a pre-release version (CTP) of SQL Server 2008 was available. Please contact Giritech Support for the latest details when considering SQL Server 2008.
Note: You do not need to create a database. The database will be created by G/On Builder during the installation and configuration process. More information can be found in Chapter 3.
(Enterprise) G/On 3.4 supports the installation of G/On on virtual servers using the tokenless option. This is a license option that needs to be ordered together with the G/On
94. [Screenshot: Add/Edit Rule dialog for the Trusted zone (EDC Class, OS Major/Minor Version, EDC Media Class, Host Class, Volume Serial Number, Volume Label, Host Machine Name, Host Machine Domain, Host Primary MAC Addr).]
from locations like Home PCs. In this scenario you may decide to allow access to all the applications that are available in the Inside zone; however, you restrict native client access and enable only Terminal Service usability without drive mapping.
- Vendor or User Specific: Much like the Trusted zone, this zone is typically reserved for clients that you trust but where you do not necessarily manage the computer, or the computer is a native member of another domain. This is an administrator-defined zone to enable specific access to a user- or vendor-specific list of applications.
- Outside: The Outside Zone is for users that are connecting from a client or a domain that you have no knowledge of. Typically this could occur when users connect from clients at airports or conferences. In this scenario you would typically restrict both the level of application access, to include only non-sensitive applications, and the use of only a Terminal Server client.
- Update: The Update zone is useful when upgrading clients from previous versions of G/On. When using this zone, the user's upgrade experience is automated.
- Deny: The final rule in your list will be a Deny Access Rule. Clients that do not match any of the defined zones will match this
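To show how an ordered zone-rule list behaves, including the relational operators listed for zone rule fields, the two Inside rules for USB keys (USBG and CDROM) from the XP low-rights note, and the final Deny rule, here is an added Python illustration. It is not Giritech's code: the rule format, the operator spelling ("=", "!=", "<", ">"), the version-tuple comparison and the sample client values are all constructed for this example.

```python
"""Ordered zone-rule evaluation in the style of the G/On AccessRules Manager.

Added illustration, not Giritech code. Field names follow the manual's Add/Edit
Rule dialog; the rule format, operator spelling and sample clients are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# The manual says Client Version is not compared as a string: compare as a version.
VERSION_FIELDS = {"Client Version"}


@dataclass
class Rule:
    number: int                     # Rule Number: rules are evaluated in this order
    action: str                     # Action on match: the zone name, e.g. "Inside"
    comment: str = ""               # Rule Comment
    criteria: dict = field(default_factory=dict)   # field -> (operator, value)


def _version(text):
    return tuple(int(part) for part in str(text).split("."))


def _compare(name, op, expected, actual):
    """Apply one criterion; a field the client did not report never matches."""
    if actual is None:
        return False
    if name in VERSION_FIELDS:
        expected, actual = _version(expected), _version(actual)
    else:
        expected, actual = str(expected).lower(), str(actual).lower()
    if op == "=":
        return actual == expected
    if op == "!=":
        return actual != expected
    if op == "<":
        return actual < expected
    if op == ">":
        return actual > expected
    raise ValueError(f"unsupported operator {op!r}")


def matches(rule, client):
    """True when every populated field of the rule matches the client's values."""
    for name, (op, expected) in rule.criteria.items():
        if name == "Client Source Network":
            # expected is (network address, Source Netmask bits); op is ignored here
            network = ipaddress.ip_network(f"{expected[0]}/{expected[1]}", strict=False)
            if ipaddress.ip_address(client.get(name, "0.0.0.0")) not in network:
                return False
        elif not _compare(name, op, expected, client.get(name)):
            return False
    return True


def evaluate(rules, client):
    """First matching rule wins. Returns (zone, rule number)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, client):
            return rule.action, rule.number
    return "Deny", None   # defensive: the list should always end in a Deny rule


# Constructed rule set: Update first, then the Inside rules, then the final Deny.
RULES = [
    Rule(1, "Update", "Old clients get the automated upgrade zone",
         {"Client Version": ("<", "3.4.0")}),
    Rule(2, "Inside", "Inside USB zone",
         {"EDC Manufacturer": ("=", "HAGIWARA"),
          "EDC Media Class": ("=", "USBG"),
          "Host Machine Domain": ("=", "GIRITECH.COM")}),
    Rule(3, "Inside", "XP Low Admin Rights Users on USB Keys",
         {"EDC Manufacturer": ("=", "HAGIWARA"),
          "EDC Media Class": ("=", "CDROM"),
          "Host Machine Domain": ("=", "GIRITECH.COM")}),
    Rule(4, "Inside", "Company desktop clients on the LAN",
         {"EDC Media Class": ("=", "Fixed"),
          "Host Machine Domain": ("=", "GIRITECH.COM"),
          "Client Source Network": ("in", ("10.0.0.0", 8))}),
    Rule(5, "Deny", "Everything else is denied"),
]

# Constructed client fingerprints (the values a connecting client reports).
VISTA_ADMIN_USB = {"Client Version": "3.4.0", "EDC Manufacturer": "HAGIWARA",
                   "EDC Media Class": "USBG", "Host Machine Domain": "GIRITECH.COM"}
XP_LOW_RIGHTS_USB = {**VISTA_ADMIN_USB, "EDC Media Class": "CDROM"}
UNKNOWN_DOMAIN_USB = {**VISTA_ADMIN_USB, "Host Machine Domain": "HOTEL.EXAMPLE"}
OLD_CLIENT = {**VISTA_ADMIN_USB, "Client Version": "3.3.9"}
DESKTOP_CLIENT = {"Client Version": "3.4.0", "EDC Media Class": "Fixed",
                  "Host Machine Domain": "GIRITECH.COM",
                  "Client Source Network": "10.20.30.40"}


def without_rule(rules, number):
    """The same rule list with one rule left out (shows why rule 3 is needed)."""
    return [r for r in rules if r.number != number]


if __name__ == "__main__":
    for label, client in [("Vista admin, USB key", VISTA_ADMIN_USB),
                          ("XP low-rights, key seen as CDROM", XP_LOW_RIGHTS_USB),
                          ("USB key from unknown domain", UNKNOWN_DOMAIN_USB),
                          ("old client version", OLD_CLIENT),
                          ("desktop client on the LAN", DESKTOP_CLIENT)]:
        print(f"{label:34} -> {evaluate(RULES, client)}")
    print("XP low-rights without rule 3       ->",
          evaluate(without_rule(RULES, 3), XP_LOW_RIGHTS_USB))
```

Without rule 3 the XP low-rights client falls through every Inside rule and lands on the Deny rule, which is the situation the manual's second USB rule exists to avoid.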
95. mplest way to use AdSync is if you can run it on a computer which is logged into the AD domain and has a connection to the database. For security or other reasons this may not always be possible. If it is not possible or convenient to have an AD account and database connection on the same computer, the only possibility for using AdSync is via the import/export options. You can export data on any computer which is logged into the AD, then transfer the exported file to a computer where you have set up a connection to the database (it could be the database server itself), and then import the data. Note however that the data in the export file is not encrypted in any way, so you may want to protect the file in some way if you transfer it over an insecure line.
If G/On should be synchronized with more than one AD without trust between them, these options are available:
Use a Run as approach: Create a user account for each AD that needs to be synchronized and run AdSync as each user.
Distribute AdSync: AdSync can be distributed to a computer on each AD you need to synchronize with and then run on each of these computers. Note however that this requires that you can set up a connection from each of these computers to the G/On database.
Note that there is no conflict in synchronizing several ADs at the same time, since the data is separated by the domain names. It is however still not recommended to do so, for performance reasons.
96. n Show Progress application.
Parameter descriptions:
- Is the port the G/On client should listen on.
- Locking to Process increases security.
- Maps Drives.
- Same as Map Drives.
- Multiple Ports to forward: These ports are the listen ports on the client as well as the forward ports from the G/On server to the application server.
- Part of the link in the browser link field used to access a virtual site of the web server. Not required if the web server is set up to run a default site.
- Application to Launch.
- This is the Application Server Address.
- This is the text that is displayed in the Windows System Tray.
- This is the size of the application window.
- Activity indicator.
- Used with Single Port Applications. Enabling it means that only the process started by this string can communicate through the G/On Connection on the Port that has been defined in the string.
- Used with Citrix or Terminal Services.
- Used with Citrix or Terminal Services.
- When your application is using more than one port.
Examples:
- Here the web server is set up to run Exchange as a virtual site: http://127.0.0.2/exchange (in this case the PATH parameter is exchange).
- http://127.0.0.2/system/index.php: another example of how to use the PATH parameter (system/index.php).
- http://127.0.0.2: in this case the default web site on the web server is accessed.
- Use when you want to launch a specific application when running Terminal Services or Citrix. For example, a Terminal Servi
[Screenshot: G/On Admin Groups tab, listing the synchronized DEMO domain groups, with the buttons Add Group, Clone Group and Delete Group. The Group details panel shows Group title, Default menu, Members (e.g. DEMO\Domain Users), Group type (Personal user group or Multiuser group), "Only show the default menu in these zones", and "Add and remove members".]

Giritech A/S 2008

Note: To ensure that special groups and personal groups are NOT overwritten, they must have unique names that do not exist in the AD. AD users that are added to locally created groups are not affected when re-synchronized with the AD. So even though the AD controls the groups and m
[Sidebar: Connectivity Creation; Connect Applications; Create and Assign User Groups & Menus; Client Administration; Deployment Best Practice; Server Backup; USB Key Deployment Best Practice; G/On Configuration; Desktop Client Deployment; Backup; Adding New Users; User Guidelines; Removing Users]

Chapter

Before you install your G/On Server you need to prepare your network environment. This section covers the basic prerequisites you must have to successfully install, configure and run G/On Server. To save time during the installation and configuration process, we recommend that you make the necessary preparations to your network environment prior to installation of G/On.

Section overview: Software and Hardware Requirements; Bandwidth Considerations; G/On Server Placement in the Network Environment; Firewall Configuration; Server Hardware; Failover Setup & Configuration; User Directory Setup; Client Software & Hardware Requirements; DNS Settings; Preparation; Use of Virtual Servers; Server Software.

Server hardware:

- USB port version 1.1 or higher
- Minimum two virtual drive mappings available (e.g. drives E and F)
- Optional tokenless support available
- 100 MB of available hard disk space
- Minimum 1.2 GHz processor
- Minimum 512 MB memory for up to 100 concurrent users
- 2 GB memory for a recommended maximum of 500 concurrent users

Server Software: Your G/On Server can use one of the following
Builder.

- Verify that the firewall setup is correct, incl. ports, NAT and PAT configuration.
- Enter both IP addresses into the Clients tab of G/On Builder. This is done in the field "EMCADS Server DNS name or IP Address".

3. The listening port can remain 3945 for both the primary and the failover servers.
4. Copy your G/On server to the backup/failover server.

Failover Using 1 External IP Address

1. You will have to use your firewall's Port Address Translation (PAT) features to configure the traffic from the external port to the internal G/On Server listening ports.
2. Install your primary G/On server as normal and leave the listening port set to 3945/tcp.
3. When configuring your initial G/On Server, enter the IP address into the Clients tab of G/On Builder. In the field "Port Connects to" on the Clients tab, enter the ports that you have defined in the firewall, separated by commas, i.e. 3945,443.
4. Activate your primary G/On server and generate your signing key pair.
5. Install your secondary G/On Server with all the same settings. Copy the signing keypair from your primary server installation.
6. Define the listening port to listen on a different port, i.e. 443/tcp.

Two separate tools are provided for AD synchronization: the default USync tool for smaller installations and installations running on the internal G/On database, and AdSync for larger G/On installations with more than 200 users (see later ch
a different installation.

[Screenshot: installer Destination Folder dialog, default C:\Program Files\Emcads, Space required 89.2 MB, Space available 2.6 GB]

Follow the onscreen directions when running tokenless. Please remember to stop the HTTP Proxy Bypass tool as well (refer to page 32 for details) or you will get a write error message. Also remember to restart the HTTP Proxy Bypass server after upgrading G/On.

4. Select Yes to install the new version on top of the old. The G/On Installer automatically recognizes an already installed version and will install on top of it. Dialog (G/On v3.4.0 Setup): "The current installation path already contains a configured Emcads system, do you want to continue and upgrade this installation?"

5. Once the new version is installed, select OK. After the upgrade is complete you will be asked to verify your installation, re-acquire your license and upgrade the database. Select OK. Dialog (G/On 3.4.0 Setup): "You performed an upgrade of your Emcads system, therefore you MUST proceed to run G/On Builder to verify your installation and possibly renew your license."

6. Log into G/On Builder. Use your existing administrator username and password to launch G/On Builder, where you will have to re-activate your license and update your database. On the Configuration menu in G/On Builder, select the option to Activate License. Note: outgoing port 8
set by the systems administrator during the installation.

Note: Synchronization with multiple domains in complex AD structures is only supported in G/On Enterprise.

Once the Server has verified the client and assigned the appropriate zone, the G/On Server authenticates the user, either against the AD or the EDMS. The AD is not queried until the G/On Server has verified that the user exists in the EDMS. The AD is never exposed, and the AD passwords are never stored in the EDMS. Finally, once the user has been authenticated, the Server presents a menu to the client. Menus are dynamic: the menu presented to the user is defined by the administrator and can vary based on user name, user group associations and access zones.

The G/On Client is currently either a G/On USB Key or a G/On Desktop client. Two-factor authentication is implemented using 163-bit Elliptic Curve Cryptography (ECC), a standards-based public key technology, to generate keypairs which are used for encrypting and signing the initial handshake prior to user logon. By verifying the server's digital signature, created with the ECC key, the client also validates the server before any connection continues. Once the handshake is completed, all data is encrypted using 256-bit Advanced Encryption Standard (AES). Each new application session goes through the handshaking procedure, establishing a new AES-encrypted connection. This means that al
the workstation.

Force to menu root: To force menu items like Exit and other frequently used applications to the root of the user's menu, check this property.

It is important to remember that the final menu presented to the user depends on group membership and that it is possible for a user to get the contents of more than one menu. Building a practical menu structure will take some planning and a good knowledge of the company's group structure.

Groups Tab

The Groups tab is reserved for managing the default menus and assigning zones to the user groups you have applied to G/On. User groups are typically managed in Active Directory and then synchronized to G/On, meaning that it is not necessary to hand-build a group structure. Nevertheless, menus need to be assigned to the user groups for the users to get a menu.

[Screenshot: G/On Admin Groups tab with the Display filter (Display all, Multi User Groups, Personal User Group) and the list of synchronized DEMO domain groups]

Attentio
information on how to manage Groups and Users synchronized from the Active Directory, see Chapters 6 and 7.

Using USync

Synchronization of your Active Directory can be:

- Run manually by going to G/On Admin > File > Sync AD.
- Scheduled via the command line.

To subscribe to changes in AD, schedule USync.exe to run, for example, once every hour. This can be done by adding USync.exe to the list of Scheduled Tasks on the Windows server.

Using the Command Line to Schedule USync Tasks:

    C:\> SCHTASKS /Create /RU SYSTEM /RP runaspassword /SC HOURLY /MO 4 /TN USYNC /TR "C:\Program Files\Emcads\usync.exe" /SD 23/10/2005

Result from installing a new scheduled task:

    INFO: The schedule task "USYNC" will be created under user name "NT AUTHORITY\SYSTEM".
    WARNING: Password will be ignored for NT AUTHORITY\SYSTEM user.
    SUCCESS: The scheduled task "USYNC" has successfully been created.

Result from editing an existing scheduled task:

    INFO: The schedule task "USYNC" will be created under user name "NT AUTHORITY\SYSTEM".
    WARNING: Password will be ignored for NT AUTHORITY\SYSTEM user.
    WARNING: The task name "USYNC" already exists. Do you want to replace it (Y/N)? y
    SUCCESS: The scheduled task "USYNC" has successfully been created.

For more information on this command line tool you can use one of the following:

    SCHTASKS
    SCHTASKS /Delete
    SCHTASKS /Create
ini file. You can, however, override or change these settings in the ini file. Example:

    [Database]
    NT Authentication=False
    Username=user
    Password=password

Here the database connection will be made using the given user name and password instead of using NT authentication.

There is also the possibility of using an ODBC connection to connect to the database. Example:

    [Database]
    ODBC Source=emcads odbc

If the ODBC Source option is set, it overrides any other database connection settings. You can also specify a username and password for the ODBC connection:

    [Database]
    ODBC Source=emcads odbc
    Username=user
    Password=password

All configuration options

This section describes the full set of options available. Note, however, that most cases are covered by the typical configurations described in the previous section, so much of the information here may not be relevant to you. The configuration file contains the following sections and values:

[AD]

- Emcads group=EMCADS: the name of the group containing users to be synchronized. If not specified, the name EMCADS is assumed.
- Domain local only: specifies whether users and groups outside the domain should be imported. This option can be used to set up synchronization of multiple domains in one go. Possible values: True, False. Default value is True.
- Delete unmatched entries: specifies whether to delete a user or a group in the database if it
to adopt unknown Desktop Clients, the setting is ignored.

If you change this setting on an already running system, clients will be unable to connect unless you correctly PAT the connection on the firewall.

EDC Auto Adoption

The last panel lets you enable or disable the level of security for EDC access and select auto adoption for your clients.

- EDCs must be adopted to access system: this checkbox enables you to turn on or turn off the adoption validation of G/On clients (EDCs). Note: auto adoption only takes place if "EDCs must be adopted" is checked; otherwise the setting is ignored.
- Auto adopt unknown USB Keys
- Auto adopt unknown Desktop Clients

Advanced Server Settings: Network Listen Port 3945. Note: this field does not have to be configured, but overrides the port defined during installation if it is. Conn multiplier 10.

If you do not check the option "EDCs must be adopted", you effectively leave your G/On installation without any token security. Giritech recommends that you leave "EDCs must be adopted to access system" checked.

Using Auto Adoption: This option lets anyone with a USB key/Desktop Client and your identity file connect to the server. While this presents you with a way of automatically adopting keys that connect, which might come in handy if you plan a big rollout, y
to determine whether or not a user's AD password has expired. If you check this option you should adjust the days value if you would like your users to receive a warning. To do this, set a value in the final box to configure the number of days before the actual expiration date that the user should receive the warning.

EDC and Rule Administration Access

The section at the bottom of the panel contains the Administrator Username and Password for your G/On solution. It is used for restricting access to all G/On server tools:

- G/On Builder
- G/On Admin Advanced Administrator Features
- CXRulesAdmin

To change the default password:

1. Type in your new Administrator Username and Password and select another tab (any tab will do). Remember to save your configuration to update the password.
2. Confirm the password in the dialogue box that appears ("Please repeat your password").

Note: The G/On administrator password can be any string of characters and is case sensitive. Minimum length is 5 characters. If you do not explicitly set a password, the default password is Password (no quotation marks, capital P).

Warning: If you lose your Administrator Password you will no longer be able to use any of the G/On tools or upgrade your installation.

Client Update Folder Settings

This panel defines where the G/On Server stores the client software. We have entered the defaul
information:

- User information contains the login name and some details.
- Group information consists of the group name suffixed by the NetBIOS name.

The differences are:

- USync imports only global and universal security groups; AdSync also imports local security groups.
- USync imports all users in the domain; AdSync only imports groups in which one or more of the chosen users are members.
- USync only imports the display name of the users, whereas AdSync also imports email, title, street address, zip code, company, and work, home and mobile phone numbers.

The following sections provide configuration and operational details about the two tools.

TROUBLESHOOTING USYNC

USync can be run with command line parameters for troubleshooting purposes:

- d: Debug mode, outputs much more logging info than normal.
- f: Flush, deletes all users and groups from the EDMS.
- c <name>: Clean, deletes all users and groups from the <name> domain.

Alternatively, there is a switch to bring up a help dialog with a list of the options.

If you choose to use the Active Directory, you should create a G/On-specific group and assign the users that will use G/On to that group. Using USync, your users are automatically imported from your Active Directory. When syncing users from AD with USync, only the Full Name value is synchronized. All other values must be manually added to the User Information tab. For more i
You should also note the Warning box below. If you wish to follow security best practice guidelines, check the box "EDCs must be adopted to access system".

Warning: Be aware that auto adoption allows anyone with a G/On client and your identity file to connect to your server. Giritech recommends only using this feature for a short and limited period to help large-scale rollouts of clients, and not as part of normal day-to-day operation.

The User Directory tab is where you define the:

- Database Settings
- User Validation Settings
- Administrator Password

1. Start by selecting the type of database you will be using for your G/On installation.

[Screenshot: G/On Builder, User Directory tab, Database Settings: Database name (localhost, emcads), Database type (Emcads Built-in, External MySQL Server, External MS SQL Server), Update Database]

2. Follow the instructions below for your database setup.

Database Settings

By default the G/On Server uses an embedded database (Emcads Built-in).

EMCADS Built-In: If you use EDMS the server is always localhost. The name of the database is EMCADS by default. Simply click Update Database to enable this option and respond Yes to the 2 dialog boxes.

Microsoft SQL Database
should be deleted from the Emcads database, then you can run the command again with the extra option force, i.e. AdSync.exe usync force. Otherwise you should run USync once and check again. If you still have the problem, please contact Giritech Support.

When AdSync is run with the usync option it will automatically switch to debug logging. This creates an improved information base to assist in support cases. Please have this log available when contacting Giritech Support.

AdSync has a readonly option which, if specified, has the effect that no data is saved to the database. This can be used for testing an upgrade before actually doing it.

Command line options

AdSync has a number of command line options for performing other tasks and/or configuring the way the tasks are done. These options are described in this section. All command line options should be given in the form <option name>, e.g. AdSync.exe export. Some options can be activated using one-letter abbreviations. Use the option help to see the available options.

Task options

In this section we describe options to AdSync which change the functionality to perform specific tasks. If none of these options are specified, a normal synchronization is done.

- clear: Delete all users and groups belonging to the domain(s) specified in the configuration file.
- export: Export data from AD without entering it into the database. The data from each domain specified in the conf
(32-bit versions only):

- Microsoft Windows Server 2003 SP2
- Microsoft Windows Server 2003 R2 SP2
- Microsoft Windows Server 2008. Please note that G/On 3.4 has been tested with basic Windows Server 2008 functionality; none of the advanced features (e.g. new Terminal Services or new Active Directory) have been tested. Please contact Giritech support for the latest details on Windows Server 2008 support.
- Limited support for Windows Server 2000 SP4; please contact Giritech support for details.

Dimensioning the Server

The G/On Server is not CPU intensive, but CPU usage will increase as the number of concurrent users increases. Network bandwidth is a key factor and probably the primary bottleneck if not properly sized. The network and server administrators should be able to monitor bandwidth for saturation. The available network bandwidth is halved when both inbound and outbound traffic use the same network adapter on the G/On Server. To scale network performance, a second network adapter can be installed, assigning one to the inbound connections from the users and the other to the LAN where the application servers are located. No routing between the interfaces is needed. This configuration also provides a physical separation of inside and outside that helps increase the security level. Physical placement of the G/On server is a business choice, i.e. it depends on the level of security tha
Application to launch: %WINSYSDIR[noedit]%\cmd.exe
Application parameters: /C %VENDORPATH[noedit]%\batch\startprog.bat

You cannot launch startprog.bat simply by using its name as a Windows command. Likewise, it is not possible to launch, for example, an MS Word document by invoking its full path and name. Instead you must start Winword.exe with its full path and, as a parameter, put in the full path to the document. An example of this could be:

Fixed path
Application to Launch: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Application parameters: %VENDORPATH[noedit]%\MyDocument.doc

However, this would only launch MS Word on an English Windows with Office 2003 installed.

Using the Registry Paths
Application to launch: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe\Path (notice there is a space in "App Paths" where the line breaks)
Application parameters: %VENDORPATH[noedit]%\MyDocument.doc

This string will work on any language version of Windows and with any version of MS Office.

Chapter

HTTP proxies between internal local area networks and the Internet are a common way of controlling users' access to services on the Internet. Unfortunately, these systems will typically block all other traffic and hence make it impossible for G/On users to get access to the Internet, and hence to their home applications. The HTTP Proxy Bypass functionality introduced with G/On 3.4 solves thi
applicable.
4. Copy the server root directory (default C:\Program Files\Emcads) with all files and subdirectories to the new server (hint: check the size first; maybe it fits on the server token's Read/Write partition).
5. Move the server token to a USB port in the new server.
6. Install the Windows service on the new server by invoking emcads.exe with the install switch (i) and the port switch (p 3945) in a command prompt.
7. If applicable, change your IP settings on the new server so the IP address matches the one of the old server, or change firewall NAT/PAT settings, and maybe also DNS settings, to reflect the new IP address.
8. Start the server.

Steps to move the server (Tokenless)

If you are using G/On without the G/On USB Server Token and your license permits you to run only one server, or if you have already used all the servers permitted by your license, you need to:

Deactivate the license for the server that is no longer going to be used. Start G/On Builder and use the pull-down menu File > Deactivate License. G/On Builder will connect to Giritech's License Manager and release this particular server license, making room for a new license on another physical server/PC.

Note: If you are for some reason unable to deactivate the license, please contact your Giritech Partner, who will make arrangements to have it deactivated or to increase the number of servers permitted by your license.

Document the G/On Builder License Configuration on the old server and
applications, consult Chapter 12 for a more detailed explanation on Application Connectivity.

Strings are created by the Application Creator. But if you choose to open and browse the raw strings, or observe them in the viewing window, you will see a long list of values and brackets. This section gives you basic knowledge about the actual make-up of a string; however, we recommend that you use the standard strings from the Application Creator.

All parameters in the raw strings must be surrounded by percentage signs. A parameter can have a series of basic values to choose among later, specified in square brackets. For example, if you want to include a parameter defining whether or not to display full screen, using the values true or false, you could make it like this:

    %FullScreen[False|True]%

Notice that the values are separated by a horizontal bar. To make a particular value the default value, trail it with default. Example:

    %FullScreen[False|True default]%

Some parameters can be forced to hold a value. This means that when the menu action is created it is mandatory that certain fields are filled in, i.e. they can NOT be left blank. Example:

    %DOMAIN[mustedit noblank]%

Step 1: Identify the types of applications you would like to make available.
Step 2: Create the application strings with the Application Creator.
Step 3: Edit application string properties and parameters.
Step 4: Apply the settings to make your applicat
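A small parser and validator for the raw application string syntax described above, added here as an example (not Giritech code). The exact grammar is an assumption reconstructed from the manual: parameters are %NAME% or %NAME[...]%, bracket values are separated by "|", a trailing " default" marks the default value, and the flags mustedit, noblank and noedit (assumed to mean "fixed, filled in by the client environment") may appear as bracket entries.

```python
"""Parser for G/On-style raw application strings (added example, not vendor code).

Assumed grammar (reconstructed from the manual's description):
  %NAME%                      plain parameter
  %NAME[v1|v2|v3]%            allowed values, separated by '|'
  %NAME[v1|v2 default]%       trailing ' default' marks the default value
  %NAME[mustedit noblank]%    flags: mustedit (must be filled in when the menu
                              action is created), noblank (may not be empty),
                              noedit (assumed: fixed value supplied by the client)
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

FLAGS = {"mustedit", "noblank", "noedit"}
# %NAME% or %NAME[body]%; the body may not itself contain ']'
PARAM_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(\[([^\]]*)\])?%")


@dataclass
class Param:
    name: str
    choices: List[str] = field(default_factory=list)   # allowed values, if restricted
    default: Optional[str] = None
    flags: Set[str] = field(default_factory=set)


def parse_param(name: str, body: Optional[str]) -> Param:
    """Parse one bracket body such as 'False|True default' or 'mustedit noblank'."""
    p = Param(name)
    if body is None:
        return p
    for raw in body.split("|"):
        tokens = raw.strip().split()
        if tokens and set(tokens) <= FLAGS:        # a flag entry, e.g. "mustedit noblank"
            p.flags |= set(tokens)
            continue
        if tokens and tokens[-1] == "default":     # "True default" -> value True is default
            tokens = tokens[:-1]
            if not tokens:
                raise ValueError(f"{name}: 'default' must trail a value")
            p.default = " ".join(tokens)
        if not tokens:
            raise ValueError(f"{name}: empty value in [{body}]")
        p.choices.append(" ".join(tokens))
    return p


def parse_app_string(s: str) -> Dict[str, Param]:
    """Return every parameter found in a raw string, keyed by name."""
    return {m.group(1): parse_param(m.group(1), m.group(3)) for m in PARAM_RE.finditer(s)}


def validate(s: str, admin_values: Dict[str, str]) -> List[str]:
    """Problems that would stop the menu action being created from the admin's input."""
    errors = []
    for p in parse_app_string(s).values():
        supplied = p.name in admin_values
        v = admin_values.get(p.name, p.default)
        if "noedit" in p.flags and supplied:
            errors.append(f"{p.name}: fixed value, cannot be edited (noedit)")
        if "mustedit" in p.flags and not supplied:
            errors.append(f"{p.name}: must be filled in (mustedit)")
        if "noblank" in p.flags and (v is None or v == ""):
            errors.append(f"{p.name}: may not be blank (noblank)")
        if p.choices and v is not None and v not in p.choices:
            errors.append(f"{p.name}: {v!r} not one of {p.choices}")
    return errors


def render(s: str, admin_values: Dict[str, str], client_env: Dict[str, str]) -> str:
    """Substitute admin values (or defaults) and, for noedit parameters, client values."""
    def sub(m: "re.Match") -> str:
        p = parse_param(m.group(1), m.group(3))
        source = client_env if "noedit" in p.flags else admin_values
        v = source.get(p.name, p.default)
        if v is None:
            raise KeyError(f"no value for parameter {p.name}")
        return v
    return PARAM_RE.sub(sub, s)


# Constructed sample string in the manual's style (not from the product)
SAMPLE = "%WINSYSDIR[noedit]%\\cmd.exe /C %FullScreen[False|True default]% %DOMAIN[mustedit noblank]%"

if __name__ == "__main__":
    print(validate(SAMPLE, {}))
    print(render(SAMPLE, {"DOMAIN": "CORP"}, {"WINSYSDIR": "C:\\Windows\\System32"}))
```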
press Retry for G Update to finish successfully. Alternatively, press Abort to stop the update process. Pressing Ignore will not solve the issue and only leads to the error message being repeated.

[Screenshot: G Update progress dialog ("Transferring image to device", Show Log) and the "GUpdate.exe: Device Access Denied" error dialog with Abort, Retry and Ignore]

1. Click Yes to start the update.
2. Depending on whether or not you want to back up files, click either Yes or No to continue the update. Note: This is the last chance to abort.
3. Click Yes if you want to continue the update.
4. Click Yes if you want the Read/Write partition updated with the software you have placed in the clients RWData directory on the G/On Server.
5. Click Yes to continue the update, and the following dialogs will appear. Note: This part of the update process may take several minutes, but as long as the LED on the G/On USB Key is blinking, the update process is still in progress.
6. Press OK to finish the update process.
7. When the update process has completed, the dialog above appears. Simply close the G/On

To see a complete list of all supported switches in G Update, start G Update with the switch GUpdate.exe th
- Microsoft ISA: http://www.microsoft.com/isaserver/default.mspx
- JanaServer2: http://www.janaserver.de/start.php?lang=en
the server that it belongs to and look for updates or changes to the files on the Read-only partition of the G/On USB Key or the Desktop client directory. If G Update finds anything to update, it will download the needed files from the server and, just before the actual update is performed, shut down the G/On client if it is running. If there are no updates, the G/On client is left running as it was.

Note: G Update updates the CD/ISO partition from the Clients folder under the EMCADS installation folder. There is one limitation: it does NOT download ISO image files from the root of the Clients folder, which is where pre-recorded ISO images for deployment are stored.

If updates are available, G Update will notify the user by displaying a dialog box which asks if the user wants to download the updates. The user can determine if the bandwidth is sufficient for the download and abort it if the client software is used over a slow connection like GSM or another low-bandwidth connection. If the user selects to continue, G Update will continue to download and prepare the updates. G Update will show which file it is currently downloading and attempt to estimate the remaining time, calculated from an average of the total transferred amount of data.

When the download is complete, G Update will prepare the new ISO image for the Read-only partition of the G/On USB Key. This includes importing all files from the ISO partition that were not
number burned on the G/On USB key, or the unique hard disk firmware serial number of the device where G/On Desktop is installed. By adopting the EDC into your system, you maintain control over who is accessing your Server.

The EDC (CIF) and Identity File are important elements of your G/On System; without them your clients cannot connect or gain access to the system.

- The Identity File gives clients the ability to connect to the G/On Server.
- The EDC is your client-specific unique serial number.

Identity File

When the G/On Server is installed and configured, a unique file named the identity file is created. This file contains information unique to the G/On installation, and the identity file is what gives the G/On USB and G/On Desktop clients the ability to connect to the G/On Server. The identity file is encrypted during creation and can safely be distributed to the clients by electronic means.

The initial connection happens when the G/On USB or G/On Desktop client is first launched. The client decrypts the identity file to get the IP address or name of the G/On Server to contact. The client contacts the server, the server responds with a greeting, and the Secure Key Exchange (SKE) process starts.

Secure Key Exchange (SKE)

A greeting with a per-session public ECC key and a signature is sent from the server. Only a client with an identity file created by this server can validate the signature of the public key. This is the basis for the mutu
[Screenshot: EDC List window with the columns Update, OwnerID, OwnerLogin, EDC Serial, EDC Locked, Owner Locked, Date and Casing Serial; context menu: Assign owner(s), Unassign Owner(s), Manage EDC User locking > Edit Casing Serial, Copy to Clipboard, Deselect, Select All, Adopt EDC, Add EDC, Remove EDC(s); status "Displaying 0 of 0 (max 10)"]

- Lock EDC: This EDC can only be used by this person.
- Adopt/Add/Remove EDCs.

More information on assigning and managing EDCs is covered in Chapter 8, Adopting Users.

Chapter: G/On Admin

G/On Admin is your primary tool for defining and configuring your applications and menus and for managing your users.

The Admin tool is your primary interface for everyone from those conducting routine helpdesk tasks to senior network administrators responsible for remote connectivity to applications. The G/On Admin is the tool you will need to use to:

- Import Users and Groups from your Active Directory
- Create Application Connectivity Strings
- Create Menus
- Create Groups and Users
- Assign Users and Applications to Users and Zones

The Primary Interface consists of two drop-down menus (File, View, Help) and five tabs (Applications, Menu actions, Menus, Groups, Users) which you will use during the configuration. The Users tab offers Search (by login name), Edit user, Add user, Delete user and Kick user, with User information and Groups panels. The next
ignorecrc, autoclose, nukethekey.

The trailing backslash in wfica\ is what tells G Update whether it is a folder or a file it should attempt to update.

The noimport switch tells G Update to ignore what is already present on the part of the G/On USB Key or G/On Desktop it is about to update. This means it will not import files currently on the Read-only partition, even if they were NOT the latest version. However, on the removable drive partition of the G/On USB Key (or the G/On Desktop Applications directory) it will delete all files present before downloading the updates, effectively achieving the same as with the Read-only partition.

The updateonly switch will cause it to only download a fresh copy of all files currently present, i.e. it will not download files that do not already exist on the G/On USB Key.

The autoclose switch will make G Update automatically close itself when finished, if no errors occurred during the run.

The nukethekey switch is a special switch that changes the behavior of G Update. It should be used with great care, because using this switch resets all other switches either to predefined values or ignores them. It also disables user intervention and defaults actions to Yes on all dialogs except the Safety backup dialog. Note: All files currently on the removable drive partition will be destroyed when this switch is used. This option is designed to deploy

getall, updateonly, updaterw, ignorecrc, get
the EDC Rules Admin Key/Value window and selecting Adopt EDC.
- The G/On Admin tool, by selecting File > Adopt Unknown EDC.

[Screenshot: EDC list showing "You are currently using 0 of 10 allowed" and the context menu: Session owner, Lock EDC, Copy EDC Serial to Clipboard, Remove EDC]

Assigning/Locking EDCs

1. Log into the Access Rules Manager.
2. Right-click anywhere on the EDC Rules Admin window and select Show EDC List.
3. In the EDC List window, right-click the EDC you would like to assign.
4. Select the appropriate action from the list. Here you have the options to:
   - Assign EDCs to users: officially assigns responsibility for the EDC to the user.
   - Lock Owner: if you lock the owner, then the user can only use this EDC and no other EDC.
   - Lock EDC: this EDC can only be used by this person.
   - Adopt/Add/Remove EDCs.

Chapter

Client distribution and deployment is one of the most critical steps in your G/On installation. Proper distribution, EDC adoption and deployment involve aligning the physical distribution methods with your internal security policies.

Once you have completed your G/On configuration, it is time to decide how to adopt, distribute and deploy your clients to the users. The best practice distribution methods found in this chapter can help you determine which method best aligns with your security best practices. Once you have d
Internet, and between the client and Emcads. The bypass server listens on an Internet port and sends data to Emcads as if it came from the Internet. The server appears to the network as an HTTP server but will decode the HTTP requests and forward data to the G/On server's public port as set up in G/On Builder (default port 3945).

Both executables run as console applications; the server side must be started manually (see page 32), while the client side is automatically launched by Eclient. The client can be set up to create ToH client.log (default off), and the server is by default set up to create ToH server.log with minimum logging. Configuration options can be specified on the command line or in the ToH client.ini and ToH server.ini configuration files, as described below.

Note: Due to the inevitable overhead associated with HTTP tunneling, using the HTTP proxy bypass tool will affect performance negatively (higher latency and lower effective bandwidth).

Note: G Update will not run through the HTTP Proxy tool. The tool has been designed to work together with G/On 3.4. Please contact Giritech product management for any other use of the HTTP proxy bypass tool.

In a typical setup the bypass client will be distributed on the USB key or to the desktop as part of the standard G/On client package. When launched, it will listen on 127.0.0.5:3946. The G/On clients are configured to target that port instead of the EMCADS server dir
122. rtition

The configuration settings you have made are now in force. The last thing you need to do is start the server.
3. Go to Emcads Service and select Start.
[Screenshot: G/On Builder menu bar (File, Settings, Emcads Service, Help) with Emcads Service > Start selected.]

The server is installed as a Windows Service. You can start, stop and restart the G/On server from the Windows Services Manager (invoke services.msc). After saving and activating your configuration, service control is also possible from the new menu item Emcads Service. The service status is visible in the bottom right corner of the G/On Builder window.

Should you encounter the need to move the software to another server: besides the Windows Registry keys added when the Windows service is installed, the files are merely copied to the new server, to the same locations as on the old server.

Note: This scenario applies to moving an existing server to another box. If you wish to set up a failover server, contact your Giritech representative to hear more about how to receive a 2-server token or an additional tokenless server.

Steps to move the server (token based):
1. Stop the service if running.
2. Uninstall the service; this is done by invoking emcads.exe r p 3945 in a command prompt.
3. Substitute 3945 with the port number your G/On server is configured to listen on if a
123. rver port
- suffer from restricted outgoing ports: the MULTISERV/MULTIPORT feature must be enabled (see page 21).
- have set up more G/On servers for failover: the MULTISERV/MULTIIP feature must be enabled (see page 21).

You can specify up to 5 IP/DNS addresses and/or 5 ports. The addresses and ports are paired by entering them as comma-separated entries. The connection will occur on the first combination of server address and port where a G/On server answers the connection attempt.

Example:
Server: DNSname1, DNSname1, DNSname1, DNSname2
Port: 3945, 5000, 443, 3945

Here the client first tries to connect to DNSname1, first on port 3945, then 5000, then 443; finally the client will attempt to connect to DNSname2 on port 3945. The number of server addresses must be at least the same as the number of ports to connect to. If the number of ports exceeds the number of addresses, probing for servers stops when the last address has been tried.

Note: The server still only listens on the designated listen port. You will have to configure multiple PATs on the firewall yourself, or by other means forward the server's listening port to listening ports on the configured addresses, or install more G/On servers.

Login dialog
These are the settings for the behavior of the client login interface. The first three boxes are settings to make
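To make the pairing rule concrete, here is a small Python model of the client's probing order. It is an added example, not Giritech's client code: it assumes the two Builder fields arrive as the comma-separated strings shown in the example above, and takes a `probe` callable in place of a real TCP connect so it runs offline against a constructed set of answering endpoints. The handling of surplus addresses beyond the port list is an assumption, since the manual only states the reverse case.

```python
"""Model of G/On client failover probing with MULTIIP/MULTIPORT (added example,
not Giritech code).  Pairing rule from the manual: address i is tried with port i,
in order, until a G/On server answers; if more ports than addresses are given,
probing stops after the last address."""
from typing import Callable, List, Optional, Set, Tuple

MAX_ENTRIES = 5  # manual: up to 5 IP/DNS addresses and/or 5 ports


def parse_list(field: str) -> List[str]:
    """Split a comma-separated G/On Builder field; blanks and whitespace ignored."""
    return [item.strip() for item in field.split(",") if item.strip()]


def connection_order(servers: str, ports: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs in the order the client tries them."""
    addrs = parse_list(servers)
    port_list = [int(p) for p in parse_list(ports)]
    if len(addrs) > MAX_ENTRIES or len(port_list) > MAX_ENTRIES:
        raise ValueError("at most %d addresses and %d ports may be configured"
                         % (MAX_ENTRIES, MAX_ENTRIES))
    # More ports than addresses: the manual says probing stops when the last
    # address has been tried, so the surplus ports are never used.
    # More addresses than ports is left unspecified by the manual; this model
    # (an assumption) only tries pairs for which a port exists.
    return list(zip(addrs, port_list))


def connect(servers: str, ports: str,
            probe: Callable[[str, int], bool]) -> Optional[Tuple[str, int]]:
    """Walk the pairs and return the first one where a server answers, else None."""
    for addr, port in connection_order(servers, ports):
        if probe(addr, port):
            return (addr, port)
    return None


# Constructed sample network: only DNSname2:3945 answers, e.g. because the
# first server is down or outbound 3945/5000/443 towards it are filtered.
ANSWERING: Set[Tuple[str, int]] = {("DNSname2", 3945)}


def demo() -> Optional[Tuple[str, int]]:
    """Run the manual's example configuration against the constructed network."""
    return connect("DNSname1, DNSname1, DNSname1, DNSname2",
                   "3945, 5000, 443, 3945",
                   lambda a, p: (a, p) in ANSWERING)


if __name__ == "__main__":
    print("probe order:", connection_order("DNSname1, DNSname1, DNSname1, DNSname2",
                                           "3945, 5000, 443, 3945"))
    print("connected to:", demo())
```

The injected `probe` is where a real client would attempt the TCP handshake and the signing-key check; keeping it separate makes the ordering rule itself testable without a network.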
124. s

The G/On product consists of two primary parts:
- G/On Server
- G/On Client

[Figure: G/On overview. Unsecure side: the G/On Client connecting over the Internet; secure side: the G/On Server, Microsoft Active Directory and the application servers. G/On is an end-to-end, all-in-one solution.]

The G/On Server is a Windows-based server application built on Giritech's EMCADS (Encrypted Multipurpose Content and Applications Deployment System) technology. The EMCADS Data Management System (EDMS) is used for storing and accessing information about applications, users, groups, adopted keys, rules, zones and access statistics. The G/On Server has one TCP port open for incoming connections and forwards the relevant parts of incoming connections to services on the network it is attached to. This only occurs once a connection has been established. The G/On Client (either G/On USB or G/On Desktop) first verifies that it is connecting to the right server, using a signing key pair. The G/On Server then verifies that the G/On Client belongs to the system. This verification is done by means of a unique serial number that unambiguously identifies the actual device, referred to as the EDC (Electronic Data Carrier), e.g. a USB key or host PC. It then checks the connection rules allowing or denying access to that client. The client is assigned to one or more zone(s) that reflect the defined level of trust versus access that has bee
125. s Authentication, you MUST remove the Sync Source Domain from this tab. There are three fields in this tab that need to be filled in.

Main DC / Global Catalog Server
1. Enter the name of your Main DC or Global Catalog Server in the field provided. This is the NetBIOS name, not the DNS name. It is very important that you enter the correct information. This is the server used for the Global Catalog and for synchronization.

Sync Source Domain(s)
This field holds the LAN Manager domain names that are used for AD synchronization: the name of the domain from which the users are synchronized and validated. This should be the Pre-Windows 2000 Domain Name (LAN Manager domain name).
Tip: If you do not know your domain name, open a command prompt and type nbtstat -n. The domain name is readable in the first paragraph of the output, in the line marked <1E>.
2. Highlight and right-click the example LANMANAGERDOMAINNAME and delete it from the list.
3. Right-click anywhere in the field and choose Add to add a domain name to the list.
4. In the window that appears, enter the NETBIOS domain name and press Tab. If the DNS Domain Name does not auto-resolve, manually type the DNS domain name in the window and click Save. The DNS Domain Name holds the domain the server is a member of.

AD User Group
5. Enter the name of t
126. s problem by tunneling G/On TCP traffic as HTTP traffic to pass the local proxy as if it were standard web traffic. G/On HTTP proxy bypass is a tool that enables G/On to create TCP connections over HTTP in order to pass standard proxies. The problem occurs when a company uses proxies to control access to the Internet. The tool solves the problem of users being behind a filtering HTTP proxy and wanting to create a remote connection to the Internet.

Note: G/On HTTP proxy bypass is a command-prompt based tool that requires a deep understanding of Windows and Internet configurations. Any installations and configurations that do not follow the default guidelines on page 32 are therefore only recommended for advanced G/On users. Please contact Giritech Support for help.

Security Warning: Connecting through (and hence bypassing) an HTTP proxy might be a violation of local security policies, as the proxy is typically implemented to control and prevent users accessing the Internet.

The HTTP proxy bypass tool consists of a client and a server executable, ToH client.exe and ToH server.exe. The client runs on the user's Windows PC, listens for TCP connections and traffic on a local port and encodes it as HTTP requests. On the network it will appear as normal web browsing and will work even on networks deploying restrictive store-and-forward HTTP proxies. The tool is set up as an alternative path (fallback) through the Inte
127. s time consuming. Some databases, e.g. the built-in database, perform better if updates are made in larger transactions. The default size is 1.

Debug: Add this section in order to get debug log output.

Running AdSync
To run the tool, open a command prompt at the folder containing the AdSync executable and the configuration file. In the prompt, type AdSync.exe and the synchronization will begin. You can also schedule the task to be run with the Windows Task Scheduler or similar tools (see under USync for more details).

Data imported with USync (transitioning from USync to AdSync)
AdSync will check whether data imported with USync is present in the database. If this is the case it will abort. In order to upgrade data imported with USync, AdSync must be run in a special mode. Here is a recommended recipe for transitioning the data:
1. Back up the database.
2. Open a command prompt at the Emcads folder and run AdSync.exe usync.
3. When the command has finished successfully, create a configuration file for AdSync by running the command AdSync.exe dump_inifile AdSync.ini.
4. Synchronize again by running AdSync.exe and verify that it finishes without errors.

Notes: AdSync will match and convert all existing users and groups which were synchronized using the USync program. If AdSync finds one or more users which it cannot match, it will print a list of the users in question to the log and stop. If these users sh
128. se the default settings, configure your firewall: port 3945/tcp for inbound traffic.

Changing the Default Listening Port
We do not recommend changing the standard listening port; instead we recommend that you configure alternative external listening ports with the Port Address Translation (PAT) features of your firewall (see below). If you for some reason still wish to change the listening port for daily operations, you can change the default listening port from 3945/tcp to another TCP port by changing the settings during G/On installation. If you choose to change the default port, configure your firewall to pass traffic on the same port to the G/On Server.

Alternative External Listening Port Configuration with PAT
If you would like to listen externally on port(s) OTHER than 3945/tcp, you can use Port Address Translation in your firewall's configuration to map additional ports on the outside of the firewall to the G/On Server. We suggest using external 3945/tcp, 443/tcp and 80/tcp, all of which must be PAT'ed to 3945/tcp on the inside (see the section on Failover with 1 IP address for more information).

Licensing & Activation Requirements on Firewall Configuration
In G/On version 3.4, port 80/tcp is used to communicate with the Giritech G/On licensing server during activation, licensing and upgrade. Port 80/tcp MUST be open on the firewall for OUTBOUND traffic to allow the server to complete activation, licensing, initialization, changes to concurrent users and
129. sections will walk you through the necessary settings for the:
- Applications Tab
- Menu Actions Tab
- Menus
- Groups
User Management is covered in Chapter 7.

Basic Concepts that will be used in G/On Admin

Application string: This is the most basic element in the EMCADS system. An application string is used to launch applications and programs on the client and manages the secure G/On connection between the client and the server. Application strings can contain a series of changeable parameters separated by semicolons.

Action type number: A simple integer that indicates what kind of action should be executed on the client and how the following parameters should be interpreted.

Menu actions: A menu action is an application string that has been completely configured. A menu action contains fixed parameters such as server name, application path and port numbers. Menu actions are the commands executed when selecting one of the items on the user menu.

Menu: A menu is built from a series of menu actions. A menu is a simple hierarchical tree structure common to most Windows programs. The final men
130. ssible for them to physically present themselves at your location. The most secure option would be to send the G/On USB Key as registered mail and forward the identity file as a zipped file in an e-mail. There are risks with remote deployment which could potentially expose your identity to unwanted parties. However, for ease of deployment this may be a practical course of action, and since G/On employs 2-factor authentication, a username and password is still needed along with the adopted EDC of the G/On USB Key.

Desktop Client and Identity File
The desktop client is found in the EMCADS folder, typically C:\Program Files\Emcads\GOnDesktop. This file contains both the installer and your identity file. The desktop client can be mailed to users with or without the identity file, or it can be pre-installed as part of a corporate image. You should align the method of distribution with your own best-practice security guidelines.

Pre-Adopting USB Key Clients
Pre-adopting clients can be used to speed up the adoption process for G/On USB Key deployment. The best way to pre-adopt clients is to:
1. Import and adopt the EDCs from the EDCSERIALS.DAT file on the specially marked (red) USB key.
2. Manage the EDCs by assigning or locking them to the user.
3. Distribute the keys or client identity files, requiring the users to sign a receipt.

Adopting Clients after connection
Adopting clients after they have tried
131. t folders that we recommend using. If you wish to use the default settings you can proceed to the next tab (AD Sync).
Should you choose to change the default settings, you should familiarize yourself with the ISO partition and the Read/Write drive partition described below. There are two options: the ISO partition at the top and the Read/Write drive partition at the bottom. We recommend using the ISO partition for the Giritech clients, e.g. EClient.exe and GUpdate.exe, as these are files you typically do not want users to modify. The rewriteable (removable drive) partition is typically used for 3rd-party application software such as a Citrix ICA or Microsoft RDP client.
[Screenshot: G/On Builder, Client Update tab, showing the ISO Partition contents folder (C:\Program Files\Emcads\Clients) and the Removable Drive partition contents folder (C:\Program Files\Emcads\RWData).]

ISO Partition contents
It is recommended to keep only the Giritech-provided clients and software in this folder, for example EClient.exe, GUpdate.exe and other files that the user should NOT be allowed to change. Additionally, any predefined ISO images used for deployment of G/On USB should be located in the root of this folder. For the Desktop Client these files are also deployed to the desktop client; however, here the default path is C:\Program Files\GOn\Desktop.

Removable Drive partition contents
This folder is where all the vendor-specific applications should go; the con
132. t the company would like to maintain. We recommend the following, in prioritized order:

Preferred Server: dedicated server hardware
- Placement on dedicated hardware provides the highest level of security.
- Placement on a separate virtual server (using the tokenless option).
- Proxy Server.
- Terminal Server.

Not Recommended: We do not recommend installation on other types of servers, and NEVER on the same box as the AD server or the web server, as this presents a grave security risk.

Placement in the Firewall / LAN Infrastructure
The EMCADS server was designed to be placed securely on the inside of the firewall, where the application servers are. In this configuration only one port (default 3945, or as configured in the firewall) will be open from the outside, and the traffic on this port will be limited to the applications which the remote users have been authorized to access. Direct access to the infrastructure is avoided, since the user only has access to predefined applications and the remote PC is never assigned an IP address on the internal network where the G/On Server resides. All traffic running on this port is encrypted and protected.

Configuration of your firewall impacts:
- Activation and upgrade of your G/On installation
- Where clients connect during general operations
- Failover

General Firewall Requirements
The default setting for G/On communication is via the default IANA-assigned port 3945. To u
133. t user
[Screenshot: G/On Admin, Users tab: the user list with the columns Login ID, Last login, Active, Account expires and Username; the Search (Login name) box; and the User information / Edit user dialog with the fields User id, User login, New password, Repeat new password, Alternative authentication domain, Account active, Account expiry date and Failed login attempts.]

Note: It is possible to search using other parameters than login name, e.g. address fields, title or EDC serial number. This is done by selecting another property from the search dropdown box. The searched field will then be included in the search result dialog.

Activating / Enabling Users
Users synchronized from the Active Directory are enabled by default and no extra actions are necessary.
134. tent of this folder would be synchronized to the removable drive partition of the G/On USB device or to the Applications folder in the G/On Desktop installation folder. If the user wishes, they can choose another directory when deploying the standard Desktop installer.

Note: The folders defined above must be either a complete path including drive letter or a path relative to the Emcads installation folder; please note that you cannot use UNC paths.

Note: Many 3rd-party clients need to write to configuration files during operation. If these clients are placed in the read-only partition they will not work correctly.

AD Sync tab
[Screenshot: G/On Builder, AD Sync tab, with the fields Main DC / Global Catalog Server, Sync source domain(s) and AD User Group.]
This tab is where you define the standard settings to synchronize your Active Directory (AD): the User Sync Main DC / Global Catalog Server name and your Synchronization Domain. These settings are valid for both versions of the Active Directory synchronization tools, USync and AdSync.
- Main DC / Global Catalog Server: the name of the server through which the synchronization of users and groups will be done. It is recommended that this server is the Global Catalog server.
- Sync source domain(s): see the next page.

Note: If you are not using the AD for User Synchronization &

- AD User Group: name of the user group in the AD containing the Emcads user
135. ter that, we give a full description of all options available.

Typical configurations
In this section we describe some typical scenarios and give examples of how to configure AdSync for each of them. Database setup is the same for all of the scenarios and is described last.

Single domain
If you have a single-domain setup, the user account used for running AdSync must be logged into this domain. You therefore only need to specify the name of the group from which users should be drawn.
Example:
[AD]
Emcads group = Domain Users

Multiple domains
If you have multiple domains there are two different approaches to choose from:
- Synchronize with each domain separately
- Synchronize all domains together
Note that the second case is only possible if you can add users from all domains to a group in the domain you are synchronizing from.

Synchronizing with each domain separately
In order to synchronize with several domains you must add a domain section to the inifile for each of the domains. Each domain section has to have a unique name starting with "Domain" and must contain the option "DNS name".
Example:
[AD]
Emcads group = G/On access group
[Domain 1]
DNS name = mydomain.com
[Domain 2]
DNS name = myotherdomain.com
In this example the name of the Emcads group is the same in the two domains. It is however possible to specify another name in each [Domain xxx] section, which then overrides the one specified in the
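As an added illustration (not part of the AdSync tool or its code), the following Python reads an AdSync-style inifile like the one above and works out, per domain, which DNS name and which group AdSync would draw users from, applying the override rule described in the text. It assumes plain `key = value` ini syntax and the section and option names from this section; the sample inifile is constructed for the example.

```python
"""Resolve per-domain sync settings from an AdSync-style inifile (added example;
not Giritech's AdSync code).  Rules modelled from the manual: every section whose
name starts with "Domain" must carry a unique name and a "DNS name" option; the
"Emcads group" from [AD] applies to every domain unless a [Domain xxx] section
overrides it with its own "Emcads group"."""
import configparser
from typing import List, Tuple

# Constructed sample inifile (assumed key = value syntax).
SAMPLE_INI = """
[AD]
Emcads group = G/On access group

[Domain 1]
DNS name = mydomain.com

[Domain 2]
DNS name = myotherdomain.com
Emcads group = Remote staff
"""


def domain_plan(ini_text: str) -> List[Tuple[str, str]]:
    """Return [(dns_name, group)] for each Domain section, in file order.

    Raises ValueError for a missing [AD] group or a Domain section without a
    DNS name; configparser's strict mode raises on a duplicated section name,
    which enforces the "unique name" rule.
    """
    cfg = configparser.ConfigParser(strict=True)
    cfg.read_string(ini_text)
    if not cfg.has_option("AD", "Emcads group"):
        raise ValueError("[AD] section must define 'Emcads group'")
    default_group = cfg.get("AD", "Emcads group")

    plan: List[Tuple[str, str]] = []
    for section in cfg.sections():
        if not section.startswith("Domain"):
            continue
        if not cfg.has_option(section, "DNS name"):
            raise ValueError("section [%s] is missing the 'DNS name' option" % section)
        # Per-domain group overrides the [AD] group when present.
        group = cfg.get(section, "Emcads group", fallback=default_group)
        plan.append((cfg.get(section, "DNS name"), group))
    if not plan:
        # No Domain sections: single-domain setup, users come from the AD group
        # of the domain the AdSync account is logged into (manual, "Single domain").
        plan.append(("<logged-in domain>", default_group))
    return plan


if __name__ == "__main__":
    for dns, group in domain_plan(SAMPLE_INI):
        print("sync %-22s from group %r" % (dns, group))
```

Running the check in read-only fashion before a scheduled sync (the manual's readonly option serves the same purpose for AdSync itself) catches a misspelled section or a missing DNS name before anything is written to the database.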
136. the Menus Tab in G/On Admin.
2. Select the Add Menu button.
3. Give the menu a suitably descriptive name, as this menu name will be used when the final menu is created for the user.
[Screenshot: G/On Admin, Menus tab, with the "Please enter name of new menu" dialog and a list of existing menus.]
Under the list of menus you have two tree views. The one on the left contains one item with the name of your new menu. The one on the right contains a list of menu actions. The menu action list contains a couple of standard items (e.g. Separator and Submenu) and a list of all the menu actions you created on the Menu Actions tab. Now create your new menu by dragging items from the right panel to the left panel, or by double-clicking the menus in the panel on the bottom right.

Basic Features of the Menu Tab
- If you want to include something in a submenu, then the main menu for that item or action cannot be used to launch an application (i.e. an action); it has to be just a name for the menu. Use the Submenu action instead.
- You can delete items from the left list by right-clicking on them and selecting Delete. You cannot delete the root item; to do that you have to delete the whole menu.
- Placing the mouse over an item in the
137. the new hardware device.
2. If the key is adopted, the user will receive a message asking if they would like to deploy the key. Click Yes.
3. When the update is complete, close the G/On Update Manager by clicking the red X in the upper right corner.
Note: The update process can be lengthy and it may seem that the update process has stopped, but it can take several minutes. It is important that the update process be allowed to complete; otherwise the key is left in an unknown state and may require a new initialization.
The G/On USB Key is now ready for use. Remove the G/On USB Key and reinsert it to connect to the G/On Server.

Setting up Zones for New Key Deployment
Not necessary for initial client distribution and deployment.

Setting up Application Strings for New Key Deployment
Not necessary for initial client distribution and deployment.

Chapter
When making changes to your existing G/On solution, or after you upgrade to another version of G/On, you will need to upgrade your already deployed clients. There are several reasons for updating an adopted G/On USB Key besides upgrades of the client software: if any of the G/On Server's security settings are changed, or a new signing key pair needs to be created, the G/On USB Key must be updated. When G/Update runs normally (either invoked manually by the user directly, or forced to run by creating an update zone), the client will connect to the G/On serve
138. the specified configuration file. Example: AdSync.exe inifile myfile.ini
password: Password for the database connection.
readonly: Run in read-only mode, i.e. nothing is saved to the database. Useful for testing the result of a configuration.
username: Username for the database connection.

Logging in AdSync
Progress and other information is logged to the screen and to a log file called AdSync.log, located in the same directory as the executable. Note that information is always appended to the log file, so you may want to delete this file regularly in order to avoid disk space problems.

Event log
Errors and warnings issued during execution of AdSync are entered into the Windows Application event log. This enables you to get notifications about problems during execution, which can be useful if you are running AdSync as a scheduled task.

Debug logging
As mentioned previously, a special debug option is available. When running in debug mode, more detailed information is logged. You should only turn this option on for troubleshooting purposes, as it decreases performance and causes the log file to grow rapidly in size. Note that when the usync option is chosen, the debug option is set automatically. The reason is that the usync option should only be used once, and if something goes wrong it greatly simplifies troubleshooting to have as much information as possible available.

Recommendations for special cases
The si
139. u that is displayed for the end user may contain several menus, depending on group relationships and zones.

Group: A user group can contain one or more users. A personal user group is always created when a new user is created or imported. A group can have a default menu assigned to it, meaning that all members of this group will get this menu on login. If a user is a member of more than one group, the user will get a menu containing the combined contents of the menus assigned.

User: A user can be a member of multiple groups, but is at least a member of their own personal group. This is the one group they cannot be removed from. The menu that the user is assigned is based on the groups they are a member of. It is possible to attach detailed information to each user.

Zones: User groups can be assigned zones as a way to manage menus, and hence application access, depending on the active zones for each user. Refer to Chapter 5 for details on zones.

Getting Started as an Administrator
From the Start menu > All Programs > Giritech, select GOnAdmin to launch the G/On Admin tool. Access rights are controlled by the AD, and users must be logged on to the server, or in a terminal session, that allows access to the G/On Admin application.
[Screenshot: G/On Admin in Administrator mode (User Name: admin), Users tab, showing the Search (Login name) box and the User information fields Login name, User id and Alternative auth domain.]
140. ually Update their Clients ... 107
System Backup & Restore ... 112
Signing Key Pair Backup ... 112
[illegible] Backup/Restore ... 113
[illegible] Restore ... 113
Overview of Application Connectivity ... 114
Introduction to HTTP proxy bypass ... 117
Introduction to the HTTP proxy bypass tool ... 117
Configuring the HTTP proxy bypass tool ... 118
Compliance and tested proxies ... 119

G/ON INTRODUCTION
The G/On Installation Guide and Admin Manual is a concise, usable resource for Certified G/On Partners and G/On Administrators.
- This manual covers everything you need to initially install, upgrade, administrate and configure applications for your Giritech G/On solution.
The G/On Installation Guide and Admin Manual is designed for:
- Technical personnel with a basic understanding of TCP/IP based networks, firewalls and services.
- Accomplished administrators who have experience installing, configuring and administrating Microsoft Windows s
141. ult parameters that can be used when editing the G/On application strings in Step 3, Editing the Template:

%USERNAME%: The user's login name as typed in the G/On login window.
%GONPATH%: The path to the drive and directory where the G/On Client resides. On a G/On USB key this is the read-only partition; on a PC with the G/On Desktop Client installed this is the directory ECLIENT.EXE is launched from.
%DESKTOP%: Path to the logged-in user's desktop directory.
%VENDORPATH%: The path to the Read/Write partition on a G/On USB key. On a G/On Desktop Client this is the Applications directory.
%CLIENTDIR%: Path to eclient.exe. Left for backwards compatibility.
%PORT%: Port number to connect to. If left like this it starts with the value typed in Listen Port, but increments the port number by one if the port is already occupied (for example by another gateway). This is repeated until there is a vacant port number. Very useful if you connect to, for example, multiple internal web sites. Example: Application: %BROWSER%; Parameter: http://127.0.0.2:%PORT%. On a multiple-ports application string the parameter is %PORTx%, where x is the number of the line the listen port is defined in. Numbering starts from the top.
%BROWSER%: Full path to a local browser. If left like this it will invoke the PC's default web browser.
%IEX%: Full path to MS Internet
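To show the port-increment behaviour in runnable form (an added example, not G/On client code), the Python below models how %PORT%, and %PORTx% for multi-port strings, resolve to a vacant local port. It assumes the listen ports are supplied as an ordered list (line 1 first) and takes an injectable availability check so that occupied ports can be simulated; `port_is_free` shows the real bind test, and the occupied-port set is constructed for the example.

```python
"""Model of %PORT% / %PORTx% resolution from the parameter table (added example;
not Giritech code).  Rule from the manual: start with the configured Listen Port
and increment by one while the port is occupied, until a vacant port is found."""
import socket
from typing import Callable, Dict, List

LOOPBACK = "127.0.0.2"  # listening address G/On uses on the client side


def port_is_free(port: int, host: str = LOOPBACK) -> bool:
    """Real availability check: try to bind host:port on a throwaway socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def next_vacant_port(listen_port: int, is_free: Callable[[int], bool],
                     max_port: int = 65535) -> int:
    """Return listen_port if free, else the next higher free port."""
    port = listen_port
    while port <= max_port:
        if is_free(port):
            return port
        port += 1
    raise RuntimeError("no vacant port at or above %d" % listen_port)


def resolve_ports(listen_ports: List[int],
                  is_free: Callable[[int], bool] = port_is_free) -> Dict[str, int]:
    """Map the placeholders of an application string to the chosen ports.

    A single-port string yields {"%PORT%": p}; a multi-port string yields
    "%PORT1%", "%PORT2%", ... numbered from the top line, as the manual
    describes.  A port chosen for an earlier line counts as occupied for later
    lines (an assumption) so two lines never share a port.
    """
    taken = set()
    chosen: Dict[str, int] = {}
    for line_no, lp in enumerate(listen_ports, start=1):
        p = next_vacant_port(lp, lambda x: x not in taken and is_free(x))
        taken.add(p)
        name = "%PORT%" if len(listen_ports) == 1 else "%%PORT%d%%" % line_no
        chosen[name] = p
    return chosen


def expand(parameter: str, ports: Dict[str, int]) -> str:
    """Substitute resolved ports into a parameter such as http://127.0.0.2:%PORT%."""
    for name, port in ports.items():
        parameter = parameter.replace(name, str(port))
    return parameter


# Constructed sample: ports 3000 and 3001 are already occupied on the client.
OCCUPIED = {3000, 3001}


def demo() -> str:
    """Resolve the manual's browser example against the constructed occupancy."""
    ports = resolve_ports([3000], lambda p: p not in OCCUPIED)
    return expand("http://127.0.0.2:%PORT%", ports)


if __name__ == "__main__":
    print(demo())
    print(resolve_ports([3000, 3000], lambda p: p not in OCCUPIED))
```

Because the chosen port is only known at launch time, anything that logs or filters client-side listeners should key on the loopback address and the application string, not on a fixed port number.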
142. ult database for the ODBC connection is not the Emcads database. Note that by default an ODBC connection for SQL Server is set to connect to the master database.
Solution: In the ODBC connection configuration, make sure the default database is the Emcads database.

dbi program error: [Microsoft][SQL Native Client][SQL Server] Invalid column name user external 10 in EXEC
Cause: You are using a G/On version prior to 3.4. AdSync only works for version 3.4 or later.
Solution: Upgrade to version 3.4.

Chapter
At the heart of G/On is the ability to extend connectivity to defined applications. Extending applications is enabled by creating and configuring application strings. To implement a connection to an application using G/On, you either need to understand how the application communicates over the network, or use the built-in Application String Creator, which will define the standard application strings for you. An application string is basically an action number with parameters that detail the desired action on the client.
- G/On addresses all client/server applications that connect to a fixed IP number or DNS name on fixed ports.
- G/On supports TCP and UDP connections.
- On the client side, G/On uses the loopback address 127.0.0.2 as the listening address.
In the next section there is an overview of the most common settings and how to change them. If you require more advanced information on how to create and configure a
143. unch
[Screenshot residue: menu action options Hidden and "Can substitute clients on low privileges".]
10. Then, in the Groups tab, apply the menu items to the update zone. This will automatically update the clients that match the update zone.
[Screenshot: G/On Admin, Groups tab: the group list (personal and multi-user groups), the group details (Group title, Group type, Default menu, "Only show the default menu in these zones"), and the Members, Add Group, Clone Group and Delete Group controls.]

Go to the Menu Actions tab and select Create New Action. Select the GUpdate Simple template. Name the menu action "Update G/On RW Partition". Enter the parameters: getall yestoall nodialog updaterw autoclose launchgon. Go to G/On Admin > Menu > select the Update menu > drag (assign) the Update G/On RW Partition menu action to this
144. utinely go into the EDC List to assign owners, lock EDCs or lock owners.

Security Warning: Auto-adopt features should be used with caution, because improper use of auto-adopt circumvents security best practices: this feature enables anyone who receives your identity file to connect to your company. Adoption of EDCs is one of the security best practices that can be aligned with your security policy. If you need guidance on how to align adoption with your security policy, please contact support@giritech.com.

Deploying Clients with G/Update
Once you have decided which client distribution method to use, it is time to deploy the clients. In this section we introduce you to the basic concepts of our update and deployment toolkit, G/Update.

G/Update is the update and deployment toolkit from Giritech. It is designed to ease the deployment of the G/On client software as well as pushing out updates when necessary. The EMCADS install directory on the G/On Server contains two folders named Clients and RWData. These folders contain the G/On client software and the software that goes onto the Read/Write partition, respectively.

Note: The content of the Clients folder goes to the CD partition of the key, while RWData goes to the RW partition.
[Screenshot: Windows Explorer showing the folder C:\Program Files\Emcads.]
145. Copy your Signing Keypair
We strongly recommend that you copy the Private Signing Key and the Public Signing Key, which you will find on the G/On Builder Server tab, to a text file and save it to the backup location. This will help avoid having to manually update all clients if a failure occurs.
[Screenshot: G/On Builder, Server tab, Signing Keypair section with the Private Signing Key and Public Signing Key fields and the Generate button.]

Notify Users
Notify your G/On users that their G/On connection may experience disconnections or interruptions during the upgrade process.

Important: Changes to settings in G/On Builder are ONLY active after:
- You have saved and activated using the Save and Activate button.
- You have started or restarted the services using Emcads Service > Start or Restart.

Installing the Upgrade
1. Download the G/On 3.3.1 installer. After closing all active G/On windows, select InstallGOn.exe and run the G/On installer.
2. Accept the License Agreement and select Install.
3. Verify that your server token is in place and respond OK, or follow
[Screenshot: G/On 3.4.0 Setup, Installation Folder: "Setup will install G/On v3.4.0 in the following folder. To install in a different folder, click Browse and select another folder. Click Install to start the i"]
ven't made any changes to the server environment, placement or structure, can be done with minimal interruption to your users.

Before upgrading your G/On installation there are several critical factors that you should pay attention to; see the sections on Backup and Signing Keypair in the Prior to Upgrade section of this chapter. Changing these items could result in failure for all existing users and result in you having to re-deploy all your clients.

Note: One-user demo licenses cannot be seamlessly upgraded to version 3.4. We recommend taking a full backup of the database, de-installing the old version and performing a full install of version 3.4, including restore of the database.

You should follow these steps carefully. Doing so will ensure that you are able to restore your system to its original state, or restore settings that may have been inadvertently changed during upgrade.

Backup your G/On Server

Prior to commencing the upgrade, remember to back up the G/On Server. This can be done either by actually backing up to some other media, or by simply copying the contents of the directory the G/On Server is installed in (normally C:\Program Files\Emcads) over to another directory.

As of version 3.2 you can also choose to use the backup and restore feature in G/On Admin to back up the components of your installation as separate files. For more information on using this feature, consult the Backup/Restore section on page 113.
which you will use during the configuration. The next sections will walk you through the necessary settings for the:
- Server
- Advanced Settings
- User Directory
- Client Update
- AD Sync
- Clients

[Screenshot: G/On Builder, Server tab: Signing Keypair (Private Signing Key, Public Signing Key, Generate); Logfile location (Logfile folder, Locate folder); License (Concurrent users n/a, Expires n/a, Turned on features: MultiIP, AutoAdopt, MultiDom, Max EDCs, MultiPort, ExtDB, Tokenless; Activate License); Service: Stopped]

Important: Changes to settings in G/On Builder are ONLY active after:
- You have saved and activated using the Save and Activate button
- Started/Restarted the services using Emcads Service > Start or Restart

Giritech A/S 2008

The Server tab contains three settings: Signing Keypair, Logfile location and License Activation/Renewal.

Renew License

1. Start your Builder configuration by pressing the Activate License button at the bottom left of the Server window.

Once the license has been received, you will see the amount of users, the expiration date and the feature set of your newly received licens
will permit different applications on the client PC to connect through the G/On Gateway connection (Lock to process turned off), i.e. CITRIX communicates on 1494 TCP, 1604 UDP and 2598 TCP. The following Citrix applications use one or all of the ports:
- Wfcrun32.exe: 1494
- PN.exe: 1494, 1604 or 2598

G/On Communication

The G/On connection communicates on the loopback IP 127.0.0.2. Most client applications can be configured to communicate on the loopback address. This is normally done with a command line switch, or is configured in the application. In the Citrix application, PN.exe is configured using APPSRV.ini, where you point the client to the firewall connection of 127.0.0.2 instead of the true server location. Wfcrun32.exe is configured on the command line or by using an application-specific .ica file.

Note: Some applications require split DNS. Please refer to the Split DNS whitepaper for more information.

Hint: At certain times even a Windows command line is not enough to launch a specific client application correctly. You can be forced into launching a script/batch file instead. To launch a .cmd or .bat file with G/On, make your Application to launch "WINSYSDIR noedit cmd.exe" and the Application Parameters "C:\PathTo\MyScript.bat".

Example: you would like to launch startprog.bat, a batch file residing in a directory called batch in the root of the Read/Write partition of a G/On USB key. Ap