DDM Distributed Database Manager for SQL and ODBC. Installation and User Guide Version 5.27.xx

Transcription

1 DDM Distributed Database Manager for SQL and ODBC Installation and User Guide Version 5.27.xx

2 Communication Devices Inc. 85 Fulton St. Boonton, NJ USA Phone: Fax: Internet: Last Revision 4/2010

3 Table of Contents 1 INTRODUCTION DDM VERSIONS WHAT THIS MANUAL CONTAINS SYSTEM REQUIREMENTS README FILES CONTACT INFORMATION OVERVIEW CDI S ROLE IN NETWORK SECURITY DEVICE MANAGEMENT DATABASE ORGANIZATION INSTALLING THE DDM SQL VERSION INSTALL THE DDM SQL SOFTWARE CREATE, INSTALL, OR UPGRADE THE DDM DATABASE ON THE SQL SERVER Create New SQL Server DDM Database Create New Server DDM Database and import DDM Database Data Create/Upgrade SQL Server and Import DDM Databases Upgrade Existing SQL Server DDM Database Upgrade DDM Client Only EXECUTING THE DDM SQL PROGRAM: ACCESSING THE PROGRAM INSTALLING THE DDM ODBC VERSION INSTALLATION STEPS FOR DDM ODBC VERSION ACCESSING THE PROGRAM GETTING STARTED STARTING THE DDM PROGRAM NAVIGATING THE DDM SOFTWARE OPENING SCREEN Device View INSTALLATION AND SET UP OVERVIEW WORKING WITH GROUPS ADD A GROUP RENAME A GROUP DELETE A GROUP GROUP MODIFICATIONS UNIGUARD GROUP MODIFICATIONS PORT AUTHORITY GROUP MODIFICATIONS MULTIGUARD GROUP MODIFICATIONS REAL TIME LOG LIST

4 6.9 ENABLING THE REAL TIME LOG LIST Printing, Saving and Deleting the DDM Real Time Log Deleting items from the DDM Real Time Log DEVICES ADD A DEVICE TO A GROUP Duplicate a Device Move a Device Use the Device Wizard to add a device Modifying Device Properties Renaming a Device Deleting a Device CONFIGURING A DEVICE Device Info Screen Country Dialing Using the DDM SETTING THE NETWORK PROPERTIES OF A SPECIFIC DEVICE Network Properties, IP Configuration DDM Heartbeat Attributes DNS Attributes SNMP Attributes Network Properties (versions below 4.01) Network Properties (IP type set for external) SYSTEM OPTIONS Port Authority SAM Host Devices SAM Authentication Process Port Authority devices UniGuard devices UniGuard Clients COMMUNICATIONS SCREEN DEFINED PORTS SCREEN Port Properties - Host Port Configuration Power Port Configuration Slave Device Setting (For Port Authority Only) Programmable ESC Code REMOTE ENCRYPTORS SCREEN CLIENT ENCRYPTORS PORT AUTHORITY SAM CLIENT Device Info Screen for a Port Authority SAM Client Device, System Options for Port Authority SAM Client Encryptor Communications Screen for Port Authority SAM Client Device UNIGUARD CLIENT ENCRYPTOR AES/TDES Mode for UniGuard Client Client Encryptor pre-dialog UNIGUARD CLIENT Adding a UniGuard Client UniGuard Client Device Information Screen Network Properties for a UniGuard Client UniGuard Client, System Options Communications Screen UniGuard Client SSE CLIENT Adding an SSE Client

5 9 USERS ADD A USER User Info User Security Token Key Info Screen RSA SecurID Token Info Encryption User and ENCRYPTOR ADDING EXISTING USERS TO A GROUP DELETE A USER FROM A GROUP LISTING USERS OF A GROUP MODIFY PROPERTIES OF A USER USER LOCK LIST USER MANAGEMENT LIST SETTINGS SETUP SCREEN Modem Properties Setup Properties for UniGuard DATABASE UTILITIES DB ADMINISTRATOR LIST Enabling Automatic Services and Database Management Unlock Database Records DDM Seat Licenses DDM SQL only Add Seat Licenses to Database DDM SQL only DEVICE LICENSE Adding Device Licenses to the database RSA SECURID TOKEN ATTRIBUTES RSA Pin Length RSA Next Pin Mode RSA SECURID ENABLE FILES Add RSA SecurID Enable Files DDM LOG FILES PURGING SETUP DEFINE SNMP EVENTS SETTING UP MULTIPLE DDM POLLING MultiPoll\License File Path DDM SQL only DDM Polling Stations Adding Poll Stations SELECT GROUPS TO POLL Edit a Station Deleting a Station DDM IP DIALOUT LIST Adding a non-cdi device Edit a non-cdi Device Delete Device Adding CDI Devices to the IP Dialout ALARM ALERT LIST Enabling the Alerts feature User Properties Adding an User DISPLAY DDM REGISTRATION FORM

6 10.13 SSM SETTING DDM RADIUS SERVICE EXPORT DDM DATABASE TO XML FILE PROGRAMMING DEVICES PROGRAM MENU PROGRAMMING DEVICES OVERVIEW Program-Update Device Program-Reload Device Program Group RESET A GROUP PROGRAMMING FLASH FOR A SELECTED GROUP PROGRAMMING FLASH FOR A SELECTED DEVICE PROGRAM ALL DEVICES TELNET TO DEVICE STATUS PROGRAM DEVICE CONTACT LIST CONFIGURE THE IP CARD OF A DEVICE DDM PROGRAMMING A REMOTE SSE USING MODEM COMMUNICATIONS DDM FLASH PROGRAMMING A REMOTE SSE USING MODEM COMMUNICATIONS DISPLAYING THE DDM REAL TIME INFORMATION FOR A SELECTED DEVICE DISPLAYING THE AUDIT INFORMATION FOR A DEVICE PROGRAM GROUP FLASH DEVICES IP CARD CLEAR DEVICE REPORTING AND MAINTENANCE REPORT VIEW REPORT TEMPLATES AUDIT TRAIL MAINTENANCE Purging the Audit Trail Archive DDM ODBC Databases Purging the Audit Trail Purging the DDM Real Time Log EXIT THE REPORT SECTION AND RETURN TO THE DEVICES/USER VIEW DDM POLLING SERVICES ABOUT POLLING SERVICES EDITING A POLLING SERVICE ACCOUNT TYPES POLLING MODES Poll all devices in the database Poll by selected groups Poll by selected devices INSTALLING A POLLING SERVICE Scheduling a Service Stopping or Deleting a Polling Service TROUBLESHOOTING

7 Appendix A Cabling Appendix B Multiport Options Appendix C Audit Trail Events

8 1 INTRODUCTION The Distributed Database Manager (DDM) software products are designed to remotely manage the databases of CDI s UniGuard, Port Authority, Port Authority SAM, and SSE devices. The software products are menu-driven and easily learned. The program is designed to function using the Windows XP, operating system. Windows Server 2003 and MS/SQL 2005 are recommended for DDM SQL server installations. 1.1 DDM Versions Two versions of the DDM are available: DDM SQL and DDM ODBC. The DDM SQL version is designed to handle multiple concurrent sessions. Through the SQL Server database, a number of DDM managers can access the database simultaneously. The DDM databases are stored on the SQL Server database and are easily modified, synchronized, and updated. All information can be backed up for easy and safe restoration in the event of system failure using the SQL Server database utilities. The DDM ODBC version cannot handle multiple concurrent sessions and is meant for a single DDM connection on the concurrent machine. The DDM ODBC databases are stored on a Microsoft Access database. All information can be backed up for easy and safe restoration through the DDM ODBC Utilities. 1.2 What this Manual Contains This manual will provides installation and operation instructions for both the SQL and the ODBC versions of the DDM program. Installation and operation instructions for the Port Authority, Port Authority SAM, and SSE devices are detailed in their respective manuals. 1.3 System Requirements The DDM software requires a workstation (PC) that meets the following requirements. Memory: 1GB RAM minimum Operating System: Windows XP, Windows 2003 server Hard Drive: 100 GB minimum CD or DVD drive Access to a SQL Server

9 The program is loaded from a CD ROM Disk. A separate mini-cd disk, The Device License disk, is provided which will enable the number of devices (UniGuard, Port Authority and or SAM Units) allowed stored in the system. The number of devices that can be managed is virtually infinite, limited only by the storage capacity of the workstation. 1.4 Readme Files The program disk contains a readme file that contains the updates and related information. Please read this file before installing the software. 1.5 Contact Information If you need to contact us, please call Communication Devices Inc. at or visit us at 1-2

10 2 OVERVIEW A network is comprised of routers, firewalls, and other network elements. These elements are usually monitored by Network Operations Center (NOC) technicians. When there is a problem, the technicians must access the console port of the router or other network element to reset the device or perform other maintenance. The console port can be accessed by in-band or out-of-band communications. For security purposes, it is important to limit access to this port to authorized users, and protect the information being sent from the technician to the router or other element. 2.1 CDI s Role in Network Security CDI offers devices that provide both authentication and encryption functions or authentication only. These devices provide secure out-of-band communication between the technicians and network elements. Out-of-band communication uses a secondary path for communication providing more security and enabling devices to be contacted even when there is a network problem Before accessing a router, a technician connects to a CDI UniGuard or Port Authority device and authenticates. Each CDI device maintains a database of authorized users and authentication information. Once the user has successfully authenticated, he/she is permitted to access the network element. All information is encrypted. On the NOC side, a UniGuard device can be set to encryption mode only and encrypt the information being sent by the technician. Figure 2-1 Example of Secure Out-of-Band Management for Routers 2-1

11 In certain situations, the encryption of data is not required. For these situations, a secure authentication modem (SAM), which operates out-of-band and provides authentication only, can be installed. 2.2 Device Management The CDI devices are managed remotely by the CDI s Distributed Database Manager (DDM) application running on a Windows PC. The number of devices managed by the DDM is limited by the resources of the PC. The DDM provides centralized management and maintains a central database of users and devices enabling devices and users to be added, deleted, or modified from one location. Each UniGuard and Port Authority device has a local database updated from the DDM database. The DDM communicates with remote devices over dial-up phone lines, serial ports, or IP connections. All communications are encrypted. 2.3 Database organization The central database maintained by the DDM is separated into groups. A group is a collection of devices that share a common user database. A group can be defined by region, company, or by some other association. A device can only belong to one group but an individual user can be assigned to multiple groups. When changes are made to the database, the changes can be sent to one device, devices of one group, or all devices. A log file is maintained by the DDM for tracking system events, such as database updates. GROUP DATABASE STRUCTURE GROUP USERS DEVICES New York Corp J. Williams H. Peterson S. Murphy M. Clarke Port Authority UniGuard1 UniGuard2 UniGuard3 Figure 2-2 Group Database Structure In this example, the Group New York Corp has four users, each having access to any of four devices. If a device is a multiport device, such as the Port Authority, a user may have access to a single port, several ports, or all ports of the Port Authority. The number of devices assigned to a group as well as the total number of groups is virtually infinite, limited only by the storage capacity of the computer running the DDM program. 2-2

12 3 INSTALLING THE DDM SQL VERSION This section provides the DDM Administrator with DDM Installation instructions for the SQL version. The SQL version should be installed if multiple concurrent sessions are necessary. To install the DDM SQL version, you must install the software and then create, upgrade, or install DDM database Install the DDM SQL software. Place the installation CD-ROM in your CD drive. After a few seconds, the Installation Guide screen is displayed. To install the DDM software, click on the Install CDI Distribution Database Manager Software link. The InstallShield Wizard, which guides you through the installation, is installed. The InstallShield Wizard starts the installation of the DDM-SQL software. Click Next to continue with the installation. 3-1

13 The Software License Agreement is displayed. After you have read it, click the appropriate radio button to accept the agreement. Click Next to continue with the installation The Customer Information screen is displayed. Enter your User name and Organization and select an installation option. The first option allows anyone who has access to this computer to use this program. The second one limits access to the user whose name appears in the User Name window. Click Next to continue the installation. During this part of the installation you will need to choose the folder in which the DDM Software is to be installed. To use the suggested folder, click Next to continue or click Change to select a different location. 3-2

14 After all the required information has been entered, the DDM Install Shield Wizard displays a summary page of the information entered. To change the information, click Edit. If no changes are required, click Install to start the installation process. A completion message is displayed when the software has been successfully installed. Click Finish to close the InstallShield Wizard. After you click Finish, the DDM Registration Form is displayed. To be eligible for covered upgrades and support, this form must be returned to CDI. You may submit the form by or print it and send it to the address listed on the form. CDI needs this information to contact you, or the current administrator with important updates that may affect the performance of the products. This is not used as a sales tool Remove the CD ROM Disk from the drive. 3-3

15 3.2 Create, Install, or Upgrade the DDM Database on the SQL Server. After the DDM program has been installed, you must then create, load, or upgrade the databases on the SQL server. Click on the appropriate option. Each option is explained below. You must logon on to the SQL Server and have administration rights. You will be asked to confirm that you have the appropriate rights to create a new or modify the SQL database before you can continue Create New SQL Server DDM Database Select the "Create New SQL Server DDM Databases from the DDM Database if you are installing the database for the first time. This means that the DDM database does not exist on the SQL Server and old DDM databases (access databases) do not need to be imported onto the SQL Server. You will be asked to confirm that you have the appropriate rights to create a new SQL database before you can continue. If the database already exists, a message indicating this is displayed. 3-4

16 3.2.2 Create New Server DDM Database and import DDM Database Data Select the "Create New SQL Server DDM Databases and Import Access DDM Database Data to the new SQL Server DDM Database only if the DDM Database does not exist on the SQL Server and you need to import old DDM Databases (access databases) onto the SQL Server. Before you start, make sure all users are disconnected from the DDM databases. Copy the databases ddmdata.mdb and ddmlog.mdb databases to another directory as a backup. The DDM installation will create the DDM databases in the SQL Server, then copy the database information from the old DDM databases to the new SQL Server DDM databases. TIP It may take as long as 15 minutes to import large DDM databases. To avoid interference from the network during this time, copy the databases to your local PC and perform the upgrade there. Point the ddmdata and ddmlog databases to this directory on your PC from the ODBC Administrator dialog in the Windows Control Panel and then continue with the upgrade Create/Upgrade SQL Server and Import DDM Databases To Create/Upgrade an SQL Server and Import Multiple Access DDM Databases into the SQL Server, click on the button labeled Create/Upgrade an SQL Server and Import Multiple Access DDM Databases into the SQL Server Upgrade Existing SQL Server DDM Database Select the " Upgrade Existing Server DDM Database option from the DDM Database Upgrade Program screen. For this to occur the DDM databases must already exist in the SQL Server. You will need to logon to the SQL Server and have administration rights to be able to create and alter databases. The DDM installation will upgrade the DDM databases in the SQL Server. 3-5

17 Enter a Username and Password that has full rights in the SQL Server Upgrade DDM Client Only Select the button labeled "Upgrade DDM Client Only" from the DDM Database Upgrade Program screen. This will only install or upgrade the DDM Client files, bypassing a SQL Server DDM database creation or upgrade process. For RSA SecurID Token type users that are RSA SecurID Token type, RSA SecurID will supply a disk with their serial numbers. 3.3 Version Control At the end of the installation, the user is given the option of implementing DDM Version Control. When version control is implemented, DDM stations can be updated to the latest production DDM software when the DDM program is started. If the DDM version is below , a query will be presented to the DDM user to update its files to the latest DDM production files. The DDM Database level in the SQL Server must be at or above version 5.26 for this to be presented to the DDM user. If Version Control is not implemented during the installation, the install files would have to be run again in order to get to the option of implementing Version Control. 3-6

18 If the user accepts this installation query, the installation will create a directory ( \\DDMInstalls\DDM52701\...) in the shared path (License File Path) with all the DDM installation files for version The DDM/SSM users must have full rights to this shared path. If this path is not defined, DDM Version Control cannot be implemented. 3.4 Executing the DDM SQL Program: Once the CDI Distributed Database Manager SQL has been successfully installed, remove the Distributed Database Manager CD ROM disk from the CD ROM. To run the CDI Database Manager application, click the Start button and then select CDI DDM Manager SQL from the program list. You may also start the application from the Finished Installation window. 3.5 Accessing the Program To access the program, the DDM user must successfully authenticate by using one of two types of SQL Server authentication: Trusted Connection or SQL Server User Name/Password. 3-7

19 Trusted Connection A Trusted Connection uses Windows authentication credentials. Enter the user name and password that you use to logon to your PC workstation. SQL Server User Name/Password The SQL Server authentication relies on the SQL server security options set up by the System Administrator. You must enter the SQL Server name to successfully logon to the DDM SQL Server. Connection Timeout: Enter the number of seconds the system will wait to connect to the SQL Server (default value is 15 seconds). 3-8

20 4 INSTALLING THE DDM ODBC VERSION This section provides the DDM Administrator with DDM instructions for the installation of the DDM Installation ODBC version. The ODBC version is selected when capability of multiple concurrent sessions is not necessary and there are a limited number of users. 4.1 Installation Steps for DDM ODBC Version Place the installation CDROM in your CD drive. After a few seconds, the Installation Guide screen is displayed. To install the DDM software, click on the Install CDI Distribution Database Manager Software link. The InstallShield Wizard guides you through the installation of the DDM-ODBC software. Click Next to continue with the installation. The Software License Agreement is displayed. After you have read it, click the appropriate radio button to accept the agreement. Click Next to continue with the installation 4-1

21 The Customer Information screen is displayed. Enter your User name and Organization and select an installation option. The first option allows anyone who has access to this computer to use this program. The second one limits access to the user whose name appears in the User Name window. Click Next to continue the installation. During this part of the installation you will need to choose the folder in which the DDM Software is to be installed. Click Next to use the suggested folder or click Change to select a different location. After all the required information has been entered, the DDM Install Shield Wizard displays a summary page of the information entered. To change the information, click Edit. If no changes are required, click Install to start the installation process. 4-2

22 A completion message is displayed when the software has been successfully installed. Click Finish to close the Install Shield Wizard. After you click Finish, the DDM Registration Form is displayed. To be eligible for covered upgrades and support, this form must be returned to CDI. You may submit the form by or print it and send it to the address listed on the form. CDI needs this information to contact you, or the current administrator with important updates that may affect the performance of the products. This is not used as a sales tool Remove the CD ROM Disk from the drive. 4.2 Accessing the Program When the program is accessed, the DDM ODBC user must successfully authenticate to enter the DDM ODBC program. Enter the same "user name" that you use to initially log on the PC. This is a security measure to insure that only valid users can access the program. 4-3

23 5 GETTING STARTED This section describes how to get started using the DDM program to manage UniGuard, Port Authority, and SAM devices. 5.1 Starting the DDM Program Start the DDM program either from the Start Menu or by clicking the DDM desktop shortcut. After you enter your username and password, the Opening screen is displayed. Figure 5-1 Opening screen, Device/User View 5.2 Navigating the DDM software The DDM software is menu-driven and easy to navigate. Dropdown menus list options. 5.3 Help A brief description of the option and links is displayed when you rollover the option with your mouse. 5-1

24 5.4 Opening Screen The options displayed in the menu bar depend on whether Device/User or Report View is selected. To switch views, click View in the Menu bar. Device/User view is the default view. It is used when adding or modifying groups, devices, or users. Report View is selected when creating or viewing reports. Please refer to section 12 for more information about Report View and reports Device View The left pane of the screen displays the Group List. The right pane displays the names and certain attributes of the devices in a selected group. Group List The Group List is displayed in the left pane. The Group List may be expanded to display all groups. The Groups displayed in the Group List will have been retrieved from the DDM Databases in the SQL Server. The Device Not Contacted List is a list of all devices in the system that have not been programmed and/or an error has occurred in the programming of a CDI device. The DDM Real Time Log List is a list of all events that happen to a device in real time. The device must have an IP card to communicate with the PC running the DDM program and the DDM Real Time Log must be enabled on the particular DDM PC. Each Group may be expanded to display information pertaining to the Groups: A Group may be compressed to display the only the Group name. Devices in the Group Client Encryptors in the Group Users in the Group User Locked List New Device Template for the Group Group Modifications 5-2

25 Devices and Attributes The right pane lists the names and attributes of devices of a group. Each field is described below: Device Name: Name given to the device when the device was added. Device Type: Type of device, such as Master Port Authority-88 with IP, UniGuard with IP, Port Authority 11SAM. Device Mode: Authentication mode of the device Standard (default) Auto Authentication/Encryption Connects to the device in an encrypted session but goes directly into the port list without a user ID/password authentication. RSA SecurID Device Allows the device to use RSA tokens for authentication. Host ID: A unique number used to identify the device in the DDM database. The serial number of the device is used as the Host ID. Program Status: Indicates whether the device can be contacted. This field will be blank if there are no problems with the device. If there was a problem programming or contacting the device, it will display a message in red. Examples: No Contact From Device: A device that has heartbeat properties configured and did not send the heartbeat I m Alive message back to the DDM. Invalid Communications: Failed to connect to the device. Error in Programming: Failed during programming of the device. Invalid System Key: The system key that is programmed into the device is different than the device record in the DDM. Invalid System Password: The system password that is programmed into the device is different than the device record in the DDM. Version: Current firmware version of the device. Phone Number: Phone number used to contact the device. IP address: IP address of device. 5-3

26 IP version: Current IP card firmware version. Def Credentials (Default Credentials): PK: Indicates that both the device s system password and system key are at default levels. P: Indicates the device s system password is at a default level. K: Indicates that the device s system key is at a default level Viewing Device Status To view the device status, right-click on the device name. The Device Properties screen will be displayed. The Device Status is displayed on the right-hand side. The Device status displays the program status of the device when the DDM attempts to connect to the device. The program status may be Idle, In use, or Alarm. Each status type is described below: Idle: The device is available to connect to the DDM In Use: The device is already connected to the DDM Alarm:: The device is in an alarm state and cannot be connected to the DDM. To clear the device status, right-click on the status and select Clear Device Status to Idle. Select Set Device Status to Alarm to put the device into an alarm state Report View Please refer to section 12 for more information about Report View and reports. 5.5 Installation and Set Up Overview An overview of the steps to install and set up the DDM program are listed below. 1. Install the DDM application on a computer running Windows. The Install Wizard will guide you through the steps. (Sections 3 and 4). 2. Create one or more groups. For each group, enter a Group name, the main device type, and the primary and secondary (optional) communication method. (Section 6) 3. Set up the device template. Any changes made to the device template will appear every time a device is added to the group. (Section 6.1) 4. Add devices or client encryptors to the group. Select the device type and enter a device name. Unless otherwise configured, the parameters in the device template will be used. (Sections 7 and 8). 5. Add users to the group. The users will be added to the database of the devices of the group. (Section 9) 5-4

27 Device Maximum number of users UniGuard 150 Port Authority Sam 22/ Port Authority Sam11 50 MultiGuard Set DDM system-wide parameters as required. These include adding device licenses, seat licenses for the DDM, and RSA licenses; assigning users as administrators; selecting the modem used to connect to CDI devices, setting up polling of devices, and other functions. (Section 10) 7. Reload (program) a single device, all devices of a group, or all devices (Section 11) 8. Create reporting templates. Switch to report view to view reports and manage reports. (Section 12). 5-5

28 6 WORKING WITH GROUPS A group is the collection of devices that can be accessed by a set of users. Groups can be defined by location, by region, or by another way that makes sense for your organization. Keep in mind that while a device may only be assigned to one group; a user may belong to multiple groups. This section describes how to do the following: Add, delete, and rename a group Make modifications to all devices of the same type View a Real Time log 6.1 Add a Group 1. In the main screen, click on Group List. Click on Group in the Menu Bar. From the dropdown list, select Add New Group. 2. On the Group Attributes screen, enter the Group Name. You may also enter a brief description. After entering the appropriate information in the Group Attributes screen, click Ok to continue. The New Device Template for Group screen displays. 6-1

29 3. Set up the Device Template for a device type. From the dropdown list, select the Device Type. Click Next to continue The Device Template establishes the default settings for the entire group. When a new device is added, the settings in the Device Template for that particular device type are used. You may later modify all settings of a device type in the Group Modifications screen. 4. Select the method for primary DDM communications and secondary DDM Communications. These settings determine the means by which the device and the DDM manager will communicate. 5. After you select the primary and secondary communications methods, the Device Template screen is displayed. 6. Click the tabs to enter device information, system options, communications settings, port options, and remote encryption. For a new or existing device, these settings may be modified in the Device Properties screen. 6-2

30 6.2 Rename a Group Double-click on a Group Name or highlight the Group name and selecting Rename Group. The Group Attributes screen is displayed. Enter the new group name and description in the information field. 6.3 Delete a Group Select Delete Group or highlight the Group and press the Delete key. You will be prompted to confirm that you want to delete the group. Click Yes to continue or No to cancel the Delete request. CAUTION: Responding "Yes" to this prompt will delete the entire group and all of its device associations. The data will be unrecoverable. 6.4 Group Modifications Group Modifications allows you to modify certain settings of all devices of a particular type in the selected group. The settings of Group Modifications will be applied to any device added to the group. 6-3

31 To display the Group Modifications screen, click on Group Modifications under the Group you wish to modify. From the Select Device Type screen, select the device type that you wish to modify or select All to modify all device types. Selecting All essentially allows modifying only those parameters that common to all device types and are listed in the Device Template screen. The parameters of the Group Modification screen differ slightly depending on the device. The parameters for each device type UniGuard, Port Authority, and MultiGuard--are listed in the following sections. For a detailed description of each parameter, please see the Devices chapter UniGuard Group Modifications For more detailed information about the UniGuard parameters, please refer to the Devices section. UNIGUARD Group Modifications Tab Parameters Description Device info System Options None User Security Level Host AT Command Access) Host Dialout Update System Password Update System Key Device Mode Host DTR/RTS loss of Signal Time (secs) First Message Delay Time Login Inactivity Time User Security Level: Establishes the User ID as either User ID only or User ID and Password as the security method when logging in to the device. Host AT Command Access: Enables the host to manage and access the device s internal modem. If full host management of the device s internal modem is necessary, this option should 6-4

32 UNIGUARD Group Modifications Tab Parameters Description be set for Enabled Transparency. Host Dialout: Enable or disable the host ability to dial out using the device s modem. Device Mode: Standard device (default) Security is enabled. Auto Authentication: device only communicates with UniGuard clients in an encrypted session. RSA SecurID ACM (act as an RSA ACM device) RSA SecurID Device (first authenticates with a valid User ID and then authenticates using RSA SecurID. Standard Device Bypass Security: Security is disabled on the device. Update System Password: The system password is used by the DDM to access and program the device. Update System Key: The default key used for all devices of this type..the system key may be generated or entered. Communications Defined Ports Remote Encryptors Modem Port Bits/Parity Modem Port Baud Rate Power Port Value Primary Defined Message Secondary Defined Message Host Connect Defined Message Extra AT Command Settings None Edit Client ID Add Encryptor ID Delete Encryptor ID Select Encryptor IDs from database Primary Defined Message: A userdefined message sent out when before the authentication process begins. Secondary Defined Message: A userdefined message sent out after the first user response/prompt has been processed. Host Connect: Only applies to UniGuard devices. A user-defined message sent out to the host port after successful user authentication. The user then connects to the host application. Select from Client Database: Displays a list of IDs of clients that are allowed to access devices that belong to this group. Group IP Filter List* Add IP Filter Edit IP Filter Delete IP Filter The IP Filter address ranges can be set for inclusion mode and exclusion mode. 6-5

33 UNIGUARD Group Modifications Tab Parameters Description Inclusion mode defines an address range that can connect to the CDI device via IP and have full access to the device after user authentication. Exclusion mode defines an address range that will have no IP access to the CDI device. Example: The IP address range with the starting address of to the ending address of is set for exclusion mode. Another IP Address range with the starting address of to the ending address of is set for inclusion mode. These IP address settings result in the following: All IP addresses from to will have no access to the specified CDI Device with the exception of IP Address , and *The Group IP Filter List is for CDI devices that have a CDI internal IP card at version 2.00 or above. 6.6 Port Authority Group Modifications For more detailed information about Port Authority parameters, please refer to the Devices chapter. PORT AUTHORITY Group Modifications Tab Parameters Description Device info screen System Options None User Security Level Update System Password Update System Key Device Mode (Type)) First Message Delay Time Inactivity Time Host DTR/RTS loss of Signal Time (secs) First Message Delay Time Login Inactivity Time User Security Level: Establishes the User ID as either User ID only or User ID and Password as the security method when logging in to the device. Update System Key: This is the default key used for all devices of this type. The system key may be generated or entered. Standard device (default) Security is enabled. 6-6

34 PORT AUTHORITY Group Modifications Tab Parameters Description Auto Authentication: device only communicates with UniGuard clients in an encrypted session. RSA SecurID ACM (act as an RSA ACM device) RSA SecurID Device (first authenticates with a valid User ID and then authenticates using RSA SecurID. Standard Device Bypass Security: Security is disabled on the device. Communications Modem Port Bits/Parity Modem Baud Rate Primary Defined Message Secondary Defined Message Send AT Command Primary Defined Message: A userdefined message sent out before the authentication process begins. Secondary Defined Message: A user-defined message sent out after the first user response/prompt has been processed. Defined Ports Remote Encryptors Control Mimicking Modem Connect Message Edit Client ID Add Client ID Delete Client ID Select Client IDs from database Displays a list of IDs of clients that are allowed to access devices that belong to this group. Group IP Filter List* Add IP Filter Edit IP Filter Delete IP Filter The IP Filter address ranges can be set for inclusion mode and exclusion mode. Inclusion mode defines an address range that can connect to the CDI device via IP and have full access to the device after user authentication. Exclusion mode defines an address range that will have no IP access to the CDI device. Example: The IP address range with the starting address of to the ending address of is set for exclusion mode. Another IP Address range with the starting address of to the ending address of is set for inclusion mode. Result of these IP address settings: All IP addresses from 6-7

35 PORT AUTHORITY Group Modifications Tab Parameters Description to will have no access to the specified CDI Device with the exception of IP Address , and *The Group IP Filter List is for CDI devices that have a CDI internal IP card at version 2.00 or above. 6.7 MultiGuard Group Modifications For more detailed information about the MultiGuard parameters, please refer to the Devices chapter. MULTIGUARD Group Modifications Tab Parameters Description Device info screen System Options None User Security Level Host AT Command Access Update System Password Device Mode (Type) Update System Key First Message Delay Time Host DTR/RTS loss of Signal Time (secs) First Message Delay Time Login Inactivity Time User Security Level: Establishes the User ID as either User ID only or User ID and Password as the security method when logging in to the device. Update System Key: The system key may be generated or entered. This is the default key used for all devices of this type. Standard device (default) Security is enabled. Auto Authentication: device only communicates with UniGuard clients in an encrypted session. RSA SecurID ACM (act as an RSA ACM device) RSA SecurID Device (first authenticates with a valid User ID and then authenticates using RSA SecurID. Standard Device Bypass Security: Security is disabled on the device. Communications Primary Messages: Primary Secondary Extra AT Command Settings Primary Defined Message: A userdefined message sent out when before the authentication process begins. Secondary Defined Message: A userdefined message sent out after the first user response/prompt has been processed. 6-8

36 MULTIGUARD Group Modifications Tab Parameters Description Defined Ports Remote Encryptors Group IP Filter List* None None Add IP Filter Edit IP Filter Delete IP Filter The IP Filter address ranges can be set for inclusion mode and exclusion mode. Inclusion mode defines an address range that can connect to the CDI device via IP and have full access to the device after user authentication. Exclusion mode defines an address range that will have no IP access to the CDI device. Example: The IP address range with the starting address of to the ending address of is set for exclusion mode. Another IP Address range with the starting address of to the ending address of is set for inclusion mode. These result in the following: All IP addresses from to will have no access to the specified CDI Device with the exception of IP Address , and The Group IP Filter List is for CDI devices that have a CDI internal IP card at version 2.00 or above. 6.8 Real Time Log List The DDM Real Time Log List is a list of all events that happen to a device in real time. The device must have an IP card to communicate with the PC running the DDM applications and the DDM Real Time Log must be enabled on the particular DDM PC. These logs can only be viewed from the Real Time Log List. The items are color-coded to indicate the severity of the real time log item. 6-9

37 REAL TIME LOG ALERT SEVERITY LEVELS SEVERITY COLOR ALERT Green INFORMATION Blue DEBUG Blue WARNING Orange EMERGENCY CRITICAL ERROR NOTICE Red Red Red Red Each entry in the log has the following information: Date/Time, Device Name, Facility, Severity, Message, and Source IP Address. 6.9 Enabling the Real Time Log List The Real Time log list must be enabled before you can view it. 1. Click on SETTINGS in the Menu bar. From the dropdown menu, select Setup. 2. In the Setup window, click the checkbox titled Enable DDM Real Time Log. 3. Modify the default DDM Real Time Log Port value if necessary. The default port is Click OK to enable the Real Time Log option and exit the Setup window. When this option has been enabled, the IP address of the DDM will appear in the title bar of the Setup window. 5. After enabling the DDM Real Time Log option and exiting the Setup window, the DDM Real Time Log listener will be activated. As logs come in, they will be validated Select DDM RealTime Log List under Group List to view the log. All new log items will be inserted in the view list in real time. and inserted into the DDM databases (DDMSysLog and DDMLog). 6-10

38 Number of log entries Printing, Saving and Deleting the DDM Real Time Log The DDM Real Time Log can be printed or saved to a file. To print or save the file, highlight any line on the DDM Real Time Log and click on the GROUP in the menu bar of the DDM window. From the list displayed, select the appropriate action--print DDM Real Time Log or Save DDM Real Time Log to file. If Save DDM Real Time Log has been selected, choose the folder in which the file is to be saved and enter the filename in the displayed Save As window. 6-11

39 6.9.2 Deleting items from the DDM Real Time Log To delete a real-time log, click Devices in the menu bar and then select Delete DDM Real Time Log. The real-time log of DDM actions will be deleted. Once deleted, it cannot be recovered. 6-12

40 7 DEVICES This section explains how to add to a device to group, remove a device from a group, and configure the properties of a specific device. For information about adding UniGuards and Port Authority devices as client encryptors, may be added to a group as client encryptors, please refer to the Client Encryptors chapter. 7.1 Add a device to a group A device may be added to group by one of the following ways: Duplicate a device Move a device from one group to another Use the Add Device Wizard Duplicate a Device Display the Device List by double-clicking the Device Leaf of the Selected Group; the device list for this group will be displayed. To duplicate a device, click on the device and drag and drop it to the new Group. From the Duplicate or Move Device screen, select Duplicate Device. When a device is duplicated, the device settings will be duplicated only. The group parameters for the device will be dependent on the group to which it is attached Move a Device To move a device from one group to another, click on the device and drag it to the new group. The Duplicate or Move Device screen will be displayed. From this screen, select Move device. When device is moved from one group to another, the device settings remain the same but the group setting for the device changes. For instance, the device will be attached to the users and client IDs attached of this group only Use the Device Wizard to add a device The Add Device Wizard guides you through the steps to add a new device. When a new device is added to a group, the New Device Template is applied, which was 7-1

41 created when the Group was created. The New Device Template uses the group parameters as a basis for the device properties. 1. Click on the name of the group to which you want to add the device. 2. Click on Devices in the menu bar and select Add New Device. The New Device Properties screen is displayed. Alternatively, you may double-click the Device leaf under the Group name to display the New Device Properties screen. Alternatively, click to highlight a device name in the right panel. Right-click the device name and a menu with device options is displayed. Select the Add New Device option to add a device. 3. From the New Device Properties screen, select the device type from the scroll down list. Enter a name for the device. 4. Click on Device Info to add optional information. Click Next to continue. 7-2

42 5. The wizard displays the Connection screen. From the scroll-down list, select the primary and secondary method by which the device will communicate with the DDM. For each communication method, enter the IP address, port, and other requested information. 6. On the next screen, the wizard then prompts you to enter a password for the device. You also have the option to use RSA SecurID. Select Yes to use RSA SecurID.. 7. Click Finish to complete the procedure. 8. After the device parameters and all the users for this device have been entered, the information can be loaded to the device from the DDM. To do this, select Reset Device from the Program menu.. This will reset the device to the default parameters and load the new system and port options. It will clear the device s User database and reprogram it with the latest User database for this Group. If you are adding several devices to a group, add all the devices first, and then select Reset Group from the Program menu Modifying Device Properties You can change the properties of an existing device. To do this, double-click on the device in the Device List view to display the Device Properties screen. You may then change the Device Info properties or click on the appropriate tab to modify other settings. Alternatively, you can click on Device in the Device List view, then click on Device in the menu bar. Select Display/Rename Device to display the Device Properties screen Renaming a Device The name of an existing device can be changed by highlighting the existing device in the device list and then selecting, Display/Rename Device, or by double clicking on the device in the Device List view Deleting a Device To delete a device, highlight the existing device in the Device List view and then click on Device in the menu bar. Select Delete device. You can also click on the device in the device list and then press the delete key. "Display/Rename Device Attributes" will display the Device Properties screen and "Delete Device" will delete the device from the group after the appropriate warning prompt. 7.2 Configuring a Device The Device Properties screen enables you to configure devices managed by the DDM. You can display this screen by double-clicking on the device name from the device list in the Main screen. 7-3

43 You can also display the Device Properties screen by clicking on the specific device name. From the menu bar, click Devices and then Display Device Attributes. The Device Properties screen has five tabs that display screens for entering parameters to set up for devices managed by DDM. Not all tabs apply to all device types. The fields on the screens depend on the device type selected. Device Info System Options Communications Defined Ports (for Port Authority, Port Authority SAM or a MultiGuard devices only) Remote Encryptions Device Info Screen The Device Info screen enables you to enter reference information about the device being added and define the communication paths by which DDM will access the device. To display the Device Info screen, Right click on a device. From the menu, select Edit Device (or double click on device), and then click the Primary Network Properties button 7-4

44 Device Type: Required. Select the device type from the dropdown list. Available devices include the Port Authority SAM (-11, -22, -44), UniGuard, Port Authority (-88, -44 or 84), or a MultiGuard. The default setting is UniGuard. Device Name: Required; for reference to the device s ID, such as company, location, etc Device Status link: Click on this link to view whether the program status of the device. IDLE: Device is ready to connect to the DDM IN USE: Device is connected to the DDM ALARM: Device is in the alarm state and can not be connected to the DDM To clear a device or to put in an alarm state, click the status link. Select Clear Device Status to put the device in an idle state. Select Set Device Status to Alarm to put the device in an alarm state. NOTE: When the DDM is communicating with a CDI device, device the status will read IN SE. If the device is not being used and the status still reads INUSE, click on the status and select Clear Device Status to IDLE. Serial Number: No entry is necessary. When the DDM accesses the device, it retrieves the device s serial number and adds it to the DDM database. RSA SecurID Enable: Set this to make the device act as an ACM device and as a replacement for an RSA SecurID ACM unit. The device can also be an RSA SecurID unit (CDI device/acm device). The serial number field will display the RSA Serial Number. Version: No entry is necessary. When the DDM accesses the device, it retrieves the device version and adds it to the DDM Database. 7-5